
Azure AZ-305 Drill: Enterprise Identity Governance - Access Reviews Automation

Author: Jeff Taakey
21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.
Jeff's Architecture Insights
Go beyond static exam dumps. Jeff’s Insights is engineered to cultivate the mindset of a Production-Ready Architect. We move past ‘correct answers’ to dissect the strategic trade-offs and multi-cloud patterns required to balance reliability, security, and TCO in mission-critical environments.

While preparing for the AZ-305: Designing Microsoft Azure Infrastructure Solutions exam, many candidates struggle with enterprise identity governance automation. In the enterprise world, this decision often hinges on balancing security requirements with operational efficiency and compliance. Let’s drill into a simulated identity governance scenario.

The Scenario

Tailspin Manufacturing operates a multinational enterprise with an Azure AD tenant named tailspin.com. Within their directory, they maintain a security group, “ProdAppAdmins,” which has 50 members, including 20 guest users from partner organizations. Regulatory requirements and internal policies mandate that group membership must be automatically reviewed every 90 days to confirm continued access needs. Each member should be able to confirm or dispute their membership status. Users who do not respond or are deemed unnecessary must be automatically removed to reduce security risk and maintain compliance posture.

Key Requirements

  • Automate recurring evaluations of “ProdAppAdmins” group membership every 3 months.
  • Allow group members to report or validate their need for membership during each review.
  • Automatically remove users who either report no longer needing access or fail to respond.

The Options

  • A) Implement Azure AD Identity Protection
  • B) Change the membership type of “ProdAppAdmins” group to Dynamic User
  • C) Create Access Reviews in Azure AD Identity Governance
  • D) Implement Azure AD Privileged Identity Management (PIM)

Correct Answer

C) Create Access Reviews in Azure AD Identity Governance

The Architect’s Analysis

Correct Answer

Option C: Create Access Reviews in Azure AD Identity Governance

Step-by-Step Winning Logic

Access Reviews are a core feature of Azure AD Identity Governance and map directly onto each of the requirements:

  • They allow automated recurring evaluations of group membership on customizable schedules.
  • Group members can self-report their need for continued membership, streamlining collaboration with partners or guests.
  • Users who do not respond or whose membership is no longer justified can be automatically removed as per policy.
  • Access Reviews support guest user scenarios seamlessly, maintaining external collaboration security.
  • This solution promotes the Operational Excellence and Security pillars of the Microsoft Well-Architected Framework by enforcing least privilege and automating compliance workflows.
  • Implementing Access Reviews fits naturally within the Microsoft Cloud Adoption Framework’s emphasis on governance and identity lifecycle management.

The Traps (Distractor Analysis)

  • Option A: Azure AD Identity Protection focuses on sign-in risk and conditional access policies, not membership lifecycle or reviews.
  • Option B: Dynamic groups auto-update membership based on user attributes but do not support member feedback or automated removal based on review cycles or user input.
  • Option D: Privileged Identity Management manages elevation and just-in-time access for privileged roles, not routine group membership governance or guest user review.

The Architect Blueprint

Mermaid diagram illustrating the flow of the correct solution: automated Access Reviews for security group membership lifecycle management in a hybrid identity context.

%%{init: {'theme':'base', 'themeVariables': { 'primaryColor': '#e3f2fd', 'primaryTextColor': '#0d47a1', 'primaryBorderColor': '#1976d2', 'lineColor': '#42a5f5', 'secondaryColor': '#bbdefb', 'tertiaryColor': '#90caf9', 'background': '#ffffff', 'darkPrimaryColor': '#1e3a5f', 'darkPrimaryTextColor': '#bbdefb', 'darkPrimaryBorderColor': '#42a5f5', 'darkLineColor': '#90caf9', 'darkSecondaryColor': '#263850', 'darkTertiaryColor': '#37474f', 'darkBackground': '#0d1117' }}}%%
flowchart TD
    User["User / Guest"] -->|"Receives Access Review<br/>Notification"| Review["Azure AD Access Reviews"]
    Review -->|"Reports Need or No Need"| Decision{"Review Decision"}
    Decision -->|"No Response<br/>or 'No'"| Remove["Automatic Removal<br/>from Group"]:::remove
    Decision -->|"Yes"| Keep["Retention in Group"]:::keep
    style Review fill:#0078D4,stroke:#333,color:#fff,rx:12px,ry:12px
    style Remove fill:#D14343,stroke:#333,color:#fff,rx:12px,ry:12px
    style Keep fill:#1E7E34,stroke:#333,color:#fff,rx:12px,ry:12px
    classDef remove fill:#D14343,stroke:#333,color:#fff
    classDef keep fill:#1E7E34,stroke:#333,color:#fff

Diagram Note: This diagram represents the workflow where users receive periodic review prompts, report their access need, and are either retained or removed automatically, supporting continuous governance.
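As an added example (not code from the original article or from Microsoft), the Python below builds the Microsoft Graph `accessReviewScheduleDefinition` request body that implements the three Tailspin requirements (quarterly recurrence, member self-review, default Deny with auto-apply) and then mirrors the diagram's decision step over a constructed set of member decisions. The group id and start date are placeholders, and treating an empty `reviewers` collection as a self-review is an assumption about the Graph API's behaviour.

```python
"""Build a Graph access review definition for ProdAppAdmins and simulate auto-apply."""
import json

GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real object id


def build_access_review_definition(group_id: str, start_date: str = "2024-01-01") -> dict:
    """Request body for POST /identityGovernance/accessReviews/definitions."""
    return {
        "displayName": "ProdAppAdmins quarterly membership review",
        "descriptionForAdmins": "Recurring self-review of ProdAppAdmins membership",
        "descriptionForReviewers": "Confirm whether you still need ProdAppAdmins membership",
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": f"/groups/{group_id}/transitiveMembers",  # members and guests alike
            "queryType": "MicrosoftGraph",
        },
        "reviewers": [],  # assumption: no reviewers listed => members review themselves
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,
            "recommendationsEnabled": True,
            "instanceDurationInDays": 14,
            "autoApplyDecisionsEnabled": True,  # results applied without admin action
            "defaultDecisionEnabled": True,
            "defaultDecision": "Deny",  # no response => treated as 'no longer needed'
            "recurrence": {
                "pattern": {"type": "absoluteMonthly", "interval": 3},  # every 90 days
                "range": {"type": "noEnd", "startDate": start_date},
            },
        },
    }


def resolve_decisions(decisions: list, default: str = "Deny") -> dict:
    """Mirror auto-apply: Approve keeps; Deny or no explicit answer (default) removes."""
    keep, remove = [], []
    for d in decisions:
        effective = d["decision"] if d["decision"] in ("Approve", "Deny") else default
        (keep if effective == "Approve" else remove).append(d["principal"])
    return {"keep": keep, "remove": remove}


# Constructed sample decisions, shaped like accessReviewInstanceDecisionItem records.
SAMPLE_DECISIONS = [
    {"principal": "alice@tailspin.com", "decision": "Approve"},
    {"principal": "bob_partner.com#EXT#@tailspin.com", "decision": "NotReviewed"},
    {"principal": "carol@tailspin.com", "decision": "Deny"},
]

if __name__ == "__main__":
    print(json.dumps(build_access_review_definition(GROUP_ID), indent=2))
    print(resolve_decisions(SAMPLE_DECISIONS))
```

The guest who never responded and the member who answered "no" both land in the removal list, which is exactly the behaviour the requirements demand.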

The Decision Matrix

| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| A) Azure AD Identity Protection | Medium | Moderate (based on license SKU) | Risk-based conditional access; improves sign-in security | Does not address group membership reviews |
| B) Dynamic Group Membership | Low | Minimal | Automates membership based on attributes | No user input or review workflow; can’t auto-remove stale guests |
| C) Access Reviews (Correct) | Medium | Low to Moderate (requires Azure AD P2 licenses) | Automated recurring reviews; user participation; auto-removal | Requires appropriate licensing; slight admin overhead |
| D) Azure AD PIM | Medium | Moderate | Manages privileged role access; just-in-time elevation | Not designed for recurring group membership reviews |

Real-World Practitioner Insight

Exam Rule

“For the exam, always select Azure AD Access Reviews when you see requirements for automated, recurring group membership validation and guest user lifecycle management.”

Real World

“In enterprise environments like Tailspin Manufacturing, Access Reviews are essential to reduce identity sprawl and maintain compliance. While Dynamic Groups simplify membership automation, they cannot replace governance workflows requiring user validation or auto-removal, especially for guest accounts. PIM shines when managing privileged access elevation but is unrelated to membership review processes.”