Microsoft SC-500: Storage and Networking Security

Try 10 focused Microsoft SC-500 questions on Storage and Networking Security, with explanations, then continue with IT Mastery.

Topic snapshot

Field | Detail
Exam route | Microsoft SC-500
Topic area | Secure Storage, Databases, and Networking
Blueprint weight | 29%
Page purpose | Focused sample questions before returning to mixed practice

How to use this topic drill

Use this page to isolate Secure Storage, Databases, and Networking for Microsoft SC-500. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.

Pass | What to do | What to record
First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer.
Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor.
Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter.
Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious.

Blueprint context: 29% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These questions are original IT Mastery practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.

Question 1

Topic: Secure Storage, Databases, and Networking

A company runs a customer portal on Azure SQL Database. The application must continue using its existing approved network path. Security wants Microsoft Defender for Cloud to generate workload threat alerts for SQL injection attempts, anomalous access, and suspicious database activity. Which control should the security engineer configure?

Options:

  • A. Enable Defender for Databases for the Azure SQL resource

  • B. Enable Azure SQL auditing to a storage account

  • C. Require a private endpoint for all database access

  • D. Assign Defender CSPM to the subscription

Best answer: A

Explanation: Microsoft Defender for Databases is the workload protection control in Defender for Cloud for supported Azure database services, including Azure SQL Database. It analyzes database activity and related signals to detect threats such as SQL injection attempts, suspicious access patterns, and potentially compromised credentials. In this scenario, the requirement is threat protection without changing the application’s approved connectivity path, so enabling the database workload protection plan is the best fit.

Auditing and network isolation can be valuable supporting controls, but they do not replace Defender for Databases threat detection for database workloads.

  • Auditing records database events but does not provide the same Defender workload threat protection alerts.
  • Posture management helps find misconfigurations and exposure, but Defender CSPM is not the database workload protection plan.
  • Network isolation may reduce exposure, but requiring private endpoints could disrupt existing connectivity and does not directly configure Defender threat protection.

Question 2

Topic: Secure Storage, Databases, and Networking

An auditor asks for proof that Microsoft Defender for Storage is active for storage account stprodlogs01. The subscription’s Defender plans are managed centrally, but individual storage accounts can have resource-level settings. Which evidence best validates the configuration for the target storage account?

Options:

  • A. The account-level Defender for Cloud status shows Defender for Storage enabled

  • B. The storage account firewall allows only selected virtual networks

  • C. An Azure Policy assignment audits storage accounts without private endpoints

  • D. The subscription Defender plans page shows Storage enabled

Best answer: A

Explanation: To validate Defender for Storage for a specific storage account, use evidence that reports the protection state for that exact resource. Subscription-level Defender plan settings can indicate default coverage, but they may not prove the target account is protected when resource-level settings or exclusions are possible. A storage firewall or private endpoint policy can help reduce network exposure, but those controls do not confirm Defender for Storage threat protection. The key takeaway is to match the evidence to the resource and the Defender plan state, not to adjacent storage hardening controls.

  • Subscription setting is broader than the audit target and may not reflect resource-level overrides.
  • Firewall restriction validates network access control, not Defender for Storage protection.
  • Private endpoint policy checks a different storage security requirement and does not prove threat protection is enabled.

Question 3

Topic: Secure Storage, Databases, and Networking

A company uses an Azure Storage account for customer file uploads. The account already has a private endpoint, public network access disabled, and diagnostic settings that send storage logs to Microsoft Sentinel. Security now requires alerts for suspicious storage activity and malware detection for newly uploaded blobs, but Defender for Cloud shows no Defender for Storage coverage for this account. What is the best next implementation step?

Options:

  • A. Create a Sentinel analytics rule from storage logs.

  • B. Add storage firewall rules for the upload subnets.

  • C. Enable Defender for Storage and configure malware scanning.

  • D. Apply a resource lock to the storage account.

Best answer: C

Explanation: Microsoft Defender for Storage is the workload protection capability that adds threat detection for Azure Storage, including alerts for suspicious access patterns and optional malware scanning for blob uploads. The stem says network isolation and log forwarding are already configured, but Defender for Cloud has no Defender for Storage coverage for the account. The logical next step is to enable and configure Defender for Storage for the target scope before relying on alerts, malware findings, or downstream Sentinel workflows.

Firewall rules, Sentinel analytics, and resource locks can support a broader security program, but they do not replace enabling the storage threat protection plan and its required scanning features.

  • Firewall hardening is already addressed by the private endpoint and disabled public access; more rules do not add threat detection.
  • Sentinel analytics can use logs, but it does not enable Defender for Storage malware scanning.
  • Resource locks help prevent accidental deletion or modification, not suspicious activity detection.

Question 4

Topic: Secure Storage, Databases, and Networking

A security engineer configures an Azure SQL logical server that hosts production databases. The requirement is to reduce administrative exposure by requiring Microsoft Entra authentication and preventing SQL authentication, including use of the built-in SQL server admin login. Which evidence best validates that the platform-level control is working?

Options:

  • A. Defender for SQL shows no active threat alerts.

  • B. Entra-only authentication is enabled and SQL-auth login tests fail.

  • C. Database users are assigned to an Entra security group.

  • D. Database auditing records successful queries by administrators.

Best answer: B

Explanation: For Azure SQL platform security, Microsoft Entra-only authentication is a server-level control that disables SQL authentication for the logical server. The strongest validation combines the intended setting with an enforcement result: SQL-authenticated connection attempts, including the built-in SQL server admin login, are rejected. That proves the administrative exposure has been reduced at the authentication boundary. Audit records, alerts, and database user mappings can be useful, but they do not by themselves prove that SQL authentication is blocked at the server level.

  • Audit activity shows what administrators did, but not whether SQL authentication is prevented.
  • No threat alerts indicates no detected threat activity, not that the authentication boundary is enforced.
  • Group assignment controls database authorization for Entra users, but it does not validate SQL authentication is disabled.

Question 5

Topic: Secure Storage, Databases, and Networking

An organization hosts regulated customer data in Azure SQL Database. The security team must meet both requirements:

  • Detect suspicious database activity, such as potential SQL injection attempts and anomalous access.
  • Retain database audit events in Log Analytics for compliance review.

Which two controls should the team implement? Select TWO.

Options:

  • A. Create Microsoft Sentinel analytics rules without enabling auditing.

  • B. Enable Microsoft Defender for Databases.

  • C. Configure Azure SQL auditing to Log Analytics.

  • D. Assign an Azure Policy that denies public network access.

  • E. Configure a private endpoint for the SQL server.

  • F. Enable Transparent Data Encryption with customer-managed keys.

Correct answers: B and C

Explanation: Defender for Databases and platform-level database settings solve different security needs. Defender for Databases, enabled through Microsoft Defender for Cloud, is used for database threat protection, vulnerability-related recommendations, and alerts about suspicious activity. Azure SQL auditing is a database platform setting that records audit events and can send them to a Log Analytics workspace for compliance review and investigation. Network isolation, encryption, and policy enforcement can improve security posture, but they do not replace threat detection or audit-event collection. Sentinel analytics can help after data is collected, but it does not by itself enable Azure SQL auditing.

  • Private endpoint reduces public exposure but does not provide database threat alerts or audit-event retention.
  • TDE with CMK protects data at rest but does not monitor suspicious activity or collect audit records.
  • Azure Policy denial can enforce a network posture rule, but it does not generate database security alerts or audit logs.
  • Sentinel rules alone cannot analyze Azure SQL audit events if auditing is not configured to send the events.

Question 6

Topic: Secure Storage, Databases, and Networking

A security team uses Azure Virtual Network Manager at management-group scope to govern production VNets across subscriptions. Review the deployed configuration and subnet rule. What is the best interpretation of inbound RDP from the Internet to VMs in VNets that are members of the listed network group?

Exhibit:

Item | Setting
Network group | ProdNetworkGroup
Deployment status | Succeeded
Security admin rule | Deny TCP 3389 from Internet
Existing subnet NSG rule | Allow TCP 3389 from Internet

Options:

  • A. The rule only reports compliance and does not affect traffic.

  • B. The configuration manages routing only, not network access.

  • C. Inbound RDP remains allowed because the NSG rule permits it.

  • D. Inbound RDP is centrally denied before the NSG allow rule.

Best answer: D

Explanation: Azure Virtual Network Manager can enforce centralized network access policies by deploying security admin configurations to network groups. Security admin rules are evaluated before subnet or NIC network security group rules. A deployed Deny rule blocks matching traffic even when a local NSG contains an allow rule. In this exhibit, the configuration succeeded, targets the production network group, and denies TCP 3389 from the Internet, which matches inbound RDP. Local NSGs still control traffic that is not blocked by a centralized security admin rule, but they cannot override this central deny.

  • NSG override fails because a local NSG allow rule cannot override a deployed security admin deny rule.
  • Compliance-only view fails because security admin rules enforce traffic decisions, not just posture reporting.
  • Routing-only assumption fails because Azure Virtual Network Manager includes security admin configurations for access control.

Question 7

Topic: Secure Storage, Databases, and Networking

An application on an Azure VM uses its managed identity to list blobs in the container named reports. The same code succeeds from subnet-a but fails from a VM in subnet-b.

Evidence | Value
Auth method | Microsoft Entra token
Role assignment | Storage Blob Data Reader on the storage account
Storage firewall | Selected networks
Allowed networks | subnet-a only
Error | 403 Client address is not authorized

What is the most likely cause?

Options:

  • A. The managed identity lacks blob data permissions.

  • B. Defender for Storage blocked the request.

  • C. A stored access policy has expired.

  • D. The storage firewall does not allow subnet-b.

Best answer: D

Explanation: Azure Storage access failures can come from different enforcement layers. In this scenario, the identity evidence is already favorable: the VM uses a Microsoft Entra token, and the managed identity has Storage Blob Data Reader at the storage account scope, which is appropriate for listing blobs. The decisive clue is the network evidence: the storage account allows only selected networks, and only subnet-a is listed. A "403 Client address is not authorized" message aligns with a storage firewall rule blocking traffic from subnet-b. Stored access policies apply to SAS-based access, not this Entra-authenticated request. Defender for Storage provides threat detection and alerts; it is not the likely access gate shown here.

  • RBAC role trap fails because Storage Blob Data Reader at account scope supports listing blobs with Microsoft Entra authentication.
  • Stored policy trap fails because stored access policies constrain SAS tokens, while the request uses a Microsoft Entra token.
  • Threat protection trap fails because Defender for Storage detects suspicious activity but is not the firewall-style control indicated by the error.

Question 8

Topic: Secure Storage, Databases, and Networking

A security engineer is validating effective inbound NSG rules for an API VM. NSG rules are evaluated by priority, with lower numbers first. The required path is asg-web to asg-api on TCP 8443 only; all other inbound traffic to the API tier must be blocked. Which next action best satisfies the requirement?

Exhibit: Effective inbound rules

Priority | Source | Destination | Port | Action
100 | asg-web | asg-api | TCP 8443 | Allow
200 | Internet | asg-api | Any | Deny
65000 | VirtualNetwork | VirtualNetwork | Any | Allow
65500 | Any | Any | Any | Deny

Options:

  • A. Keep the rules because Internet traffic is explicitly denied.

  • B. Add a VNet-to-asg-api deny below rule 100 and above defaults.

  • C. Remove rule 100 and rely on the default VNet allow.

  • D. Change rule 100 source from asg-web to VirtualNetwork.

Best answer: B

Explanation: The effective rules show that the required asg-web to asg-api TCP 8443 path is already allowed by a specific ASG-based rule. However, the default AllowVNetInBound rule at priority 65000 still permits other VNet-to-VNet traffic unless a higher-priority custom deny overrides it. To limit exposure, keep the specific allow first, then add a deny from VirtualNetwork to asg-api for remaining inbound traffic at a priority after 100 and before the default rules. Because NSGs stop at the first matching rule, the required flow matches the allow before the broader deny. Denying only Internet traffic does not restrict lateral traffic inside the VNet.

  • Internet deny only fails because it does not block other subnets or ASGs inside the VNet.
  • Broadening the allow fails because VirtualNetwork would expand the permitted source set.
  • Default VNet allow fails because it preserves connectivity by allowing too much lateral traffic.
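The evaluation order that Questions 6 and 8 turn on (security admin deny before NSG, then NSG rules by ascending priority with first match winning) can be checked with a small simulation. This is an added example written for this page, not IT Mastery's or Microsoft's code; it treats sources and destinations as plain labels, treats "VirtualNetwork" as matching any label other than "Internet", and uses a constructed priority of 150 for the custom deny from option B.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int
    source: str
    destination: str
    port: str          # e.g. "TCP 8443" or "Any"
    action: str        # "Allow" or "Deny"

def _matches(field: str, value: str) -> bool:
    # Assumption: labels are compared literally; "Any" matches everything and
    # the "VirtualNetwork" tag matches every label except "Internet".
    if field in ("Any", value):
        return True
    return field == "VirtualNetwork" and value != "Internet"

def evaluate_nsg(rules, source, destination, port):
    """NSG semantics from the explanation: lowest priority number first,
    evaluation stops at the first matching rule."""
    for r in sorted(rules, key=lambda r: r.priority):
        if all((_matches(r.source, source),
                _matches(r.destination, destination),
                _matches(r.port, port))):
            return r.action, r.priority
    return "Deny", None   # not reached while the default 65500 deny exists

def evaluate_effective(admin_rules, nsg_rules, source, destination, port):
    """Question 6 ordering: a deployed security admin Deny applies before any
    NSG rule; traffic it does not block falls through to the NSG."""
    for r in sorted(admin_rules, key=lambda r: r.priority):
        if r.action == "Deny" and all((_matches(r.source, source),
                                       _matches(r.destination, destination),
                                       _matches(r.port, port))):
            return "Deny", f"security admin {r.priority}"
    action, prio = evaluate_nsg(nsg_rules, source, destination, port)
    return action, f"NSG {prio}"

# Exhibit from Question 8, as deployed today.
EXHIBIT = [
    Rule(100, "asg-web", "asg-api", "TCP 8443", "Allow"),
    Rule(200, "Internet", "asg-api", "Any", "Deny"),
    Rule(65000, "VirtualNetwork", "VirtualNetwork", "Any", "Allow"),
    Rule(65500, "Any", "Any", "Any", "Deny"),
]
# Option B: a custom deny placed after rule 100 and before the defaults.
# Priority 150 is a constructed value; any number between 100 and 65000 works.
HARDENED = EXHIBIT + [Rule(150, "VirtualNetwork", "asg-api", "Any", "Deny")]

# Question 6: a security admin deny versus a local NSG allow for the same flow.
ADMIN_RULES = [Rule(10, "Internet", "Any", "TCP 3389", "Deny")]
Q6_NSG = [Rule(100, "Internet", "VirtualNetwork", "TCP 3389", "Allow"),
          Rule(65500, "Any", "Any", "Any", "Deny")]

if __name__ == "__main__":
    print(evaluate_nsg(EXHIBIT, "asg-db", "asg-api", "TCP 22"))      # ('Allow', 65000): lateral path open
    print(evaluate_nsg(HARDENED, "asg-db", "asg-api", "TCP 22"))     # ('Deny', 150)
    print(evaluate_nsg(HARDENED, "asg-web", "asg-api", "TCP 8443"))  # ('Allow', 100): required path intact
    print(evaluate_effective(ADMIN_RULES, Q6_NSG, "Internet", "vm-prod", "TCP 3389"))  # ('Deny', 'security admin 10')
```

The second print shows why option A is insufficient: with only the Internet deny, any other VNet source still reaches asg-api through the default 65000 allow.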

Question 9

Topic: Secure Storage, Databases, and Networking

An organization has an existing site-to-site VPN between its datacenter and an Azure virtual network. A datacenter workload must read from one Azure Storage account. Security requires the storage account to be reachable only through a private IP in the virtual network, with public network access disabled. Which implementation meets the requirement?

Options:

  • A. Configure a Microsoft.Storage service endpoint on the workload subnet.

  • B. Create a storage private endpoint, disable public access, configure private DNS.

  • C. Route storage traffic through the existing VPN to the public endpoint.

  • D. Allow the datacenter public IPs in the storage firewall.

Best answer: B

Explanation: A site-to-site VPN provides private connectivity between the datacenter and the Azure virtual network, but it does not by itself make an Azure PaaS resource available through a private IP. A private endpoint maps a specific service subresource, such as Azure Storage, to a private IP address in the VNet. With public network access disabled and private DNS configured, the datacenter workload can use the existing VPN as transport while resolving the storage account to the private endpoint address. The key distinction is that VPN connects networks, while private endpoints privately expose a specific Azure service instance.

  • VPN alone fails because the storage account would still be reached through its public endpoint.
  • Firewall allowlisting fails because it depends on public IP access, which the requirement prohibits.
  • Service endpoint fails because it does not assign a private IP to the storage account for on-premises access over VPN.

Question 10

Topic: Secure Storage, Databases, and Networking

An app uses a managed identity to read blobs from an Azure Storage account. Public network access is disabled, and the security team requires private-only access.

Current evidence:

Check | Result
Private endpoint | Approved
DNS from app subnet | Resolves to 10.4.2.5
TCP 443 to 10.4.2.5 | Succeeds
App response | 403 AuthorizationPermissionMismatch
App identity role | Reader on resource group

What is the best next step?

Options:

  • A. Enable public network access on the storage account.

  • B. Add a virtual network rule to the storage firewall.

  • C. Assign Storage Blob Data Reader to the managed identity.

  • D. Create another private endpoint in the app subnet.

Best answer: C

Explanation: The evidence separates network reachability from authorization. The approved private endpoint, private DNS resolution to a 10.x address, and successful TCP connection show that the app can reach the storage service over the private path. The failure is an HTTP 403 AuthorizationPermissionMismatch, and the managed identity only has the Azure Resource Manager Reader role. That role does not grant blob data access. The next remediation is to grant the least-privilege blob data-plane role, such as Storage Blob Data Reader, at the appropriate container or storage account scope. Creating more network controls would not fix a data authorization failure.

  • Adding another private endpoint fails because the existing private endpoint and DNS path are already validated.
  • Public access violates the private-only requirement and does not address the missing blob permission.
  • Virtual network rule targets service endpoint-style access, while this design is already using Private Link.

Continue with full practice

Use the Microsoft SC-500 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.

Free review resource

Read the Microsoft SC-500 Cheat Sheet for compact concept review before returning to timed practice.

Revised on Monday, May 25, 2026