Microsoft Azure Solutions Architect Expert Practice Test (AZ-305)

A Log Analytics workspace provides near real-time ingestion and a rich KQL query experience that administrators already use for alerting. Retaining only the recent data (for example, 30-90 days) in the workspace keeps ingestion and query costs predictable. Azure Monitor data export (or the legacy Continuous Export) can automatically copy every newly ingested record to a storage account, where lifecycle management policies move the data to Cool or Archive tiers for inexpensive seven-year retention. Event Hubs, HDInsight, or direct Storage ingestion would require additional infrastructure or prevent KQL-based alerting, and Synapse-based querying of archived blobs does not deliver the five-minute latency the operations team needs.

Azure SQL Database already creates automatic full, differential, and transaction-log backups that provide point-in-time restore (PITR) for up to 35 days in the General Purpose tier, meeting the 30-day PITR requirement without extra configuration. To meet the seven-year compliance need, you can enable the long-term retention (LTR) feature on the database. LTR automatically copies the weekly full backups produced by the built-in service to RA-GRS storage and keeps them for the period you specify (up to 10 years), with no servers or scripts to maintain and costs limited to the storage consumed.

Azure Backup cannot protect Platform as a Service (PaaS) SQL databases; it supports SQL Server running in Azure VMs, so that option is invalid. Exporting weekly BACPACs with Automation scripts introduces additional management overhead and does not provide PITR capability. Migrating to a Managed Instance with manual snapshots would raise costs and still require operational effort to manage snapshots. Therefore, configuring an LTR policy on the existing Azure SQL Database while relying on the default automated backups is the optimal and most economical solution.

Azure SQL Managed Instance performs automatic full, differential, and transaction-log backups that support point-in-time restore (PITR) for a configurable retention period of up to 35 days; setting this to seven days satisfies the short-term recovery objective with no additional infrastructure. The service also supports Long-Term Retention (LTR), which copies full backups to RA-GRS blob storage on a monthly, weekly, or yearly schedule and keeps them for up to 10 years. Defining an LTR policy to retain a monthly backup for 60 months (five years) meets the compliance requirement at minimal cost and with no extra management overhead. Azure Backup vault policies and ASR do not natively protect Managed Instance databases, and manual BACPAC exports increase operational effort and remove the benefit of built-in PITR. Therefore, configuring automated backups with a seven-day PITR window and an LTR policy for monthly backups is the correct solution.

Management groups provide a hierarchy for policy and RBAC inheritance. Creating one management group for each geography under the tenant root lets you assign an Azure Policy initiative to each region once and have it flow to all current and future subscriptions in that region. The initiative can include the built-in Allowed locations policy with parameters set to the permitted datacenters for that geography and the Inherit tag policy so resources automatically receive the costCenter tag. Subscriptions placed under the proper regional management group inherit these settings, and regional administrators can still add policies at lower scopes without affecting other regions. Assigning policies to every subscription or resource group would multiply administration effort, and resource locks or deny assignments do not address automatic tag inheritance.

An availability set places all its virtual machines in the same datacenter, distributing them only across fault and update domains. A complete datacenter outage therefore takes the entire set offline, and Microsoft guarantees only a 99.95 percent SLA for two or more VMs in an availability set. Deploying the instances in an Azure Virtual Machine Scale Set or in individual VMs that are distributed across at least two Availability Zones within the same region provides isolation from a single datacenter failure. Microsoft offers a 99.99 percent virtual-machine SLA when two or more instances are placed in different Availability Zones in the same region. Azure Site Recovery targets disaster recovery across regions and does not provide in-region high availability; adding a load balancer or increasing fault domains cannot protect against a full datacenter failure. Therefore, creating a zone-redundant VM scale set (or moving the VMs to separate Availability Zones behind the existing load balancer) is the correct way to meet the 99.99 percent SLA without requiring application changes.

Azure Cosmos DB for NoSQL guarantees single-digit millisecond reads and writes and is schema-agnostic, making it well-suited for high-velocity, flexible JSON telemetry. Enabling autoscale throughput lets the service automatically adjust RU/s based on load, reducing cost when traffic is low. Azure Blob Storage is the most economical option for large binary objects such as JPEGs. A lifecycle management policy that moves blobs from the Hot tier to Cool after 30 days and to Archive after 180 days keeps frequently accessed images performant while minimizing long-term storage costs, and requires no manual administration.

Azure SQL Database Hyperscale offers strong relational capabilities but incurs higher costs and imposes rigid schemas, making it less appropriate for rapidly changing JSON telemetry; Azure Files and managed disks are costlier than object storage for large, infrequently accessed images. Azure Data Lake Storage Gen2 can store both data types but would not provide the required millisecond read latency without additional compute (for example, Azure Synapse or Data Explorer) and may raise overall cost and complexity. Redis is an in-memory cache, not a durable store for long-term telemetry or images. Therefore, using Cosmos DB with autoscale for telemetry plus tiered Azure Blob Storage for images best balances features, performance, and cost.

