Free Practice · No Signup Required
30 Free Azure AZ-500 Practice Questions
Real practice questions for the Azure Azure Security Engineer (AZ-500) exam, with answers and detailed explanations. Updated 2026.
Free questions
30
Passing score
700 out of 1000
Exam time
120 minutes
Question pool
300+ Questions
Below are 30 real practice questions for the Azure Azure Security Engineer (AZ-500) exam. Each question shows the correct answer and a detailed explanation when you reveal it. Use these to benchmark your readiness — if you score below 70% on these 30 questions, plan for at least 4 more weeks of study before booking.
AZ-500 Practice Questions
Question 1.Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time. Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: <admin@abc.com>. Azure Password: XXXXXXXX. The following information is for technical support purposes only: Lab Instance: 12345678. You need to prevent administrative users from accidentally deleting a virtual network named VNET1. The administrative users must be allowed to modify the settings of VNET1. To complete this task, sign in to the Azure portal. This task might take several minutes to complete. You can perform other tasks while the task completes.    
- A.1. In the Settings blade for virtual network VNET, select Locks. 2. To add a lock, select Add. 3. For Lock type select Delete lock, and click OK.(correct answer)
Show answer & explanationHide answer
Correct answer: A
1. In the Settings blade for virtual network VNET, select Locks. 2. To add a lock, select Add. 3. For Lock type select Delete lock, and click OK.
Explanation
Azure Resource Locks prevent accidental deletion or modification. A 'Delete' lock allows users to read and modify a resource but prevents them from deleting it.
Question 2.Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time. Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: <admin@abc.com>. Azure Password: XXXXXXXX. The following information is for technical support purposes only: Lab Instance: 12345678. The developers at your company plan to create a web app named App10598168 and to publish the app to <https://www.contoso.com>. The developers at your company plan to create a web app named App12345678 and to publish the app to <https://www.contoso.com>. You need to perform the following tasks: Ensure that App12345678 is registered to Azure Active Directory (Azure AD). Generate a password for App12345678. To complete this task, sign in to the Azure portal. This task might take several minutes to complete. You can perform other tasks while the task completes.    
- A.1. Sign in to your Azure Account through the Azure portal. 2. Select Azure Active Directory. 3. Select App registrations. 4. Select New registration. 5. Name the application 12345678. Select a supported account type, which determines who can use the application. Under Redirect URI, select Web for the type of application you want to create. Enter the URI: https://www.contoso.com , where the access token is sent to. 6. Click Register. 7. Select Certificates & secrets. 8. Select Client secrets -> New client secret. 9. Provide a description of the secret, and a duration. When done, select Add. 10. After saving the client secret, the value of the client secret is displayed. Copy this value because you aren't able to retrieve the key later. You provide the key value with the application ID to sign in as the application. Store the key value where your application can retrieve it.(correct answer)
Show answer & explanationHide answer
Correct answer: A
1. Sign in to your Azure Account through the Azure portal. 2. Select Azure Active Directory. 3. Select App registrations. 4. Select New registration. 5. Name the application 12345678. Select a supported account type, which determines who can use the application. Under Redirect URI, select Web for the type of application you want to create. Enter the URI: https://www.contoso.com , where the access token is sent to. 6. Click Register. 7. Select Certificates & secrets. 8. Select Client secrets -> New client secret. 9. Provide a description of the secret, and a duration. When done, select Add. 10. After saving the client secret, the value of the client secret is displayed. Copy this value because you aren't able to retrieve the key later. You provide the key value with the application ID to sign in as the application. Store the key value where your application can retrieve it.
Explanation
Registering an application in Azure AD allows it to use Azure AD for authentication. Generating a client secret (password) provides the credential needed for the application to authenticate as itself.
Question 3.Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time. Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: <admin@abc.com>. Azure Password: XXXXXXXX. The following information is for technical support purposes only: Lab Instance: 12345678. You need to email an alert to a user named <admin1@contoso.com> if the average CPU usage of a virtual machine named VM1 is greater than 70 percent for a period of 15 minutes. To complete this task, sign in to the Azure portal. This task might take several minutes to complete. You can perform other tasks while the task completes.    
- A.1. In the portal, locate the resource, here VM1, you are interested in monitoring and select it. Select Alerts under the MONITORING section. Select New alert rule. Fill in Condition, Actions, Alert rule details. Click Create alert rule.(correct answer)
Show answer & explanationHide answer
Correct answer: A
1. In the portal, locate the resource, here VM1, you are interested in monitoring and select it. Select Alerts under the MONITORING section. Select New alert rule. Fill in Condition, Actions, Alert rule details. Click Create alert rule.
Explanation
Azure Monitor alerts notify you of critical conditions using metrics or logs. Setting a metric alert rule for CPU usage ensures you're notified when the VM exceeds the defined threshold.
Question 4.Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time. Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: <admin@abc.com>. Azure Password: XXXXXXXX. The following information is for technical support purposes only: Lab Instance: 12345678. You need to create a new Azure Active Directory (Azure AD) directory named 12345678.onmicrosoft.com. The new directory must contain a user named user12345678 who is configured to sign in by using Azure Multi-Factor Authentication (MFA). To complete this task, sign in to the Azure portal. This task might take several minutes to complete. You can perform other tasks while the task completes.    
