CertGrid

AZ-500: Azure Security Engineer Associate Practice Exam

Measures your ability to manage identity and access, implement platform protection, manage security operations, and secure data and applications.

Practice 599 exam-style AZ-500 questions with full answer explanations, then take timed mock exams that score like the real thing.

• 599 practice questions
• 50 questions on the real exam
• 700 passing score
• 120 min exam length

What the AZ-500 exam covers

Free AZ-500 sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 599.

  1. Question 1 (Manage Identity and Access)

    A company has recently migrated to Microsoft Entra ID and wants to ensure that all employees must register for multi-factor authentication within 14 days of their first sign-in. The security team also wants to exclude a break-glass emergency access account from this requirement. Which approach should the security engineer take?

    • A. Use Azure Policy to enforce MFA registration on all user objects in Microsoft Entra ID
    • B. Configure a Conditional Access policy that blocks sign-in for users who have not registered MFA within 14 days
    • C. Create a Conditional Access policy requiring MFA registration for all users, exclude the break-glass account, and set a 14-day registration grace period using the Microsoft Entra ID Protection MFA registration policy
    • D. Enable per-user MFA for all accounts in the tenant and manually disable MFA for the break-glass account
    ✓ Correct answer: C

    The Microsoft Entra ID Protection MFA registration policy is purpose-built to drive initial MFA enrollment. It prompts unregistered users to set up authentication methods and enforces a configurable grace period (such as 14 days) during which sign-in continues before registration becomes mandatory. Because it is implemented as a policy in Entra ID, it supports user and group scoping so a break-glass emergency account can be explicitly excluded, preserving guaranteed access if all other admins are locked out. This combination of phased enrollment, grace period, and exclusion is exactly what the scenario requires.

    Why the other options are wrong
    • A: Azure Policy governs the configuration and compliance of Azure resources such as VMs and storage; it has no construct for forcing identity-level MFA registration on Entra ID user objects, so it cannot deliver the registration grace period this scenario needs.
    • B: Blocking sign-in for unregistered users assumes MFA is already set up, but Conditional Access evaluates an existing registration state and cannot itself walk a brand-new user through initial enrollment, so users would simply be locked out rather than onboarded.
    • D: Per-user (legacy) MFA toggles enforcement on each account individually and offers no grace-period window, so it neither provides the 14-day phased rollout nor scales cleanly across the whole employee base.
  2. Question 2 (Secure Data and Applications)

    A government agency requires that their Azure Key Vault access is restricted to specific virtual networks and that no management plane operations can be performed from the public internet. They also need private DNS resolution for Key Vault. What combination should the engineer configure?

    • A. Configure NSG rules on the Key Vault's subnet to block internet traffic
    • B. Create a private endpoint for Key Vault, disable public access, and link a private DNS zone for privatelink.vaultcore.azure.net to the VNet
    • C. Configure Key Vault firewall rules to allow only specific VNet subnets using service endpoints
    • D. Deploy Key Vault inside a VNet using VNet injection
    ✓ Correct answer: B

    Private endpoints combined with public access disabled and private DNS zones provide complete network isolation for Azure Key Vault. Creating a private endpoint creates a network interface in the customer's VNet that connects to the Key Vault service, allowing management and data plane operations to occur over private network connectivity. Disabling public access on the Key Vault ensures the management endpoint is not exposed to the internet and cannot be accessed without the private endpoint. Linking a private DNS zone for privatelink.vaultcore.azure.net to the VNet ensures that DNS resolution of vaultcore.azure.net resolves to the private IP of the private endpoint, not the public IP, providing seamless private DNS resolution. This configuration meets the requirement for restricted VNet access, no public internet management operations, and private DNS resolution.

    Why the other options are wrong
    • A: Configuring NSG rules on the Key Vault's subnet to block internet traffic is incorrect because Key Vault is not deployed in a VNet (it is multi-tenant) and cannot have NSG rules applied directly.
    • C: Configuring Key Vault firewall rules to allow only specific VNet subnets using service endpoints is incorrect because service endpoints alone do not provide private DNS resolution or full isolation.
    • D: Deploying Key Vault inside a VNet using VNet injection is incorrect because Azure Key Vault does not support VNet injection; private endpoints are the correct mechanism.
  3. Question 3 (Manage Identity and Access)

    A security administrator at Proseware Inc. wants to restrict which applications users can consent to in the tenant. They want users to be able to consent only to apps from verified publishers that request low-risk permissions. Which setting should be configured?

    • A. Set user consent to 'Allow user consent for all apps'
    • B. Set user consent to 'Allow user consent for apps from verified publishers, for selected permissions'
    • C. Configure an admin consent workflow only
    • D. Set user consent to 'Do not allow user consent'
    ✓ Correct answer: B

    This consent setting restricts self-service user consent to applications whose publisher has completed Microsoft's publisher verification and limits consent to a defined set of low-risk permissions that the administrator classifies. It lets ordinary users adopt trustworthy apps without admin intervention while blocking risky or unverified apps from harvesting broad permissions. That balance of usability and control is precisely what Proseware wants.

