Practice AZ-500 Secure compute, storage, and databases questions with full explanations on every answer.
1. A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server is in the same region and has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. However, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required to allow the SQL server to access the Key Vault for TDE operations?
2. A company stores sensitive files in Azure Files shares. They require that data is encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault, and that all client connections use SMB 3.0 encryption for end-to-end encryption in transit. They create a premium Azure Files share in a storage account and configure encryption at rest with a CMK. However, clients are unable to connect without SMB encryption. What additional configuration is necessary to enforce SMB encryption for all connections?
3. A company stores sensitive files in Azure Files shares. They require encryption at rest using customer-managed keys (CMK) and encryption in transit using SMB 3.0 encryption. They have created a premium Azure Files share in a storage account and configured encryption at rest with a CMK. However, clients are able to connect without enforcing SMB encryption. What additional configuration is necessary to ensure that all connections to the file share are encrypted in transit?
4. A company uses Azure SQL Database with Transparent Data Encryption (TDE) and wants to use a customer-managed key (CMK) stored in Azure Key Vault. The security policy requires that the Key Vault be protected by a firewall and virtual network service endpoints to restrict network access. The storage account for TDE logs is in the same Azure region. Which additional configuration is necessary in the Key Vault to allow Azure SQL Database to access the CMK for encryption operations?
5. A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key stored in Azure Key Vault. The Key Vault has a firewall enabled that blocks all public network access. The SQL server has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. Despite this, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required?
6. A company uses Azure SQL Database. They want to ensure that all data at rest is encrypted using a customer-managed key (CMK) stored in Azure Key Vault. They also require that the key is automatically rotated every 12 months. Which two actions must be configured to meet this requirement? (Select two.)
7. A company plans to enable Azure Disk Encryption (ADE) on a set of Windows virtual machines using a Key Encryption Key (KEK) stored in Azure Key Vault. They have enabled soft-delete and purge protection on the Key Vault. The encryption fails with an error indicating that the key vault does not have the required permissions. Which additional configuration is most likely required for ADE to use the KEK?
8. A company uses Azure Disk Encryption (ADE) on Windows virtual machines. They use a key encryption key (KEK) stored in Azure Key Vault to wrap the disk encryption key. The security policy requires that the KEK be automatically rotated every 90 days. They need to ensure that after rotation, the OS and data disks of running VMs automatically get re-wrapped with the new KEK version. Which configuration should they implement?
9. An Azure Storage account is configured with server-side encryption (SSE) using a customer-managed key stored in Azure Key Vault. The security team requires that the storage account's identity be used to authenticate to the key vault for key access. Additionally, they want the identity to be automatically deleted when the storage account is deleted. Which type of identity should they assign to the storage account?
10. A company uses Azure SQL Database with Transparent Data Encryption (TDE) using a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server has a system-assigned managed identity assigned the 'Key Vault Crypto Service Encryption User' role. However, TDE operations are failing because the SQL server cannot access the Key Vault. What additional configuration is needed?
11. A healthcare company stores sensitive patient data in Azure SQL Database. They want to encrypt specific columns containing Personally Identifiable Information (PII) so that even database administrators cannot view the data. The security team also needs to perform equality searches (e.g., WHERE SSN = '123-45-6789') on the encrypted columns. Which encryption technology should they implement?
12. A company uses Azure SQL Database to store customer data, including credit card numbers. The security policy requires that database administrators (DBAs) must not be able to view the credit card numbers in plaintext. The column containing the credit card numbers must be encrypted at rest and in transit, and only a specific application (using a dedicated client library) should be able to decrypt the data. Which technology should they implement?
13. A company uses Azure SQL Database with Transparent Data Encryption (TDE) and a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall that blocks all public access. The SQL server is a managed service that needs to access the key to perform TDE operations. The Key Vault is in the same Azure region as the SQL server. Which additional configuration is needed?
14. A healthcare organization stores sensitive patient data in Azure SQL Database. They need to encrypt specific columns containing medical history so that even database administrators with the 'sysadmin' role cannot view the plaintext data. Additionally, they need to support equality comparisons (WHERE clauses) on the encrypted columns. Which encryption technology should they implement?
