Microsoft SC-500 Practice Test: Cloud and AI Security

SC-500 is Microsoft’s cloud and AI security route for security engineers who protect Microsoft Azure and Microsoft 365 environments, including identity, cloud infrastructure, Defender controls, security posture, and AI workload security.

Start with the free SC-500 diagnostic or the 24 public sample questions. See how Microsoft cloud and AI security questions handle identity, access, governance, storage, networking, compute, Defender, Sentinel, posture management, and AI workload controls before you subscribe; IT Mastery then gives you a stable, blueprint-mapped practice bank with timed mocks, topic drills, progress tracking, and detailed explanations across web and mobile.

Free diagnostic: Try the SC-500 full-length practice exam before subscribing. Use it as one Microsoft cloud-and-AI-security baseline, then return to IT Mastery for timed mocks, domain drills, explanations, and the full SC-500 question bank.

What this SC-500 practice page gives you

• a direct route into IT Mastery practice for SC-500
• 24 on-page sample questions with detailed explanations
• a free 60-question diagnostic across the SC-500 domains
• topic drills and mixed sets across identity, governance, storage, networking, compute, and security posture monitoring
• the same IT Mastery account across web and mobile

Who SC-500 is for

• security engineers protecting Azure, Microsoft 365, identity, network, application, data, compute, and AI workloads
• candidates comparing Azure-native AZ-500 security with newer AI-aware Microsoft security coverage
• teams that need practice around Defender, Entra ID, Key Vault, posture management, regulatory controls, and AI security boundaries

SC-500 exam snapshot

• Issuer: Microsoft
• Certification lane: Microsoft Certified: Cloud and AI Security Engineer Associate
• Exam code: SC-500
• Microsoft Learn course: Implement end-to-end security controls for cloud and AI workloads
• Current IT Mastery status: live practice available

Topic coverage for SC-500 planning

Use these live IT Mastery pages now

Practice options

• Current status: live IT Mastery practice available
• IT Mastery practice includes: SC-500 topic drills, mixed sets, timed mocks, detailed explanations, and progress tracking
• Best use right now: start with the free diagnostic or public sample set, then drill the SC-500 domains that produce misses
• Good comparison route: use AZ-500 for Azure-native security context; SC-500 is the Microsoft cloud-and-AI-security page on this site

Focused sample questions

Use these child pages when you want focused IT Mastery practice before returning to mixed sets and timed mocks.

• Free Microsoft SC-500 Full-Length Practice Exam
• Microsoft SC-500 Cheat Sheet
• Identity and Governance
• Storage and Networking Security
• Secure Compute
• Security Posture Monitoring

Free study resources

Need concept review first? Read the Microsoft SC-500 Cheat Sheet for compact concept review before returning to timed practice.

24 SC-500 sample questions with detailed explanations

These are original IT Mastery practice questions aligned to Microsoft cloud and AI security engineering, including identity, governance, storage, networking, compute, Defender, Sentinel, posture management, and AI workload controls. They are not Microsoft exam questions and are not copied from any exam sponsor. Use them to check readiness here, then continue in IT Mastery with mixed sets, topic drills, and timed mocks.

Question 1

Topic: Manage Identity, Access, and Governance

A company has a Microsoft Entra administrative unit named Retail Users. A regional support group must update only a small set of user directory attributes for users in that administrative unit. Existing Microsoft Entra built-in roles include permissions the group must not receive, and the group must not receive access to Azure subscriptions. Which approach should you implement?

Options:

• A. Create a Microsoft Entra custom role scoped to the administrative unit

• B. Assign User Administrator scoped to the administrative unit

• C. Use PIM approval for an existing directory role

• D. Create an Azure RBAC custom role scoped to a resource group

Best answer: A

Explanation: Microsoft Entra custom roles are used for tailored directory-plane administration, such as limiting which user or application management actions an admin can perform. In this scenario, the required actions are Microsoft Entra directory permissions, not Azure resource management permissions. Assigning the custom role at the administrative unit scope also limits the affected objects to users in Retail Users. Administrative unit scoping controls the target objects, while the custom role controls the allowed actions. Azure RBAC, resource scopes, and subscription access apply to Azure resources rather than Microsoft Entra directory objects.

• Azure RBAC boundary fails because Azure RBAC custom roles manage Azure Resource Manager resources, not Microsoft Entra user attributes.
• Built-in role scope fails because User Administrator may still grant more directory actions than the support group needs.
• PIM activation fails because PIM governs how a role assignment is activated, not which permissions the role contains.

Question 2

Topic: Manage Identity, Access, and Governance

An Azure Functions app uses a system-assigned managed identity to read the value of one secret, SqlPassword, from an Azure Key Vault that uses the Azure RBAC permission model. The app does not create, rotate, or read other vault objects. You must preserve least privilege. Which implementation should you use?