- A.1. Browse to the Azure portal and sign in with an account that has an Azure subscription. 2. Select the plus icon (+) and search for Azure Active Directory. 3. Select Azure Active Directory in the search results. 4. Select Create. 5. Provide an Organization name (12345678) and an Initial domain name (12345678). Then select Create. This will create the directory named 12345678.onmicrosoft.com. 6. After directory creation is complete, select the information box to manage your new directory. 7. In the Azure portal, make sure you are on the Azure Active Directory fly out. If not, select the Azure Active Directory icon from the left services navigation. 8. Under Manage, select Users. 9. Select All users and then select + New user. 10. Provide a Name and User name (user12345678) for the user. When you're done, select Create. 11. In the Azure portal, make sure you are on the Azure Active Directory fly out. If not, select the Azure Active Directory icon from the left services navigation. 12. Under Manage, select Users. 13. Click on the Multi-Factor Authentication link. 14. Tick the checkbox next to the user's name and click the Enable link.(correct answer)
Show answer & explanationHide answer
Correct answer: A
1. Browse to the Azure portal and sign in with an account that has an Azure subscription. 2. Select the plus icon (+) and search for Azure Active Directory. 3. Select Azure Active Directory in the search results. 4. Select Create. 5. Provide an Organization name (12345678) and an Initial domain name (12345678). Then select Create. This will create the directory named 12345678.onmicrosoft.com. 6. After directory creation is complete, select the information box to manage your new directory. 7. In the Azure portal, make sure you are on the Azure Active Directory fly out. If not, select the Azure Active Directory icon from the left services navigation. 8. Under Manage, select Users. 9. Select All users and then select + New user. 10. Provide a Name and User name (user12345678) for the user. When you're done, select Create. 11. In the Azure portal, make sure you are on the Azure Active Directory fly out. If not, select the Azure Active Directory icon from the left services navigation. 12. Under Manage, select Users. 13. Click on the Multi-Factor Authentication link. 14. Tick the checkbox next to the user's name and click the Enable link.
Explanation
Creating a new Azure AD tenant provides a separate identity boundary. Enabling MFA for a user adds an extra layer of security by requiring multiple forms of verification.
Question 5.Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time. Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: <admin@abc.com>. Azure Password: XXXXXXXX. The following information is for technical support purposes only: Lab Instance: 12345678. You need to ensure that only devices connected to a 131.107.0.0/16 subnet can access data in the rg1lod1234578 Azure Storage account. To complete this task, sign in to the Azure portal. This task might take several minutes to complete. You can perform other tasks while the task completes.    
- A.1. Go to the storage account. 2. Under 'Security + networking' SELECT 'Networking'. 2. Select 'Firewalls and virtual networks' on the top (next to Custom domain). 3. Under Public network access, CHOOSE the 'Enable from selected virtual network and IP addresses RADIO button. 4. Under 'Virtual networks' add existing virtual network. 5. Add the network with the CIDR.(correct answer)
Show answer & explanationHide answer
Correct answer: A
1. Go to the storage account. 2. Under 'Security + networking' SELECT 'Networking'. 2. Select 'Firewalls and virtual networks' on the top (next to Custom domain). 3. Under Public network access, CHOOSE the 'Enable from selected virtual network and IP addresses RADIO button. 4. Under 'Virtual networks' add existing virtual network. 5. Add the network with the CIDR.
Explanation
Storage firewalls and virtual networks allow you to restrict access to your storage account to specific IP addresses or virtual networks, enhancing data security.
Question 6.Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time. Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: <admin@abc.com>. Azure Password: XXXXXXXX. The following information is for technical support purposes only: Lab Instance: 12345678. You need to collect all the audit failure data from the security log of a virtual machine named VM1 to an Azure Storage account. To complete this task, sign in to the Azure portal. This task might take several minutes to complete. You can perform other tasks while the task completes.    
- A.1. Go to VM. 2. Diagnostic Settings. 3. Enable it. 4. Point to storage account. 5. Under Logs check (Security > Audit Failure) is ticked.(correct answer)
Show answer & explanationHide answer
Correct answer: A
1. Go to VM. 2. Diagnostic Settings. 3. Enable it. 4. Point to storage account. 5. Under Logs check (Security > Audit Failure) is ticked.
Explanation
Azure Diagnostic Settings allow you to collect guest-level metrics and logs (like security audit failures) and send them to a Storage account, Log Analytics, or Event Hub.
Question 7.Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time. Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: <admin@abc.com>. Azure Password: XXXXXXXX. The following information is for technical support purposes only: Lab Instance: 12345678. You need to configure Azure to allow RDP connections from the Internet to a virtual machine named VM1. The solution must minimize the attack surface of VM1.To complete this task, sign in to the Azure portal. This task might take several minutes to complete. You can perform other tasks while the task completes.    