15. A company uses Azure SQL Database to store personally identifiable information (PII). They need to encrypt specific columns containing social security numbers so that even database administrators with the 'db_owner' role cannot view the plaintext. The application must be able to perform equality searches on the encrypted columns. Which encryption technology should they implement?
16. A company has an Azure SQL Database server. They want to allow an Azure Function with a system-assigned managed identity to access the database by using Azure Active Directory (Azure AD) authentication. Which two configurations are required to grant this access? (Choose two.)
17. An AKS cluster needs to pull container images from a private Azure Container Registry (ACR). The security policy requires that the AKS cluster identity should not have direct access to the ACR; instead, a service principal with the AcrPull role should be used, with credentials stored as a Kubernetes secret. Which authentication method should be configured on the AKS cluster?
18. A healthcare organization stores sensitive patient data in Azure SQL Database. They need to encrypt specific columns containing medical history so that even database administrators with highly privileged roles, such as 'sysadmin', cannot view the plaintext data. Additionally, they need to support complex queries on the encrypted data, including pattern matching and range comparisons. Which encryption technology should they implement?
19. A company wants to enable Azure Disk Encryption (ADE) on their Windows virtual machines using a Key Encryption Key (KEK) stored in Azure Key Vault. They have created the Key Vault with soft-delete enabled and a key. However, the encryption fails. What is the most likely missing configuration that prevents ADE from using the KEK?
20. A company uses Azure Key Vault to store secrets for their applications. They want to ensure that an application hosted on an Azure virtual machine can access secrets from only a specific Key Vault, and that all traffic between the VM and Key Vault remains within the Azure network and does not traverse the public internet. Which configuration should they implement?
21. A company is enabling Azure Disk Encryption (ADE) on Windows virtual machines. They have enabled soft-delete on Azure Key Vault and configured a Key Encryption Key (KEK). However, the disk encryption fails with an error indicating that the key vault does not have the required permissions. What is the most likely missing configuration?
22. A company uses Azure SQL Database with Transparent Data Encryption (TDE) encrypted using a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault is protected by a firewall that denies all public access. The SQL server must be able to access the key for TDE operations. Which additional configuration is necessary in the Key Vault to allow this?
23. A company uses Azure SQL Database with Transparent Data Encryption (TDE) encrypted using a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault is protected by a firewall and virtual network service endpoints. The storage account used for TDE logs is in the same Azure region. What additional configuration is necessary in the Key Vault to allow Azure SQL Database to access the CMK for TDE operations?
24. A company uses Azure Blob Storage to store archival data that is rarely accessed. The security policy requires that the data must be encrypted at rest using a unique Microsoft-managed key per storage account, and the data must be stored cost-effectively while allowing retrieval within 15 minutes. Which storage account type and encryption configuration should they choose?
25. A company stores sensitive financial records in Azure Blob Storage. They want to ensure that if a blob is deleted or overwritten, it can be recovered within 30 days. They also want to protect against accidental deletion of the storage account itself. Which two configurations should they implement? (Choose two.)
26. A company stores sensitive data in Azure Blob Storage. They want to enforce encryption at rest using a customer-managed key (CMK) stored in Azure Key Vault. Additionally, they require that the key vault be in a different region than the storage account to protect against regional disasters. Can this be achieved, and if so, what is the implication?
27. A company stores business records in Azure Blob Storage. Due to a legal investigation, they must prevent any modification or deletion of the blobs for an indefinite period until the legal hold is released. They also need to ensure that even storage account owners cannot alter the data during the hold. Which blob storage feature should they enable?
28. A company uses Azure Blob Storage to store sensitive documents. The security policy requires that the storage account can only be accessed from a specific Azure virtual network (VNet) and that all access must use Azure Active Directory (Azure AD) authentication. They want to block any access that uses storage account keys or shared access signatures (SAS). Which configuration should they implement?
29. A company has an Azure SQL Database that stores personally identifiable information (PII) in columns. They need to encrypt those columns so that only authorized applications can decrypt the data, and even database administrators cannot view the plaintext. Additionally, they need to support equality comparisons (WHERE clauses) on the encrypted columns. Which encryption technology should they use?