Options:

• A. Add an access policy for secrets, keys, and certificates.

• B. Assign Key Vault Secrets User at the SqlPassword secret scope.

• C. Assign Key Vault Reader at the vault scope.

• D. Assign Key Vault Secrets Officer at the vault scope.

Best answer: B

Explanation: For a Key Vault that uses Azure RBAC, assign data-plane roles at the narrowest feasible scope. Reading a secret value requires a secret-specific data-plane role, not a management-plane reader role. Because the app needs only the value of SqlPassword, the least-privilege implementation is to give its managed identity Key Vault Secrets User scoped to that specific secret. That avoids certificate permissions, key permissions, and secret management permissions. Vault-scoped officer roles or permissions across multiple object types expand the access boundary beyond the scenario.

• Reader role trap fails because Key Vault Reader can view metadata but cannot read secret values.
• Officer role trap fails because Key Vault Secrets Officer can manage secrets and is broader than read-only access.
• Access policy trap fails because the vault uses Azure RBAC, and granting secrets, keys, and certificates is overbroad.

Question 3

Topic: Manage Identity, Access, and Governance

A security engineer cannot create a new Conditional Access policy in Microsoft Entra ID and receives an insufficient privileges message. Use the exhibit to choose the best next action.

Exhibit: Privileged access summary

Options:

• A. Configure an authentication methods policy for Maya.

• B. Assign Maya permanent Global Administrator access.

• C. Activate the eligible role in PIM, then retry.

• D. Grant admin consent to the Microsoft Entra app.

Best answer: C

Explanation: Privileged Identity Management separates eligible assignments from active privileges. An eligible role assignment does not grant administrative permissions until the user activates the role and satisfies the activation requirements, such as MFA and justification. In the exhibit, Maya has the Conditional Access Administrator role only as eligible, while her only active role is Security Reader. Security Reader cannot create Conditional Access policies, so the insufficient privileges message is expected until the PIM activation occurs. The key takeaway is that eligibility is not the same as usable administrative access.

• Permanent admin access is excessive because the exhibit already shows an eligible role that can be activated just-in-time.
• Authentication methods policy does not activate an eligible privileged role or grant Conditional Access administration rights.
• Admin consent affects application permissions, not whether a user’s PIM role is active for an administrative task.

Question 4

Topic: Manage and Monitor Security Posture

A security team is onboarding a firewall and an email gateway to Microsoft Sentinel. Both products emit events only as CEF over Syslog and cannot run Azure agents. The team must preserve CEF normalization for Sentinel analytics while minimizing network exposure. Which configuration should the team implement?

Options:

• A. Deploy a Linux CEF forwarder with Azure Monitor Agent and a CEF data collection rule.

• B. Send raw CEF to a custom log table through HTTPS ingestion.

• C. Enable Defender for Cloud recommendations for the appliance resource group.

• D. Install Azure Monitor Agent directly on each appliance with a Security Events rule.

Best answer: A

Explanation: CEF-producing appliances typically send events by Syslog to a Linux log forwarder, because the appliances themselves cannot run Azure Monitor Agent. For Microsoft Sentinel, the forwarder runs Azure Monitor Agent and is associated with a data collection rule configured by the CEF connector. This keeps CEF events normalized for Sentinel analytics, commonly into the CEF/CommonSecurityLog experience, while letting the network team restrict Syslog inbound traffic to only the known appliance sources. The key control is to centralize collection on a hardened forwarder instead of opening broad ingestion paths or bypassing the CEF collection pipeline.

• Direct agent install fails because the appliances cannot run Azure agents and Security Events targets Windows event collection, not CEF appliances.
• Custom log ingestion bypasses the built-in CEF collection path and can lose expected Sentinel normalization.
• Defender recommendations assess posture but do not configure CEF Syslog collection into Microsoft Sentinel.

Question 5

Topic: Secure Compute

An organization is expanding Microsoft 365 Copilot. Microsoft Purview Data Security Posture Management (DSPM) reports that HR files in SharePoint contain sensitive data, are broadly accessible, and may surface in Copilot responses. Defender for Cloud also shows medium VM vulnerabilities in a separate subscription; the VMs do not store the HR files. Data owners must retain access decisions and remediation must preserve least privilege. Which design is the best fit?

Options:

• A. Close the Defender for Cloud VM vulnerability recommendations first.

• B. Use Purview DSPM evidence to have HR owners reduce broad SharePoint access.

• C. Require compliant devices for all Copilot access with Conditional Access.

• D. Grant the security team site admin access to all HR sites.

