Microsoft Azure Security Engineer Associate Practice Test (AZ-500)

Microsoft Azure Security Engineer Associate AZ-500 Information
About the Microsoft Azure Security Engineer Associate (AZ-500) Exam
The Microsoft Azure Security Engineer Associate certification, achieved by passing the AZ-500 exam, is a critical credential for professionals dedicated to securing Azure environments. This exam is designed for individuals who implement, manage, and monitor security for resources in Azure, as well as in multi-cloud and hybrid environments. Candidates are expected to have practical experience with the administration of Microsoft Azure and a solid understanding of security principles. The exam validates a candidate's expertise in managing identity and access, implementing platform protection, managing security operations, and securing data and applications. With 95% of Fortune 500 companies utilizing Azure, professionals with validated security skills are in high demand.
Key Domains and Skills Measured
The AZ-500 exam typically consists of 40–60 questions and requires a score of 700 out of 1,000 to pass. The questions, which can include multiple-choice, case studies, and scenario-based formats, are divided into four main domains. These domains include securing identity and access (15–20%), securing networking (20–25%), securing compute, storage, and databases (20–25%), and managing security with Microsoft Defender for Cloud and Microsoft Sentinel (30–35%). This structure ensures that certified professionals are proficient in a wide range of security tasks, from configuring Azure Active Directory for secure access to using advanced tools like Microsoft Sentinel for threat detection and response.
The Value of Practice Exams in Preparation
A crucial component of a successful study plan for the AZ-500 exam is the use of practice exams. These tools are invaluable for several reasons. Firstly, they provide a realistic simulation of the actual exam environment, helping to reduce anxiety and build confidence by familiarizing candidates with the question formats and time constraints. Secondly, practice tests are an excellent way to identify knowledge gaps. By reviewing incorrect answers and the provided explanations, you can pinpoint specific areas that require further study and focus your learning efforts more effectively. Finally, consistently taking practice exams helps in tracking progress over time, offering motivation as scores improve and ensuring a deep, practical understanding of Azure security technologies rather than mere memorization of facts. Microsoft even offers a free practice assessment on its official certification page to help candidates gauge their readiness.

Free Microsoft Azure Security Engineer Associate AZ-500 Practice Test
You are exposing a custom multi-tenant web API through an Azure app registration. While defining the Finance.Read permission, you must ensure that:
- Only tenant administrators can grant consent for the permission.
- The permission can be granted to signed-in users, not to background daemon apps.
Which combination of settings meets these requirements when you create the Finance.Read scope?
Permission type: Delegated; Who can consent: Administrators only
Permission type: Application; Who can consent: Administrators only
Permission type: Delegated; Who can consent: Administrators and users
Permission type: Application; Who can consent: Administrators and users
Answer Description
Finance.Read must be a delegated permission so it is presented only when a user is involved in the authorization flow; application permissions are intended for daemon or service scenarios without user context. Setting Who can consent to Administrators only ensures that only tenant admins can approve the permission for users or service principals, preventing end users from self-consenting. Choosing Application would make the permission available to daemon apps, contradicting the requirement, and allowing Users consent would let non-admin users approve the permission, which is also disallowed.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the difference between delegated and application permissions in Azure app registration?
Why would you restrict consent to Administrators only in Azure app registrations?
What are daemon apps and why are they incompatible with delegated permissions?
Your company hosts several production workloads in Azure Container Instances (ACI). The security team wants to analyze container start or stop events and console output in a central Log Analytics workspace to detect suspicious activity. You must configure the environment so that both existing and future container groups automatically stream these logs, without modifying any container images. Which action should you take?
Enable Azure Monitor for containers (Container Insights) for the subscription that hosts the container groups.
Create an Azure Policy assignment that deploys a diagnostic setting on container groups to send the ContainerInstanceConsoleLogs and ContainerInstanceEvents categories to the Log Analytics workspace.
Install the Azure Monitor agent inside each container image and configure data collection rules to send logs to the workspace.
Enable the Microsoft Defender for Containers plan in the subscription to onboard the container groups.
Answer Description
Azure Container Instances exposes the ContainerInstanceConsoleLogs and ContainerInstanceEvents diagnostic categories. A diagnostic setting that targets a Log Analytics workspace streams those records, making them queryable with Kusto and suitable for alert rules. A built-in Azure Policy can deploy the required diagnostic setting at scale, ensuring that new and existing container groups are configured automatically. Azure Monitor for containers is limited to Kubernetes clusters, installing the Azure Monitor agent inside every container is unsupported for ACI, and enabling Microsoft Defender for Containers does not configure log collection for ACI diagnostic categories.
You have two Azure virtual networks, VNet1 and VNet2. VNet1 contains a VPN gateway that connects to your on-premises datacenter. You create a peering between VNet1 and VNet2. You must allow on-premises traffic to reach resources in VNet2 through the existing gateway in VNet1 without deploying another gateway. Which peering setting should you enable on the VNet2 side of the peering?
Use remote gateways
Allow gateway transit
Allow virtual network access
Allow forwarded traffic
Answer Description
To use the VPN gateway that exists in a peered virtual network, you configure gateway transit. On the virtual network that owns the gateway (VNet1), you enable Allow gateway transit. On the peered virtual network that needs to route through that gateway (VNet2), you must enable Use remote gateways. The other options (Allow virtual network access, Allow forwarded traffic, and Allow gateway transit) either provide basic connectivity or are applied to the hub network, not to the spoke that consumes the gateway.
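The two sides of the peering, as an added Azure PowerShell example that is not part of the practice test. It assumes both virtual networks live in a resource group named rg-net; the peering names and the resource group are placeholders. The spoke side also sets Allow forwarded traffic so that packets arriving through the hub's gateway are accepted, which the question does not ask about but a working hub-and-spoke needs.

```powershell
# Added example (not from the practice test). Assumed names: resource group "rg-net",
# VNet1 owns the VPN gateway (hub), VNet2 is the spoke that must reach on-premises.
$vnet1 = Get-AzVirtualNetwork -ResourceGroupName "rg-net" -Name "VNet1"
$vnet2 = Get-AzVirtualNetwork -ResourceGroupName "rg-net" -Name "VNet2"

# Hub side: the network that owns the gateway offers it to its peer.
Add-AzVirtualNetworkPeering -Name "VNet1-to-VNet2" -VirtualNetwork $vnet1 `
    -RemoteVirtualNetworkId $vnet2.Id -AllowGatewayTransit

# Spoke side: the network without a gateway consumes the hub's gateway.
# -AllowForwardedTraffic accepts traffic that did not originate in VNet1 itself
# (i.e. on-premises traffic forwarded through the gateway).
Add-AzVirtualNetworkPeering -Name "VNet2-to-VNet1" -VirtualNetwork $vnet2 `
    -RemoteVirtualNetworkId $vnet1.Id -UseRemoteGateways -AllowForwardedTraffic

# Check: the spoke peering should show UseRemoteGateways = True and PeeringState = Connected.
Get-AzVirtualNetworkPeering -ResourceGroupName "rg-net" -VirtualNetworkName "VNet2" -Name "VNet2-to-VNet1" |
    Select-Object PeeringState, UseRemoteGateways, AllowGatewayTransit, AllowForwardedTraffic
```

A virtual network can use only one remote gateway, and Use remote gateways cannot be enabled on a network that has its own gateway, so the setting is always on the spoke.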
A third-party multi-tenant SaaS application (service principal) is listed under Enterprise applications in Microsoft Entra ID. The app requests the Microsoft Graph delegated permission User.ReadBasic.All. To prevent users from seeing a consent prompt while still limiting the permission scope to only this delegated permission, you must pre-authorize the permission for all current and future users in the tenant. Which action should you take?
Assign the User.ReadBasic.All app role to a security group using Azure role-based access control (RBAC).
Enable the admin consent workflow so each user can request approval for the permission when they sign in.
In Enterprise applications, open the application, select Permissions, and choose Grant admin consent for the tenant.
In App registrations, add the User.ReadBasic.All permission to the manifest and set the requiredResourceAccess entry to Admin consent required.
Answer Description
Using Enterprise applications is recommended when you need to grant tenant-wide consent to an already-provisioned service principal. Selecting Grant admin consent approves the listed delegated and application permissions on behalf of every user and service in the directory. After the grant is completed, users are no longer prompted and the app receives the access token containing only the approved scope. Editing requiredResourceAccess in the app registration does not create the pre-authorization; it still requires an admin to grant consent later. Enabling the admin consent workflow simply inserts an approval process for individual users, so a prompt would still appear. Azure RBAC app-role assignments control who can sign in to the application but do not satisfy OAuth consent. Therefore, granting admin consent in Enterprise applications is the correct action.
You must require multi-factor authentication (MFA) whenever any user signs in to the Azure portal, Azure PowerShell, or the Azure CLI, while leaving access to Microsoft 365 apps unchanged. You decide to create a Conditional Access policy that applies to all users. Which cloud app selection should you configure in the policy to meet the requirement?
Microsoft Azure Management
All cloud apps
Azure Resource Manager API
Office 365
Answer Description
The built-in cloud app named Microsoft Azure Management represents Azure Resource Manager, the Azure portal, Azure PowerShell, Azure CLI, and other management endpoints. Targeting this single cloud app lets you enforce MFA for management plane access only, without affecting sign-ins to Microsoft 365 workloads. Selecting All cloud apps would also cover Microsoft 365. The Office 365 app scope would not include Azure management endpoints, and there is no built-in cloud app called Azure Resource Manager API that applies broadly to the portal, PowerShell, and CLI.
Your organization is developing a web API that is registered in Microsoft Entra ID. Security policy states that ordinary users must be prevented from granting the API any permissions themselves; only a tenant administrator can approve access. Within the API's app registration, which change will enforce this policy for every new permission scope you expose?
Mark each delegated permission scope as Admin consent required under Expose an API.
Assign a system-assigned managed identity to the app registration.
Switch the app registration from multitenant to single-tenant access only.
Enable the User assignment required property on the enterprise application that represents the API.
Answer Description
When you define or edit a delegated permission scope for a custom API under Expose an API, select the option Admin consent required. This sets the scope's type property to "Admin" (Who can consent: Admins only). Once configured, regular users can no longer grant the permission; a tenant administrator with the appropriate role must provide consent on behalf of the organization. Settings such as User assignment required, single-tenant versus multitenant configuration, or managed identity assignments do not influence whether users can self-consent to API permissions.
You manage an Azure SQL Database that has a dynamic data masking rule applied to the Salary column of the dbo.Employees table. Members of the Analytics database role must run ad-hoc read-only queries that display the real Salary values, but they must not be able to modify data, alter the table schema, or change masking policies. Following the principle of least privilege, which single permission should you grant to the Analytics role?
Grant the UNMASK permission on OBJECT::dbo.Employees to the Analytics role.
Grant the ALTER ANY MASK permission on the database to the Analytics role.
Grant the CONTROL permission on dbo.Employees to the Analytics role.
Grant the UNMASK permission on the database to the Analytics role.
Answer Description
Granting the UNMASK permission on the dbo.Employees table lets the Analytics role bypass masking only for that specific table, exposing the true Salary values while conferring no data-modification or schema-alteration rights. Granting UNMASK at the database scope would reveal unmasked data in every masked column across the database, which is broader than required. ALTER ANY MASK would allow users to create, alter, or drop masking rules, and CONTROL on the table would provide full DDL and DML access; both exceed least privilege.
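The grant and a permission check, as an added Azure PowerShell example (not from the practice test) that runs T-SQL through Invoke-Sqlcmd from the SqlServer module. The server name sql-contoso, the database name hrdb and the use of an Entra ID access token for the connection are assumptions; the role name Analytics and the table dbo.Employees come from the question.

```powershell
# Added example (not from the practice test). Assumed: logical server "sql-contoso",
# database "hrdb", caller signed in with Connect-AzAccount and holding GRANT rights.
$token = (Get-AzAccessToken -ResourceUrl "https://database.windows.net/").Token

$tsql = @"
-- Least-privilege grant: UNMASK on this one object only, nothing at database scope.
GRANT UNMASK ON OBJECT::dbo.Employees TO Analytics;

-- Check: list every permission the role holds. The expected result is a single row
-- with permission_name = UNMASK, class_desc = OBJECT_OR_COLUMN, object_name = Employees.
SELECT pr.name AS principal_name,
       pe.permission_name,
       pe.class_desc,
       OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = N'Analytics';
"@

Invoke-Sqlcmd -ServerInstance "sql-contoso.database.windows.net" -Database "hrdb" `
    -AccessToken $token -Query $tsql
```

If the check returns extra rows (for example UNMASK with class_desc = DATABASE, or ALTER ANY MASK), the role was granted more than the question allows and those grants should be revoked.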
You are creating a custom Azure role that security analysts will use when responding to incidents. The role must let them read the diagnostic settings for any Azure resource but must not allow them to change those settings or perform other configuration tasks. Which action should you include in the role definition to meet the requirement?
Microsoft.Insights/diagnosticSettings/delete
Microsoft.Insights/diagnosticSettings/read
Microsoft.Insights/diagnosticSettings/write
Microsoft.Resources/deployments/read
Answer Description
The action Microsoft.Insights/diagnosticSettings/read grants read-only access to existing diagnostic settings, letting users see which logs and metrics are collected and where they are sent. It does not permit creating, updating, or deleting diagnostic settings.
The write and delete variants would allow modifications, violating the requirement. Microsoft.Resources/deployments/read is unrelated to diagnostic settings and therefore does not satisfy the requirement.
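One way to build the custom role, as an added Azure PowerShell example that is not part of the practice test. It clones the built-in Reader definition as a template, replaces its actions with the single read action from the answer, and then checks that no write or delete action slipped into the definition. The role name, description and the subscription id placeholder are assumptions.

```powershell
# Added example (not from the practice test). Assumed: subscription id placeholder,
# role name "Diagnostic Settings Reader".
$subscriptionId = "<subscription-id>"

# Start from a built-in definition so the object has the right shape, then reset it.
$role = Get-AzRoleDefinition -Name "Reader"
$role.Id = $null
$role.IsCustom = $true
$role.Name = "Diagnostic Settings Reader"
$role.Description = "Read diagnostic settings on any resource; no write or delete."

$role.Actions.Clear()
$role.Actions.Add("Microsoft.Insights/diagnosticSettings/read")
$role.NotActions.Clear()
$role.DataActions.Clear()
$role.NotDataActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

New-AzRoleDefinition -Role $role

# Check: fail loudly if any action in the created role ends in /write or /delete,
# or uses a wildcard that would implicitly include them.
$created = Get-AzRoleDefinition -Name "Diagnostic Settings Reader"
$tooBroad = $created.Actions | Where-Object { $_ -match '/(write|delete)$' -or $_ -like '*`**' }
if ($tooBroad) { Write-Warning "Role grants more than read: $($tooBroad -join ', ')" }
```

Analysts who need to see the settings of a given resource also need read access to the resource itself (for example through the built-in Reader role), so this custom role is normally assigned alongside Reader rather than on its own.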
Your company hosts 200 Azure SQL Databases in the same logical server, and additional databases are created weekly by an automation pipeline. The security team mandates that every database emit audit logs without any action from database administrators. Which action meets the requirement with the least administrative effort?
Enable Azure Monitor diagnostic settings for each database as they are created.
Deploy a SQL Server Audit object in each user database by using a T-SQL script.
Enable database auditing only in the master database.
Enable Azure SQL auditing at the server level for the logical server and send the logs to an Azure Storage account.
Answer Description
Enabling Azure SQL auditing at the server level automatically applies to every existing database on the logical server and to any database created in the future, so no additional configuration is needed. Auditing the master database alone does not cascade to user databases. Configuring Azure Monitor diagnostic settings or deploying SQL Server Audit objects per database would have to be repeated each time a new database is created, increasing administrative overhead. Therefore, server-level auditing is the correct and most efficient choice.
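Server-level auditing to a storage account, as an added Azure PowerShell example that is not part of the practice test. The resource group rg-data, the logical server sql-contoso, the storage account stcontosoaudit and the 90-day retention are assumptions.

```powershell
# Added example (not from the practice test). Assumed: resource group "rg-data",
# logical server "sql-contoso", audit storage account "stcontosoaudit".
$storageId = (Get-AzStorageAccount -ResourceGroupName "rg-data" -Name "stcontosoaudit").Id

# One server-level policy covers every existing database and every database created later.
Set-AzSqlServerAudit -ResourceGroupName "rg-data" -ServerName "sql-contoso" `
    -BlobStorageTargetState Enabled -StorageAccountResourceId $storageId -RetentionInDays 90

# Check 1: the server policy is enabled.
Get-AzSqlServerAudit -ResourceGroupName "rg-data" -ServerName "sql-contoso" |
    Select-Object BlobStorageTargetState, StorageAccountResourceId, RetentionInDays

# Check 2: databases created after this point need no per-database policy.
# A database-level query shows its own (typically Disabled) state; the server policy
# still applies to it, so a Disabled value here is not a gap.
Get-AzSqlDatabaseAudit -ResourceGroupName "rg-data" -ServerName "sql-contoso" -DatabaseName "db-new" |
    Select-Object DatabaseName, BlobStorageTargetState
```

If a database also has its own policy, both policies write audit records, so leaving database-level auditing disabled avoids duplicate logs once the server policy is in place.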
You are designing access for an Azure Virtual Machine Scale Set and an Azure App Service web app that are deployed in the same tenant. Both workloads must retrieve secrets from the same Azure Key Vault. Management wants to minimize the number of role assignments and ensure the identity persists even if either workload is redeployed. Which managed identity approach should you recommend?
Enable a system-assigned managed identity on the scale set and share it with the web app.
Create a separate user-assigned managed identity for each resource and grant each identity access to the Key Vault.
Register a new application in Microsoft Entra ID, generate a client secret, and store the secret in each workload's configuration settings.
Create a single user-assigned managed identity, assign it to both resources, and grant it access to the Key Vault.
Answer Description
A user-assigned managed identity is created as an independent Azure resource. Because its lifecycle is not tied to any single workload, the identity continues to exist if the scale set or the web app is deleted or redeployed. The same user-assigned identity can be attached to multiple Azure resources, allowing you to grant Key Vault access once and reuse the assignment. A system-assigned identity cannot be shared and is removed with its parent resource, and using separate identities or client secrets would increase the number of role assignments and management overhead.
You manage an existing route-based VPN gateway that uses the VpnGw2 SKU and currently provides a site-to-site connection to your on-premises datacenter. The security team asks you to add point-to-site (P2S) remote access so that users authenticate with Azure Active Directory and perform multifactor authentication (MFA). In addition, the SSTP tunneling protocol must not be allowed. Which action should you perform on the VPN gateway to meet these requirements?
Replace the route-based gateway with a policy-based VPN gateway and enable IKEv1 for P2S connections.
Configure Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) with user certificates and enforce MFA through Conditional Access.
Downgrade the gateway to the Basic SKU and configure RADIUS authentication for P2S users.
Enable the OpenVPN protocol on the existing VpnGw2 gateway and configure Azure AD as the P2S authentication method.
Answer Description
Azure AD-based authentication for point-to-site VPN connections in Azure is only supported when the OpenVPN tunneling protocol is enabled on a route-based VPN gateway that uses a VpnGw1 or higher SKU. OpenVPN supports Azure AD tokens and allows Conditional Access policies such as MFA. SSTP is not compatible with Azure AD authentication, and certificate (EAP-TLS) or RADIUS methods do not satisfy the requirement of Azure AD-based MFA without additional infrastructure. A policy-based gateway cannot be used for OpenVPN or Azure AD authentication.
Your company is deploying Azure Front Door Standard/Premium in front of an Azure App Service that already listens on HTTPS. A compliance audit requires that every hop is encrypted: traffic from clients to Front Door and from Front Door to the App Service must use TLS, and no clear-text HTTP must be permitted. Which Front Door configuration meets the requirement without changing the application code?
Enable the built-in HTTP-to-HTTPS redirection feature in the App Service.
Enable HTTPS on the front-end endpoint and set the origin protocol policy for the App Service origin to HTTPS only.
Configure a Private Link origin connection for the App Service backend.
Attach a Web Application Firewall policy that allows only HTTPS traffic.
Answer Description
Enabling HTTPS on the front-end endpoint provides TLS encryption between clients and Azure Front Door. Setting the origin protocol policy of the App Service origin to HTTPS only forces Front Door to use TLS when it forwards requests to the backend, preventing any fallback to HTTP. A WAF policy can block or allow requests but does not control the protocol used between Front Door and its origin. Configuring HTTP-to-HTTPS redirection in App Service protects only direct traffic to the site and does not stop Front Door from using HTTP. Using Private Link changes the network path but still allows either HTTP or HTTPS, so it does not by itself guarantee encryption on the second hop.
You manage an Azure Application Gateway deployed on the v1 SKU. The gateway terminates TLS by using a PFX certificate that you uploaded manually. New security policy mandates that certificates must be stored in Azure Key Vault and rotated automatically, while keeping administrative overhead to a minimum. What should you do first to meet the new requirement?
Migrate the Application Gateway to the v2 SKU and assign it a managed identity.
Enable the Auto-Rotation setting on the certificate object within the current Application Gateway.
Create an Azure Automation runbook that uploads the certificate to the gateway whenever the Key Vault secret is updated.
Import the current TLS certificate into Azure Key Vault and reference its secret identifier from the existing listener.
Answer Description
Automatic certificate rotation from Azure Key Vault is supported only by Application Gateway instances that run on the v2 SKU. Integrating Key Vault requires the gateway to have a managed identity that is granted secret-level access to the vault. A v1 gateway cannot be linked directly to Key Vault, so the initial step is to migrate or redeploy the gateway to the v2 SKU and assign it a managed identity. Importing the certificate into Key Vault, configuring runbooks, or trying to enable rotation on a v1 gateway will not satisfy the requirement because v1 does not support native Key Vault integration.
You need to grant a group of on-premises developers temporary read and write access to a specific Azure Blob Storage container. You must avoid exposing the storage account access key and be able to revoke the developers' access without rotating the account keys. What should you use?
Generate a service SAS for the container by using the storage account access key.
Distribute the storage account access key to the developers and configure Shared Key authentication stored in Azure Key Vault.
Generate a shared access signature (SAS) that is signed with a user-delegation key.
Enable public anonymous access for the container and share its URL.
Answer Description
Create a shared access signature (SAS) that is signed with a user-delegation key. The user-delegation key is obtained through Microsoft Entra ID authentication by whoever creates the SAS, so the storage account access key never leaves Azure. If the SAS is later compromised or no longer needed, you can immediately invalidate it by calling the Revoke User Delegation Keys operation (or the corresponding CLI/PowerShell command), which cancels all user-delegation keys issued before the revocation time. A service SAS relies on the account key, public anonymous access removes all authentication, and distributing the account key grants full account permissions and is hard to revoke granularly.
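Issuing and revoking a user-delegation SAS, as an added Azure PowerShell example that is not part of the practice test. The storage account stcontosodev, the container builds, the resource group rg-storage and the eight-hour lifetime are assumptions. The -UseConnectedAccount switch makes the context authenticate with the signed-in Entra ID identity, which is what causes the SAS to be signed with a user-delegation key instead of the account key.

```powershell
# Added example (not from the practice test). Assumed: storage account "stcontosodev",
# container "builds", resource group "rg-storage"; caller signed in via Connect-AzAccount
# and holding the Storage Blob Delegator role (needed to obtain a user-delegation key).
$ctx = New-AzStorageContext -StorageAccountName "stcontosodev" -UseConnectedAccount

# Read + write on one container, short lifetime. No account key is used or exposed.
$sas = New-AzStorageContainerSASToken -Name "builds" -Permission "rw" `
    -StartTime (Get-Date) -ExpiryTime (Get-Date).AddHours(8) -Context $ctx

# Hand this token (appended to https://stcontosodev.blob.core.windows.net/builds) to the developers.
$sas

# Check: a user-delegation SAS carries the signed key identifiers (skoid, sktid, ske)
# that an account-key SAS never has.
if ($sas -notmatch 'skoid=') { Write-Warning "Token is not a user-delegation SAS" }

# Revoke early: cancels every user-delegation key for the account, which invalidates
# all SAS tokens signed with them. The account keys are untouched.
Revoke-AzStorageAccountUserDelegationKeys -ResourceGroupName "rg-storage" -StorageAccountName "stcontosodev"
```

A user-delegation SAS cannot grant more than the creating identity's own RBAC permissions on the container, so the account used here must itself hold a data role such as Storage Blob Data Contributor on that scope.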
You administer an Azure Container Registry (ACR) named contosoacr that holds several image repositories, including one named dev. An on-premises build server must be able to pull images from the dev repository only and must not be able to list or access any other repositories in the registry. You also want to issue short-lived credentials that are independent of Azure Active Directory. What should you do?
Assign the built-in Azure role AcrPull to the build server's service principal at the registry scope.
Create a scope map that grants content/read on the dev repository, generate an ACR token associated with the scope map, and supply the token's password to the build server.
Enable the admin user for contosoacr and share the admin username and password with the build server.
Enable anonymous pull on contosoacr and use an Azure Storage firewall rule to restrict access to the dev repository path.
Answer Description
ACR tokens let you create repository-scoped, non-Azure-AD credentials. By first defining a scope map that grants only the content/read (pull) action on the dev repository and then creating a token linked to that scope map, you obtain a username/password pair that is limited to that repository. The credentials can be regenerated or revoked at any time, providing the desired short-lived access. Assigning the AcrPull role at registry scope or enabling the admin user would grant access to every repository. Anonymous pull cannot be restricted to a single repository and does not meet the security goal.
You manage an Azure subscription that already has Microsoft Defender for Servers Plan 1 enabled. The security team asks you to assess operating-system vulnerabilities and detect malicious files on 200 existing Azure virtual machines without deploying or maintaining any additional agents on those machines. You must minimize administrative overhead while meeting the requirement. Which action should you perform?
Deploy the built-in Qualys vulnerability assessment extension to all virtual machines.
Upgrade the subscription to Microsoft Defender for Servers Plan 2 and turn on Agentless scanning for machines in Microsoft Defender for Cloud.
Enable Microsoft Defender Vulnerability Management preview for the subscription.
Install the Log Analytics agent on each virtual machine and keep using the SecurityCenterFree pricing tier.
Answer Description
Agentless scanning for Azure virtual machines is provided only with Microsoft Defender for Servers Plan 2. After upgrading the subscription to Plan 2, you enable the Agentless scanning for machines setting under Environment settings in Microsoft Defender for Cloud. Vulnerability assessment and malware detection are then performed from storage-based snapshots, so no Qualys, Log Analytics, or Microsoft Defender agents are required or deployed. The other options continue to rely on agents (Qualys extension, Microsoft Defender Vulnerability Management via the MDE sensor, or the Log Analytics agent) and therefore do not meet the requirement.
You registered an ASP.NET Core web API named ContosoApi in Microsoft Entra ID. Background services in other Azure AD tenants will call the API by using the OAuth 2.0 client-credentials flow. Each consuming tenant's administrator must grant consent, and the API must not expose any delegated permissions.
In the Azure portal, which change should you make to the ContosoApi app registration to satisfy these requirements?
Add a delegated permission scope and set "User consent enabled" to Yes.
Change Supported account types to "Accounts in this organizational directory only".
Add an application role that has Allowed member type set to "Application" and admin consent required enabled.
Enable the "Allow public client flows" option in Authentication settings.
Answer Description
Background services that call an API without a signed-in user need an application permission usable with the client-credentials flow. In an app registration, such a permission is created by defining an application role whose Allowed member type is set to Application. Application permissions always require admin consent, ensuring administrators in external tenants must approve access before tokens can be issued. Delegated scopes, public-client settings, or single-tenant configurations would not meet the stated requirements.
Your company stores secrets in an Azure Key Vault that currently allows traffic only from selected networks. An Azure Function app is deployed in a dedicated App Service plan and is integrated with the subnet AppSubnet in VNet CorpNet. You must permit the function app to retrieve secrets while keeping all other Azure services blocked. What should you configure on the Key Vault?
Turn on the Allow trusted Microsoft services to bypass the firewall setting.
Enable a service endpoint for Microsoft.KeyVault on AppSubnet and add AppSubnet as a virtual network rule.
Set Public network access to Enabled and configure the function app to use its system-assigned managed identity.
Add the function app's outbound IP addresses as firewall IP address rules.
Answer Description
The most restrictive option is to grant access only to the subnet that hosts the function app. First, enable the Microsoft.KeyVault virtual network service endpoint on AppSubnet, then add that subnet to the Key Vault's virtual network rules. Traffic from resources in the subnet is routed to the vault over the Azure backbone, and all other sources, including other Microsoft services, remain blocked.
Allowing trusted Microsoft services would open access for many Azure platform services you do not use. Relying on the function app's outbound IP addresses is fragile because those addresses can change, and an IP rule would also admit any other service that shares the same public IP range. Enabling public network access defeats the requirement to block other Azure services, even if a managed identity is used.
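As an added example (not part of the practice test), the service endpoint and virtual network rule configured with the Az PowerShell module, with the vault locked to a default Deny and no trusted-service bypass; the resource group and vault names are constructed:

```powershell
# Added example, not the practice test's own material. Assumes the Az PowerShell
# module (Az.Network, Az.KeyVault). "rg-corp" and "kv-contoso-secrets" are constructed names.
$rg    = "rg-corp"
$vault = "kv-contoso-secrets"

# 1. Enable the Microsoft.KeyVault service endpoint on AppSubnet in CorpNet.
#    The existing address prefix and delegation are passed back so the
#    Microsoft.Web/serverFarms delegation used by VNet integration is kept.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "CorpNet"
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "AppSubnet"
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "AppSubnet" `
    -AddressPrefix $subnet.AddressPrefix `
    -Delegation $subnet.Delegations `
    -ServiceEndpoint "Microsoft.KeyVault" | Out-Null
$vnet     = $vnet | Set-AzVirtualNetwork
$subnetId = (Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "AppSubnet").Id

# 2. Add AppSubnet as a virtual network rule on the vault
Add-AzKeyVaultNetworkRule -VaultName $vault -ResourceGroupName $rg -VirtualNetworkResourceId $subnetId

# 3. Keep everything else blocked: deny by default and do not let trusted
#    Microsoft services bypass the firewall
Update-AzKeyVaultNetworkRuleSet -VaultName $vault -ResourceGroupName $rg -DefaultAction Deny -Bypass None

# Check: the only allowed path should be AppSubnet, with no IP rules and no bypass
$acls = (Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg).NetworkAcls
[pscustomobject]@{
    DefaultAction = $acls.DefaultAction
    Bypass        = $acls.Bypass
    VnetRules     = $acls.VirtualNetworkResourceIds -join ", "
    IpRules       = $acls.IpAddressRanges -join ", "
}
```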
You have an Azure Storage account named contososa and create a private endpoint for it in VNET1. Virtual machines in VNET1 resolve contososa.blob.core.windows.net to the private IP, but on-premises servers connected through a site-to-site VPN still receive the public IP. You must ensure on-premises servers use the private endpoint without changing connection strings. What should you do?
Configure the on-premises DNS servers to forward the zone privatelink.blob.core.windows.net to a DNS forwarder hosted in VNET1.
Enable an Azure Storage service endpoint on the VPN gateway subnet.
Disable public network access on the storage account.
Add an A record for contososa.blob.core.windows.net in the on-premises DNS zone that points to the private IP address.
Answer Description
The on-premises DNS servers must resolve the storage account's FQDN to the private IP that Azure assigned to the private endpoint. The recommended approach is to create a conditional forwarder that sends all queries for the privatelink.blob.core.windows.net zone to a DNS forwarder (for example, Azure DNS Private Resolver or a custom DNS server) located inside VNET1, where the private DNS zone is linked. This causes on-premises queries for contososa.blob.core.windows.net to be answered with the private IP.
Adding a static A record on-premises is not advised because the private IP can change if the endpoint is recreated. Disabling public network access does not fix DNS resolution; the name would still resolve to the public IP and connectivity would fail. Service endpoints are unrelated to private endpoints and do not influence DNS behavior.
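As an added example (not part of the practice test), the on-premises side of this answer on a Windows DNS server: a conditional forwarder for the privatelink zone pointing at the forwarder in VNET1, followed by a resolution check. The forwarder IP address is a constructed placeholder:

```powershell
# Added example, not the practice test's own material. Assumes the DnsServer
# PowerShell module on an on-premises Windows DNS server. The forwarder address is
# constructed; use the inbound endpoint of your Azure DNS Private Resolver or the
# IP of your custom DNS VM in VNET1.
$forwarderIp = "10.10.0.4"
$zone        = "privatelink.blob.core.windows.net"

# Only the privatelink zone is forwarded to Azure; every other name keeps resolving
# through the existing on-premises path. Run this on each on-premises DNS server
# (or add -ReplicationScope for an AD-integrated deployment).
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $zone -MasterServers $forwarderIp
}

# Check the chain: the public name is a CNAME into the privatelink zone, and the
# privatelink record, answered via VNET1, must now hold the private endpoint IP.
$answer = Resolve-DnsName -Name "contososa.blob.core.windows.net" -Type A
$answer | Format-Table Name, Type, NameHost, IPAddress

$ip = ($answer | Where-Object Type -eq "A" | Select-Object -First 1).IPAddress
if ($ip -match '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)') {
    "OK: $ip is a private address, on-premises traffic will use the private endpoint"
} else {
    Write-Warning "Still resolving to a public address ($ip); check the forwarder and the zone link in VNET1"
}
```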
You are designing an Azure Policy that enforces the presence of the CostCenter tag on every resource group in the production subscription. The policy must automatically add the tag and value to existing and future resource groups, and it must block the deployment only if the tag cannot be added automatically. Which policy effect should you use?
Audit
Append
Modify
Deny
Answer Description
The Modify effect can change or set resource properties during create or update operations and can also be used by remediation tasks to update existing resources. If the required change cannot be applied, the request is denied. Audit only records non-compliance, Deny blocks every non-compliant request without remediation, and Append adds properties only during creation or update but cannot remediate existing resources. Therefore, Modify is the only effect that meets all the requirements.
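As an added example (not part of the practice test), a Modify policy for the CostCenter tag defined, assigned with a managed identity, and remediated with the Az PowerShell module; the subscription id, tag value and location are constructed placeholders:

```powershell
# Added example, not the practice test's own material. Assumes Az.Resources and
# Az.PolicyInsights. The subscription id, tag value "CC-1234" and location are constructed.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$scope = "/subscriptions/$subscriptionId"

# Rule: a resource group without the CostCenter tag gets it added or replaced.
# "modify" runs under the assignment's managed identity, which needs a role that can
# write tags; the built-in Contributor role id is referenced here.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups" },
      { "field": "tags['CostCenter']", "exists": "false" }
    ]
  },
  "then": {
    "effect": "modify",
    "details": {
      "roleDefinitionIds": [
        "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
      ],
      "operations": [
        { "operation": "addOrReplace", "field": "tags['CostCenter']", "value": "[parameters('costCenter')]" }
      ]
    }
  }
}
'@
$params = '{ "costCenter": { "type": "String", "metadata": { "displayName": "CostCenter value" } } }'

# Mode All is required for the rule to evaluate resource groups themselves
$def = New-AzPolicyDefinition -Name "add-costcenter-tag-rg" -DisplayName "Add CostCenter tag to resource groups" `
    -Policy $rule -Parameter $params -Mode All

# Assign with a system-assigned identity so modify operations and remediation can run
$assignment = New-AzPolicyAssignment -Name "add-costcenter-tag-rg" -Scope $scope -PolicyDefinition $def `
    -PolicyParameterObject @{ costCenter = "CC-1234" } -IdentityType SystemAssigned -Location "eastus"

# Grant the identity the role named in roleDefinitionIds (the portal does this for you);
# the identity may take a moment to replicate before this succeeds.
New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId -RoleDefinitionName Contributor -Scope $scope

# New or updated resource groups are tagged inline; existing ones need a remediation task.
# On Az.Resources versions before 7.0 the assignment id property is PolicyAssignmentId.
Start-AzPolicyRemediation -Name "tag-existing-rgs" -PolicyAssignmentId $assignment.Id
```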