Microsoft Azure Solutions Architect Expert Practice Test (AZ-305)

Using a least-privilege model, you should grant only the restart permission and make it time-bound. Creating a custom Azure RBAC role that includes the single management actions Microsoft.Web/sites/restart/action and Microsoft.Web/sites/stop/action meets the permission scope requirement. Assigning that role through Azure AD Privileged Identity Management as an eligible role allows each engineer to activate it only when needed, for a configured maximum of two hours, and records every activation for audit. The built-in Website Contributor role grants many additional write permissions, violating least privilege, and assigning it permanently would not be time-bound. Azure Policy can enforce or deny resource configurations but does not grant operational permissions. A user-delegation SAS token applies to storage resources and cannot restart App Service instances.

Azure SQL Database in the Hyperscale service tier is purpose-built for very large and quickly growing databases. Hyperscale supports up to 100 TB of storage that expands automatically as data is inserted, so no manual size-increase operations or data migrations are required. It can provision as many as 30 named read-scale replicas, which can be added or removed in minutes to provide rapid, non-blocking compute scale-out for read-intensive workloads. General Purpose serverless tops out at 4 TB and offers no read replicas. Managed Instance Business Critical provides only a single built-in read-only replica and allows a maximum of 8 TB per database. The Premium tier of single databases is limited to 4 TB (and uses geo-replication primarily for DR, not fast scale-out) and therefore cannot accommodate growth beyond 15 TB. Consequently, Hyperscale is the only option that satisfies both the storage and read-scale requirements.

Azure AD entitlement management lets administrators bundle multiple resources-such as Teams, SharePoint sites, and Azure AD groups-into one access package that internal or external users can request through a self-service portal. Each package supports expiration settings (for example, 60 days) and can trigger periodic access reviews that ask project owners to re-confirm user access. Conditional Access policies only enforce sign-in conditions, not packaging or lifecycle governance. Privileged Identity Management governs privileged roles, not general resource access for guests. Azure AD B2C focuses on consumer sign-up/sign-in, not enterprise collaboration governance. Therefore, entitlement management best meets all requirements with minimal ongoing administration.

Azure SQL Database in the Hyperscale service tier is the best fit. Hyperscale supports up to 128 TB for a single database and can add or remove compute replicas in roughly a minute because replicas share the same distributed storage layer, so no data movement is involved. It is a fully managed PaaS offering and includes automated snapshot-based backups with a configurable point-in-time restore window of 1-35 days (7 days by default).

General Purpose elastic pools are limited to 1 TB per database, so they cannot accommodate the current or projected size. Azure SQL Managed Instance Business Critical supports up to 16 TB and allows online compute scaling, but adding vCores typically takes longer than a few minutes and incurs a brief connectivity interruption; it therefore does not meet the rapid, promotion-driven burst requirement as well as Hyperscale. Running SQL Server on an Azure VM could provide the required capacity, but it is an IaaS solution that lacks the fully managed PaaS benefits the scenario requires.

A single, centrally located Log Analytics workspace allows administrators to run Kusto queries across all data regardless of the originating subscription. Setting the workspace's default retention to 90 days keeps frequently queried data in the hot tier. Enabling the Log Analytics archive tier for data older than 90 days preserves the full seven-year history at a fraction of the cost of hot retention and supports on-demand restoration within hours, which satisfies the relaxed access-time requirement.
Deploying separate workspaces per subscription with seven-year hot retention would be far more expensive and would complicate cross-subscription queries. Streaming directly to Event Hubs or only exporting to Azure Storage removes the ability to perform ad-hoc Kusto queries without additional services. Therefore, the central workspace plus archive tier best meets all consolidation, retention, querying, and cost goals.

The Cool access tier in a General Purpose v2 storage account is optimized for data that is infrequently accessed but must be available for immediate retrieval, with lower storage costs than the Hot tier and no rehydration delay like the Archive tier. Locally redundant storage (LRS) provides 11 nines (99.999999999 %) durability within a single region and is the least-expensive redundancy option. Therefore, choosing a GPv2 account with LRS and storing the blobs in the Cool tier best balances durability, performance, and cost. The Hot tier costs more to store data, Premium block blob targets low-latency workloads at higher prices, and using Archive plus GRS adds both retrieval delay and unnecessary replication expense.

Azure Container Apps is designed for containerized microservices and APIs that need HTTP ingress, automatic event-driven scaling (including scale to zero), and no direct virtual-machine administration. It can run containers for long-running requests well beyond the execution limits imposed by the Azure Functions Consumption plan. Azure App Service always keeps at least one instance running and therefore cannot scale to zero. Azure Functions on a Consumption plan scales to zero but imposes an execution timeout that is too short for a one-hour workload unless you move to the Premium plan, which still maintains warm instances. Azure Kubernetes Service can meet the technical requirements but requires cluster management that the operations team wants to avoid. Therefore, Azure Container Apps best satisfies all stated constraints.