Best answer: B

Explanation: AI data exposure findings focus on whether sensitive content can be discovered or summarized by Copilot because permissions or sharing are too broad. In this scenario, the risky asset is HR content in SharePoint, not the separate Azure VMs. The best remediation path is to use Purview DSPM evidence to identify the exposed locations and have the HR data owners tighten permissions to the intended audience. This preserves least privilege and addresses the condition that makes Copilot exposure possible. VM vulnerability remediation and device-based access controls can be valid security work, but they do not correct overshared content that Copilot can access through existing user permissions.

• VM patch focus misses the stated evidence because the Defender for Cloud findings are separate workload vulnerabilities.
• Device compliance control may improve access security, but it does not fix broad SharePoint permissions.
• Security admin expansion weakens least privilege and bypasses the requirement for data-owner access decisions.

Question 6

Topic: Secure Compute

A security team manages Azure virtual machines in a virtual network. They must provide RDP and SSH access for administrators while ensuring the VMs have no public IP addresses and management ports are not exposed to the internet. Administrators should not need a VPN client. Which plan best meets the requirement?

Options:

• A. Create private endpoints for each virtual machine.

• B. Add NSG rules allowing administrators’ public IP addresses.

• C. Deploy Azure Bastion for private-IP RDP and SSH access.

• D. Enable just-in-time VM access for management ports.

Best answer: C

Explanation: Azure Bastion is designed for secure administrative connectivity to Azure VMs without exposing the VMs directly to the internet. It is deployed in a dedicated AzureBastionSubnet and lets administrators connect to VM private IP addresses for RDP or SSH. This matches the requirement to remove public IP addresses from the VMs, avoid opening management ports to the internet, and avoid requiring a VPN client on administrator workstations. Just-in-time access reduces exposure windows for management ports, but it does not provide the Bastion connection broker pattern by itself.

• JIT access can reduce open-port duration, but it is not the best fit when the requirement is no public VM exposure and no VPN client.
• NSG allow rules still expose management ports to selected public IP addresses, which violates the requirement.
• Private endpoints provide private access to supported PaaS services, not RDP or SSH brokering to VMs.

Question 7

Topic: Secure Compute

A team is hardening an Azure Generation 2 VM that uses a supported OS and VM size. The VM currently has Security type set to Standard. The new baseline requires TPM 2.0-like measured boot and key protection semantics, but it does not require confidential-computing memory encryption. What is the best next implementation step?

Options:

• A. Set Security type to Trusted launch and enable vTPM

• B. Redeploy the workload as a Confidential VM

• C. Enable Defender for Servers integrity monitoring first

• D. Enable Secure Boot without changing Security type

Best answer: A

Explanation: For Azure VMs, vTPM is configured as part of the VM security profile for supported Generation 2 Trusted launch VMs. Because the current VM uses the Standard security type, the next implementation step is to move the VM to Trusted launch and enable vTPM. That provides TPM 2.0-like measured boot and key protection semantics without requiring the broader memory-encryption guarantees of confidential computing. Secure Boot is commonly paired with vTPM, but it does not replace vTPM when TPM-backed semantics are required. Monitoring controls can validate posture later, after the required security capability exists.

• Secure Boot alone verifies boot components, but it does not provide TPM-backed key protection or measured boot state.
• Confidential VM adds stronger isolation and memory encryption, which the stated baseline does not require.
• Integrity monitoring first observes or validates boot-related posture, but it does not configure the missing vTPM capability.

Question 8

Topic: Manage and Monitor Security Posture

Your organization has a Microsoft Security Copilot workspace. The Microsoft Sentinel plugin is enabled, a Microsoft incident-triage agent and a Security Store phishing agent are available, and a Tier 1 analyst already has Microsoft Sentinel Reader on the target Sentinel workspace. You need the analyst to run prompts and available agents, but not manage Copilot workspace settings, plugins, or agents. Which configuration should you make?

Options:

• A. Assign the Security Copilot Contributor workspace role.

• B. Enable the Microsoft Sentinel plugin in the workspace.

• C. Assign the Security Copilot Owner workspace role.

• D. Install a Security Store agent for the analyst.

Best answer: A

Explanation: Microsoft Security Copilot access is controlled separately from the permissions in connected security products. In this scenario, the analyst already has the needed Microsoft Sentinel read permission, and the plugin and agents are already available. The remaining requirement is to allow the analyst to use Security Copilot without granting administrative control. A Contributor workspace role fits that need because it supports running prompts and using available capabilities, while an Owner role is for managing workspace configuration, access, plugins, and agent settings. Plugins, Microsoft agents, and Security Store agents extend what Copilot can do; they do not replace user access assignment or underlying data permissions.

• Owner role overgrants because it permits administration of workspace configuration, plugins, and agents.
• Plugin enablement misses access because the Sentinel plugin is already enabled and does not by itself grant workspace use.
• Agent installation misses access because a Security Store agent adds capability, not the analyst’s Copilot permission.

