Here are 10 AZ-500 Microsoft Azure Security Engineer Associate Exam practice exam questions to help you gauge your readiness for the actual exam.
Question 1
You have an Azure subscription and need to assign a role to a team member who must adhere to the principle of least privilege.
This team member’s task is to audit and report on Microsoft Entra ID, requiring view-only access to all settings and configurations without modifying, deleting, or managing permissions.
Which Microsoft Entra built-in role should you assign to fulfill these requirements?
1. Directory Reader
2. Security Reader
3. Global Reader
4. Global Administrator
Correct Answer: 3
Microsoft Entra ID is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources in:
– External resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications.
– Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.
Microsoft Online business services, such as Office 365 or Microsoft Azure, require Azure AD for sign-in and to help with identity protection. If you subscribe to any Microsoft Online business service, you automatically get Azure AD with access to all the free features.
In Microsoft Entra ID, if another administrator or non-administrator needs to manage Microsoft Entra resources, you assign them a Microsoft Entra role that provides the permissions they need. For example, you can assign roles to allow adding or changing users, resetting user passwords, managing user licenses, or managing domain names.
The Global Reader role is specifically designed for comprehensive auditing, providing read-only access to all Microsoft Entra ID settings and configurations, including detailed configuration and setting information, without granting unnecessary modify or manage permissions.
Hence, the correct answer is: Global Reader.
Directory Reader is incorrect. The Directory Readers role offers limited visibility, primarily restricted to basic directory data. It does not include access to important auditing information like sign-in logs, audit logs, and detailed configurations of Microsoft Entra services.
Security Reader is incorrect. The Security Reader role grants read-only access to security information but does not provide the full range of access required.
Global Administrator is incorrect. The Global Administrator role has extensive manage permissions, which greatly exceeds the least privilege necessary for a role focused solely on auditing and reporting, and it does not adhere to the principle of least privilege.
References:
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
Azure Microsoft Entra ID Cheat Sheet:
Question 2
Your company is planning to expand its cloud infrastructure on Azure to support a multi-region deployment of its services.
To ensure compliance and maintain consistent configurations across all Azure resources, the company wants to automate the deployment of Azure resources.
The solution must also enforce organizational standards and security requirements across different subscriptions within the Azure environment.
What should you use?
1. Azure Blueprints
2. Azure Resource Manager (ARM) templates
3. Azure Policy
4. Azure Automation
Correct Answer: 1
Azure Blueprints allows organizations to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements.
Unlike Azure Resource Manager (ARM) templates that focus on deploying individual resources and Azure Policy that enforces rules across resources in Azure, Azure Blueprints integrates both resource deployment and policy enforcement in a single package.
This makes it an ideal choice for automating the deployment of complex environments across multiple subscriptions while ensuring compliance with organizational standards, cost management, and security requirements. Blueprints can be applied to multiple subscriptions, making it easier to replicate environments for multi-region deployments or across various departments within an organization.
Hence, the correct answer is: Azure Blueprints.
Azure Policy is incorrect. Azure Policy helps enforce organizational standards and assess compliance at scale through policy definitions that enforce rules for Azure resources, ensuring that resources stay compliant with corporate standards and service-level agreements.
Azure Resource Manager (ARM) templates is incorrect. ARM templates are a powerful tool for deploying and managing resources in Azure, allowing for the automation of resource deployment through Infrastructure as Code (IaC). However, while they support the deployment of complex cloud environments, ARM templates alone do not enforce compliance or organizational policies across multiple subscriptions.Â
Azure Automation is incorrect. Azure Automation provides a way to automate frequent, time-consuming, and error-prone cloud management tasks. This service is focused on automating operational tasks such as managing virtual machines, networks, and databases, but it does not specifically address the deployment of resources in a compliant and standardized manner across multiple subscriptions.
References:
https://azure.microsoft.com/en-au/services/blueprints/
https://docs.microsoft.com/en-us/azure/governance/blueprints/overview
Azure Blueprints Cheat Sheet:
Question 3
You have an Azure subscription that contains an App service named TD1.
You own a domain named tutorialsdojo.com
You need to ensure that users can access TD1 by visiting the URL <code>https://tutorialsdojo.com.</code>
Which three actions should you perform in sequence?
Instructions: To answer, drag the appropriate item from the column on the left to its description on the right. Each correct match is worth one point.