- A.1. Sign in to the Azure portal. 2. In Virtual Machines, select VM1. 3. In Settings, select Networking. 4. In Inbound port rules, check whether the port for RDP is set correctly. The following is an example of the configuration: Priority: 300. Name: Port_3389. Port(Destination): 3389. Protocol: TCP. Source: Service Tag - Internet. Destinations: Any. Action: Allow.(correct answer)
Show answer & explanationHide answer
Correct answer: A
1. Sign in to the Azure portal. 2. In Virtual Machines, select VM1. 3. In Settings, select Networking. 4. In Inbound port rules, check whether the port for RDP is set correctly. The following is an example of the configuration: Priority: 300. Name: Port_3389. Port(Destination): 3389. Protocol: TCP. Source: Service Tag - Internet. Destinations: Any. Action: Allow.
Explanation
Configuring an inbound rule on the Network Security Group (NSG) for port 3389 allows RDP traffic. Minimizing the attack surface involves restricting the source to specific IPs or service tags where possible.
Question 8.Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time. Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: <admin@abc.com>. Azure Password: XXXXXXXX. The following information is for technical support purposes only: Lab Instance: 12345678. You need to add the network interface of a virtual machine named VM1 to an application security group named ASG1. To complete this task, sign in to the Azure portal. This task might take several minutes to complete. You can perform other tasks while the task completes.    
- A.1. In the Search resources, services, and docs box at the top of the portal, begin typing the name of a virtual machine that has a network interface that you want to add to, or remove from, an application security group. When the name of your VM appears in the search results, select it. 2. Under SETTINGS, select Networking. Select Application Security Groups then Configure the application security groupselect the application security groups that you want to add the network interface to, or unselect the application security groups that you want to remove the network interface from, and then select Save. Only network interfaces that exist in the same virtual network can be added to the same application security group. The application security group must exist in the same location as the network interface.(correct answer)
Show answer & explanationHide answer
Correct answer: A
1. In the Search resources, services, and docs box at the top of the portal, begin typing the name of a virtual machine that has a network interface that you want to add to, or remove from, an application security group. When the name of your VM appears in the search results, select it. 2. Under SETTINGS, select Networking. Select Application Security Groups then Configure the application security groupselect the application security groups that you want to add the network interface to, or unselect the application security groups that you want to remove the network interface from, and then select Save. Only network interfaces that exist in the same virtual network can be added to the same application security group. The application security group must exist in the same location as the network interface.
Explanation
Application Security Groups (ASGs) allow you to group network interfaces and define network security policies based on those groups, rather than explicit IP addresses.
Question 9.Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time. Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: <admin@abc.com>. Azure Password: XXXXXXXX. The following information is for technical support purposes only: Lab Instance: 12345678. You need to ensure that a user named user2-12345678 can manage the properties of the virtual machines in the RG1lod12345678 resource group. The solution must use the principle of least privilege. To complete this task, sign in to the Azure portal. This task might take several minutes to complete. You can perform other tasks while the task completes.    
- A.1. Sign in to the Azure portal. 2. Browse to Resource Groups. 3. Select the RG1lod12345678 resource group. 4. Select Access control (IAM). 5. Select Add > role assignment. 6. Select Virtual Machine Contributor (you can filter the list of available roles by typing 'virtual' in the search box) then click Next. 7. Select the +Select members option and select user2-12345678 then click the Select button. 8. Click the Review + assign button twice.(correct answer)
Show answer & explanationHide answer
Correct answer: A
1. Sign in to the Azure portal. 2. Browse to Resource Groups. 3. Select the RG1lod12345678 resource group. 4. Select Access control (IAM). 5. Select Add > role assignment. 6. Select Virtual Machine Contributor (you can filter the list of available roles by typing 'virtual' in the search box) then click Next. 7. Select the +Select members option and select user2-12345678 then click the Select button. 8. Click the Review + assign button twice.
Explanation
The Virtual Machine Contributor role allows a user to manage virtual machines, but not access them, and not manage the virtual network or storage account they are connected to. This follows the principle of least privilege for managing VM properties.
Question 10.Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time. Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: <admin@abc.com>. Azure Password: XXXXXXXX. The following information is for technical support purposes only: Lab Instance: 12345678. You need to ensure that the rg1lod1234578n1 Azure Storage account is encrypted by using a key stored in the KeyVault12345678 Azure Key Vault. To complete this task, sign in to the Azure portal. This task might take several minutes to complete. You can perform other tasks while the task completes.    
- A.1. Go to Storage Accounts. 2. Click on your storage account. 3. In the search box type encryption and select it. 4. From the encryption page select Customer-managed keys. 5. And then click the link to select a key vault and key. 6. A new page opens and then you select the appropriate key vault and key.(correct answer)
Show answer & explanationHide answer
Correct answer: A
1. Go to Storage Accounts. 2. Click on your storage account. 3. In the search box type encryption and select it. 4. From the encryption page select Customer-managed keys. 5. And then click the link to select a key vault and key. 6. A new page opens and then you select the appropriate key vault and key.
Explanation
Azure Storage encryption with customer-managed keys (CMK) allows for more control over the encryption of data. By using a key from a Key Vault, you can manage the key lifecycle and access policies.
Question 11.Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time. Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: <admin@abc.com>. Azure Password: XXXXXXXX. The following information is for technical support purposes only: Lab Instance: 12345678. You need to perform a full malware scan every Sunday at 02:00 on a virtual machine named VM1 by using Microsoft Antimalware for Virtual Machines. To complete this task, sign in to the Azure portal. This task might take several minutes to complete. You can perform other tasks while the task completes.    
