Prepare for Microsoft Certified: Cloud and AI Security Engineer Associate (SC-500) with a stable, blueprint-mapped IT Mastery bank, public samples, a free diagnostic, identity, Defender, Sentinel, Key Vault, posture, and secure AI workload drills.
SC-500 is Microsoft’s cloud and AI security route for security engineers who protect Microsoft Azure and Microsoft 365 environments, including identity, cloud infrastructure, Defender controls, security posture, and AI workload security.
Start with the free SC-500 diagnostic or the 24 public sample questions. See how Microsoft cloud and AI security questions handle identity, access, governance, storage, networking, compute, Defender, Sentinel, posture management, and AI workload controls before you subscribe; IT Mastery then gives you a stable, blueprint-mapped practice bank with timed mocks, topic drills, progress tracking, and detailed explanations across web and mobile.
A small set of questions is available for free preview. Subscribers can unlock full access by signing in with the same app-family account they use on web and mobile.
Prefer to practice on your phone or tablet? Download the IT Mastery – AWS, Azure, GCP & CompTIA exam prep app for iOS or IT Mastery app on Google Play (Android) and use the same IT Mastery account across web and mobile.
Free diagnostic: Try the SC-500 full-length practice exam before subscribing. Use it to set a baseline for Microsoft cloud and AI security, then return to IT Mastery for timed mocks, domain drills, explanations, and the full SC-500 question bank.
| Area | Practical focus |
|---|---|
| Identity and secrets | Secure access with Microsoft Entra ID, managed identities, and Azure Key Vault. |
| Compliance and posture | Enforce regulatory controls and monitor security posture across cloud environments. |
| Data, storage, and networking | Apply security boundaries to storage, databases, networking, and application paths. |
| Compute and infrastructure | Secure compute resources and hybrid or multicloud operating surfaces. |
| AI workload security | Secure platforms, data, identities, and infrastructure used by AI workloads and autonomous agents. |

| If you need to practice… | Best page | Why |
|---|---|---|
| baseline cybersecurity | Security+ SY0-701 | Best live route for security architecture, operations, and governance foundations. |
| Azure administration | AZ-104 | Reinforces identity, networking, compute, storage, monitoring, and operational controls. |
| Azure fundamentals | AZ-900 | Useful if your Azure service and governance language needs review first. |
| Azure AI fundamentals | AI-900 | Helpful for recognizing AI workload boundaries before securing them. |
Use these child pages when you want focused IT Mastery practice before returning to mixed sets and timed mocks.
Need concept review first? Read the Microsoft SC-500 Cheat Sheet for a compact summary, then return to timed practice.
These are original IT Mastery practice questions aligned to Microsoft cloud and AI security engineering, including identity, governance, storage, networking, compute, Defender, Sentinel, posture management, and AI workload controls. They are not Microsoft exam questions and are not copied from any exam sponsor. Use them to check readiness here, then continue in IT Mastery with mixed sets, topic drills, and timed mocks.
Topic: Manage Identity, Access, and Governance
A company has a Microsoft Entra administrative unit named Retail Users. A regional support group must update only a small set of user directory attributes for users in that administrative unit. Existing Microsoft Entra built-in roles include permissions the group must not receive, and the group must not receive access to Azure subscriptions. Which approach should you implement?
Options:
A. Create a Microsoft Entra custom role scoped to the administrative unit
B. Assign User Administrator scoped to the administrative unit
C. Use PIM approval for an existing directory role
D. Create an Azure RBAC custom role scoped to a resource group
Best answer: A
Explanation: Microsoft Entra custom roles are used for tailored directory-plane administration, such as limiting which user or application management actions an admin can perform. In this scenario, the required actions are Microsoft Entra directory permissions, not Azure resource management permissions. Assigning the custom role at the administrative unit scope also limits the affected objects to users in Retail Users. Administrative unit scoping controls the target objects, while the custom role controls the allowed actions. Azure RBAC, resource scopes, and subscription access apply to Azure resources rather than Microsoft Entra directory objects.
Topic: Manage Identity, Access, and Governance
An Azure Functions app uses a system-assigned managed identity to read the value of one secret, SqlPassword, from an Azure Key Vault that uses the Azure RBAC permission model. The app does not create, rotate, or read other vault objects. You must preserve least privilege. Which implementation should you use?
Options:
A. Add an access policy for secrets, keys, and certificates.
B. Assign Key Vault Secrets User at the SqlPassword secret scope.
C. Assign Key Vault Reader at the vault scope.
D. Assign Key Vault Secrets Officer at the vault scope.
Best answer: B
Explanation: For a Key Vault that uses Azure RBAC, assign data-plane roles at the narrowest feasible scope. Reading a secret value requires a secret-specific data-plane role, not a management-plane reader role. Because the app needs only the value of SqlPassword, the least-privilege implementation is to give its managed identity Key Vault Secrets User scoped to that specific secret. That avoids certificate permissions, key permissions, and secret management permissions. Vault-scoped officer roles or permissions across multiple object types expand the access boundary beyond the scenario.
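The secret-scoped assignment described above, written as an added Bicep example (not code from the page or from IT Mastery). The vault, secret and Function App names are assumptions, and the role GUID is the documented built-in ID for Key Vault Secrets User, marked as an assumption in the comments.

```bicep
// Added example: grant a Function App's system-assigned managed identity
// read access to ONE secret in a Key Vault that uses the Azure RBAC model.
// Assumed names: vault 'kv-billing', secret 'SqlPassword', app 'func-billing'.
param vaultName string = 'kv-billing'
param secretName string = 'SqlPassword'
param functionAppName string = 'func-billing'

// Built-in role 'Key Vault Secrets User' (read secret values only).
// Assumed from the Azure built-in roles reference; verify before deploying.
var secretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

// The Function App must already have a system-assigned identity.
resource functionApp 'Microsoft.Web/sites@2023-12-01' existing = {
  name: functionAppName
}

// The vault must have enableRbacAuthorization set to true for data-plane RBAC.
resource vault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: vaultName
}

// Reference the single secret so the assignment can be scoped to it.
resource secret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' existing = {
  parent: vault
  name: secretName
}

// scope: secret limits the grant to SqlPassword. Scoping to 'vault' instead
// would let the identity read every secret, and Secrets Officer would add
// create/delete rights the app does not need.
resource secretReadGrant 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(secret.id, functionApp.id, secretsUserRoleId)
  scope: secret
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', secretsUserRoleId)
    principalId: functionApp.identity.principalId
    principalType: 'ServicePrincipal'
  }
}
```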
Key Vault Reader can view metadata but cannot read secret values. Key Vault Secrets Officer can manage secrets and is broader than read-only access.
Topic: Manage Identity, Access, and Governance
A security engineer cannot create a new Conditional Access policy in Microsoft Entra ID and receives an insufficient privileges message. Use the exhibit to choose the best next action.
Exhibit: Privileged access summary
| Item | Value |
|---|---|
| User | Maya Chen |
| Task | Create Conditional Access policy |
| Eligible role | Conditional Access Administrator |
| PIM status | Eligible, not active |
| Active roles | Security Reader |
| Activation requirement | MFA and justification |
Options:
A. Configure an authentication methods policy for Maya.
B. Assign Maya permanent Global Administrator access.
C. Activate the eligible role in PIM, then retry.
D. Grant admin consent to the Microsoft Entra app.
Best answer: C
Explanation: Privileged Identity Management separates eligible assignments from active privileges. An eligible role assignment does not grant administrative permissions until the user activates the role and satisfies the activation requirements, such as MFA and justification. In the exhibit, Maya has the Conditional Access Administrator role only as eligible, while her only active role is Security Reader. Security Reader cannot create Conditional Access policies, so the insufficient privileges message is expected until the PIM activation occurs. The key takeaway is that eligibility is not the same as usable administrative access.
Topic: Manage and Monitor Security Posture
A security team is onboarding a firewall and an email gateway to Microsoft Sentinel. Both products emit events only as CEF over Syslog and cannot run Azure agents. The team must preserve CEF normalization for Sentinel analytics while minimizing network exposure. Which configuration should the team implement?
Options:
A. Deploy a Linux CEF forwarder with Azure Monitor Agent and a CEF data collection rule.
B. Send raw CEF to a custom log table through HTTPS ingestion.
C. Enable Defender for Cloud recommendations for the appliance resource group.
D. Install Azure Monitor Agent directly on each appliance with a Security Events rule.
Best answer: A
Explanation: CEF-producing appliances typically send events by Syslog to a Linux log forwarder, because the appliances themselves cannot run Azure Monitor Agent. For Microsoft Sentinel, the forwarder runs Azure Monitor Agent and is associated with a data collection rule configured by the CEF connector. This keeps CEF events normalized for Sentinel analytics, commonly into the CEF/CommonSecurityLog experience, while letting the network team restrict Syslog inbound traffic to only the known appliance sources. The key control is to centralize collection on a hardened forwarder instead of opening broad ingestion paths or bypassing the CEF collection pipeline.
Topic: Secure Compute
An organization is expanding Microsoft 365 Copilot. Microsoft Purview Data Security Posture Management (DSPM) reports that HR files in SharePoint contain sensitive data, are broadly accessible, and may surface in Copilot responses. Defender for Cloud also shows medium VM vulnerabilities in a separate subscription; the VMs do not store the HR files. Data owners must retain access decisions and remediation must preserve least privilege. Which design is the best fit?
Options:
A. Close the Defender for Cloud VM vulnerability recommendations first.
B. Use Purview DSPM evidence to have HR owners reduce broad SharePoint access.
C. Require compliant devices for all Copilot access with Conditional Access.
D. Grant the security team site admin access to all HR sites.
Best answer: B
Explanation: AI data exposure findings focus on whether sensitive content can be discovered or summarized by Copilot because permissions or sharing are too broad. In this scenario, the risky asset is HR content in SharePoint, not the separate Azure VMs. The best remediation path is to use Purview DSPM evidence to identify the exposed locations and have the HR data owners tighten permissions to the intended audience. This preserves least privilege and addresses the condition that makes Copilot exposure possible. VM vulnerability remediation and device-based access controls can be valid security work, but they do not correct overshared content that Copilot can access through existing user permissions.
Topic: Secure Compute
A security team manages Azure virtual machines in a virtual network. They must provide RDP and SSH access for administrators while ensuring the VMs have no public IP addresses and management ports are not exposed to the internet. Administrators should not need a VPN client. Which plan best meets the requirement?
Options:
A. Create private endpoints for each virtual machine.
B. Add NSG rules allowing administrators’ public IP addresses.
C. Deploy Azure Bastion for private-IP RDP and SSH access.
D. Enable just-in-time VM access for management ports.
Best answer: C
Explanation: Azure Bastion is designed for secure administrative connectivity to Azure VMs without exposing the VMs directly to the internet. It is deployed in a dedicated AzureBastionSubnet and lets administrators connect to VM private IP addresses for RDP or SSH. This matches the requirement to remove public IP addresses from the VMs, avoid opening management ports to the internet, and avoid requiring a VPN client on administrator workstations. Just-in-time access reduces exposure windows for management ports, but it does not provide the Bastion connection broker pattern by itself.
Topic: Secure Compute
A team is hardening an Azure Generation 2 VM that uses a supported OS and VM size. The VM currently has Security type set to Standard. The new baseline requires TPM 2.0-like measured boot and key protection semantics, but it does not require confidential-computing memory encryption. What is the best next implementation step?
Options:
A. Set Security type to Trusted launch and enable vTPM
B. Redeploy the workload as a Confidential VM
C. Enable Defender for Servers integrity monitoring first
D. Enable Secure Boot without changing Security type
Best answer: A
Explanation: For Azure VMs, vTPM is configured as part of the VM security profile for supported Generation 2 Trusted launch VMs. Because the current VM uses the Standard security type, the next implementation step is to move the VM to Trusted launch and enable vTPM. That provides TPM 2.0-like measured boot and key protection semantics without requiring the broader memory-encryption guarantees of confidential computing. Secure Boot is commonly paired with vTPM, but it does not replace vTPM when TPM-backed semantics are required. Monitoring controls can validate posture later, after the required security capability exists.
Topic: Manage and Monitor Security Posture
Your organization has a Microsoft Security Copilot workspace. The Microsoft Sentinel plugin is enabled, a Microsoft incident-triage agent and a Security Store phishing agent are available, and a Tier 1 analyst already has Microsoft Sentinel Reader on the target Sentinel workspace. You need the analyst to run prompts and available agents, but not manage Copilot workspace settings, plugins, or agents. Which configuration should you make?
Options:
A. Assign the Security Copilot Contributor workspace role.
B. Enable the Microsoft Sentinel plugin in the workspace.
C. Assign the Security Copilot Owner workspace role.
D. Install a Security Store agent for the analyst.
Best answer: A
Explanation: Microsoft Security Copilot access is controlled separately from the permissions in connected security products. In this scenario, the analyst already has the needed Microsoft Sentinel read permission, and the plugin and agents are already available. The remaining requirement is to allow the analyst to use Security Copilot without granting administrative control. A Contributor workspace role fits that need because it supports running prompts and using available capabilities, while an Owner role is for managing workspace configuration, access, plugins, and agent settings. Plugins, Microsoft agents, and Security Store agents extend what Copilot can do; they do not replace user access assignment or underlying data permissions.
Topic: Secure Storage, Databases, and Networking
A security team needs a searchable record of security-relevant activity for a production Azure SQL database, including database authentication events and completed T-SQL batches. The organization already uses a Log Analytics workspace for security investigations. Which configuration should you implement?
Options:
A. Configure a storage account firewall rule for the database subnet.
B. Enable Defender for Databases alerts only.
C. Enable Transparent Data Encryption for the database.
D. Enable Azure SQL auditing and send audit logs to Log Analytics.
Best answer: D
Explanation: Azure SQL Database auditing is the control used to record security-relevant database activity. It can capture events such as successful and failed authentications, permission changes, and completed batches, then write audit records to destinations such as Log Analytics, a storage account, or Event Hubs. Because the team needs searchable investigation data in an existing Log Analytics workspace, the auditing destination should be Log Analytics. Defender for Databases helps detect threats, but it does not replace audit logging for a required activity record.
Topic: Secure Storage, Databases, and Networking
A company hosts a billing API on VMs behind an internal Standard Load Balancer in a producer VNet. Partner teams in separate VNets and tenants must consume only this API over private IP. The producer must approve each consumer connection and must not provide broader network access to the producer VNet. Which configuration should you choose?
Options:
A. Expose a public endpoint restricted by IP rules
B. Publish a Private Link service and manually approve private endpoints
C. Build site-to-site VPN tunnels to each consumer VNet
D. Peer each consumer VNet with the producer VNet
Best answer: B
Explanation: Azure Private Link service is the producer-side pattern for publishing a service in one VNet to consumers through private endpoints. Because the API is already behind a Standard Load Balancer, the producer can create a Private Link service, control visibility, and require manual approval of each private endpoint connection. Each consumer reaches only the published service through a private IP in its own VNet. This avoids VNet peering or VPN routing that could expose broader address spaces or enable transitive access to the producer network. The key distinction is that Private Link publishes a service boundary, not a full network boundary.
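The producer-side Private Link service described above, as an added Bicep example (not code from the page). The load balancer frontend ID, the NAT subnet ID and the consumer subscription list are assumed inputs; no consumer is auto-approved, so each private endpoint connection waits for manual approval.

```bicep
// Added example: publish the billing API (already behind an internal Standard
// Load Balancer) as a Private Link service that consumers must be approved for.
// Assumed: LB frontend IP configuration ID, a producer subnet reserved for the
// service's NAT addresses, and the consumer subscription IDs allowed to see it.
param location string = resourceGroup().location
param lbFrontendIpConfigId string
param natSubnetId string
param consumerSubscriptionIds array   // partner subscription IDs (placeholders)

resource billingApiPls 'Microsoft.Network/privateLinkServices@2023-11-01' = {
  name: 'pls-billing-api'
  location: location
  properties: {
    // The service fronts only this LB frontend, so consumers reach the API VMs
    // and nothing else in the producer VNet (no peering, no transitive routes).
    loadBalancerFrontendIpConfigurations: [ { id: lbFrontendIpConfigId } ]
    // Source NAT addresses for consumer traffic; this subnet must have
    // privateLinkServiceNetworkPolicies set to 'Disabled'.
    ipConfigurations: [
      {
        name: 'nat-ipconfig-1'
        properties: {
          subnet: { id: natSubnetId }
          privateIPAllocationMethod: 'Dynamic'
          primary: true
        }
      }
    ]
    // Only the listed subscriptions can discover the service at all ...
    visibility: { subscriptions: consumerSubscriptionIds }
    // ... and none are auto-approved, so every private endpoint connection
    // stays Pending until the producer approves it.
    autoApproval: { subscriptions: [] }
    enableProxyProtocol: false
  }
}
```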
Topic: Secure Storage, Databases, and Networking
A security team is securing three Azure VM tiers in the same virtual network: web, API, and database. The team must allow HTTPS from web VMs to API VMs and SQL traffic from API VMs to database VMs, while avoiding IP-based rules because VMs are frequently added and replaced. The network team does not want to redesign subnets. Which design best fits the requirement?
Options:
A. Create ASGs per tier and reference them in NSG rules
B. Move each tier to a dedicated subnet and apply subnet NSGs
C. Create service tags for each VM tier and use NSG rules
D. Route all east-west traffic through Azure Firewall application rules
Best answer: A
Explanation: Application security groups (ASGs) are the best fit when Azure VM workloads need network security rules based on application role rather than IP addresses. In this scenario, the web, API, and database VMs are in the same virtual network, change frequently, and should not require subnet redesign. By assigning each VM NIC to the appropriate ASG, NSG rules can allow only the needed tier-to-tier traffic, such as web-to-API over HTTPS and API-to-database over SQL. This keeps rule targeting aligned to workload ownership and supports least privilege as instances scale or are replaced. Subnet-based rules can work in some designs, but they miss the stated constraint to avoid subnet redesign.
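The tier-to-tier design described above, as an added Bicep example (not code from the page). It assumes the three tiers share one subnet whose ID is passed in, and it also adds an explicit deny rule so the two allow rules are the only intra-VNet paths, which the explanation implies but does not spell out.

```bicep
// Added example: role-based east-west rules for web -> api -> db VM tiers
// in one virtual network, using ASGs instead of IP addresses.
// Assumed: all NICs live in the VNet whose subnet ID is passed in.
param location string = resourceGroup().location
param subnetId string   // assumed existing subnet shared by the three tiers

var tiers = [ 'web', 'api', 'db' ]

// One ASG per application tier; index 0 = web, 1 = api, 2 = db.
resource asg 'Microsoft.Network/applicationSecurityGroups@2023-11-01' = [for tier in tiers: {
  name: 'asg-${tier}'
  location: location
}]

resource nsg 'Microsoft.Network/networkSecurityGroups@2023-11-01' = {
  name: 'nsg-app-tiers'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-web-to-api-https'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourcePortRange: '*'
          destinationPortRange: '443'
          sourceApplicationSecurityGroups: [ { id: asg[0].id } ]
          destinationApplicationSecurityGroups: [ { id: asg[1].id } ]
        }
      }
      {
        name: 'allow-api-to-db-sql'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourcePortRange: '*'
          destinationPortRange: '1433'
          sourceApplicationSecurityGroups: [ { id: asg[1].id } ]
          destinationApplicationSecurityGroups: [ { id: asg[2].id } ]
        }
      }
      {
        // Override the default AllowVnetInBound rule so that, for example,
        // web VMs cannot reach db VMs directly; the rules above are the only paths.
        name: 'deny-other-vnet-inbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourcePortRange: '*'
          destinationPortRange: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          destinationAddressPrefix: 'VirtualNetwork'
        }
      }
    ]
  }
}

// A NIC for a new API VM: membership in asg-api is all the rules need,
// so replacing or scaling VMs never requires editing the NSG.
resource apiNic 'Microsoft.Network/networkInterfaces@2023-11-01' = {
  name: 'nic-api-01'
  location: location
  properties: {
    networkSecurityGroup: { id: nsg.id }
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: { id: subnetId }
          privateIPAllocationMethod: 'Dynamic'
          applicationSecurityGroups: [ { id: asg[1].id } ]
        }
      }
    ]
  }
}
```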
Topic: Manage and Monitor Security Posture
A security team enabled Defender CSPM and is reviewing secure score recommendations for a subscription. The team now needs to configure vulnerability management specifically for Azure VMs so that software and CVE findings are produced for those machines, not just posture recommendations. Which two actions should the engineer take? Select TWO.
Options:
A. Review Defender CSPM attack paths for exposed VMs.
B. Enable Microsoft Defender for Servers for the subscription.
C. Add a regulatory compliance standard to Defender for Cloud.
D. Create a Defender CSPM governance rule for VM recommendations.
E. Configure vulnerability assessment for machines with Microsoft Defender Vulnerability Management.
F. Enable Microsoft Defender EASM discovery for public assets.
Correct answers: B, E
Explanation: Defender CSPM helps identify and prioritize posture risk through recommendations, secure score, attack paths, and governance workflows. Those features can show that VMs have security issues, but they are not the configuration point for VM vulnerability assessment. To produce software inventory and CVE findings for Azure VMs, configure the server workload protection and vulnerability assessment settings in Defender for Cloud, typically using Microsoft Defender Vulnerability Management for machines. EASM, compliance standards, and governance rules can add visibility or tracking, but they do not configure the VM vulnerability scanner itself.
Topic: Manage and Monitor Security Posture
A company uses Microsoft Sentinel and requires Windows Security events from domain-joined servers to be collected through an existing Windows Event Forwarding (WEF) design. Servers must not send telemetry directly to Azure. Which implementation should you use?
Options:
A. Export .evtx files from each server to storage and ingest them with a custom log table.
B. Deploy AMA to every server and configure a DCR for each local Security log.
C. Configure source-initiated WEF to a collector and deploy AMA with a DCR for Windows Forwarded Events on the collector.
D. Deploy AMA only to the collector and configure a DCR for the collector’s local Security log.
Best answer: C
Explanation: When WEF is part of the collection design, source computers forward selected Windows Security events to a Windows Event Collector by using WinRM and a WEF subscription, often configured through Group Policy. Microsoft Sentinel ingestion should then occur from the collector, not directly from every source server. Deploy Azure Monitor Agent on the collector and use an appropriate data collection rule for Windows Forwarded Events so the forwarded security events are sent to the Sentinel workspace. Collecting only the collector’s local Security log misses the forwarded event channel, and deploying agents to all source servers bypasses the stated WEF requirement.
Topic: Secure Compute
A security team is deploying a new Azure VM for a sensitive workload. The image is a supported Generation 2 image, and the requirement is to validate the boot chain before the operating system starts to help prevent bootkits and rootkits. Which implementation should you use?
Options:
A. Enable Defender for Servers agentless scanning.
B. Deploy Azure Bastion and remove public IP access.
C. Create the VM as Trusted launch with Secure Boot enabled.
D. Enable only vTPM on a standard security VM.
Best answer: C
Explanation: Secure Boot for Azure VMs is implemented through the Trusted launch security type on supported Generation 2 images. Secure Boot validates trusted boot components before the operating system loads, helping protect against bootkits and rootkits. A virtual TPM can complement this by supporting measured boot and key protection, but it does not replace the Secure Boot setting. Defender for Servers and access controls can improve detection or reduce remote exposure, but they do not configure boot-chain validation.
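The Trusted launch security profile used by both this question and the earlier vTPM question (Security type Standard to Trusted launch with vTPM), as one added Bicep example that is not code from the page. The VM name, size, image and NIC are assumptions; for an existing Generation 2 Standard VM, the same securityProfile is applied after the VM is deallocated.

```bicep
// Added example: a Generation 2 VM with the Trusted launch security type,
// Secure Boot (boot-chain validation) and vTPM (measured boot, key protection).
// Assumed name, size and image; the NIC is assumed to exist already.
param location string = resourceGroup().location
param vmName string = 'vm-sensitive-01'
param nicId string
param adminUsername string
@secure()
param adminPassword string

resource vm 'Microsoft.Compute/virtualMachines@2024-03-01' = {
  name: vmName
  location: location
  properties: {
    hardwareProfile: {
      vmSize: 'Standard_D2s_v5'   // assumed size from a Trusted launch-capable family
    }
    securityProfile: {
      // 'TrustedLaunch' gives Secure Boot + vTPM; 'ConfidentialVM' would add
      // the memory encryption that the stated baseline does not require.
      securityType: 'TrustedLaunch'
      uefiSettings: {
        secureBootEnabled: true   // rejects unsigned or untrusted boot components
        vTpmEnabled: true         // TPM 2.0-like measured boot and key protection
      }
    }
    storageProfile: {
      imageReference: {
        publisher: 'Canonical'
        offer: '0001-com-ubuntu-server-jammy'
        sku: '22_04-lts-gen2'     // a Gen2 image is required for Trusted launch
        version: 'latest'
      }
      osDisk: {
        createOption: 'FromImage'
        managedDisk: { storageAccountType: 'Premium_LRS' }
      }
    }
    osProfile: {
      computerName: vmName
      adminUsername: adminUsername
      adminPassword: adminPassword
    }
    networkProfile: {
      networkInterfaces: [ { id: nicId } ]
    }
  }
}
```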
Topic: Secure Compute
A subscription has Defender for Servers Plan 2 enabled. The security team must discover OS and software vulnerabilities on Azure VMs without deploying additional agents, but VMs tagged SecurityScan=Exclude must be left out of the scan. Which Defender for Cloud configuration should you apply?
Options:
A. Enable Defender for Endpoint integration in passive mode.
B. Enable the Microsoft Sentinel Defender for Cloud connector.
C. Enable the vulnerability assessment extension on all VMs.
D. Enable agentless scanning and add exclusion tag SecurityScan=Exclude.
Best answer: D
Explanation: Agentless VM scanning in Microsoft Defender for Cloud supports vulnerability discovery without installing a guest agent or VM extension. With Defender for Servers Plan 2 enabled, the relevant setting is Agentless scanning for machines. The scan applies at the subscription or cloud connector scope, and exclusion tags let you omit specific machines that match a tag name and value. This directly satisfies both requirements: discover vulnerabilities without deploying agents and skip VMs tagged SecurityScan=Exclude. Agent-based vulnerability assessment or EDR integration can provide useful signals, but they do not meet the no-additional-agent requirement in this scenario.
Topic: Secure Storage, Databases, and Networking
An application on an Azure VM uses its managed identity to list blobs in container reports. The same code succeeds from subnet-a but fails from a VM in subnet-b.
| Evidence | Value |
|---|---|
| Auth method | Microsoft Entra token |
| Role assignment | Storage Blob Data Reader on the storage account |
| Storage firewall | Selected networks |
| Allowed networks | subnet-a only |
| Error | 403 Client address is not authorized |
What is the most likely cause?
Options:
A. A stored access policy has expired.
B. The managed identity lacks blob data permissions.
C. Defender for Storage blocked the request.
D. The storage firewall does not allow subnet-b.
Best answer: D
Explanation: Azure Storage access failures can come from different enforcement layers. In this scenario, the identity evidence is already favorable: the VM uses a Microsoft Entra token, and the managed identity has Storage Blob Data Reader at the storage account scope, which is appropriate for listing blobs. The decisive clue is the network evidence: the storage account allows only selected networks, and only subnet-a is listed. A 403 Client address is not authorized message aligns with a storage firewall rule blocking traffic from subnet-b. Stored access policies apply to SAS-based access, not this Entra-authenticated request. Defender for Storage provides threat detection and alerts; it is not the likely access gate shown here.
Topic: Manage Identity, Access, and Governance
A member of the Privileged Operators group cannot access the Azure portal after a new sign-in requirement was deployed. The user can complete Microsoft Authenticator push MFA for other apps. What is the best interpretation and next action?
| Evidence | Value |
|---|---|
| App | Azure portal |
| Conditional Access result | Failure |
| Policy grant control | Authentication strength: Phishing-resistant MFA |
| User registered method | Microsoft Authenticator push |
| Methods enabled for group | Microsoft Authenticator only |
Options:
A. Change the policy to require any MFA method.
B. Enable per-user MFA for the affected account.
C. Remove the user from the Conditional Access policy.
D. Enable an eligible phishing-resistant method for the group.
Best answer: D
Explanation: Conditional Access decides when access requires a control, such as a specific authentication strength. Authentication-method configuration decides which methods users can register and use. In this exhibit, the Conditional Access policy is applying as designed by requiring phishing-resistant MFA. The available method, Microsoft Authenticator push, does not satisfy that phishing-resistant authentication strength. The right boundary to adjust is the authentication methods policy and user enrollment, such as enabling FIDO2 security keys, Windows Hello for Business, or certificate-based authentication for the appropriate group. Weakening or bypassing the Conditional Access policy would solve the symptom by removing the security requirement, not by meeting it.
Topic: Manage Identity, Access, and Governance
A subscription is assigned the Microsoft cloud security benchmark in Defender for Cloud. The dashboard shows a recommendation that storage accounts should restrict network access, but a developer can still deploy a new storage account with public network access enabled. Before choosing a remediation path, what should you check first?
Options:
A. Defender for Storage malware scanning settings
B. The developer’s storage data-plane permissions
C. Microsoft Sentinel connector health
D. The underlying Azure Policy assignment effect
Best answer: D
Explanation: Defender for Cloud recommendations are posture findings generated from security standards and underlying policy assessments. They identify unhealthy resources and provide remediation guidance, but the recommendation itself does not automatically block deployments. Azure Policy is the governance engine that can audit, deny, modify, or deploy settings based on the assigned definition and effect. Because the noncompliant storage account can still be created, the useful diagnostic step is to inspect the related Azure Policy assignment and its effect before deciding whether to enforce, remediate, or only monitor the control.
Topic: Manage and Monitor Security Posture
A company is deploying Microsoft Sentinel for a new SOC. Security data from three Azure subscriptions must be collected and managed in Sentinel. The data must stay in West Europe, and the SOC does not want to mix security data with an existing East US Log Analytics workspace used for VM performance logs. What should you implement?
Options:
A. Create a West Europe Log Analytics workspace and enable Microsoft Sentinel.
B. Enable Microsoft Sentinel on the existing East US workspace.
C. Enable Defender for Cloud plans on each subscription.
D. Create an Event Hubs namespace in West Europe for all logs.
Best answer: A
Explanation: Microsoft Sentinel uses a Log Analytics workspace as the boundary for data collection, retention, access, and Sentinel operations. When security data must be managed in Sentinel and kept separate from nonsecurity logs, create or select the appropriate Log Analytics workspace first, in the required region, and then enable Microsoft Sentinel on that workspace. After the workspace exists, Azure and Microsoft security data sources can be connected to that Sentinel-enabled workspace. An Event Hubs namespace can route events, and Defender for Cloud can generate security findings, but neither replaces creating the Sentinel workspace where the SOC manages collected data.
Topic: Secure Compute
An organization publishes partner-facing REST APIs through Azure API Management. The back-end apps cannot be changed. Security requires rejecting calls that lack a Microsoft Entra-issued JWT with the expected audience and throttling each partner before requests reach the back-end API. Which control should you implement?
Options:
A. Azure Web Application Firewall rules
B. Inbound API Management policies
C. Network security group rules
D. Microsoft Entra app role assignments only
Best answer: B
Explanation: Azure API Management is the correct boundary for governed API access when the requirement is to enforce API-level policy before traffic reaches the back end. Inbound policies such as JWT validation, rate limiting, quotas, header checks, and IP filtering run at the API Management gateway and do not require changing back-end application code. WAF, Microsoft Entra ID, and network controls can be part of the broader architecture, but they do not replace API Management policy enforcement for per-request API governance and throttling.
Topic: Manage and Monitor Security Posture
A financial services team has ingested Azure Firewall logs into a Microsoft Sentinel workspace for 11 months. Compliance requires these firewall records to remain queryable for 1 year (365 days), while other Sentinel tables should keep default retention to limit cost. The SOC must prove the requirement without exporting logs to storage. Which evidence best validates the configuration?
Options:
A. Workspace retention at 365 days for all Sentinel tables
B. Purview Audit results for firewall administrator activity
C. Storage lifecycle retention for exported firewall log blobs
D. Table retention at 365 days with 11-month firewall query results
Best answer: D
Explanation: Microsoft Sentinel stores log data in a Log Analytics workspace, and retention can be managed at the table level. Because only the firewall log table requires extended retention, the best validation is evidence that the specific table is configured for 365-day retention and that an 11-month-old firewall record can be queried. This proves both the retention scope and the operational audit requirement. Workspace-wide retention would over-apply the setting to unrelated tables, while storage export would change the evidence source and violate the stated constraint.
Topic: Secure Storage, Databases, and Networking
A security team manages a spoke VNet that hosts a VM-based API. The VM cannot connect to a partner endpoint on TCP 443 after an NSG update and a UDR change that sends internet-bound traffic to a hub Azure Firewall. You must determine the cause without weakening isolation or changing production rules. Which diagnostic approach is the best design fit?
Options:
A. Use Network Watcher flow checks and correlate Azure Firewall logs.
B. Review Azure Policy compliance for the affected subnet.
C. Temporarily remove the NSG and retest the connection.
D. Enable Defender for Cloud recommendations for the VM.
Best answer: A
Explanation: Azure Network Watcher is the right starting point when you need evidence for a connectivity issue without changing production controls. IP flow verify can test the VM NIC, direction, protocol, destination IP, and port to show whether an effective NSG rule allows or denies the flow. Effective security rules can then identify which combined subnet and NIC rules apply. Because the UDR sends internet-bound traffic to Azure Firewall, the investigation should also correlate the routed flow with Azure Firewall diagnostic logs to determine whether a firewall rule collection allowed or denied TCP 443. This separates NSG enforcement from firewall behavior while preserving network isolation.
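The following is an added example, not code from the page or from Network Watcher itself. It reproduces the two checks the explanation describes in plain Python: the effective-rule logic (custom rules plus Azure's default outbound rules, first match by priority, NIC NSG evaluated before subnet NSG for outbound, both must allow) and a correlation of the same flow against Azure Firewall network-rule log text. The VNet address space, IP addresses, rule names and log lines are constructed; the log lines follow the shape of the legacy AzureDiagnostics `msg_s` field.

```python
"""Added example: effective NSG evaluation for one flow, then correlation with
Azure Firewall network-rule log lines, to separate NSG from firewall behaviour."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed spoke VNet address space (hypothetical). The 'VirtualNetwork' and
# 'Internet' service tags are approximated against it; the real tags cover more.
VNET_CIDRS = [ipaddress.ip_network("10.1.0.0/16")]


@dataclass
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    dst: str        # CIDR, "*", "Internet" or "VirtualNetwork"
    dst_port: str   # "443", "1024-65535" or "*"


def _dst_match(prefix: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    in_vnet = any(addr in net for net in VNET_CIDRS)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return in_vnet
    if prefix == "Internet":
        return not in_vnet
    return addr in ipaddress.ip_network(prefix, strict=False)


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


# Azure's built-in outbound default rules, evaluated after the custom ones.
DEFAULT_OUTBOUND = [
    Rule("AllowVnetOutBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Allow", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Deny", "*", "*", "*"),
]


def evaluate_nsg(rules, proto, dst_ip, dst_port):
    """First match in ascending priority order wins, as in the NSG engine."""
    for r in sorted(rules + DEFAULT_OUTBOUND, key=lambda r: r.priority):
        if r.protocol in ("*", proto) and _dst_match(r.dst, dst_ip) \
                and _port_match(r.dst_port, dst_port):
            return r.access, r.name
    return "Deny", "DenyAllOutBound"


def effective_outbound(nic_rules, subnet_rules, proto, dst_ip, dst_port):
    """Outbound: the NIC NSG is evaluated first, then the subnet NSG; both must allow.
    Returns (allowed, [(scope, access, deciding_rule), ...])."""
    trace = []
    for scope, rules in (("nic", nic_rules), ("subnet", subnet_rules)):
        access, name = evaluate_nsg(rules, proto, dst_ip, dst_port)
        trace.append((scope, access, name))
        if access == "Deny":
            return False, trace
    return True, trace


# Shape of the legacy AzureFirewallNetworkRule msg_s text (sample lines are constructed).
FW_LINE = re.compile(r"(?P<proto>\w+) request from (?P<src>[\d.]+):\d+ to "
                     r"(?P<dst>[\d.]+):(?P<port>\d+)\. Action: (?P<action>\w+)")


def firewall_verdicts(log_lines, src_ip, dst_ip, dst_port):
    """Return the firewall actions recorded for the exact flow under test."""
    hits = []
    for line in log_lines:
        m = FW_LINE.search(line)
        if m and (m["src"], m["dst"], int(m["port"])) == (src_ip, dst_ip, dst_port):
            hits.append(m["action"])
    return hits


def diagnose(nic_rules, subnet_rules, fw_logs, src_ip, dst_ip, dst_port, proto="Tcp"):
    """Decide whether the NSGs or the firewall explain the failed connection."""
    allowed, trace = effective_outbound(nic_rules, subnet_rules, proto, dst_ip, dst_port)
    if not allowed:
        scope, _, rule = trace[-1]
        return f"blocked by {scope} NSG rule {rule}; flow never reached the firewall"
    actions = firewall_verdicts(fw_logs, src_ip, dst_ip, dst_port)
    if "Deny" in actions:
        return "NSGs allow; Azure Firewall denied the flow (check network rule collections)"
    if not actions:
        return "NSGs allow; no firewall record, check the UDR next hop and firewall diagnostics"
    return "NSGs allow and firewall allowed; look beyond the Azure network path"


# Constructed scenario: the NSG update added a 'deny Internet' rule with a lower
# priority number than the partner allow, so the allow is never reached.
NIC_RULES = [
    Rule("deny-internet-out", 100, "Deny", "Tcp", "Internet", "*"),
    Rule("allow-partner-443", 200, "Allow", "Tcp", "203.0.113.10/32", "443"),
]
SUBNET_RULES = [Rule("allow-443-out", 100, "Allow", "Tcp", "*", "443")]
FW_LOGS = [  # constructed sample line
    "TCP request from 10.1.2.4:50122 to 203.0.113.10:443. Action: Deny. No rule matched. Proceeding with default action",
]

if __name__ == "__main__":
    print(diagnose(NIC_RULES, SUBNET_RULES, FW_LOGS, "10.1.2.4", "203.0.113.10", 443))
```

With the constructed rules the verdict is the NIC-level deny, which is the same answer IP flow verify would give for that NIC; swapping the two priorities makes the NSGs allow the flow, and the diagnosis then turns on what the firewall log recorded for it.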
Topic: Secure Storage, Databases, and Networking
A security team is designing access to an Azure Storage account used by an internal analytics app in a spoke virtual network. The account must be reachable by the app over a private IP address, public network access must be disabled, and on-premises users connected through VPN must use the same private path. The DNS team can manage private DNS zones. Which design best meets the requirement?
Options:
A. Force egress through Azure Firewall with an application rule.
B. Allow the VPN gateway public IP in the storage firewall.
C. Create a private endpoint, link Private DNS, and disable public access.
D. Add the app subnet to the storage account firewall.
Best answer: C
Explanation: Private endpoints use Azure Private Link to place a private IP for a PaaS resource inside a virtual network. In this scenario, the decisive requirements are private IP access, disabled public network access, and VPN users using the same private path. The design should create the private endpoint in the spoke VNet, link a privatelink.blob.core.windows.net private DNS zone so the storage FQDN resolves to the private endpoint address (with on-premises resolvers forwarding that zone to Azure DNS so VPN users get the same answer), and disable public network access on the storage account. Storage firewall rules, whether IP rules or virtual network rules backed by service endpoints, only restrict who may reach the public endpoint; they do not give the service a private IP, and allowing the VPN gateway's public IP would still send on-premises traffic to the public endpoint.
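As an added example (not code from the page or from any Microsoft tool), the check below walks a DNS answer chain the way a practitioner would after deploying the private endpoint: the storage FQDN must CNAME into the privatelink zone and terminate at an A record inside the VNet. The storage account name, VNet range, private endpoint IP, public CNAME target and public IP are all hypothetical; the second chain shows the failure mode for an on-premises VPN client whose resolver still forwards to public DNS.

```python
"""Added example: validate that a storage FQDN resolves through the privatelink
zone to an address inside the VNet, i.e. clients really use the private path."""
import ipaddress

# Hypothetical names and addresses for the scenario.
STORAGE_FQDN = "stanalytics01.blob.core.windows.net"
PRIVATELINK_ZONE = "privatelink.blob.core.windows.net"
VNET_CIDRS = [ipaddress.ip_network("10.1.0.0/16")]

# Resolver answers as (name, type, value) tuples. Constructed to look like the
# chain returned when the private DNS zone is linked to the resolving VNet.
PRIVATE_CHAIN = [
    (STORAGE_FQDN, "CNAME", "stanalytics01.privatelink.blob.core.windows.net"),
    ("stanalytics01.privatelink.blob.core.windows.net", "A", "10.1.3.5"),
]
# Constructed answer an on-premises client gets when its resolver uses public DNS:
# the privatelink name falls through to the public endpoint's CNAME and IP.
PUBLIC_CHAIN = [
    (STORAGE_FQDN, "CNAME", "stanalytics01.privatelink.blob.core.windows.net"),
    ("stanalytics01.privatelink.blob.core.windows.net", "CNAME",
     "blob.example-cluster.store.core.windows.net"),
    ("blob.example-cluster.store.core.windows.net", "A", "198.51.100.20"),
]


def follow_chain(answers, name, max_hops=8):
    """Walk CNAME records to the terminal A record.
    Returns (names_visited, ip_or_None); None means the chain is broken or loops."""
    table = {n: (t, v) for n, t, v in answers}
    visited = [name]
    for _ in range(max_hops):
        rec = table.get(name)
        if rec is None:
            return visited, None
        rtype, value = rec
        if rtype == "A":
            return visited, value
        name = value
        visited.append(name)
    return visited, None


def check_private_path(answers, fqdn):
    """Return (ok, findings, resolved_ip) for one client's view of the FQDN."""
    names, ip = follow_chain(answers, fqdn)
    findings = []
    if not any(n.endswith("." + PRIVATELINK_ZONE) for n in names):
        findings.append("no privatelink CNAME: zone not linked or wrong zone name")
    if ip is None:
        findings.append("no A record reached")
    elif not any(ipaddress.ip_address(ip) in net for net in VNET_CIDRS):
        findings.append(f"{ip} is outside the VNet: client resolved the public endpoint")
    return not findings, findings, ip


if __name__ == "__main__":
    for label, chain in (("spoke VM", PRIVATE_CHAIN), ("VPN client", PUBLIC_CHAIN)):
        print(label, check_private_path(chain, STORAGE_FQDN))
```

With public network access disabled on the account, the second client would get a connection that is refused at the public endpoint rather than a DNS error, so checking the resolved IP against the VNet range is the quicker way to spot a missing conditional forwarder.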
Topic: Manage Identity, Access, and Governance
During an Azure RBAC review, the BackupOps Microsoft Entra group is found to have the Owner role at the subscription scope. The group must continue to configure backup policies and trigger restores for Recovery Services vaults in RG-Backup, and view VM metadata in RG-Prod. The group must not grant access or modify nonbackup resources. Which RBAC configuration should you implement?
Options:
A. Remove Owner; assign Contributor at the subscription scope.
B. Remove Owner; assign Backup Contributor on RG-Backup and Reader on RG-Prod.
C. Remove Owner; assign Backup Contributor on RG-Backup only.
D. Keep Owner; require PIM activation for the assignment.
Best answer: B
Explanation: Azure RBAC remediation should replace broad assignments with the least-privileged roles at the narrowest scope that still supports required work. Owner at the subscription scope grants role assignment and broad control-plane permissions beyond backup operations. Backup Contributor on RG-Backup supports managing backup policies and restores for the vaults, while Reader on RG-Prod preserves the required VM visibility without allowing changes. PIM can reduce standing privilege, but it does not fix an assignment whose active permissions are still too broad.
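To check a remediation like this before and after it is applied, the added example below (not code from the page or from Azure) evaluates Azure RBAC the way the control plane does: an action is permitted when some assignment whose scope contains the target resource has a role whose Actions match it and whose NotActions do not, with `*` as the wildcard. The role definitions are abbreviated to the entries the check needs (the real built-in definitions are longer), and the subscription ID, resource group names and resource names are hypothetical.

```python
"""Added example: evaluate Azure RBAC assignments for one principal, to confirm
that a least-privilege replacement still covers the required work and nothing else."""
import re

# Abbreviated built-in role definitions: only the entries this check needs.
ROLES = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Backup Contributor": {"actions": [
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*",
        "Microsoft.RecoveryServices/Vaults/backupJobs/*",
    ], "notActions": []},
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # hypothetical


def _glob(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard: '*' matches any run of characters, case-insensitively."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_allows(role: str, action: str) -> bool:
    """Actions grant, NotActions subtract; no explicit deny in this model."""
    d = ROLES[role]
    return (any(_glob(p, action) for p in d["actions"])
            and not any(_glob(p, action) for p in d["notActions"]))


def _in_scope(assignment_scope: str, resource_scope: str) -> bool:
    """Assignments inherit downward: the assignment scope must be a prefix."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def is_permitted(assignments, principal, action, resource_scope) -> bool:
    """assignments: list of (principal, role, scope). Any matching assignment grants."""
    return any(p == principal and _in_scope(s, resource_scope) and role_allows(r, action)
               for p, r, s in assignments)


def grants_role_assignment(assignments, principal, scope) -> bool:
    """The permission that turns a role into 'can grant access'."""
    return is_permitted(assignments, principal,
                        "Microsoft.Authorization/roleAssignments/write", scope)


# Before: Owner at subscription scope. After: option B from the question.
BEFORE = [("BackupOps", "Owner", SUB)]
AFTER = [("BackupOps", "Backup Contributor", f"{SUB}/resourceGroups/RG-Backup"),
         ("BackupOps", "Reader", f"{SUB}/resourceGroups/RG-Prod")]

VAULT = f"{SUB}/resourceGroups/RG-Backup/providers/Microsoft.RecoveryServices/vaults/rsv-01"
PROD_VM = f"{SUB}/resourceGroups/RG-Prod/providers/Microsoft.Compute/virtualMachines/vm-01"
RESTORE = ("Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/"
           "protectedItems/recoveryPoints/restore/action")

if __name__ == "__main__":
    for label, assignments in (("before", BEFORE), ("after", AFTER)):
        print(label, "can grant access:", grants_role_assignment(assignments, "BackupOps", SUB),
              "| restore:", is_permitted(assignments, "BackupOps", RESTORE, VAULT),
              "| write prod VM:",
              is_permitted(assignments, "BackupOps", "Microsoft.Compute/virtualMachines/write", PROD_VM))
```

The same evaluator shows why option A is wrong for a different reason than option D: Contributor at the subscription cannot write role assignments, but it can still modify every non-backup resource, which the requirement rules out.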
Use this map to connect the sample questions to the decision pattern Microsoft usually tests for this security route.
flowchart LR
S1["Cloud or AI workload"] --> S2
S2["Secure identity and secrets"] --> S3
S3["Protect network and data paths"] --> S4
S4["Apply posture and compliance controls"] --> S5
S5["Monitor Defender signals"] --> S6
S6["Respond and improve"]
| Cue | What to remember |
|---|---|
| AI security | Protect prompts, data sources, identities, plugins, agents, and model-connected infrastructure. |
| Identity | Use managed identities, least privilege, Conditional Access, and workload access boundaries. |
| Data protection | Classify sensitive data, restrict exposure, and log access to high-value data sources. |
| Posture | Use recommendations, policy, secure score, and regulatory controls to drive remediation. |
| Detection | Correlate Defender and Azure signals across cloud resources, identity, data, and AI workloads. |
Use this page to review public sample questions, start the free diagnostic, open the live SC-500 practice page, and compare related IT Mastery pages.