175+ Free Azure AZ-305 Practice Questions

Pass your Microsoft Azure Solutions Architect Expert (AZ-305) exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately

~65% Pass Rate

175+ Questions

100% Free

1 / 175

Question 1

Score: 0/0

A company needs to implement multi-factor authentication (MFA) for all administrator accounts while exempting emergency access accounts. What should you configure in Microsoft Entra ID?

Enable Security Defaults for the tenant

Create a Conditional Access policy targeting directory roles with emergency account exclusions

Enforce MFA at the user settings level for each administrator

Deploy Microsoft Entra ID Protection with user risk policies

to track

2026 Statistics

Key Facts: Azure AZ-305 Exam

700/1000

Passing Score

Microsoft

~60 Q

Exam Questions

Microsoft (varies)

60-100 hrs

Study Time

Recommended

$165

Exam Fee

Microsoft

4 domains

Exam Domains

Microsoft AZ-305 outline

120 min

Exam Duration

Microsoft

AZ-305 is Microsoft's expert-level Azure architecture certification, requiring a passing score of 700 out of 1000. The exam has approximately 60 questions in 120 minutes, covering identity/governance/monitoring (25-30%), data storage (20-25%), business continuity (15-20%), and infrastructure (30-35%). Candidates must first pass AZ-104 (Azure Administrator). It is one of the most respected cloud architecture certifications, with certified architects earning $120,000-$180,000+ annually.

Sample Azure AZ-305 Practice Questions

Try these sample questions to test your Azure AZ-305 exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 175+ question experience with AI tutoring.

1A company needs to implement multi-factor authentication (MFA) for all administrator accounts while exempting emergency access accounts. What should you configure in Microsoft Entra ID?

A.Enable Security Defaults for the tenant

B.Create a Conditional Access policy targeting directory roles with emergency account exclusions

C.Enforce MFA at the user settings level for each administrator

D.Deploy Microsoft Entra ID Protection with user risk policies

Explanation: Conditional Access policies provide granular control over authentication requirements based on conditions. By targeting directory roles and excluding emergency access accounts (break-glass accounts), you enforce MFA for administrators while preserving emergency access capabilities. Security Defaults enforce MFA for all users, not just administrators. User-level settings are difficult to manage at scale.

2Your organization has acquired a subsidiary that uses on-premises Active Directory with custom attributes. You need to synchronize users while preserving these attributes. What should you implement?

A.Microsoft Entra Connect with default settings

B.Microsoft Entra Connect with directory extension attribute sync

C.Microsoft Entra Cloud Sync with group-based filtering

D.Manual user creation via Microsoft Graph API

Explanation: Microsoft Entra Connect with directory extension attribute synchronization extends the on-premises Active Directory schema to Microsoft Entra ID, preserving custom attributes. Default settings only sync standard attributes. Cloud Sync does not support directory extensions. Manual creation via API is not scalable for directory synchronization scenarios.

3You need to provide temporary privileged access to contractors for specific Azure resources, with automatic revocation after 30 days. Which solution should you implement?

A.Azure AD Privileged Identity Management (PIM) with time-bound assignments

B.Custom role definitions with expiration dates

C.Azure Policy to audit privileged access

D.Azure AD Access Reviews with quarterly reviews

Explanation: Microsoft Entra Privileged Identity Management (PIM) provides just-in-time privileged access with time-bound assignments. Eligible assignments can be configured to expire automatically after a specified duration. Custom roles do not provide native time-bound access. Azure Policy audits but does not control access. Access Reviews require manual approval for revocation.

4An organization requires all resource groups to include department and cost center tags. Resources without these tags must be prevented from deployment. What should you implement?

A.Azure Blueprints with artifact locks

B.Azure Policy with deny effects on the required tags

C.Azure Resource Manager templates with parameter validation

D.Azure Advisor recommendations for resource tagging

Explanation: Azure Policy with deny effects prevents the creation of resources that do not comply with tagging requirements. The built-in policy definitions for required tags can enforce this at the subscription or management group level. Blueprints help with deployment consistency but do not actively prevent non-compliant deployments. ARM template validation only applies to template deployments. Advisor provides recommendations but does not enforce.

5Your company has 50 Azure subscriptions that need consistent governance policies. You need to apply policies to all subscriptions while allowing some subscription-level overrides. What should you configure?