- A.1. In Azure Portal, go to the Azure VM1's blade, navigate to the Extensions section and press Add. 2. Select the Microsoft Antimalware extension and press Create. 3. Fill the Install extension form as desired and press OK. Scheduled: Enable. Scan type: Full. Scan day: Sunday (note: picture wrongly shows 'Saturday'). The scan time is measured in minutes after midnight so 60 would be 01:00, 120 would be 02:00 etc.(correct answer)
Show answer & explanationHide answer
Correct answer: A
1. In Azure Portal, go to the Azure VM1's blade, navigate to the Extensions section and press Add. 2. Select the Microsoft Antimalware extension and press Create. 3. Fill the Install extension form as desired and press OK. Scheduled: Enable. Scan type: Full. Scan day: Sunday (note: picture wrongly shows 'Saturday'). The scan time is measured in minutes after midnight so 60 would be 01:00, 120 would be 02:00 etc.
Explanation
Microsoft Antimalware for Azure Cloud Services and Virtual Machines is a real-time protection capability that helps identify and remove viruses, spyware, and other malicious software. Scheduling scans ensures regular health checks.
Question 12.Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time. Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: <admin@abc.com>. Azure Password: XXXXXXXX. The following information is for technical support purposes only: Lab Instance: 12345678. You need to prevent HTTP connections to the rg1lod1234578n1 Azure Storage account. To complete this task, sign in to the Azure portal. This task might take several minutes to complete. You can perform other tasks while the task completes.    
- A.1. In Azure Portal select you Azure Storage account rg1lod12345678n1. 2. Select Configuration, and Secure Transfer required.(correct answer)
Show answer & explanationHide answer
Correct answer: A
1. In Azure Portal select you Azure Storage account rg1lod12345678n1. 2. Select Configuration, and Secure Transfer required.
Explanation
The 'Secure transfer required' option enhances the security of your storage account by only allowing requests from secure connections (HTTPS). Any requests made via HTTP will be rejected.
Question 13.Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York. The company hosts its entire server infrastructure in Azure. Contoso has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to an Azure Active Directory (Azure AD) tenant named contoso.com. Contoso identifies the following technical requirements: Deploy Azure Firewall to VNetwork1 in Sub2. Register an application named App2 in contoso.com. Whenever possible, use the principle of least privilege. Enable Azure AD Privileged Identity Management (PIM) for contoso.com. Contoso.com contains the users shown in the following table. Contoso.com contains the security groups shown in the following table. Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6. User9 creates the virtual networks shown in the following table. Sub1 contains the locks shown in the following table. Sub1 contains the Azure policies shown in the following table. Sub2 contains the virtual networks shown in the following table. Sub2 contains the virtual machines shown in the following table. All virtual machines have the public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests and web requests. Sub2 contains the network security groups (NSGs) shown in the following table. NSG1 has the inbound security rules shown in the following table. NSG2 has the inbound security rules shown in the following table. NSG3 has the inbound security rules shown in the following table. NSG4 has the inbound security rules shown in the following table. NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table. You are evaluating the security of the network communication between the virtual machines in Sub2. From VM1, you can successfully ping the public IP address of VM3.             
- A.Yes.(correct answer)
- B.No.
Show answer & explanationHide answer
Correct answer: A
Yes.
Explanation
Pinging a public IP address involves traffic leaving the VNet via the internet and returning. If the destination's NSG and internal firewall allow ICMP traffic from the internet, the ping will succeed.
Question 14.Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York. The company hosts its entire server infrastructure in Azure. Contoso has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to an Azure Active Directory (Azure AD) tenant named contoso.com. Contoso identifies the following technical requirements: Deploy Azure Firewall to VNetwork1 in Sub2. Register an application named App2 in contoso.com. Whenever possible, use the principle of least privilege. Enable Azure AD Privileged Identity Management (PIM) for contoso.com. Contoso.com contains the users shown in the following table. Contoso.com contains the security groups shown in the following table. Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6. User9 creates the virtual networks shown in the following table. Sub1 contains the locks shown in the following table. Sub1 contains the Azure policies shown in the following table. Sub2 contains the virtual networks shown in the following table. Sub2 contains the virtual machines shown in the following table. All virtual machines have the public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests and web requests. Sub2 contains the network security groups (NSGs) shown in the following table. NSG1 has the inbound security rules shown in the following table. NSG2 has the inbound security rules shown in the following table. NSG3 has the inbound security rules shown in the following table. NSG4 has the inbound security rules shown in the following table. NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table. You are evaluating the security of the network communication between the virtual machines in Sub2. From VM1, you can successfully ping the private IP address of VM3.             
- A.Yes.(correct answer)
- B.No.
Show answer & explanationHide answer
Correct answer: A
Yes.
Explanation
If VM1 and VM3 are in the same Virtual Network (VNet), they can communicate using private IP addresses by default via the 'AllowVNetInBound' system rule.