Azure Migrate provides a unified discovery and assessment capability for servers and databases. After an on-premises appliance performs discovery, the Server Assessment tool analyzes performance over time, recommends right-sized Azure VM SKUs, flags compatibility issues, calculates estimated Azure costs, and can optionally collect network data to produce dependency maps that aid in grouping servers. Azure Site Recovery focuses on replication, Azure Monitor plus Workbooks does not produce cost or sizing guidance, and the TCO Calculator lacks dependency mapping and detailed compatibility analysis.

Azure Cosmos DB configured for the Core (SQL) API automatically indexes all JSON properties, so new or changing sensor attributes require no schema updates. The service offers single-digit-millisecond latency for reads and writes worldwide and a 99.999-percent availability SLA when multi-region writes are enabled. Provisioned or autoscale throughput allows the database to handle millions of events per second with minimal administration. Azure Table storage cannot deliver the required low-latency queries or automatic rich indexing. Azure Data Lake Storage Gen2 is optimized for batch analytics, not interactive queries. Azure SQL Database Hyperscale requires explicit schema and index management and is better suited to structured relational workloads.

Azure Data Factory (ADF) Mapping Data Flows are designed for precisely this scenario. ADF offers a visual, code-free authoring experience that lets data engineers build complex transformations such as JSON flattening, joins, aggregations, and look-ups without writing Spark code. Each data-flow execution is run on an automatically provisioned, scaled-out Azure-managed Spark cluster that starts when the job begins and is torn down when the job finishes, so you pay only for the runtime. ADF pipelines supply native scheduling, dependency management, and integration with Azure Monitor for logging and alerting, while the Data Flow canvas provides lineage and monitoring views.

The other options do not fully satisfy the requirements:

• Azure Stream Analytics focuses on streaming data and offers limited support for complex, batch-oriented transformations like multitable joins and JSON hierarchy flattening.
• Azure Logic Apps provide workflow orchestration but lack the scalable data-transformation engine required for large-volume joins and complex data shaping.
• Azure Functions would require substantial custom code for parsing, transformation, scaling, and monitoring, increasing operational overhead rather than reducing it.

Azure Blueprints is designed for governing at scale. It lets architects package Azure Policy definitions, role-based access control assignments, resource group structures, and ARM templates into a single reusable blueprint. Blueprints are versioned, so updates can move through development, test, and production rings, and a single assignment applies the entire package to a subscription. An initiative assigned at a management group would only deploy policies and lacks integrated RBAC, template deployment, and versioning. Microsoft Defender for Cloud's regulatory compliance dashboard reports on compliance posture but does not deploy or version governance artifacts. Azure Advisor delivers optimization suggestions rather than enforceable compliance controls.

Azure Event Grid is designed for large-scale, serverless, event-driven architectures. It delivers events in near real time with an at-least-once guarantee, automatically manages infrastructure, and offers built-in integrations with many Azure services-including Storage, IoT Hub, and custom topics-simplifying the onboarding of new event sources. Event Grid supports fan-out by allowing multiple event handlers to subscribe to the same topic and provides subject and advanced filtering to route events only to interested subscribers.

Azure Service Bus topics can broadcast messages to multiple subscriptions, but Service Bus is optimized for enterprise messaging scenarios that require ordered, state-full messages rather than lightweight publish/subscribe events, and it does not natively integrate with diverse Azure service events without additional code. Azure Event Hubs focuses on high-throughput data ingestion for streaming analytics, not generalized event routing with filtering. Azure Notification Hubs targets mobile push notifications and is not intended to act as an event backbone for microservices. Therefore, Azure Event Grid with a custom topic best meets all stated requirements.

Azure Site Recovery (ASR) can continuously replicate an Azure VM to another Azure region with an effective RPO measured in minutes, easily meeting the 15-minute requirement. However, ASR replicas are crash-consistent images of the entire VM and do not provide item-level recovery. Enabling Azure Backup on the same VMs adds daily application-consistent backups that support file-level restore. Using ASR together with Azure Backup therefore satisfies both the aggressive RPO for full-VM recovery and the need to restore individual files, while remaining fully managed by Azure. The other options fail to meet one or more requirements: Azure Backup alone cannot deliver a 15-minute RPO; ASR alone lacks file-level recovery; and a custom Automation-driven snapshot strategy introduces extra management overhead and does not provide built-in file recovery.