A.Apply policies at each subscription individually

B.Create a management group hierarchy with policy inheritance

C.Use Azure Blueprints assigned at the tenant level

D.Deploy policies via Azure DevOps pipelines

Explanation: Management groups provide hierarchical governance where policies can be assigned at higher levels and inherited by child subscriptions and management groups. This enables consistent governance while allowing lower-level overrides through policy exemptions or exclusions. Individual subscription assignments do not scale. Blueprints help with initial deployment but not ongoing governance. DevOps pipelines are for deployment automation, not governance.

6You need to centralize logs from multiple Azure subscriptions into a single Log Analytics workspace for enterprise-wide monitoring. Which architecture should you implement?

A.Deploy a Log Analytics workspace in each subscription and query across workspaces

B.Create a dedicated monitoring subscription with a central Log Analytics workspace and use Azure Monitor Agent

C.Use Azure Event Hubs to stream logs from all subscriptions to a single location

D.Configure diagnostic settings on each resource to store logs in Azure Storage accounts

Explanation: A dedicated monitoring subscription with a central Log Analytics workspace provides the most efficient architecture for enterprise monitoring. The Azure Monitor Agent can be configured to forward logs from multiple subscriptions to the central workspace. Cross-workspace queries add complexity. Event Hubs requires additional processing infrastructure. Storage accounts do not provide querying capabilities.

7An application team needs real-time alerting when VM CPU exceeds 80% for 5 minutes. Which Azure Monitor feature should you configure?

A.Log Analytics alert rules based on log queries

B.Metric alert rules with static thresholds

C.Activity log alerts for VM operations

D.Azure Service Health alerts

Explanation: Metric alert rules with static thresholds are designed for real-time alerting on numeric metrics like CPU percentage. They evaluate frequently and can trigger actions within minutes. Log-based alerts have query latency. Activity log alerts are for administrative operations, not performance metrics. Service Health alerts are for platform issues, not resource metrics.

8You need to implement identity protection that automatically blocks users whose accounts are compromised and requires password reset. What should you configure?

A.Microsoft Entra ID Protection with user risk policies set to block access

B.Conditional Access policies targeting high-risk sign-ins

C.Azure AD B2C with custom policies

D.Microsoft Defender for Identity with automatic response

Explanation: Microsoft Entra ID Protection with user risk policies can automatically block access and require password changes when user risk is detected as high (compromised). The policy can trigger remediation flows including password resets. Conditional Access can use risk signals but requires ID Protection for risk detection. B2C is for customer identity, not employee protection. Defender for Identity detects threats but does not directly enforce access controls.

9Your organization needs to track and report on resource changes across all subscriptions for compliance auditing. Which solution should you implement?

A.Azure Activity Logs stored in Log Analytics

B.Azure Change Tracking in Azure Automation

C.Azure Resource Graph queries

D.Azure Monitor Application Insights

Explanation: Azure Activity Logs capture all resource creation, modification, and deletion operations. When stored in Log Analytics, they provide querying and reporting capabilities for compliance auditing. Change Tracking monitors configuration changes on VMs but not Azure resource operations. Resource Graph queries current state, not historical changes. Application Insights monitors application telemetry, not resource changes.

10A company has separate Azure AD tenants for different business units. They need to allow users from one tenant to access resources in another tenant while maintaining separate identity management. What should you configure?

A.Microsoft Entra B2B collaboration with guest user invitations

B.Microsoft Entra Connect to sync identities between tenants

C.Microsoft Entra Domain Services in each tenant

D.Federation between the two Azure AD tenants

Explanation: Microsoft Entra B2B collaboration allows users from one tenant to access resources in another tenant as guest users while maintaining separate identity management in their home tenant. Connect syncs on-premises to cloud, not tenant-to-tenant. Domain Services provides managed domain services, not cross-tenant access. Federation is complex and not native to Azure AD-to-Azure AD scenarios.

About the Azure AZ-305 Exam

The Microsoft Azure Solutions Architect Expert (AZ-305) exam validates expertise in designing cloud and hybrid solutions that run on Microsoft Azure, including compute, network, storage, monitoring, and security. Candidates must have advanced experience and knowledge of IT operations, including networking, virtualization, identity, security, business continuity, disaster recovery, data platforms, and governance.

