Microsoft Azure Security Engineer Associate Practice Test (AZ-500)

Microsoft Azure Security Engineer Associate AZ-500 Information
About the Microsoft Azure Security Engineer Associate (AZ-500) Exam
The Microsoft Azure Security Engineer Associate certification, achieved by passing the AZ-500 exam, is a critical credential for professionals dedicated to securing Azure environments. This exam is designed for individuals who implement, manage, and monitor security for resources in Azure, as well as in multi-cloud and hybrid environments. Candidates are expected to have practical experience with the administration of Microsoft Azure and a solid understanding of security principles. The exam validates a candidate's expertise in managing identity and access, implementing platform protection, managing security operations, and securing data and applications. With 95% of Fortune 500 companies utilizing Azure, professionals with validated security skills are in high demand.
Key Domains and Skills Measured
The AZ-500 exam typically consists of 40–60 questions and requires a score of 700 out of 1,000 to pass. The questions, which can include multiple-choice, case studies, and scenario-based formats, are divided into four main domains. These domains include securing identity and access (15–20%), securing networking (20–25%), securing compute, storage, and databases (20–25%), and managing security with Microsoft Defender for Cloud and Microsoft Sentinel (30–35%). This structure ensures that certified professionals are proficient in a wide range of security tasks, from configuring Azure Active Directory for secure access to using advanced tools like Microsoft Sentinel for threat detection and response.
The Value of Practice Exams in Preparation
A crucial component of a successful study plan for the AZ-500 exam is the use of practice exams. These tools are invaluable for several reasons. Firstly, they provide a realistic simulation of the actual exam environment, helping to reduce anxiety and build confidence by familiarizing candidates with the question formats and time constraints. Secondly, practice tests are an excellent way to identify knowledge gaps. By reviewing incorrect answers and the provided explanations, you can pinpoint specific areas that require further study and focus your learning efforts more effectively. Finally, consistently taking practice exams helps in tracking progress over time, offering motivation as scores improve and ensuring a deep, practical understanding of Azure security technologies rather than mere memorization of facts. Microsoft even offers a free practice assessment on its official certification page to help candidates gauge their readiness.

Free Microsoft Azure Security Engineer Associate AZ-500 Practice Test
- 20 Questions
- Unlimited time
- Domains covered: Secure identity and access; Secure networking; Secure compute, storage, and databases; Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel
Your company hosts multiple workloads in Azure SQL Managed Instance. The security team wants to centralize audit records with virtual machine logs that are already collected in an Azure Monitor Log Analytics workspace. They also require that every existing and future database in the managed instance be audited without additional configuration effort. What should you do first to meet these requirements?
Enable Azure SQL Auditing at the managed-instance level and configure the destination as the existing Log Analytics workspace.
Enable Microsoft Defender for SQL (Advanced Threat Protection) on the managed instance and send alerts to Azure Monitor.
Create an Azure Monitor diagnostic setting for the managed instance to stream SQLInsights metrics to an Azure Storage account.
Configure database-level auditing on each database and set the destination to an Event Hub.
Answer Description
Configuring instance-level auditing sends audit logs for every current and future database in the managed instance. By selecting Log Analytics as the audit target, the logs are written directly to the existing workspace, allowing centralized analysis with other Azure Monitor data. Database-level auditing must be enabled separately for each database and would not automatically cover new databases. Advanced Threat Protection produces security alerts but does not create audit records. Diagnostic settings for SQL Insights export performance metrics, not detailed audit events.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Azure SQL Auditing?
How does enabling instance-level auditing differ from database-level auditing?
What is an Azure Monitor Log Analytics workspace used for?
Your company runs multiple Azure workloads and is deciding whether to enable Azure DDoS Protection Standard for a new subscription. You must deploy the service only if there is a clear business justification beyond the default Basic protection. In which of the following scenarios would enabling Azure DDoS Protection Standard be most appropriate?
Development and test virtual machines that occasionally expose Remote Desktop over a public IP
An internal line-of-business API that is reachable only through a Private Endpoint
A publicly accessible static website hosted in Azure Storage fronted by Azure Front Door Premium
An internet-facing payment processing application that requires an SLA-backed DDoS mitigation service and cost protection against scale-out during volumetric attacks
Answer Description
Azure DDoS Protection Standard is designed for internet-facing resources that could suffer large-scale network attacks and where rapid, SLA-backed mitigation, cost protection, and access to the DDoS Rapid Response team are valuable. A payment-processing web app exposed through public IP addresses matches these criteria. Development/test VMs, private-only endpoints, and workloads already fronted by a service such as Azure Front Door Premium either have lower risk or include their own edge-level protection, so purchasing the standalone DDoS Standard service is usually unnecessary.
You registered an Azure AD application named WebApp1 and created its service principal. A GitHub Actions workflow will use this service principal, authenticated by a client secret, to add and update secrets in a single Azure Key Vault. Following the principle of least privilege, which built-in Azure role and scope should you assign to the service principal?
Key Vault Administrator at the subscription scope
Contributor at the resource group scope
Key Vault Secrets Officer at the Key Vault scope
Key Vault Reader at the Key Vault scope
Answer Description
Key Vault Secrets Officer grants permission to list, get, set, and delete secrets within a specific vault but does not allow modification of access policies, keys, or the vault itself. Assigning the role at the Key Vault scope limits the service principal to exactly the resource it must manage. Key Vault Administrator or Contributor would allow broader management capabilities that are unnecessary for the pipeline, and Key Vault Reader cannot create or update secrets.
You manage an Azure virtual network with a subnet named ProdSubnet. A user-defined route forces 0.0.0.0/0 traffic through a network virtual appliance (NVA). Application VMs must reach an Azure SQL database with the lowest latency, and SQL traffic must stay on the Microsoft backbone, bypassing the NVA. All other outbound traffic must continue through the NVA. Which configuration change should you make on ProdSubnet?
Add a route to the ProdSubnet route table that directs the Azure SQL public IP prefix to the Internet next hop.
Associate a NAT gateway with ProdSubnet to provide direct outbound connectivity.
Enable a virtual network service endpoint for the Microsoft.Sql service on ProdSubnet.
Create a private endpoint for the Azure SQL database and remove the 0.0.0.0/0 user-defined route.
Answer Description
Enabling a virtual network service endpoint for the Microsoft.Sql service on ProdSubnet extends the subnet's identity to Azure SQL Database over the Azure backbone. Service-endpoint traffic ignores user-defined routes, so SQL packets bypass the 0.0.0.0/0 route to the NVA while all other outbound traffic still follows the existing route table. NAT gateway would override the UDR for all traffic, a private endpoint would not require removing the UDR, and adding a specific Internet route would send traffic over the public Internet rather than the backbone.
You are a security engineer for a subscription protected by Microsoft Defender for Cloud. The alert "Brute force attack against an Azure virtual machine" is triggered several times a day against test VMs. The traffic originates from your organization's approved penetration-testing IP range and should no longer raise alerts, but you must still detect the same attack from other sources. What should you do?
Mark the affected virtual machines as exempt items in Secure Score.
Disable the related recommendation in the subscription's Security policy.
Create an alert suppression rule in Microsoft Defender for Cloud that targets the alert type and specifies the penetration-testing IP range.
Configure an Azure Monitor alert rule with a filter that excludes the penetration-testing IP addresses.
Answer Description
Microsoft Defender for Cloud lets you create alert suppression rules that automatically dismiss specific alert types when they match defined conditions, such as particular source IP addresses. By creating a suppression rule scoped to the "Brute force attack against an Azure virtual machine" alert and listing the penetration-testing IP range as the matching entity, the alert will be silently dismissed only for that traffic. Disabling recommendations, excluding the VMs from secure score, or crafting separate Azure Monitor alert rules do not prevent Defender for Cloud from producing the original security alert for other sources.
You clone the built-in Contributor role to create a custom role. The new role should allow operators to start and stop Azure virtual machines but must prevent them from deleting any VM. According to the Azure role definition schema for custom roles, what is the correct way to block the delete permission?
Remove the "Microsoft.Compute/virtualMachines/delete" operation from the Actions property inherited from Contributor.
Add the "Microsoft.Compute/virtualMachines/delete" operation to the NotActions property of the role definition.
Add the "Microsoft.Compute/virtualMachines/write" operation to the NotDataActions property of the role definition.
Add the "Microsoft.Compute/virtualMachines/delete" operation to the DataActions property of the role definition.
Answer Description
In an Azure custom role, the Actions array grants permissions, while the NotActions array explicitly excludes operations that would otherwise be allowed. Cloning the Contributor role includes broad permissions such as Microsoft.Compute/virtualMachines/delete by default. To keep all Contributor capabilities except VM deletion, list Microsoft.Compute/virtualMachines/delete in the NotActions property. Removing the operation from Actions is ineffective because inherited wildcard entries (such as Microsoft.Compute/*) still grant it. DataActions and NotDataActions apply only to data-plane operations, so they do not affect management-plane actions like VM deletion. Therefore, placing Microsoft.Compute/virtualMachines/delete in NotActions is the correct approach.
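As an added illustration (not part of the practice test), the following custom role definition shows the pattern the answer describes: the cloned Contributor grant stays in Actions while Microsoft.Compute/virtualMachines/delete is listed in NotActions. The role name and the subscription ID in AssignableScopes are placeholders; the three Microsoft.Authorization entries are the exclusions the built-in Contributor role already carries, and Actions "*" is Contributor's wildcard grant, which is why simply omitting the delete operation from Actions would not block it.

```json
{
  "Name": "VM Operator (No Delete)",
  "IsCustom": true,
  "Description": "Cloned from Contributor. Operators can start, stop, restart and manage VMs but cannot delete them.",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Compute/virtualMachines/delete"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000"
  ]
}
```

Because NotActions only subtracts from this role's own Actions, a principal that also holds another role granting the delete operation can still delete VMs; check the user's effective permissions after assignment rather than relying on a single role's NotActions.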
You are securing an Azure SQL Database named SalesDB hosted on the logical server sqlprod01. You need to create Microsoft Entra ID contained database users in SalesDB and allow interactive sign-in with multifactor authentication. Before you can create the users, which prerequisite must be completed on sqlprod01?
Assign a Microsoft Entra administrator to the SQL server.
Add a server-level firewall rule that allows the public Internet.
Enable Azure AD-only authentication on the server.
Set the database containment option to PARTIAL.
Answer Description
Microsoft Entra (Azure AD) authentication cannot be enabled in a database until an Entra administrator has been assigned at the logical server or managed-instance level. The administrator account is used to establish the first token-based connection and to create or manage subsequent Entra principals inside the databases. Enabling Azure AD-only authentication is optional, because mixed (SQL and Entra) authentication is permitted. Database containment is already set to PARTIAL for every Azure SQL Database, so no additional work is required. Firewall rules control network access but have no bearing on the ability to create Entra principals.
Your team runs an Azure App Service web app that is bound to the custom domain contoso.com. Security policy requires that: 1) clients can connect only over TLS 1.2 or later, and 2) the certificate must renew automatically without additional cost or downtime. Which approach should you implement to satisfy both requirements?
Upload a third-party PFX certificate for the domain and enable HTTPS Only.
Migrate the app to an App Service Environment and bind a wildcard certificate purchased from Azure.
Store a third-party certificate in Azure Key Vault, reference it from the app, and set the Minimum TLS Version to 1.0.
Generate an App Service managed certificate for contoso.com and set the app's Minimum TLS Version to 1.2.
Answer Description
An App Service managed certificate is a free, domain-validated TLS certificate that App Service issues and renews automatically, so it meets the zero-cost and no-downtime renewal requirement. After creating the managed certificate and binding it to the custom domain, you can enforce the required protocol strength by setting the web app's Minimum TLS Version setting to 1.2. Uploading or referencing a third-party certificate incurs purchase costs and manual renewal, and an App Service Environment is unnecessary for these goals.
You are designing a new Azure Kubernetes Service (AKS) cluster for a confidential workload. Security requirements state that:
- The Kubernetes API server endpoint must not be reachable from the public Internet.
- Pods must be able to communicate with resources located in the same virtual network without network address translation (SNAT).
Which AKS deployment option satisfies both requirements?
Create an AKS private cluster that uses the Azure CNI network plugin.
Create an AKS public cluster that uses Kubenet networking and Azure Network Policies.
Create an AKS public cluster behind an Application Gateway Ingress Controller with a private frontend.
Create an AKS public cluster and restrict the API server using authorized IP address ranges.
Answer Description
A private AKS cluster places the API server behind a private endpoint in the node resource group's virtual network, removing any public-facing endpoint. When the cluster is configured with the Azure CNI network plugin, every pod receives an IP address from the virtual network subnet, allowing direct, routable communication to other resources in that subnet without requiring SNAT. Public clusters with authorized IP ranges still expose the API server over the Internet, Kubenet relies on source NAT for pod egress, and an Application Gateway Ingress Controller secures application ingress but does not hide the control-plane endpoint.
You manage security for hundreds of Windows and Linux Azure virtual machines across several production subscriptions. The security team must receive operating-system and software vulnerability findings, but they refuse to allow any new agents, extensions, or scripts to run inside the guest operating systems because of performance and change-control concerns. Which action should you take to satisfy the requirement?
Enable Microsoft Defender for Servers Plan 1 on all subscriptions and deploy the Log Analytics agent to every VM.
Use Defender for Cloud auto-provisioning to install the built-in Qualys vulnerability assessment extension on each VM.
Onboard every VM to Microsoft Defender for Endpoint by applying the onboarding script from the security center.
Enable Microsoft Defender for Servers Plan 2 on all subscriptions and turn on agentless vulnerability assessments for machines.
Answer Description
Agentless vulnerability assessments in Microsoft Defender for Cloud take snapshots of VM disks and use cloud APIs for out-of-band analysis, so no software is installed or executed inside the guest operating system. This capability is available when Microsoft Defender for Servers Plan 2 (which includes Microsoft Defender Vulnerability Management) is enabled. Defender for Servers Plan 1 can also produce vulnerability findings, but only through agent-based methods that install the Log Analytics agent or the Qualys/MDVM extension inside each VM, violating the stated constraint. Likewise, manually installing the Qualys extension or onboarding the machines to Microsoft Defender for Endpoint would place additional agents in the guest OS and therefore do not meet the requirement.
An Azure virtual network contains a Windows Server 2022 VM named VM1 that has no public IP. Administrators connect to VM1 through an Azure Bastion host in the same virtual network. You need to enable just-in-time (JIT) access so that VM1 remains reachable only via Bastion. Which JIT rule configuration should you apply?
Open TCP port 3389 for the Internet service tag.
Open TCP port 3389 for the VirtualNetwork service tag.
Open TCP port 22 for any source address.
Open TCP port 443 for the AzureBastionSubnet address range.
Answer Description
Azure Bastion connects to the target VM over its private network using the standard management port (TCP 3389 for Windows). The traffic originates from an address inside the same virtual network, which is represented in NSG and JIT rules by the VirtualNetwork service tag. Therefore, the JIT rule should open TCP port 3389 only for the VirtualNetwork tag. Allowing the Internet tag would expose the port publicly, opening port 443 would not let Bastion reach the VM, and opening port 22 targets SSH rather than RDP.
You manage an Azure Storage account in the hot access tier. Developers occasionally delete or overwrite blobs by mistake. You must allow authorized users to restore any blob to its previous state for up to 14 days after the delete or overwrite, without changing existing client code and while minimizing storage costs. Which feature should you enable on the storage account?
Enable blob versioning.
Configure immutable blob storage with time-based retention.
Add code to create blob snapshots before every update.
Enable soft delete for blobs.
Answer Description
Soft delete for blobs protects data from accidental deletes or overwrites by retaining a recoverable copy for a configurable period of 1-365 days. Because the feature operates entirely within the storage service, client applications need no modification. Blob versioning retains every version unless you add lifecycle rules, potentially increasing storage costs. Immutable storage prevents any updates during the retention window, which would block legitimate writes. Adding snapshot logic requires code changes, violating the requirement.
You assigned the built-in Azure Policy "Allowed locations" at the production subscription scope. After a merger, three resource groups must remain in an unsupported region for the next six months. You need to prevent those resource groups from being reported as non-compliant without removing or modifying the existing policy assignment. What should you configure?
Wrap the existing policy in an initiative definition and assign the initiative instead.
Create a policy exemption for each of the three resource groups.
Create a new policy assignment with the Allowed locations policy but set the effect to Disabled at the resource-group scope.
Add a role assignment granting the Policy Contributor role to each resource group.
Answer Description
A policy exemption is designed for temporary or permanent waivers when a resource cannot meet a policy requirement. When an exemption is applied to a specific scope, resources in that scope are excluded from compliance evaluation results, yet the original assignment and its auditing history remain intact and can be re-enabled at any time. Placing the policy inside an initiative does not exclude the resource groups; it only groups definitions. Granting the Policy Contributor role changes who can edit policies, not how they are evaluated. Creating a second assignment with the Disabled effect at a lower scope does not override a Deny assignment at a higher scope because Deny has higher precedence than Disabled.
Your organization operates several Azure Kubernetes Service (AKS) clusters. You must prevent developers from deploying containers that request host networking or run privileged containers. Violations must be denied at admission time and surfaced as policy compliance results in Microsoft Defender for Cloud. Which feature should you enable on each cluster?
Azure Policy add-on for Kubernetes in the AKS cluster
Only enable Microsoft Defender for Cloud at the subscription level
Azure Monitor Container Insights
Kubernetes Pod Security Admission enforcement
Answer Description
The Azure Policy add-on for AKS installs the Gatekeeper admission controller in the cluster. Gatekeeper evaluates every resource request against the Azure Policy assignments that target the cluster, can deny non-compliant manifests during admission, and reports compliance data back to Azure Policy and Defender for Cloud. Container Insights only collects metrics and logs. Upstream Pod Security Admission is not integrated with Azure Policy or Defender for Cloud, and enabling Defender for Cloud at the subscription level does not itself block non-compliant deployments inside the cluster.
You are an Azure Security Engineer for Contoso. A storage account named contosodata currently relies on Microsoft-managed keys for encryption at rest. Compliance now requires Bring your own key (BYOK) encryption that uses a key your organization generated on-premises and imported into Azure Key Vault. The key's URI is https://kv-prod.vault.azure.net/keys/ContosoKey. Before you can switch contosodata to customer-managed keys, which Key Vault configuration must you complete so that the storage service can successfully access the key?
Enable soft-delete for keys in the Key Vault.
Grant the storage service principal or managed identity Get, Wrap Key, and Unwrap Key permissions on the ContosoKey object.
Upload the same key as a secret in the Key Vault and reference the secret's URI instead of the key URI.
Configure the Key Vault firewall to allow access only through a private endpoint.
Answer Description
When Azure Storage is configured to use a customer-managed key, the storage service needs to call Azure Key Vault to wrap and unwrap data-encryption keys. The identity that represents the storage service (Microsoft Storage service principal or the storage account's managed identity) therefore needs Key Vault permissions. Specifically, the storage service must be able to:
- Read the current version of the key (Get)
- Wrap and unwrap data-encryption keys (Wrap Key and Unwrap Key)
Granting these three permissions (Get, Wrap Key, Unwrap Key) via an access policy or Azure RBAC role assignment is a required step before you can select the key for BYOK. Enabling soft-delete, uploading the key as a secret, or restricting the firewall are optional or unrelated to allowing Storage to use the key, so they do not satisfy the requirement.
You need to give Tier 1 support engineers the ability to view Microsoft Defender for Cloud recommendations and Azure AD Identity Protection risk events across all subscriptions, while ensuring they cannot change any security settings or other Azure resources. Which Azure built-in role should you assign to the support engineers at the subscription scope?
Security Reader
Security Admin
Reader
Global Reader
Answer Description
The Security Reader role grants read-only access to security-related information such as Microsoft Defender for Cloud recommendations, secure score, and Azure AD Identity Protection data. It does not permit any configuration changes. The Reader role can view most Azure resources but lacks permissions for many Microsoft.Security actions, so it may not display all security findings. Security Admin includes write permissions to security settings, which is more access than required. Global Reader is an Azure AD role that provides directory-wide read-only access but does not extend to Defender for Cloud data at the subscription level.
You need to create an alert rule that notifies the security team whenever a container in an Azure Container Instance (ACI) is stopped because it exceeds the memory limit defined in its YAML template. You will stream diagnostic data from the container group to an existing Log Analytics workspace and then query that data for alerting. Which diagnostic log category must you enable on the container group so the required stop-event information is available in the workspace?
ContainerSystemLogs
ContainerInstanceEvents
ContainerInstanceLogs
ContainerGroupInsights
Answer Description
Container lifecycle and resource-limit violations (for example, a container being killed because it ran out of memory) are surfaced as Kubernetes-style events in the ContainerInstanceEvents diagnostic log category. Streaming this category to Log Analytics lets you query for events whose reason equals "OutOfMemory" (or similar) and build an alert. Console output is captured by ContainerInstanceLogs, and there are no categories named ContainerGroupInsights or ContainerSystemLogs for Azure Container Instances.
Your company has a resource group named RG1 that contains only virtual machines plus their disks and network interfaces. You need to allow a developer named dev1 to start, stop, create, and delete virtual machines within RG1. dev1 must not grant permissions to others or manage any non-VM resources. Following the principle of least privilege, which Azure built-in role should you assign to dev1 on RG1?
User Access Administrator
Contributor
Owner
Virtual Machine Contributor
Answer Description
Virtual Machine Contributor grants rights to create, start, stop, restart, and delete virtual machines and the resources required for them, but it does not permit managing role assignments. Because it is scoped to virtual-machine resources only, it satisfies the least-privilege requirement. Contributor would permit dev1 to manage every resource type in RG1, which is broader than necessary. Owner includes full access plus the ability to delegate permissions, violating the restriction on access management. User Access Administrator can manage role assignments but cannot perform VM operations. Therefore, Virtual Machine Contributor is the correct role.
Your virtual network has a Spoke-App subnet with a route table that contains one user-defined route (0.0.0.0/0 → virtual appliance 10.10.100.4). Virtual network gateway route propagation is disabled on the table. A site-to-site VPN gateway advertises 172.16.0.0/16 to Azure by BGP. After the route table is applied, Spoke-App can no longer reach 172.16.0.0/16. You must restore that connectivity without changing the default egress through the firewall. What should you do?
Enable virtual network gateway route propagation for the route table.
Add a route for 172.16.0.0/16 with next hop type Virtual appliance and next hop IP 10.10.100.4.
Remove the 0.0.0.0/0 route and rely on system routes.
Change the next hop type of the 0.0.0.0/0 route to Virtual network gateway.
Answer Description
Because virtual network gateway route propagation is disabled, the BGP-learned prefix 172.16.0.0/16 is not added to the subnet's effective routes. The only matching entry is the user-defined default route, so traffic is sent to the firewall and then dropped. Re-enabling gateway route propagation adds the more specific 172.16.0.0/16 route (next hop Virtual network gateway). Longest-prefix match then directs traffic for 172.16.0.0/16 through the VPN gateway, while all other traffic continues to follow the 0.0.0.0/0 default route through the firewall. The other options either still forward the on-premises traffic to the firewall or remove the desired forced-tunnelling behaviour.
You manage a three-tier solution in a single Azure virtual network. Ten VMs in the app subnet must reach ten VMs in the db subnet over TCP 1433. One NSG is associated with both subnets, and VM NICs receive new private IPs whenever the solution scales. You need the fewest, maintenance-free NSG rules that allow only the application tier to initiate the SQL traffic. What should you do?
Create two Application Security Groups, add the application VMs to one and the database VMs to the other, and add a single NSG rule that allows TCP 1433 from the application ASG to the database ASG.
Create an NSG rule that allows TCP 1433 from the current private IP addresses of the application VMs to the database subnet.
Enable a Microsoft.Sql service endpoint on the app subnet and delete all existing NSG rules that block port 1433.
Deploy Azure Firewall, force-tunnel all subnet traffic through it, and create a firewall rule that permits TCP 1433 from the app subnet to the db subnet.
Answer Description
Application Security Groups (ASGs) let you group NICs logically and reference those groups as the source and destination in a single NSG rule. Because membership is evaluated by NIC association at runtime, rules do not change when VMs scale or receive new IP addresses. Creating one ASG for the application VMs and another for the database VMs, then adding a single NSG rule that allows TCP 1433 from the application ASG to the database ASG, meets the requirement with minimal ongoing maintenance. The other options rely on static IP addresses, grant overly broad access, or add unnecessary infrastructure.