30. A company stores sensitive customer data in an Azure Storage account. The security policy requires that all data be encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. They also need the ability to disable the key in case of a security breach and have the data become inaccessible immediately. Which feature should they enable on the storage account to achieve this?
31. A company enabled Azure Disk Encryption on Windows virtual machines using Azure Key Vault to store encryption keys. They have enabled soft-delete and purge protection on the Key Vault. After a user accidentally deletes a key, the company tries to recover it but the recovery operation fails. What is the most likely reason for the recovery failure?
32. A company has an Azure Storage account with infrastructure encryption enabled. They configure the storage account to use customer-managed keys (CMK) stored in Azure Key Vault for encryption at rest. Despite this configuration, newly uploaded blobs are still encrypted with Microsoft-managed keys. What is the most likely cause?
33. A company is migrating a sensitive database to Azure SQL Managed Instance. The security team requires that the managed instance is not accessible from the public internet and that only specific Azure services, such as Azure Data Factory, can connect. Which configuration should the team implement to meet these requirements?
34. A company deploys a public-facing web application behind Azure Application Gateway. They want to enable the Web Application Firewall (WAF) to protect against SQL injection and cross-site scripting attacks. During the initial testing phase, they want to identify malicious requests without blocking them, to tune the WAF rules before enabling full protection. Which WAF mode should they configure?
35. A company stores sensitive healthcare data in Azure SQL Database. They need to encrypt specific columns containing patient diagnosis codes so that even database administrators with the 'sysadmin' role cannot view the plaintext. The application must be able to perform equality searches (WHERE clauses) on the encrypted columns. Which encryption technology should they implement?
36. A company stores sensitive data in Azure Blob Storage. They use customer-managed keys (CMK) stored in Azure Key Vault for encryption at rest. The security policy requires that the encryption keys be automatically rotated every 90 days. Which configuration should they implement to meet this requirement without manual intervention?
37. A company stores sensitive job processing messages in Azure Queue Storage. They have a web application running on an Azure virtual machine in a VNet that reads and writes to the queue. The security team requires that only the web application's VM can access the queue, and all access from the public internet must be blocked. Which configuration should they implement?
38. A company enables Azure SQL Database auditing to log database events to a storage account. The security policy requires that the audit logs be protected from tampering and deletion after they are written. Which storage account feature should the company enable to ensure that audit log files cannot be modified or deleted by anyone for a specified retention period?
39. A company stores critical business data in an Azure Storage account (Blob Storage). They want to ensure that all data is encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. They also need to be able to revoke access to the data quickly if a breach is suspected. Which feature should they enable on the storage account to enforce CMK?
40. A company stores sensitive financial documents in Azure Blob Storage. The security team needs to maintain an immutable log of all changes to the blob content, including the previous versions and the identity of the user who made the changes, for forensic analysis. Which Azure Storage feature should they enable on the storage account to meet this requirement?
41. A company uses Azure SQL Database with Transparent Data Encryption (TDE) and a customer-managed key stored in Azure Key Vault. The Key Vault is configured with a firewall that denies all public access. The SQL server must be able to access the key. What additional configuration is necessary?
42. A company plans to enable Azure Disk Encryption (ADE) on their Windows virtual machines. They will use a Key Encryption Key (KEK) stored in Azure Key Vault. What additional configuration must be made in the Key Vault to allow the Azure platform to access the KEK for encrypting the VM disks?
43. A company uses Azure Key Vault to store keys and secrets. They want to ensure that even if an administrator accidentally deletes a key, it can be recovered for up to 90 days. Additionally, they want to prevent anyone from permanently purging the key during that period. Which two features must be enabled?
44. A company stores sensitive documents in an Azure Blob Storage account. They have enabled infrastructure encryption and configured the storage account to use a customer-managed key stored in Azure Key Vault for encryption at rest. Despite this, newly uploaded blobs are still encrypted with Microsoft-managed keys. What is the most likely cause?
45. A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server is a Microsoft service. How can the SQL server be granted access to the key vault to perform TDE operations?
