
Microsoft SC-500: Identity and Governance

Try 10 focused Microsoft SC-500 questions on Identity and Governance, with explanations, then continue with IT Mastery.

Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.


Topic snapshot

| Field | Detail |
| --- | --- |
| Exam route | Microsoft SC-500 |
| Topic area | Manage Identity, Access, and Governance |
| Blueprint weight | 25% |
| Page purpose | Focused sample questions before returning to mixed practice |

How to use this topic drill

Use this page to isolate Manage Identity, Access, and Governance for Microsoft SC-500. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.

| Pass | What to do | What to record |
| --- | --- | --- |
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |

Blueprint context: 25% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These questions are original IT Mastery practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.

Question 1

Topic: Manage Identity, Access, and Governance

Your organization enabled Defender Cloud Security Posture Management (Defender CSPM) with agentless secret scanning. During a key and secret review, you must identify a finding that represents an exposed secret requiring remediation, not just a configuration or monitoring issue. Which signal should you prioritize?

Options:

  • A. A CSPM finding for a plaintext storage key on a VM disk

  • B. A Defender for Key Vault alert for unusual vault access

  • C. A Microsoft Sentinel incident from Key Vault audit logs

  • D. An Azure Policy result requiring Key Vault purge protection

Best answer: A

Explanation: Defender CSPM secret scanning identifies exposed credentials or secret material discovered in scanned resources, such as files on VM disks. That signal is used to find secrets that should be removed from the exposed location and rotated or otherwise remediated. This is different from monitoring access to a vault, evaluating Key Vault configuration compliance, or correlating audit events in Microsoft Sentinel. Those signals can support investigation or governance, but they do not by themselves show that a secret value has been discovered outside its intended protection boundary.

  • Vault access alert may indicate suspicious use of Key Vault, but it is not a CSPM secret discovery signal.
  • Policy compliance can enforce vault settings, but it does not prove a secret value is exposed.
  • Sentinel correlation helps analyze events, but it is not the Defender CSPM secret scanning finding itself.

Question 2

Topic: Manage Identity, Access, and Governance

A security engineer is reviewing Microsoft Defender for Cloud recommendations for a production subscription. The team wants to identify the missing or weak control that must be remediated before closing the finding.

Exhibit: Defender for Cloud recommendations

| Recommendation | Resource | State | Evidence |
| --- | --- | --- | --- |
| Key vaults should have purge protection enabled | kv-prod-01 | Unhealthy | purgeProtection: disabled |
| Storage accounts should restrict network access | stprodlogs | Healthy | defaultAction: Deny |
| Subnets should be associated with an NSG | snet-app | Healthy | NSG attached |

What is the best next action?

Options:

  • A. Enable purge protection on kv-prod-01.

  • B. Attach an NSG to snet-app.

  • C. Enable Defender for Storage on stprodlogs.

  • D. Rotate all secrets in kv-prod-01.

Best answer: A

Explanation: Defender for Cloud recommendations identify specific Azure resources whose configuration does not meet a security control or standard. In the exhibit, only the Key Vault recommendation is Unhealthy, and the evidence explicitly states that purge protection is disabled for kv-prod-01. The storage account and subnet entries are already Healthy, so they are not the active control gaps. Remediation should target the affected resource and setting named by the recommendation: enable purge protection for the Key Vault so deleted vaults, keys, secrets, or certificates cannot be immediately purged outside the intended recovery protections. Recommendation evidence should drive the action, not unrelated security improvements.

  • Storage protection is not indicated because the storage network recommendation is already Healthy.
  • Subnet association is unnecessary because snet-app already has an NSG attached.
  • Secret rotation may be useful hygiene, but the finding identifies purge protection, not stale or exposed secrets.

Question 3

Topic: Manage Identity, Access, and Governance

A security team must harden administrator access without changing how admins activate roles. Members of SecOps-Admins can use standard MFA for most apps, but when they access Azure portal, Azure CLI, or Azure PowerShell from a device that is not marked compliant, they must use phishing-resistant MFA. Which policy pattern should you implement?

Options:

  • A. Conditional Access targeting the admin group, Microsoft Azure Management, noncompliant devices, and phishing-resistant MFA

  • B. Conditional Access targeting all cloud apps and requiring compliant devices

  • C. Authentication methods policy enabling FIDO2 security keys for the admin group

  • D. Privileged Identity Management requiring MFA during admin role activation

Best answer: A

Explanation: Conditional Access is the right enforcement boundary for sign-in requirements that depend on context. This requirement is scoped to a user group, Azure management access, and device compliance state, then requires a stronger authentication method only when those conditions match. The target resource should be the Microsoft Azure Management cloud app, which covers Azure portal, Azure CLI, and Azure PowerShell access. An authentication strength grant control can require phishing-resistant MFA without changing role activation behavior. PIM and authentication methods policies are related controls, but they do not express this app-and-device-specific sign-in rule.

  • PIM activation applies to role elevation, not to each Azure management sign-in based on device context.
  • Method enablement makes FIDO2 available, but does not require it only for matching sign-ins.
  • All apps compliance broadens the resource scope and enforces device compliance instead of phishing-resistant MFA for the specified access path.

Question 4

Topic: Manage Identity, Access, and Governance

A security engineer reviews Microsoft Entra ID after a user reports an unexpected consent prompt. An enterprise application has this state:

| Setting | Value |
| --- | --- |
| Publisher | Unverified |
| Consent type | User consent |
| Delegated permissions | Files.ReadWrite.All, Mail.Read, offline_access |

The app is not approved by IT and no business owner can justify the access. What should the engineer do next?

Options:

  • A. Revoke the OAuth grants and require admin-reviewed consent

  • B. Reset the affected user’s password

  • C. Convert the app to a managed identity

  • D. Require MFA for the affected user

Best answer: A

Explanation: The risk is an unapproved application with user-consented, high-impact delegated permissions. Files.ReadWrite.All can allow broad file modification, Mail.Read can expose email content, and offline_access can allow continued access through refresh tokens. The next step is to remove the existing OAuth consent grant and route future requests for sensitive permissions through admin review, such as an admin consent workflow or stricter user consent settings. Identity controls like MFA are useful, but they do not by themselves remove an already granted application permission.

  • Password reset does not remove the OAuth consent grant or the app’s delegated access.
  • Managed identity applies to Azure resource identities, not to governing a third-party user-consented enterprise app.
  • MFA requirement improves user sign-in assurance but does not remediate excessive OAuth permissions already granted.

Question 5

Topic: Manage Identity, Access, and Governance

A payments API hosted on Azure App Service uses a database connection string, a signing key, and a TLS certificate. The security team requires centralized protection, access auditing, and lifecycle management for these sensitive values. The app already has a system-assigned managed identity. Which configuration should you implement?

Options:

  • A. Use Azure Dedicated HSM for all values

  • B. Store the values in Azure App Configuration

  • C. Store the values in an Azure Storage account

  • D. Deploy Azure Key Vault and grant the managed identity access

Best answer: D

Explanation: Azure Key Vault is the Azure service designed to centralize protection and management of cryptographic keys, secrets, and certificates. In this scenario, the workload needs to protect multiple sensitive value types and already has a managed identity, so the secure pattern is to place those values in a Key Vault and grant the workload only the required permissions. Key Vault also provides auditing integration and lifecycle capabilities such as certificate management and key rotation support. Azure App Configuration can reference Key Vault but is not the primary secret store, and storage accounts are not purpose-built for secret lifecycle management.

  • App Configuration is useful for application settings, but sensitive values should be stored in Key Vault rather than directly in configuration.
  • A storage account can restrict network access, but it does not provide Key Vault’s purpose-built key, secret, and certificate controls.
  • Dedicated HSM is for dedicated hardware-backed key storage, not general centralized management of secrets and certificates.

Question 6

Topic: Manage Identity, Access, and Governance

A security engineer must provide audit evidence showing whether the production subscription meets the organization’s NIST SP 800-53 Rev. 5 framework. They review Microsoft Defender for Cloud.

Exhibit: Defender for Cloud regulatory compliance

| Scope | Standard | Control | Status | Unhealthy resources |
| --- | --- | --- | --- | --- |
| Prod subscription | NIST SP 800-53 Rev. 5 | AC-2 Account Management | Failed | 4 |
| Prod subscription | NIST SP 800-53 Rev. 5 | SC-7 Boundary Protection | Passed | 0 |
| Prod subscription | Microsoft cloud security benchmark | Network Security | Failed | 2 |

What is the best interpretation of the exhibit?

Options:

  • A. Use the NIST control results as audit evidence.

  • B. Report that NIST compliance has fully passed.

  • C. Enable Microsoft Sentinel connectors before reporting compliance.

  • D. Use only the Microsoft cloud security benchmark result.

Best answer: A

Explanation: Microsoft Defender for Cloud regulatory compliance evaluates assigned standards at the selected scope and maps framework controls to compliance results and underlying recommendations. In this exhibit, the requested evidence is for NIST SP 800-53 Rev. 5 on the production subscription, so the NIST rows are the relevant evidence. AC-2 is failed with 4 unhealthy resources, while SC-7 is passed. The Microsoft cloud security benchmark row may be useful for posture management, but it is not the requested framework evidence.

  • Wrong framework fails because the Microsoft cloud security benchmark row does not answer the NIST-specific audit request.
  • Sentinel collection fails because log ingestion is not required to interpret Defender for Cloud regulatory compliance results.
  • Fully passed fails because the NIST AC-2 control shows a failed status with unhealthy resources.

Question 7

Topic: Manage Identity, Access, and Governance

A security engineer must provide audit evidence that a production Azure Key Vault is covered by Defender for Key Vault before approving additional secret operations. Defender for Cloud workload protection was recently configured at the subscription level. What evidence should the engineer collect next?

Options:

  • A. Defender for Cloud settings showing Defender for Key Vault enabled

  • B. Key Vault access policy assignments for secret users

  • C. Microsoft Sentinel incidents from Key Vault alerts

  • D. Key Vault diagnostic logs showing recent secret reads

Best answer: A

Explanation: Defender for Key Vault coverage is validated from Defender for Cloud configuration, not from activity that happens inside the vault. Because the plan was configured at the subscription level, the next evidence should show that Defender for Key Vault is enabled for the subscription that contains the production vault. Diagnostic logs, Sentinel incidents, and access policy assignments can support monitoring or access reviews, but they do not prove that the workload protection plan is active for that vault.

  • Secret read logs show activity, not whether Defender for Key Vault protection is enabled.
  • Sentinel incidents depend on alert generation and ingestion, so they are not baseline coverage evidence.
  • Access policies validate who can use secrets, not whether Defender for Key Vault monitors the vault.

Question 8

Topic: Manage Identity, Access, and Governance

An organization detects password-spray attempts against users in the Cloud Admins Microsoft Entra group. The security team must require stronger sign-in assurance when these users access Azure management tools, while avoiding impact to standard users and Microsoft 365 app access. Which configuration should you implement?

Options:

  • A. Conditional Access for all users and all cloud apps blocking access

  • B. Conditional Access for Cloud Admins and Microsoft Azure Management requiring MFA

  • C. Authentication methods policy enabling FIDO2 keys for Cloud Admins

  • D. Security defaults for the tenant requiring MFA for all users

Best answer: B

Explanation: Conditional Access is the right control when MFA must be required for a specific access scenario. Targeting the Cloud Admins group scopes the policy to the users with elevated risk, and selecting the Microsoft Azure Management cloud app scopes enforcement to Azure management access. The grant control should require multifactor authentication, which increases sign-in assurance without blocking access or affecting unrelated Microsoft 365 usage. Security defaults and all-user policies are broader than the stated requirement, while authentication methods policies control which methods are available but do not by themselves require MFA for a specific app.

  • Tenant-wide defaults are too broad because they affect more users and scenarios than the requirement describes.
  • Block access fails because the goal is stronger assurance, not preventing administrators from signing in.
  • Method availability is insufficient because enabling FIDO2 does not enforce MFA for Azure management access.
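The Conditional Access pattern behind Question 3 and Question 8, written out as a Microsoft Graph PowerShell policy body. This is an added example, not part of the original practice items or any Microsoft sample. The group object ID and break-glass account ID are constructed placeholders; the Microsoft Azure Management application ID and the built-in phishing-resistant authentication strength ID are the well-known values. The policy is created in report-only state so its scope can be checked before enforcement.

```powershell
# Added example: Conditional Access policy scoped to an admin group, the Microsoft Azure
# Management app, and devices that are not marked compliant, granting access only with
# a phishing-resistant MFA authentication strength (Question 3). Not the page's own code.
# Prerequisite: Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

$adminGroupId   = "00000000-0000-0000-0000-00000000aaaa"   # SecOps-Admins group (placeholder)
$breakGlassId   = "00000000-0000-0000-0000-00000000bbbb"   # emergency access account (placeholder)
$azureMgmtAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"   # Microsoft Azure Management (well-known)
$phishResistant = "00000000-0000-0000-0000-000000000004"   # built-in "Phishing-resistant MFA" strength

$policy = @{
    displayName = "Admins: phishing-resistant MFA for Azure management from noncompliant devices"
    state       = "enabledForReportingButNotEnforced"   # report-only first, enable after review
    conditions  = @{
        users          = @{ includeGroups = @($adminGroupId); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @($azureMgmtAppId) }
        clientAppTypes = @("all")
        devices        = @{
            # "Not marked compliant" is expressed by targeting all devices and excluding
            # those whose Intune compliance state is True.
            deviceFilter = @{ mode = "exclude"; rule = 'device.isCompliant -eq True' }
        }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $phishResistant }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Question 8 uses the same user and application scoping but a plain MFA grant and no
# device condition: replace the grantControls block with
#   grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
# and remove the devices entry from conditions.
```

Because the policy targets only the Microsoft Azure Management app and the named group, Microsoft 365 access and standard users are untouched, and PIM role activation is unaffected: the requirement is enforced at sign-in to the management endpoints, not at elevation time.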

Question 9

Topic: Manage Identity, Access, and Governance

An Azure Functions app uses its managed identity to read a TLS certificate object from Azure Key Vault. The same identity can read a secret named db-password. The app does not need to export the certificate private key.

| Evidence | Value |
| --- | --- |
| SecretGet | Success |
| CertificateGet | Forbidden |
| Secret permissions | Get, List |
| Certificate permissions | None |
| Key permissions | None |

What is the best root cause?

Options:

  • A. The identity requires Key Vault Administrator access.

  • B. The vault firewall blocks the function app.

  • C. The identity lacks key Unwrap permission.

  • D. The identity lacks certificate Get permission.

Best answer: D

Explanation: Key Vault separates permissions for keys, secrets, and certificates. A principal that can get secrets is not automatically allowed to get certificate objects. In this case, the diagnostic evidence is specific: SecretGet succeeds, while CertificateGet is forbidden, and the access configuration shows no certificate permissions. The least-privilege fix would be to grant only the certificate read permission needed for the scenario, such as certificate Get through the applicable Key Vault access model. Adding key permissions or broad administrator rights would exceed the stated need.

  • Key permission trap fails because the denied operation is CertificateGet, not a cryptographic key operation.
  • Firewall trap fails because the same app successfully reaches the vault for SecretGet.
  • Administrator role trap fails because broad administrative access is unnecessary for read-only certificate access.
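One way to apply the least-privilege fix from this explanation with the Az PowerShell modules, as an added example that is not part of the original practice item. It resolves the function app's system-assigned identity, checks which Key Vault permission model the vault uses, and grants only certificate read access under that model. The resource group, vault, function app, and certificate names are constructed placeholders.

```powershell
# Added example: grant a function app's managed identity certificate read access only.
# Names below are constructed for illustration, not taken from the practice item.
$resourceGroup = "rg-prod"
$vaultName     = "kv-prod-01"
$functionApp   = "func-payments"
$certName      = "tls-cert"

# 1. Resolve the system-assigned managed identity (the principal that received Forbidden).
$principalId = (Get-AzFunctionApp -ResourceGroupName $resourceGroup -Name $functionApp).IdentityPrincipalId
if (-not $principalId) { throw "Function app has no system-assigned managed identity enabled." }

# 2. The fix depends on the vault's access model, so read it rather than assuming.
$vault = Get-AzKeyVault -ResourceGroupName $resourceGroup -VaultName $vaultName

if ($vault.EnableRbacAuthorization) {
    # RBAC model: assign the built-in certificate-read role at the single certificate,
    # not the whole vault. This role also exposes the certificate's secret portion, so
    # the narrow object scope is what keeps the grant close to the stated need.
    New-AzRoleAssignment -ObjectId $principalId `
        -RoleDefinitionName "Key Vault Certificate User" `
        -Scope "$($vault.ResourceId)/certificates/$certName"
} else {
    # Access policy model: add only the certificate 'get' permission. Secret and key
    # permission categories are not specified, so they are left as they were.
    Set-AzKeyVaultAccessPolicy -ResourceGroupName $resourceGroup -VaultName $vaultName `
        -ObjectId $principalId -PermissionsToCertificates get
}

# 3. Capture the resulting grant as evidence for the access review.
if ($vault.EnableRbacAuthorization) {
    Get-AzRoleAssignment -ObjectId $principalId -Scope "$($vault.ResourceId)/certificates/$certName"
} else {
    (Get-AzKeyVault -ResourceGroupName $resourceGroup -VaultName $vaultName).AccessPolicies |
        Where-Object ObjectId -eq $principalId
}
```

Neither branch touches key permissions or assigns an administrator role, which is the point of the scenario: the denied operation is CertificateGet, so the grant is limited to the certificate category and, under RBAC, to the one certificate object.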

Question 10

Topic: Manage Identity, Access, and Governance

A central security team is deploying an Azure Policy initiative that denies public network exposure for approved production workloads. The control must apply to all current and future production subscriptions, must not apply to development subscriptions, and must not depend on app teams creating resource groups correctly.

Corp management group
  ├─ Prod: current and future production subscriptions
  └─ Dev: development subscriptions

At which scope should the initiative be assigned?

Options:

  • A. The Corp management group with Dev excluded

  • B. The Prod management group

  • C. Each current production resource group

  • D. Each current production subscription

Best answer: B

Explanation: Azure Policy assignments inherit down from the selected scope. A management group assignment applies to subscriptions, resource groups, and resources beneath that management group, including future subscriptions placed there. Because the intended boundary is exactly the production hierarchy, the Prod management group is the narrowest scope that satisfies all requirements. It avoids applying the initiative to Dev and avoids relying on app-team resource group creation patterns. The key design principle is to assign policy at the highest scope that exactly matches the governance boundary, not higher or lower.

  • Corp with exclusions is broader than the intended boundary and adds exclusion management where a precise Prod scope already exists.
  • Current subscriptions misses future production subscriptions unless each new subscription receives a separate assignment.
  • Current resource groups misses new resource groups and does not match the subscription-level production governance boundary.
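The management-group assignment this explanation recommends, shown with the Az PowerShell modules as an added example (not part of the original practice item). It assumes an initiative definition named deny-public-network-exposure already exists at the Corp management group and that the production management group's ID is Prod; both are constructed placeholders.

```powershell
# Added example: assign an initiative at the Prod management group so every current and
# future production subscription inherits it and Dev stays out of scope.
# Placeholders: management group IDs "Corp" and "Prod", initiative name below.
$prodScope  = "/providers/Microsoft.Management/managementGroups/Prod"
$initiative = Get-AzPolicySetDefinition -Name "deny-public-network-exposure" -ManagementGroupName "Corp"

New-AzPolicyAssignment -Name "deny-public-exposure-prod" `
    -DisplayName "Deny public network exposure (Prod)" `
    -Scope $prodScope `
    -PolicySetDefinition $initiative `
    -EnforcementMode Default

# Confirm what the assignment now covers: the subscriptions directly under Prod.
# A subscription moved into Prod later is covered with no further assignment.
Get-AzManagementGroup -GroupName "Prod" -Expand |
    Select-Object -ExpandProperty Children |
    Where-Object Type -eq "/subscriptions" |
    Select-Object DisplayName, Name
```

Assigning at Prod rather than at Corp with a Dev exclusion means there is no exclusion list to maintain, and assigning at the management group rather than per subscription or resource group means app teams cannot fall outside the control by creating resources in an unexpected container.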

Continue with full practice

Use the Microsoft SC-500 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.


Free review resource

Read the Microsoft SC-500 Cheat Sheet for compact concept review before returning to timed practice.

Revised on Monday, May 25, 2026