Correct Answer:
Add a custom domain. 1
Create DNS record. 2
Upload certificate (.pfx). 3
Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile backends. You can develop in your favorite language, be it .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Applications run and scale with ease on both Windows and Linux-based environments. App Service not only adds the power of Microsoft Azure to your application, such as security, load balancing, autoscaling, and automated management. You can also take advantage of its DevOps capabilities, such as continuous deployment from Azure DevOps, GitHub, Docker Hub, other sources, package management, staging environments, custom domains, and TLS/SSL certificates.
To ensure that TD1 is accessible by visiting the URL https://tutorialsdojo.com, the sequence of actions provided is correct. Let’s break down each step and explain why this sequence is necessary:
1. Add a custom domain: The first step involves adding a custom domain to your Azure App Service. This is because, by default, Azure App Services are accessible via a subdomain of azurewebsites.net (e.g., yourapp.azurewebsites.net). To make your app accessible through a more professional and recognizable domain name (in this case, tutorialsdojo.com), you need to configure the App Service to recognize the custom domain as its own.
2. Create DNS record: After adding the custom domain to your App Service, the next step is to create a DNS record. This is done through your domain registrar or DNS hosting provider, where tutorialsdojo.com is managed. You need to create a DNS record that points to your Azure App Service. Typically, this involves creating a CNAME record that points your custom domain (e.g., tutorialsdojo.com) to the Azure App Service’s default domain (e.g., yourapp.azurewebsites.net).
3. Upload certificate (.pfx): The final step is to secure the connection between your custom domain and the Azure App Service using SSL/TLS, which encrypts data transmitted to and from your site, ensuring that sensitive information is securely exchanged. Uploading a certificate (.pfx file) to your App Service achieves this. The .pfx file is a digital certificate that includes both the public key (certificate) and the private key, encrypted together. By uploading this certificate and binding it to your custom domain, you enable HTTPS for tutorialsdojo.com, thus ensuring that visitors can access TD1 securely via https://tutorialsdojo.com.
Hence, the correct order of deployment is:
1. Add a custom domain.
2. Create DNS record.
3. Upload certificate (.pfx).
References:
https://docs.microsoft.com/en-us/azure/app-service/overview
https://docs.microsoft.com/en-us/Azure/app-service/app-service-web-tutorial-custom-domain
Check out this Azure App Service Cheat Sheet:
Question 4
You plan on facilitating secure remote access to Azure SQL Database for your organization’s workforce, which includes employees working from home or other remote locations.
You need to ensure these remote employees authenticate using their Windows credentials even if their devices are not domain-joined.
What should you implement?
1. Microsoft Entra ID – Integrated
2. SQL Server Authentication
3. Windows Authentication
4. Microsoft Entra ID – Password
Correct Answer: 4
With Microsoft Entra authentication, you can centrally manage the identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage database users and simplifies permission management. Some of the benefits include the following:
– It provides an alternative to SQL Server authentication.
– It helps stop the proliferation of user identities across servers.
– It allows password rotation in a single place.
– It can eliminate storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Microsoft Entra ID.Â
When you’re using Microsoft Entra ID – Password, it’s essentially for scenarios where you need to authenticate using a Microsoft Entra principal name within a Microsoft Entra managed domain.
This is particularly useful for accounts that are federated, meaning they might not have direct access to the domain—this is common in remote work situations. What this means is that you can securely authenticate to services like Azure SQL Database or SQL Managed Instance, even if you’re using Microsoft Entra’s cloud-only identities or a mix of cloud and on-premises (hybrid) identities.
It’s ideal for those instances where you want to leverage your Windows credentials for authentication but find yourself working on a device that isn’t directly connected to your organization’s domain.
In such cases, you simply use your domain account and password for authentication.
Hence, the correct answer is: Microsoft Entra ID – Password.
Microsoft Entra ID – Integrated is incorrect. You use this method if you’re logged into Windows using your Microsoft Entra credentials from a federated domain, or a managed domain configured for seamless single sign-on for pass-through and password hash authentication.
SQL Server Authentication is incorrect. SQL Server Authentication uses a username and password specific to the SQL Server. While it’s a viable option for remote access, it doesn’t leverage the organizational identities or Windows credentials.
