The jump from AZ-104 to AZ-305 is steeper than candidates expect. Both exams cover Azure infrastructure, but the question type is fundamentally different. AZ-104 asks "how do you configure this?" AZ-305 asks "given these business requirements, constraints, and tradeoffs, which architecture satisfies all of them?" Getting the right answer requires understanding not just what Azure services do, but which combination of services and configurations satisfies a complex set of requirements simultaneously.
This is how to develop that architecture judgment before the exam.
What Changes at the Expert Level
AZ-305 replaced AZ-301 in 2022 with a tighter focus on real architectural decision-making. The change made it harder for candidates who memorized service names to pass without genuine design experience.
| Domain | Weight |
|---|---|
| Design identity, governance, and monitoring solutions | 25-30% |
| Design data storage solutions | 25-30% |
| Design business continuity solutions | 10-15% |
| Design infrastructure solutions | 25-30% |
Three of four domains carry equal weight at roughly 25-30%. There's no domain you can deprioritize — the exam distributes questions across all areas.
The prerequisite is AZ-104, and Microsoft enforces it. Candidates who skip AZ-104 and attempt AZ-305 without the administrator-level knowledge typically fail because they can't evaluate whether their architectural decisions are practically achievable.
How AZ-305 Scenario Questions Work
Every scenario question follows a pattern:
- Business context: company size, industry, current infrastructure
- Requirements: what must be true (non-negotiable)
- Constraints: limitations (budget, timeline, existing systems to preserve)
- Goals: what the solution should optimize for
The trap: candidates read requirements and match them to services, ignoring constraints. A solution that satisfies requirements while violating a constraint is wrong. A solution that satisfies constraints but fails a requirement is also wrong.
Example scenario framework:
"A financial company has 500 employees across three offices. They run a legacy application on SQL Server 2012 that cannot be modified. They need the application available 24/7, want to reduce on-premises infrastructure management burden, and must keep data within the UK for regulatory reasons."
Requirements: 24/7 availability, no code modification, UK data residency. Constraints: SQL Server 2012 compatibility, cannot modify application. Goal: reduce infrastructure management.
The architecture question: which database solution meets all three requirements while maximizing the goal? Azure SQL Managed Instance runs as a PaaS service (reduces management), supports SQL Server 2012 compatibility level, and can be deployed in the UK South or UK West region (data residency). Azure SQL Database Hyperscale is tempting but has SQL Server compatibility considerations. Running SQL Server 2012 on Azure VMs works but doesn't reduce management. SQL Managed Instance is the answer.
Domain 1: Design Identity, Governance, and Monitoring (25-30%)
Multi-Tenant and Hybrid Identity
AZ-305 identity questions are more complex than AZ-104. They involve multi-tenant architectures, cross-tenant collaboration, and hybrid identity scenarios.
Azure AD Connect vs Azure AD Connect Cloud Sync: both synchronize on-premises Active Directory to Azure AD, but they serve different scenarios.
| Feature | Azure AD Connect | Azure AD Connect Cloud Sync |
|---|---|---|
| Deployment | On-premises server required | Agent-based, lightweight |
| Multi-forest support | Yes, complex topologies | Yes, but simpler configurations |
| Group writeback | Supported | Limited |
| Password hash sync | Supported | Supported |
| Pass-through auth | Supported | Not supported |
| Best for | Complex AD topologies | Simple, distributed environments |
The exam scenario: "A company has five Active Directory forests in different geographic locations. They want to synchronize all users to Azure AD with minimum infrastructure." Azure AD Connect Cloud Sync can handle multiple forests through multiple lightweight agents without requiring a centralized server.
Azure AD B2B vs B2C
B2B (Business-to-Business): external partners access your Azure resources. They authenticate with their own identity provider (their Azure AD, Google, etc.) and get a guest account in your directory. You control access through RBAC on your resources.
B2C (Business-to-Consumer): your application handles customer identity. You build custom sign-up/sign-in flows. You own the identity store. Best for applications with large numbers of external users who need registration, social sign-in, or custom identity workflows.
The exam scenario test: "A company is building a consumer e-commerce application that needs social sign-in (Google, Facebook) and custom profile management." Azure AD B2C — consumer identity, custom flows. "A company works with 200 partner organizations whose employees need read access to a project portal." Azure AD B2B — external collaboration with existing identities.
Azure Monitor Architecture
At the architect level, the exam tests how to design a monitoring strategy, not just configure individual alerts.
Log Analytics workspace design: should you use one workspace or multiple?
"The number one mistake in enterprise Azure monitoring design is proliferating Log Analytics workspaces without a governance model. Then you have data scattered across 30 workspaces and no way to query across them. One workspace per region, with strict access control via RBAC and table-level permissions, is almost always the right answer." — Sam Cogan, Azure MVP and cloud architect
Design considerations:
- Single workspace: simplifies cross-resource queries, reduces workspace management
- Multiple workspaces: required when regulatory compliance mandates data sovereignty (different workspace per region for regulated data), when billing segregation is required (different subscriptions need separate workspaces), or when security isolation is required (different tenants)
Domain 2: Design Data Storage Solutions (25-30%)
Relational vs Non-Relational Selection
The exam presents storage scenarios and asks which service fits. Understanding the selection criteria prevents overthinking:
Azure SQL Database: structured relational data, OLTP workloads, existing SQL Server applications. Serverless tier for intermittent workloads (auto-pause when idle). Hyperscale tier for large databases (up to 100 TB) that need fast scale-out.
Azure SQL Managed Instance: near-complete SQL Server compatibility. Best for lift-and-shift of SQL Server with features that Azure SQL Database doesn't support: SQL Server Agent, linked servers, cross-database queries, CLR.
Azure Cosmos DB: globally distributed, multi-model (document, key-value, graph, table). Best when global distribution is required, data is unstructured or semi-structured, and eventual consistency is acceptable for some operations.
Azure Table Storage vs Cosmos DB Table API: Table Storage is cheaper for simple key-value storage. Cosmos DB Table API provides global distribution, lower latency, and automatic secondary indexes — at higher cost. The exam tests when the cost premium of Cosmos DB is justified.
Data Migration Scenarios
AZ-305 tests database migration architecture:
Azure Database Migration Service (DMS): managed migration service. Online migration (near-zero downtime, CDC-based) for cutover with minimal disruption. Offline migration for workloads that can tolerate downtime.
The migration decision tree:
- Same database engine (SQL → SQL, MySQL → MySQL): Azure DMS, potentially with DMS online for minimal downtime
- Different engine (Oracle → Aurora, SQL Server → PostgreSQL): DMS with Schema Conversion Tool (SCT) for schema transformation
- No code changes allowed: Azure SQL Managed Instance over Azure SQL Database (higher compatibility)
- Large scale (TB of data): Azure Data Box for initial load, DMS for ongoing sync during cutover window
Domain 3: Design Business Continuity Solutions (10-15%)
Business continuity questions on AZ-305 are calculation problems as much as design problems. You need to understand RPO, RTO, and which Azure configurations achieve specific targets.
RPO and RTO Definitions
Recovery Point Objective (RPO): maximum acceptable data loss. "We can lose up to 4 hours of data" = RPO of 4 hours. Determines backup frequency and replication strategy.
Recovery Time Objective (RTO): maximum acceptable downtime. "We must be back online within 1 hour" = RTO of 1 hour. Determines whether you can afford manual failover (minutes to hours) or need automatic failover (seconds to minutes).
| Solution | RPO | RTO |
|---|---|---|
| Azure Backup (daily) | Up to 24 hours | Hours (restore time) |
| Azure Backup (hourly) | Up to 1 hour | Hours |
| SQL Database Active Geo-Replication | < 5 seconds | < 30 seconds (manual failover) |
| SQL Database Auto-Failover Group | < 5 seconds | Automatic |
| Azure Site Recovery | < 15 seconds | Minutes |
| Availability Zones | Near-zero | Automatic (seconds) |
| Paired Region with replication | Minutes-hours | Minutes with failover plan |
The exam scenario: "A company's e-commerce application can tolerate a maximum of 30 minutes of data loss and must resume operations within 2 hours of a regional failure." SQL Database with hourly backup (RPO ≤ 60 min) and Azure Site Recovery for VMs (RTO in minutes with defined recovery plan) satisfies both requirements. Active Geo-Replication with auto-failover groups is technically better but likely over-engineered for a 30-minute RPO and 2-hour RTO requirement.
Domain 4: Design Infrastructure Solutions (25-30%)
Network Topology Design
The hub-spoke topology is the dominant enterprise network pattern tested on AZ-305.
Hub-spoke: a central hub VNet contains shared services (firewalls, VPN/ExpressRoute gateways, DNS). Spoke VNets contain application workloads and peer to the hub. Spokes cannot communicate directly with each other — traffic routes through the hub for inspection.
Benefits: centralized network security, shared expensive resources (VPN gateways are $0.05-$0.35/hour), consistent policy enforcement.
Azure Virtual WAN: a managed hub-spoke topology at scale. Microsoft manages the hub. Optimal routing (Microsoft's global backbone rather than internet routing), integrated security (Azure Firewall in the hub), and simplified management for large deployments (100+ spokes).
The exam distinguishes when custom hub-spoke (manually configured VNet peering) is appropriate vs Azure Virtual WAN:
- Custom: < 20 spokes, specific routing requirements, need full control
- Virtual WAN: large scale, global presence, want managed routing
Compute Selection Framework
AZ-305 requires matching compute service to architectural requirements:
| Requirement | Service |
|---|---|
| Existing code, minimal changes | Azure VMs or App Service (rehost/replatform) |
| Web application, managed OS | Azure App Service |
| Containerized, simple deployment | Azure Container Instances |
| Containerized, orchestrated | Azure Kubernetes Service |
| Event-driven, serverless | Azure Functions |
| Long-running background jobs | Azure Batch |
| Machine learning training | Azure Machine Learning compute clusters |
The combination question: the exam often presents scenarios where the right answer is a combination of services. "A company needs to host a web frontend, run background processing jobs, and store results in a database." App Service (web frontend) + Azure Functions (background processing) + Azure SQL Database or Cosmos DB (results storage). The exam asks you to select the appropriate service for each component.
Migration Assessment
AZ-305 tests the migration assessment process:
Azure Migrate: discovery and assessment tool. Deploys an appliance on-premises to discover servers, map dependencies, and assess readiness for Azure migration. Provides sizing recommendations and cost estimates.
Assessment results:
- Readiness: Ready, Ready with conditions, Not ready
- Recommended VM size based on performance data (not just current sizing)
- Monthly cost estimate
The exam scenario: "A company wants to migrate 300 on-premises servers to Azure but doesn't know which servers are suitable for migration without changes." Azure Migrate assessment — deploy the appliance, run discovery, review readiness report.
How to Build Scenario Question Skills
The skills gap on AZ-305 isn't knowledge of individual services — it's the ability to synthesize requirements into architectures. This improves fastest through scenario practice, not additional study.
Study approach:
- Complete Microsoft Learn's AZ-305 learning paths (foundational knowledge)
- Take one full practice exam (Whizlabs or MeasureUp) — not to score, but to identify which question types you struggle with
- For each wrong answer on practice exams, write out: what was the requirement, what constraint was violated by your answer, what made the correct answer satisfy both?
- Repeat practice exam + analysis cycle with increasing score threshold
Target before booking: 75% consistently on Whizlabs or MeasureUp practice exams. The AZ-305 passing score is 700 out of 1000.
Study resource that fills the gaps: the Microsoft Azure Well-Architected Framework documentation. The five pillars (reliability, security, cost optimization, operational excellence, performance efficiency) directly map to the tradeoffs the exam asks you to make.
AZ-305 Domain Breakdown
| Domain | Weight | What It Covers Beyond AZ-104 |
|---|---|---|
| Design identity, governance, and monitoring solutions | 25-30% | Multi-tenant identity, cross-tenant B2B, Log Analytics workspace design, governance at scale |
| Design data storage solutions | 25-30% | Storage service selection with complex requirements, database migration architecture, data lake patterns |
| Design business continuity solutions | 10-15% | RPO/RTO calculation, Azure Site Recovery design, cross-region failover patterns |
| Design infrastructure solutions | 25-30% | Hub-spoke topology, Azure Virtual WAN, compute selection framework, migration assessment |
AZ-104 tests whether you can configure each service. AZ-305 tests whether you can choose the right combination of services and configurations to satisfy a set of requirements you haven't seen before. The question format changes completely — AZ-104 questions are often 2-3 sentences, AZ-305 questions are regularly 6-10 sentences with embedded constraints.
What AZ-305 Tests That AZ-104 Doesn't Cover
Identity and Security at Scale
AZ-104 tests Azure AD configuration for a single organization. AZ-305 tests identity design for complex organizational structures.
Multi-tenant identity scenarios: the exam presents scenarios involving companies with multiple Azure AD tenants after acquisitions, joint ventures, or segregated environments for compliance. The question: how do users from Tenant A access resources in Tenant B? Azure AD B2B guest access creates external identities in the host tenant. Cross-tenant synchronization (newer feature) allows synchronizing user objects bidirectionally between tenants, so users appear as members rather than guests.
Azure AD B2B vs B2C at design depth: AZ-104 might ask what B2B is. AZ-305 asks which external identity solution fits a specific architectural requirement:
| Scenario | Solution | Why |
|---|---|---|
| 500 partner employees accessing internal portal | Azure AD B2B | Small, trusted external user base with their own identity providers |
| E-commerce app with 2 million customers | Azure AD B2C | Consumer identity at scale, social sign-in, custom branding |
| Healthcare portal for external patients | Azure AD B2C | Self-registration, no IT provisioning, custom user flows |
| SaaS application sold to enterprise customers | Azure AD B2B (multi-tenant app registration) | Each enterprise customer authenticates with their own Azure AD |
Enterprise identity governance design: AZ-305 tests how to design an identity governance strategy, not just configure PIM. This includes entitlement management (access packages that bundle multiple permissions into requestable packages), access reviews at scale, and the process for automating user lifecycle management.
Disaster Recovery Design with Specific RTO/RPO Targets
AZ-104 teaches what Azure Site Recovery does. AZ-305 asks you to design a DR solution that achieves a specific RPO of 15 minutes and RTO of 2 hours — which requires knowing which services can hit those targets.
AZ-305 DR design scenarios:
"A company's critical application runs on Azure VMs with Azure SQL Database. Their RPO is 4 hours and RTO is 8 hours." Solution: Azure Backup for VMs (hourly backup policy achieves RPO ≤ 1 hour, restore achieves RTO in hours) + Azure SQL Database geo-replication (RPO < 5 seconds, but RTO requires manual failover planning).
"A company needs their application available in a secondary region within 1 hour of a primary region failure, with zero data loss." Solution: Azure Site Recovery for VMs (RPO near-zero for Managed Disks, RTO configurable to minutes with Recovery Plans) + Azure SQL Database auto-failover groups (automatic failover, RPO near-zero, RTO < 30 seconds).
The distinction AZ-305 requires: knowing not just that a service provides DR, but what specific RPO/RTO numbers each service achieves and which configuration mode (automatic vs manual failover) is required for specific RTO targets.
AZ-305 vs AZ-104: How Scenario Questions Differ
AZ-104 scenario question (typical): "A company has a storage account. They need to allow access to a specific blob for 48 hours to an external partner without sharing the storage account key. What should you configure?" Answer: Shared Access Signature (SAS token).
AZ-305 scenario question (typical): "A financial services company is designing a data lake for regulatory reporting. The data includes customer PII subject to GDPR. Data scientists need analytical access to aggregated data but must not see individual customer records. The company operates in both EU and US regions. Data must remain in the EU. The solution must minimize operational overhead."
Requirements from this scenario:
- PII protection with selective access (data scientists see aggregated, not individual)
- EU data residency
- Analytical access for data scientists
- Minimal operational overhead
The architecture answer: Azure Data Lake Storage Gen2 in an EU region, with Azure Purview for data classification and access policies, Azure Synapse Analytics for analytical access with column-level security or row-level security to hide PII columns, and Azure Policy with allowed regions restriction to prevent data being replicated outside the EU.
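How the allowed-regions restriction in this answer reaches a decision, as an added example that is not from the original article or from Microsoft: a local Python model of a deny rule written in Azure Policy's if/then shape. The region list, resource names and the small evaluator are assumptions constructed for illustration, and only the operators this rule uses are modelled.

```python
"""Local model of an allowed-locations deny rule in Azure Policy's if/then shape."""

# Constructed policy: the parameter name and the EU region list are assumptions.
POLICY = {
    "parameters": {"listOfAllowedLocations": ["westeurope", "northeurope"]},
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
                # Region-less resources report location "global" and are exempted.
                {"field": "location", "notEquals": "global"},
            ]
        },
        "then": {"effect": "deny"},
    },
}

# Constructed resource descriptors (names are hypothetical).
RESOURCES = [
    {"name": "stdatalake-eu", "type": "Microsoft.Storage/storageAccounts", "location": "westeurope"},
    {"name": "syn-reporting", "type": "Microsoft.Synapse/workspaces", "location": "NorthEurope"},
    {"name": "stdatalake-us", "type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
    {"name": "tm-frontdoor", "type": "Microsoft.Network/trafficManagerProfiles", "location": "global"},
]


def _resolve(value, parameters):
    """Expand "[parameters('name')]" references; return other values unchanged."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return parameters[value[len(prefix):-len(suffix)]]
    return value


def _matches(condition, resource, parameters):
    """Evaluate one condition node; comparisons are case-insensitive."""
    if "allOf" in condition:
        return all(_matches(c, resource, parameters) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(_matches(c, resource, parameters) for c in condition["anyOf"])
    actual = str(resource.get(condition["field"], "")).lower()
    if "notIn" in condition:
        allowed = _resolve(condition["notIn"], parameters)
        return actual not in {str(v).lower() for v in allowed}
    if "notEquals" in condition:
        return actual != str(_resolve(condition["notEquals"], parameters)).lower()
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(policy, resource):
    """Return the rule's effect if the resource matches the 'if', else 'allow'."""
    rule = policy["policyRule"]
    if _matches(rule["if"], resource, policy["parameters"]):
        return rule["then"]["effect"]
    return "allow"


def audit(policy, resources):
    """Map each resource name to the decision the rule produces for it."""
    return {r["name"]: evaluate(policy, r) for r in resources}


def violations(policy, resources):
    """Names of resources the rule would deny, in input order."""
    return [name for name, effect in audit(policy, resources).items() if effect == "deny"]


if __name__ == "__main__":
    for name, effect in audit(POLICY, RESOURCES).items():
        print(f"{name:15} {effect}")
```

The rule inspects only each resource's declared `location`, so what it constrains is the region a resource is deployed to.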
The complexity multiplier: AZ-305 questions regularly have 4-6 simultaneous requirements where each one eliminates certain options. Candidates who evaluate requirements one at a time and don't check their answer against all requirements fail because they satisfy requirements 1-3 while violating requirement 4 or 5.
Failing Candidates vs Passing Candidates: The Profile
Failing candidates on AZ-305:
- Know Azure services well but haven't practiced multi-requirement scenario synthesis
- Pick the answer that satisfies the most prominent requirement, ignoring constraints
- Confuse "which service does X" questions (AZ-104 pattern) with "which design satisfies all requirements" questions (AZ-305 pattern)
- Underinvest in the business continuity domain because it's 10-15% — then fail 2-3 questions they could have answered correctly
Passing candidates:
- Explicitly map each scenario's requirements and constraints before evaluating answer options
- Know the approximate RPO/RTO numbers for major Azure services (Site Recovery, SQL Database geo-replication, Azure Backup hourly)
- Understand the design reasoning behind hub-spoke topology, not just its configuration
- Have practiced 100+ scenario questions and built pattern recognition for requirement-constraint combinations
"The candidates who fail AZ-305 typically know Azure. The ones who pass have learned to think in requirements and constraints simultaneously. That's not a knowledge gap — it's a reasoning pattern gap. The best preparation is doing practice questions and for every wrong answer, writing out: what requirement did my answer fail to satisfy? What constraint did my answer violate? After 50-100 questions of that analysis, the pattern recognition becomes automatic." — Sam Cogan, Azure MVP and cloud architect
References
- Microsoft. Exam AZ-305: Designing Microsoft Azure Infrastructure Solutions — Skills Measured. Microsoft Learn, 2024. https://learn.microsoft.com/en-us/certifications/exams/az-305/
- Microsoft. Microsoft Azure Well-Architected Framework. Microsoft Learn, 2024. https://learn.microsoft.com/en-us/azure/architecture/framework/
- Savill, John. AZ-305 Microsoft Azure Infrastructure Solutions Study Cram. YouTube/NTFAQGuy, 2024. (Microsoft MVP; comprehensive video coverage of AZ-305 architectural concepts)
- Microsoft. Azure Architecture Center — Reference Architectures. Microsoft, 2024. https://learn.microsoft.com/en-us/azure/architecture/
- Whizlabs. AZ-305 Designing Microsoft Azure Infrastructure Solutions Practice Tests. Whizlabs, 2024. https://www.whizlabs.com
- Cogan, Sam, and Henry Been. Exam Ref AZ-305 Designing Microsoft Azure Infrastructure Solutions. Microsoft Press, 2022. ISBN: 978-0137878956.
Frequently Asked Questions
What makes AZ-305 harder than AZ-104?
AZ-305 tests architectural judgment across multiple interconnected requirements simultaneously — business constraints, compliance requirements, cost tradeoffs, and technical feasibility all in one scenario. AZ-104 tests individual service configuration. The jump from configuration knowledge to architectural synthesis is what catches candidates.
Is AZ-104 required before AZ-305?
Yes — Microsoft requires AZ-104 as a prerequisite. More importantly, AZ-305 scenario questions assume you can answer AZ-104-level configuration questions automatically. Without AZ-104 knowledge internalized, you'll spend exam time on background questions instead of the architectural decisions the exam actually tests.
What is the Azure hub-spoke topology and why does it appear on AZ-305?
Hub-spoke connects spoke VNets to a central hub containing shared services (firewalls, VPN gateways, DNS). Spokes cannot communicate directly — traffic routes through the hub. It's the standard enterprise Azure network topology and appears frequently in AZ-305 networking design scenarios.
How do RPO and RTO affect AZ-305 answers?
RPO (maximum acceptable data loss) and RTO (maximum acceptable downtime) determine which Azure business continuity services apply. SQL Database Active Geo-Replication achieves < 5 second RPO and < 30 second manual failover RTO. Azure Backup achieves 1-24 hour RPO with hour-scale RTO. The exam gives specific requirements and asks which solution meets them.
What is the best way to practice AZ-305 scenario questions?
For each wrong practice exam answer, write out: what the requirement was, what constraint your answer violated, and what made the correct answer satisfy both. This analytical approach builds architectural pattern recognition faster than simply re-reading why you were wrong.