Question 15.Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York. The company hosts its entire server infrastructure in Azure. Contoso has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to an Azure Active Directory (Azure AD) tenant named contoso.com. Contoso identifies the following technical requirements: Deploy Azure Firewall to VNetwork1 in Sub2. Register an application named App2 in contoso.com. Whenever possible, use the principle of least privilege. Enable Azure AD Privileged Identity Management (PIM) for contoso.com. Contoso.com contains the users shown in the following table. Contoso.com contains the security groups shown in the following table. Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6. User9 creates the virtual networks shown in the following table. Sub1 contains the locks shown in the following table. Sub1 contains the Azure policies shown in the following table. Sub2 contains the virtual networks shown in the following table. Sub2 contains the virtual machines shown in the following table. All virtual machines have the public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests and web requests. Sub2 contains the network security groups (NSGs) shown in the following table. NSG1 has the inbound security rules shown in the following table. NSG2 has the inbound security rules shown in the following table. NSG3 has the inbound security rules shown in the following table. NSG4 has the inbound security rules shown in the following table. NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table. You are evaluating the security of the network communication between the virtual machines in Sub2. From VM1, you can successfully ping the private IP address of VM5.             
- A.Yes.
- B.No.(correct answer)
Show answer & explanationHide answer
Correct answer: B
No.
Explanation
If VM1 and VM5 are in different Virtual Networks that are not peered, they cannot communicate via private IP addresses without a VPN gateway or VNet peering.
Question 16.Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York. The company hosts its entire server infrastructure in Azure. Contoso has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to an Azure Active Directory (Azure AD) tenant named contoso.com. Contoso identifies the following technical requirements: Deploy Azure Firewall to VNetwork1 in Sub2. Register an application named App2 in contoso.com. Whenever possible, use the principle of least privilege. Enable Azure AD Privileged Identity Management (PIM) for contoso.com. Contoso.com contains the users shown in the following table. Contoso.com contains the security groups shown in the following table. Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6. User9 creates the virtual networks shown in the following table. Sub1 contains the locks shown in the following table. Sub1 contains the Azure policies shown in the following table. Sub2 contains the virtual networks shown in the following table. Sub2 contains the virtual machines shown in the following table. All virtual machines have the public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests and web requests. Sub2 contains the network security groups (NSGs) shown in the following table. NSG1 has the inbound security rules shown in the following table. NSG2 has the inbound security rules shown in the following table. NSG3 has the inbound security rules shown in the following table. NSG4 has the inbound security rules shown in the following table. NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table. You are evaluating the effect of the application security groups on the network communication between the virtual machines in Sub2. From VM1, you can successfully ping the private IP address of VM4.             
- A.Yes.
- B.No.(correct answer)
Show answer & explanationHide answer
Correct answer: B
No.
Explanation
If VM4 is in a different subnet and is protected by an Application Security Group (ASG) that doesn't explicitly allow traffic from VM1's source, then the communication will be blocked.
Question 17.Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York. The company hosts its entire server infrastructure in Azure. Contoso has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to an Azure Active Directory (Azure AD) tenant named contoso.com. Contoso identifies the following technical requirements: Deploy Azure Firewall to VNetwork1 in Sub2. Register an application named App2 in contoso.com. Whenever possible, use the principle of least privilege. Enable Azure AD Privileged Identity Management (PIM) for contoso.com. Contoso.com contains the users shown in the following table. Contoso.com contains the security groups shown in the following table. Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6. User9 creates the virtual networks shown in the following table. Sub1 contains the locks shown in the following table. Sub1 contains the Azure policies shown in the following table. Sub2 contains the virtual networks shown in the following table. Sub2 contains the virtual machines shown in the following table. All virtual machines have the public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests and web requests. Sub2 contains the network security groups (NSGs) shown in the following table. NSG1 has the inbound security rules shown in the following table. NSG2 has the inbound security rules shown in the following table. NSG3 has the inbound security rules shown in the following table. NSG4 has the inbound security rules shown in the following table. NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table. You are evaluating the effect of the application security groups on the network communication between the virtual machines in Sub2. From VM2, you can successfully ping the private IP address of VM4.             
- A.Yes.(correct answer)
- B.No.
Show answer & explanationHide answer
Correct answer: A
Yes.
Explanation
VM2 and VM4 are in the same Virtual Network. Communication using private IP addresses is allowed by default between subnets in the same VNet unless blocked by specific NSG rules.
Question 18.Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York. The company hosts its entire server infrastructure in Azure. Contoso has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to an Azure Active Directory (Azure AD) tenant named contoso.com. Contoso identifies the following technical requirements: Deploy Azure Firewall to VNetwork1 in Sub2. Register an application named App2 in contoso.com. Whenever possible, use the principle of least privilege. Enable Azure AD Privileged Identity Management (PIM) for contoso.com. Contoso.com contains the users shown in the following table. Contoso.com contains the security groups shown in the following table. Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6. User9 creates the virtual networks shown in the following table. Sub1 contains the locks shown in the following table. Sub1 contains the Azure policies shown in the following table. Sub2 contains the virtual networks shown in the following table. Sub2 contains the virtual machines shown in the following table. All virtual machines have the public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests and web requests. Sub2 contains the network security groups (NSGs) shown in the following table. NSG1 has the inbound security rules shown in the following table. NSG2 has the inbound security rules shown in the following table. NSG3 has the inbound security rules shown in the following table. NSG4 has the inbound security rules shown in the following table. NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table. You are evaluating the effect of the application security groups on the network communication between the virtual machines in Sub2. From VM1, you can connect to the web server on VM4.             
