Security And Governance Boundary — Azure Solutions Architect (AZ-305)
SIEM Detection vs. Policy Enforcement vs. Identity Control
A scenario describing unauthorized lateral movement sounds like a Microsoft Sentinel problem, and Sentinel is the right tool for detection and investigation. If the scenario instead asks how to enforce configuration standards across all resources in a subscription, that is Defender for Cloud recommendations applied through Azure Policy. Conditional access and identity federation belong to Microsoft Entra ID. Limiting what an authenticated principal can do maps to RBAC. Each control category addresses a different threat model layer. Map the threat to the correct category before selecting a specific service. Selecting a service before mapping the threat is the error this question type exploits.
What This Pattern Tests
Azure security questions test four distinct control planes. RBAC controls who can manage resources (Contributor, Reader, custom roles) scoped to management group, subscription, resource group, or resource. Azure Policy controls what resource configurations are allowed (enforce tags, restrict VM sizes, require encryption). NSGs control network traffic at the subnet or NIC level. Conditional Access controls authentication requirements (MFA, compliant device, location). The exam tests whether you apply the right control at the right layer — using Azure Policy to enforce encryption at rest, not RBAC.
Decision Axis
Security layer (identity vs. configuration vs. network vs. authentication) determines which Azure control applies.
Associated Traps
Decision Rules
Whether to scope the RBAC role assignment to the target resource group (or storage account) versus the subscription, given that the workload boundary is explicitly narrow and the least-privilege constraint is the stated requirement.
Whether to assign the Key Vault Secrets User role scoped to the specific Key Vault resource via a system-assigned Managed Identity, versus assigning a broader role (Contributor or Key Vault Administrator) at subscription or resource-group scope—with the correct answer determined by matching identity type and RBAC scope to the narrowest boundary that satisfies the workload requirement.
Assign Contributor, scoped to the single named resource group (not to the parent subscription), to an Entra service principal that uses workload identity federation; this satisfies the no-stored-credentials constraint and the least-privilege constraint at the same time.
Which RBAC role and scope pairing satisfies both the no-stored-credentials constraint and the least-privilege constraint for a managed identity that needs data-plane read access to one Key Vault instance?
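The following Bicep template is an added example illustrating the Key Vault decision rule above; it is not part of the AZ-305 study page. It gives a web app a system-assigned managed identity (so no credentials are stored) and assigns the built-in Key Vault Secrets User role at the scope of one vault, rather than Contributor or Key Vault Administrator at subscription or resource-group scope. The vault and app names are assumed placeholders; the role definition GUID is the built-in Key Vault Secrets User role.

```bicep
// Added example (not from the study page): least-privilege data-plane access to one Key Vault
// for a system-assigned managed identity, scoped to the vault resource itself.
param location string = resourceGroup().location
param vaultName string = 'kv-example-${uniqueString(resourceGroup().id)}' // assumed name
param appName string = 'app-example-${uniqueString(resourceGroup().id)}'  // assumed name

// Built-in role 'Key Vault Secrets User': read secret contents only, no management-plane rights.
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    sku: { family: 'A', name: 'standard' }
    tenantId: subscription().tenantId
    enableRbacAuthorization: true     // data-plane access is governed by Azure RBAC, not access policies
    publicNetworkAccess: 'Disabled'   // vault reachable only via Private Link (PaaS off the public internet)
  }
}

resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: '${appName}-plan'
  location: location
  sku: { name: 'B1', tier: 'Basic' }
}

resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  identity: { type: 'SystemAssigned' } // identity managed by Entra ID; no secret or certificate to store
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
  }
}

// Role assignment whose scope is the single vault: the narrowest boundary that satisfies the workload.
// Assigning Contributor or Key Vault Administrator at subscription scope would be the trap answer.
resource secretsReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(vault.id, app.id, keyVaultSecretsUserRoleId)
  scope: vault
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
    principalId: app.identity.principalId
    principalType: 'ServicePrincipal'
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep`. The checks to make when reviewing such a template are the same ones the exam rewards: the identity type is managed (nothing to rotate or leak), the role is a data-plane read role, and `scope:` points at the vault, not at `resourceGroup()` or the subscription.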
Whether satisfying 'all PaaS access must remain off the public internet' requires Azure Private Link—eliminating the public endpoint at the PaaS layer with no topology changes—or Azure Firewall with forced tunneling—centralized L7 egress inspection that oversolves the constraint and mandates hub-level architectural changes not called for in the scenario.
Whether satisfying a centralized L7 egress inspection mandate requires Azure Firewall deployed in the hub rather than Azure Application Gateway, which is an ingress-scoped control incapable of inspecting outbound traffic flows.
Whether inbound OWASP Top 10 inspection that satisfies a regional data-residency compliance constraint is fulfilled by a globally distributed edge WAF (Azure Front Door with WAF policy) or a regionally colocated L7 WAF (Azure Application Gateway WAF_v2), where both satisfy the L7 inspection requirement but only one preserves the geographic inspection boundary.
Whether NSG subnet rules (L3/L4 port-level restriction, no routing change) or Azure Firewall with UDR-based forced routing (L7 centralized inspection) is the minimum-scope control that satisfies an intra-VNet east-west segmentation requirement when routing complexity minimization is a stated constraint.
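As an added example for the east-west segmentation rule above (not from the study page), the Bicep below applies an NSG to a data-tier subnet so that only the app-tier subnet can reach it, and only on TCP 1433, with all other intra-VNet inbound traffic denied. It changes no routing: there is no UDR and no firewall hop, which is the point of choosing NSG rules over Azure Firewall when routing complexity must stay minimal. The VNet name and address ranges are constructed for the example.

```bicep
// Added example (not from the study page): L3/L4 east-west segmentation with NSG rules only.
param location string = resourceGroup().location

// Constructed address plan: app tier in 10.0.1.0/24, data tier in 10.0.2.0/24.
var appSubnetPrefix = '10.0.1.0/24'
var dataSubnetPrefix = '10.0.2.0/24'

resource dataTierNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-data-tier'
  location: location
  properties: {
    securityRules: [
      {
        // Permit only the app tier to reach SQL on the data tier.
        name: 'Allow-AppTier-To-SQL'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: appSubnetPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: dataSubnetPrefix
          destinationPortRange: '1433'
        }
      }
      {
        // Override the default AllowVnetInBound rule (priority 65000) for everything else inside the VNet.
        name: 'Deny-Other-VNet-Inbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: 'VirtualNetwork'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-workload' // constructed name
  location: location
  properties: {
    addressSpace: { addressPrefixes: ['10.0.0.0/16'] }
    subnets: [
      {
        name: 'snet-app'
        properties: { addressPrefix: appSubnetPrefix }
      }
      {
        // NSG association is the only control applied; no routeTable, so the system routes are untouched.
        name: 'snet-data'
        properties: {
          addressPrefix: dataSubnetPrefix
          networkSecurityGroup: { id: dataTierNsg.id }
        }
      }
    ]
  }
}
```

The explicit deny at priority 4000 matters: without it the default AllowVnetInBound rule still admits all intra-VNet traffic, and the allow rule alone would segment nothing. If the scenario instead required L7 inspection or centralized logging of the east-west flows, this template would be insufficient and the Azure Firewall plus UDR answer would be correct.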