Microsoft AZ-305 Exam (page: 7)
Microsoft Designing Azure Infrastructure Solutions
Updated on: 12-Jan-2026

Explanation:

Box 1: Yes
User1 is member of Group1.
Group1 is assigned the Virtual Machine Contributor role for MG1.

MG1 is in Sub1.
RG1 is in Sub1.

Virtual Machine Contributor
Create and manage virtual machines, manage disks, install and run software, reset password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC.

Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions. Create these containers to build an effective and efficient hierarchy that can be used with Azure Policy and Azure Role Based Access Controls.

If your organization has many subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called “management groups” and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group.

Box 2: No
User2 is a member of Group2.
User2 has no special permissions to Group2.

Box 3: Yes
User3 is a member of Group3.
Group3 is assigned the Contributor role for the Tenant Root Group. As a member of the Tenant Root Group User3 can create storage accounts in RG2.

Note: Each Microsoft Entra tenant is given a single top-level management group called the root management group. This root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This group allows global policies and Azure role assignments to be applied at the directory level.

Reference:

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles https://learn.microsoft.com/en-us/azure/governance/management-groups/manage https://learn.microsoft.com/en-us/azure/defender-for-cloud/management-groups-roles

Explanation:

Compliance Report using Azure Policy
Azure Policy is a powerful tool for Azure Governance. With Azure Policy we can define rules for all Azure Subscriptions the we manage. We can use this rules for simple limitation actions, like permitting only specific VM Series and Sizes that can be created and also more complex rule sets that helps you standardize the whole

Azure deployment.
Enforce tags for resource creation
So, why tags? Why we need to add tags to all Azure resources? The Microsoft Azure environments are getting bigger and bigger and managed by multiple people and teams. That makes it difficult to understand who created a resource and what is the purpose of that resource. Another critical matter that we need tags is Cost Management. At the Azure Cost Management Portal, we can sort and arrange the resource cost using the Tags. This way we can provide an expense dashboard with the actual cost of the resources per department, project or whatever tags we have added to the Resource.

Reference:

Explanation:

Box 1: User Administrator for the MarketingAU
User1 must be able to create user accounts.

User Administrator
Can manage all aspects of users and groups, including resetting passwords for limited admins.

Create users
Etc.

Roles that can be assigned with administrative unit scope
The following Microsoft Entra roles can be assigned with administrative unit scope.
* Helpdesk Administrator
* User Administrator
* Etc.

Box 2: Helpdesk Administrator for the MarketingAU
User2 must be able to reset user passwords.

Helpdesk Administrator
Can reset passwords for non-administrators and Helpdesk Administrators.

Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the region that they support.

Reference:

https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference https://learn.microsoft.com/en-us/azure/active-directory/roles/admin-units-assign-roles

Explanation:

Box 1: Secret
Tutorial: Use Key Vault references in an ASP.NET Core app.

Add a secret to Key Vault
To add a secret to the vault, you need to take just a few additional steps. In this case, add a message that you can use to test Key Vault retrieval. The message is called Message, and you store the value “Hello from Key Vault” in it.

1. From the Key Vault properties pages, select Secrets.
2. Select Generate/Import.
3. In the Create a secret pane, enter the following values:
4. Upload options: Enter Manual.
5. Name: Enter Message.
6. Value: Enter Hello from Key Vault.
7. Leave the other Create secret properties with their default values.
8. Select Create.

Box 2: A managed service identity (MSI)
Grant your app access to Key Vault
Azure App Configuration won’t access your key vault. Your app will read from Key Vault directly, so you need to grant your app read access to the secrets in your key vault. This way, the secret always stays with your app. The access can be granted using either a Key Vault access policy or Azure role-based access control.

You use DefaultAzureCredential in your code above. It’s an aggregated token credential that automatically tries a number of credential types, like EnvironmentCredential, ManagedIdentityCredential, SharedTokenCacheCredential, and VisualStudioCredential.

Alternatively, you can set the AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET environment variables, and DefaultAzureCredential will use the client secret you have via the EnvironmentCredential to authenticate with your key vault. After your app is deployed to an Azure service with managed identity enabled, such as Azure App Service, Azure Kubernetes Service, or Azure Container Instance, you grant the managed identity of the Azure service permission to access your key vault. DefaultAzureCredential automatically uses ManagedIdentityCredential when your app is running in Azure. You can use the same managed identity to authenticate with both App Configuration and Key Vault.