Windows Authentication is incorrect. Windows Authentication is designed primarily for scenarios where the user’s device is part of the organization’s domain network. This method leverages the user’s domain credentials to authenticate against the database, ensuring a secure and streamlined access method within a domain-joined environment.
References:
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure
Check out this Microsoft Entra ID Cheat Sheet:
Question 5
You have an Azure subscription that contains multiple virtual machines. You are planning to deploy additional virtual machines and need to manage admin passwords securely.
The ARM template you are using includes a static ID, and you must use a method for handling admin passwords that adhere to best practices for security and management.
What should you do?
1. Store the admin passwords directly in the ARM template as plaintext.
2. Store the admin password in Azure Key Vault and reference the secret from the Key Vault in the parameter file.
3. Include the admin passwords in a parameters file and upload it to your source control.
4. Use Azure Automation to run a PowerShell script that retrieves the admin password from an encrypted file stored in Azure Blob Storage during the deployment process.
Correct Answer: 2
Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. Key Vault service supports two types of containers: vaults and managed hardware security module(HSM) pools. Vaults support storing software and HSM-backed keys, secrets, and certificates. Managed HSM pools only support HSM-backed keys.
Storing the admin password in Azure Key Vault and referencing it in the parameter file ensures that sensitive information is securely managed and dynamically retrieved during deployment without being directly included in the ARM template or deployment scripts. Azure Key Vault is designed to safeguard cryptographic keys and other secrets, offering robust security features like access policies and secret versioning. This method prevents the exposure of the password by keeping it outside of the deployment scripts and enables controlled access and auditability, maintaining the confidentiality and integrity of the admin password throughout the deployment process.
If you want to reference secrets with dynamic ID, you need to use a linked template.
Hence, the correct answer is: Store the admin password in Azure Key Vault and reference the secret from the Key Vault in the parameter file.
The option that says: Store the admin passwords directly in the ARM template as plaintext is incorrect. Storing admin passwords in plaintext directly within the ARM template is highly insecure. This method exposes sensitive information to anyone who has access to the template, including version control systems or shared environments where templates are stored. It goes against security best practices by not providing any form of encryption or protection for sensitive data, making it vulnerable to unauthorized access and potential security breaches.
The option that says: Include the admin passwords in a parameters file and upload it to your source control is incorrect. Including admin passwords in a parameters file and uploading it to source control poses significant security risks. Source control systems are designed for versioning and sharing code, not for securely storing sensitive information. Even with private repositories, there’s a risk of exposure to unauthorized personnel or through misconfiguration. This approach lacks the security measures necessary to protect sensitive information like admin passwords effectively.
The option that says: Use Azure Automation to run a PowerShell script that retrieves the admin password from an encrypted file stored in Azure Blob Storage during the deployment process is incorrect. Using Azure Automation and a PowerShell script to retrieve admin passwords from an encrypted file in Azure Blob Storage introduces unnecessary complexity and potential security vulnerabilities. While encryption adds a layer of security, managing encryption keys securely is challenging, and decrypting the passwords at runtime can expose them to risk if not handled properly. This method also does not take full advantage of Azure Key Vault’s built-in capabilities for securely managing and automating access to secrets, keys, and certificates, making it a less optimal choice compared to directly integrating with Azure Key Vault.
References:
https://learn.microsoft.com/en-us/azure/key-vault/general/basic-concepts
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter
Check out this Azure Key Vault Cheat Sheet:
Question 6
You have a Microsoft Entra ID tenant with the following groups:
An administrator accidentally deleted the three groups on March 1, 2024.
You only found out on March 16, 2024.
For each of the following items, choose Yes if the statement is true or choose No if the statement is false. Take note that each correct item is worth one point.
Correct Answer: No, No, Yes
Microsoft Entra ID is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources in:
– External resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications.
– Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.
Microsoft Online business services, such as Office 365 or Microsoft Azure, require Azure AD for sign-in and to help with identity protection. If you subscribe to any Microsoft Online business service, you automatically get Azure AD with access to all the free features.
When you delete a Microsoft 365 group in Microsoft Entra ID, the deleted group is retained but not visible for 30 days from the deletion date. This behavior is so that the group and its contents can be restored if needed. This functionality is restricted exclusively to Microsoft 365 groups in Microsoft Entra ID.
Take note that for security groups and distribution groups, once they are deleted, you will not be able to restore them.
