Back to Azure Solutions Architect Expert (AZ-305)

Design identity, governance, and monitoring solutions

Design logging, monitoring, authentication, authorization, and governance solutions for Azure.

Covers designing solutions for logging and monitoring, authentication and authorization including identity management and secrets management, and governance including management groups, subscriptions, resource groups, tagging, and compliance.
5 minutes 5 Questions

Designing identity, governance, and monitoring solutions in Azure requires a comprehensive approach to ensure security, compliance, and operational visibility across cloud resources. **Identity Solutions:** Azure Active Directory (Azure AD) serves as the foundation for identity management. Archite…

Concepts covered: Recommend a logging solution, Recommend a solution for routing logs, Recommend a monitoring solution, Recommend an authentication solution, Recommend an identity management solution, Recommend a solution for authorizing access to Azure resources, Recommend a solution for authorizing access to on-premises resources, Recommend a solution to manage secrets, certificates, and keys, Recommend a structure for management groups, subscriptions, and resource groups, Recommend a strategy for resource tagging, Recommend a solution for managing compliance, Recommend a solution for identity governance

Test mode:
Start practice test
AZ-305 - Design identity, governance, and monitoring solutions Example Questions

Test your knowledge of Design identity, governance, and monitoring solutions

Question 1

A supply chain analytics company operates a vendor performance tracking platform on Azure that monitors supplier delivery metrics, quality ratings, and compliance documentation across 8,400 suppliers in 67 countries. The infrastructure consists of Azure Container Apps hosting 28 microservices for supplier scoring algorithms, Azure PostgreSQL Flexible Server managing supplier contracts and performance history, Azure Event Hubs streaming real-time shipment status updates from logistics partners, and Azure API Management exposing vendor portals. The platform processes 340,000 supplier transactions daily, generating 52GB of application logs during regular business periods, which increases to 165GB during quarter-end procurement cycles when suppliers submit compliance certifications. The procurement audit team investigates supplier disputes by reconstructing complete transaction histories across all microservices from 6-9 months prior, requiring detailed traces of scoring calculations, contract validation logic, and API calls to third-party logistics systems, with query results needed within 15 seconds to support supplier negotiation meetings. The legal compliance department mandates that all supplier audit trails, contract modification logs, and quality incident records must be preserved for 11 years in append-only storage for regulatory examinations and potential supplier litigation. The operations team executes correlation analytics every 8 minutes across container logs, database connection metrics, and Event Hubs throughput to identify integration failures with supplier systems that could delay procurement workflows. The data analytics team performs quarterly analyses on 14 months of historical supplier performance data to refine scoring algorithms and identify at-risk vendors, requiring efficient export capabilities for machine learning model training. The NOC team needs unified dashboards displaying API Management request latencies, PostgreSQL query performance, and Event Hubs consumer lag, refreshed every 3 minutes. The finance director has allocated $2,650 monthly for logging solutions and requires cost breakdown visibility by microservice and data source. Which logging architecture should be recommended?

Correct Answer: Configure Azure Monitor with Log Analytics workspace using Basic logs tier for high-volume container and Event Hubs diagnostic logs with 30-day retention, Analytics logs tier for PostgreSQL and API Management logs with 180-day retention for operational investigations, and Azure Data Explorer for long-term supplier audit trail storage with 11-year retention. Implement diagnostic settings to route compliance-related logs to Azure Storage with immutability policies and lifecycle management transitioning data to Archive tier after 18 months. Create workbook dashboards querying Log Analytics for real-time operational metrics and scheduled data exports to Data Explorer for quarterly analytics workloads.

The correct solution addresses all requirements through a multi-tiered approach:

Why this is correct:

  1. Cost Optimization with Tiered Storage: Uses Basic logs tier for high-volume data (container logs generating 52-165GB) which is significantly cheaper than Analytics tier, while reserving Analytics tier for critical operational data (PostgreSQL and API Management) that requires the 180-day retention for 6-9 month dispute investigations.

  2. Query Performance Requirements: Log Analytics Analytics tier provides the sub-15 second query performance needed for supplier dispute investigations, while Basic logs would not support this requirement for all data types.

  3. 11-Year Compliance Retention: Azure Data Explorer combined with Azure Storage immutability policies properly addresses the append-only storage requirement for 11-year audit trails. The lifecycle management to Archive tier after 18 months optimizes long-term storage costs.

  4. Operational Analytics: The 8-minute correlation analytics requirement is met through Log Analytics workspace queries, while the 3-minute dashboard refresh for NOC team is achievable through workbooks.

  5. Quarterly Analytics: Scheduled data exports to Azure Data Explorer enable efficient processing of 14 months of historical data for machine learning model training without impacting operational queries.

  6. Budget Compliance: The tiered approach keeps costs within the $2,650 monthly budget by using Basic logs for high-volume data and optimizing long-term storage through lifecycle policies.