Question 9

Topic: Secure Storage, Databases, and Networking

A security team needs a searchable record of security-relevant activity for a production Azure SQL database, including database authentication events and completed T-SQL batches. The organization already uses a Log Analytics workspace for security investigations. Which configuration should you implement?

Options:

• A. Configure a storage account firewall rule for the database subnet.

• B. Enable Defender for Databases alerts only.

• C. Enable Transparent Data Encryption for the database.

• D. Enable Azure SQL auditing and send audit logs to Log Analytics.

Best answer: D

Explanation: Azure SQL Database auditing is the control used to record security-relevant database activity. It can capture events such as successful and failed authentications, permission changes, and completed batches, then write audit records to destinations such as Log Analytics, a storage account, or Event Hubs. Because the team needs searchable investigation data in an existing Log Analytics workspace, the auditing destination should be Log Analytics. Defender for Databases helps detect threats, but it does not replace audit logging for a required activity record.

• Encryption at rest protects stored data but does not create an activity trail.
• Threat alerts only can surface suspicious behavior but do not provide the required audit record.
• Network firewalling controls connectivity but does not record database-level security activity.

Question 10

Topic: Secure Storage, Databases, and Networking

A company hosts a billing API on VMs behind an internal Standard Load Balancer in a producer VNet. Partner teams in separate VNets and tenants must consume only this API over private IP. The producer must approve each consumer connection and must not provide broader network access to the producer VNet. Which configuration should you choose?

Options:

• A. Expose a public endpoint restricted by IP rules

• B. Publish a Private Link service and manually approve private endpoints

• C. Build site-to-site VPN tunnels to each consumer VNet

• D. Peer each consumer VNet with the producer VNet

Best answer: B

Explanation: Azure Private Link service is the producer-side pattern for publishing a service in one VNet to consumers through private endpoints. Because the API is already behind a Standard Load Balancer, the producer can create a Private Link service, control visibility, and require manual approval of each private endpoint connection. Each consumer reaches only the published service through a private IP in its own VNet. This avoids VNet peering or VPN routing that could expose broader address spaces or enable transitive access to the producer network. The key distinction is that Private Link publishes a service boundary, not a full network boundary.

• VNet peering provides private routing, but it extends network reachability beyond the single published service.
• Site-to-site VPNs create network-level connectivity and do not give producer-controlled private endpoint approval.
• Public endpoint IP restrictions still expose a public address and do not meet the private connectivity requirement.

Question 11

Topic: Secure Storage, Databases, and Networking

A security team is securing three Azure VM tiers in the same virtual network: web, API, and database. The team must allow HTTPS from web VMs to API VMs and SQL traffic from API VMs to database VMs, while avoiding IP-based rules because VMs are frequently added and replaced. The network team does not want to redesign subnets. Which design best fits the requirement?

Options:

• A. Create ASGs per tier and reference them in NSG rules

• B. Move each tier to a dedicated subnet and apply subnet NSGs

• C. Create service tags for each VM tier and use NSG rules

• D. Route all east-west traffic through Azure Firewall application rules

Best answer: A

Explanation: Application security groups (ASGs) are the best fit when Azure VM workloads need network security rules based on application role rather than IP addresses. In this scenario, the web, API, and database VMs are in the same virtual network, change frequently, and should not require subnet redesign. By assigning each VM NIC to the appropriate ASG, NSG rules can allow only the needed tier-to-tier traffic, such as web-to-API over HTTPS and API-to-database over SQL. This keeps rule targeting aligned to workload ownership and supports least privilege as instances scale or are replaced. Subnet-based rules can work in some designs, but they miss the stated constraint to avoid subnet redesign.

• Service tags represent Microsoft-managed service address ranges, not custom VM workload tiers.
• Dedicated subnets could enforce tier boundaries, but they overbuild the solution and conflict with the no-redesign constraint.
• Azure Firewall routing may centralize inspection, but it is unnecessary for NSG workload grouping and adds operational complexity.

Question 12

Topic: Manage and Monitor Security Posture

A security team enabled Defender CSPM and is reviewing secure score recommendations for a subscription. The team now needs to configure vulnerability management specifically for Azure VMs so that software and CVE findings are produced for those machines, not just posture recommendations. Which two actions should the engineer take? Select TWO.

Options:

• A. Review Defender CSPM attack paths for exposed VMs.

• B. Enable Microsoft Defender for Servers for the subscription.

• C. Add a regulatory compliance standard to Defender for Cloud.

• D. Create a Defender CSPM governance rule for VM recommendations.

• E. Configure vulnerability assessment for machines with Microsoft Defender Vulnerability Management.

• F. Enable Microsoft Defender EASM discovery for public assets.

