Microsoft Azure Security Engineer Associate AZ-500 Practice Question
You manage Azure resources for your company. Security policy states that no inbound public port may remain open directly to any production virtual machine. However, administrators occasionally need to initiate RDP sessions to troubleshoot Windows Server VMs from anywhere on the Internet. Each connection must be limited to a maximum of three hours, and every access request must be logged automatically. Which Azure capability meets all of these requirements with the least administrative effort?
Configure just-in-time VM access in Microsoft Defender for Cloud.
Deploy Azure Bastion Standard and disable public IP addresses on the VMs.
Enable point-to-site VPN connectivity by using Azure VPN Gateway.
Publish the RDP endpoint through Microsoft Entra Application Proxy.
Configuring just-in-time (JIT) VM access in Microsoft Defender for Cloud best meets the requirements. JIT keeps selected inbound management ports (such as 3389 for RDP) blocked by default and opens them only after an administrator submits and receives approval for a time-limited request; three hours is within the configurable range (up to 24 hours). When the approved window expires, Defender for Cloud automatically removes the temporary allow rule and re-applies the default deny policy. Every JIT request, approved or denied, is written to the Azure Activity log for auditing.
Azure Bastion avoids exposing RDP on each VM but permanently keeps TCP 443 open on the Bastion host and does not enforce a per-connection time window; sessions can persist as long as the user remains connected. A point-to-site VPN secures traffic but does not automatically close or time-limit RDP port access inside the virtual network. Publishing RDP via Microsoft Entra Application Proxy is intended for Remote Desktop Services environments with an RD Gateway and introduces additional deployment overhead, so it is not the least-effort solution for direct VM troubleshooting in Azure.
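The JIT configuration described above, sketched with the Az.Security PowerShell cmdlets as an added example (not part of the original question). The subscription ID, resource group, VM name, region, and source IP are constructed placeholders, and the session is assumed to be signed in already with Connect-AzAccount.

```powershell
# Constructed placeholder values: replace with your own environment.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"
$ResourceGroup  = "rg-prod-example"
$VmName         = "vm-prod-example"
$Location       = "eastus"
$VmId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.Compute/virtualMachines/$VmName"

# 1. Policy: port 3389 stays blocked by default; an approved request
#    may open it for at most three hours (ISO 8601 duration PT3H).
$Policy = @{
    id    = $VmId
    ports = @(@{
        number                     = 3389
        protocol                   = "*"
        allowedSourceAddressPrefix = @("*")   # admins may request from any address
        maxRequestAccessDuration   = "PT3H"   # the scenario's three-hour limit
    })
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $Location -Name "default" `
    -ResourceGroupName $ResourceGroup -VirtualMachine @($Policy)

# 2. Request: open 3389 for a single source IP for two hours,
#    which is inside the three-hour cap set by the policy.
$SourceIp = "203.0.113.10"   # constructed, documentation-range address
$EndTime  = (Get-Date).ToUniversalTime().AddHours(2).ToString("o")
$Request = @{
    id    = $VmId
    ports = @(@{
        number                     = 3389
        endTimeUtc                 = $EndTime
        allowedSourceAddressPrefix = @($SourceIp)
    })
}
$PolicyId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
            "/providers/Microsoft.Security/locations/$Location" +
            "/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $PolicyId -VirtualMachine @($Request)
```

Narrowing the request to one source address while the policy allows any keeps each temporary allow rule as tight as the individual session needs.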
Secure compute, storage, and databases