- A.Yes.(correct answer)
- B.No.
Show answer & explanationHide answer
Correct answer: A
Yes.
Explanation
If VM1 is allowed to access the web server on VM4 via its private IP address, it suggests that the NSG rules (possibly leveraging ASGs) are correctly configured to permit traffic on port 80/443.
Question 19.Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York. The company hosts its entire server infrastructure in Azure. Contoso has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to an Azure Active Directory (Azure AD) tenant named contoso.com. Contoso identifies the following technical requirements: Deploy Azure Firewall to VNetwork1 in Sub2. Register an application named App2 in contoso.com. Whenever possible, use the principle of least privilege. Enable Azure AD Privileged Identity Management (PIM) for contoso.com. Contoso.com contains the users shown in the following table. Contoso.com contains the security groups shown in the following table. Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6. User9 creates the virtual networks shown in the following table. Sub1 contains the locks shown in the following table. Sub1 contains the Azure policies shown in the following table. Sub2 contains the virtual networks shown in the following table. Sub2 contains the virtual machines shown in the following table. All virtual machines have the public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests and web requests. Sub2 contains the network security groups (NSGs) shown in the following table. NSG1 has the inbound security rules shown in the following table. NSG2 has the inbound security rules shown in the following table. NSG3 has the inbound security rules shown in the following table. NSG4 has the inbound security rules shown in the following table. NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table. You need to ensure that User2 can implement PIM. What should you do first?             
- A.Assign User2 the Global administrator role.(correct answer)
- B.Configure authentication methods for contoso.com.
- C.Configure the identity secure score for contoso.com.
- D.Enable multi-factor authentication (MFA) for User2.
Show answer & explanationHide answer
Correct answer: A
Assign User2 the Global administrator role.
Explanation
To enable and manage Azure AD Privileged Identity Management (PIM), the user must be a Global Administrator, Privileged Role Administrator, or Security Administrator. Assigning the Global Administrator role satisfies this requirement.
Question 20.Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York. The company hosts its entire server infrastructure in Azure. Contoso has two Azure subscriptions named Sub1 and Sub2. Both subscriptions are associated to an Azure Active Directory (Azure AD) tenant named contoso.com. Contoso identifies the following technical requirements: Deploy Azure Firewall to VNetwork1 in Sub2. Register an application named App2 in contoso.com. Whenever possible, use the principle of least privilege. Enable Azure AD Privileged Identity Management (PIM) for contoso.com. Contoso.com contains the users shown in the following table. Contoso.com contains the security groups shown in the following table. Sub1 contains six resource groups named RG1, RG2, RG3, RG4, RG5, and RG6. User9 creates the virtual networks shown in the following table. Sub1 contains the locks shown in the following table. Sub1 contains the Azure policies shown in the following table. Sub2 contains the virtual networks shown in the following table. Sub2 contains the virtual machines shown in the following table. All virtual machines have the public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests and web requests. Sub2 contains the network security groups (NSGs) shown in the following table. NSG1 has the inbound security rules shown in the following table. NSG2 has the inbound security rules shown in the following table. NSG3 has the inbound security rules shown in the following table. NSG4 has the inbound security rules shown in the following table. NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table. Which virtual networks in Sub1 can User9 modify and delete in their current state?              
- A.Virtual networks that User9 can modify: VNET4 and VNET1 only. Virtual networks that User9 can delete: VNET4 only.(correct answer)
- B.Virtual networks that User9 can modify: VNET4 and VNET1 only. Virtual networks that User9 can delete: VNET4, VNET3,VNET 2 and VNET1.
- C.Virtual networks that User9 can modify: VNET4, VNET3, and VNET1 only. Virtual networks that User9 can delete: VNET4, VNET3,VNET 2 and VNET1.
- D.Virtual networks that User9 can modify: VNET4, VNET3,VNET 2 and VNET1. Virtual networks that User9 can delete: VNET4 only.
Show answer & explanationHide answer
Correct answer: A
Virtual networks that User9 can modify: VNET4 and VNET1 only. Virtual networks that User9 can delete: VNET4 only.
Explanation
Azure Resource Locks prevent deletion or modification. 'ReadOnly' locks prevent any changes (VNET2). 'CanNotDelete' locks prevent deletion but allow modification (VNET3). VNET1 and VNET4 have no locks, but the question logic might restrict User9 based on resource group permissions or other factors mentioned in the exhibit.
Question 21.Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com. You plan to deploy Azure AD Connect and to integrate Active Directory and the Azure AD tenant. You need to recommend an integration solution that meets the following requirements: Ensures that password policies and user logon restrictions apply to user accounts that are synced to the Tenant. Minimizes the number of servers required for the solution. Which authentication method should you include in the recommendation?
- A.Federated identity with Active Directory Federation Services (AD FS).
- B.Password hash synchronization with seamless single sign-on (SSO).
- C.Pass-through authentication with seamless single sign-on (SSO)(correct answer)
Show answer & explanationHide answer
Correct answer: C
Pass-through authentication with seamless single sign-on (SSO)
Explanation
Pass-through authentication (PTA) allows users to sign in to both on-premises and cloud-based applications using the same passwords. It ensures that on-premises password policies and logon restrictions are enforced during the authentication process.
