What Is the Difference Between Managed Identities and Service Principals for Securing Code? Prepare for the AZ-500 exam by learning how Managed Identities eliminate the need for credentials in code. Understand the key differences between Managed Identities and standard Service Principals for secure Azure AD authentication. Question Which of the following identities eliminate the need …
AZ-500
Microsoft AZ-500 certification exam assessment practice question and answer (Q&A) dump, including multiple-choice questions (MCQ) and objective-type questions, with detailed explanations and references, available free and helpful for passing the Microsoft AZ-500 exam and earning the Microsoft AZ-500 certification.
Can You Report an MFA Fraud Alert via Email in Azure AD? Discover the correct procedure for the AZ-500 exam on how users report fraudulent MFA attempts in Azure AD. Learn why the fraud alert feature uses interactive prompts on a phone or app and does not support reporting via email. Question With Azure AD …
Where Do You Go to Activate a Privileged Role? Get the correct procedure for the AZ-500 exam on how to activate an eligible privileged identity role. Learn why activation is done in the Azure portal via the PIM service and not the Authenticator app or user profile. Question You can activate an eligible privileged identity …
Does Azure Admin Consent Grant Permissions for All Users or Just One? Prepare for the AZ-500 exam by understanding how Azure AD admin consent works. Learn why it grants application permissions on behalf of all users in the tenant, not just a specific user, and how it differs from user consent. Question Admin consent grants …
What Security Posture Management Features Are in the Free Tier of Microsoft Defender for Cloud? Find out for the AZ-500 exam if the Standard tier of Azure Security Center (now Microsoft Defender for Cloud) is required for resource security hygiene. Learn what the Free tier offers, including continuous assessment and security recommendations. Question The Standard …
How Do You Connect an On-Premises Datacenter to an Azure VNet? Learn the right ways to connect your on-premises datacenter to an Azure site for the AZ-500 exam. Explore the differences between a Site-to-Site VPN, ExpressRoute, and a Point-to-Site VPN for secure hybrid networking. Question Which of the following can be used to connect your …
Can Users Perform Their Own Privileged Role Access Reviews in Azure PIM? Master Azure PIM for the AZ-500 exam. Learn how to configure access reviews to allow eligible members to perform a self-review of their own privileged role assignments and understand the different reviewer options available. Question You can configure access reviews in Privileged Identity …
Do Azure Network Security Groups Allow RDP Port 3389 by Default? Find out if Azure Network Security Groups include a default rule to allow RDP on port 3389. Understand the default NSG rule set and why remote access is denied by default for the AZ-500 exam. Question Network Security Groups include a rule to allow …
How Does Azure CNI Provide Advanced Networking for AKS, AKS Engine, and Docker? Learn which container solutions, including Azure Kubernetes Service (AKS), AKS Engine, and Docker, use the Azure Virtual Network CNI plugin for advanced networking capabilities. Get a clear explanation relevant for the AZ-500 exam on how this integration provides direct VNet connectivity. Question …
Can a Resource Forest in Azure AD Domain Services Sync On-Premises Accounts? Get a clear explanation for the AZ-500 exam on Azure AD Domain Services. Understand why a resource forest cannot sync on-premises accounts and learn the key differences between a user forest and a resource forest for hybrid identity. Question A resource forest in …
Do SAS Tokens Provide Limited or Root Access to Azure Storage Accounts? Prepare for the AZ-500 exam by learning the critical distinction between SAS tokens and storage account keys. Understand how SAS provides granular, time-bound delegated access, unlike the full root permissions of an account key. Question SAS tokens provide root access to an Azure …
Is BitLocker the Technology Behind Azure Disk Encryption? Prepare for the AZ-500 exam by understanding how Azure Disk Encryption utilizes the Windows BitLocker feature to provide volume encryption for both OS and data disks. Learn how this service integrates with Azure Key Vault to manage encryption keys. Question Azure Disk Encryption uses BitLocker to encrypt …
Which Azure App Service Plans Support Microsoft Defender? Prepare for the AZ-500 exam by learning which Azure App Service plans are required for Advanced Threat Protection. Discover why Microsoft Defender for App Service needs dedicated machines and which tiers are supported. Question Advanced Threat Protection in Security Center can be enabled for an App Service …
Can You Disable Policy Checks in the Azure Security Center Free Tier? Get a detailed answer for the AZ-500 exam on whether you can change the default policy and disable checks in the Azure Security Center free tier. Learn how Azure Policy controls security recommendations. Question The Free tier of Azure Security Center (ASC) allows …