Diagnostic settings are the Azure-native mechanism for routing platform and resource logs. A single diagnostic setting can simultaneously send the same log stream to up to five destinations, including a Log Analytics workspace and an Event Hub. By deploying an Azure Policy (or initiative) that automatically creates or updates diagnostic settings across all subscriptions, the security team receives the required logs in the central workspace while the SIEM consumes the same data from the Event Hub. Continuous export from Log Analytics is not supported for all log types and adds latency, and the Azure Monitor agent with data collection rules does not cover platform logs. Private link data collection endpoints are used for ingestion isolation, not routing to external systems.

A cloud-only Microsoft Entra ID tenant natively supports modern SAML and OpenID Connect single sign-on, so no on-premises identity infrastructure is required. Enabling Microsoft Entra Domain Services (formerly Azure AD Domain Services) stands up a managed domain that exposes LDAP, Kerberos, and NTLM, allowing the legacy VMs to authenticate without deploying or managing domain controllers. Azure AD B2B guest collaboration lets partner users sign in with their existing Entra ID credentials, meeting the requirement for low-overhead external access. Deploying IaaS-based domain controllers or AD FS keeps server administration responsibilities, conflicting with the goal of retiring infrastructure, and Azure AD B2C targets consumer scenarios, not internal or partner access.

Azure AD Pass-through Authentication (PTA) uses lightweight agents to validate a user's password directly against the on-premises domain controller during sign-in, so no password hashes are ever stored in Azure AD. PTA supports Seamless Single Sign-On, allowing users to authenticate with their existing corporate credentials, and Azure AD Conditional Access can require MFA for all cloud sign-ins. This approach needs only a few agent installations and avoids the extra servers, proxy configuration, and certificate management overhead required by an AD FS farm. Password Hash Synchronization does not meet the requirement to avoid storing hashes in Azure AD, while Azure AD B2C is intended for external identities rather than corporate users. Therefore, implementing PTA with Seamless SSO and Azure AD MFA is the best fit.

A user-assigned managed identity is created as an independent Azure resource that can be attached to multiple Azure compute resources-even across subscriptions-so every AKS cluster (and the pods running on its node pools) can share the same identity. Azure AD automatically maintains and rotates the identity's credentials, so no secrets are stored in the containers and no redeployment is required.

A system-assigned managed identity is created automatically for each AKS cluster and cannot be shared with other clusters. Service principals that rely on client secrets or certificates would require storing and periodically rotating those secrets inside the cluster, violating the stated requirements.

A single Log Analytics workspace can collect diagnostic and activity logs from multiple subscriptions, letting administrators query data across all resources without extra infrastructure. Configuring subscription-level diagnostic settings in each subscription forwards activity logs, while resource- or resource group-level diagnostic settings send resource logs to the same workspace. Setting the workspace's interactive retention to 90 days keeps recent data in hot storage for fast queries, and enabling the Archive tier with seven-year retention stores older data at lower cost. Azure Monitor alert rules can run Kusto queries directly against the workspace for near-real-time alerting. Approaches that rely on Event Hubs with SQL, standalone Azure Data Explorer clusters, or raw blob storage plus Sentinel introduce additional components or lack native, low-cost query and alert capabilities, making them less suitable.

Azure platform metrics automatically include the Percentage CPU metric for every virtual machine at one-minute granularity. These metrics are stored in the Azure Monitor metrics store for 93 days at no additional storage cost, satisfying the 90-day trend-analysis requirement. You can create standard (static-threshold) metric alert rules configured to fire when the average Percentage CPU for each VM exceeds 80 percent over a one-minute evaluation period, providing near-real-time notification without any data-ingestion charges. Alternatives that rely on Log Analytics performance counters, VM Insights, or Application Insights would introduce extra ingestion and retention costs or are intended for application telemetry rather than host-level CPU monitoring. Therefore, using built-in platform metrics with static metric alerts is the most cost-effective and requirements-compliant solution.

An Azure SQL Database elastic pool lets many small databases share a pool of compute and memory resources, allowing each database automatically to use more DTUs or vCores during peak demand and relinquish them when idle-ideal for multi-tenant SaaS workloads with unpredictable, offset usage patterns. Selecting the General Purpose vCore service tier provides balanced performance at the lowest price point that supports elastic pools.

Individual serverless databases would remove manual scaling but managing 200 separate deployments increases operational overhead and could cost more than sharing resources in a pool. A single Azure SQL Managed Instance would require consolidating all schemas, offers no per-tenant isolation, and compute is provisioned for the entire instance, not dynamically per database. Hyperscale targets very large databases; putting all data in one database eliminates tenant isolation and incurs higher cost without benefiting small (<10 GB) workloads. Therefore, an elastic pool on the General Purpose vCore tier best meets the cost, scaling, and manageability requirements.

