- Domain 1 covers identity, governance, and monitoring at 25-30% of AZ-305 - nearly a third of the exam.
- Expect scenario and case-study questions on Entra ID, Conditional Access, RBAC, Azure Policy, and Azure Monitor.
- Passing requires 700+ on a 40-60 question exam with 100 minutes of exam time, per Microsoft's format.
- You must already hold Azure Administrator Associate before AZ-305 counts toward the Expert certification.
Domain 1 Overview: Why It's the Second-Largest Weight on AZ-305
Of the four content areas on Exam AZ-305: Designing Microsoft Azure Infrastructure Solutions, "Design identity, governance, and monitoring solutions" carries a 25-30% weighting - second only to Domain 4: Design infrastructure solutions, which sits at 30-35%. That means roughly a quarter to nearly a third of your exam questions will draw from identity, governance, or monitoring scenarios. If you're building a study plan without a clear sense of how this domain compares to the other three, start with the AZ-305 Exam Domains 2026 guide for the full breakdown before drilling into this one.
This domain is unusual because it blends three distinct disciplines - identity architecture, organizational governance, and operational monitoring - into a single scored area. Microsoft treats them as one domain because in real Azure environments, they're deeply interdependent: your governance model depends on identity (who can assign policy), and your monitoring strategy depends on governance (what gets logged and where). Architects who separate these mentally during study often struggle with case-study questions that require connecting all three.
Identity Design: What You Actually Need to Master
The identity portion of this domain centers on Microsoft Entra ID (formerly Azure AD) and how it's positioned within a broader access strategy. You're not memorizing PowerShell syntax - you're deciding when to recommend one identity pattern over another based on a scenario's business and technical requirements.
Identity Design Focus Areas
Candidates must be able to recommend appropriate identity architectures for hybrid and cloud-native organizations.
- Choosing between Entra ID, Entra ID Domain Services, and Active Directory Domain Services for a given hybrid scenario
- Designing authentication strategies including passwordless, multifactor authentication, and Conditional Access policies
- Recommending an authorization strategy using RBAC, Azure AD custom roles, and resource-level permissions
- Designing solutions for external identities using B2B collaboration and B2C scenarios
- Selecting the right hybrid identity solution: password hash sync, pass-through authentication, or federation with AD FS
A large share of these questions appear as case studies where you're given an existing on-premises Active Directory environment plus a set of new cloud requirements, and asked to pick the hybrid identity model that satisfies both security and latency constraints. Expect trade-off questions: federation versus password hash sync, or Conditional Access versus network-level restrictions for the same compliance goal.
Key Takeaway
When a question mentions "single sign-on across on-premises and cloud with minimal infrastructure," password hash sync combined with seamless SSO is usually the intended answer - federation is reserved for scenarios explicitly requiring on-premises authentication enforcement.
Governance Design: Management Groups, Policy, and Cost Controls
Governance questions test your ability to structure an Azure environment so that policy, cost, and access controls scale across subscriptions and business units. This is where many candidates underestimate the depth required - governance design questions often span multiple layers of the Azure resource hierarchy at once.
Governance Design Focus Areas
You need fluency in the full hierarchy: tenant, management groups, subscriptions, resource groups, and resources.
- Designing a management group and subscription structure for multi-department or multi-region organizations
- Recommending Azure Policy definitions and initiatives to enforce compliance requirements
- Designing for resource tagging strategies that support cost allocation and automation
- Choosing between Azure Blueprints-style landing zone patterns and manual governance for new environments
- Recommending cost management solutions including budgets, alerts, and reservation strategies
Expect scenario prompts describing a company with several subsidiaries, each with different compliance regimes, asking you to design the management group hierarchy and policy assignment scope that satisfies all requirements without applying unnecessary restrictions to unrelated business units. These questions reward understanding of policy inheritance - a policy assigned at a management group level cascades down unless explicitly excluded.
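The inheritance and exclusion behaviour described above can be traced with a small model. This is an added illustration, not Microsoft's evaluation logic or code from this guide: every scope and policy name is constructed sample data, and `not_scopes` stands in for an assignment's exclusion list.

```python
# Simplified model of Azure Policy scope inheritance (added illustration).
# Every scope and policy name below is constructed sample data.
PARENT = {  # child scope -> parent scope; None marks the root management group
    "mg-root": None,
    "mg-finance": "mg-root",
    "mg-retail": "mg-root",
    "sub-fin-prod": "mg-finance",
    "sub-retail-prod": "mg-retail",
    "sub-retail-sandbox": "mg-retail",
    "rg-sandbox-lab": "sub-retail-sandbox",
}

# not_scopes models the assignment's exclusion list (notScopes in Azure Policy).
ASSIGNMENTS = [
    {"policy": "require-cost-center-tag", "scope": "mg-root", "not_scopes": []},
    {"policy": "allowed-locations-eu", "scope": "mg-finance", "not_scopes": []},
    {"policy": "deny-public-ip", "scope": "mg-retail",
     "not_scopes": ["sub-retail-sandbox"]},
]

def ancestors(scope):
    """Return the scope followed by each parent up to the root."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = PARENT[scope]  # KeyError on an unknown scope is intentional
    return chain

def effective_policies(scope, assignments=ASSIGNMENTS):
    """Policies that apply at `scope`: assigned at it or above, not excluded."""
    chain = ancestors(scope)
    return sorted(
        a["policy"] for a in assignments
        if a["scope"] in chain and not any(x in chain for x in a["not_scopes"])
    )

def unintended_targets(policy, intended_root, assignments=ASSIGNMENTS):
    """Scopes that receive `policy` although they sit outside `intended_root`."""
    return sorted(
        s for s in PARENT
        if policy in effective_policies(s, assignments)
        and intended_root not in ancestors(s)
    )

if __name__ == "__main__":
    for s in ("sub-fin-prod", "sub-retail-prod", "rg-sandbox-lab"):
        print(s, effective_policies(s))
```

Calling `unintended_targets` with the same policy moved up to `mg-root` lists every retail scope, which is the over-restriction these scenario questions ask you to avoid.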
Monitoring Design: Azure Monitor, Log Analytics, and Alerting
The monitoring slice of Domain 1 focuses on designing observability for distributed workloads, not on writing Kusto queries. You'll be asked to select the right monitoring components and connect them into a coherent design.
Monitoring Design Focus Areas
Candidates should understand how Azure Monitor components fit together at an architectural level.
- Designing for centralized log collection using Log Analytics workspaces, including single versus multiple workspace strategies
- Recommending diagnostic settings and data collection rules for compute, network, and data services
- Designing alerting strategies using action groups, alert rules, and integration with ITSM tools
- Selecting between Azure Monitor Application Insights, Container Insights, and VM Insights based on workload type
- Designing solutions that meet log retention, data sovereignty, and audit requirements
A recurring exam theme is the single-workspace-versus-multiple-workspace decision. Multinational organizations with data residency requirements often need region-specific Log Analytics workspaces, while a centralized security team typically wants a unified workspace for correlation. Questions test whether you can identify which constraint - residency, access control, or cost - should drive the workspace topology in a given scenario.
Key Takeaway
If a scenario mentions strict data residency laws for a specific country's subsidiary, that's a strong signal the answer involves a separate regional Log Analytics workspace rather than a single global one.
How Domain 1 Questions Are Actually Written
AZ-305 doesn't publish an exact format list in advance. Microsoft's exam sandbox for this exam includes active screen, build list, case study, drag-and-drop, hot area, multiple choice, and possibly labs. In Domain 1 specifically, expect a heavier concentration of case-study and drag-and-drop items compared to straightforward multiple choice, because identity and governance decisions rarely have a single isolated fact to test - they require weighing several requirements simultaneously.
A typical case study might present a company profile with existing infrastructure, security requirements, and a list of planned changes, then ask three or four questions that touch identity, governance, and monitoring in sequence. This is intentional: Microsoft is testing whether you can hold the full context of an organization in mind while making three different but related design decisions.
| Exam Detail | What Microsoft States |
|---|---|
| Question count | Typically 40-60 questions (varies by exam and update) |
| Exam time | 100 minutes exam time, 120 minutes seat time (no-lab format) |
| Passing score | 700 or greater |
| Domain 1 weight | 25-30% of total scored content |
| Learn access during exam | Available within the Learn domain while timer runs |
Notice that Learn access during the exam is scoped to the Learn domain itself - it won't hand you answers, but it can help you confirm terminology or service names if you blank on something mid-question. That said, relying on it too heavily eats into your 100 minutes, so it should be a last resort rather than a strategy. For a deeper look at how difficult candidates find this exam overall, see How Hard Is the AZ-305 Exam?.
A Domain 1 Study Sequence That Fits the Exam Weighting
Because Domain 1 is worth close to a third of the exam, it deserves proportional study time - but not so much that you neglect Domain 4, which is still the largest single area. A reasonable sequence dedicates the early weeks of your prep to identity and governance since these concepts underpin later infrastructure decisions, then layers in monitoring once you understand what's actually being monitored.
Identity Architecture
- Map out hybrid identity models: password hash sync, pass-through authentication, federation
- Practice Conditional Access and MFA design scenarios
- Review RBAC versus Entra ID role assignments and where each applies
Governance Structure
- Build a mental model of the tenant → management group → subscription → resource group hierarchy
- Study Azure Policy inheritance and initiative design
- Practice tagging and cost management scenario questions
Monitoring Design
- Compare single versus multi-workspace Log Analytics designs
- Review Application Insights, Container Insights, and VM Insights use cases
- Practice case studies combining identity, governance, and monitoring in one scenario
This sequencing matters because governance decisions frequently depend on identity decisions made earlier in the same case study, and monitoring recommendations often reference the governance structure you just designed. Studying them in isolation, out of order, tends to produce gaps that show up as missed points on multi-part case-study questions. For a full week-by-week plan covering all four domains, the AZ-305 Study Guide 2026 lays out how to balance this domain against the other three.
Common Mistakes Candidates Make on This Domain
A few patterns show up repeatedly among candidates who underperform on this domain specifically:
- Treating identity and governance as separate silos. Many case studies require you to recognize that an identity decision (like who's in a specific Entra ID group) directly determines a governance recommendation (like which policy scope applies to them).
- Overlooking hybrid scenarios. AZ-305 assumes real-world complexity, including organizations still running on-premises Active Directory. If you only study cloud-native identity, you'll miss hybrid-specific questions.
- Underestimating monitoring architecture. Candidates often assume monitoring is a minor add-on topic, but with governance and identity combined, this domain is nearly a third of the exam - monitoring design deserves real study time, not a quick review.
- Ignoring cost and compliance constraints in governance scenarios. The "correct" governance answer often depends on a constraint buried in the middle of a long case study description, not just the final requirement listed.
Who Hires for These Skills
Identity, governance, and monitoring design skills map directly to roles that organizations hire for once they've moved beyond basic cloud adoption and need someone to own architecture decisions at scale. This typically includes cloud architects, Azure governance leads, identity architects, and platform engineering leads responsible for landing zone design. These roles often require the Expert-level credential specifically because it demonstrates you can already administer Azure - remember that AZ-305 only counts toward the Azure Solutions Architect Expert certification if you already hold Azure Administrator Associate.
If you're trying to understand how this domain and certification translate into career outcomes, the AZ-305 Salary Guide 2026 and Is the AZ-305 Certification Worth It? articles cover that in more depth. For a broader look at roles that list this certification as a requirement or preference, see AZ-305 Jobs.
Because this domain so closely mirrors day-to-day architect responsibilities - designing tenant structures, writing policy that won't break other teams, deciding what gets logged and why - it's also one of the more transferable skill sets covered on the exam, useful even outside of roles that require the certification itself.
Key Takeaway
Before registering for the exam through Pearson VUE, confirm you already hold Azure Administrator Associate - it's a prerequisite for earning the Expert-level credential after passing AZ-305, not just a recommendation.
For the mechanics of registering, pricing (typically $165 plus applicable taxes for US-proctored exams), and renewal (free annual renewal via a Microsoft Learn assessment), see the AZ-305 Certification Cost 2026 breakdown. And if you want to practice against realistic scenario questions covering this exact domain weighting, our practice test platform is built around the current AZ-305 domain structure rather than generic Azure trivia.
Frequently Asked Questions
Microsoft doesn't publish an exact count, but Domain 1 is weighted at 25-30% of the exam. Given that most Microsoft certification exams typically contain 40-60 questions, that translates to roughly 10-18 questions touching identity, governance, or monitoring design, though the exact number varies by exam version.
Difficulty is subjective and depends on your background. Candidates with strong on-premises Active Directory or governance experience often find this domain easier than infrastructure-heavy topics, while those coming from a pure networking or compute background may need more time here. See How Hard Is the AZ-305 Exam? for a broader difficulty discussion.
AZ-305 tests design decisions, not hands-on configuration steps. That said, having configured Conditional Access policies, Azure Policy assignments, or Log Analytics workspaces yourself makes it much easier to reason through case-study scenarios quickly.
AZ-305 assumes you already have Azure Administrator Associate-level knowledge, since it's a prerequisite for the Expert certification. Domain 1 builds on that foundation by asking you to make design-level recommendations rather than perform the administrative tasks themselves.
Identity architecture is the best starting point, since governance and monitoring decisions in case studies frequently reference identity constraints established earlier in the same scenario. For the complete domain-by-domain roadmap, review the AZ-305 Exam Domains 2026 guide.