Correct answers: B, E

Explanation: Defender CSPM helps identify and prioritize posture risk through recommendations, secure score, attack paths, and governance workflows. Those features can show that VMs have security issues, but they are not the configuration point for VM vulnerability assessment. To produce software inventory and CVE findings for Azure VMs, configure the server workload protection and vulnerability assessment settings in Defender for Cloud, typically using Microsoft Defender Vulnerability Management for machines. EASM, compliance standards, and governance rules can add visibility or tracking, but they do not configure the VM vulnerability scanner itself.

• Governance rule helps assign and track recommendations but does not enable VM vulnerability assessment.
• Compliance standard maps resources to controls but does not produce machine-level CVE findings.
• EASM discovery focuses on external attack surface assets, not Azure VM vulnerability assessment settings.
• Attack paths prioritize exposure chains but are not the scanner configuration for VM software vulnerabilities.

Question 13

Topic: Manage and Monitor Security Posture

A company uses Microsoft Sentinel and requires Windows Security events from domain-joined servers to be collected through an existing Windows Event Forwarding (WEF) design. Servers must not send telemetry directly to Azure. Which implementation should you use?

Options:

• A. Export .evtx files from each server to storage and ingest them with a custom log table.

• B. Deploy AMA to every server and configure a DCR for each local Security log.

• C. Configure source-initiated WEF to a collector and deploy AMA with a DCR for Windows Forwarded Events on the collector.

• D. Deploy AMA only to the collector and configure a DCR for the collector’s local Security log.

Best answer: C

Explanation: When WEF is part of the collection design, source computers forward selected Windows Security events to a Windows Event Collector by using WinRM and a WEF subscription, often configured through Group Policy. Microsoft Sentinel ingestion should then occur from the collector, not directly from every source server. Deploy Azure Monitor Agent on the collector and use an appropriate data collection rule for Windows Forwarded Events so the forwarded security events are sent to the Sentinel workspace. Collecting only the collector’s local Security log misses the forwarded event channel, and deploying agents to all source servers bypasses the stated WEF requirement.

• Per-server AMA bypasses WEF and violates the requirement that servers not send telemetry directly to Azure.
• Collector local log only captures the collector’s own Security log, not the forwarded events received from source servers.
• Custom file ingestion is operationally unnecessary and does not implement the standard Sentinel WEF collection path.

Question 14

Topic: Secure Compute

A security team is deploying a new Azure VM for a sensitive workload. The image is a supported Generation 2 image, and the requirement is to validate the boot chain before the operating system starts to help prevent bootkits and rootkits. Which implementation should you use?

Options:

• A. Enable Defender for Servers agentless scanning.

• B. Deploy Azure Bastion and remove public IP access.

• C. Create the VM as Trusted launch with Secure Boot enabled.

• D. Enable only vTPM on a standard security VM.

Best answer: C

Explanation: Secure Boot for Azure VMs is implemented through the Trusted launch security type on supported Generation 2 images. Secure Boot validates trusted boot components before the operating system loads, helping protect against bootkits and rootkits. A virtual TPM can complement this by supporting measured boot and key protection, but it does not replace the Secure Boot setting. Defender for Servers and access controls can improve detection or reduce remote exposure, but they do not configure boot-chain validation.

• vTPM only fails because measured boot support is complementary and does not enable Secure Boot by itself.
• Agentless scanning detects vulnerabilities and risk but does not enforce pre-OS boot validation.
• Bastion access reduces management-plane exposure but is unrelated to trusted boot protection.

Question 15

Topic: Secure Compute

A subscription has Defender for Servers Plan 2 enabled. The security team must discover OS and software vulnerabilities on Azure VMs without deploying additional agents, but VMs tagged SecurityScan=Exclude must be left out of the scan. Which Defender for Cloud configuration should you apply?

Options:

• A. Enable Defender for Endpoint integration in passive mode.

• B. Enable the Microsoft Sentinel Defender for Cloud connector.

• C. Enable the vulnerability assessment extension on all VMs.

• D. Enable agentless scanning and add exclusion tag SecurityScan=Exclude.

Best answer: D

Explanation: Agentless VM scanning in Microsoft Defender for Cloud supports vulnerability discovery without installing a guest agent or VM extension. With Defender for Servers Plan 2 enabled, the relevant setting is Agentless scanning for machines. The scan applies at the subscription or cloud connector scope, and exclusion tags let you omit specific machines that match a tag name and value. This directly satisfies both requirements: discover vulnerabilities without deploying agents and skip VMs tagged SecurityScan=Exclude. Agent-based vulnerability assessment or EDR integration can provide useful signals, but they do not meet the no-additional-agent requirement in this scenario.

• Assessment extension fails because it requires deploying an extension to VMs.
• Endpoint integration supports EDR and related signals, but it is not the agentless VM scanning setting.
• Sentinel connector ingests security data; it does not configure VM vulnerability scanning.