46. A company stores sensitive data in Azure Blob Storage. They want to encrypt the data at rest using customer-managed keys (CMK) stored in Azure Key Vault. Additionally, they want the key to be automatically rotated every 90 days without manual intervention. Which configuration should they implement?
47. A company stores highly sensitive data in Azure Blob Storage. They require encryption at rest using a customer-managed key. Additionally, they want to ensure that the key can only be used from the same Azure region as the storage account. Which configuration must they implement?
48. A company uses Azure Managed Disks for their virtual machines. They want to ensure that all managed disks are encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. They also want to automatically revoke access to the disks if the key is disabled or deleted. Which feature should they configure?
49. A company uses Azure SQL Database for a critical application. Security policy requires that all client connections use at least TLS 1.2 encryption and that connections not meeting this requirement are rejected. Which configuration should they implement on the Azure SQL Server?
50. A company plans to enable Azure Disk Encryption (ADE) on a fleet of Windows virtual machines. They want to use a key stored in Azure Key Vault to encrypt the disks. Which additional access configuration must be made in the Key Vault to allow ADE to succeed?
51. A company stores highly sensitive data in Azure Blob Storage. The security policy requires that all data is encrypted at rest using a key that is stored in Azure Key Vault, and that the storage account uses its system-assigned managed identity to access the key. Which encryption configuration should they use?
52. A company uses Azure Key Vault to store secrets. They want to grant developers the ability to read secrets, but only for specific secret names (e.g., 'App--ConnectionString'). They also want to use Azure RBAC instead of the Key Vault access policy model. Which RBAC role should they assign, and at which scope?
53. A company stores confidential data in Azure Blob Storage. They need to ensure that all data at rest is encrypted and they must be able to quickly rotate the encryption key on demand in case of a security breach. They also want to minimize administrative overhead. Which encryption option should they use?
54. A company uses Azure SQL Database and wants to protect sensitive data (e.g., credit card numbers) from database administrators. They require that the data is encrypted at rest and in transit, and only a client application using a specific driver can decrypt it. Which technology should they implement?
55. A company uses Azure SQL Database and wants to periodically scan the database for vulnerabilities such as misconfigurations, excessive permissions, and missing patches. The scans should generate actionable reports that the security team can use to remediate issues. Which built-in Azure feature should they enable?
56. A company stores highly sensitive data in Azure Blob Storage. They want to ensure that the data is encrypted at rest using a key stored in Azure Key Vault, but they also want to prevent Microsoft Azure from having any access to the encryption key. Which encryption approach should they use?
57. A company uses Azure SQL Database with Azure Active Directory authentication. To meet compliance requirements, they need to audit all failed login attempts and store the audit logs in a storage account located in a different Azure region for disaster recovery. What should they configure?
58. A company generates shared access signature (SAS) tokens to grant time-limited access to blobs in an Azure Storage container. A security administrator needs the ability to immediately revoke all active SAS tokens for that container if a token is compromised. What should they use?
59. A company stores sensitive data in Azure Blob Storage. They want to ensure that the data is encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. Additionally, they need the ability to immediately make the data inaccessible in case of a security breach. Which configuration on the storage account enables this?
60. A company enables Azure Disk Encryption (ADE) on Windows virtual machines using a key encryption key (KEK) stored in Azure Key Vault. They want the KEK to be automatically rotated every 30 days to meet compliance requirements. Which Azure Key Vault feature should they enable?
61. A company uses Azure SQL Database for a critical application. Security policy requires that all client connections to the database use at least TLS 1.2 encryption. What configuration change must be made to enforce this requirement?
62. A storage account contains legal evidence that must not be modified or deleted for seven years. Which feature should be configured?
63. An Azure SQL Database contains salary data. Support analysts need to query employee records but must not see full salary values. Which feature is most appropriate when the application cannot be changed immediately?
64. A Kubernetes workload in AKS needs to pull images from Azure Container Registry without using admin credentials. Which configuration should be used?
65. A Key Vault should be accessible only from selected private networks and approved Azure services. Which two settings are most relevant?
