Microsoft Azure Security Engineer Associate Practice Test (AZ-500)

Microsoft Azure Security Engineer Associate AZ-500 Information
About the Microsoft Azure Security Engineer Associate (AZ-500) Exam
The Microsoft Azure Security Engineer Associate certification, achieved by passing the AZ-500 exam, is a critical credential for professionals dedicated to securing Azure environments. This exam is designed for individuals who implement, manage, and monitor security for resources in Azure, as well as in multi-cloud and hybrid environments. Candidates are expected to have practical experience with the administration of Microsoft Azure and a solid understanding of security principles. The exam validates a candidate's expertise in managing identity and access, implementing platform protection, managing security operations, and securing data and applications. With 95% of Fortune 500 companies utilizing Azure, professionals with validated security skills are in high demand.
Key Domains and Skills Measured
The AZ-500 exam typically consists of 40–60 questions and requires a score of 700 out of 1,000 to pass. The questions, which can include multiple-choice, case studies, and scenario-based formats, are divided into four main domains. These domains include securing identity and access (15–20%), securing networking (20–25%), securing compute, storage, and databases (20–25%), and managing security with Microsoft Defender for Cloud and Microsoft Sentinel (30–35%). This structure ensures that certified professionals are proficient in a wide range of security tasks, from configuring Azure Active Directory for secure access to using advanced tools like Microsoft Sentinel for threat detection and response.
The Value of Practice Exams in Preparation
A crucial component of a successful study plan for the AZ-500 exam is the use of practice exams. These tools are invaluable for several reasons. Firstly, they provide a realistic simulation of the actual exam environment, helping to reduce anxiety and build confidence by familiarizing candidates with the question formats and time constraints. Secondly, practice tests are an excellent way to identify knowledge gaps. By reviewing incorrect answers and the provided explanations, you can pinpoint specific areas that require further study and focus your learning efforts more effectively. Finally, consistently taking practice exams helps in tracking progress over time, offering motivation as scores improve and ensuring a deep, practical understanding of Azure security technologies rather than mere memorization of facts. Microsoft even offers a free practice assessment on its official certification page to help candidates gauge their readiness.

Free Microsoft Azure Security Engineer Associate AZ-500 Practice Test
- 20 Questions
- Unlimited time
- Secure identity and access
- Secure networking
- Secure compute, storage, and databases
- Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel
You want to surface a new set of corporate policies in the Regulatory compliance dashboard so that every subscription in the Finance management group is evaluated against them. Before you choose Add custom standard in Microsoft Defender for Cloud, which preparatory action must you complete?
Add the tag complianceStandard=true to each individual policy definition you intend to include.
Enable Microsoft Defender for Cloud Plan 2 on every subscription in the Finance management group.
Assign the Microsoft Defender for Cloud Policy Contributor role to the built-in Security Insights application at the management-group scope.
Define an Azure Policy initiative at the Finance management-group scope and set its category to "Regulatory Compliance".
Answer Description
Defender for Cloud can only expose a custom regulatory compliance standard when the underlying Azure Policy initiative already exists and is discoverable at the same scope. The initiative has to be created (or uploaded) in Azure Policy, assigned at the Finance management-group scope, and marked with the Regulatory Compliance category. Without this specific initiative definition in place, the Add custom standard wizard has nothing to attach to, so the standard cannot be created. Enabling higher-tier Defender plans, granting additional RBAC roles, or simply tagging individual policies does not meet this prerequisite.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an Azure Policy initiative?
Why must the initiative's category be set to Regulatory Compliance?
What does assigning an initiative at the management-group scope mean?
You manage 15 Azure virtual networks that reside in two subscriptions. You already created an Azure Virtual Network Manager instance and added all production networks in East US to a single network group. You must make sure all member virtual networks automatically peer with each other in a full-mesh topology without creating individual peerings. Which object should you create and deploy?
A hub-and-spoke connection configured on each virtual network
A security admin rule collection assigned to the network group
A connectivity configuration with mesh topology deployed to the East US region
An Azure Virtual WAN hub created in the East US region
Answer Description
A connectivity configuration in Azure Virtual Network Manager defines how virtual networks in one or more network groups connect to each other. When you choose the mesh topology and deploy the configuration to a region, VNets in the targeted network group are automatically connected by peering links. Security admin rule collections only control traffic; they do not establish connectivity. Hub-and-spoke connections require a designated hub and do not deliver a full mesh automatically, and Azure Virtual WAN hubs are a separate service that is not managed through Virtual Network Manager for VNet-to-VNet peering.
You assigned the built-in Azure Policy "Allowed locations" at the production subscription scope. After a merger, three resource groups must remain in an unsupported region for the next six months. You need to prevent those resource groups from being reported as non-compliant without removing or modifying the existing policy assignment. What should you configure?
Create a policy exemption for each of the three resource groups.
Add a role assignment granting the Policy Contributor role to each resource group.
Wrap the existing policy in an initiative definition and assign the initiative instead.
Create a new policy assignment with the Allowed locations policy but set the effect to Disabled at the resource-group scope.
Answer Description
A policy exemption is designed for temporary or permanent waivers when a resource cannot meet a policy requirement. When an exemption is applied to a specific scope, resources in that scope are excluded from compliance evaluation results, yet the original assignment and its auditing history remain intact and can be re-enabled at any time. Placing the policy inside an initiative does not exclude the resource groups; it only groups definitions. Granting the Policy Contributor role changes who can edit policies, not how they are evaluated. Creating a second assignment with the Disabled effect at a lower scope does not override a Deny assignment at a higher scope because Deny has higher precedence than Disabled.
Your company stores personally identifiable information in an Azure SQL Database. Compliance rules state that the data must be encrypted at rest, in transit, and while it is processed on the server, and that neither database administrators nor Microsoft support engineers can read plaintext values. The application must still perform equality searches on the sensitive columns with minimal code changes. Which Azure SQL feature should you recommend?
Transparent Data Encryption (TDE)
Always Encrypted configured with deterministic encryption
Row-level security
Dynamic Data Masking
Answer Description
Always Encrypted encrypts designated columns in the client driver before the data reaches Azure SQL Database. Because the encryption keys never leave the client application, the database engine, administrators, and Microsoft personnel cannot view the plaintext data. Using deterministic encryption allows the service to evaluate equality predicates, so existing queries such as WHERE Column = @value continue to work with little or no code change. Transparent Data Encryption protects files and backups on disk only, leaving data visible to anyone who can query the database. Dynamic Data Masking merely obfuscates query results and can be bypassed by privileged users. Row-level security restricts which rows a user can access but does not encrypt the data. Therefore, Always Encrypted with deterministic encryption is the only feature that meets every requirement.
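The client-side behaviour described above, as an added example that is not part of the practice test or Microsoft's driver: a small HMAC-based synthetic-IV cipher stands in for the real column encryption algorithm and an in-memory SQLite table stands in for Azure SQL Database, so the equality-search and information-leak behaviour of deterministic versus randomized encryption can be seen directly. The key, table and rows are constructed for the demo.

```python
"""Toy illustration of Always Encrypted with deterministic versus randomized
column encryption.  Added example, not Microsoft's driver or cipher: a small
HMAC-based synthetic-IV cipher stands in for the real AEAD and an in-memory
SQLite table stands in for Azure SQL Database.  Only the client holds the key;
the database stores and compares ciphertext bytes.
"""
import hmac
import os
import sqlite3
from hashlib import sha256
from typing import List

# Column encryption key (constructed for the demo); never leaves the client.
CEK = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
K_IV, K_ENC, K_MAC = (hmac.new(CEK, label, sha256).digest()
                      for label in (b"iv", b"enc", b"mac"))


def _keystream(iv: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(K_ENC, iv + counter.to_bytes(4, "big"), sha256).digest()
        counter += 1
    return out[:length]


def encrypt(plaintext: bytes, deterministic: bool) -> bytes:
    """Deterministic mode derives the IV from the plaintext, so equal values
    produce identical ciphertext; randomized mode uses a fresh random IV."""
    iv = (hmac.new(K_IV, plaintext, sha256).digest()[:16] if deterministic
          else os.urandom(16))
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(iv, len(plaintext))))
    tag = hmac.new(K_MAC, iv + body, sha256).digest()
    return iv + body + tag


def decrypt(blob: bytes) -> bytes:
    iv, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(K_MAC, iv + body, sha256).digest()):
        raise ValueError("ciphertext tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(body, _keystream(iv, len(body))))


def load_table(deterministic: bool) -> sqlite3.Connection:
    """The client encrypts the SSN column before INSERT; the server only sees bytes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, ssn_enc BLOB)")
    rows = [("Alice", b"123-45-6789"), ("Bob", b"987-65-4321"),
            ("Carol", b"123-45-6789")]                     # constructed sample data
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [(n, encrypt(s, deterministic)) for n, s in rows])
    return db


def find_by_ssn(db: sqlite3.Connection, ssn: bytes, deterministic: bool) -> List[str]:
    """The application's unchanged equality query: the driver encrypts the
    parameter and the server compares ciphertext bytes for equality."""
    cur = db.execute("SELECT name FROM customers WHERE ssn_enc = ? ORDER BY name",
                     (encrypt(ssn, deterministic),))
    return [row[0] for row in cur]


def distinct_ciphertexts(db: sqlite3.Connection) -> int:
    """What a DBA learns without the key: deterministic encryption reveals
    which rows share a value (and how often); randomized encryption does not."""
    return db.execute("SELECT COUNT(DISTINCT ssn_enc) FROM customers").fetchone()[0]


if __name__ == "__main__":
    for mode in (True, False):
        db = load_table(mode)
        print("deterministic" if mode else "randomized",
              find_by_ssn(db, b"123-45-6789", mode), distinct_ciphertexts(db))
```

The trade-off the example shows is the one to weigh when choosing deterministic encryption for a column: equality predicates keep working, but anyone who can read the table can see which rows hold the same value.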
Your company has 75 virtual networks spread across three Azure subscriptions. You must immediately block all outbound traffic to two public IP addresses that have been reported as command-and-control endpoints, while avoiding per-NSG changes. What should you do?
Add a user-defined route with next hop set to None for the two IP addresses in each subnet of every virtual network.
Create a security admin rule collection in Azure Virtual Network Manager, attach it to a network group that contains all virtual networks, and add a deny outbound rule for the two IP addresses.
Deploy a centralized Azure Firewall in a hub virtual network and add an outbound application rule that denies connections to the two IP addresses.
Associate the affected virtual machines with a new application security group and add a deny outbound rule to existing NSGs that references this group.
Answer Description
Security admin rules in Azure Virtual Network Manager are evaluated before subnet-level NSG rules and apply to every network that belongs to the selected network group, regardless of subscription. Creating a deny, outbound security admin rule that targets the malicious IP addresses meets the requirement in a single configuration step and does not require modifying individual NSGs. User-defined routes or Azure Firewall would need additional routing changes in every virtual network, and NSG rules referencing an application security group would still have to be added to each NSG individually.
An Azure Firewall is associated with a firewall policy that contains two network rule collections:
- Deny-Internet (priority 100) with action Deny and destination address prefixes 0.0.0.0/0 and ::/0.
- Allow-Internal (priority 200) with action Allow and destination address prefix 10.0.0.0/8.
Users in the connected virtual networks cannot establish HTTPS connections to 10.5.0.4.
Which change will allow the traffic while still blocking outbound internet access?
Convert the Deny-Internet rule collection to an application rule collection.
Change the priority of the Allow-Internal rule collection to 50 so it is evaluated before Deny-Internet.
Add an application rule in Deny-Internet that allows https://10.5.0.4.
Enable forced tunneling on the firewall and add a route to 10.0.0.0/8.
Answer Description
Azure Firewall evaluates rule collections in order of priority, starting with the lowest numerical value. Because Deny-Internet has a lower priority number (100) than Allow-Internal (200), traffic to 10.5.0.4 first matches the broader deny rule and is blocked. Lowering the priority number of Allow-Internal places the allow rule ahead of the deny rule, so packets destined for 10.0.0.0/8 are accepted, and traffic that does not match that prefix continues to be denied by the subsequent Deny-Internet rule. Converting Deny-Internet to an application rule or adding an application rule would not help because network rules are evaluated before application rules. Forced tunneling does not affect intra-virtual-network traffic and would not resolve the issue.
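The evaluation order described in the answer, as an added simulation that is not part of the practice test or Microsoft's implementation: the two collections from the scenario are walked in ascending priority order with first match winning, and the broken (100/200) and corrected (100/50) orderings are compared for the internal host and an Internet address. The rule names and the 203.0.113.10 test address are constructed.

```python
"""Simulation of how Azure Firewall orders network rule collections.

Added example for this question, not Microsoft's implementation: the two
collections from the scenario are modelled, rule collections are walked in
ascending priority order, and the first match wins.  Application rules are
not modelled because network rules are always evaluated before them.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class NetworkRule:
    name: str
    dest_prefixes: List[str]               # CIDR prefixes, e.g. "0.0.0.0/0"
    dest_ports: Optional[Set[int]] = None  # None means any port


@dataclass
class RuleCollection:
    name: str
    priority: int                          # lower number is evaluated first
    action: str                            # "Allow" or "Deny"
    rules: List[NetworkRule] = field(default_factory=list)


def _matches(rule: NetworkRule, dst_ip: str, dst_port: int) -> bool:
    ip = ipaddress.ip_address(dst_ip)
    # ip_network.__contains__ returns False for a different IP version,
    # so an IPv4 address never matches the "::/0" prefix.
    in_prefix = any(ip in ipaddress.ip_network(p) for p in rule.dest_prefixes)
    return in_prefix and (rule.dest_ports is None or dst_port in rule.dest_ports)


def evaluate(collections: List[RuleCollection], dst_ip: str, dst_port: int):
    """Return (action, collection name) of the first matching collection.

    Traffic that matches no rule is dropped by the firewall's implicit deny.
    """
    for coll in sorted(collections, key=lambda c: c.priority):
        if any(_matches(r, dst_ip, dst_port) for r in coll.rules):
            return coll.action, coll.name
    return "Deny", "implicit-deny"


def build_policy(deny_internet_priority: int = 100,
                 allow_internal_priority: int = 200) -> List[RuleCollection]:
    """The scenario's two collections; priorities are parameters so the
    broken (100/200) and corrected (100/50) orderings can be compared."""
    deny_internet = RuleCollection(
        "Deny-Internet", deny_internet_priority, "Deny",
        [NetworkRule("all-internet", ["0.0.0.0/0", "::/0"])],
    )
    allow_internal = RuleCollection(
        "Allow-Internal", allow_internal_priority, "Allow",
        [NetworkRule("corp-10-8", ["10.0.0.0/8"])],
    )
    return [deny_internet, allow_internal]


if __name__ == "__main__":
    for allow_prio in (200, 50):
        policy = build_policy(allow_internal_priority=allow_prio)
        print(f"Allow-Internal at priority {allow_prio}:")
        for dst in ("10.5.0.4", "203.0.113.10"):   # 203.0.113.0/24 is TEST-NET-3
            print(f"  {dst}:443 -> {evaluate(policy, dst, 443)}")
```

Azure Firewall accepts rule collection priorities from 100 to 65000, so in a deployed policy the same reordering is achieved by keeping Allow-Internal's number lower than Deny-Internet's within that range.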
Your team assigns the built-in policy "Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace," which uses the DeployIfNotExists effect. After 24 hours the assignment lists 80 storage accounts as non-compliant, and every remediation task created from the assignment fails with the status Unauthorized. What is the most likely reason the remediation tasks cannot complete?
The policy definition must be changed to use the Modify effect instead of DeployIfNotExists.
Remediation tasks cannot run until the policy's overall compliance reaches 100 percent.
The policy assignment scope needs to be a management group rather than a subscription for remediation to succeed.
The policy assignment was created without a managed identity that has sufficient write permissions on the targeted storage accounts.
Answer Description
DeployIfNotExists (and Modify) effects rely on the managed identity that is automatically created (or supplied) when the policy assignment is made. During remediation, this identity runs the ARM deployment that adds the required diagnostic setting. If the assignment was created without a managed identity, or with an identity that lacks write permissions such as Contributor on the target scope, any deployment triggered by remediation will be rejected and surface as Unauthorized. Changing the effect, modifying the scope, or waiting for compliance will not grant the necessary permissions, so those actions would not resolve the failure.
You manage a subscription that hosts several Azure Container Apps environments. Security operations must receive alerts when Microsoft Defender detects suspicious or malicious activity inside the running containers. You have already onboarded the subscription to Microsoft Defender for Cloud, but no security alerts are shown for the container apps. To ensure runtime threat detection for Azure Container Apps, what should you do first?
Configure egress filtering for the Container Apps environment by sending outbound traffic through Azure Firewall.
Deploy the container apps into an App Service Environment to inherit App Service threat detection features.
Enable the Microsoft Defender for Containers plan for the subscription (or relevant resource group).
Enable diagnostic settings on each container app to stream the ContainerAppConsoleLogs and ContainerAppSystemLogs categories to a Log Analytics workspace.
Answer Description
For Azure Container Apps, runtime threat detection is provided by Microsoft Defender for Containers. Merely onboarding a subscription to Microsoft Defender for Cloud does not automatically enable any Defender plans. You must explicitly enable the Microsoft Defender for Containers plan at the subscription or resource-group level. Once the plan is enabled, Defender instruments the Container Apps environment and can raise security alerts for suspicious processes, reverse shells, crypto-mining, and other threats. Enabling diagnostic logs, deploying the apps to an App Service Environment, or configuring egress filtering can improve observability or network security but will not activate Defender's runtime analysis or generate the required alerts.
Your Azure VNet has WebSubnet (web-tier VM scale set) and AppSubnet (application VMs). Requirements:
- Allow Internet → web tier on TCP 443.
- Allow web tier → app tier on TCP 8080.
- Block any traffic initiated from AppSubnet to the Internet or WebSubnet.
You must minimise NSG rules and ensure policies automatically cover new scale-out instances. What should you configure?
Deploy an Azure Firewall in a dedicated subnet and configure user-defined routes so all traffic is forced through the firewall.
Associate both subnets with a single Network Security Group that contains individual CIDR-based allow and deny rules for each subnet.
Create two Application Security Groups (one for the web tier and one for the app tier) and reference them in the required NSG rules.
Use Azure Virtual Network Manager to create security admin rule collections that allow and deny the required traffic.
Answer Description
Application Security Groups (ASGs) let you attach VM NICs to logical groups and reference those groups in NSG rules. Create one ASG for the web tier and one for the app tier, then:
- On the NSG for WebSubnet, add an inbound rule that allows source Internet to destination Web-ASG on TCP 443.
- Add a rule that allows traffic from Web-ASG to App-ASG on TCP 8080; the stateful NSG permits the return traffic automatically.
- On the NSG for AppSubnet, add a high-priority deny outbound rule that blocks any destination Internet or Web-ASG, satisfying the isolation requirement.
Because new VM instances are automatically added to their ASG when the scale set grows, no extra rules are needed, meeting the minimal-rule and autoscaling requirements. CIDR-based rules, Azure Firewall, or Virtual Network Manager security admin rules would meet the traffic requirements but add unnecessary maintenance or cost.
You are asked to onboard Contoso to Microsoft Defender External Attack Surface Management (EASM) so that the service can begin automatically discovering unknown Internet-facing assets. You have already created a new EASM resource in the Azure portal. Before discovery can start, which action must you perform?
Deploy the EASM discovery agent on every public virtual machine in Azure.
Connect the Azure subscription to Microsoft Defender for Cloud and enable Cloud Security Posture Management.
Create a discovery group and add a root Internet-facing asset (for example, contoso.com) as a seed.
Upload a list of on-premises private IP subnets to the EASM resource.
Answer Description
EASM needs at least one "seed" that represents something your organization already owns on the public Internet. You supply that seed by creating a discovery group and adding one or more root assets (for example, a domain name such as contoso.com, an IP address, or an IP range). The EASM discovery engine then pivots from those seeds, using data sources such as DNS, WHOIS, and TLS certificates, to enumerate additional related assets. Enabling Microsoft Defender for Cloud, deploying agents, or uploading internal networks are not required to start the discovery process.
Your company's security policy requires the following:
- Helpdesk staff must be able to reset any user's password in Microsoft Entra ID.
- Helpdesk staff must not be able to create, delete, or update user properties other than the password.
You decide to create a custom Microsoft Entra (Azure AD) administrative role and assign it to the Helpdesk group.
Which Microsoft Graph permission should you include in the custom role to meet the requirements?
microsoft.directory/applications/standard/read
microsoft.directory/users/createAsOwner
microsoft.directory/users/password/update
microsoft.directory/users/basic/update
Answer Description
The microsoft.directory/users/password/update permission allows a principal to perform password resets for any user but does not grant rights to delete users or update other user properties. Therefore, including only this permission in the custom Microsoft Entra role lets Helpdesk staff reset passwords while preventing broader user management capabilities. The other listed permissions either allow additional user changes, such as creating or deleting users, or are unrelated to user password management.
You manage an Azure Storage account named mystorage that contains multiple containers. DevOps engineers need read and write access to only the container named source for the next 72 hours from a CI/CD pipeline. The solution must avoid exposing either of the storage account access keys and must rely on Azure AD for authorization. Which access mechanism should you recommend?
An access key stored in an Azure Key Vault secret
A user delegation SAS
A service SAS signed with the storage account key
A stored access policy that uses an account key
Answer Description
A user delegation SAS is signed with a user delegation key that Azure Storage issues to a Microsoft Entra (Azure AD) principal, so no storage account keys are exposed. It can be scoped to a single container and given an explicit expiration time such as 72 hours. A service SAS and a stored access policy both require the account key for signing, and supplying the key through Key Vault still exposes it to the pipeline, violating the requirement to keep keys hidden.
You are deploying an Azure SQL Managed Instance in a dedicated subnet. To meet corporate policy you attach a Network Security Group (NSG) to the subnet and delete the default Allow Internet Outbound rule, effectively blocking all outbound Internet traffic. After the change, the managed instance remains stuck in the Creating state and eventually fails to provision. You must keep the Internet block in place but still allow the managed instance to deploy and operate. Which single NSG rule should you add?
Allow outbound TCP 443 to the service tag SqlManagement
Allow outbound TCP 443 to the service tag Internet
Allow outbound UDP 1194 to the service tag GatewayManager
Allow outbound TCP 1443 to the service tag VirtualNetwork
Answer Description
Azure SQL Managed Instance relies on Azure-hosted management endpoints that are not reachable through the local virtual network. Microsoft exposes the required addresses through the service tag "SqlManagement" and communicates with them over TCP port 443. If outbound traffic to that tag is blocked, provisioning and subsequent management operations (for example, automated patching) fail. Allowing outbound TCP 443 to the SqlManagement service tag opens only the minimum set of addresses required for the service while continuing to deny all other Internet traffic, so the managed instance can deploy and remain compliant with the security policy. The other options either target the wrong port, an unrelated service tag, or would reopen general Internet access, which violates the policy.
You manage an Azure Kubernetes Service (AKS) cluster that uses the Azure CNI network plugin. Workloads from several teams run in separate namespaces. The security team requires that pods be isolated so that traffic between namespaces is blocked unless explicitly allowed. You need to enforce this requirement without modifying the cluster network plugin or the container images. What should you do?
Associate a network security group with each node subnet that blocks traffic between the pod address ranges.
Deploy Azure Firewall and route all pod egress traffic through it, adding deny rules for other namespaces.
Enable the Azure network policy add-on for the cluster and apply Kubernetes NetworkPolicy objects to each namespace.
Enable Microsoft Defender for Cloud for Kubernetes and configure the "Block cross-namespace communication" security policy.
Answer Description
AKS supports Kubernetes network policies through either the Azure or Calico plug-ins. With the Azure CNI network plugin you can enable the Azure network policy add-on (for example, by running "az aks update --network-policy azure") and then apply Kubernetes NetworkPolicy resources that default-deny all traffic and selectively allow approved flows. This provides namespace-level and pod-level isolation inside the cluster. Azure Firewall and NSGs operate at the VNet or subnet boundary and cannot see pod-to-pod traffic that stays on the node's virtual NICs, so they cannot enforce the required isolation. Microsoft Defender for Cloud monitors and raises alerts but does not block traffic. Therefore, enabling network policies is the only action that meets the requirement.
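The default-deny-plus-exceptions pattern the answer describes, as an added example that is not part of the practice test or of Kubernetes: two NetworkPolicy manifests in the shape you would apply with kubectl, plus a function that reproduces how Kubernetes matches them, so the effect on cross-namespace traffic can be checked before deploying. The namespaces, labels and pods are constructed; ipBlock peers and egress policies are left out.

```python
"""Kubernetes NetworkPolicy ingress semantics, as enforced on AKS by the Azure
network policy add-on.  Added example, not from the page or from Kubernetes:
the two manifests are the shapes you would kubectl apply, ingress_allowed()
reproduces how they are matched, and the namespaces and pods are constructed.
"""
from typing import Dict, List

# Default-deny all ingress to every pod in namespace team-b.
DEFAULT_DENY_TEAM_B = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-ingress", "namespace": "team-b"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}
# Explicit exception: pods in namespaces labelled team=a may reach app=api on 8080.
ALLOW_TEAM_A_TO_API = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-team-a-to-api", "namespace": "team-b"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "api"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"namespaceSelector": {"matchLabels": {"team": "a"}}}],
            "ports": [{"protocol": "TCP", "port": 8080}],
        }],
    },
}


def _selects(selector: dict, labels: Dict[str, str]) -> bool:
    """matchLabels-only label selector; an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _peer_matches(peers, src: dict, namespaces: Dict[str, dict], policy_ns: str) -> bool:
    if not peers:                        # a rule without 'from' admits any source
        return True
    for peer in peers:
        ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
        if ns_sel is None and pod_sel is None:
            continue                     # ipBlock peers are not modelled here
        # A bare podSelector only matches pods in the policy's own namespace.
        ns_ok = (_selects(ns_sel, namespaces.get(src["namespace"], {}))
                 if ns_sel is not None else src["namespace"] == policy_ns)
        pod_ok = pod_sel is None or _selects(pod_sel, src["labels"])
        if ns_ok and pod_ok:
            return True
    return False


def ingress_allowed(src: dict, dst: dict, policies: List[dict],
                    namespaces: Dict[str, dict], port: int) -> bool:
    """src/dst are {'namespace': ..., 'labels': {...}}.

    A pod selected by no Ingress policy accepts everything (Kubernetes default).
    A pod selected by one or more policies accepts only what some rule allows;
    policies are additive, so isolation comes from the absence of an allow.
    """
    applicable = [
        p for p in policies
        if p["metadata"]["namespace"] == dst["namespace"]
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and _selects(p["spec"]["podSelector"], dst["labels"])
    ]
    if not applicable:
        return True
    return any(
        _peer_matches(rule.get("from"), src, namespaces, p["metadata"]["namespace"])
        and (not rule.get("ports") or any(pt.get("port") == port for pt in rule["ports"]))
        for p in applicable for rule in p["spec"].get("ingress", [])
    )


# Constructed cluster: team-c has no policy at all, so it stays wide open.
NAMESPACES = {"team-a": {"team": "a"}, "team-b": {"team": "b"}, "team-c": {"team": "c"}}
POLICIES = [DEFAULT_DENY_TEAM_B, ALLOW_TEAM_A_TO_API]
WEB_A = {"namespace": "team-a", "labels": {"app": "web"}}
WEB_C = {"namespace": "team-c", "labels": {"app": "web"}}
API_B = {"namespace": "team-b", "labels": {"app": "api"}}
WORKER_B = {"namespace": "team-b", "labels": {"app": "worker"}}
API_C = {"namespace": "team-c", "labels": {"app": "api"}}

if __name__ == "__main__":
    for src, dst, port in [(WEB_A, API_B, 8080), (WEB_A, API_B, 9090), (WEB_C, API_B, 8080),
                           (WEB_A, WORKER_B, 8080), (WEB_A, API_C, 8080)]:
        verdict = "allowed" if ingress_allowed(src, dst, POLICIES, NAMESPACES, port) else "blocked"
        print(f"{src['namespace']}/{src['labels']['app']} -> "
              f"{dst['namespace']}/{dst['labels']['app']}:{port} {verdict}")
```

The last case in the demo is the one to watch for in an audit: a namespace with no default-deny policy remains reachable from every other namespace, so the default-deny object has to be applied to each namespace being isolated.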
Contoso wants to enforce multi-factor authentication (MFA) only when administrators manage Azure resources, not when they use other Microsoft 365 services.
You are asked to create a single Conditional Access policy that meets these requirements.
Which cloud app or action should you target in the policy so that MFA is required only when administrators sign in through the Azure portal, Azure PowerShell, Azure CLI, or the REST API?
All cloud apps
Office 365
Microsoft Azure Management
User action: Register security information
Answer Description
To scope MFA strictly to Azure management operations, the Conditional Access policy must be applied to the built-in cloud app named Microsoft Azure Management.
This cloud app represents every Azure Resource Manager endpoint: the Azure portal, Azure PowerShell, Azure CLI, REST API, and the mobile app. Because Microsoft 365 workloads such as Exchange Online or SharePoint Online are mapped to different cloud-app identifiers, they are not affected when the policy targets Microsoft Azure Management.
Choosing All cloud apps or Office 365 would also include Microsoft 365 workloads, violating the requirement. Selecting a user action such as Register security information does not relate to Azure management sessions and would not enforce MFA for administration tasks.
Your organization plans to enforce a new Azure Policy that denies the deployment of any storage account that is not encrypted with customer-managed keys (CMK). Because many existing deployment pipelines have not yet been updated, you need a transition period during which the policy records non-compliant resources but does not block their creation. You also want to avoid changing the policy definition itself during this period.
Which configuration should you apply to the policy assignment to meet these requirements?
Add the policy to an initiative and leave the initiative in draft state.
Create an exemption for the subscription that expires after the transition period.
Set the policy assignment's enforcement mode to "DoNotEnforce".
Add a custom non-compliance message to the policy assignment.
Answer Description
Setting the policy assignment's enforcement mode to "DoNotEnforce" tells Azure Policy to evaluate the assignment but not apply effects that would stop or change a deployment. For an assignment whose definition uses the Deny effect, Azure Policy logs the non-compliance instead of rejecting the request, giving administrators time to update deployment pipelines. Changing the enforcement mode is done at the assignment level, so the underlying policy definition remains unchanged.
Exemptions exclude specific resources or scopes from evaluation rather than keeping the policy active for all resources. A non-compliance message only customizes the error text that appears when a deny action is triggered; it does not stop the deny. An initiative groups policy assignments but does not override how individual assignments are enforced.
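The way enforcement mode and exemptions change the outcome of a Deny assignment, covering both this question and the earlier "Allowed locations" exemption scenario, as an added model that is not part of the practice test or Microsoft's evaluation engine. The subscription ID, resource group names, allowed locations and dates are constructed; the scope-containment and outcome rules follow the documented behaviour of Azure Policy.

```python
"""Toy model of Azure Policy outcomes for Deny assignments under exemptions
and enforcement mode.  Added example, not Microsoft's evaluation engine; the
subscription, resource groups, locations and dates are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


@dataclass
class Assignment:
    name: str
    scope: str                            # applies to this scope and below
    effect: str                           # "Deny", "Audit", ...
    is_compliant: Callable[[dict], bool]  # the definition's rule
    enforcement_mode: str = "Default"     # "Default" or "DoNotEnforce"


@dataclass
class Exemption:
    assignment: str                       # name of the assignment being waived
    scope: str
    expires_on: Optional[datetime] = None


def _in_scope(scope: str, resource_id: str) -> bool:
    """ARM scopes are path prefixes; comparison is case-insensitive."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def evaluate(resource: dict, assignments: List[Assignment],
             exemptions: List[Exemption], now: datetime) -> Dict[str, str]:
    """Outcome per assignment: Exempt (dropped from compliance results while the
    exemption is valid), Compliant, NonCompliant (recorded, request proceeds)
    or Denied (Deny enforced, request rejected)."""
    outcomes = {}
    for a in assignments:
        if not _in_scope(a.scope, resource["id"]):
            continue
        exempt = any(
            e.assignment == a.name and _in_scope(e.scope, resource["id"])
            and (e.expires_on is None or now < e.expires_on)
            for e in exemptions
        )
        if exempt:
            outcomes[a.name] = "Exempt"
        elif a.is_compliant(resource):
            outcomes[a.name] = "Compliant"
        elif a.effect == "Deny" and a.enforcement_mode == "Default":
            outcomes[a.name] = "Denied"
        else:
            outcomes[a.name] = "NonCompliant"   # Audit, or Deny in DoNotEnforce
    return outcomes


def request_blocked(outcomes: Dict[str, str]) -> bool:
    return "Denied" in outcomes.values()


# Constructed sample environment.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
ALLOWED_LOCATIONS = {"eastus", "westus2"}
NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)
TRANSITION_END = NOW + timedelta(days=182)           # roughly six months

ASSIGNMENTS = [
    Assignment("allowed-locations", SUB, "Deny",
               lambda r: r["location"].lower() in ALLOWED_LOCATIONS),
    Assignment("require-cmk", SUB, "Deny",
               lambda r: r.get("keySource") == "Microsoft.Keyvault",
               enforcement_mode="DoNotEnforce"),
]
EXEMPTIONS = [Exemption("allowed-locations", f"{SUB}/resourceGroups/rg-merger-{i}",
                        TRANSITION_END) for i in (1, 2, 3)]


def storage_account(rg: str, name: str, location: str, cmk: bool) -> dict:
    return {
        "id": f"{SUB}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{name}",
        "location": location,
        "keySource": "Microsoft.Keyvault" if cmk else "Microsoft.Storage",
    }


if __name__ == "__main__":
    for rg, loc, cmk, when in [("rg-merger-1", "canadacentral", False, NOW),
                               ("rg-prod", "canadacentral", True, NOW),
                               ("rg-prod", "eastus", False, NOW),
                               ("rg-merger-1", "canadacentral", False, TRANSITION_END)]:
        out = evaluate(storage_account(rg, "st" + rg.replace("-", ""), loc, cmk),
                       ASSIGNMENTS, EXEMPTIONS, when)
        print(f"{rg:12} {loc:14} {when.date()} -> {out} blocked={request_blocked(out)}")
```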
You enabled soft-delete and purge protection on an Azure Key Vault that stores an RSA key named AppKey. The operations team used Azure CLI to create a backup of AppKey to a Blob storage container. A week later, AppKey is accidentally deleted, but has not been purged from the vault. To bring the key back into service as quickly as possible while preserving all existing versions, which action should you perform?
Create a new key named AppKey with az keyvault key create.
Run az keyvault key restore --vault-name <vaultName> --file appkey_backup.
Run az keyvault key import --vault-name <vaultName> --file appkey_backup.
Run az keyvault key recover --vault-name <vaultName> --name AppKey.
Answer Description
Because soft-delete is active and the key has not been purged, AppKey still exists in the vault in the deleted state, and `az keyvault key list-deleted --vault-name <vaultName>` will show it. The fastest way to return it to service is the recover operation, which changes the key's state from deleted back to active and keeps every version, attribute and key identifier intact, so existing references keep working; the caller needs the recover key permission (or an RBAC role that includes it, such as Key Vault Crypto Officer). Recovery is only possible within the soft-delete retention period, which is where purge protection matters: it stops anyone from purging the key before that window ends. Restoring from a backup is for cases where the key has been purged or the vault recreated, and a backup blob can only be restored into a vault in the same subscription and geography. Importing a key or recreating one with the same name would produce a new key object and break the version history and any references pinned to the old identifier; in practice, while AppKey sits in the deleted state, create, import and restore with that name are rejected with a conflict until the key is either recovered or purged.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Azure Key Vault soft-delete and purge protection?
What is the difference between `recover`, `restore`, and `import` commands in the context of Azure Key Vault?
Why is versioning important for Azure Key Vault keys?
Your team wants to detect whether any VM in subnet-prod is opening outbound connections to unapproved IP addresses. All VMs are protected by a single network security group named nsg-prod. You must collect logs of every allowed and denied outbound flow with source and destination information for later analysis in Log Analytics. Which Network Watcher feature should you enable?
Configure a packet capture session on each VM's network interface.
Set up Connection Monitor between the VMs and the unapproved IP ranges.
Run IP flow verify for outbound traffic from each VM.
Enable NSG flow logs on nsg-prod.
Answer Description
Network Security Group (NSG) flow logs, a Network Watcher feature, record metadata for every flow an NSG evaluates: the 5-tuple, direction, allow/deny decision, the rule that matched and, in version 2, the flow state and byte/packet counters. The records are written as JSON to a storage account, and with Traffic Analytics enabled they are aggregated into a Log Analytics workspace for querying. Packet capture records full packet payloads, is scoped per NIC and is meant for short-term troubleshooting, not continuous monitoring. IP flow verify is an on-demand yes/no reachability test for a single flow and produces no continuous log. Connection monitor measures end-to-end connectivity and latency for specified endpoints but does not log every flow traversing the NSG. Enabling NSG flow logs on nsg-prod is therefore the feature that meets the requirement. Note that Microsoft has announced the retirement of NSG flow logs in favor of virtual network flow logs, which cover the same need at VNet scope; for the exam scenario as written, NSG flow logs are the answer.
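An added example, not from this page: a parser for the NSG flow log version 2 record layout and the detection pass the question describes, run over a constructed record. The IPs, MAC addresses, rule names, resource ID and the approved CIDR list are all made up for illustration; the record structure and the tuple field order are those of NSG flow logs version 2.

```python
import ipaddress
import json
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Iterator

# Constructed sample record in NSG flow log version 2 layout (not real data).
# Tuple fields: time,srcIp,dstIp,srcPort,dstPort,protocol(T/U),direction(I/O),
# decision(A/D),state(B/C/E),pktsSrcToDst,bytesSrcToDst,pktsDstToSrc,bytesDstToSrc.
# Counters are empty on "B" (begin) entries and populated on "C"/"E" entries.
SAMPLE_RECORD = json.dumps({
    "time": "2024-03-01T10:15:00.0000000Z",
    "systemId": "00000000-0000-0000-0000-000000000000",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-PROD"
                  "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-PROD",
    "operationName": "NetworkSecurityGroupFlowEvents",
    "properties": {
        "Version": 2,
        "flows": [
            {"rule": "DefaultRule_AllowInternetOutBound",
             "flows": [{"mac": "000D3AF87A5C", "flowTuples": [
                 "1709288100,10.10.1.4,203.0.113.7,51022,443,T,O,A,B,,,,",
                 "1709288130,10.10.1.4,203.0.113.7,51022,443,T,O,A,E,25,4987,19,12729",
                 "1709288140,10.10.1.5,198.51.100.9,40112,22,T,O,A,B,,,,",
             ]}]},
            {"rule": "Deny-C2-OutBound",
             "flows": [{"mac": "000D3AF87A5D", "flowTuples": [
                 "1709288150,10.10.1.6,192.0.2.33,33021,4444,T,O,D,B,,,,",
             ]}]},
            {"rule": "DefaultRule_AllowVnetInBound",
             "flows": [{"mac": "000D3AF87A5C", "flowTuples": [
                 "1709288160,10.10.2.8,10.10.1.4,50001,443,T,I,A,B,,,,",
             ]}]},
        ],
    },
})


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    sport: int
    dport: int
    proto: str      # "T" or "U"
    direction: str  # "I" inbound, "O" outbound
    decision: str   # "A" allowed, "D" denied
    state: str      # "B" begin, "C" continuing, "E" end
    rule: str       # NSG rule that matched
    bytes_out: int  # bytes src -> dst, 0 when the tuple carries no counters


def parse_record(raw: str) -> Iterator[Flow]:
    """Yield one Flow per tuple in a version-2 NSG flow log record."""
    rec = json.loads(raw)
    props = rec["properties"]
    if props.get("Version") != 2:
        raise ValueError(f"expected flow log version 2, got {props.get('Version')}")
    for rule_block in props["flows"]:
        for nic in rule_block["flows"]:
            for tup in nic["flowTuples"]:
                f = tup.split(",")
                if len(f) != 13:
                    raise ValueError(f"malformed tuple: {tup}")
                yield Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]),
                           f[5], f[6], f[7], f[8], rule_block["rule"],
                           int(f[10]) if f[10] else 0)


def unapproved_outbound(flows: Iterable[Flow], approved_cidrs: Iterable[str]) -> list[Flow]:
    """Allowed outbound flows whose destination lies outside every approved CIDR."""
    nets = [ipaddress.ip_network(c) for c in approved_cidrs]
    return [f for f in flows
            if f.direction == "O" and f.decision == "A"
            and not any(ipaddress.ip_address(f.dst) in n for n in nets)]


def summarize(flows: Iterable[Flow]) -> dict[tuple[str, str, int], int]:
    """Bytes sent per (src, dst, dstPort); the B/C/E entries of one flow collapse together."""
    totals: dict[tuple[str, str, int], int] = defaultdict(int)
    for f in flows:
        totals[(f.src, f.dst, f.dport)] += f.bytes_out
    return dict(totals)


# Constructed allow-list for the example: the VNet itself plus one partner range.
APPROVED = ["10.0.0.0/8", "198.51.100.0/24"]

if __name__ == "__main__":
    hits = unapproved_outbound(parse_record(SAMPLE_RECORD), APPROVED)
    for (src, dst, dport), nbytes in summarize(hits).items():
        print(f"{src} -> {dst}:{dport}  bytes_out={nbytes}")
```

The denied flow to 192.0.2.33 is deliberately excluded: it never left the VM, and alerting on denied flows is a separate (also useful) detection. To produce these records, enable the log on nsg-prod with Azure CLI, for example `az network watcher flow-log create --resource-group rg-prod --name fl-nsg-prod --nsg nsg-prod --location <region> --storage-account <storageAccountId> --log-version 2 --enabled true --traffic-analytics true --workspace <workspaceId>` (the names and placeholders are assumptions); with Traffic Analytics on, the same filter can be written in KQL against the AzureNetworkAnalytics_CL table instead of parsing the blobs yourself.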
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are Network Security Group (NSG) flow logs in Azure?
How do NSG flow logs compare to packet capture?
How are NSG flow logs integrated with Azure Log Analytics?
You manage an Azure subscription that is protected by Microsoft Defender for Cloud. The Regulatory compliance dashboard currently shows only the Azure Security Benchmark. Auditors now require the environment to be evaluated against ISO/IEC 27001:2013, and the compliance results must appear in the same dashboard.
What is the first change you must make in Microsoft Defender for Cloud to meet this requirement?
Manually assign the built-in Azure Policy initiative "Audit ISO 27001" at each resource group.
Deploy an Azure Monitor workbook that tracks ISO 27001 controls.
Create a continuous export rule that sends secure score and compliance data to an Event Hub.
Enable the ISO 27001 regulatory standard in Microsoft Defender for Cloud Environment settings for the subscription.
Answer Description
In Microsoft Defender for Cloud, each compliance framework is represented by a regulatory standard backed by an Azure Policy initiative. The Regulatory compliance dashboard displays results only for standards that have been enabled on the selected subscription or management group; by default that is just the Microsoft cloud security benchmark (formerly named the Azure Security Benchmark, as the dashboard in the question shows). Enabling the ISO 27001 standard from the subscription's Environment settings (Security policies) assigns its built-in Azure Policy initiative to the subscription with no further configuration, and results populate once the next policy evaluation cycle has run. Export rules, workbooks and manual policy assignments are not needed until after the standard has been enabled, and creating them alone will not surface the framework in the dashboard: a continuous export only forwards compliance data that already exists, and a workbook only visualizes it.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is ISO/IEC 27001:2013, and why is it important for cloud environments?
How does the Regulatory compliance dashboard in Microsoft Defender for Cloud work?
What are Azure Policy initiatives, and how do they relate to compliance standards like ISO 27001?
Your company uses an Azure SQL Database that stores customer records. A new compliance mandate states that the data files, transaction logs, and all automated backups must be encrypted at rest. The mandate explicitly allows database administrators to view the data, and the development team must not change existing client applications. Which Azure SQL feature should you enable to meet the requirements?
Enforcing TLS 1.2 for all client connections
Transparent Data Encryption (TDE)
Dynamic Data Masking
Always Encrypted
Answer Description
Transparent Data Encryption (TDE) encrypts the database files, transaction logs and all backups at rest, performing real-time I/O encryption and decryption at the storage layer, so no application or driver changes are required and database administrators still receive query results in plaintext. Azure SQL Database turns TDE on by default with a service-managed key for new databases; to confirm the state for a given database, query `sys.dm_database_encryption_keys` in that database and check that encryption_state is 3 (encrypted), and if the mandate later asks for key control you can switch the TDE protector to a customer-managed key in Key Vault without losing the transparency to applications. Always Encrypted would prevent administrators from seeing the protected columns and requires client-side driver changes. Dynamic Data Masking only obscures query results for non-privileged users, leaving storage and backups unencrypted. Enforcing TLS 1.2 protects data in transit but provides no encryption for database files or backups.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Transparent Data Encryption (TDE)?
How does Transparent Data Encryption (TDE) differ from Always Encrypted?
Why doesn’t Dynamic Data Masking meet the encryption requirements?