    Why the other options are wrong
    • A: Allowing user consent for all apps removes the publisher-verification and permission-risk guardrails entirely, letting users approve any application, including malicious ones requesting sensitive scopes.
    • C: Configuring an admin consent workflow only routes every request to an administrator and removes user self-service, which is more restrictive than the requirement and adds admin overhead rather than enabling consent for verified low-risk apps.
    • D: Setting consent to 'Do not allow user consent' blocks all user-driven consent outright, so even verified publishers requesting low-risk permissions would be denied, contradicting the goal.
  4. Question 4 (Implement Platform Protection)

    Contoso Ltd needs to ensure that all traffic between their virtual networks passes through an Azure Firewall for inspection. Which routing configuration should the network security team implement?

    • A. Configure BGP route propagation on all subnets
    • B. Create user-defined routes (UDRs) that set the Azure Firewall as the next hop
    • C. Configure service endpoints on all subnets
    • D. Enable IP forwarding on all virtual machines
    ✓ Correct answer: B

    User-defined routes allow customization of routing tables to direct traffic to specific destinations (next hops). By creating UDRs that set the Azure Firewall as the next hop for inter-virtual network traffic, all traffic between VNets is forced through the firewall for inspection and policy enforcement. This centralized inspection point ensures consistent security policies.

    Why the other options are wrong
    • A: Configuring BGP route propagation on all subnets is incorrect because BGP propagation enables dynamic route learning but does not force traffic through a specific inspection point.
    • C: Configuring service endpoints on all subnets is incorrect because service endpoints provide direct access to Azure services, bypassing the firewall.
    • D: Enabling IP forwarding on all virtual machines is incorrect because enabling IP forwarding on VMs allows them to forward traffic, but does not force traffic through the firewall for inspection.
  5. Question 5 (Implement Platform Protection)

    You need to implement Azure Policy to ensure all storage accounts in your subscription enforce HTTPS-only traffic. Which policy effect should you use to prevent creation of non-compliant storage accounts?

    • A. DeployIfNotExists effect (deploys remediation resources)
    • B. Audit effect (reports non-compliance but allows creation)
    • C. Deny effect (prevents creation of non-compliant resources)
    • D. Disabled effect (disables the policy)
    ✓ Correct answer: C

    To enforce HTTPS-only traffic on storage accounts and prevent creation of non-compliant resources, you must use the Deny effect in Azure Policy. The Deny effect blocks any attempt to create or update a resource that does not meet the policy conditions, providing proactive compliance enforcement. This approach ensures no non-compliant storage accounts can be created, maintaining organizational security standards.

    Why the other options are wrong
    • A: The DeployIfNotExists effect (deploys remediation resources) is incorrect because it deploys resources to remediate non-compliance but does not prevent creation of non-compliant storage accounts.
    • B: The Audit effect (reports non-compliance but allows creation) is incorrect because it only logs non-compliance without preventing resource creation.
    • D: The Disabled effect (disables the policy) is incorrect because it provides no enforcement at all.
  6. Question 6 (Manage Security Operations)

    A security analyst needs to investigate a potential lateral movement attack in the Azure environment. They want to use Microsoft Sentinel to proactively search for indicators of compromise across historical log data. Which Sentinel feature is most appropriate?

    • A. Entity behavior analytics (UEBA)
    • B. Data connectors
    • C. Analytics rules
    • D. Threat hunting
    ✓ Correct answer: D

    Threat hunting in Microsoft Sentinel enables security analysts to proactively search through historical data using custom KQL queries to identify potential indicators of compromise and attack patterns. This capability is specifically designed for investigative searches where analysts explore data based on suspicions or threat intelligence rather than relying on pre-built detection rules. Threat hunting supports the iterative exploration process needed to uncover lateral movement and advanced attack techniques.

    Why the other options are wrong
    • A: Entity behavior analytics (UEBA) is incorrect because it focuses on detecting anomalous user and entity behaviors rather than proactive historical searching.
    • B: Data connectors is incorrect because they provide data ingestion capabilities, not threat hunting functionality.
    • C: Analytics rules is incorrect because they create automated detections rather than supporting manual historical investigation.
  7. Question 7 (Secure Data and Applications)

    You are configuring Azure Key Vault to allow access only from your virtual network and specific trusted Microsoft services. What should you configure?

    • A. Key Vault access policies with IP restrictions
    • B. Key Vault soft delete and purge protection
    • C. Key Vault private endpoint only
    • D. Key Vault firewall with virtual network rules and trusted services bypass
    ✓ Correct answer: D

    To restrict Key Vault access to a virtual network while still allowing trusted Microsoft services to connect, you must configure the Key Vault firewall. Virtual network rules allow only specified subnets to access the vault, while the trusted services bypass mechanism permits services like Azure Backup, Azure Disk Encryption, and Azure Data Lake to access the vault even when the firewall is enabled. This two-tiered approach provides network isolation without breaking legitimate Microsoft service integrations that your applications depend on.