Questions

60 scored questions

Time Limit

120 minutes

Passing Score

700/1000

Exam Fee

$165 (Microsoft / Pearson VUE)

Azure AZ-305 Exam Content Outline

25-30%

Identity, Governance & Monitoring

Microsoft Entra ID design, hybrid identity, identity protection, privileged identity management, governance design, Azure Policy, management groups, subscription design, monitoring solutions with Azure Monitor and Log Analytics

20-25%

Data Storage

Azure Storage account design, blob storage tiers and lifecycle, storage replication options, storage security, Azure Files design, disk storage, SQL database design, SQL Managed Instance, Cosmos DB design, data protection

15-20%

Business Continuity

Azure Backup design, Azure Site Recovery, high availability architecture, disaster recovery strategy, RTO/RPO design, availability zones, VM availability sets, load balancer design

30-35%

Infrastructure

VNet design, subnet design, network security groups, Azure Firewall, VNet peering, VPN Gateway, ExpressRoute, private endpoints, VM and VMSS design, App Service design, AKS design, container solutions

How to Pass the Azure AZ-305 Exam

What You Need to Know

Passing score: 700/1000
Exam length: 60 questions
Time limit: 120 minutes
Exam fee: $165

Keys to Passing

Complete 500+ practice questions
Score 80%+ consistently before scheduling
Focus on highest-weighted sections
Use our AI tutor for tough concepts

Azure AZ-305 Study Tips from Top Performers

1Focus on design scenarios — AZ-305 tests decision-making, not just knowing what services exist. Practice analyzing requirements and selecting the best solution.

2Master Azure networking deeply: VNet design, subnetting, NSGs vs Azure Firewall, VNet peering vs VPN Gateway vs ExpressRoute — these are heavily tested.

3Understand identity architecture: Microsoft Entra ID, hybrid identity with AD Connect, identity protection, PIM for privileged access, and B2B collaboration.

4Know storage design trade-offs: when to use Blob vs Files vs Disks, hot/cool/archive tiers, replication options (LRS/ZRS/GRS/RA-GRS), and data protection strategies.

5Study high availability and disaster recovery: availability zones vs sets, load balancer tiers, Azure Site Recovery, backup strategies, and calculating RTO/RPO.

6Practice with hands-on labs — build multi-tier applications, configure hybrid networking, implement governance with Policy and Blueprints.

Frequently Asked Questions

What is the AZ-305 passing score?

The Microsoft Azure Solutions Architect Expert (AZ-305) exam requires a passing score of 700 out of 1000. The exam typically has around 40-60 questions and must be completed within 120 minutes. Microsoft uses scaled scoring, so the raw number of correct answers is converted to a 1-1000 scale.

What are the prerequisites for AZ-305?

To earn the Azure Solutions Architect Expert certification, you must first pass AZ-104 (Azure Administrator Associate). Microsoft requires the Administrator certification as a prerequisite because AZ-305 tests design decisions based on deep implementation knowledge. You cannot take AZ-305 without first earning AZ-104.

How hard is the AZ-305 exam?

AZ-305 is considered a challenging expert-level exam. Unlike AZ-900 (concepts) or AZ-104 (implementation), AZ-305 tests design decisions — knowing WHY to choose one solution over another. Questions present complex scenarios requiring trade-off analysis. Most candidates need 2-3 months of study (60-100 hours) with hands-on Azure experience. The exam has a lower pass rate than associate-level exams.

How long should I study for AZ-305?

Most candidates need 2-3 months of study, investing 60-100 hours total. Key study actions: 1) Review all four exam domains with focus on Infrastructure (30-35%) and Identity/Governance (25-30%). 2) Build hands-on labs for networking, storage, and compute scenarios. 3) Practice scenario-based questions requiring design trade-offs. 4) Understand when to choose specific services (e.g., VPN Gateway vs ExpressRoute, SQL MI vs Cosmos DB). 5) Complete at least 200 practice questions. Candidates without AZ-104 experience should allow additional time.

What jobs does AZ-305 qualify me for?

AZ-305 is an expert-level certification qualifying you for senior cloud architecture roles: Azure Solutions Architect, Cloud Architect, Enterprise Architect, Infrastructure Architect, and Cloud Consultant. Certified professionals typically earn $120,000-$180,000+ depending on location and experience. The certification is highly valued by enterprises running Azure workloads and is often required for consulting roles at Microsoft partners.

What is the difference between AZ-305 and AZ-104?

AZ-104 (Azure Administrator) tests hands-on ability to implement and manage Azure resources — the "how." AZ-305 tests design decision-making — the "why" and "when." For example, AZ-104 tests how to configure a VNet peering, while AZ-305 tests when to choose VNet peering vs VPN Gateway vs ExpressRoute based on requirements. AZ-305 requires understanding trade-offs between cost, performance, security, and complexity.