Question 22.You need to deploy Microsoft Antimalware to meet the platform protection requirements. What should you do? 
- A.Create a custom policy definition that has effect set to: Append. Create a policy assignment and modify: The exclusion settings.
- B.Create a custom policy definition that has effect set to: Deny. Create a policy assignment and modify: The Create a Managed Identity setting.
- C.Create a custom policy definition that has effect set to: DeployIfNotExists. Create a policy assignment and modify: The scope.(correct answer)
- D.Create a custom policy definition that has effect set to: DeployIfNotExists. Create a policy assignment and modify: The exclusion settings.
Show answer & explanationHide answer
Correct answer: C
Create a custom policy definition that has effect set to: DeployIfNotExists. Create a policy assignment and modify: The scope.
Explanation
To ensure that Microsoft Antimalware is automatically deployed to virtual machines, you should use an Azure Policy with the 'DeployIfNotExists' effect. Modifying the scope of the policy assignment ensures it target the correct resources.
Question 23.Fabrikam, Inc. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York. Fabrikam has IT, human resources (HR), and finance departments. Fabrikam has a Microsoft 365 subscription and an Azure subscription named subscription1. The network contains an on-premises Active Directory domain named Fabrikam.com. The domain contains two organizational units (OUs) named OU1 and OU2. Azure AD Connect cloud sync syncs only OU1. The Azure resources hierarchy is shown in the following exhibit. The Azure Active Directory (Azure AD) tenant contains the users shown in the following table. Azure AD contains the resources shown in the following table. Subscription1 contains the virtual networks shown in the following table. Subscription1 contains the network security groups (NSGs) shown in the following table. Subscription1 contains the virtual machines shown in the following table. Subscription1 contains the Azure Key Vaults shown in the following table. Subscription1 contains a storage account named storage1 in the West US Azure region. Fabrikam plans to implement the following changes: Create two application security groups as shown in the following table. Associate the network interface of VM1 to ASG1. Deploy SecPol1 by using Azure Security Center. Deploy a third-party app named App1. A version of App1 exists for all available operating systems. Create a resource group named RG2. Sync OU2 to Azure AD. Add User1 to Group1. Fabrikam identifies the following technical requirements: The finance department users must reauthenticate after three hours when they access SharePoint Online. Storage1 must be encrypted by using customer-managed keys and automatic key rotation. From Sentinel1, you must ensure that the following notebooks can be launched: Entity Explorer – Account. Entity Explorer – Windows Host. Guided Investigation Process Alerts. VM1, VM2, and VM3 must be encrypted by using Azure Disk Encryption. Just in time (JIT) VM access for VM1, VM2, and VM3 must be enabled. App1 must use a secure connection string stored in KeyVault1. KeyVault1 traffic must NOT travel over the internet. You need to configure support for Microsoft Sentinel notebooks to meet the technical requirements. What is the minimum number of Azure container registries and Azure Machine Learning workspaces required?         
- A.Container registries: 0. Workspaces: 2.
- B.Container registries: 1. Workspaces: 3.
- C.Container registries: 2. Workspaces: 0.
- D.Container registries: 0. Workspaces: 1.(correct answer)
Show answer & explanationHide answer
Correct answer: D
Container registries: 0. Workspaces: 1.
Explanation
Microsoft Sentinel notebooks run in Azure Machine Learning (AML) workspaces. To minimize requirements, a single AML workspace can be used. Azure Container Registry is not strictly required to be created by the user for this scenario as AML can handle the underlying infrastructure.
Question 24.You have an Azure web app named WebApp1. You upload a certificate to WebApp1. You need to make the certificate accessible to the app code of WebApp1. What should you do?
- A.Add a user-assigned managed identity to WebApp1.
- B.Add an app setting to the WebApp1 configuration.(correct answer)
- C.Enable system-assigned managed identity for the WebApp1.
- D.Configure the TLS/SSL binding for WebApp1.
Show answer & explanationHide answer
Correct answer: B
Add an app setting to the WebApp1 configuration.
Explanation
To make an uploaded certificate available to the application code in Azure App Service, you must add the 'WEBSITE_LOAD_CERTIFICATES' app setting with the certificate thumbprint (or '*' for all).
Question 25.Your company plans to create separate subscriptions for each department. Each subscription will be associated to the same Azure Active Directory (Azure AD) tenant. You need to configure each subscription to have the same role assignments. What should you use?
- A.Azure Security Center.
- B.Azure Blueprints.(correct answer)
- C.Azure AD Privileged Identity Management (PIM).
- D.Azure Policy.
Show answer & explanationHide answer
Correct answer: B
Azure Blueprints.
Explanation
Azure Blueprints allows you to define a repeatable set of Azure resources that implement and adhere to your organization's standards, patterns, and requirements. It can include role assignments, policy assignments, and ARM templates.
Question 26.You have an Azure subscription that contains the resources shown in the following table. User1 is a member of Group1. Group1 and User2 are assigned the Key Vault Contributor role for Vault1. On January 1, 2019, you create a secret in Vault1. The secret is configured as shown in the exhibit. User2 is assigned an access policy to Vault1. The policy has the following configurations: Key Management Operations: Get, List, and Restore. Cryptographic Operations: Decrypt and Unwrap Key. Secret Management Operations: Get, List, and Restore. Group1 is assigned an access to Vault1. The policy has the following configurations: Key Management Operations: Get and Recover. Secret Management Operations: List, Backup, and Recover. On January 1, 2019, User1 can view the value of Password1.  