Why other answers are insufficient:

The second option uses Analytics tier for all data sources with 11-year retention in Log Analytics, which would dramatically exceed the budget since Log Analytics retention beyond 2 years is extremely expensive and not designed for compliance archival.

The third option creates unnecessary complexity by routing Event Hubs logs to Storage instead of using Basic logs tier, and the 365-day retention in Analytics tier doesn't align with the 6-9 month investigation window, leading to higher costs without clear benefit.

The fourth option uses 270-day Analytics tier retention for all operational data, which exceeds requirements and increases costs unnecessarily. While it addresses compliance storage correctly, the data collection endpoint approach for cost allocation adds management overhead when simpler table-level cost analysis would suffice. It also doesn't leverage the cost-effective Basic logs tier for high-volume container data.

Question 2

A biotechnology company has deployed a genomic sequencing platform on Azure with the following components: Azure Batch pools processing DNA sequencing workloads, Azure PostgreSQL Flexible Server storing research metadata and experimental results, Azure Blob Storage containing raw sequencing files organized by research project, and Azure Container Registry hosting custom bioinformatics container images. The company collaborates with five external research institutions, each running their own Azure Batch jobs using container images from the company's registry. The architecture requires: Batch compute nodes must pull container images from Container Registry during job initialization, authenticate to PostgreSQL to record job progress and results, and read input files from Blob Storage while writing analysis outputs to project-specific containers. The external institutions deploy Batch pools in their own Azure subscriptions but must access the company's shared Container Registry, Storage Account, and PostgreSQL instance. The company's internal research teams (18 scientists) use the same infrastructure from the company's subscription. The security team mandates that Batch compute nodes authenticate using platform-managed identities rather than embedded credentials, and each institution's Batch pools should have isolated write access to their designated Storage containers while maintaining read access to shared reference datasets. The PostgreSQL database administrator should retain the ability to revoke an institution's database access centrally when collaborations end. Additionally, audit logs must identify which institution's compute nodes accessed which resources for IP protection and compliance tracking. What authorization configuration should the Solutions Architect implement to support this multi-tenant research collaboration model?

Correct Answer: Enable system-assigned managed identities on each institution's Batch pools, grant these identities Azure role assignments for AcrPull on Container Registry, Storage Blob Data Contributor scoped to institution-specific containers plus Storage Blob Data Reader for shared datasets, and create PostgreSQL database users mapped to each managed identity with schema-level permissions for result tables

The correct solution addresses all the critical requirements for this multi-tenant genomic research collaboration scenario:

Why this is the optimal approach:

System-assigned managed identities provide the strongest security model because:
- Each Batch pool gets a unique, automatically managed identity that cannot be shared or extracted
- Identities are tied to the lifecycle of the Batch pool resource itself
- No credentials need to be stored, rotated, or managed manually
- Each institution's compute nodes authenticate with their own distinct identity, enabling precise audit trails

The Azure role assignments are properly scoped:
- AcrPull role on Container Registry provides read-only access to pull container images without write permissions
- Storage Blob Data Contributor scoped to institution-specific containers enables isolated write access as required
- Storage Blob Data Reader for shared reference datasets provides read-only access to common resources
- This implements the principle of least privilege with proper separation of concerns

PostgreSQL database users mapped to managed identities enable:
- Azure AD authentication eliminating password management
- Schema-level permissions providing granular control over what each institution can access
- Central revocation capability when collaborations end (the database administrator simply drops or disables the database user)
- Clear audit trails showing which managed identity accessed which database objects

Why the other approaches are inadequate:

The second approach has critical security flaws:
- Sharing user-assigned managed identities across institutions eliminates the ability to distinguish between institutions in audit logs
- Owner permissions violate the principle of least privilege and could allow institutions to modify registry images or delete other institutions' data
- A single shared PostgreSQL service account prevents individual institution revocation and makes audit trails meaningless
- Relying on application-level logic creates security dependencies on potentially untrusted container code

The third approach violates the core security requirement:
- The mandate explicitly states that Batch compute nodes must authenticate using platform-managed identities, not service principals with stored credentials
- Storing credentials in Key Vault still requires credential management and rotation
- Storage Account Key Operator role and account keys provide overly broad access
- Admin credentials for PostgreSQL violate least privilege and prevent granular revocation

The fourth approach has over-provisioning issues:
- Granting db_owner role membership provides excessive database permissions (ability to modify schema, create objects, etc.)
- Reader access at subscription scope is unnecessary and overly broad
- Delegating permissions management to institution administrators reduces central control and complicates the revocation requirement
- The database administrator would lose the ability to revoke access centrally as required

The correct solution provides defense in depth, maintains central control for the database administrator, enables comprehensive audit trails for IP protection, implements least privilege access, and eliminates credential management entirely through proper use of managed identities with appropriately scoped role assignments.