66. A storage account contains regulated records. Which two features help protect against accidental or malicious deletion?
67. An AKS cluster must reduce risk from untrusted container images. Which two controls are most appropriate?
68. A SQL workload needs to protect sensitive column values from database administrators who should not see plaintext. Which two features may be relevant depending on the query requirement?
69. You are designing a secure storage strategy for an Azure Storage account that will host sensitive financial data. The solution must protect data at rest, in transit, and during processing. Which three of the following security controls should you implement? (Choose three.)
70. Your company plans to deploy a set of Azure virtual machines (VMs) running a critical application. The security team requires that all operating system disks and temporary disks be encrypted, and that encryption keys are never stored in Azure but are managed in an on-premises HSM. Which three of the following actions should you take? (Choose three.)
71. You are securing an Azure SQL Database that contains personally identifiable information (PII). The solution must prevent unauthorized access to sensitive columns by privileged users (e.g., DBAs) and ensure that data is encrypted on the wire. Which three of the following should you implement? (Choose three.)
72. Your organization is planning to use Azure Container Instances (ACI) and Azure Kubernetes Service (AKS) for running containerized workloads. The security policy mandates that container images be scanned for vulnerabilities, secrets never be stored in image layers, and network traffic between containers be encrypted. Which three of the following should you implement? (Choose three.)
73. You are a Security Engineer for a company that is migrating critical workloads to Azure. You need to ensure the security of compute, storage, and databases. Which of the following actions should you take? (Choose four.)
74. Drag and drop the steps to configure Azure Defender for SQL on an Azure SQL Database into the correct order.
75. Drag and drop the steps to enable Azure Security Center's enhanced security features for a subscription into the correct order.
76. Drag and drop the steps to implement Azure AD Identity Protection to detect risky sign-ins into the correct order.
77. Match each Azure RBAC role to its typical permission scope.
78. Match each Azure Key Vault feature to its purpose.
79. Match each Azure encryption concept to its description.
80. Your organization uses Azure Storage for sensitive customer data. You need to ensure that data at rest is encrypted using a customer-managed key (CMK) stored in Azure Key Vault. Additionally, you want to automatically rotate the key every 90 days. What should you configure?
81. You have an Azure SQL Database that stores financial data. You need to prevent unauthorized access by encrypting specific columns containing credit card numbers. The solution must allow authorized applications to query the data transparently. What should you implement?
82. You need to securely store secrets, such as connection strings and API keys, for use by an Azure Functions app. The solution must automatically rotate the secrets and audit access. What should you use?
83. Your company runs a critical application on Azure Virtual Machines. You need to ensure that the OS disks and data disks are encrypted to meet compliance requirements. The solution must use Azure Key Vault to store encryption keys and support automated backup. What should you implement?
84. You are designing a security solution for Azure Cosmos DB that stores Personally Identifiable Information (PII). You need to encrypt data at rest and in transit. You also need to implement row-level security to restrict access based on user role. What should you configure?
85. You have an Azure Storage account that contains sensitive documents. You need to generate a time-limited, secure URL that allows a specific user to download a file without requiring storage account keys. What should you use?
86. Your organization is using Azure Database for MySQL. You need to ensure that only traffic from Azure services and specific client IP addresses can connect to the database. What should you configure?
87. You are deploying a three-tier application on Azure VMs. The web tier must be accessible from the internet, but the application and database tiers must only accept traffic from the web tier. You need to implement network segmentation using Azure networking components. What is the most secure and manageable solution?
88. You need to ensure that an Azure Storage account is accessible only from a specific virtual network (VNet) and only over HTTPS. You also want to deny access from any public IP. What should you configure?
89. You need to protect Azure SQL Database from SQL injection attacks. Which TWO measures should you implement?
90. You are designing a backup strategy for Azure Virtual Machines. Which THREE features should you enable to ensure recoverability and security?
91. You need to secure an Azure Storage account that will host sensitive data. Which TWO configurations should you implement?
92. Refer to the exhibit. You are reviewing the ARM template snippet for a managed disk. You need to ensure the disk uses a customer-managed key (CMK) from Azure Key Vault. However, you notice the deployment fails because the key version is specified. What is the likely issue?
