Crucial Exams

Microsoft Azure Security Engineer Associate AZ-500 Practice Question

Your Azure Key Vault contains a software-protected RSA key named ContosoKey. The key is configured to expire 180 days after it is created. You must ensure that ContosoKey is regenerated automatically every 180 days and that the security team receives a warning 30 days before the key expires. Which configuration meets both requirements?

  • Configure an Event Grid subscription for the Microsoft.KeyVault.KeyNearExpiry event that triggers an Azure Automation runbook to call az keyvault key rotate every 180 days.

  • Assign the built-in Azure Policy definition "Key Vault keys should have an expiration date" at the subscription scope.

  • Create a key rotation policy on ContosoKey that includes a Rotate lifetime action with timeAfterCreate set to P180D and a Notify lifetime action with timeBeforeExpiry set to P30D.

  • Enable soft-delete and purge protection on the vault and rely on Key Vault to regenerate the key automatically when it expires.

Microsoft Azure Security Engineer Associate AZ-500
Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel
Your Score:
Settings & Objectives
Random Mixed
Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.
Rotate by Objective
Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Check or uncheck an objective to set which questions you will receive.

Wipe Score
Bash, the Crucial Exams Chat Bot
AI Bot