Reference:

https://learn.microsoft.com/en-us/azure/azure-app-configuration/use-key-vault-references-dotnet-core

Explanation:

Box 1: App roles
App1 supports role-based access control (RBAC) and includes a role named Writer.

Implement role-based access control
Define app roles
The first step for implementing RBAC for an application is to define the app roles for it and assign users or groups to it. After defining the app roles and assigning users or groups to them, access the role assignments in the tokens coming into the application and act on them accordingly.

Box 2: Token configuration
You need to ensure that when App2 authenticates to access App1, the tokens issued by Microsoft Entra ID include the Writer role claim.

Configure optional claims
You can configure optional claims for your application through the Azure portal or application manifest.

1. Go to the Azure portal.
2. Search for and select Microsoft Entra ID.
3. Under Manage, select App registrations.
4. Choose the application for which you want to configure optional claims based on your scenario and desired outcome.
5. Under Manage, select Token configuration
6. Etc.

Reference:

https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-implement-rbac-for-apps https://learn.microsoft.com/en-us/azure/active-directory/develop/optional-claims

Explanation:

1: A Log Analytics workspace is a unique environment for log data from Azure Monitor and other Azure services, such as Microsoft Sentinel and Microsoft Defender for Cloud. Each workspace has its own data repository and configuration but might combine data from multiple services.
1: With workspace-based resources, Application Insights sends telemetry to a common Log Analytics workspace, providing full access to all the features of Log Analytics while keeping your application, infrastructure, and platform logs in a single consolidated location.
1: VM insights collects its data from one or more Log Analytics workspaces in Azure Monitor. Prior to onboarding agents, you must create and configure a workspace.
The only requirement of the workspace is that it must be located in a supported location and be configured with the VMInsights solution.

Reference:

Explanation:

Microsoft Entra ID Governance allows you to balance your organization’s need for security and employee productivity with the right processes and visibility. It provides you with capabilities to ensure that the right principals have the right access to the right resources and at the right time.
The principals (or identities) whose access you can govern include users, groups, and applications (or service principals). The users can be your employees, business partners, vendors, or contractors. The resources to which you can govern access include groups, access packages, and privileged roles.
Note: Microsoft Entra access reviews
Use Microsoft Entra access reviews to configure one-time or recurring access reviews for attestation of a principal’s right to access Microsoft Entra resources. The principals are users or applications (service principals). The Microsoft Entra resources include groups, applications (service principals), access packages, and privileged roles. Access reviews is a feature of Microsoft Entra ID Governance.
Typical customer scenarios for access reviews include:
Customers can review and certify guest user access to groups through group memberships. Reviewers can use the insights that are provided to efficiently decide whether guests should have continued access.
Customers can review and certify employee access to Microsoft Entra resources.
Customers can review and audit assignments to Microsoft Entra privileged roles. This supports organizations in the management of privileged access.

Reference:

Explanation:

Box 1: DeployIfNotExists
DeployIfNotExists
Similar to AuditIfNotExists, a DeployIfNotExists policy definition executes a template deployment when the condition is met.

DeployIfNotExists evaluation
DeployIfNotExists runs after a configurable delay when a Resource Provider handles a create or update subscription or resource request and has returned a success status code. A template deployment occurs if there are no related resources or if the resources defined by ExistenceCondition don’t evaluate to true. The duration of the deployment depends on the complexity of resources included in the template.

During an evaluation cycle, policy definitions with a DeployIfNotExists effect that match resources are marked as non-compliant, but no action is taken on that resource.

Incorrect:
* EnforceRegoPolicy
No such thing in this context.

* Modify
Modify is used to add, update, or remove properties or tags on a subscription or resource during creation or update. A common example is updating tags on resources such as costCenter.

Modify evaluation
Modify evaluates before the request gets processed by a Resource Provider during the creation or updating of a resource. The Modify operations are applied to the request content when the if condition of the policy rule is met. Each Modify operation can specify a condition that determines when it’s applied. Operations with false condition evaluations are skipped.

Box 2: The identity required to perform the remediation task Policy assignments with effect set as DeployIfNotExists require a managed identity to do remediation.

Note: Each policy definition in Azure Policy has a single effect. That effect determines what happens when the policy rule is evaluated to match. The effects behave differently if they are for a new resource, an updated resource, or an existing resource.

These effects are currently supported in a policy definition:

Append
Audit
AuditIfNotExists
Deny
DenyAction (preview)
DeployIfNotExists
Disabled
Manual
Modify

Reference:

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects