Study Azure AZ-305 Auth and Secrets: key concepts, common traps, and exam decision cues.
AZ-305 identity questions become simpler when you separate three things: who is the principal, what is it trying to access, and how can you avoid long-lived secrets. If you blur authentication, authorization, and secret storage together, the distractors become much harder to eliminate.
Managed identity: Azure-managed workload identity that lets a service authenticate to other Azure services without storing credentials in code or configuration.
| Requirement | Strongest first fit | Why |
|---|---|---|
| Azure resource calling another Azure service | managed identity | avoids secret storage and manual rotation |
| define who can do what on Azure resources | Azure RBAC | scope-based authorization model |
| protect keys, certificates, and secrets | Key Vault or Managed HSM | centralized storage, rotation, and auditing |
| partner access to tenant resources | Microsoft Entra B2B pattern | external identity with governance control |
| privileged admin access with review and reduced standing privilege | PIM plus RBAC | just-in-time elevation and governance |
| Question | Strongest first lens |
|---|---|
| how do we prove identity? | authentication |
| what can that identity do? | authorization |
The exam often tempts you to solve an authorization problem with an authentication product name, or vice versa. Keep the boundary clean.
When the requirement includes on-premises resources, the design question is usually about how Azure identities and existing enterprise identity systems meet. The right answer often preserves enterprise identity constraints instead of pretending everything is cloud-native already.
If a workload on Azure needs to reach another Azure service and managed identity is supported, the stronger architect answer is usually:
That is cleaner to operate and harder to mishandle than client secrets scattered across apps and pipelines.