    Why the other options are wrong
    • A: Key Vault access policies with IP restrictions is incorrect because IP-based restrictions are configured at the application level, not in Key Vault itself, and do not provide virtual network isolation.
    • B: Key Vault soft delete and purge protection is incorrect because these features prevent accidental deletion of secrets but do not restrict network access to the vault.
    • C: Key Vault private endpoint only is incorrect because, while private endpoints provide private network access, they alone do not provide the ability to let specific Microsoft services bypass; the firewall configuration with trusted services bypass is required for this functionality.
  8. Question 8 (Secure Data and Applications)

    You need to ensure that sensitive data in Azure SQL Database columns (like credit card numbers) is encrypted end-to-end, including in memory on the database server, so that even database administrators cannot see the plaintext values. Which feature should you implement?

    • A. Row-Level Security
    • B. Dynamic Data Masking
    • C. Always Encrypted with secure enclaves
    • D. Transparent Data Encryption (TDE)
    ✓ Correct answer: C

    Always Encrypted keeps column data encrypted end to end, including on the server, so administrators never see plaintext, and the secure enclaves enhancement adds a trusted execution environment on the server where richer operations such as range comparisons and pattern matching can run on encrypted data without exposing it. This protects credit card numbers in memory on the database server while still allowing meaningful queries. It is the feature that best matches end-to-end column encryption with in-memory protection.

    Why the other options are wrong
    • A: Row-Level Security filters which rows a principal can access and does nothing to encrypt column values, so it cannot keep credit card numbers confidential in memory.
    • B: Dynamic Data Masking only obscures values in returned result sets and leaves stored and in-memory data unencrypted, so administrators can still access the real data.
    • D: Transparent Data Encryption encrypts data only at rest and decrypts it in memory for processing, so it does not protect plaintext on the server or hide values from administrators.
  9. Question 9 (Implement Platform Protection)

    Which best practice should be followed when managing platform configurations within Implement Platform Protection?

    • A. Implement untested solutions found in online forums
    • B. Follow documented best practices and vendor guidelines
    • C. Skip planning and configure based on assumptions
    • D. Use default settings without any review or modification
    ✓ Correct answer: B

    When managing platform-wide configurations and policies, following documented best practices and vendor guidelines ensures consistent, secure implementations. These guidelines provide proven approaches for configuring platform services, implementing security controls, and optimizing performance. Adhering to vendor recommendations ensures your platform management aligns with industry standards and leverages the expertise accumulated from countless deployments.

    Why the other options are wrong
    • A: Implementing untested solutions found in online forums is incorrect because forum-based solutions are not vetted for security, compatibility, or alignment with organizational standards.
    • C: Skipping planning and configuring based on assumptions is incorrect because assumption-based configuration often misses critical requirements and results in unstable or insecure implementations.
    • D: Using default settings without any review or modification is incorrect because defaults are generic and may not implement necessary security controls or align with your specific platform requirements.
  10. Question 10 (Implement Platform Protection), select all that apply

    Litware Inc needs to implement a solution that involves a particular feature and a specific service. Which two components should the administrator configure? (Choose two.)

    • A. Just-in-time VM access
    • B. Azure Firewall rules
    • C. Azure Dedicated Host
    • D. Azure Bastion
    • E. NSG rules and ASG
    ✓ Correct answer: A, C

    Implementing this infrastructure solution requires administrative access controls and hardware isolation. Just-in-time VM access provides time-limited access to administrative ports, reducing the window of exposure for potential attacks. Azure Dedicated Host ensures workloads run on isolated hardware, preventing co-tenancy risks and meeting compliance requirements for sensitive applications.

    Why the other options are wrong
    • B: Azure Firewall rules is incorrect because, while valuable for network protection, it does not provide administrative access controls or hardware isolation.
    • D: Azure Bastion is incorrect because, while useful for remote access, it is not the primary administrative access control mechanism like just-in-time access.
    • E: NSG rules and ASG is incorrect because network security groups provide network-layer filtering but lack the time-based access restrictions of just-in-time policies.

AZ-500 practice exam FAQ

How many questions are in the AZ-500 practice exam on CertGrid?

CertGrid has 599 practice questions for AZ-500: Azure Security Engineer Associate, covering 4 exam domains. The real AZ-500 exam has about 50 questions.

What is the passing score for AZ-500?

The AZ-500 exam passing score is 700, and you have about 120 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official AZ-500 exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of AZ-500: Azure Security Engineer Associate, with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice AZ-500 for free?

Yes. You can start practicing AZ-500: Azure Security Engineer Associate for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.