Read-access geo-redundant storage (RA-GRS) keeps three synchronous copies in the primary region and maintains asynchronous geo-replication of another three copies to a paired secondary region. Because the secondary endpoint is readable at all times, applications can switch to it automatically or manually if the primary region is unavailable, providing up to 99.99 percent read availability. Writes still occur only in the primary region, so application latency and cost remain lower than options such as geo-zone-redundant storage (GZRS) or read-access GZRS, which add zone-level replication and higher pricing. Zone-redundant storage (ZRS) protects only against single-zone failures within one region, and standard GRS does not allow reads from the secondary until after a failover. Therefore, RA-GRS is the appropriate choice.

Configuring the database in the Business Critical service tier with zone redundancy enables SQL Database's built-in quorum-based high-availability architecture to place multiple synchronous replicas across three availability zones in the same region. Automatic failover occurs transparently with no data loss, the SLA increases to 99.995 percent, and the existing connection string remains valid because the listener endpoint does not change.

Active geo-replication or auto-failover groups replicate asynchronously to another region, provide only a 99.99 percent intra-region SLA, and may require updating endpoints. Deploying SQL Server on Azure VMs inside an availability set achieves just a 99.95 percent SLA and imposes full infrastructure and patching management responsibilities.

Azure Container Apps is a fully managed service that runs containers on an Azure-managed Kubernetes environment yet hides cluster management from developers. It supports event-driven horizontal scaling with KEDA, including scaling to zero when workloads are idle, and offers native integration with the Dapr runtime for service invocation and pub/sub. Azure Kubernetes Service also supports KEDA and Dapr but still requires customers to operate and secure the cluster and cannot completely eliminate baseline node costs. Azure App Service for Containers and Azure Container Instances do not provide Dapr integration or scale-to-zero capabilities. Therefore, Azure Container Apps best meets all stated requirements.

Pass-through Authentication (PTA) with Seamless Single Sign-On allows Azure AD to validate a user's password against on-premises Active Directory through outbound-only HTTPS requests from lightweight authentication agents. This removes the need for AD FS servers and does not require exposing inbound ports. Because authentication is handled by Azure AD, Conditional Access policies and multifactor authentication can be applied to cloud apps.

Password Hash Synchronization would meet cloud sign-in requirements but would not satisfy organizations that want on-premises password validation, and it cannot enforce on-premises sign-in policies in real time. Continuing with AD FS keeps the infrastructure you are asked to retire and still requires inbound access to the federation servers. Azure AD Domain Services provides domain join and LDAP/Kerberos for Azure VMs but is not intended to replace user sign-in flows to Microsoft 365 or SaaS applications. Therefore, implementing Azure AD Pass-through Authentication with Seamless SSO is the most appropriate solution.

Azure SQL Database automatically retains short-term, point-in-time backups for up to 35 days, satisfying the 30-day requirement. By enabling the built-in long-term retention (LTR) policy, weekly full backups are copied to cost-effective Azure Blob Storage and can be kept for as long as 10 years, meeting the compliance mandate with minimal administrative overhead. Active geo-replication and auto-failover groups address availability but do not provide decade-long backup retention. Using the Azure Backup agent or manual BACPAC exports would introduce additional operational effort and higher costs compared to the managed LTR feature.

Because the company needs to move hundreds of terabytes within a short time frame and cannot rely on limited bandwidth, an offline seeding approach is required. Azure Data Box Heavy is a Microsoft-managed ruggedized appliance that can transfer up to 1 PB of data per order and is designed specifically for large, one-time bulk moves to Azure Storage. Azure File Sync and Azure Data Box Gateway depend on the existing network, which would take several months to move 800 TB over a 200 Mbps link. Copying over ExpressRoute with AzCopy also relies on network bandwidth and would exceed the four-week window even with a dedicated 200 Mbps circuit. Therefore, Azure Data Box Heavy is the most suitable choice.

Assigning an Azure Policy initiative at the management group level lets you bundle multiple policy definitions-such as allowed SKUs and required encryption-and apply them to every subscription contained in that management group. All existing and newly created subscriptions that move under the production management group will automatically inherit the policy assignments, and compliance data is aggregated at the management group scope. Assigning at resource-group scope would require ongoing manual work and yield fragmented reporting. Blueprints would still need to be applied to each subscription and do not automatically affect future subscriptions. RBAC custom roles control permissions but cannot enforce configuration settings such as storage account SKU or encryption.

Azure Database Migration Service (DMS) supports online migrations from SQL Server to Azure SQL Managed Instance. In an online migration, DMS sets up continuous data replication while the source database remains fully operational, enabling validation and testing on the target. When ready, a brief cutover stops replication, applies any final changes, and redirects clients-typically achievable in well under 30 minutes.

Exporting a 4-TB database to a BACPAC would require extended downtime for export, transfer, and import. Transactional replication to Managed Instance is supported but involves complex configuration and manual fail-over steps, making it less suitable for a streamlined, Microsoft-managed process. Log shipping cannot restore to a Managed Instance, and upgrading a SQL Server VM does not convert it to a managed PaaS offering.