Question 16

Topic: Secure Storage, Databases, and Networking

An application on an Azure VM uses its managed identity to list blobs in container reports. The same code succeeds from subnet-a but fails from a VM in subnet-b.

What is the most likely cause?

Options:

• A. A stored access policy has expired.

• B. The managed identity lacks blob data permissions.

• C. Defender for Storage blocked the request.

• D. The storage firewall does not allow subnet-b.

Best answer: D

Explanation: Azure Storage access failures can come from different enforcement layers. In this scenario, the identity evidence is already favorable: the VM uses a Microsoft Entra token, and the managed identity has Storage Blob Data Reader at the storage account scope, which is appropriate for listing blobs. The decisive clue is the network evidence: the storage account allows only selected networks, and only subnet-a is listed. A 403 Client address is not authorized message aligns with a storage firewall rule blocking traffic from subnet-b. Stored access policies apply to SAS-based access, not this Entra-authenticated request. Defender for Storage provides threat detection and alerts; it is not the likely access gate shown here.

• RBAC role trap fails because Storage Blob Data Reader at account scope supports listing blobs with Microsoft Entra authentication.
• Stored policy trap fails because stored access policies constrain SAS tokens, while the request uses a Microsoft Entra token.
• Threat protection trap fails because Defender for Storage detects suspicious activity but is not the firewall-style control indicated by the error.

Question 17

Topic: Manage Identity, Access, and Governance

A member of the Privileged Operators group cannot access the Azure portal after a new sign-in requirement was deployed. The user can complete Microsoft Authenticator push MFA for other apps. What is the best interpretation and next action?

Options:

• A. Change the policy to require any MFA method.

• B. Enable per-user MFA for the affected account.

• C. Remove the user from the Conditional Access policy.

• D. Enable an eligible phishing-resistant method for the group.

Best answer: D

Explanation: Conditional Access decides when access requires a control, such as a specific authentication strength. Authentication-method configuration decides which methods users can register and use. In this exhibit, the Conditional Access policy is applying as designed by requiring phishing-resistant MFA. The available method, Microsoft Authenticator push, does not satisfy that phishing-resistant authentication strength. The right boundary to adjust is the authentication methods policy and user enrollment, such as enabling FIDO2 security keys, Windows Hello for Business, or certificate-based authentication for the appropriate group. Weakening or bypassing the Conditional Access policy would solve the symptom by removing the security requirement, not by meeting it.

• Policy exclusion would bypass the intended admin protection instead of resolving the missing eligible method.
• Per-user MFA does not enable a phishing-resistant method or satisfy the Conditional Access authentication strength.
• Any MFA weakens the requirement and ignores that the deployed control specifically requires phishing-resistant MFA.

Question 18

Topic: Manage Identity, Access, and Governance

A subscription is assigned the Microsoft cloud security benchmark in Defender for Cloud. The dashboard shows a recommendation that storage accounts should restrict network access, but a developer can still deploy a new storage account with public network access enabled. Before choosing a remediation path, what should you check first?

Options:

• A. Defender for Storage malware scanning settings

• B. The developer’s storage data-plane permissions

• C. Microsoft Sentinel connector health

• D. The underlying Azure Policy assignment effect

Best answer: D

Explanation: Defender for Cloud recommendations are posture findings generated from security standards and underlying policy assessments. They identify unhealthy resources and provide remediation guidance, but the recommendation itself does not automatically block deployments. Azure Policy is the governance engine that can audit, deny, modify, or deploy settings based on the assigned definition and effect. Because the noncompliant storage account can still be created, the useful diagnostic step is to inspect the related Azure Policy assignment and its effect before deciding whether to enforce, remediate, or only monitor the control.

• Defender for Storage settings affect workload protection for storage accounts, not whether Azure Resource Manager blocks creation.
• Data-plane permissions control access to stored data, not the policy evaluation for creating the storage account.
• Sentinel connector health affects ingestion and analytics, not Defender for Cloud recommendation enforcement.

Question 19

Topic: Manage and Monitor Security Posture

A company is deploying Microsoft Sentinel for a new SOC. Security data from three Azure subscriptions must be collected and managed in Sentinel. The data must stay in West Europe, and the SOC does not want to mix security data with an existing East US Log Analytics workspace used for VM performance logs. What should you implement?

Options:

• A. Create a West Europe Log Analytics workspace and enable Microsoft Sentinel.

• B. Enable Microsoft Sentinel on the existing East US workspace.

• C. Enable Defender for Cloud plans on each subscription.

• D. Create an Event Hubs namespace in West Europe for all logs.

Best answer: A

Explanation: Microsoft Sentinel uses a Log Analytics workspace as the boundary for data collection, retention, access, and Sentinel operations. When security data must be managed in Sentinel and kept separate from nonsecurity logs, create or select the appropriate Log Analytics workspace first, in the required region, and then enable Microsoft Sentinel on that workspace. After the workspace exists, Azure and Microsoft security data sources can be connected to that Sentinel-enabled workspace. An Event Hubs namespace can route events, and Defender for Cloud can generate security findings, but neither replaces creating the Sentinel workspace where the SOC manages collected data.