93. Refer to the exhibit. You are analyzing the Always Encrypted configuration for an Azure SQL Database. The SSN column uses randomized encryption, and the CreditCard column uses deterministic encryption. Which statement is true regarding querying these columns?
94. Refer to the exhibit. You run the Azure CLI command to create a storage account. After creation, you need to ensure that the storage account can only be accessed using TLS 1.2. Does the command achieve this?
95. You need to encrypt an Azure Storage account at rest using a customer-managed key stored in Azure Key Vault. Which feature should you enable?
96. Your company hosts a web application on Azure Virtual Machines. You need to ensure that all disks attached to the VMs are encrypted. You plan to use Azure Disk Encryption. What should you configure first?
97. You are designing a secure data solution for a financial application. The data must be encrypted at rest, in transit, and in use. You choose Azure SQL Database. Which combination of features should you implement?
98. You need to prevent data exfiltration from Azure Storage accounts by controlling which networks can access them. Which Azure feature should you use?
99. Your company uses Azure SQL Database to store customer data. You need to ensure that database administrators cannot access sensitive columns (e.g., credit card numbers) even during maintenance. What should you implement?
100. Your organization uses Azure Storage blobs to store sensitive documents. You need to enforce that all blob access must be via HTTPS and that storage account keys are rotated every 90 days. Which two actions should you take? (Each correct answer presents part of the solution.)
101. You have an Azure Cosmos DB account with multiple containers. You need to ensure that only specific Azure AD identities can access the data and that all access is logged. What should you use?
102. You need to ensure that an Azure Key Vault is accessible only from a specific virtual network and that all operations are logged. What should you configure?
103. Your company uses Azure SQL Managed Instance. You need to ensure that all connections from clients use TLS 1.2 or higher. What should you configure?
104. You are designing a secure backup strategy for Azure Virtual Machines. The backup data must be encrypted at rest and in transit. Which combination should you use?
105. You need to restrict access to an Azure Storage account so that only requests from a specific Azure Virtual Network are allowed. What should you configure?
106. Your organization uses Azure Files shares. You need to ensure that users authenticate using on-premises Active Directory credentials and that access is logged. What should you do?
107. You have an Azure SQL Database that stores Personally Identifiable Information (PII). You need to mask the PII columns for support staff but allow full access to managers. What should you implement?
108. You are reviewing an Azure Resource Manager template for a storage account. The exhibit shows a snippet of the template. Which statement about the template is true?
109. You are deploying an Azure SQL Database with a security alert policy as shown in the exhibit. Which statement is true?
110. You need to ensure that an Azure Storage account only allows access from a specific virtual network. Which configuration should you use?
111. Your company uses Azure SQL Database. You need to ensure that all queries are audited for compliance. Which feature should you enable?
112. You are designing a solution to store sensitive documents in Azure Blob Storage. The documents must be encrypted at rest using a customer-managed key that is automatically rotated every 90 days. Microsoft Entra ID must be used to control access to the key. What should you use?
113. You need to prevent data from being exfiltrated from an Azure SQL Database by unauthorized users. Which Microsoft Purview feature should you use?
114. Your company has an Azure Cosmos DB account that stores customer profiles. You need to ensure that only authenticated and authorized users can access the data. Which access control method should you use?
115. You are deploying a critical application on Azure Virtual Machines that must remain highly available. You need to implement a security solution that ensures the application can recover from a ransomware attack that encrypts all data disks. What is the most cost-effective approach?
116. You need to enable transparent data encryption (TDE) for an Azure SQL Managed Instance. What is the prerequisite?
117. Your company uses Azure Files shares to store business documents. You need to ensure that access to the shares is restricted to users who have been granted explicit permissions. What should you configure?
118. You are deploying a multi-tier application on Azure Kubernetes Service (AKS). The application uses Azure Disks for persistent storage. You need to ensure that the disks are encrypted at rest using a customer-managed key stored in a Key Vault in a different region. What should you do?