Meanwhile, for Microsoft Entra ID users that have been deleted, the account remains in a suspended state for 30 days. During that 30-day window, the user account can be restored, along with all its properties. After that 30-day window passes, the permanent deletion process is automatically started and can’t be stopped.
During this time, the management of soft-deleted users is blocked. This limitation also applies to restoring a soft-deleted user via a match during Tenant sync cycle for on-premises hybrid scenarios.
Since it has not been 30 days since TD3 was deleted, you can still restore the Microsoft 365 group.
Hence, the correct statement is: You can still restore TD3.
The following options are incorrect because you can’t restore security and distribution groups even if you are still within the 30-day retention period
– You can still restore TD1.
– You can still restore TD2.
References:
https://learn.microsoft.com/en-us/entra/identity/users/groups-restore-deleted
https://learn.microsoft.com/en-us/entra/fundamentals/users-restore
Azure Microsoft Entra ID Cheat Sheet:
Question 7
You have a Microsoft Defender for Cloud recommendations below:
You plan to address the Encrypt data in transit recommendation by enabling secure transfer score for 3 unhealthy storage accounts in your Azure subscriptions.
How many points will the Azure secure score increase after enabling secure transfer on the 3 unhealthy storage accounts?
1. 0.29
2. 0.57
3. 1.14
4. 2.28
Correct Answer: 2
Microsoft Defender for Cloud is a tool for security posture management and threat protection. It strengthens the security posture of your cloud resources, and with its integrated Microsoft Defender plans, Defender for Cloud protects workloads running in Azure, hybrid, and other cloud platforms.
Defender for Cloud provides the tools needed to harden your resources, track your security posture, protect against cyberattacks, and streamline security management. Because it’s natively integrated, deployment of Defender for Cloud is easy, providing you with simple auto-provisioning to secure your resources by default.
The secure score in Microsoft Defender for Cloud can help you to improve your cloud security posture. The secure score aggregates security findings into a single score so that you can assess, at a glance, your current security situation. The higher the score, the lower the identified risk level is.
The current score for each control is a measure of the status of the resources within the control. Each individual security control contributes toward the secure score. Each resource that’s affected by a recommendation within the control contributes toward the control’s current score.
To calculate the increase in the current score, we need to know the formula first. The formula to determine the current score is:
Once we enable secure transfer on the 3 unhealthy storage accounts, our total healthy resources will be at 22.
With the formula, we can substitute the following fields with their corresponding values:
– Max score: 4
– Healthy resources = 22. (24 – 2)
– Unhealthy resources= 2
The maximum score of 4 is divided by 24 because that’s the sum of the healthy and unhealthy resources. So, 4 / 24 = 0.16. Multiplying that by the number of healthy resources (22) results in the current score: 0.16* 22 = 3.66
Since we have the new current score of 3.66, we simply subtract it from the old current score of 3.09 to get the increase in score. So 3.66 – 3.09 = 0.57.
Hence, the correct answer is: 0.57.
References:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction
https://learn.microsoft.com/en-us/azure/defender-for-cloud/secure-score-security-controls
Check out this Microsoft Defender for Cloud Cheat Sheet:
Question 8
You have an Azure subscription that contains the following resources:
You have an Azure subscription that contains the following resources:
You created a network security group with default rules named Bilibid and associated it with TD1 and TD3.
You need to add a new security rule to Bilibid that permits TD1 and TD3 to accept traffic from Azure Storage accounts only.
What should the source of the new security rule be set to?
1. Any
2. IP address
3. Service tag
 4. My IP address
Correct Answer: 3
Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks. VNet is similar to a traditional network that you’d operate in your own data center but brings with it additional benefits of Azure’s infrastructure, such as scale, availability, and isolation.
You can use service tags to define network access controls on network security groups, Azure Firewall, and user-defined routes. Use service tags in place of specific IP addresses when you create security rules and routes. By specifying the service tag name, such as Storage, in the appropriate source or destination field of a security rule, you can allow or deny the traffic for the corresponding service.
There are two requirements stated in the question:
1. TD1 and TD3 must be able to communicate with each other.
2. TD1 and TD3 must receive traffic from Azure storage.
With the default security rules of Bilibid, the first requirement is already satisfied. The default security rule allows resources deployed to the same virtual network to communicate with one another unimpeded.
