Microsoft Azure Security Engineer Associate AZ-500 Practice Question
Contoso publishes several internal REST APIs through a single Azure API Management (APIM) instance. The security team issues the following requirements for one of the APIs:
Client applications must authenticate with Microsoft Entra ID, and APIM (not the backend) must validate the issued access tokens.
Any request whose payload exceeds 128 KB must be rejected before it reaches the backend service.
Business analysts who use the APIM developer portal must be able to obtain test tokens without exposing a client secret in the browser.
Which APIM configuration meets all of these requirements?
Require mutual TLS on the API, add an IP-filter policy that allows only APIM gateway IP addresses, and add a rate-limit-by-key policy that limits each caller to 50 requests per minute.
Enable the implicit-grant flow for the developer portal, add an enforce-https policy, and add a validate-jwt policy that references the Microsoft Entra ID metadata endpoint.
Deploy the APIM instance in internal VNet mode, enable static IP whitelisting on the backend, and add a set-body policy that replaces any request body larger than 128 KB with an error message.
Create an OAuth 2.0 authorization server in APIM that uses the authorization-code grant, add a validate-azure-ad-token inbound policy to the API, and add a validate-content inbound policy that sets a 128-KB maximum body size.
Defining an OAuth 2.0 authorization server in APIM that uses the authorization-code grant lets the developer portal obtain Microsoft Entra ID tokens on behalf of users without exposing a client secret in the browser. Adding the validate-azure-ad-token inbound policy causes the gateway to verify every JSON Web Token issued by Microsoft Entra ID, ensuring unauthenticated calls are blocked. The validate-content inbound policy, configured with a 128-KB size limit, rejects any oversized request body before the call reaches the backend. None of the alternative configurations satisfies all three requirements simultaneously: mutual TLS does not supply Entra ID tokens, IP filtering does not limit payload size, and the implicit grant exposes tokens directly in the browser without a secure back-channel exchange.
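The two inbound policies named in the explanation, sketched as an API-scope policy document (an added example, not part of the original question). The named value `entra-tenant-id` and the all-zero audience URI are placeholders assumed for illustration; the OAuth 2.0 authorization server for the developer portal is configured on the APIM instance itself and does not appear in policy XML.

```xml
<policies>
    <inbound>
        <base />
        <!-- Gateway-side validation of Microsoft Entra ID access tokens.
             Requests without a valid token get a 401 and never reach the backend.
             {{entra-tenant-id}} is an assumed named value holding the tenant ID. -->
        <validate-azure-ad-token tenant-id="{{entra-tenant-id}}"
                                 header-name="Authorization"
                                 failed-validation-httpcode="401"
                                 failed-validation-error-message="Unauthorized">
            <audiences>
                <!-- Placeholder: the Application ID URI of the API's app registration. -->
                <audience>api://00000000-0000-0000-0000-000000000000</audience>
            </audiences>
        </validate-azure-ad-token>

        <!-- Reject request bodies larger than 128 KB (128 * 1024 = 131072 bytes).
             max-size is checked against the Content-Length header.
             unspecified-content-type-action="ignore" keeps this policy a pure size
             check: no <content> schema mappings are defined, so content types are
             not validated here. -->
        <validate-content unspecified-content-type-action="ignore"
                          max-size="131072"
                          size-exceeded-action="prevent"
                          errors-variable-name="requestBodyValidation" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Placing `validate-azure-ad-token` before `validate-content` means unauthenticated callers are rejected before the gateway evaluates the body size.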
Microsoft Azure Security Engineer Associate AZ-500
Secure compute, storage, and databases