• Existing workspace fails because it is in East US and mixes SOC data with performance logs.
• Event Hubs routing can help move events but is not the Sentinel workspace used for management.
• Defender plans improve workload protection but do not create the Sentinel analytics workspace.

Question 20

Topic: Secure Compute

An organization publishes partner-facing REST APIs through Azure API Management. The back-end apps cannot be changed. Security requires rejecting calls that lack a Microsoft Entra-issued JWT with the expected audience and throttling each partner before requests reach the back-end API. Which control should you implement?

Options:

• A. Azure Web Application Firewall rules

• B. Inbound API Management policies

• C. Network security group rules

• D. Microsoft Entra app role assignments only

Best answer: B

Explanation: Azure API Management is the correct boundary for governed API access when the requirement is to enforce API-level policy before traffic reaches the back end. Inbound policies such as JWT validation, rate limiting, quotas, header checks, and IP filtering run at the API Management gateway and do not require changing back-end application code. WAF, Microsoft Entra ID, and network controls can be part of the broader architecture, but they do not replace API Management policy enforcement for per-request API governance and throttling.

• WAF rules help block common web attacks, but they are not the primary control for JWT claim validation and partner throttling in API Management.
• App role assignments only can help issue or authorize tokens, but they do not enforce gateway throttling or reject malformed API requests by themselves.
• NSG rules filter network traffic, but they do not inspect API tokens or apply API consumer quotas.

Question 21

Topic: Manage and Monitor Security Posture

A financial services team has ingested Azure Firewall logs into a Microsoft Sentinel workspace for 11 months. Compliance requires these firewall records to remain queryable for 1 year (365 days), while other Sentinel tables should keep default retention to limit cost. The SOC must prove the requirement without exporting logs to storage. Which evidence best validates the configuration?

Options:

• A. Workspace retention at 365 days for all Sentinel tables

• B. Purview Audit results for firewall administrator activity

• C. Storage lifecycle retention for exported firewall log blobs

• D. Table retention at 365 days with 11-month firewall query results

Best answer: D

Explanation: Microsoft Sentinel stores log data in a Log Analytics workspace, and retention can be managed at the table level. Because only the firewall log table requires extended retention, the best validation is evidence that the specific table is configured for 365-day retention and that an 11-month-old firewall record can be queried. This proves both the retention scope and the operational audit requirement. Workspace-wide retention would over-apply the setting to unrelated tables, while storage export would change the evidence source and violate the stated constraint.

• Workspace-wide retention fails because it extends all Sentinel tables instead of only the firewall log table.
• Storage lifecycle retention fails because the scenario requires proof without exporting logs to a storage account.
• Purview Audit activity fails because it shows administrative audit events, not Sentinel log retention or queryability.

Question 22

Topic: Secure Storage, Databases, and Networking

A security team manages a spoke VNet that hosts a VM-based API. The VM cannot connect to a partner endpoint on TCP 443 after an NSG update and a UDR change that sends internet-bound traffic to a hub Azure Firewall. You must determine the cause without weakening isolation or changing production rules. Which diagnostic approach is the best design fit?

Options:

• A. Use Network Watcher flow checks and correlate Azure Firewall logs.

• B. Review Azure Policy compliance for the affected subnet.

• C. Temporarily remove the NSG and retest the connection.

• D. Enable Defender for Cloud recommendations for the VM.

Best answer: A

Explanation: Azure Network Watcher is the right starting point when you need evidence for a connectivity issue without changing production controls. IP flow verify can test the VM NIC, direction, protocol, destination IP, and port to show whether an effective NSG rule allows or denies the flow. Effective security rules can then identify which combined subnet and NIC rules apply. Because the UDR sends internet-bound traffic to Azure Firewall, the investigation should also correlate the routed flow with Azure Firewall diagnostic logs to determine whether a firewall rule collection allowed or denied TCP 443. This separates NSG enforcement from firewall behavior while preserving network isolation.

• Removing the NSG weakens isolation and may hide the actual rule that caused the failure.
• Azure Policy compliance evaluates configuration state, not the live effective flow decision for a VM connection.
• Defender recommendations are posture guidance and do not directly prove whether this specific TCP flow is blocked.

Question 23

Topic: Secure Storage, Databases, and Networking

A security team is designing access to an Azure Storage account used by an internal analytics app in a spoke virtual network. The account must be reachable by the app over a private IP address, public network access must be disabled, and on-premises users connected through VPN must use the same private path. The DNS team can manage private DNS zones. Which design best meets the requirement?

Options:

• A. Force egress through Azure Firewall with an application rule.

