AZ-305 Designing Microsoft Azure Infrastructure Solutions Exam
Venture into the world of Azure Infrastructure, where design meets functionality. Harness your skills and gain mastery over complex cloud structures to ace the AZ-305 Designing Microsoft Azure Infrastructure Solutions exam!
Design governance
Recommend a structure for management groups, subscriptions, and resource groups, and a strategy for resource tagging
Azure governance starts with a clear hierarchy of management groups, subscriptions, and resource groups. Management groups act as containers to organize subscriptions, while resource groups group resources that share a common lifecycle. Structuring these tiers properly helps teams apply policies and control access at the right level. A well-designed hierarchy ensures consistency and simplifies administration across large environments.
At the top level, use management groups to mirror your organization’s structure. For example, create separate groups for departments such as Finance, IT, and Development. Under each management group, place subscriptions that align with business units or project types. This approach enforces governance rules uniformly and gives each subscription a clear billing boundary.
Within each subscription, resource groups organize resources by application or lifecycle. Group together all virtual machines, storage accounts, or databases used by a single application. This lets you deploy, update, or delete resources as a set. Keeping resource groups focused prevents accidental changes and streamlines maintenance tasks.
A robust tagging strategy further enhances governance by adding metadata to every resource. Use tags like:
- Environment: dev, test, prod
- CostCenter: finance, marketing
- Owner: team or individual name
These tags support cost reporting, operational management, and automation. Consistently applying tags via policies ensures all resources are easily identifiable.
Finally, enforce structure and tagging through Azure Policy. Define policies that require tags on creation and block non-compliant resources. Use a deny-based approach for critical tags and audit-based policies for optional tags. This automated enforcement keeps your environment aligned with governance standards.
Recommend a solution for managing compliance
Managing compliance in Azure revolves around continuous monitoring and automated enforcement. A common solution uses Azure Policy to define and apply rules across resources. Policies can audit existing resources, enforce required configurations, and prevent non-compliant deployments. Automation of compliance checks reduces manual effort and ensures standards are met at scale.
Azure Policy definitions cover areas like allowed VM sizes, permitted locations, and required tags. Assign policies at the management group or subscription level so that they apply to every resource beneath that scope. Use initiative definitions to group related policies for scenarios such as ISO 27001 or NIST. Initiatives simplify management by bundling policies under a single compliance goal.
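The tag-enforcement guidance above (deny for critical tags, audit for optional ones) and the allowed-locations and initiative ideas in this section can be exercised offline with the following added example. It is not code from this study guide or from Microsoft: it writes three policy definitions in the "if"/"then" shape Azure Policy uses, bundles them as an initiative, and evaluates constructed sample resources against them to show which would be blocked at deployment and which would merely show as non-compliant. The evaluator supports only the subset of the policy language used here (field with exists/equals/in/notIn, allOf, not; deny and audit effects); the policy names, parameter values and resource records are all constructed.

```python
"""Added example, not code from the AZ-305 page or from Microsoft: a small
evaluator that applies Azure Policy-style definitions to constructed resource
records, so deny-vs-audit behaviour can be exercised offline.

Assumption: only the subset of the policy language used here is supported
(field with exists/equals/in/notIn, allOf, not; deny and audit effects).
Policy names, parameters and resource records are constructed sample data.
"""
import re

# Policy definitions in the shape Azure Policy uses: an "if" condition and a
# "then" effect. A required tag gets deny; an optional tag gets audit.
POLICY_REQUIRE_ENVIRONMENT_TAG = {
    "name": "require-environment-tag",  # constructed name
    "policyRule": {
        "if": {"field": "tags['Environment']", "exists": "false"},
        "then": {"effect": "deny"},
    },
}
POLICY_AUDIT_OWNER_TAG = {
    "name": "audit-owner-tag",  # constructed name
    "policyRule": {
        "if": {"field": "tags['Owner']", "exists": "false"},
        "then": {"effect": "audit"},
    },
}
POLICY_ALLOWED_LOCATIONS = {
    "name": "allowed-locations",  # constructed name and parameter values
    "parameters": {"listOfAllowedLocations": ["westeurope", "northeurope"]},
    "policyRule": {
        "if": {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        "then": {"effect": "deny"},
    },
}

# An initiative bundles related policies under one compliance goal.
INITIATIVE_BASELINE = [
    POLICY_REQUIRE_ENVIRONMENT_TAG, POLICY_AUDIT_OWNER_TAG, POLICY_ALLOWED_LOCATIONS,
]

_PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")
_TAG_RE = re.compile(r"^tags\['([^']+)'\]$")


def _resolve(value, params):
    """Expand a [parameters('x')] expression; other values pass through."""
    if isinstance(value, str):
        m = _PARAM_RE.match(value)
        if m:
            return params[m.group(1)]
    return value


def _field_value(resource, field):
    """Look up a policy field such as tags['Environment'] or location."""
    m = _TAG_RE.match(field)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    return resource.get(field)


def _matches(cond, resource, params):
    """Return True when the resource satisfies the policy 'if' condition."""
    if "allOf" in cond:
        return all(_matches(c, resource, params) for c in cond["allOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource, params)
    value = _field_value(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value == _resolve(cond["equals"], params)
    if "in" in cond:
        return value in _resolve(cond["in"], params)
    if "notIn" in cond:
        return value not in _resolve(cond["notIn"], params)
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(initiative, resource):
    """Evaluate one resource against every policy in the initiative.

    Returns the triggered (policy name, effect) pairs, whether a deployment
    would be blocked (any deny), and whether the resource is compliant.
    """
    findings = []
    for policy in initiative:
        rule = policy["policyRule"]
        if _matches(rule["if"], resource, policy.get("parameters", {})):
            findings.append((policy["name"], rule["then"]["effect"]))
    blocked = any(effect == "deny" for _, effect in findings)
    return {"findings": findings, "blocked": blocked, "compliant": not findings}


def compliance_report(initiative, resources):
    """Count non-compliant resources per policy, like the compliance dashboard."""
    report = {policy["name"]: 0 for policy in initiative}
    for resource in resources:
        for name, _ in evaluate(initiative, resource)["findings"]:
            report[name] += 1
    return report


# Constructed sample resources (not real Azure resources).
SAMPLE_RESOURCES = [
    {"name": "vm-web-01", "location": "westeurope",
     "tags": {"Environment": "prod", "CostCenter": "finance", "Owner": "web-team"}},
    {"name": "vm-batch-02", "location": "westeurope",
     "tags": {"CostCenter": "marketing"}},                    # no Environment tag: deny
    {"name": "stg-logs-03", "location": "northeurope",
     "tags": {"Environment": "test"}},                        # no Owner tag: audit only
    {"name": "sql-crm-04", "location": "eastus",
     "tags": {"Environment": "prod", "Owner": "crm-team"}},  # disallowed region: deny
]

if __name__ == "__main__":
    for r in SAMPLE_RESOURCES:
        print(r["name"], evaluate(INITIATIVE_BASELINE, r))
    print(compliance_report(INITIATIVE_BASELINE, SAMPLE_RESOURCES))
```

Running the block shows the distinction the section draws: the resource missing only the optional Owner tag is reported as non-compliant but would still deploy, while the resource missing the critical Environment tag and the one in a disallowed region would be refused at creation. In a real tenant the same definitions are assigned at a management group or subscription scope and the compliance counts come from the Azure Policy compliance view rather than from a local loop.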
For consistent environment deployments, leverage Azure Blueprints. Blueprints package policies, role assignments, and ARM templates into a reusable template. When you assign a blueprint, it creates a fully governed subscription aligned with compliance requirements. This ensures new subscriptions are ready for production with minimal manual steps.
Finally, monitor compliance with Azure Monitor and Azure Security Center. Set alerts on policy violations and review reports in the compliance dashboard. Regularly export audit logs to a SIEM for long-term retention and deeper analysis. Proactive monitoring closes gaps before they become risks.
Recommend a solution for identity governance
Identity governance in Azure focuses on securing access and managing user privileges. Azure Active Directory (Azure AD) provides the foundation for identity and access management. Key features include Privileged Identity Management (PIM), Entitlement Management, and Access Reviews. Together, these tools enable a zero-trust approach by enforcing least-privilege access.
Use PIM to grant just-in-time (JIT) access for privileged roles. JIT access reduces standing privileges and issues time-bound assignments. When a user requests elevated permissions, PIM triggers approvals and multi-factor authentication before granting the role. This process limits exposure and tracks all elevation events.
Implement Entitlement Management to control external and internal access to resources. Define access packages that bundle groups, applications, and policies. Users request packages and go through approval workflows. Automated expiration and recertification policies keep access aligned with business needs and reduce orphaned accounts.
Conduct regular Access Reviews to validate ongoing access. Schedule reviews for critical groups, applications, and role assignments. Reviewers can remove unnecessary access or approve continued access. Frequent reviews maintain a secure posture by ensuring only authorized users retain privileges.
Conclusion
In the Design governance section, you learned how to build a scalable hierarchy of management groups, subscriptions, and resource groups, paired with a strong tagging strategy to maintain order and clarity. You explored solutions like Azure Policy and Azure Blueprints to enforce compliance automatically and monitor resources for any deviations. Finally, you examined identity governance tools—PIM, Entitlement Management, and Access Reviews—to uphold least-privilege access and secure critical operations. Altogether, these practices form a cohesive governance framework that keeps your Azure environment organized, compliant, and secure.