Azure Expert Solutions Architect

5/4/2025

Exam AZ-305 Overview

  • Audience: Experienced Azure professionals with prior knowledge of Azure administration (AZ-104).
  • Certification: Part of earning the Microsoft Certified: Azure Solutions Architect Expert certification.
  • Skills Measured (as of current blueprint):
    1. Design Identity, Governance, and Monitoring Solutions (25–30%)
      • Azure AD (B2B, B2C, hybrid identity)
      • Role-Based Access Control (RBAC), Conditional Access
      • Monitoring via Azure Monitor, Log Analytics, Azure Sentinel
    2. Design Data Storage Solutions (20–25%)
      • Structured/unstructured storage design (Blob, Data Lake, SQL, Cosmos DB)
      • Backup, disaster recovery, data archiving
      • Access control and data redundancy
    3. Design Business Continuity Solutions (10–15%)
      • High availability and disaster recovery strategies
      • Backup and restore, Azure Site Recovery
      • Resilient workload architecture
    4. Design Infrastructure Solutions (30–35%)
      • Networking (VNet, NSGs, Load Balancers, DNS)
      • Compute (VMs, App Services, containers, AKS)
      • Hybrid and multi-cloud integration

AZ-305 Prerequisites

This exam is not for beginners. It assumes real-world experience with Azure infrastructure and services. Below are the recommended prerequisites:

1. Certification Prerequisite

  • Must complete Exam AZ-104 (Microsoft Azure Administrator) or have equivalent knowledge.

    • Covers core services: compute, storage, networking, identity, and governance.
    • Exam link: AZ-104 Exam Overview

2. Hands-On Experience

You should be confident in designing and implementing solutions in the following areas:

Area          Required Knowledge
Compute       VMs, App Services, Azure Kubernetes Service
Networking    VNet, VPN, ExpressRoute, Load Balancer, DNS
Storage       Blob, File, Disk, and performance tiers
Security      RBAC, Azure AD, Conditional Access, Key Vault
Monitoring    Azure Monitor, Log Analytics, alerts
Backup & DR   Azure Backup, Site Recovery, availability zones
Identity      Hybrid identity, Azure AD Connect, SSO
Governance    Azure Policy, Blueprints, Cost Management

Prerequisites

When designing Azure solutions — particularly for the AZ-305 certification — it’s essential to first understand how Azure is built and organized. This includes the physical infrastructure (regions, datacenters, and network) and the management structure (how resources are controlled, secured, and organized). This guide offers a breakdown of the key concepts, structured to help both exam preparation and real-world Azure usage.

Azure Regions, Region Pairs, and Datacenters

Azure Regions

Azure operates in multiple geographic regions, each consisting of one or more datacenters. These regions are strategically located around the globe to provide low-latency performance, data residency compliance, and geographic redundancy for customers.

  • Examples: West Europe, East US, Southeast Asia.
  • Some regions, such as North Europe and West Europe, are paired for disaster recovery and backup purposes.

Sovereign Regions

Azure also offers Sovereign Regions, tailored for specific governments or organizations with stringent regulatory requirements:

  • Azure Government (US)
  • Azure China (operated by 21Vianet)

These regions operate separately from the public Azure network, offering services that comply with specialized data residency and regulatory laws.

Region Pairs

Azure regions are always paired with another region within the same geography. Key benefits include:

  • High Availability: Ensures data replication between paired regions for improved availability.
  • Staggered Updates: Reduces downtime by rolling out updates to each region separately.
  • Durability: Data replication in services like Azure Storage ensures durability.

👉 Learn more about Azure regions and region pairs


Azure Datacenters

Azure regions consist of datacenters — large-scale facilities housing servers, storage, and networking equipment. Key characteristics of Azure datacenters:

  • Physical security: Biometric access controls, surveillance, and fencing ensure physical protection.
  • Redundancy: Multiple power supplies and network paths safeguard against failures.
  • Environmental controls: Temperature and humidity are strictly monitored to ensure optimal conditions.
  • Compliance: Azure datacenters adhere to standards like ISO 27001, SOC 1/2/3, and PCI DSS, ensuring they meet industry best practices for security and compliance.

These datacenters form the foundation of Azure’s global cloud infrastructure, ensuring both reliability and performance.


Availability Zones

Availability Zones are distinct datacenters within a single Azure region, designed to increase the reliability and availability of applications and data. Key features:

  • Failure isolation: A failure in one zone does not impact other zones within the same region.
  • Replication: Data and applications can be replicated across zones for higher availability.

Each zone operates with:

  • Independent power and cooling systems.
  • Independent networking and isolation from other zones.

Common usage scenarios:

  • Deploying zone-redundant VMs to ensure high availability.
  • Running geo-redundant databases.
  • Hosting load-balanced web apps across zones.

👉 What are Availability Zones?


Azure Resources and Resource Groups

Resources

In Azure, a resource is any Azure service you use, including:

  • Virtual Machines
  • Azure SQL Databases
  • Storage Accounts
  • Virtual Networks
  • App Services

These resources are the building blocks that you manage, monitor, and secure within Azure.

Resource Groups

A Resource Group is a logical container for related Azure resources.

Key benefits:

  • Simplifies deployment and management: Resources within a group can be managed collectively.
  • Access Control: Role-Based Access Control (RBAC) can be applied to the resource group as a whole.
  • Cost Tracking: Grouping resources helps in tracking costs effectively.

Best practice: Group resources based on their lifecycle. For example, group a web app, its database, and the associated networking components together.

👉 Learn how to manage Resource Groups


Subscriptions

An Azure Subscription serves as the container for Azure resources and is closely tied to the following:

  • Billing: Tracks the cost of resources used.
  • Service Limits and Quotas: Defines the maximum resources available within the subscription.
  • Access Permissions: Specifies who has access to resources within the subscription.

You can create separate subscriptions to organize resources by teams, projects, or environments (e.g., development, test, production).

Benefits of using separate subscriptions:

  • Workload Isolation: Keep production workloads separate from development or testing.
  • Policy Enforcement: Apply different policies and quotas per subscription.
  • Cost Management: Assign different billing accounts or cost centers for better cost control.

👉 Explore Azure Subscriptions


Management Groups

In enterprise environments, managing multiple subscriptions is streamlined through Management Groups.

Key Functions:

  • Organize Subscriptions: Group multiple subscriptions logically.
  • Governance: Apply policies and RBAC roles across multiple subscriptions.
  • Security & Compliance: Ensure organizational compliance and security standards.

For example:

  • A Production management group might include all production subscriptions, with stricter governance and security policies.
  • A Dev/Test management group might include less restrictive settings to support agile development.

👉 Learn about Management Groups


Azure Management Hierarchy

Azure resources are organized into a hierarchical structure that includes:

  1. Management Groups: High-level organizational units.
  2. Subscriptions: Containers for resources and billing.
  3. Resource Groups: Logical containers for related resources.
  4. Resources: Individual services and components you manage.

This hierarchy enables you to organize resources efficiently, apply governance policies, and maintain a secure, compliant environment across multiple subscriptions and regions.


Design Identity Governance

Welcome! These are my personal notes about how to design governance solutions in Azure, especially useful if you’re preparing for the AZ-305 exam. Think of Azure governance as the rules and guardrails that keep your cloud environment secure, organized, and running smoothly.

What Is Azure Governance?

Simply put, governance means setting up clear rules and processes to manage your Azure resources effectively. It’s like creating company policies for how your cloud environment should be used and maintained. Azure gives you a structure to organize and apply these rules at different levels, so you can manage everything from a high level or down to individual resources.

The main tools we’ll talk about here are Azure Policy and Resource Tags.

Understanding Azure’s Structure

Before setting rules, it helps to know how Azure organizes everything:

  • Tenant Root Group: The top-level container for your entire Azure environment, linked to your company’s Azure Active Directory.
  • Management Groups: Containers that group multiple subscriptions so you can apply policies and permissions across them all.
  • Subscriptions: Logical units that contain your resources. They’re also billing boundaries.
  • Resource Groups: Containers where you group related resources (like virtual machines, databases) that share the same lifecycle.
  • Resources: The actual services you use, like VMs, storage, or apps.

Policies and permissions applied higher in this hierarchy flow down to the levels below.

Management Groups — Why They Matter

Management groups help you manage many subscriptions at once. For example, you can apply security policies or access rules to all sales-related subscriptions in one place.

Tips for Management Groups:

  • Keep your hierarchy simple — usually 3-4 levels deep is enough.
  • Group subscriptions by departments or regions for easy management.
  • Create special groups for production environments, sandboxes, or sensitive data.
  • Use management groups to apply policies and permissions efficiently.

Using Resource Tags

Tags are labels (like key-value pairs) you add to your Azure resources to help organize and manage them.

Examples of tags:

  • Environment = Production
  • Owner = JohnDoe
  • CostCenter = Finance

Why use tags?

  • Track costs by department or project
  • Find resources quickly
  • Enforce policies based on tags

Start with a few important tags and use Azure Policy to make sure they’re always applied.

Azure Policy — Your Rule Enforcer

Azure Policy lets you create rules that ensure your resources follow your company’s standards. For example, you can:

  • Block resources being created in disallowed regions
  • Require certain tags on resources
  • Automatically fix noncompliant resources

You assign policies at different levels (management groups, subscriptions, or resource groups), and Azure checks if resources comply. If not, it can block actions or just flag the issues for review.

Role-Based Access Control (RBAC) — Who Can Do What

RBAC controls who can access Azure resources and what they can do with them. You assign roles like Owner, Contributor, or Reader to users or groups, at different levels in the hierarchy.

Key points:

  • RBAC answers the question: Who can do what?
  • Azure Policy answers: Are resources configured properly?
  • Use both together for strong governance.

Subscriptions — Organizing Your Azure Environment

Subscriptions are where your Azure resources live and how your costs are tracked. You might have separate subscriptions for development, testing, and production to keep things organized.

When designing subscriptions:

  • Align them with your teams or business units.
  • Group them under management groups for easier policy and access control.
  • Consider a shared subscription for common services like networking or security.
  • Be aware of Azure service limits per subscription to avoid bottlenecks.

Resource groups help you manage resources that share a common lifecycle, like all the components of an app’s production environment. When you delete a resource group, all resources inside get deleted too — so use this wisely.

Azure Landing Zones — Your Cloud Foundation

An Azure landing zone is a pre-configured environment with all the basics ready: networking, security, monitoring, and policies. Think of it like a well-prepared building site with utilities ready before construction begins.

Landing zones help you:

  • Scale your cloud environment
  • Keep everything consistent and secure
  • Support both migrating existing apps and building new cloud-native ones

Use Infrastructure as Code tools to set up landing zones so you can automate, version, and repeat the process easily.

Case Study #1

Nadirarfi Inc. is an engineering company with offices throughout Europe. The company has a main office in Paris, and branch offices in London, Sweden, and Rome.

Active Directory Environment

The network contains two Active Directory forests:

  • corp.nadirarfi.com (production forest)
  • rd.nadirarfi.com (used only for the Research and Development (R&D) department).

There are no trust relationships between the forests, and corp.nadirarfi.com is used for internal user and computer authentication. The rd.nadirarfi.com forest is restricted to on-premises resources only.

Network Infrastructure

Each office has at least one domain controller from the corp.nadirarfi.com domain, with the main office containing all domain controllers for the rd.nadirarfi.com forest. All offices are connected with a high-speed connection to the internet.

An existing application, WebApp1, is hosted in the Paris office’s data center. WebApp1 is used by customers to place and track orders. It has:

  • Web tier using IIS.
  • Database tier running SQL Server 2016 on virtual machines in a Hyper-V environment.

Problem Statement

  • The use of WebApp1 is unpredictable. During peak times, users report delays, and during off-peak times, resources are underutilized.

Planned Changes

  • Nadirarfi Inc. plans to move most of its production workloads to Azure over the next few years.
  • The company is planning a hybrid identity model for Microsoft Office 365 deployment, while R&D operations will remain on-premises.
  • The initial project involves migrating the production and test instances of WebApp1 to Azure.

Technical Requirements

  • Website content must be easily updated from a single point.
  • User input must be minimized when provisioning new app instances.
  • Whenever possible, existing on-premises licenses should be used to reduce cost.
  • Users must always authenticate using their corp.nadirarfi.com UPN identity.
  • New deployments to Azure must be redundant in case an Azure region fails.
  • Solutions should be deployed using Platform as a Service (PaaS) wherever possible.
  • An email distribution group named IT Support must be notified of any directory synchronization issues.
  • Directory synchronization between Azure Active Directory (AAD) and corp.nadirarfi.com should not be impacted by a link failure between Azure and on-premises.

Database Requirements

  • Database metrics for WebApp1’s production instance should be available for performance analysis and optimization.
  • Database downtime during migration should be minimized to avoid disrupting customer access.
  • Database backups should be retained for a minimum of seven years to meet compliance requirements.

Security Requirements

  • Company information, including policies, templates, and data, should remain inaccessible to anyone outside the company.
  • Users on the on-premises network must be able to authenticate to corp.nadirarfi.com if the internet link fails.
  • Administrators should be able to authenticate to the Azure portal using corp.nadirarfi.com credentials.
  • All administrative access to the Azure portal must be secured with multi-factor authentication (MFA).
  • The testing of WebApp1 updates must not be visible to anyone outside the company.

Questions & Answers

1. What should you include in the identity management strategy to support the planned changes?

Options:

  • A. Move all the domain controllers from corp.nadirarfi.com to virtual networks in Azure.
  • B. Deploy domain controllers for corp.nadirarfi.com to virtual networks in Azure.
  • C. Deploy a new Azure AD tenant for the authentication of new R&D projects.
  • D. Deploy domain controllers for the rd.nadirarfi.com forest to virtual networks in Azure.

Answer:

  • B. Deploy domain controllers for corp.nadirarfi.com to virtual networks in Azure.

Explanation: Deploying domain controllers for corp.nadirarfi.com to Azure allows for hybrid identity and low-latency authentication. This meets the need to extend the corporate identity to Azure, ensuring consistent authentication across cloud and on-premises services. The R&D department will remain on-premises and does not need Azure integration.


2. What should you recommend for migrating the database content of WebApp1 to Azure?

Options:

  • A. Use Azure Site Recovery to replicate the SQL servers to Azure.
  • B. Use SQL Server transactional replication.
  • C. Copy the BACPAC file that contains the Azure SQL database file to Azure Blob storage.
  • D. Copy the VHD that contains the Azure SQL database files to Azure Blob storage.

Answer:

  • C. Copy the BACPAC file that contains the Azure SQL database file to Azure Blob storage.

Explanation: The BACPAC file is the correct way to migrate an Azure SQL database as it enables both database schema and data migration to Azure. This method minimizes downtime and can be used to import the database into Azure SQL Database.


3. What is the minimum number of Azure AD tenants needed for Nadirarfi Inc.?

Options:

  • A. 1
  • B. 2
  • C. 3
  • D. 4

Answer:

  • A. 1

Explanation: Nadirarfi Inc. only needs 1 Azure AD tenant for managing users, including both corp.nadirarfi.com and Azure AD identities. There is no need for a second tenant since both corporate identities and Azure-based services can be managed in a single Azure AD tenant.


4. What should you recommend for the web tier of WebApp1 to minimize resource underutilization during off-peak times?

Options:

  • A. Create a runbook that resizes virtual machines automatically to a smaller size outside of business hours.
  • B. Configure the Scale Up settings for a web app.
  • C. Deploy a virtual machine scale set that scales out on a 75 percent CPU threshold.
  • D. Configure the Scale Out settings for a web app.

Answer:

  • D. Configure the Scale Out settings for a web app.

Explanation: Scaling out allows Azure to automatically add instances of the web app to handle increased traffic during peak times. This prevents underutilization of resources when traffic is low and ensures that resources are allocated efficiently.


5. What is the solution to meet the database retention requirement for Nadirarfi Inc.?

Options:

  • A. Configure a long-term retention policy for the database.
  • B. Configure Azure Site Recovery.
  • C. Configure geo-replication of the database.
  • D. Use automatic Azure SQL Database backups.

Answer:

  • A. Configure a long-term retention policy for the database.

Explanation: Long-Term Retention (LTR) policies are specifically designed to store Azure SQL Database backups for up to 10 years. This meets the 7-year retention requirement for compliance purposes. Geo-replication and automatic backups do not offer the long-term retention needed.


6. What should you recommend as a notification solution for the IT Support distribution group?

Options:

  • A. Azure Network Watcher
  • B. An action group
  • C. A SendGrid account with advanced reporting
  • D. Azure AD Connect Health

Answer:

  • D. Azure AD Connect Health

Explanation: Azure AD Connect Health is specifically designed to monitor directory synchronization services and can be configured to send notifications about synchronization issues to the IT Support distribution group. This meets the requirement of notifying the IT Support team about directory synchronization problems.


Options:

  • A. Configure Azure AD Connect with staging mode
  • B. Use Azure AD Connect cloud sync
  • C. Deploy additional domain controllers in Azure
  • D. Configure Azure AD Connect with additional sync servers

Answer:

  • B. Use Azure AD Connect cloud sync

Explanation: Azure AD Connect cloud sync provides resilience to network link failures by allowing synchronization to continue even when the on-premises network connection is disrupted. This meets the case study requirement that “Directory synchronization between Azure Active Directory (AAD) and corp.nadirarfi.com should not be impacted by a link failure between Azure and on-premises.”

Conclusion

This case study focuses on Azure migrations, hybrid identity management, and database migration strategies. The goal is to ensure that Nadirarfi Inc. can smoothly migrate to Azure, maintain secure access and compliance, and optimize the use of resources. By leveraging Azure’s PaaS offerings and long-term retention policies, the company can achieve its technical and business goals efficiently.


Case Study #2

  • Company: nadirarfi, Inc.
  • Industry: Medium-sized finance company
  • Main Office: London
  • Focus: Finance services requiring high compliance and data security

Existing Environment - Detailed

Identity Environment

  • Active Directory forest named nadirarfi.com (on-premises)
  • Azure AD tenant named nadirarfi.com (cloud identity)
  • Second Azure AD tenant named dev.nadirarfi.com (isolated development environment)
  • Azure AD Connect: Currently synchronizing identities between on-premises AD and Azure AD
  • Licensing: All users have Azure AD Premium P2 licenses (includes advanced security features like PIM, Identity Protection, etc.)
  • Conditional Access Policy:
    • Policy name: capolicy1
    • Requirement: Users managing production environments via Azure portal must connect from hybrid Azure AD-joined devices
    • Scope: Production environment management
    • No MFA requirement currently configured in this policy

Azure Environment

  • Production Tenant (nadirarfi.com):
    • 10 Azure subscriptions
    • Used for all production workloads
  • Development Tenant (dev.nadirarfi.com):
    • 5 Azure subscriptions
    • Isolated environment for development and testing
  • Subscription Management:
    • All 15 subscriptions are part of an Enterprise Agreement (EA)
    • Consolidated billing and management
  • Custom RBAC Role:
    • Role name: Role1
    • Permissions: DataActions read permission to blobs and files in Azure Storage
    • Scope: Currently not clearly defined across all subscriptions
  • Network Connectivity:
    • ExpressRoute circuit connecting on-premises to Azure
    • High-bandwidth, low-latency private connection

On-premises Infrastructure (Detailed)

Linux Environment

  • Servers: SERVER1, SERVER2, SERVER3
  • OS: Ubuntu 18.04 LTS
  • Virtualization: Running as virtual machines on Hyper-V
  • Application: Third-party app named App1
  • App1 Details:
    • Purpose: Not explicitly stated but critical to business operations
    • Data Storage: External Apache Hadoop-compatible storage solution
    • Authentication: POSIX access control list (ACL) with file-level permissions
    • Current Challenges: Sharing physical hardware with other workloads

Windows Environment

  • Server: SERVER10
  • OS: Windows Server 2016
  • Database: Microsoft SQL Server instance
  • Databases:
    • DB1: Purpose and size not specified, but business-critical
    • DB2: Purpose and size not specified, but business-critical
    • No current high availability configuration mentioned

Planned Changes - Implementation Details

Database Migration

  • Target: Migrate DB1 and DB2 to Azure
  • Considerations:
    • Minimizing downtime during migration
    • Preserving data integrity
    • Implementing high availability
    • Optimizing performance
    • Maintaining security and compliance
    • Supporting automatic failover
    • Ensuring minimal I/O latency

Application Migration

  • Target: Migrate App1 to Azure virtual machines
  • Infrastructure Approach:
    • Deploy on Azure dedicated hosts (isolated physical servers)
    • Implement across multiple availability zones
    • Configure for auto-scaling
    • Ensure high availability
    • Maintain data integrity and security

Requirements - Technical Details

Authentication and Authorization Requirements

User Authentication

  • Device Requirements:
    • Users managing production must connect from hybrid Azure AD-joined devices
    • Hybrid Azure AD-joined devices are domain-joined to on-premises AD and registered in Azure AD
    • Provides strong device identity and security posture
  • MFA Requirements:
    • Azure Multi-Factor Authentication required for all production environment management
    • Must be integrated with existing conditional access policies
    • Must ensure all users are properly registered

Role-Based Access Control

  • Network Administration:
    • Network Contributor built-in role must be assigned for all virtual networks
    • Must be implemented across all 15 subscriptions
    • Must be assigned at the highest possible scope (management group level) to minimize administrative overhead
  • Storage Account Permissions:
    • Custom Role1 must be used for all storage accounts
    • Must grant read-only permissions to blobs and files
    • Must be applied consistently across all subscriptions

Application Identity

  • App1 Authentication Method:
    • Must use managed identity of host VMs
    • Eliminates need for stored credentials
    • Simplifies secret management
    • Provides automated credential rotation

Resiliency Requirements - Technical Specifications

Database Resiliency (DB1 & DB2)

  • Availability Requirements:
    • Must maintain functionality if two availability zones fail
    • Requires deployment across three or more availability zones
    • Requires active-active or active-passive configuration
  • Failover Specifications:
    • Must support automatic failover without manual intervention
    • Must minimize failover time to maintain service continuity
    • Must ensure data consistency during failover
  • Performance Requirements:
    • Must minimize I/O latency for database operations
    • Requires storage optimized for database workloads
    • May require local SSD or premium storage options

Application Resiliency (App1)

  • Regional Requirements:
    • Must be deployed in an Azure region that supports availability zones
    • Availability zones provide physical and logical separation within a region
  • Scaling Requirements:
    • VMs must support automatic scaling based on demand
    • Scale-out during peak times, scale-in during off-peak
    • Must maintain performance levels during scaling operations
  • Availability Requirements:
    • Must remain available if two availability zones fail
    • Requires deployment across three or more availability zones
    • Must implement appropriate load balancing

Security and Compliance Requirements - Detailed Controls

Data Protection

  • App1 Data Write Controls:
    • New data must be writable to the application
    • Both new and existing data must be protected from modification for 3 years
    • Requires immutable storage with time-based retention policies
    • Must comply with financial data regulations

Network Security

  • Storage Access Requirements:
    • On-premises users and services must have access to Azure Storage for App1
    • Must leverage existing ExpressRoute connection
    • Must not expose storage accounts to the public internet
    • Public endpoint access must be blocked
    • Must implement appropriate private connectivity solution

Database Security

  • Encryption Requirements:
    • All Azure SQL databases in production must have Transparent Data Encryption (TDE)
    • TDE encrypts data at rest
    • Must be automatically enforced through policy
    • Must be verified for compliance

Hardware Isolation

  • App1 Hardware Requirements:
    • Must not share physical hardware with other workloads
    • Requires dedicated hosts in Azure
    • Increases security through physical isolation
    • May help meet specific compliance requirements

Business Requirements - Implementation Strategy

Administrative Efficiency

  • Objective: Minimize administrative effort
  • Approach:
    • Use platform-as-a-service (PaaS) options where possible
    • Implement automation for routine tasks
    • Apply policies at highest possible scope
    • Leverage managed services to reduce operational overhead
    • Configure auto-scaling to reduce manual intervention
    • Implement comprehensive monitoring and alerting

Cost Optimization

  • Objective: Minimize costs
  • Strategies:
    • Leverage existing licenses where applicable
    • Implement right-sizing for cloud resources
    • Use reservation-based pricing for predictable workloads
    • Configure auto-scaling to reduce resource wastage
    • Select appropriate service tiers based on requirements
    • Optimize storage usage and retention policies

Exam Questions, Options, and Solutions

Q1: Azure MFA Configuration

Question: You need to ensure that users managing the production environment are registered for Azure MFA and must authenticate by using Azure MFA when they sign in to the Azure portal. The solution must meet the authentication and authorization requirements. What should you do?

Options:

  • Box 1 Options:
    • Security defaults in Azure AD
    • Per-user MFA in MFA management UI
    • Azure AD Identity Protection
  • Box 2 Options:
    • Grant control in capolicy1
    • Session control in capolicy1
    • Sign-in risk policy

Answer:

  • Box 1: Azure AD Identity Protection
  • Box 2: Sign-in risk policy

Technical Implementation:

  1. Configure Azure AD Identity Protection to identify users who haven’t registered for MFA
  2. Create a Conditional Access policy requiring MFA registration
  3. Implement sign-in risk policies to enforce MFA during authentication to the Azure portal
  4. Ensure both policies work together with existing capolicy1

Q2: Network Connectivity for App1 Storage

Question: You plan to migrate App1 to Azure. You need to recommend a network connectivity solution for the Azure Storage account that will host the App1 data. The solution must meet the security and compliance requirements. What should you include in the recommendation?

Options:

  • A. A private endpoint
  • B. A service endpoint that has a service endpoint policy
  • C. Azure public peering for an ExpressRoute circuit
  • D. Microsoft peering for an ExpressRoute circuit

Answer: A. A private endpoint

Technical Details:

  • Implementation:
    • Creates a private IP address for the storage account within the VNet
    • Associates the private IP with the Azure Storage account
    • Configures DNS to resolve the storage account name to the private IP
  • Network Architecture:
    • Storage traffic remains on the Microsoft backbone network
    • No exposure to the public internet
    • Accessible from on-premises via ExpressRoute private peering
    • Accessible from Azure VMs in the same or peered VNets

Q3: Managed Identity Token Access for App1

Question: You plan to migrate App1 to Azure. The solution must meet the authentication and authorization requirements. Which type of endpoint should App1 use to obtain an access token?

Options:

  • A. Azure Instance Metadata Service (IMDS)
  • B. Azure AD
  • C. Azure Service Management
  • D. Microsoft identity platform

Answer: A. Azure Instance Metadata Service (IMDS)

Technical Implementation:

  • Token Request Process:
    • App1 makes a REST API call to http://169.254.169.254/metadata/identity/oauth2/token
    • Includes the resource it needs access to (e.g., Azure Storage)
    • IMDS returns an access token bound to the VM’s managed identity
    • App1 uses this token in API calls to Azure services
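
The token request described above, as an added example that is not part of the original notes and not App1's own code: it builds the IMDS request, parses the response, and decides when to refresh. The HTTP call sits behind an `opener` parameter, and `SampleImds` is a constructed stand-in so the flow runs off a VM; the audience URI for Azure Storage and the `Metadata: true` header requirement are real IMDS behaviour.

```python
"""Added example (not from the original notes): how a workload such as App1
asks the Azure Instance Metadata Service (IMDS) for a managed-identity token.
The HTTP call is isolated behind an `opener` parameter so the logic can be
exercised offline against a constructed sample response."""
import json
from typing import Optional
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Link-local endpoint reachable only from inside the VM itself.
IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
STORAGE_RESOURCE = "https://storage.azure.com/"   # token audience for Azure Storage


def build_token_request(resource: str, client_id: Optional[str] = None) -> Request:
    """Build the GET request IMDS expects.

    `resource` is the token audience (the service App1 will call). `client_id`
    selects a user-assigned identity; leave it out to use the VM's
    system-assigned identity. The `Metadata: true` header is mandatory: IMDS
    rejects requests without it, which is what stops token theft through
    components that can forward a URL but cannot set request headers.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return Request(f"{IMDS_TOKEN_ENDPOINT}?{urlencode(params)}",
                   headers={"Metadata": "true"}, method="GET")


def parse_token_response(body: str) -> dict:
    """Validate the JSON IMDS returns and normalise `expires_on` to an int epoch."""
    data = json.loads(body)
    missing = [k for k in ("access_token", "expires_on", "resource", "token_type")
               if k not in data]
    if missing:
        raise ValueError(f"IMDS response missing fields: {missing}")
    data["expires_on"] = int(data["expires_on"])
    return data


def token_needs_refresh(token: dict, now: float, skew_seconds: int = 300) -> bool:
    """Cache the token and re-request it only when it is close to expiry."""
    return token["expires_on"] - now <= skew_seconds


def authorization_header(token: dict) -> dict:
    """Header App1 attaches to its calls against the resource the token is for."""
    return {"Authorization": f"{token['token_type']} {token['access_token']}"}


def fetch_token(resource: str, client_id: Optional[str] = None, opener=urlopen) -> dict:
    """Request a token from IMDS. On a real VM the default `opener` is used;
    off a VM, pass `SampleImds` to exercise the same code path."""
    with opener(build_token_request(resource, client_id), timeout=5) as resp:
        return parse_token_response(resp.read().decode("utf-8"))


# Constructed sample response: same shape as IMDS returns, not a real token.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAiOiJKV1Qi.constructed-sample.not-a-real-token",
    "expires_on": "1700003600",
    "resource": STORAGE_RESOURCE,
    "token_type": "Bearer",
    "client_id": "00000000-0000-0000-0000-000000000000",
})


class SampleImds:
    """Constructed stand-in for IMDS: enforces the Metadata header and
    returns SAMPLE_RESPONSE, so `fetch_token` can run outside Azure."""

    def __init__(self, request: Request, timeout=None):
        if request.get_header("Metadata") != "true":
            raise PermissionError("IMDS requires the 'Metadata: true' header")
        self.body = SAMPLE_RESPONSE.encode("utf-8")

    def read(self) -> bytes:
        return self.body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


if __name__ == "__main__":
    tok = fetch_token(STORAGE_RESOURCE, opener=SampleImds)
    print(authorization_header(tok), "refresh soon:", token_needs_refresh(tok, 1700003400))
```

No client secret or certificate appears anywhere in this flow: the identity is bound to the VM, and the only thing App1 needs is the ability to reach the link-local endpoint with the right header.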

Q4: Azure Policy for TDE on SQL Databases

Question: You need to configure an Azure policy to ensure that the Azure SQL databases have TDE enabled. The solution must meet the security and compliance requirements. Which three actions should you perform in sequence?

Options:

  1. Create an Azure policy definition that uses the deployIfNotExists identity
  2. Create an Azure policy assignment
  3. Invoke a remediation task
  4. Configure a periodic review of the policy
  5. Create an Azure policy initiative
  6. Modify the permissions of the managed identity

Answer:

  1. Create an Azure policy definition that uses the deployIfNotExists identity
  2. Create an Azure policy assignment
  3. Invoke a remediation task

Technical Implementation Details:

Step 1: Create policy definition

  • Effect: deployIfNotExists
  • Target scope: Azure SQL databases
  • Policy criteria: Checks if TDE is enabled
  • Remediation action: Enable TDE if not enabled

Step 2: Create policy assignment

  • Target scope: Management group or subscription level
  • Assignment parameters: Configure any parameters needed
  • Managed identity: Automatically created to perform remediation

Step 3: Invoke remediation task

  • Identify non-compliant resources
  • Trigger deployIfNotExists effect
  • Enable TDE on non-compliant databases
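
The three steps above, as an added example that is not part of the original notes: the policy rule in Step 1 written out as a dict (you would pass it to `az policy definition create --rules`), and a small offline evaluator that applies the rule's `if` and `existenceCondition` blocks to constructed sample databases the way the policy engine does, then simulates the remediation task from Step 3. The alias, child resource type and template are modelled on the built-in "Deploy SQL DB transparent data encryption" policy and should be verified against the current alias list; the role definition GUID is a placeholder.

```python
"""Added example (not from the original notes): the deployIfNotExists rule for
TDE as a Python dict, plus an evaluator that applies its `if` and
`existenceCondition` blocks to constructed sample resources the way the policy
engine does, so you can see which databases a remediation task would change.
Alias, child type and template are modelled on the built-in "Deploy SQL DB
transparent data encryption" policy (verify before use); the role GUID is a
placeholder."""
import copy
import json

TDE_CHILD_TYPE = "Microsoft.Sql/servers/databases/transparentDataEncryption"
TDE_STATUS_ALIAS = "Microsoft.Sql/transparentDataEncryption.status"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"  # constructed

TDE_POLICY_RULE = {
    # In scope: every Azure SQL database except the system `master` database.
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Sql/servers/databases"},
        {"field": "name", "notEquals": "master"},
    ]},
    "then": {"effect": "deployIfNotExists", "details": {
        "type": TDE_CHILD_TYPE,   # compliant only when this child resource exists...
        "name": "current",
        "existenceCondition": {"field": TDE_STATUS_ALIAS, "equals": "Enabled"},  # ...with TDE on
        # Role the assignment's managed identity needs to run the deployment
        # (the built-in policy uses SQL DB Contributor).
        "roleDefinitionIds": ["/providers/Microsoft.Authorization/roleDefinitions/<role-definition-guid>"],
        "deployment": {"properties": {
            "mode": "incremental",
            "parameters": {"fullDbName": {"value": "[field('fullName')]"}},
            "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {"fullDbName": {"type": "string"}},
                "resources": [{
                    "name": "[concat(parameters('fullDbName'), '/current')]",
                    "type": TDE_CHILD_TYPE,
                    "apiVersion": "2014-04-01",
                    "properties": {"status": "Enabled"},
                }],
            },
        }},
    }},
}


def policy_definition_json() -> str:
    """Rule body for `az policy definition create --rules` (use mode Indexed)."""
    return json.dumps(TDE_POLICY_RULE, indent=2)


def _match(cond: dict, fields: dict) -> bool:
    """Tiny subset of the policy language: field/equals/notEquals and allOf."""
    if "allOf" in cond:
        return all(_match(c, fields) for c in cond["allOf"])
    value = fields.get(cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(rule: dict, resources: list) -> tuple:
    """Return (compliant_ids, non_compliant_ids). Resources the `if` block does
    not match are out of scope and appear in neither list."""
    details = rule["then"]["details"]
    compliant, non_compliant = [], []
    for res in resources:
        if not _match(rule["if"], res["fields"]):
            continue
        child = res.get("children", {}).get(details["type"], {})
        (compliant if _match(details["existenceCondition"], child) else non_compliant).append(res["id"])
    return compliant, non_compliant


def remediate(rule: dict, resources: list) -> tuple:
    """Simulate a remediation task: deploy the `then` template (status Enabled)
    onto each non-compliant resource. Returns (remediated_ids, updated_resources)
    and leaves the input list untouched."""
    _, targets = evaluate(rule, resources)
    updated = copy.deepcopy(resources)
    child_type = rule["then"]["details"]["type"]
    for res in updated:
        if res["id"] in targets:
            res.setdefault("children", {})[child_type] = {TDE_STATUS_ALIAS: "Enabled"}
    return targets, updated


def sql_db(name: str, tde_status=None) -> dict:
    """Constructed sample Azure SQL database in the shape `evaluate` reads."""
    res = {"id": f"{SUB}/providers/Microsoft.Sql/servers/sql1/databases/{name}",
           "fields": {"type": "Microsoft.Sql/servers/databases", "name": name},
           "children": {}}
    if tde_status is not None:
        res["children"][TDE_CHILD_TYPE] = {TDE_STATUS_ALIAS: tde_status}
    return res


SAMPLE_RESOURCES = [
    sql_db("db1", "Enabled"),    # already compliant
    sql_db("db2", "Disabled"),   # TDE switched off: non-compliant
    sql_db("master"),            # excluded by the `if` block
    {"id": f"{SUB}/providers/Microsoft.Compute/virtualMachines/vm1",
     "fields": {"type": "Microsoft.Compute/virtualMachines", "name": "vm1"}},
]
```

Two points the evaluator makes visible: a deployIfNotExists policy only ever reports non-compliance for resources its `if` block matches (the VM and `master` are simply out of scope), and nothing changes until a remediation task runs, which is why Step 3 is required and why the assignment's managed identity must hold the role listed in `roleDefinitionIds`.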

Q5: High Availability Solution for App1

Question: You plan to migrate App1 to Azure. You need to recommend a high-availability solution for App1. The solution must meet the resiliency requirements. What should you include in the recommendation?

Options:

  • Number of host groups: [?]
  • Number of VM Scale Sets: [?]

Answer:

  • Number of host groups: 3
  • Number of VM Scale Sets: 1

Technical Architecture:

  • Host Groups Configuration:

    • Host Group 1: Deployed in Availability Zone 1
    • Host Group 2: Deployed in Availability Zone 2
    • Host Group 3: Deployed in Availability Zone 3
    • Each host group contains dedicated hosts for App1
  • VM Scale Set Design:

    • Single scale set spans all three availability zones
    • Configured with zone redundancy
    • Automatic scaling based on defined metrics

Q6: Cost Estimation and Minimization

Question: You plan to migrate App1 to Azure. You need to estimate the compute costs for App1 in Azure. The solution must meet the security and compliance requirements. What should you use to estimate the costs, and what should you implement to minimize the costs?

Options for estimation tool:

  • Azure Advisor
  • Azure Cost Management Power BI app
  • Azure TCO calculator

Options for cost minimization:

  • Azure Reservations
  • Azure Hybrid Benefit
  • Azure Spot VM pricing

Answer:

  • Estimation tool: Azure TCO calculator
  • Cost minimization: Azure Hybrid Benefit

Detailed Cost Optimization Strategy:

Azure TCO Calculator Usage:

  • Input current on-premises infrastructure details
  • Specify workload characteristics of App1
  • Include hardware, software, and operational costs

Azure Hybrid Benefit Implementation:

  • Leverage existing Windows Server licenses
  • Apply to Azure dedicated hosts
  • Potential savings of up to 40% on VM costs

Q7: Storage Solution for App1

Question: You plan to migrate App1 to Azure. You need to recommend a storage solution for App1 that meets the security and compliance requirements. Which type of storage should you recommend, and how should you recommend configuring the storage?

Options:

  • Storage type: [various Azure storage options]
  • Configuration: [various configuration options]

Answer:

  • Storage type: Standard general-purpose v2
  • Configuration: NFSv3

Technical Implementation Details:

Storage Account Configuration:

  • Account type: Standard general-purpose v2
  • Replication: Zone-redundant storage (ZRS)
  • Access tier: Hot (for active workloads)

NFSv3 Implementation:

  • Enable hierarchical namespace
  • Configure NFSv3 protocol support
  • Set up POSIX-compatible access control

Q8: Data Storage Compliance for App1

Question: You migrate App1 to Azure. You need to ensure that the data storage for App1 meets the security and compliance requirements. What should you do?

Options:

  • A. Create an access policy for the blob
  • B. Modify the access level of the blob service
  • C. Implement Azure resource locks
  • D. Create Azure RBAC assignments

Answer: A. Create an access policy for the blob

Technical Implementation:

  • Policy Type: Time-based retention policy
  • Retention Period: 3+ years (to meet requirement)
  • Policy Scope: Applied at the container level
  • Write Operations:
    • Allow creation of new blobs
    • Allow deletion of blobs after retention period
    • Prevent modification of existing blob data
    • Prevent deletion during retention period
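
The write-operation rules listed above, as an added example that is not part of the original notes: an offline model of how a container-level time-based retention policy decides which blob operations succeed, using constructed timestamps and the 3-year period from the notes. It also encodes the policy lifecycle a practitioner has to plan for (a new policy starts unlocked so it can be tested, shortened or removed; once locked it can only be extended), which is what makes the storage tamper-proof rather than merely configured.

```python
"""Added example (not from the original notes): a model of a time-based
immutability (retention) policy on a blob container. `is_allowed` applies
the per-operation rules to a blob, and `policy_change_allowed` applies the
unlocked/locked lifecycle rules to the policy itself. Timestamps and blob
names are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class RetentionPolicy:
    retention_days: int
    locked: bool = False   # new policies start unlocked


@dataclass(frozen=True)
class Blob:
    name: str
    created_at: datetime   # retention is counted from blob creation, not from policy creation


def retention_expires(blob: Blob, policy: RetentionPolicy) -> datetime:
    return blob.created_at + timedelta(days=policy.retention_days)


def is_allowed(operation: str, blob: Blob, policy: RetentionPolicy, now: datetime) -> bool:
    """Decide whether `operation` ('create', 'overwrite', 'delete') on `blob`
    succeeds at time `now`. The lock state does not change these answers; it
    only governs who may change the policy itself."""
    if operation == "create":
        return True   # new blobs can always be written into the container
    if operation == "overwrite":
        return False  # existing data stays immutable while the policy is in effect, even after expiry
    if operation == "delete":
        return now >= retention_expires(blob, policy)   # only once the blob's own period has passed
    raise ValueError(f"unknown operation {operation!r}")


def policy_change_allowed(policy: RetentionPolicy, new_days: Optional[int] = None,
                          remove: bool = False) -> bool:
    """Unlocked: any change, including removal, is allowed (the test window).
    Locked: removal is impossible and the period can only be extended."""
    if not policy.locked:
        return True
    if remove:
        return False
    return new_days is None or new_days >= policy.retention_days


def change_policy(policy: RetentionPolicy, new_days: Optional[int] = None,
                  remove: bool = False) -> Optional[RetentionPolicy]:
    """Apply a change, or raise if the lock rules forbid it. Returns None on removal."""
    if not policy_change_allowed(policy, new_days, remove):
        raise PermissionError("change violates the locked retention policy")
    if remove:
        return None
    return RetentionPolicy(new_days if new_days is not None else policy.retention_days, policy.locked)


def lock(policy: RetentionPolicy) -> RetentionPolicy:
    """Locking is one-way; do it only after the unlocked policy has been verified."""
    return RetentionPolicy(policy.retention_days, locked=True)


# Constructed sample data: a 3-year policy and a blob written on 2022-01-01.
THREE_YEARS = 3 * 365
SAMPLE_POLICY = RetentionPolicy(retention_days=THREE_YEARS)
SAMPLE_BLOB = Blob("app1/records-2022.csv", datetime(2022, 1, 1, tzinfo=timezone.utc))
DURING_RETENTION = datetime(2024, 6, 1, tzinfo=timezone.utc)
AFTER_RETENTION = datetime(2025, 1, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for op in ("create", "overwrite", "delete"):
        print(op, is_allowed(op, SAMPLE_BLOB, SAMPLE_POLICY, DURING_RETENTION),
              is_allowed(op, SAMPLE_BLOB, SAMPLE_POLICY, AFTER_RETENTION))
```

When reviewing a deployment against this requirement, the two things to check are that the policy is locked (an unlocked policy can be deleted by anyone with the right storage permission, so it does not satisfy a retention requirement) and that the configured period covers the longest retention the compliance rule demands, since it can later be lengthened but never shortened.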

Q9: DB1 and DB2 Azure Implementation

Question: How should the migrated databases DB1 and DB2 be implemented in Azure?

Options:

  • Database type: [various Azure database options]
  • Service tier: [various service tier options]

Answer:

  • Database type: SQL Managed Instance
  • Service tier: Business Critical

Technical Architecture:

SQL Managed Instance Configuration:

  • Deployment Model: Zone-redundant deployment
  • Availability Model: Built-in Always On availability groups
  • Instance Size: Based on current workload requirements
  • Storage Configuration: Local SSD for data and log files

Business Critical Tier Features:

  • High Availability Architecture:
    • 4 nodes in a high-availability ring
    • 1 Primary node for read-write operations
    • 3 Secondary nodes for read operations
    • Automatic failover orchestration
    • 99.99% availability SLA

Q10: Azure RBAC for Network Contributor

Question: You need to implement the Azure RBAC role assignments for the Network Contributor role. The solution must meet the authentication and authorization requirements. What is the minimum number of assignments that you must use?

Options:

  • A. 1
  • B. 2
  • C. 5
  • D. 10
  • E. 15

Answer: B. 2

Technical Implementation:

Management Group Structure:

  • nadirarfi.com Tenant:

    • Root Management Group
    • All 10 production subscriptions nested below
  • dev.nadirarfi.com Tenant:

    • Root Management Group
    • All 5 development subscriptions nested below

Role Assignment Strategy:

  • Assignment 1: Network Contributor role at root management group of nadirarfi.com tenant
  • Assignment 2: Network Contributor role at root management group of dev.nadirarfi.com tenant
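
The role assignment strategy above, as an added example that is not part of the original notes: a model of Azure RBAC scope inheritance across the two tenants, showing why one Network Contributor assignment at each tenant's root management group covers all 15 subscriptions and why an assignment made in one tenant grants nothing in the other. Scope names and subscription identifiers are constructed (real subscription scopes carry GUIDs); the management group and tenant names are the ones from the question.

```python
"""Added example (not from the original notes): Azure RBAC inherits down the
scope hierarchy and never crosses a tenant boundary. This models the two
tenants from the question and computes the fewest assignments that grant a
role on every subscription. Scope names are constructed."""

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"


def build_hierarchy() -> dict:
    """Map every scope to its parent scope. Tenant root management groups have
    no parent, and nothing links the two tenants to each other."""
    parents = {}
    for tenant, n_subs in (("nadirarfi.com", 10), ("dev.nadirarfi.com", 5)):
        root = f"{MG_PREFIX}{tenant}-root"
        parents[root] = None
        for i in range(1, n_subs + 1):
            parents[f"/subscriptions/{tenant}-sub{i:02d}"] = root   # constructed ids
    return parents


def ancestors(scope: str, parents: dict) -> list:
    """The scope itself followed by each parent up to the tenant root."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = parents[scope]
    return chain


def effective_roles(principal: str, scope: str, assignments: list, parents: dict) -> set:
    """Roles `principal` holds at `scope`: an assignment at the scope or at any
    ancestor applies, because RBAC inherits downward."""
    chain = set(ancestors(scope, parents))
    return {role for (p, role, s) in assignments if p == principal and s in chain}


def lowest_common_scope(targets: list, parents: dict) -> str:
    """Deepest scope that is an ancestor-or-self of every target."""
    chains = [ancestors(t, parents) for t in targets]
    common = set(chains[0]).intersection(*chains[1:])
    return next(s for s in chains[0] if s in common)   # chains run leaf-to-root


def minimal_assignments(principal: str, role: str, targets: list, parents: dict) -> list:
    """Fewest (principal, role, scope) assignments granting `role` on every
    target. Targets are grouped by tenant root, since an assignment can never
    span tenants, and each group gets one assignment at its lowest common scope."""
    by_tenant = {}
    for t in targets:
        by_tenant.setdefault(ancestors(t, parents)[-1], []).append(t)
    return [(principal, role, lowest_common_scope(ts, parents))
            for _, ts in sorted(by_tenant.items())]


def all_subscriptions(parents: dict) -> list:
    return sorted(s for s in parents if s.startswith("/subscriptions/"))


if __name__ == "__main__":
    tree = build_hierarchy()
    for a in minimal_assignments("netops-group", "Network Contributor", all_subscriptions(tree), tree):
        print(a)
```

The same function also shows the least-privilege side of the answer: asked to cover only a single subscription, it places the assignment on that subscription rather than on the management group, so the count of 2 is minimal for all 15 subscriptions precisely because every subscription in each tenant is in scope.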