Why Must VMs in an Azure Application Security Group Share the Same VNet? Get clarity on Azure network security for the AZ-500 exam. Understand the regional limitations of an Application Security Group (ASG) and why its VMs must be in the same VNet. Question VMs included in an Application Security Group cannot be located in …
Why Is the Az Module Required for Azure Automation Runbooks? Prepare for the AZ-500 exam by understanding why Azure Automation runbooks use the modern Az module for Azure Storage key rotation, not the deprecated AzureRM module. Question When automating key rotation, Azure Automation runbooks require the use of the AzureRM module with key rotation for …
What Are the Available Permitted Operations for Keys in Azure Key Vault? Master Azure Key Vault security for the AZ-500 exam by learning how to limit key functions using permitted operations like Encrypt, Decrypt, Sign, and Verify. Question You can limit operations on a key in Azure Key Vault by configuring the settings under Permitted …
What Role Does Azure Policy Play in Azure Security Center’s Default Behaviors? Discover how Azure Security Center leverages Azure Policy for default monitoring and remediation configurations in AZ-500 certification preparation. Question Azure Security Center (ASC) uses Azure Policy to configure default monitoring and remediation behaviors. A. FALSE B. TRUE Answer B. TRUE Explanation Azure Security …
What Azure Roles Control Management Plane Access for Azure Key Vault? Learn how Azure AD authentication secures the Key Vault management plane using Azure RBAC roles. Understand the critical difference between the management plane (creating/deleting vaults) and the data plane (accessing secrets) for the AZ-500 exam. Question You can use Azure AD authentication to secure …
Can You Use Azure AD Credentials to Secure Access to HDInsight Clusters? Discover how Azure HDInsight supports Azure AD authentication for secure service access. Learn the role of the Enterprise Security Package (ESP) and Azure RBAC for resource and data-level security, a key topic for the AZ-500 certification exam. Question Azure HDInsight supports Azure AD …
What’s the Difference Between Using Security Groups and M365 Groups to Secure Azure Resources? Learn why both Security Groups and Microsoft 365 groups can be used to secure Azure resources through role-based access control (RBAC). Understand the key distinctions and best use cases for each group type, a critical concept for the AZ-500 exam. Question …
Which SQL Security Feature Prevents Database Admins From Viewing Sensitive Data? Discover why Always Encrypted is the only SQL security option that ensures database admins cannot see sensitive data like credit card information. A critical concept for the AZ-500 exam, this feature separates data ownership from data management. Question You need to implement security in …
Which App Service Plan Tiers Support Client Certificate Authentication? For your AZ-500 exam, it’s essential to know that client certificate authentication is available on the Basic, Standard, Premium, and Isolated App Service Plan tiers. Understand which plans support this feature and how it enhances web app security. Question You can bind client certificates to which …
What Methods Support Zero-Downtime Key Rotation in Azure Key Vault? For your AZ-500 exam, learn how Azure Key Vault’s key versioning enables zero-downtime rotation. Discover how to rotate keys manually, via the REST API, or with Azure Automation without impacting application behavior. Question You can rotate keys in Azure Key Vault without affecting behavior of …
What Is Microsoft’s Recommended Method for Securely Rolling Storage Account Keys? For the AZ-500 exam, discover why Azure Key Vault is Microsoft’s recommended service for the secure, automated rotation of Azure Storage account keys. Learn how this native feature eliminates manual effort and custom scripting. Question Microsoft recommends Shared Keys should be rolled automatically using which …
Why Is a Shared Access Signature (SAS) the Best Way to Grant Temporary Storage Access? Learn the best method to grant an application temporary, read-only access to Azure Storage that automatically expires after 90 days. Understand why a Shared Access Signature (SAS) is the ideal solution for time-bound, permission-scoped access over shared keys or RBAC …
Is SSH Enabled on Azure Kubernetes Service (AKS) Nodes by Default? Learn why SSH is enabled by default on AKS nodes for maintenance and troubleshooting. Understand the default security model, including key-based authentication and network restrictions, and discover the secure methods for connecting, for the AZ-500 exam. Question SSH is disabled on AKS nodes by default. …
Does Azure Container Registry Support Docker and Kubernetes Outside of Azure? Learn how Azure Container Registry (ACR), a standards-compliant Docker V2 registry, supports Kubernetes and Docker workloads on any cloud platform, including AWS and GCP. Discover the authentication methods needed for secure cross-cloud image pulls. Question Azure Container Registry (ACR) supports Kubernetes and Docker running …