• B. Allow the VPN gateway public IP in the storage firewall.

• C. Create a private endpoint, link Private DNS, and disable public access.

• D. Add the app subnet to the storage account firewall.

Best answer: C

Explanation: Private endpoints use Azure Private Link to place a private IP for a PaaS resource inside a virtual network. In this scenario, the decisive requirements are private IP access, disabled public network access, and VPN users using the same private path. The design should create the private endpoint in the spoke VNet, configure private DNS so the storage FQDN resolves to the private endpoint, and disable public network access on the storage account. A service firewall rule can restrict who reaches the service endpoint, but it does not create private network access through a private IP.

• Subnet firewall rule can restrict access but still relies on the service endpoint model rather than a private endpoint IP.
• VPN public IP allowlist uses public network access, which conflicts with the stated isolation requirement.
• Azure Firewall egress can govern outbound traffic but does not make the storage account privately reachable.

Question 24

Topic: Manage Identity, Access, and Governance

During an Azure RBAC review, the BackupOps Microsoft Entra group is found to have the Owner role at the subscription scope. The group must continue to configure backup policies and trigger restores for Recovery Services vaults in RG-Backup, and view VM metadata in RG-Prod. The group must not grant access or modify nonbackup resources. Which RBAC configuration should you implement?

Options:

• A. Remove Owner; assign Contributor at the subscription scope.

• B. Remove Owner; assign Backup Contributor on RG-Backup and Reader on RG-Prod.

• C. Remove Owner; assign Backup Contributor on RG-Backup only.

• D. Keep Owner; require PIM activation for the assignment.

Best answer: B

Explanation: Azure RBAC remediation should replace broad assignments with the least-privileged roles at the narrowest scope that still supports required work. Owner at the subscription scope grants role assignment and broad control-plane permissions beyond backup operations. Backup Contributor on RG-Backup supports managing backup policies and restores for the vaults, while Reader on RG-Prod preserves the required VM visibility without allowing changes. PIM can reduce standing privilege, but it does not fix an assignment whose active permissions are still too broad.

• Subscription Contributor still allows modifications across the subscription, including nonbackup resources outside the stated job.
• PIM for Owner limits when access is active but still exposes Owner permissions when activated.
• Backup-only access preserves vault operations but omits the required VM metadata visibility in RG-Prod.

SC-500 cloud and AI security map

Use this map to connect the sample questions to the decision pattern Microsoft usually tests for this security route.

    flowchart LR
	  S1["Cloud or AI workload"] --> S2
	  S2["Secure identity and secrets"] --> S3
	  S3["Protect network and data paths"] --> S4
	  S4["Apply posture and compliance controls"] --> S5
	  S5["Monitor Defender signals"] --> S6
	  S6["Respond and improve"]

Quick Cheat Sheet

Mini Glossary

• AI workload: Application, agent, or service flow that uses AI models, prompts, data, and supporting infrastructure.
• Defender: Microsoft security product family for cloud, endpoint, identity, email, and other signals.
• Key Vault: Azure service for protecting secrets, keys, and certificates.
• Posture management: Continuous assessment and improvement of security configuration and exposure.
• Workload identity: Identity used by an application, service, or automation instead of a human user.

Open Microsoft SC-500 in IT Mastery

Use this page to review public sample questions, start the free diagnostic, open the live SC-500 practice page, and compare related IT Mastery pages.

Official sources

• Microsoft Learn course SC-500T00-A
• Microsoft retired courses page showing AZ-500T00 replacement course

What to open next

• Need live security practice now? Open Security+ SY0-701 .
• Need the broader Microsoft transition hub? Open Microsoft Certification Practice Hub .

In this section

• Microsoft SC-500: Identity and Governance
  Try 10 focused Microsoft SC-500 questions on Identity and Governance, with explanations, then continue with IT Mastery.
• Microsoft SC-500: Storage and Networking Security
  Try 10 focused Microsoft SC-500 questions on Storage and Networking Security, with explanations, then continue with IT Mastery.
• Microsoft SC-500: Secure Compute
  Try 10 focused Microsoft SC-500 questions on Secure Compute, with explanations, then continue with IT Mastery.
• Microsoft SC-500: Security Posture Monitoring
  Try 10 focused Microsoft SC-500 questions on Security Posture Monitoring, with explanations, then continue with IT Mastery.
• Microsoft SC-500 Cheat Sheet: Cloud and AI Security
  Review the Microsoft Cloud and AI Security Engineer Associate (SC-500) scope, identity, posture, storage, compute, networking, and AI workload security traps before practicing in IT Mastery.
• Free Microsoft SC-500 Full-Length Practice Exam: 60 Questions
  Try 60 free Microsoft SC-500 questions across the exam domains, with explanations, then continue with full IT Mastery practice.