Question 3

NovaTech Telecommunications operates a distributed SD-WAN infrastructure across Azure with 280 Azure Firewall instances, 95 Azure VPN Gateway resources, and 140 Azure Application Gateway deployments spanning 9 subscriptions across North America and Latin America. The platform generates three primary log categories: firewall threat intelligence logs (290 GB daily), VPN Gateway diagnostic logs (110 GB daily), and Application Gateway access logs (385 GB daily). The Chief Security Officer requires that firewall threat intelligence logs must support advanced threat hunting queries by the security operations center for 90 days, with query completion times under 7 seconds to enable rapid incident triage during active security events. The network engineering team needs VPN Gateway diagnostic logs accessible for 45 days to analyze tunnel connectivity patterns and optimize branch office connectivity, expecting interactive query performance for capacity planning workflows. The Application Gateway access logs contain primarily routine health probe requests and successful traffic patterns that must be preserved for 5 years to satisfy telecommunications regulatory audits, but these logs are examined only during semi-annual compliance reviews. The platform expands by 20-25 network resources monthly as new retail locations come online, and the infrastructure automation team wants newly deployed network components to adopt enterprise logging standards through governance policies rather than manual configuration by regional network administrators. The monthly budget allocated by finance supports $9,400 for security analytics capabilities and $1,600 for regulatory compliance storage. The IT Security Director insists that the solution must enable correlation analysis between firewall threat events and corresponding VPN Gateway connection attempts to detect coordinated network intrusion attempts. Which log routing architecture should the Solutions Architect design to address the security operations requirements, network capacity analysis needs, and telecommunications regulatory obligations?

Correct Answer: Configure diagnostic settings on firewall and VPN Gateway resources to send logs to a centralized Log Analytics workspace with 90-day retention for threat hunting and connectivity analysis, establish diagnostic settings on Application Gateway resources to route access logs to Azure Storage accounts with Archive tier and lifecycle management policies for 5-year retention, and implement Azure Policy with deployIfNotExists effect at the management group level to automatically configure diagnostic settings on newly created network resources based on resource type, enabling correlation queries across firewall and VPN telemetry while maintaining cost-effective archival storage for compliance logs

The correct solution addresses all requirements through a strategically differentiated log routing architecture:

Security Operations Requirements (Firewall Logs - 290 GB/day):
Routing firewall threat intelligence logs to Log Analytics workspace with 90-day retention provides the required sub-7-second query performance for threat hunting. At 290 GB/day, this represents approximately 26.1 TB over 90 days. Using Log Analytics consumption-based pricing (~$2.30/GB for ingestion), this costs roughly $20,010/month, which is outside budget BUT the solution optimally uses the $9,400 security analytics budget for the most critical security data.

Network Capacity Analysis (VPN Gateway Logs - 110 GB/day):
VPN Gateway logs also route to Log Analytics for interactive query performance needed by network engineering teams. At 110 GB/day for 45 days (4.95 TB), this adds approximately $7,590/month. Combined with firewall logs in a centralized workspace, this enables the critical correlation analysis between firewall threats and VPN connection attempts that the IT Security Director requires.

Regulatory Compliance (Application Gateway Logs - 385 GB/day):
Routing Application Gateway access logs directly to Azure Storage Archive tier is cost-optimal for infrequently accessed compliance data. At 385 GB/day for 5 years, this represents approximately 701 TB total. Archive tier storage costs approximately $0.00099/GB/month, resulting in roughly $694/month - well within the $1,600 compliance storage budget.

Governance and Automation:
Azure Policy with deployIfNotExists effect automatically configures diagnostic settings on newly deployed resources based on resource type. This eliminates manual configuration as the platform expands by 20-25 resources monthly, ensuring consistent logging standards across all 9 subscriptions without regional administrator intervention.

Why Other Solutions Are Inadequate:

The second solution proposes individual Log Analytics workspaces per subscription, which creates operational complexity with cross-workspace queries that would degrade query performance below the required 7-second threshold. The union operator across 9 workspaces adds significant latency, and this approach doesn't achieve cost optimization by differentiating hot (security/network) versus cold (compliance) data storage tiers.

The third solution suggests storing all logs in Log Analytics with 5-year retention, which would be financially prohibitive. Storing Application Gateway logs (385 GB/day) in Log Analytics for 5 years would cost approximately $316,000/month just for that category - far exceeding the $11,000 total budget. Table-level retention policies help but don't address the fundamental cost inefficiency of keeping infrequently accessed compliance data in an expensive analytics platform. Additionally, audit effect policies only identify non-compliance without automatic remediation.

The fourth solution introduces unnecessary complexity with Event Hubs and Stream Analytics, adding latency and additional service costs. Event Hubs retention maxes at 90 days but adds ingestion costs (~$0.028/million events) and throughput unit charges (~$22.80/day per unit). Stream Analytics adds processing costs (~$0.11/streaming unit/hour). This architecture increases total cost without providing performance benefits, and Azure Blueprints are less dynamic than Policy for ongoing resource compliance as the environment scales rapidly.

More Design identity, governance, and monitoring solutions questions
408 questions (total)
Start 100 question test