With service tags, you can allow traffic from Azure storage. You need to create a rule in Bilibid, set the source to service tag, and the source service tag should be Storage, and set the action to Allow.
Hence, the correct answer is: Service tag.
Any is incorrect because it allows traffic from all sources, not just Azure Storage accounts.
IP Address is incorrect because it requires specifying individual IP addresses, which is not practical for services like Azure Storage that use multiple, dynamic IPs.
My IP address is incorrect because it would only allow traffic from the IP address of the rule creator, not from Azure Storage accounts.
References:
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview
Check out this Azure Virtual Network Cheat Sheet:
Question 9
Your company is planning to launch an internal web app using an AKS cluster.
The app should be accessible via the pod’s IP address.
Which of the following network settings should you configure to meet this requirement?
1. Azure NSG
2. kubenet
3. Azure Private Link
4. Azure CNI
Correct Answer: 4
Azure Kubernetes Service (AKS) simplifies deploying a managed Kubernetes cluster in Azure by offloading the operational overhead to Azure. As a hosted Kubernetes service, Azure handles critical tasks like health monitoring and maintenance. Since Kubernetes masters are managed by Azure, you only manage and maintain the agent nodes. Thus, AKS is free; you only pay for the agent nodes within your clusters, not for the masters.
A Kubernetes cluster provides two options to configure your network:
– By default, AKS clusters use kubenet, and a virtual network and subnet are created for you. With kubenet, nodes get an IP address from a virtual network subnet.
– With Azure Container Networking Interface (CNI), every pod gets an IP address from the subnet and can be accessed directly.
Since you will connect to the app using the pod’s IP address, you need to select Azure CNI upon creation of your cluster.
Hence, the correct answer is: Azure CNI.
kubenet is incorrect because, as stated in the scenario, you need to connect via the pods IP address. With this option, network address translation is then configured on the nodes, and pods receive an IP address behind the node IP.
Azure NSG is incorrect because you don’t need to allow or deny inbound and outbound network traffic.Â
Azure Private Link is incorrect because this just provides private access to Azure-hosted services. It will not allow you to configure the cluster network type to assign IP addresses to pods.
References:
https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni
https://learn.microsoft.com/en-us/azure/aks/concepts-network
Check out this Azure Kubernetes Service Cheat Sheet:
Question 10
Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
You are managing a Microsoft Entra ID for a company that relies heavily on cloud services. A recent security evaluation highlighted a critical gap in the authentication system for these applications: the absence of a secondary verification method, posing a potential risk of unauthorized access.
You are tasked with enhancing the security of the authentication process by implementing an additional form of identification for these applications.
Solution: Implement Microsoft Entra smart lockout.
Does the solution meet the goal?
1. Yes
2. No
Correct Answer: 2
Smart lockout helps lock out bad actors that try to guess your users’ passwords or use brute-force methods to get in. The Smart lockout can recognize sign-ins that come from valid users and treat them differently than those attackers and other unknown sources. Attackers get locked out, while your users continue to access their accounts and be productive.
While smart lockout provides enhanced security by preventing the use of weak or commonly used passwords and locking accounts after multiple failed sign-in attempts, while these features significantly improve password security, they do not inherently add a new form of identification for authentication but rather strengthen an existing one (passwords).
Hence, the correct answer is: No.
References:
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-password-smart-lockout
Azure Microsoft Entra ID Cheat Sheet:
For more practice questions like these and to further prepare you for the actual AZ-500 Microsoft Azure Security Engineer Associate Exam, we recommend that you take our top-notch AZ-500 Microsoft Azure Security Engineer Associate Practice Exam, which simulate the real unique question types in the AZ-305 exam such as drag and drop, dropdown, and hotspot.
Also, check out our AZ-500 Microsoft Azure Security Engineer Associate exam study guide here.
AWS PlayCloud Sale – 10% OFF ALL PLANS. Use Coupon Code: TD-SANDBOX2024
Be Inspired and Mentored with Cloud Career Journeys!
Enroll Now – Our Azure Certification Exam Reviewers
Enroll Now – Our Google Cloud Certification Exam Reviewers
Tutorials Dojo Exam Study Guide eBooks
FREE AWS Exam Readiness Digital Courses
Subscribe to our YouTube Channel
FREE Intro to Cloud Computing for Beginners
FREE AWS, Azure, GCP Practice Test Samplers
Written by: Tutorials Dojo
