AZ-500 Exam Overview
Prepare for the Microsoft AZ-500 certification exam
with our comprehensive study guide. This study material contains 440 practice questions
sourced from real exams and expert-verified for accuracy. Each question includes the correct answer
and a detailed explanation to help you understand the material thoroughly.
The AZ-500 exam — Microsoft Azure Security Technologies — is offered by Microsoft.
Passing this exam earns you the Microsoft Certified: Azure Security Engineer Associate credential,
an industry-recognized certification that validates your expertise.
Our study materials were last updated on 2026-02-19 to reflect the
most recent exam objectives and content.
About the Microsoft Certified: Azure Security Engineer Associate
The Microsoft Certified: Azure Security Engineer Associate is awarded by Microsoft
to professionals who demonstrate competence in the skills measured by the AZ-500 exam.
According to the official Microsoft certification page, this certification validates your ability to work with the technologies covered in the exam objectives.
According to the Global Knowledge IT Skills and Salary Report, certified IT professionals earn 15-25% more than their non-certified peers.
Certifications from Microsoft are among the most recognized credentials in the IT industry,
with strong demand across enterprise organizations worldwide.
Free Sample — 15 Practice Questions
Preview 15 of 440 questions from the AZ-500 exam.
Try before you buy — purchase the full study guide for all 440 questions with answers and explanations.
Question 417
You have an Azure resource group that contains 100 virtual machines.
You have an initiative named Initiative1 that contains multiple policy definitions. Initiative1 is assigned to the resource group.
You need to identify which resources do NOT match the policy definitions.
What should you do?
A. From Azure Security Center, view the Regulatory compliance assessment.
B. From the Policy blade of the Azure Active Directory admin center, select Compliance.
C. From Azure Security Center, view the Secure Score.
D. From the Policy blade of the Azure Active Directory admin center, select Assignments.
Show Answer
Correct Answer: B
Explanation:
To identify which resources do NOT match the policy definitions in an assigned initiative, you must review Azure Policy compliance results. The Azure Policy **Compliance** view shows compliant and non‑compliant resources for initiatives and policy assignments at the resource group scope. Azure Security Center/Defender for Cloud focuses on security standards and regulatory frameworks, not general policy initiative compliance.
Question 116
You have an Azure subscription.
You create a new virtual network named VNet1.
You plan to deploy an Azure web app named App1 that will use VNet1 and will be reachable by using private IP addresses. The solution must support inbound and outbound network traffic.
What should you do?
A. Create an Azure App Service Hybrid Connection.
B. Create an Azure application gateway.
C. Create an App Service Environment.
D. Configure regional virtual network integration.
Show Answer
Correct Answer: C
Explanation:
The requirement is for an Azure web app to use a virtual network and be reachable via private IP addresses while supporting both inbound and outbound traffic. An App Service Environment (ASE) runs entirely inside a customer’s VNet and can be deployed with an internal load balancer, providing private inbound access. Because it is fully VNet‑integrated by design, it also supports controlled outbound traffic. Regional VNet integration only supports outbound traffic, and the other options do not provide private inbound access for an App Service.
Question 157
DRAG DROP -
You have an Azure subscription.
You plan to create two custom roles named Role1 and Role2.
The custom roles will be used to perform the following tasks:
• Members of Role1 will manage application security groups.
• Members of Role2 will manage Azure Bastion.
You need to add permissions to the custom roles.
Which resource provider should you use for each role? To answer, drag the appropriate resource providers to the correct roles. Each resource provider may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Show Answer
Correct Answer: Role1: Microsoft.Network
Role2: Microsoft.Network
Explanation:
Application Security Groups are part of Azure Virtual Network resources, which belong to the Microsoft.Network resource provider. Azure Bastion is also a networking service (bastionHosts, VNets, subnets, public IPs), all managed under Microsoft.Network.
Question 402
You have 10 virtual machines on a single subnet that has a single network security group (NSG).
You need to log the network traffic to an Azure Storage account.
What should you do?
A. Install the Network Performance Monitor solution.
B. Create an Azure Log Analytics workspace.
C. Enable diagnostic logging for the NSG.
D. Enable NSG flow logs.
Show Answer
Correct Answer: D
Explanation:
To log network traffic flowing through a subnet-level NSG to an Azure Storage account, you must enable NSG flow logs. NSG flow logs capture information about allowed and denied traffic through the NSG and store it in Azure Storage. Diagnostic logging logs NSG resource operations, not traffic flows, and the other options do not meet the requirement.
Question 490
Your company has an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
The company develops an application named App1. App1 is registered in Azure AD.
You need to ensure that App1 can access secrets in Azure Key Vault on behalf of the application users.
What should you configure?
A. an application permission without admin consent
B. a delegated permission without admin consent
C. a delegated permission that requires admin consent
D. an application permission that requires admin consent
Show Answer
Correct Answer: B
Explanation:
The requirement states that App1 must access Azure Key Vault secrets **on behalf of the application users**, which directly implies the OAuth 2.0 *delegated permission* model. Application permissions are used when no user is involved, so A and D are incorrect.
For Azure Key Vault, the delegated permission exposed is **user_impersonation**, which allows the app to access Key Vault using the signed-in user’s identity and permissions. This delegated permission **does not require admin consent** by default; users can consent themselves, and access is still constrained by Key Vault access policies or RBAC.
Therefore, the correct configuration is a delegated permission without admin consent.
Question 317
You have a sneaking suspicion that there are users trying to sign in to resources which are inaccessible to them.
You decide to create an Azure Log Analytics query to confirm your suspicions. The query will detect unsuccessful user sign-in attempts from the last few days.
You want to make sure that the results only show users who failed to sign in more than five times.
Which of the following should be included in your query?
A. The EventID and CountIf() parameters.
B. The ActivityID and CountIf() parameters.
C. The EventID and Count() parameters.
D. The ActivityID and Count() parameters.
Show Answer
Correct Answer: C
Explanation:
To detect failed sign-in attempts, the query must filter on the specific EventID that represents a failed logon (for example, EventID 4625). Once the dataset is already filtered to only failed events, the correct way to find users with more than five failures is to aggregate using count() per user and then apply a threshold (count() > 5). CountIf() is unnecessary in this scenario because the condition is handled by the where clause, and ActivityID is not used to identify failed sign-in events.
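The query described in the explanation, written out as an added example (not part of the original question set); it assumes Windows Security events are collected into the SecurityEvent table of the workspace:

```kusto
// Added example. Assumes the Windows Security log is collected into
// the SecurityEvent table of the Log Analytics workspace.
SecurityEvent
| where TimeGenerated > ago(7d)          // "the last few days"
| where EventID == 4625                  // an account failed to log on
| summarize
    FailedCount = count(),               // plain count(): the where clause already filtered to failures
    FirstFailure = min(TimeGenerated),
    LastFailure = max(TimeGenerated),
    SourceIPs = make_set(IpAddress)
    by Account, Computer
| where FailedCount > 5                  // threshold from the question
| order by FailedCount desc
```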
Question 503
You have the Azure virtual machines shown in the following table.
You create an Azure Log Analytics workspace named Analytics1 in RG1 in the East US region.
Which virtual machines can be enrolled in Analytics1?
A. VM1 only
B. VM1, VM2, and VM3 only
C. VM1, VM2, VM3, and VM4
D. VM1 and VM4 only
Show Answer
Correct Answer: C
Explanation:
Azure Log Analytics workspaces can collect data from Azure VMs in any region and any resource group. The workspace’s region does not restrict which VMs can be connected; region mainly affects data residency and potential bandwidth costs. Therefore, all listed VMs (VM1, VM2, VM3, and VM4) can be enrolled in Analytics1.
Question 337
SIMULATION -
The developers at your company plan to publish an app named App12345678 to Azure.
You need to ensure that the app is registered to Azure Active Directory (Azure AD). The registration must use the sign-on URLs of https://app.contoso.com.
To complete this task, sign in to the Azure portal and modify the Azure resources.
Show Answer
Correct Answer: Azure portal → Azure Active Directory
App registrations → New registration
Name: App12345678
Supported account type: as required
Redirect URI: Web
URL: https://app.contoso.com
Register
Explanation:
Registering the app in Azure AD with a Web redirect URI set to https://app.contoso.com ensures the application is trusted by Azure AD and can use that sign-on URL for authentication.
Question 270
You have an Azure SQL Database server named SQL1.
For SQL1, you turn on Azure Defender for SQL to detect all threat detection types.
Which action will Azure Defender for SQL detect as a threat?
A. A user updates more than 50 percent of the records in a table.
B. A user attempts to sign in as SELECT * FROM table1.
C. A user is added to the db_owner database role.
D. A user deletes more than 100 records from the same table.
Show Answer
Correct Answer: B
Explanation:
Azure Defender for SQL detects anomalous and malicious activities such as SQL injection attempts. Attempting to sign in using a SQL statement like "SELECT * FROM table1" is a classic SQL injection pattern and is flagged as a threat. Bulk updates/deletes or role membership changes are not, by themselves, threat-detection alerts.
Question 167
HOTSPOT -
You have a hybrid Azure Active Directory (Azure AD) tenant named contoso.com that contains a user named User1 and the servers shown in the following table.
The tenant is linked to an Azure subscription that contains a storage account named storage1. The storage1 account contains a file share named share1.
User1 is assigned the Storage File Data SMB Share Contributor role for storage1.
The Security protocol settings for the file shares of storage1 are configured as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Show Answer
Correct Answer: No
Yes
No
Explanation:
The SMB security settings allow only Kerberos authentication and disable NTLMv2. Using a storage account access key requires NTLMv2, so access keys cannot be used from either server. Kerberos with user credentials is supported for domain-joined servers, so User1 can map the share using their credentials on Server1.
Question 46
You have an Azure subscription named Sub1 that has Security defaults disabled. The subscription contains the following users:
• Five users that have owner permissions for Sub1.
• Ten users that have owner permissions for Azure resources.
None of the users have multi-factor authentication (MFA) enabled.
Sub1 has the secure score as shown in the Secure Score exhibit. (Click the Secure Score tab.)
You plan to enable MFA for the following users:
• Five users that have owner permissions for Sub1.
• Five users that have owner permissions for Azure resources.
By how many points will the secure score increase after you perform the planned changes?
A. 0
B. 5
C. 7.5
D. 10
E. 14
Show Answer
Correct Answer: C
Explanation:
In Microsoft Defender for Cloud, the control for enabling MFA on privileged accounts has a maximum score contribution of 10 points, calculated proportionally based on how many applicable accounts are compliant.
Applicable users in this subscription:
- 5 users with Owner role at the subscription scope
- 10 users with Owner role on Azure resources
Total applicable users = 15
Planned change enables MFA for:
- 5 subscription owners (5/5 compliant)
- 5 of the 10 resource owners (5/10 compliant)
Score contribution:
- Subscription owners: 5 × (5/5) = 5 points
- Resource owners: 5 × (5/10) = 2.5 points
Total secure score increase = 5 + 2.5 = 7.5 points.
Question 107
DRAG DROP -
You have an Azure AD tenant and an application named App1.
You need to ensure that App1 can use Microsoft Entra Verified ID to verify credentials.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Show Answer
Correct Answer: Create an Azure Key Vault.
Configure the Verified ID service.
Register App1 in Azure AD and grant permissions.
Explanation:
Verified ID requires a Key Vault for keys and DID signing. After the vault exists, the Verified ID service is configured at the tenant level. Finally, the application is registered and granted permissions to request and verify credentials.
Question 179
You have an Azure subscription that contains an Azure Files share named share1 and a user named User1. Identity-based authentication is configured for share1.
User1 attempts to access share1 from a Windows 10 device by using SMB.
Which type of token will Azure Files use to authorize the request?
A. OAuth 2.0
B. JSON Web Token (JWT)
C. SAML
D. Kerberos
Show Answer
Correct Answer: D
Explanation:
When accessing Azure Files over SMB with identity-based authentication from a Windows 10 device, Azure Files uses Kerberos for authentication and authorization. SMB on Windows relies on Kerberos tickets (via Azure AD DS or on-premises AD integration) rather than OAuth, JWT, or SAML, which are used for HTTP-based or federation scenarios, not SMB file access.
Question 48
HOTSPOT -
You are implementing an Azure Application Gateway web application firewall (WAF) named WAF1.
You have the following Bicep code snippet.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Show Answer
Correct Answer: Yes
No
Yes
Explanation:
The WAF policy is in Detection mode, so even though a custom rule matches (negated IP match), requests are logged but not blocked; therefore traffic from 10.1.1.5 is allowed. Managed OWASP rules also do not block in Detection mode, so file path attacks are not blocked. The maxRequestBodySizeInKb (128 KB) does not limit file uploads, and Application Gateway allows uploads well above 50 MB (GB range depending on SKU).
Question 287
You have an Azure subscription that contains several Azure SQL databases and an Azure Sentinel workspace.
You need to create a saved query in the workspace to find events reported by Azure Defender for SQL.
What should you do?
A. From Azure CLI, run the Get-AzOperationalInsightsWorkspace cmdlet.
B. From the Azure SQL Database query editor, create a Transact-SQL query.
C. From the Azure Sentinel workspace, create a Kusto query language query.
D. From Microsoft SQL Server Management Studio (SSMS), create a Transact-SQL query.
Show Answer
Correct Answer: C
Explanation:
Azure Sentinel (now Microsoft Sentinel) stores and queries security events using Azure Monitor Logs, which are queried with Kusto Query Language (KQL). To create a saved query that finds events reported by Azure Defender for SQL, you must create a KQL query directly within the Azure Sentinel workspace. The other options use T-SQL or management/CLI commands that cannot query Sentinel log data.
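A KQL query of the kind the answer refers to, as an added example (not from the original page); it assumes Defender for Cloud alerts are ingested into the SecurityAlert table, and the ProviderName and ProductComponentName filter values are assumptions to be checked against the workspace's own data:

```kusto
// Added example. Assumes Defender for Cloud alerts land in SecurityAlert;
// the two filter values below are assumptions, verify them in your workspace.
SecurityAlert
| where TimeGenerated > ago(30d)
| where ProviderName == "Azure Security Center"   // assumed value
| where ProductComponentName has "SQL"            // assumed value
| project TimeGenerated, AlertName, AlertSeverity, CompromisedEntity, Description
| order by TimeGenerated desc
```

Saving this query in the workspace is what turns it into the reusable saved query the question asks for.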