[Microsoft] AZ-305 - Azure Solutions Architect Expert Exam Dumps & Study Guide
The Designing Microsoft Azure Infrastructure Solutions (AZ-305) is the premier certification for professionals who want to demonstrate their expertise in designing robust, enterprise-grade solutions using Microsoft Azure. As organizations increasingly migrate their critical workloads to the cloud, the ability to design scalable, secure, and resilient architectures has become a highly sought-after skill. The AZ-305 validates your expert-level knowledge of Azure services, infrastructure design, and architectural best practices. It is an essential milestone for any professional looking to lead at the highest levels of cloud strategy and architecture.
Overview of the Exam
The AZ-305 exam is a rigorous assessment that covers the design of infrastructure solutions in Azure. It is a 120-minute exam consisting of approximately 40-60 questions. The exam is designed to test your knowledge of Azure technologies and your ability to apply them to real-world architectural scenarios. From analyzing business requirements and designing compute and storage solutions to ensuring security, performance, and business continuity, the AZ-305 ensures that you have the skills necessary to build modern, efficient cloud environments. Achieving the AZ-305 certification proves that you are a highly skilled professional who can handle the technical demands of Azure infrastructure architecture.
Target Audience
The AZ-305 is intended for senior IT professionals who have a deep understanding of Azure services and enterprise architecture. It is ideal for individuals in roles such as:
1. Solutions Architects
2. Technical Leads
3. Cloud Architects
4. IT Managers and Directors
To qualify for the Microsoft Certified: Azure Solutions Architect Expert certification, candidates must have already achieved the Azure Administrator Associate certification and pass the AZ-305 exam.
Key Topics Covered
The AZ-305 exam is organized into several main domains:
1. Design Identity, Governance, and Monitoring Solutions (25-30%): Designing and implementing effective identity and governance solutions using Entra ID and other Azure services.
2. Design Data Storage Solutions (25-30%): Designing and implementing robust data storage solutions using Azure SQL and other database services.
3. Design Business Continuity Solutions (10-15%): Designing and implementing effective high availability and disaster recovery solutions.
4. Design Infrastructure Solutions (25-30%): Designing and implementing modern compute, networking, and security solutions.
Benefits of Getting Certified
Earning the AZ-305 certification provides several significant benefits. First, it offers industry recognition of your elite expertise in Microsoft's cloud technologies. As a leader in the cloud industry, Microsoft skills are in high demand across the globe. Second, it can lead to high-level career opportunities and significantly higher salary potential in a variety of senior roles. Third, it demonstrates your commitment to professional excellence and your dedication to staying current with the latest cloud architectural practices. By holding this certification, you join a global community of Microsoft professionals and gain access to exclusive resources and continuing education opportunities.
Why Choose NotJustExam.com for Your AZ-305 Prep?
The AZ-305 exam is challenging and requires a deep understanding of Azure's complex features and architectural principles. NotJustExam.com is the best resource to help you master this material. Our platform offers an extensive bank of practice questions that are designed to mirror the actual exam’s format and difficulty.
What makes NotJustExam.com stand out is our focus on interactive logic and the accuracy of our explanations. We don’t just provide a list of questions; we provide a high-quality learning experience. Every question in our bank includes an in-depth, accurate explanation that helps you understand the architectural reasoning behind the correct solution. This ensures that you are truly learning the material and building the confidence needed to succeed on the exam. Our content is regularly updated by subject matter experts to reflect the latest Azure features and architectural trends. With NotJustExam.com, you can approach your AZ-305 exam with the assurance that comes from thorough, high-quality preparation. Start your journey toward becoming a Certified Azure Solutions Architect today with us!
Free [Microsoft] AZ-305 - Azure Solutions Architect Expert Practice Questions Preview
-
Question 1
You have an Azure subscription that contains a custom application named Application1. Application1 was developed by an external company named Fabrikam, Ltd. Developers at Fabrikam were assigned role-based access control (RBAC) permissions to the Application1 components. All users are licensed for the Microsoft 365 E5 plan.
You need to recommend a solution to verify whether the Fabrikam developers still require permissions to Application1. The solution must meet the following requirements:
✑ To the manager of the developers, send a monthly email message that lists the access permissions to Application1.
✑ If the manager does not verify an access permission, automatically revoke that permission.
✑ Minimize development effort.
What should you recommend?
- A. In Azure Active Directory (Azure AD), create an access review of Application1.
- B. Create an Azure Automation runbook that runs the Get-AzRoleAssignment cmdlet.
- C. In Azure Active Directory (Azure AD) Privileged Identity Management, create a custom role assignment for the Application1 resources.
- D. Create an Azure Automation runbook that runs the Get-AzureADUserAppRoleAssignment cmdlet.
Correct Answer:
A
Explanation:
The best solution to verify and manage the access permissions of Fabrikam developers to Application1, meeting the specified requirements with minimal development effort, is to use Azure AD Access Reviews.
Therefore, the recommended answer is A. In Azure Active Directory (Azure AD), create an access review of Application1.
Reasoning:
- Azure AD Access Reviews are designed specifically to periodically review and manage user access rights. They allow you to efficiently manage who has access to organizational resources and ensure that access is appropriate.
- Access reviews can be configured to automatically send email notifications to managers, prompting them to review the access permissions of their team members (in this case, the Fabrikam developers) for Application1.
- A key feature of Access Reviews is the ability to automatically remove access if the reviewer (the manager) doesn't respond within a specified time period. This directly addresses the requirement to automatically revoke permissions that are not verified.
- Using Access Reviews minimizes development effort because it is a built-in Azure AD feature that requires configuration rather than custom code development.
Reasons for not choosing other options:
- B. Create an Azure Automation runbook that runs the Get-AzRoleAssignment cmdlet: While an Azure Automation runbook with `Get-AzRoleAssignment` could list the access permissions, it would require significant development effort to implement the notification and automatic revocation features. It doesn't provide a built-in review and approval workflow like Access Reviews.
- C. In Azure Active Directory (Azure AD) Privileged Identity Management, create a custom role assignment for the Application1 resources: Privileged Identity Management (PIM) is primarily used for managing, controlling, and monitoring access to important resources in your organization. It's focused on just-in-time access and elevation, which is not suitable for the continuous access review required in this scenario. PIM doesn't directly address the periodic review and revocation requirements as efficiently as Access Reviews.
- D. Create an Azure Automation runbook that runs the Get-AzureADUserAppRoleAssignment cmdlet: Similar to option B, this approach would require custom development to handle notifications and automatic revocation, increasing development effort and complexity compared to using Access Reviews. This cmdlet is also more focused on application role assignments rather than general RBAC permissions.
Citations:
- What are Azure Active Directory access reviews?, https://learn.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
-
Question 2
You have an Azure subscription. The subscription has a blob container that contains multiple blobs.
Ten users in the finance department of your company plan to access the blobs during the month of April.
You need to recommend a solution to enable access to the blobs during the month of April only.
Which security solution should you include in the recommendation?
- A. shared access signatures (SAS)
- B. Conditional Access policies
- C. certificates
- D. access keys
Correct Answer:
A
Explanation:
The best solution to enable access to the blobs during the month of April only is to use A. Shared Access Signatures (SAS).
Reasoning:
SAS tokens provide granular control over access to Azure Storage resources, including the ability to set an expiration time. This perfectly aligns with the requirement to grant access only during the month of April. You can generate SAS tokens that are valid only for that specific time period, ensuring that the finance department users can access the blobs only when required.
Why other options are not suitable:
- B. Conditional Access policies: Conditional Access policies are powerful tools for controlling access to Azure resources, but they are more suited for persistent access controls based on conditions like user identity, device, location, and application. While you could theoretically create a Conditional Access policy that allows access only during April, it's more complex and less precise than using SAS tokens for time-bound access to specific storage resources.
- C. Certificates: Certificates are typically used for authentication and encryption, and are not directly applicable to granting time-limited access to Azure Blob Storage.
- D. Access keys: Access keys provide full access to the storage account, which is a security risk. They do not offer the ability to restrict access to a specific time period. Sharing access keys with multiple users is also not a recommended practice.
Therefore, SAS tokens are the most appropriate and secure solution for granting time-limited access to the blobs for the finance department users.
Citations:
- Shared access signatures (SAS) in Azure Storage, https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
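As an added example (not code from the page or from Microsoft) of the time-bound control that the Question 2 explanation relies on, the audit below parses a SAS token's documented query fields (st, se, sp, spr) and checks them against an "April only, read/list only, HTTPS only" policy. The two tokens are constructed, their sig values are placeholders rather than real signatures, and the year 2024 is an assumption.

```python
"""Audit an Azure Storage SAS token against a time-bound access policy.

Added example, not code from the page or from Microsoft. It works on the
query-string form of a SAS, whose field names (sv, st, se, sp, sr, spr, sig)
are the documented SAS parameters; the tokens below are constructed for
illustration and their sig values are placeholders, not real signatures.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import parse_qs


@dataclass
class SasFinding:
    ok: bool
    reasons: list[str] = field(default_factory=list)


def _sas_time(value: str) -> datetime:
    """SAS timestamps are ISO 8601 in UTC, e.g. 2024-04-30T23:59:59Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_sas(sas: str, window_start: datetime, window_end: datetime,
              allowed_permissions: str = "rl") -> SasFinding:
    """Check that a SAS cannot be used outside [window_start, window_end]
    and grants no more than allowed_permissions, over HTTPS only."""
    params = {k: v[0] for k, v in parse_qs(sas.lstrip("?")).items()}
    reasons: list[str] = []

    # Expiry (se) is the control the scenario depends on: no se, no time bound.
    if "se" not in params:
        reasons.append("no expiry (se): the token does not expire on its own")
    elif _sas_time(params["se"]) > window_end:
        reasons.append(f"expiry {params['se']} is after the approved window")

    # Start (st) is optional; if present it must not predate the window.
    if "st" in params and _sas_time(params["st"]) < window_start:
        reasons.append(f"start {params['st']} is before the approved window")

    # Permissions (sp) are single letters: r=read, l=list, w=write, d=delete, ...
    extra = set(params.get("sp", "")) - set(allowed_permissions)
    if extra:
        reasons.append(f"permissions beyond {allowed_permissions!r}: {''.join(sorted(extra))}")

    # Without spr=https the token is also accepted over plain HTTP.
    if params.get("spr") != "https":
        reasons.append("not restricted to HTTPS (spr missing or allows http)")

    return SasFinding(ok=not reasons, reasons=reasons)


# Approved window for the scenario: the month of April (2024 assumed for the example).
APRIL_START = datetime(2024, 4, 1, tzinfo=timezone.utc)
APRIL_END = datetime(2024, 5, 1, tzinfo=timezone.utc)

# Constructed container-level SAS tokens (sr=c); signatures are placeholders.
APRIL_READ_ONLY_SAS = (
    "sv=2022-11-02&st=2024-04-01T00%3A00%3A00Z&se=2024-04-30T23%3A59%3A59Z"
    "&sr=c&sp=rl&spr=https&sig=CONSTRUCTED_PLACEHOLDER"
)
OVERBROAD_SAS = (
    "sv=2022-11-02&se=2025-04-30T23%3A59%3A59Z"
    "&sr=c&sp=rwdl&sig=CONSTRUCTED_PLACEHOLDER"
)

if __name__ == "__main__":
    for label, token in (("april-read-only", APRIL_READ_ONLY_SAS), ("overbroad", OVERBROAD_SAS)):
        finding = audit_sas(token, APRIL_START, APRIL_END)
        print(label, "OK" if finding.ok else "REJECT")
        for reason in finding.reasons:
            print("  -", reason)
```

The second token is one Azure would happily accept: it is valid for a year, allows write and delete, and works over HTTP. The audit rejects it for all three reasons, which is the kind of check worth running over tokens found in application configuration before they reach the finance users.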
-
Question 3
You have an Azure Active Directory (Azure AD) tenant that syncs with an on-premises Active Directory domain.
You have an internal web app named WebApp1 that is hosted on-premises. WebApp1 uses Integrated Windows authentication.
Some users work remotely and do NOT have VPN access to the on-premises network.
You need to provide the remote users with single sign-on (SSO) access to WebApp1.
Which two features should you include in the solution? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- A. Azure AD Application Proxy
- B. Azure AD Privileged Identity Management (PIM)
- C. Conditional Access policies
- D. Azure Arc
- E. Azure AD enterprise applications
- F. Azure Application Gateway
Correct Answer:
AE
Explanation:
The correct answer is A & E.
Reasoning for choosing A (Azure AD Application Proxy) and E (Azure AD enterprise applications):
Azure AD Application Proxy provides secure remote access to on-premises web applications. It enables users to access internal web apps from outside the corporate network without requiring a VPN. It works by establishing an outbound connection from the on-premises application server to Azure AD, which then acts as a reverse proxy, authenticating users and forwarding requests to the internal application.
Azure AD enterprise applications represent the on-premises web application (WebApp1) within Azure AD. This allows you to manage authentication and authorization for the application using Azure AD features like single sign-on (SSO). By registering WebApp1 as an enterprise application, you can configure it to use Integrated Windows Authentication via the Application Proxy, providing a seamless SSO experience for remote users.
Reasoning for not choosing the other answers:
- B (Azure AD Privileged Identity Management (PIM)): PIM is used to manage, control, and monitor access to important resources in your organization. While important for security, it's not directly related to providing SSO access to an on-premises web application for remote users.
- C (Conditional Access policies): Conditional Access policies are used to enforce authentication requirements based on various conditions, such as user location, device compliance, and application sensitivity. While Conditional Access could be used in conjunction with Application Proxy for enhanced security, it is not a fundamental requirement for providing SSO access in this scenario. It's an optional security enhancement.
- D (Azure Arc): Azure Arc is used to extend Azure management capabilities to on-premises and multi-cloud environments. It's not directly related to providing SSO access to an on-premises web application.
- F (Azure Application Gateway): Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to web applications. While it can be used for external-facing applications, in this case, the Azure AD Application Proxy is the more suitable solution for providing secure remote access to an on-premises application with integrated Windows authentication. Application Gateway is more commonly used for applications hosted in Azure.
Citations:
- Azure AD Application Proxy, https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/what-is-application-proxy
- Azure AD enterprise applications, https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-an-application
-
Question 4
You have an Azure Active Directory (Azure AD) tenant named contoso.com that has a security group named Group1. Group1 is configured for assigned membership. Group1 has 50 members, including 20 guest users.
You need to recommend a solution for evaluating the membership of Group1. The solution must meet the following requirements:
✑ The evaluation must be repeated automatically every three months.
✑ Every member must be able to report whether they need to be in Group1.
✑ Users who report that they do not need to be in Group1 must be removed from Group1 automatically.
✑ Users who do not report whether they need to be in Group1 must be removed from Group1 automatically.
What should you include in the recommendation?
- A. Implement Azure AD Identity Protection.
- B. Change the Membership type of Group1 to Dynamic User.
- C. Create an access review.
- D. Implement Azure AD Privileged Identity Management (PIM).
Correct Answer:
C
Explanation:
The recommended solution is to create an access review (Option C).
Reasoning:
Access reviews in Azure AD are designed to periodically review and recertify group memberships and application access. They meet the specified requirements in the question:
- Periodic Evaluation: Access reviews can be scheduled to run automatically at specific intervals, such as every three months.
- Self-Attestation: Members of the group can be prompted to attest whether they still need membership.
- Automated Removal: Access reviews can be configured to automatically remove users who deny needing access or who fail to respond within a specified timeframe.
Reasons for not choosing the other options:
- Option A: Implement Azure AD Identity Protection. Azure AD Identity Protection is focused on detecting and remediating risks related to user identities and sign-ins. It does not provide a mechanism for recurring membership reviews or self-attestation.
- Option B: Change the Membership type of Group1 to Dynamic User. Dynamic user groups determine membership based on rules that evaluate user attributes. This does not allow for self-attestation or periodic reviews based on user input. Also, the scenario specifies that the group is currently assigned and changing it to dynamic might not be feasible or desirable based on other requirements not mentioned in the question.
- Option D: Implement Azure AD Privileged Identity Management (PIM). PIM is designed to manage, control, and monitor access to important resources in the organization. While PIM includes access reviews for privileged roles, it is not the appropriate solution for evaluating the membership of a regular security group like Group1.
In summary, access reviews are the correct solution because they are specifically designed to address the requirements of recurring membership evaluation, self-attestation, and automated removal in Azure AD groups.
Citations:
- What are Azure Active Directory access reviews?, https://learn.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
-
Question 5
HOTSPOT -
You plan to deploy Azure Databricks to support a machine learning application. Data engineers will mount an Azure Data Lake Storage account to the Databricks file system. Permissions to folders are granted directly to the data engineers.
You need to recommend a design for the planned Databrick deployment. The solution must meet the following requirements:
✑ Ensure that the data engineers can only access folders to which they have permissions.
✑ Minimize development effort.
✑ Minimize costs.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
See interactive view.
Explanation:
Based on the question requirements and the discussion, the recommended answer is as follows:
Box 1: Premium
Box 2: Credential passthrough
Reasoning:
The question specifies the need to ensure data engineers can only access folders to which they have permissions, minimize development effort, and minimize costs.
To achieve these goals, the optimal solution is to use the Premium tier of Azure Databricks with credential passthrough enabled.
- Premium Tier: The Premium tier is selected because it supports the credential passthrough feature, which is essential for automatically authenticating to Azure Data Lake Storage using the data engineers' Azure Active Directory identities. This fulfills the requirement of ensuring that data engineers can only access folders they have permissions to.
- Credential Passthrough: By using credential passthrough, commands run on the cluster can read and write data in Azure Data Lake Storage without needing separate service principal credentials. This minimizes development effort because data engineers don't have to manage additional credentials.
Reasons for not choosing other options:
- Standard Tier: While the Standard tier might seem more cost-effective, it does not support all the features necessary for credential passthrough in a multi-user scenario. Some discussions mention that standard clusters with credential passthrough are limited to a single user, which does not meet the requirement of multiple data engineers accessing the data.
- Azure Key Vault-backed scopes: While Azure Key Vault-backed scopes are a secure method for managing secrets, they would require more development effort to configure and manage compared to credential passthrough. The aim is to minimize development effort while ensuring secure access, making credential passthrough the better option.
- Service Principals: Using Service Principals would also increase development and operational overhead, as they require creating and managing service principal credentials and ensuring they are securely stored and rotated. This goes against the requirement to minimize development effort.
Therefore, choosing the Premium tier with credential passthrough is the most suitable option that fulfills all the specified requirements efficiently and securely.
Citations:
- Azure Databricks Credential Passthrough with Azure Data Lake Storage, https://docs.microsoft.com/en-us/azure/databricks/security/credential-passthrough/adls-passthrough
-
Question 6
HOTSPOT -
You plan to deploy an Azure web app named App1 that will use Azure Active Directory (Azure AD) authentication.
App1 will be accessed from the internet by the users at your company. All the users have computers that run Windows 10 and are joined to Azure AD.
You need to recommend a solution to ensure that the users can connect to App1 without being prompted for authentication and can access App1 only from company-owned computers.
What should you recommend for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
See interactive view.
Explanation:
Based on the question and the discussion, the recommended solution is:
Box 1: An Azure AD app registration
Box 2: A Conditional Access policy
Reasoning:
The question requires users to connect to App1 without being prompted for authentication and access App1 only from company-owned computers.
Azure AD app registration is necessary to integrate the web application (App1) with Azure AD. This registration establishes a trust relationship, enabling Single Sign-On (SSO) capabilities. Without registering the app, Azure AD would not recognize it, and SSO would not be possible.
Conditional Access policies allow enforcing specific conditions for accessing resources. In this scenario, a Conditional Access policy can be configured to allow access only from devices that are Azure AD joined (company-owned computers), fulfilling the requirement. This provides a mechanism to verify that the user is connecting from a trusted device before granting access to App1.
Why other options are not suitable:
- Azure AD Application Proxy: Application Proxy is designed for publishing on-premises web applications, not Azure web apps. Therefore, it is not the correct choice for this scenario.
In Summary: We need to register the app in Azure AD to enable authentication and authorization, and we need a Conditional Access policy to restrict access to company-owned computers.
-
Question 7
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company deploys several virtual machines on-premises and to Azure. ExpressRoute is deployed and configured for on-premises to Azure connectivity.
Several virtual machines exhibit network connectivity issues.
You need to analyze the network traffic to identify whether packets are being allowed or denied to the virtual machines.
Solution: Use Azure Traffic Analytics in Azure Network Watcher to analyze the network traffic.
Does this meet the goal?
- A. Yes
- B. No
Correct Answer:
B
Explanation:
The suggested answer is B. No.
Reasoning: While Azure Network Watcher is indeed useful for network monitoring, the specific feature needed to determine if packets are being allowed or denied to virtual machines is IP flow verify, not Traffic Analytics. Traffic Analytics focuses on providing insights into traffic patterns and security threats across your network but doesn't give a packet-level allow/deny assessment. IP flow verify directly tests whether a packet matching specific criteria (source, destination, port, protocol) is permitted or blocked by network security groups (NSGs) or Azure Firewall.
Why other options are not correct:
- Option A (Yes): This is incorrect because Azure Traffic Analytics does not provide the granular detail of whether specific packets are being allowed or denied. It gives an overview of network traffic patterns.
Citations:
- Azure Network Watcher Overview, https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
- IP flow verify, https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
- Azure Traffic Analytics, https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics
-
Question 8
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company deploys several virtual machines on-premises and to Azure. ExpressRoute is deployed and configured for on-premises to Azure connectivity.
Several virtual machines exhibit network connectivity issues.
You need to analyze the network traffic to identify whether packets are being allowed or denied to the virtual machines.
Solution: Use Azure Advisor to analyze the network traffic.
Does this meet the goal?
- A. Yes
- B. No
Correct Answer:
B
Explanation:
The suggested answer is B (No).
Reasoning: Azure Advisor is a service that provides recommendations to help you optimize your Azure resources for high availability, security, performance, and cost. It does not analyze network traffic to identify whether packets are being allowed or denied to virtual machines. For this purpose, you should use Network Watcher, specifically the IP Flow Verify tool.
Why other options are not correct:
Azure Advisor's primary function is to provide recommendations on resource optimization, cost management, security enhancements, and performance improvements. It's not designed for real-time network traffic analysis or diagnosing network connectivity issues at the packet level. Thus, using Azure Advisor is not the correct approach for the stated goal.
-
Question 9
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company deploys several virtual machines on-premises and to Azure. ExpressRoute is deployed and configured for on-premises to Azure connectivity.
Several virtual machines exhibit network connectivity issues.
You need to analyze the network traffic to identify whether packets are being allowed or denied to the virtual machines.
Solution: Use Azure Network Watcher to run IP flow verify to analyze the network traffic.
Does this meet the goal?
- A. Yes
- B. No
Correct Answer:
A
Explanation:
The suggested answer is A: Yes.
Reasoning: IP flow verify in Azure Network Watcher is specifically designed to analyze network traffic and determine whether packets are being allowed or denied to and from a virtual machine. This aligns directly with the problem statement, which requires identifying whether packets are being allowed or denied to the virtual machines experiencing network connectivity issues. Therefore, using IP flow verify is an appropriate solution.
Why other options are incorrect:
Option B (No) is incorrect because IP flow verify is an appropriate tool for the stated goal. It is designed to analyze network traffic rules and determine if traffic is being blocked or allowed.
Citations:
- Azure Network Watcher Overview, https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
- IP flow verify, https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
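An added example (not code from the page or from Azure) for Questions 7 and 9: a Python model of the decision that IP flow verify reports. A packet's 5-tuple is matched against the NSG rules in priority order, first match wins, and Azure's default rules sit behind any custom rules. The custom rules, the addresses and the prefix assumed for the VirtualNetwork tag are constructed; the real tool evaluates the effective rules on the VM's NIC and reports the matching rule's name just as this function returns it.

```python
"""Model of the allow/deny decision that Network Watcher IP flow verify reports:
the packet's 5-tuple is matched against the NIC's effective NSG rules in
priority order and the first matching rule wins.

Added example, not code from the page or from Azure. The rule model is a
simplification (custom rules plus Azure's default rules, with service tags
resolved to constructed prefixes); all rules and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int        # lower number is evaluated first
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp", "Icmp" or "*"
    source: str          # CIDR, single IP, service tag or "*"
    source_port: str     # "443", "1024-65535", "80,443" or "*"
    destination: str
    destination_port: str


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    source_ip: str
    source_port: int
    destination_ip: str
    destination_port: int


# Service tags resolved to prefixes for the model. VirtualNetwork is an assumed
# address space; 168.63.129.16 is Azure's documented health-probe source;
# Internet is simplified to "anything", relying on earlier rules for VNet traffic.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/8"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Internet": ["0.0.0.0/0"],
}

# Azure's default rules, present on every NSG at priorities 65000-65500.
DEFAULT_RULES = [
    NsgRule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    NsgRule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    NsgRule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    NsgRule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]


def _addr_matches(spec: str, ip: str) -> bool:
    if spec == "*":
        return True
    addr = ip_address(ip)
    return any(addr in ip_network(prefix) for prefix in SERVICE_TAGS.get(spec, [spec]))


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        low, _, high = part.partition("-")   # "443" -> 443..443; "1024-65535" -> range
        if int(low) <= port <= int(high or low):
            return True
    return False


def _rule_matches(rule: NsgRule, flow: Flow) -> bool:
    return (rule.direction == flow.direction
            and (rule.protocol == "*" or rule.protocol.lower() == flow.protocol.lower())
            and _addr_matches(rule.source, flow.source_ip)
            and _port_matches(rule.source_port, flow.source_port)
            and _addr_matches(rule.destination, flow.destination_ip)
            and _port_matches(rule.destination_port, flow.destination_port))


def ip_flow_verify(custom_rules: list[NsgRule], flow: Flow) -> tuple[str, str]:
    """Return (access, rule name) for the first rule, by priority, that matches."""
    for rule in sorted(custom_rules + DEFAULT_RULES, key=lambda r: r.priority):
        if _rule_matches(rule, flow):
            return rule.access, rule.name
    return "Deny", "<no matching rule>"   # not reachable while the default rules are present


# Constructed NSG: RDP allowed only from a jump-box subnet, denied from anywhere else.
CUSTOM_RULES = [
    NsgRule("Allow-RDP-From-Jumpbox", 100, "Inbound", "Allow", "Tcp", "10.1.0.0/24", "*", "*", "3389"),
    NsgRule("Deny-RDP-Elsewhere", 200, "Inbound", "Deny", "Tcp", "*", "*", "*", "3389"),
]

if __name__ == "__main__":
    for flow in (
        Flow("Inbound", "Tcp", "10.1.0.10", 50000, "10.0.0.4", 3389),      # jump box -> RDP
        Flow("Inbound", "Tcp", "203.0.113.7", 50000, "10.0.0.4", 3389),    # internet -> RDP
        Flow("Inbound", "Tcp", "203.0.113.7", 50000, "10.0.0.4", 443),     # internet -> HTTPS
        Flow("Outbound", "Tcp", "10.0.0.4", 50000, "93.184.216.34", 443),  # VM -> internet
    ):
        print(f"{flow.direction:8} {flow.source_ip}:{flow.source_port} -> "
              f"{flow.destination_ip}:{flow.destination_port} {ip_flow_verify(CUSTOM_RULES, flow)}")
```

The value of the model is the rule name it returns: when a VM in the scenario cannot be reached, knowing that the packet hit DenyAllInBound rather than a custom deny rule tells the architect whether an allow rule is missing or a deliberate rule is in the way, which is exactly the output IP flow verify gives and Traffic Analytics or Azure Advisor do not.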
-
Question 10
DRAG DROP -
You have an Azure subscription. The subscription contains Azure virtual machines that run Windows Server 2016 and Linux.
You need to use Azure Monitor to design an alerting strategy for security-related events.
Which Azure Monitor Logs tables should you query? To answer, drag the appropriate tables to the correct log types. Each table may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

Correct Answer:
See interactive view.
Explanation:
Based on the question and discussion, the recommended answer is to use the Event table for Windows security-related events and the Syslog table for Linux security-related events.
Reasoning:
The Event table in Azure Monitor Logs is designed to collect and analyze Windows events, including security-related events logged by the Windows Event Viewer. This makes it the appropriate choice for monitoring Windows Server 2016 virtual machines.
The Syslog table in Azure Monitor Logs is the standard location for capturing system and application logs from Linux systems. Security-related events generated on Linux VMs are typically logged via syslog, making this the correct table to query.
Why other options are not suitable:
- AzureActivity: This table stores logs related to Azure resource operations and management activities. While useful for auditing changes to your Azure environment, it does not contain detailed security events originating from within the Windows or Linux operating systems.
Therefore, the accurate mapping is:
Windows: Event
Linux: Syslog
Citations:
- Data sources in Azure Monitor, https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events
- Collect Syslog events with Azure Monitor Agent, https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-syslog