Why Does Physical Isolation in AKS Reduce Pod Density Compared to Logical Isolation? Understand the trade-offs between physical and logical isolation in AKS for the AZ-500 exam. Learn why physical isolation using dedicated nodes provides strong security but results in lower pod density compared to logical isolation methods like network policies and namespaces. Question Physical isolation …
What Is the Difference Between TDE and Always Encrypted for Azure Database Security? For your AZ-500 exam, understand that Transparent Data Encryption (TDE) encrypts the entire database at rest and cannot be used for individual column encryption. Learn the critical difference between TDE for encryption-at-rest and Always Encrypted for selective, column-level protection. Question You can …
Can You Use Always Encrypted for Selective Column-Level Encryption? Learn how Azure SQL’s Always Encrypted feature enables selective, column-level encryption of sensitive data. For the AZ-500 exam, master client-side encryption by understanding how to protect individual database columns while the data is in use, in transit, and at rest. Question You cannot configure Always Encrypted for …
Can You Grant Fine-Grained Permissions in Data Lake Using Azure AD Users and Groups? Master Azure Data Lake security for the AZ-500 exam. Learn how Azure Data Lake Gen2 uses Azure AD identities (users, groups, service principals) in Access Control Lists (ACLs) to provide POSIX-like, fine-grained permissions on individual files and folders. Question Azure Data Lake …
Are Defender for Cloud Recommendations Ordered by Severity or Secure Score Impact? Ace your AZ-500 exam by understanding how Microsoft Defender for Cloud prioritizes recommendations. Learn why recommendations are sorted by their impact on your Secure Score, not just by severity, to guide you in improving your security posture effectively. Question Security Center recommendations are …
Why Can’t Microsoft Sentinel Playbooks Use Standard Logic App Triggers? Pass the AZ-500 exam by understanding why Microsoft Sentinel playbooks require specific Sentinel triggers. Learn the difference between standard Logic App triggers and the specialized incident/alert triggers used for security automation and response (SOAR). Question Logic Apps created for use in the Security Playbooks feature of …
Why Should You Grant RBAC Roles at the Resource Group, Not Subscription Scope? For the AZ-500 exam, master the principle of least privilege in Azure RBAC. Learn why assigning roles like Contributor at the resource group scope is crucial for security, and how granting permissions at the subscription level can create unnecessary risk. Question To provide …
Why Doesn’t Azure SQL Support Azure AD Domain Services Authentication? Prepare for the AZ-500 exam by understanding why Azure SQL supports modern Azure AD authentication but not Azure AD Domain Services. Learn the difference between cloud-native identities and managed domain services for database access. Question With Azure SQL, you can configure Azure AD Domain Services authentication. …
Can You Configure Recurring Scans in Defender for SQL Vulnerability Assessment? Pass your AZ-500 exam by learning how Microsoft Defender for SQL (formerly Azure Defender for SQL) uses its vulnerability assessment feature to automatically perform weekly scans. Understand how this key automated security tool identifies, tracks, and helps remediate database vulnerabilities. Question Azure Defender for …
What Security Principals Can Be Granted Access to an Azure Key Vault? Learn how to grant access to an Azure Key Vault for the AZ-500 exam. Understand the different security principals—users, groups, and applications—and the two access control models: Azure RBAC and Key Vault access policies, to securely manage your secrets, keys, and certificates. Question You …
Why Is Azure Policy the Best Way to Restrict Deployments to Specific Azure Regions? Learn how to enforce data residency and sovereignty for your AZ-500 exam using Azure Policy’s “allowed locations” policy. Restrict resource deployment to approved Azure regions to meet compliance and data sovereignty requirements. Question You can enforce data residency and sovereignty using …
What’s the Difference Between AIP Premium Plan 1 and Plan 2 for Document Classification? Master Azure Information Protection licensing for the AZ-500 exam by understanding that automatic classification is exclusive to Premium Plan 2. Learn the key differences between Plan 1’s manual classification and Plan 2’s advanced automatic classification capabilities. Question With Azure Information Protection Premium …
What Is the Process for Rolling Cosmos DB Keys with No Application Downtime? Learn the zero-downtime process for Cosmos DB key rotation for your AZ-500 exam. Understand how to use the secondary key to regenerate your primary key without causing application downtime, following a step-by-step security procedure. Question When rolling keys in Cosmos DB, the …
Which Azure Storage Services Support Azure AD Authentication Integration? Master Azure Storage authentication for your AZ-500 exam by learning that only Azure Blob Storage and Queue Storage support Azure AD authentication. Understand why Table Storage and File Storage still rely on shared access keys or SAS tokens for access control. Question You can configure Azure …