Try 12 Microsoft Azure Security Technologies (AZ-500) sample questions on Microsoft Entra ID, RBAC, privileged access, network security, workload protection, data security, monitoring, and incident response.
AZ-500 is Microsoft’s Azure Security Engineer Associate exam route for candidates who implement, manage, and monitor security controls across Azure, hybrid, and multicloud environments.
Microsoft Learn currently lists the Azure Security Engineer Associate certification, the AZ-500 exam, and its renewal assessments as retiring on August 31, 2026. Use this page if AZ-500 is still your scheduled exam, your employer asks for Azure Security Engineer preparation, or you need to compare Azure-native security with newer Microsoft cloud and AI security routes such as SC-500.
Practice option: Sample questions available
Start with the 12 sample questions on this page. A full web-app practice set for AZ-500: Microsoft Azure Security Technologies is not currently available on this site.
Need live practice now? See the SC-500 cloud and AI security page.

| Field | Detail |
|---|---|
| Issuer | Microsoft |
| Exam code | AZ-500 |
| Official exam name | Microsoft Azure Security Technologies |
| Certification route | Microsoft Certified: Azure Security Engineer Associate |
| Microsoft status to verify | Microsoft Learn lists retirement on August 31, 2026 |
| IT Mastery status | Sample questions available |
| Closest adjacent Microsoft page | SC-500 Cloud and AI Security Engineer Associate |

| Area | What to practice |
|---|---|
| Identity and access | Microsoft Entra ID, Conditional Access, role-based access control, privileged access, managed identities, and least privilege. |
| Network security | Network security groups, Azure Firewall, private endpoints, Bastion, just-in-time access, and secure administrative paths. |
| Compute, storage, and data protection | VM, container, storage, SQL, Key Vault, encryption, backup, and workload protection controls. |
| Security operations | Microsoft Defender for Cloud, Microsoft Sentinel, recommendations, alerts, evidence preservation, incident workflow, and posture management. |

| If your target is… | Open this page |
|---|---|
| Azure-native security implementation before the AZ-500 retirement date | Stay on this AZ-500 page and verify the current Microsoft Learn status before scheduling. |
| Microsoft’s newer cloud and AI security route | Open SC-500. |
| Baseline cybersecurity foundations before Azure security | Open CompTIA Security+ SY0-701. |
| Azure administration before security specialization | Open AZ-104. |

Try these 12 original Microsoft AZ-500 sample questions. They are designed for self-assessment and are not official Microsoft exam questions.
What this tests: Conditional Access
A security team wants all users in privileged Microsoft Entra roles to complete multifactor authentication when they sign in from untrusted locations. The team also wants to block legacy authentication. Which control is the best fit?
Best answer: B
Explanation: Conditional Access is the policy engine for sign-in conditions: the user or directory role, the named location (trusted or not), the client app type (legacy protocols such as Exchange ActiveSync and "other clients" are blocked through this condition), and grant controls such as MFA or an authentication strength. Network security groups and storage firewalls protect network or storage paths, not identity sign-in conditions. Key Vault protects secrets but does not enforce user sign-in requirements.
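The two policies described above, written as an added example with the Microsoft Graph PowerShell SDK (this is not code from the original page). The Global Administrator role template ID is a fixed, well-known value; the policy names, the break-glass account placeholder, and the decision to start in report-only mode are assumptions.

```powershell
# Added example: Conditional Access via Microsoft Graph PowerShell (Microsoft.Graph module).
# Requires an account that can write Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Well-known directory role template ID for Global Administrator (same in every tenant).
# Add further privileged roles by looking up their template IDs:
#   Get-MgDirectoryRoleTemplate | Select-Object DisplayName, Id
$privilegedRoles = @("62e90394-69f5-4237-9190-012177145e10")

# Object ID of the emergency-access (break-glass) account that must never be locked out.
# Placeholder: replace with the real object ID before running.
$breakGlassObjectId = "<break-glass-account-object-id>"

# Policy 1: MFA for privileged roles whenever the sign-in is not from a trusted named location.
$mfaPolicy = @{
    displayName = "CA001: Require MFA for privileged roles from untrusted locations"
    state       = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after review
    conditions  = @{
        users          = @{ includeRoles = $privilegedRoles; excludeUsers = @($breakGlassObjectId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")  # trusted named locations and MFA-trusted IP ranges
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Policy 2: block legacy authentication. These client app types cannot perform MFA,
# so the "location" policy above alone would leave them as a bypass.
$legacyBlock = @{
    displayName = "CA002: Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassObjectId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyBlock

# Review what now exists before switching either policy to "enabled".
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Leave both policies in report-only mode until the sign-in logs show no unexpected blocks for the break-glass account and for service accounts that still use legacy protocols; only then set `state` to `enabled`.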
What this tests: managed identities and Key Vault
An Azure App Service app needs to retrieve a secret from Key Vault. The team wants to avoid storing credentials in configuration files or deployment variables. What should it do?
Best answer: D
Explanation: Managed identities let Azure workloads authenticate to Microsoft Entra-protected services with platform-issued tokens, so no secret is stored, deployed, or rotated by the application. Granting only the required Key Vault permission (for example, read access to secrets on one vault) keeps access limited and auditable. Storing secrets in app settings, shared accounts, or spreadsheets increases exposure and weakens rotation and accountability.
What this tests: secure administrative access
A virtual machine must be administered without exposing RDP or SSH directly to the internet. Which design best reduces public attack surface?
Best answer: A
Explanation: AZ-500 scenarios often test secure access path selection. Removing the public IP from the VM and reaching it through a controlled path (Azure Bastion, a VPN or ExpressRoute-connected subnet, or just-in-time access) reduces risk. Strong passwords help but do not justify exposing management ports. Adding more public IPs or disabling monitoring moves in the wrong direction.
What this tests: storage security
A storage account contains private customer documents. The organization wants to prevent accidental public blob access and require secure transport. Which configuration is most appropriate?
Best answer: C
Explanation: Storage security combines public-access prevention (anonymous blob access disabled), transport protection (HTTPS only with a minimum TLS version), network controls (account firewall rules or private endpoints), and least privilege (Microsoft Entra data-plane roles scoped to a container rather than shared keys). Public containers and obscured URLs are not suitable for private customer documents. Storage Blob Data Owner on the whole account should be avoided unless the role is truly required.
What this tests: Defender for Cloud prioritization
Microsoft Defender for Cloud reports several recommendations across compute, storage, and identity. What is the best way to prioritize remediation?
Best answer: B
Explanation: Security posture management is risk-based. Severity, exposure, business criticality, and compliance obligations help determine what should be fixed first. Age alone is not enough, and ignoring production or compliance-sensitive findings creates avoidable risk.
What this tests: Key Vault governance
A team uses Azure Key Vault for production encryption keys. Which combination best supports secure operations?
Best answer: D
Explanation: Key Vault operations should be restricted (RBAC or access policies granting only the needed operations), monitored (diagnostic logging of the AuditEvent category to a SIEM or Log Analytics workspace), and protected from accidental or malicious deletion (soft delete plus purge protection, optionally a resource lock). Broad permissions, public backups, and disabled logs undermine the purpose of centralized key protection.
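The managed-identity scenario above and this Key Vault governance scenario are served by one added example (not code from the original page) using the Az PowerShell modules. Resource group, app, vault, and workspace names are placeholders; the assumption is that the App Service app and the Log Analytics workspace already exist.

```powershell
# Added example: hardened Key Vault plus credential-free access from App Service (Az.KeyVault,
# Az.Websites, Az.Monitor, Az.Resources, Az.OperationalInsights). Names below are assumptions.
$rg       = "rg-prod-app"
$app      = "app-orders-prod"
$vault    = "kv-orders-prod"
$location = "westeurope"

# 1. Vault with RBAC authorization, 90-day soft delete and purge protection.
#    Purge protection cannot be switched off again; that is the point for production keys.
$kv = New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location $location `
        -EnableRbacAuthorization -EnablePurgeProtection -SoftDeleteRetentionInDays 90

# 2. Data-plane audit trail: AuditEvent records every get/set/sign/decrypt call with caller identity.
$ws  = Get-AzOperationalInsightsWorkspace -ResourceGroupName "rg-security" -Name "law-sec-prod"
$log = New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category "AuditEvent"
New-AzDiagnosticSetting -Name "kv-audit" -ResourceId $kv.ResourceId -WorkspaceId $ws.ResourceId -Log $log

# 3. Management-plane guard: nobody deletes the vault resource without first removing the lock.
New-AzResourceLock -LockName "kv-no-delete" -LockLevel CanNotDelete -ResourceName $vault `
    -ResourceType "Microsoft.KeyVault/vaults" -ResourceGroupName $rg -Force

# 4. System-assigned managed identity on the App Service; Entra issues its tokens, no secret exists.
$webapp      = Set-AzWebApp -ResourceGroupName $rg -Name $app -AssignIdentity $true
$principalId = $webapp.Identity.PrincipalId

# 5. Least privilege: "Key Vault Secrets User" (read secrets only) scoped to this one vault.
#    Not "Key Vault Administrator", and not an assignment at resource-group or subscription scope.
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName "Key Vault Secrets User" -Scope $kv.ResourceId

# 6. Put the secret in the vault and reference it from configuration. The app setting holds only
#    a pointer; App Service resolves it at startup using the managed identity.
$value = Read-Host -AsSecureString -Prompt "Orders DB connection string"
Set-AzKeyVaultSecret -VaultName $vault -Name "OrdersDbConnection" -SecretValue $value | Out-Null

# Caution: -AppSettings replaces the whole settings collection; merge with existing settings first.
$existing = (Get-AzWebApp -ResourceGroupName $rg -Name $app).SiteConfig.AppSettings
$settings = @{}
foreach ($s in $existing) { $settings[$s.Name] = $s.Value }
$settings["ORDERS_DB"] = "@Microsoft.KeyVault(VaultName=$vault;SecretName=OrdersDbConnection)"
Set-AzWebApp -ResourceGroupName $rg -Name $app -AppSettings $settings | Out-Null

# 7. Verify the governance settings took effect.
Get-AzKeyVault -VaultName $vault | Select-Object VaultName, EnableRbacAuthorization, EnableSoftDelete, EnablePurgeProtection
```

Rotation then happens entirely in the vault: a new secret version is added, the app setting reference is unchanged, and the AuditEvent log shows exactly which identity read which version and when.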
What this tests: RBAC versus network controls
A user can reach a storage endpoint over the network but receives an authorization error when trying to read blobs. What is the most likely control gap?
Best answer: A
Explanation: Network reachability and authorization are separate layers. A user can reach an endpoint but still fail if RBAC, ACLs, or data-plane permissions do not allow the requested action; control-plane roles such as Reader or Contributor do not grant blob reads, and a request that still uses shared-key authentication fails if the account has shared-key access disabled. AZ-500 questions often require separating reachability from permission.
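The storage scenario above (private customer documents) and this reachability-versus-permission scenario are served by one added example using the Az PowerShell modules; it is not code from the original page. Account, container, subnet, group, and user names are placeholders. The error-code matching relies on the storage service's documented error codes, which the Azure SDK includes in the exception message.

```powershell
# Added example: harden a storage account, then distinguish "cannot reach" from "not allowed".
# Az.Storage and Az.Resources; all names are assumptions.
$rg = "rg-data-prod"; $sa = "stcustomerdocs01"; $container = "customer-docs"
$appSubnetId = "/subscriptions/<sub-id>/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-app"  # placeholder
$readerGroupId = (Get-AzADGroup -DisplayName "sg-customer-docs-readers").Id

# --- Hardening -------------------------------------------------------------------------
$account = Set-AzStorageAccount -ResourceGroupName $rg -Name $sa `
    -AllowBlobPublicAccess $false `   # no anonymous container/blob access, regardless of container ACL
    -EnableHttpsTrafficOnly $true `   # reject plain HTTP
    -MinimumTlsVersion TLS1_2 `
    -AllowSharedKeyAccess $false      # Entra identities only; account keys and SAS stop working

# Network: deny by default, allow only the application subnet (a private endpoint is the stronger option).
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $sa -DefaultAction Deny -Bypass AzureServices | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $sa -VirtualNetworkResourceId $appSubnetId | Out-Null

# Least privilege at the narrowest scope: reader on one container, not Data Owner on the account.
$containerScope = "$($account.Id)/blobServices/default/containers/$container"
New-AzRoleAssignment -ObjectId $readerGroupId -RoleDefinitionName "Storage Blob Data Reader" -Scope $containerScope | Out-Null

# --- Diagnosis: which layer is rejecting the signed-in user? -----------------------------
# A TCP connect to port 443 tells you nothing: the account firewall answers at the HTTP layer
# with 403, so read the storage error code instead of testing the socket.
$ctx = New-AzStorageContext -StorageAccountName $sa -UseConnectedAccount
try {
    Get-AzStorageBlob -Container $container -Context $ctx -MaxCount 1 | Out-Null
    "OK: path open and a data-plane role is present"
} catch {
    switch -Regex ($_.Exception.Message) {
        "AuthorizationPermissionMismatch"    { "Reachable, not authorized: no Storage Blob Data role at or above $containerScope"; break }
        "AuthorizationFailure"               { "Blocked by account network rules (firewall/VNet rules/private endpoint only): fix the path, not RBAC"; break }
        "KeyBasedAuthenticationNotPermitted" { "Client used shared key; the account requires Microsoft Entra authentication"; break }
        default                              { "Other failure: $($_.Exception.Message)" }
    }
}

# Show effective data-plane roles for a user, including ones inherited through groups or parent scopes.
$userId = (Get-AzADUser -UserPrincipalName "bob@contoso.example").Id   # placeholder UPN
Get-AzRoleAssignment -ObjectId $userId -Scope $containerScope -ExpandPrincipalGroups |
    Where-Object { $_.RoleDefinitionName -like "Storage Blob Data*" } |
    Select-Object RoleDefinitionName, Scope
```

If the role list is empty while the network test shows `AuthorizationPermissionMismatch`, the fix is a data-plane assignment at the container scope; if the error is `AuthorizationFailure`, adding roles changes nothing until the caller's source is permitted by the network rules.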
What this tests: just-in-time VM access
A security engineer wants to reduce standing exposure for VM management ports while still allowing approved administrators to connect for short maintenance windows. Which feature is the best match?
Best answer: C
Explanation: Just-in-time VM access, a Microsoft Defender for Cloud (Defender for Servers) feature, keeps management ports denied in the NSG or Azure Firewall and opens them only when an approved request is made, only for the requested window, and only from the requested source addresses. Permanent internet exposure and shared administrator credentials increase attack surface.
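The secure-administrative-path scenario above and this just-in-time scenario are combined in one added example with the Az PowerShell modules (Az.Compute, Az.Network, Az.Security); it is not code from the original page. VM, VNet, and address-range values are placeholders, and the assumption is that the VNet already contains an `AzureBastionSubnet` and that the JIT source range is that subnet, so administrators reach the VM only through Bastion and only while a JIT request is open.

```powershell
# Added example: remove public exposure, add a Bastion path, then gate the ports with JIT.
$rg = "rg-app-prod"; $vmName = "vm-app-01"; $location = "westeurope"; $vnet = "vnet-app"
$bastionSubnetRange = "10.10.255.0/26"   # assumed AzureBastionSubnet range (must be /26 or larger)

$vm  = Get-AzVM -ResourceGroupName $rg -Name $vmName
$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id

# 1. Detach the public IP from the NIC. Without it there is no internet-facing RDP/SSH at all.
$nic.IpConfigurations[0].PublicIpAddress = $null
$nic | Set-AzNetworkInterface | Out-Null

# 2. Azure Bastion gives browser/native-client RDP and SSH over TLS from the portal, with the
#    session terminating inside the VNet. One Standard static public IP belongs to Bastion, not the VM.
New-AzPublicIpAddress -ResourceGroupName $rg -Name "pip-bastion" -Location $location `
    -AllocationMethod Static -Sku Standard | Out-Null
New-AzBastion -ResourceGroupName $rg -Name "bas-app" `
    -PublicIpAddressRgName $rg -PublicIpAddressName "pip-bastion" `
    -VirtualNetworkRgName $rg -VirtualNetworkName $vnet -Sku Standard | Out-Null

# 3. JIT policy: Defender writes the deny rules for 22/3389 into the NSG now, and allow rules
#    only while a request is active. Maximum window three hours, source limited to the Bastion subnet.
$jitPolicy = @{
    id    = $vm.Id
    ports = @(
        @{ number = 22;   protocol = "*"; allowedSourceAddressPrefix = @($bastionSubnetRange); maxRequestAccessDuration = "PT3H" },
        @{ number = 3389; protocol = "*"; allowedSourceAddressPrefix = @($bastionSubnetRange); maxRequestAccessDuration = "PT3H" }
    )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $location -Name "default" `
    -ResourceGroupName $rg -VirtualMachine @($jitPolicy) | Out-Null

# 4. An administrator's one-hour request (the request is itself logged in the activity log).
$subId = (Get-AzContext).Subscription.Id
$jitResourceId = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"
$request = @{
    id    = $vm.Id
    ports = @(@{
        number                     = 22
        endTimeUtc                 = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
        allowedSourceAddressPrefix = @($bastionSubnetRange)
    })
}
Start-AzJitNetworkAccessPolicy -ResourceId $jitResourceId -VirtualMachine @($request)

# 5. Confirm the VM no longer has a public address and that the JIT policy covers it.
(Get-AzNetworkInterface -ResourceId $nic.Id).IpConfigurations[0].PublicIpAddress   # expected: empty
Get-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $location -Name "default" |
    Select-Object -ExpandProperty VirtualMachines | Select-Object Id, Ports
```

JIT requires Defender for Servers Plan 2 on the subscription; without it `Set-AzJitNetworkAccessPolicy` is rejected, which is the first thing to check when the cmdlet fails.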
What this tests: database security monitoring
An Azure SQL workload stores sensitive data. The team needs audit evidence and alerts for suspicious activity. What should be part of the design?
Best answer: B
Explanation: Database security needs access control, audit evidence, and detection. Azure SQL auditing (written to a Log Analytics workspace, Event Hubs, or a storage account) and Microsoft Defender for Azure SQL (threat detection for injection attempts, anomalous access, and brute-force logins) support investigation and compliance. Removing logs or assigning broad owner permissions weakens accountability.
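One way to set this up, as an added example with the Az PowerShell modules (Az.Sql, Az.Security, Az.OperationalInsights); it is not code from the original page. Server, workspace, and group names are placeholders; the `Set-AzSqlServerAdvancedThreatProtectionSetting` parameter names are those of Az.Sql 2.x and should be confirmed against the installed module version.

```powershell
# Added example: auditing, threat detection, and Entra-based administration for an Azure SQL server.
$rg = "rg-data-prod"; $server = "sql-orders-prod"
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName "rg-security" -Name "law-sec-prod"

# 1. Server-level auditing applies to every database on the server. The three default action
#    groups capture logins (success/failure) and completed batches; narrow with -PredicateExpression if needed.
Set-AzSqlServerAudit -ResourceGroupName $rg -ServerName $server `
    -LogAnalyticsTargetState Enabled -WorkspaceResourceId $ws.ResourceId `
    -AuditActionGroup "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", "FAILED_DATABASE_AUTHENTICATION_GROUP", "BATCH_COMPLETED_GROUP"

# 2. Microsoft Defender for Azure SQL is a subscription-level plan; enabling it turns on
#    threat detection (SQL injection, anomalous client, brute force) for all servers.
Set-AzSecurityPricing -Name "SqlServers" -PricingTier "Standard" | Out-Null

# 3. Route the server's threat-protection alerts to the SOC mailbox as well as the subscription admins.
Set-AzSqlServerAdvancedThreatProtectionSetting -ResourceGroupName $rg -ServerName $server `
    -NotificationRecipientsEmails "secops@contoso.example" -EmailAdmins $true | Out-Null

# 4. Administration through a Microsoft Entra group, so every privileged login is a named identity
#    in the audit log rather than the shared SQL "sa"-style server admin.
Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $rg -ServerName $server -DisplayName "sg-sql-admins" | Out-Null

# 5. Evidence check: failed logins in the last 24 hours, from the audit events now landing in Log Analytics.
$kql = @"
AzureDiagnostics
| where Category == "SQLSecurityAuditEvents"
| where action_name_s == "DATABASE AUTHENTICATION FAILED"
| where TimeGenerated > ago(24h)
| summarize attempts = count() by server_principal_name_s, client_ip_s
| order by attempts desc
"@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql).Results | Format-Table -AutoSize
```

Audit data typically appears in the workspace several minutes after the setting is applied, so run the query after generating a deliberate failed login rather than immediately.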
What this tests: incident response
An alert suggests that a production VM may be compromised. What should the security engineer do before deleting the resource?
Best answer: D
Explanation: Incident response requires evidence preservation before destructive cleanup. Logs, alerts, disk snapshots, timeline data, and related signals may be needed to determine scope and root cause, so the usual order is snapshot the disks, isolate the VM at the network layer (which keeps memory and process state available for live triage), lock the resources, and only then remediate. Deleting resources first can destroy evidence.
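The preserve-then-isolate sequence, as an added example with the Az PowerShell modules (Az.Compute, Az.Network, Az.Resources, Az.Monitor); it is not code from the original page. The VM and evidence resource-group names are placeholders, and the assumption is that a separate, access-restricted resource group for evidence already exists.

```powershell
# Added example: capture evidence and contain a suspected-compromised VM without deleting anything.
$rg = "rg-app-prod"; $vmName = "vm-app-01"; $evidenceRg = "rg-ir-evidence"
$vm    = Get-AzVM -ResourceGroupName $rg -Name $vmName
$stamp = (Get-Date).ToUniversalTime().ToString("yyyyMMddTHHmmssZ")

# 1. Snapshot every disk first (OS and data). Snapshots go to a separate RG and are immediately locked.
$diskIds = @($vm.StorageProfile.OsDisk.ManagedDisk.Id) +
           @($vm.StorageProfile.DataDisks | ForEach-Object { $_.ManagedDisk.Id })
foreach ($diskId in $diskIds) {
    $snapName = "snap-$($diskId.Split('/')[-1])-$stamp"
    $cfg = New-AzSnapshotConfig -SourceUri $diskId -Location $vm.Location -CreateOption Copy
    New-AzSnapshot -ResourceGroupName $evidenceRg -SnapshotName $snapName -Snapshot $cfg | Out-Null
    New-AzResourceLock -LockName "evidence-hold" -LockLevel CanNotDelete -ResourceName $snapName `
        -ResourceType "Microsoft.Compute/snapshots" -ResourceGroupName $evidenceRg -Force | Out-Null
}

# 2. Isolate instead of powering off: a dedicated deny-all NSG on the NIC cuts the attacker's
#    channel while volatile state (memory, processes, sockets) stays intact for live response.
$iso = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name "nsg-isolated-$vmName" -Location $vm.Location
$iso | Add-AzNetworkSecurityRuleConfig -Name "DenyAllIn"  -Priority 100 -Direction Inbound  -Access Deny `
        -Protocol * -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange * | Out-Null
$iso | Add-AzNetworkSecurityRuleConfig -Name "DenyAllOut" -Priority 100 -Direction Outbound -Access Deny `
        -Protocol * -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange * | Out-Null
$iso = $iso | Set-AzNetworkSecurityGroup

$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$nic.NetworkSecurityGroup = $iso
$nic | Set-AzNetworkInterface | Out-Null

# 3. Nobody deletes the VM while the case is open (the lock must be removed explicitly first).
New-AzResourceLock -LockName "ir-hold" -LockLevel CanNotDelete -ResourceName $vmName `
    -ResourceType "Microsoft.Compute/virtualMachines" -ResourceGroupName $rg -Force | Out-Null

# 4. Timeline: control-plane actions against the VM over the last week (who, what, when).
Get-AzActivityLog -ResourceId $vm.Id -StartTime (Get-Date).AddDays(-7) |
    Select-Object EventTimestamp, Caller, @{n = "Operation"; e = { $_.OperationName.Value }}, @{n = "Status"; e = { $_.Status.Value }} |
    Export-Csv -Path "ir-$vmName-$stamp-activity.csv" -NoTypeInformation

"Evidence captured: $($diskIds.Count) snapshot(s) in $evidenceRg; $vmName isolated and locked."
```

The outbound deny also cuts the VM off from the Log Analytics agent and update services, which is accepted for the duration of the case; collect guest logs through the snapshot or via the Run Command channel, which does not depend on the NSG.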
What this tests: privileged access
An administrator needs occasional Global Administrator access for a planned change, but the organization wants to avoid standing privilege. Which Microsoft Entra feature is the best fit?
Best answer: A
Explanation: Privileged Identity Management supports just-in-time privileged role activation, approvals, MFA, justification, and auditing. Permanent broad roles and shared accounts make privilege harder to control and investigate.
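The eligible-assignment-then-activate flow, as an added example with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance); it is not code from the original page. The Global Administrator role definition ID is a fixed, well-known value; the user principal name, durations, and justification text are assumptions, and MFA or approval on activation is enforced by the role's PIM settings rather than by this script.

```powershell
# Added example: PIM eligibility and just-in-time activation for Global Administrator.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"           # Global Administrator (well-known)
$adminObjectId     = (Get-MgUser -UserId "alice.admin@contoso.example").Id   # placeholder UPN
$nowUtc            = (Get-Date).ToUniversalTime().ToString("o")

# 1. Make the administrator *eligible* for 180 days. No standing privilege exists after this:
#    the role shows up only after an activation request that PIM records and can require approval for.
$eligibility = @{
    action           = "adminAssign"
    justification    = "Change-window owner for tenant configuration; activation only when needed"
    roleDefinitionId = $globalAdminRoleId
    directoryScopeId = "/"                       # tenant-wide; use an administrative unit ID for narrower scope
    principalId      = $adminObjectId
    scheduleInfo     = @{
        startDateTime = $nowUtc
        expiration    = @{ type = "afterDuration"; duration = "P180D" }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility | Out-Null

# 2. On the day of the planned change, the administrator self-activates for two hours.
#    PIM applies the role settings (MFA, approval, maximum duration) to this request.
$activation = @{
    action           = "selfActivate"
    justification    = "Planned change: update tenant-wide Conditional Access policy CA001"
    roleDefinitionId = $globalAdminRoleId
    directoryScopeId = "/"
    principalId      = $adminObjectId
    scheduleInfo     = @{
        startDateTime = $nowUtc
        expiration    = @{ type = "afterDuration"; duration = "PT2H" }
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation | Out-Null

# 3. Audit: who holds Global Administrator *actively* right now, and until when.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "roleDefinitionId eq '$globalAdminRoleId'" |
    Select-Object PrincipalId, AssignmentType, StartDateTime, EndDateTime
```

A permanent assignment shows up in step 3 with no `EndDateTime`; that list is the quickest way to find standing Global Administrators that should be converted to eligible.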
What this tests: Azure Policy
A company wants to prevent new resources from being deployed in unapproved regions and audit existing resources that violate tagging standards. Which Azure capability is most appropriate?
Best answer: C
Explanation: Azure Policy evaluates resources against rules whose effect can be deny (block the deployment), audit (flag non-compliance without blocking), modify, or deployIfNotExists (remediate), assigned at management-group, subscription, resource-group, or resource scope with optional exclusions. It is designed for governance at scale: one assignment at a management group covers every subscription beneath it. Manual checklists and VM scripts do not provide consistent policy enforcement across Azure resources.
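The two rules in this scenario (deny unapproved regions, audit missing tags), as an added example with the Az PowerShell modules (Az.Resources, Az.PolicyInsights); it is not code from the original page. The management-group name, the allowed regions, and the tag name are assumptions; the policy-rule JSON uses only the `location`, `tags[]`, and `parameters()` constructs of the Azure Policy definition language.

```powershell
# Added example: custom policy definitions assigned at a management group.
$mgName  = "mg-landing-zones"                                             # assumed management group
$mgScope = "/providers/Microsoft.Management/managementGroups/$mgName"

# Definition 1: deny anything outside the approved regions. Resources with location "global"
# (DNS zones, Traffic Manager, Front Door) are excluded or they could never be deployed.
$locationRule = @'
{
  "if": {
    "allOf": [
      { "field": "location", "notIn": "[parameters('allowedLocations')]" },
      { "field": "location", "notEquals": "global" }
    ]
  },
  "then": { "effect": "deny" }
}
'@
$locationParams = @'
{ "allowedLocations": { "type": "Array", "metadata": { "displayName": "Allowed locations", "strongType": "location" } } }
'@
$denyRegions = New-AzPolicyDefinition -Name "deny-unapproved-regions" `
    -DisplayName "Deny resources outside approved regions" `
    -Policy $locationRule -Parameter $locationParams -Mode All -ManagementGroupName $mgName

# Definition 2: audit (do not block) resources missing a required tag. Mode "Indexed" limits
# evaluation to resource types that support tags, which avoids noise from child resources.
$tagRule = @'
{
  "if": { "field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false" },
  "then": { "effect": "audit" }
}
'@
$tagParams = @'
{ "tagName": { "type": "String", "metadata": { "displayName": "Required tag name" } } }
'@
$auditTag = New-AzPolicyDefinition -Name "audit-required-tag" `
    -DisplayName "Audit resources missing a required tag" `
    -Policy $tagRule -Parameter $tagParams -Mode Indexed -ManagementGroupName $mgName

# Assignments at the management group: every subscription beneath inherits them.
# Parameter values are supplied per assignment, so the same definition serves different scopes.
New-AzPolicyAssignment -Name "deny-regions" -Scope $mgScope -PolicyDefinition $denyRegions `
    -PolicyParameterObject @{ allowedLocations = @("westeurope", "northeurope") } | Out-Null
New-AzPolicyAssignment -Name "audit-owner-tag" -Scope $mgScope -PolicyDefinition $auditTag `
    -PolicyParameterObject @{ tagName = "owner" } | Out-Null

# Compliance view: existing resources that violate the tagging standard (deny only affects new deployments).
Get-AzPolicyState -ManagementGroupName $mgName `
    -Filter "PolicyAssignmentName eq 'audit-owner-tag' and ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ResourceLocation, Timestamp
```

Compliance results are produced by a periodic evaluation cycle; trigger one with `Start-AzPolicyComplianceScan` on a subscription rather than waiting for the scheduled run when validating a new assignment.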

| Cue | What to remember |
|---|---|
| Identity first | Many Azure security scenarios start with Microsoft Entra ID, Conditional Access, RBAC, PIM, or managed identity. |
| Reachability is not permission | NSGs, firewalls, and private endpoints control paths; RBAC and data-plane permissions control allowed actions. |
| Posture is risk-based | Defender recommendations should be prioritized by exposure, impact, severity, and compliance context. |
| Protect evidence | Incident response usually starts with preserving logs, alerts, snapshots, and timeline data before cleanup. |
| Verify status | AZ-500 has a published retirement date; check Microsoft Learn before scheduling or buying materials. |