AZ-104 tells employers you can operate Azure. AZ-305 tells them you can design it.
The AZ-104 Azure Administrator Associate asks questions like: “How do you configure a network security group rule?” AZ-305 asks: “An organisation needs to connect twelve Azure virtual networks across four regions while minimising administrative overhead and ensuring all traffic flows through a centralised firewall. Which design do you recommend?” That shift — from configuration to architecture — defines everything about this exam.
AZ-305 replaced the retired AZ-303 and AZ-304 pair in 2022. The earlier format required two separate exams covering design and implementation; AZ-305 consolidates both into a single Expert-tier assessment. The exam costs $165 USD, runs for 150 minutes, and requires a score of 700 or above to pass. Microsoft does not enforce a formal prerequisite exam, but the scenarios assume a level of hands-on Azure experience equivalent to AZ-104. Typical preparation time for candidates with active Azure operations experience is six to eight weeks.
The four design areas
Area 1 — Design Identity, Governance, and Monitoring Solutions (~25–30%)
The largest area and the one most architecturally distinct from the administrator tier. Identity questions shift from “configure Conditional Access” to “design a Conditional Access strategy for an organisation with 15,000 users, external partners, and a mix of managed and BYOD devices.” Know Microsoft Entra ID tenant design, B2B guest access governance, and hybrid identity topology choices: Entra Connect Sync vs Entra Connect Cloud Sync and when each applies.
Azure RBAC at the management group level: custom role design, least-privilege scoping across a multi-subscription landing zone, and PIM (Privileged Identity Management) for just-in-time access with approval workflows. Azure Policy initiative assignments across management groups and how to design a policy framework that enforces compliance without blocking legitimate deployment. Azure Monitor and Log Analytics workspace architecture: centralised (all logs to one workspace, simpler cross-workload queries) vs decentralised (separate workspace per workload, better data isolation for regulated environments).
- Entra ID hybrid identity: password hash sync vs pass-through authentication vs Active Directory Federation Services — the tradeoffs and when each is appropriate
- Azure Key Vault access models: access policy model vs Azure RBAC model, and private endpoint vs service endpoint for network isolation
- Managed identity (system-assigned vs user-assigned) and when to prefer it over service principals for workload identity
- Microsoft Sentinel workspace design: single workspace vs distributed, data connector selection, and analytics rule scope
Area 2 — Design Data Storage Solutions (~15–20%)
The exam tests the ability to select the correct Azure data service given a set of requirements: latency target, consistency model, query pattern, cost envelope, and regulatory constraints. The decision tree candidates must internalise:
- Azure SQL Database vs Azure SQL Managed Instance: SQL Database for cloud-native apps that can be redesigned; Managed Instance for lift-and-shift migrations that require SQL Agent, cross-database queries, CLR, or full SQL Server Agent compatibility.
- Azure Cosmos DB: globally distributed, chosen when the workload requires sub-10ms reads at any scale, multi-region active-active writes, or a non-relational data model. Know the five consistency levels — strong, bounded staleness, session, consistent prefix, eventual — and their latency and throughput tradeoffs.
- Azure Data Lake Storage Gen2: hierarchical namespace layered on Blob Storage for big data analytics workloads using Azure Synapse Analytics or Databricks; know the difference between flat namespace and hierarchical namespace and why HNS matters for rename operations.
- Storage account redundancy: LRS (three copies, one datacenter), ZRS (three availability zones, one region), GRS (LRS plus async replication to paired region), GZRS (ZRS plus async paired region), RA-GRS / RA-GZRS (adds read access to secondary). Know the RPO characteristics for each and which failover type is customer-initiated vs Microsoft-initiated.
Azure Files and Azure File Sync for hybrid scenarios: File Sync caches hot files on Windows Server endpoints and tiers cold files to Azure, enabling organisations to reduce on-premises storage footprint while maintaining local performance. The exam tests multi-site sync topology design: server endpoints, cloud endpoints, and sync group architecture.
Area 3 — Design Business Continuity Solutions (~10–15%)
High-availability architecture choices: Availability Zones provide physical redundancy within a region (separate power, cooling, and networking across three zones); Availability Sets provide fault domain and update domain separation within a single datacenter (no zone-level protection). For new workloads, Availability Zones are the standard recommendation. Zone-redundant services — Azure SQL, Azure Storage with ZRS, AKS with zone-spanning node pools — distribute automatically across zones.
Azure Site Recovery (ASR) for VM-level disaster recovery: replication to a secondary Azure region, configurable RPO (minimum 30 seconds for Hyper-V, five minutes for VMware-based workloads), and three failover modes — test failover (isolated, non-disruptive), planned failover (pre-coordinated, minimal data loss), and unplanned failover (immediate, data loss within the RPO window). Recovery plans allow multi-VM orchestrated failover with custom actions.
Azure Backup: Recovery Services vault for VM backup, SQL Server in Azure VM, and Azure Files. Backup vault for managed disks and blob storage. Soft delete retains backup data for 14 days after deletion. Cross-region restore enables recovery to the paired region for Recovery Services vault-protected resources.
- Traffic Manager vs Azure Front Door for geographic failover: Traffic Manager is DNS-based and works with any public endpoint including on-premises; Front Door is an anycast HTTP/HTTPS proxy with built-in CDN and WAF — not a substitute for Traffic Manager when non-HTTP workloads or on-premises endpoints are involved.
- RTO vs RPO design: RTO is recovery time; RPO is acceptable data loss. Map these requirements to the correct Azure service combination before selecting architecture.
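The zone-versus-availability-set distinction above is the kind of thing worth checking mechanically in an existing subscription. The script below is an added example, not part of the original article: it walks a constructed list of resources shaped like ARM exports (top-level `zones` on `Microsoft.Compute/virtualMachines`, `sku.name` on storage accounts) and reports, per workload tier (an assumed `tier` tag), where a single zone outage would take the tier down. Names, zones and the tag are all constructed for the demo.

```python
"""Audit VMs and storage accounts for zone redundancy, grouped by tier.

Added example (not from the original article). Resource shapes follow the
ARM representation; every instance below is constructed for the demo.
"""
from collections import defaultdict
from typing import Dict, List

# Storage SKUs whose primary-region copies span availability zones.
ZONE_REDUNDANT_SKUS = {"Standard_ZRS", "Standard_GZRS", "Standard_RAGZRS", "Premium_ZRS"}

# Constructed sample inventory: the web tier is spread across three zones,
# the app tier is pinned to zone 1 with LRS storage, the db tier uses an
# availability set only (no zone protection).
RESOURCES: List[dict] = [
    {"name": "vm-web-1", "type": "Microsoft.Compute/virtualMachines", "zones": ["1"], "tags": {"tier": "web"}, "properties": {}},
    {"name": "vm-web-2", "type": "Microsoft.Compute/virtualMachines", "zones": ["2"], "tags": {"tier": "web"}, "properties": {}},
    {"name": "vm-web-3", "type": "Microsoft.Compute/virtualMachines", "zones": ["3"], "tags": {"tier": "web"}, "properties": {}},
    {"name": "vm-app-1", "type": "Microsoft.Compute/virtualMachines", "zones": ["1"], "tags": {"tier": "app"}, "properties": {}},
    {"name": "vm-app-2", "type": "Microsoft.Compute/virtualMachines", "zones": ["1"], "tags": {"tier": "app"}, "properties": {}},
    {"name": "vm-db-1", "type": "Microsoft.Compute/virtualMachines", "zones": [], "tags": {"tier": "db"},
     "properties": {"availabilitySet": {"id": "/constructed/avset-db"}}},
    {"name": "stlogs", "type": "Microsoft.Storage/storageAccounts", "sku": {"name": "Standard_LRS"}, "tags": {"tier": "app"}},
    {"name": "stmedia", "type": "Microsoft.Storage/storageAccounts", "sku": {"name": "Standard_GZRS"}, "tags": {"tier": "web"}},
]


def audit_zone_redundancy(resources: List[dict]) -> Dict[str, List[str]]:
    """Return {tier: [findings]}; tiers with no findings are omitted."""
    findings: Dict[str, List[str]] = defaultdict(list)
    zones_by_tier: Dict[str, set] = defaultdict(set)

    for r in resources:
        tier = r.get("tags", {}).get("tier", "untagged")
        if r["type"] == "Microsoft.Compute/virtualMachines":
            zones = r.get("zones") or []
            if zones:
                zones_by_tier[tier].update(zones)
            elif r.get("properties", {}).get("availabilitySet"):
                # Fault/update domains only: a whole-zone failure still takes it out.
                findings[tier].append(f"{r['name']}: availability set only, no zone-level protection")
            else:
                findings[tier].append(f"{r['name']}: single instance, no zone and no availability set")
        elif r["type"] == "Microsoft.Storage/storageAccounts":
            sku = r["sku"]["name"]
            if sku not in ZONE_REDUNDANT_SKUS:
                # LRS/GRS keep all primary-region copies in one datacenter.
                findings[tier].append(f"{r['name']}: {sku} is not zone-redundant in the primary region")

    # A tier whose zonal VMs all sit in one zone has no zone redundancy at all.
    for tier, zones in zones_by_tier.items():
        if len(zones) < 2:
            findings[tier].append(f"all zonal VMs are in zone(s) {sorted(zones)}; one zone outage stops the tier")
    return dict(findings)


if __name__ == "__main__":
    for tier, issues in audit_zone_redundancy(RESOURCES).items():
        print(tier)
        for issue in issues:
            print("  -", issue)
```

On real data the inventory would come from a resource-graph or `az resource list` export; the checks themselves do not change.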
Area 4 — Design Infrastructure Solutions (~25–30%)
Compute selection is the most scenario-heavy section of the exam. The decision framework the exam applies:
- Azure Virtual Machines: maximum control, IaaS, required for OS-level customisation, legacy workloads, or anything that can’t be containerised or migrated to PaaS.
- Azure Kubernetes Service (AKS): container orchestration for microservices at scale, chosen when the workload is containerised and requires auto-scaling, rolling updates, Helm-managed deployments, or fine-grained resource governance.
- Azure Container Apps: serverless container hosting built on Kubernetes internals (KEDA, Dapr, Envoy), chosen for event-driven microservices and background workers when you want containers without the overhead of managing AKS node pools.
- Azure App Service: PaaS for HTTP(S)-based web applications — OS patching, auto-scaling, deployment slots, and TLS are managed; appropriate when the application doesn’t require OS access or custom container runtime configuration.
- Azure Functions: serverless for event-triggered, short-duration tasks. Consumption plan for sporadic workloads; Elastic Premium for VNET integration, longer execution times, or pre-warmed instances.
Networking architecture: hub-and-spoke topology with Azure Firewall or a Network Virtual Appliance (NVA) in a manually managed hub VNet versus Azure Virtual WAN (Microsoft-managed hub, automated routing, global mesh). Virtual WAN is preferred when connecting more than five spoke VNets, operating across multiple regions, or requiring branch-to-branch connectivity without explicit spoke peering. The exam tests which to recommend given scale and operational complexity requirements.
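The "all traffic flows through a centralised firewall" requirement from the scenario at the top of the article is enforced in a manually managed hub-and-spoke by user-defined routes on each spoke subnet. The script below is an added example (not from the original article) that audits constructed route-table and subnet records shaped like ARM `Microsoft.Network/routeTables` resources: it checks that every spoke subnet carries a 0.0.0.0/0 route whose next hop is the hub firewall, flags any route that sends a prefix straight to the internet, and flags gateway route propagation left enabled. The firewall IP, VNet and subnet names are constructed.

```python
"""Audit spoke subnets for a forced default route through the hub firewall.

Added example (not from the original article). Route table and subnet shapes
follow the ARM schema; the addresses and names below are constructed.
"""
from typing import Dict, List, Optional

HUB_FIREWALL_IP = "10.0.1.4"  # assumed private IP of the hub Azure Firewall (constructed)

# Constructed sample: one compliant table, one with a bypass route and BGP propagation on.
ROUTE_TABLES: Dict[str, dict] = {
    "rt-spoke-app": {"properties": {
        "disableBgpRoutePropagation": True,
        "routes": [
            {"name": "default-to-firewall", "properties": {
                "addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance",
                "nextHopIpAddress": "10.0.1.4"}},
        ]}},
    "rt-spoke-data": {"properties": {
        "disableBgpRoutePropagation": False,
        "routes": [
            {"name": "default-to-firewall", "properties": {
                "addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance",
                "nextHopIpAddress": "10.0.1.4"}},
            {"name": "saas-bypass", "properties": {
                "addressPrefix": "203.0.113.0/24", "nextHopType": "Internet"}},
        ]}},
}

SUBNETS: List[dict] = [
    {"vnet": "vnet-spoke-app", "name": "snet-app", "routeTable": "rt-spoke-app"},
    {"vnet": "vnet-spoke-data", "name": "snet-data", "routeTable": "rt-spoke-data"},
    {"vnet": "vnet-spoke-web", "name": "snet-web", "routeTable": None},  # forgot to associate one
]


def audit_subnet(subnet: dict, route_tables: Dict[str, dict], firewall_ip: str) -> List[str]:
    """Return a list of findings for one spoke subnet (empty means compliant)."""
    findings: List[str] = []
    rt_name: Optional[str] = subnet.get("routeTable")
    if not rt_name:
        return ["no route table: Azure system routes send internet-bound traffic out directly, bypassing the hub firewall"]

    props = route_tables[rt_name]["properties"]
    routes = [(r["name"], r["properties"]) for r in props.get("routes", [])]

    default = [p for _, p in routes if p["addressPrefix"] == "0.0.0.0/0"]
    if not default:
        findings.append("no 0.0.0.0/0 route: the system default route to the internet still applies")
    elif default[0]["nextHopType"] != "VirtualAppliance" or default[0].get("nextHopIpAddress") != firewall_ip:
        findings.append(f"default route next hop is {default[0]['nextHopType']} "
                        f"{default[0].get('nextHopIpAddress', '')}, not the hub firewall {firewall_ip}")

    # Any explicit Internet next hop is a deliberate hole in the forced tunnel.
    for name, p in routes:
        if p["nextHopType"] == "Internet":
            findings.append(f"route '{name}' sends {p['addressPrefix']} directly to the internet")

    # More specific prefixes learned via BGP win by longest prefix match and skip the firewall.
    if not props.get("disableBgpRoutePropagation", False):
        findings.append("gateway route propagation enabled: on-premises prefixes learned via BGP bypass the firewall")
    return findings


def audit_all(subnets: List[dict], route_tables: Dict[str, dict], firewall_ip: str) -> Dict[str, List[str]]:
    return {f"{s['vnet']}/{s['name']}": audit_subnet(s, route_tables, firewall_ip) for s in subnets}


if __name__ == "__main__":
    for key, issues in audit_all(SUBNETS, ROUTE_TABLES, HUB_FIREWALL_IP).items():
        print(key, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

Virtual WAN removes the need for this per-spoke route-table discipline, which is the operational-overhead argument the exam expects you to make at scale.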
Private connectivity: Private Link vs service endpoints. Private Link creates a private IP address in your VNet for a PaaS resource — traffic never traverses the public internet end-to-end, and the PaaS resource’s public endpoint can be disabled. Service endpoints route traffic over the Microsoft backbone but the PaaS resource retains its public IP. For regulated workloads requiring no public IP exposure on PaaS resources, Private Link is the correct answer.
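The Private Link versus service endpoint distinction in this paragraph, and the Key Vault access-model and network-isolation choices listed under Area 1, show up concretely in a resource's ARM properties. The script below is an added example (not from the original article) that classifies constructed storage account and Key Vault records: a service endpoint shows up as `networkAcls.virtualNetworkRules` with no private endpoint and `publicNetworkAccess` still `Enabled`, whereas a Private Link design has an approved `privateEndpointConnections` entry and `publicNetworkAccess` set to `Disabled`. For vaults it also checks `enableRbacAuthorization` and `enablePurgeProtection`. Property names are the real ARM ones; the resource instances are constructed.

```python
"""Flag PaaS resources that still expose a public endpoint, plus Key Vault model checks.

Added example (not from the original article). Property names follow the ARM
schema for Microsoft.Storage/storageAccounts and Microsoft.KeyVault/vaults;
the three resource instances below are constructed for the demo.
"""
from typing import Dict, List

APPROVED_PE = {"properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}}

RESOURCES: List[dict] = [
    {   # service endpoint only: backbone path, but the public IP still exists
        "name": "stsvcendpoint", "type": "Microsoft.Storage/storageAccounts",
        "properties": {
            "publicNetworkAccess": "Enabled",
            "networkAcls": {"defaultAction": "Deny",
                            "virtualNetworkRules": [{"id": "/constructed/subnets/snet-app"}]},
            "privateEndpointConnections": [],
        }},
    {   # Private Link with the public endpoint switched off
        "name": "stprivatelink", "type": "Microsoft.Storage/storageAccounts",
        "properties": {
            "publicNetworkAccess": "Disabled",
            "networkAcls": {"defaultAction": "Deny", "virtualNetworkRules": []},
            "privateEndpointConnections": [APPROVED_PE],
        }},
    {   # vault with a private endpoint but legacy access policies and public access left on
        "name": "kv-legacy", "type": "Microsoft.KeyVault/vaults",
        "properties": {
            "enableRbacAuthorization": False,
            "enableSoftDelete": True,
            "publicNetworkAccess": "Enabled",
            "networkAcls": {"defaultAction": "Allow"},
            "privateEndpointConnections": [APPROVED_PE],
        }},
]


def _approved_private_endpoints(props: dict) -> int:
    conns = props.get("privateEndpointConnections", [])
    return sum(1 for c in conns
               if c.get("properties", {}).get("privateLinkServiceConnectionState", {}).get("status") == "Approved")


def audit_resource(resource: dict) -> List[str]:
    """Return findings for one storage account or vault (empty means compliant)."""
    props = resource["properties"]
    acls = props.get("networkAcls", {})
    findings: List[str] = []

    if _approved_private_endpoints(props) == 0:
        if acls.get("virtualNetworkRules"):
            findings.append("service endpoint only: traffic stays on the Microsoft backbone but the resource keeps a public IP")
        else:
            findings.append("no private endpoint and no service endpoint: reachable only via the public endpoint")
    if props.get("publicNetworkAccess") != "Disabled":
        findings.append("publicNetworkAccess is not Disabled: the public endpoint is still exposed")
    if acls.get("defaultAction") != "Deny":
        findings.append("networkAcls.defaultAction is not Deny")

    if resource["type"] == "Microsoft.KeyVault/vaults":
        if not props.get("enableRbacAuthorization"):
            findings.append("access-policy model in use: the Azure RBAC model scopes per object and fits PIM assignments")
        if not props.get("enablePurgeProtection"):
            findings.append("purge protection disabled: soft-deleted objects can be permanently purged")
    return findings


def audit_all(resources: List[dict]) -> Dict[str, List[str]]:
    return {r["name"]: audit_resource(r) for r in resources}


if __name__ == "__main__":
    for name, issues in audit_all(RESOURCES).items():
        print(name, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

The `stsvcendpoint` account is the case the exam is probing: the firewall default action is `Deny` and only one subnet is allowed, yet the public IP remains, so for a "no public IP exposure" requirement it is still the wrong design.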
Load balancing tier selection: Azure Load Balancer (Layer 4, regional, TCP/UDP, no SSL inspection), Application Gateway (Layer 7, regional, HTTP/HTTPS with URL path routing and WAF), Azure Front Door (Layer 7, global, anycast with CDN and WAF), Traffic Manager (DNS-based, global, protocol-agnostic). The exam constructs multi-tier scenarios where the correct answer depends on whether the requirement is global vs regional, HTTP vs TCP, and whether CDN or WAF is needed.
The AZ-305 question that trips most candidates: confusing Azure Front Door with Application Gateway. Front Door is a global anycast service — CDN, WAF, path-based routing, and session affinity across multiple regions. Application Gateway is a regional Layer 7 load balancer — TLS termination, URL path routing, connection draining, and WebSocket support within a single region. When the scenario describes multi-region traffic distribution or global CDN offload, choose Front Door. When it describes regional backend pools and per-path HTTP routing within one region, choose Application Gateway. They are not interchangeable, and the exam tests this distinction across multiple scenario formats.
How AZ-305 fits the Azure cert map
AZ-305 sits at the apex of the general-purpose Azure certification track. The standard progression runs through AZ-900 (Fundamentals) and AZ-104 (Administrator Associate) before reaching AZ-305. Role-specific associate certs — AZ-204 (Developer Associate), AZ-500 (Security Engineer Associate), AZ-700 (Network Engineer Associate) — branch from AZ-104 toward specialisations. AZ-305 is the only credential that certifies broad architectural design competence across all Azure service categories at the Expert tier, which is why it appears on architect-level job descriptions where the associate certs do not.
Microsoft’s renewal model for AZ-305 is more accessible than the legacy three-year recertification cycle: holders receive an annual renewal assessment that is free, online, and unproctored, testing recently added Azure services and updated design patterns. A failed first attempt does not immediately expire the credential — retry opportunities exist within the renewal window. This keeps certified architects current with Azure’s rapid release cadence without the cost and scheduling overhead of repeat full sittings.
For candidates who hold AZ-104: the cognitive shift to AZ-305 is significant. AZ-104 rewards detailed recall of service configuration. AZ-305 rewards the ability to apply that knowledge as architectural constraints across competing design options. The highest-value preparation for AZ-305 is working through real design scenarios — the Azure Architecture Center reference architectures and the Microsoft Learn case studies — because the exam tests reasoning about tradeoffs, not memorisation of configuration syntax.
AZ-305 is the Microsoft credential that signals the transition from operating Azure to designing it. Prioritise the compute selection framework (VMs vs AKS vs Container Apps vs App Service vs Functions), the load balancing tier comparison (Load Balancer vs Application Gateway vs Front Door vs Traffic Manager), and the storage redundancy decision tree (LRS through GZRS) — these decision matrices appear across multiple exam scenarios. Use the official Microsoft Learn certification page for the current skills outline and free practice assessment to calibrate your readiness before sitting the exam.
Test your AZ-305 architecture knowledge with expert-level Azure design practice questions on CertQuests.