- A.Yes.
- B.No.(correct answer)
Show answer & explanationHide answer
Correct answer: B
No.
Explanation
To view a secret's value, a user needs the 'Secret Management Operations: Get' permission in the Key Vault access policy. Although User1 is in Group1, Group1 only has List, Backup, and Recover permissions, not Get.
Question 27.You have an Azure subscription that contains the resources shown in the following table. User1 is a member of Group1. Group1 and User2 are assigned the Key Vault Contributor role for Vault1. On January 1, 2019, you create a secret in Vault1. The secret is configured as shown in the exhibit. User2 is assigned an access policy to Vault1. The policy has the following configurations: Key Management Operations: Get, List, and Restore. Cryptographic Operations: Decrypt and Unwrap Key. Secret Management Operations: Get, List, and Restore. Group1 is assigned an access to Vault1. The policy has the following configurations: Key Management Operations: Get and Recover. Secret Management Operations: List, Backup, and Recover. On June 1, 2019, User2 can view the value of Password1.  
- A.Yes.(correct answer)
- B.No.
Show answer & explanationHide answer
Correct answer: A
Yes.
Explanation
User2 has the 'Secret Management Operations: Get' permission. Since the secret becomes active on Jan 1 and has no expiration date (or it's well in the future), User2 can view it on June 1.
Question 28.You have an Azure subscription that contains the resources shown in the following table. User1 is a member of Group1. Group1 and User2 are assigned the Key Vault Contributor role for Vault1. On January 1, 2019, you create a secret in Vault1. The secret is configured as shown in the exhibit. User2 is assigned an access policy to Vault1. The policy has the following configurations: Key Management Operations: Get, List, and Restore. Cryptographic Operations: Decrypt and Unwrap Key. Secret Management Operations: Get, List, and Restore. Group1 is assigned an access to Vault1. The policy has the following configurations: Key Management Operations: Get and Recover. Secret Management Operations: List, Backup, and Recover. On June 1, 2019, User1 can view the value of Password1.  
- A.Yes.
- B.No.(correct answer)
Show answer & explanationHide answer
Correct answer: B
No.
Explanation
As noted previously, User1 (via Group1) lacks the 'Secret Management Operations: Get' permission required to view the secret value.
Question 29.You have Azure Resource Manager templates that you use to deploy Azure virtual machines. You need to disable unused Windows features automatically as instances of the virtual machines are provisioned. What should you use?
- A.Device compliance policies in Microsoft Intune.
- B.Azure Automation State Configuration.(correct answer)
- C.Application security groups.
- D.Azure Advisor.
Show answer & explanationHide answer
Correct answer: B
Azure Automation State Configuration.
Explanation
Azure Automation State Configuration (built on PowerShell DSC) allows you to define the desired state of your virtual machines, including which Windows features should be enabled or disabled, and ensures they stay in that state.
Question 30.You have a Azure subscription. You enable Azure Active Directory (Azure AD) Privileged identify (PIM). Your company's security policy for administrator accounts has the following conditions: The accounts must use multi-factor authentication (MFA). The account must use 20-character complex passwords. The passwords must be changed every 180 days. The account must be managed by using PIM. You receive alerts about administrator who have not changed their password during the last 90 days. You need to minimize the number of generated alerts. Which PIM alert should you modify?
- A.Roles don't require multi-factor authentication for activation.
- B.Administrator aren't using their privileged roles.
- C.Roles are being assigned outside of Privileged identity Management.
- D.Potential stale accounts in a privileged role.(correct answer)
Show answer & explanationHide answer
Correct answer: D
Potential stale accounts in a privileged role.
Explanation
The 'Potential stale accounts in a privileged role' alert triggers when accounts haven't changed their password for a certain period. By default, this might be 90 days. Changing it to 180 days will align with the company policy and minimize alerts.
Ready for the full AZ-500 exam?
Get all 300+ Questions, timed simulation, and weak-area analytics. Plans from $2.99 — credits never expire.
Frequently Asked Questions
Are these real AZ-500 practice questions?+
Yes. These 30 questions are taken directly from our 300+ Questions pool, written and reviewed by certified practitioners. They mirror the style, difficulty, and scope of the official Azure AZ-500 exam.
Is the AZ-500 exam hard?+
The Azure Azure Security Engineer (AZ-500) is considered a pass-mark exam (passing score: 700 out of 1000). Most candidates need 4–8 weeks of focused preparation. Use these free questions to gauge where you stand before committing to a full study plan.
How many questions are on the real AZ-500 exam?+
The official AZ-500 exam has 40-60 questions.
Do I need to sign up to use these questions?+
No. These 30 questions are free and require no signup. If you want timed simulation, performance analytics, and access to all 300+ Questions, our paid plans start at $2.99 per exam with credits that never expire.
Keep studying
Pass AZ-500 on your first try
Join candidates using DummyExams to practice with realistic timed exams, detailed explanations, and weak-area analytics.
Start full AZ-500 practice exam