Azure AD Application Proxy can publish on-premises web applications externally while providing Azure AD pre-authentication, including support for Kerberos Constrained Delegation to the backend servers. Because traffic is proxied through an outbound connection initiated by the on-premises connector, no inbound firewall ports or site-to-site networking are required, and Conditional Access policies are enforced before the user reaches the application.
The Point-to-Site VPN option meets the connectivity requirement but violates the mandate to avoid a VPN and would expose more of the network. Azure AD Domain Services does not provide external application publishing or Conditional Access by itself. Migrating the apps to Azure App Service would necessitate significant redevelopment and infrastructure changes, contradicting the requirement to minimize changes on-premises.

Configure an Azure Monitor diagnostic setting in every subscription to stream the Azure Activity log to a central Event Hub namespace and simultaneously archive it to a central storage account that has a lifecycle policy moving data to the Archive tier for two-year retention at minimal cost. In the Azure AD tenant, create a single diagnostic setting that streams Azure AD sign-in logs to the same Event Hub namespace and storage account. Splunk can ingest the near real-time stream from the Event Hub, while the storage account maintains an immutable, low-cost archive. The other options introduce additional cost, latency, or administrative overhead without meeting both the real-time SIEM and long-term retention requirements.

Azure SQL Database elastic pools let you place many individual databases into a single pool that shares a set of vCores and memory. When one or more databases experience a workload spike, they can consume more of the pool's available compute, while idle databases consume very little, keeping overall costs low. Microsoft specifically recommends elastic pools for multi-tenant SaaS scenarios that involve hundreds or thousands of small databases with unpredictable usage patterns.

By contrast:

• Azure SQL Database in the Hyperscale tier provisions compute per database, so each tenant requires its own dedicated resources, increasing costs linearly.
• An Azure SQL Managed Instance provisions compute at the instance level; although databases inside the same instance share resources, scaling to thousands of tenant databases would likely require multiple instances, each incurring its own fixed compute cost, reducing cost efficiency for mostly idle workloads.
• Deploying thousands of separate serverless single databases would eliminate cross-database resource sharing; although each database can auto-pause, you still pay per database and cannot pool compute across tenants.

Therefore, elastic pools best satisfy the requirement for automatic, cost-efficient redistribution of compute across many small, variable-load databases.

Azure AD B2C is designed for business-to-consumer scenarios and includes built-in user flows plus native connectors for popular social identity providers such as Google and Facebook. You can also configure a multi-tenant Azure AD identity provider (or individual single-tenant providers) so that users from any customer's Azure AD tenant can authenticate through the same B2C endpoint. Because Azure AD B2C issues the tokens and manages all user flows, the web application only needs a single OpenID Connect/OAuth 2.0 integration, keeping code changes to a minimum.

Using Azure AD External Identities within a standard Azure AD tenant can allow some social and enterprise logins, but its feature set and customization options are more limited and it is optimized for partner collaboration rather than high-scale consumer scenarios. App Service authentication configured with a single-tenant Azure AD application would block users from other Microsoft Entra tenants and would still require additional configuration effort to add social providers. Azure AD Domain Services targets legacy LDAP/Kerberos requirements and does not address modern web or social authentication needs. Therefore, deploying an Azure AD B2C tenant and configuring both social and Azure AD identity providers is the most suitable choice.

Azure AD entitlement management lets you bundle resource permissions from Microsoft 365 and Azure into an access package that external or internal users can request through a self-service portal. You can configure approval workflows, set assignment expiration periods, and schedule recurring access reviews; the service also keeps a detailed audit trail of who requested, approved, and held each assignment. Privileged Identity Management focuses on Azure role elevation rather than multi-resource collaboration bundles; a standalone access review on a group does not provide self-service requests or automatic assignment on approval; dynamic groups with expiration policies cannot incorporate approvals or capture audit trails across heterogeneous resources. Therefore, entitlement management best meets all stated requirements with the least ongoing administration.

A dedicated Log Analytics workspace in a separate management subscription provides a single, durable location for logs that is unaffected if other subscriptions or resources are deleted. Subscription-level diagnostic settings can forward both Azure Activity Logs and resource diagnostic logs directly to this workspace. By assigning an Azure Policy initiative that automatically deploys and configures these diagnostic settings to any current or future subscription, you avoid manual per-subscription configuration and ensure consistent onboarding. The workspace's retention can be set to 730 days, meeting the compliance requirement. The other options either scatter logs across multiple storage accounts, rely on on-premises infrastructure, or use Application Insights (which is intended for application telemetry, not comprehensive platform logging) and therefore fail to meet centralization, durability, or administrative-effort requirements.