119. Which TWO actions are required to enable Azure Defender for SQL on an Azure SQL Database?
120. Which THREE capabilities are provided by Azure Storage Service Encryption (SSE) when using customer-managed keys?
121. Which TWO features of Azure Database for PostgreSQL ensure data security at rest?
122. You are reviewing the ARM template for an Azure Disk Encryption Set. The template includes the JSON snippet shown. You notice that the key version is empty. What is the consequence?
123. You are deploying an Azure Storage account using the ARM template snippet shown. After deployment, you need to allow access from a specific public IP address. What should you do?
124. You run the PowerShell cmdlet shown in the exhibit for an Azure SQL Database. What is the security implication?
125You are deploying a new application on Azure VMs. The application must be encrypted at rest and during transmission. Which combination of features should you implement?
126Your company uses Azure SQL Database. You need to ensure that all queries from a specific application use Always Encrypted to protect sensitive columns. The application is developed in C#. What must you configure in the application and database?
127You need to restrict access to an Azure Storage account so that only traffic from a specific virtual network (VNet) subnet is allowed. Which Azure Storage firewall setting should you configure?
128You have an Azure Cosmos DB account with multiple containers. You need to ensure that data is encrypted at rest using a customer-managed key stored in Azure Key Vault. Which steps should you take?
129Your organization uses Azure Files shares. You need to enforce access control using on-premises Active Directory (AD) credentials. The Azure Files share is already created. What should you do?
130. You need to back up Azure SQL Managed Instance databases to a separate region for disaster recovery. Which Azure service should you use?
131. Your company uses Azure Blob Storage to store sensitive documents. You need to prevent data exfiltration by ensuring that all access to the storage account is through Microsoft's private network. What should you configure?
132. You have an Azure SQL Database that stores credit card numbers. You need to encrypt the column containing the credit card numbers so that only authorized applications can decrypt the data. The database administrator should not be able to view the plaintext data. Which feature should you use?
133. You need to ensure that all new blobs uploaded to an Azure Storage account are automatically encrypted at rest. What is the simplest way to achieve this?
134. Which TWO actions should you take to ensure that an Azure Storage account is only accessible over HTTPS and that data in transit is encrypted?
135. Which THREE components are part of Azure Disk Encryption for Windows VMs?
136. Which TWO database-level security features are available in Azure SQL Database to protect sensitive data?
137. Refer to the exhibit. You are reviewing the JSON output of an Azure Storage account encryption configuration. What can you conclude about the encryption settings?
138. Refer to the exhibit. You are querying the sys.column_master_keys view in an Azure SQL Database. What is the purpose of this query?
139. Refer to the exhibit. You are reviewing an ARM template for an Azure Storage account. Which of the following is true about the deployment?
140. Your organization uses Azure Storage for sensitive financial data. You need to restrict access to storage accounts based on the client's IP address. Which Azure Storage service feature should you configure?
141. A company plans to migrate on-premises SQL Server databases to Azure SQL Managed Instance. The security team requires that all data at rest be encrypted using customer-managed keys stored in Azure Key Vault. Which feature should be enabled?
142. You are designing a secure compute solution for a critical application that must comply with PCI DSS. The application runs on Azure Virtual Machines with sensitive data. You need to ensure that ephemeral disks are encrypted at the host level. Which Azure Disk Encryption option should you use?
143. Your company uses Azure SQL Database for a multitenant SaaS application. You need to ensure that one tenant cannot access another tenant's data, even if the application code has a bug. Which Azure SQL Database feature should you implement?
144. A developer needs to securely connect to an Azure Storage account from a private virtual network without exposing the storage account to the public internet. Which Azure service should be used?
145. Your security team wants to automatically detect and remediate misconfigurations in Azure Storage accounts, such as enabling public access. The solution should use Azure Policy and be centrally managed for multiple subscriptions. What should you configure?
146. A company is deploying Azure Virtual Machines for a batch processing workload. The VMs process highly sensitive data and must ensure that the data on the OS and data disks is encrypted using a customer-managed key stored in Azure Key Vault. Which encryption option meets the requirement?
147. You need to ensure that Azure SQL Database connections are encrypted and the server's identity is verified. Which connection string parameter should be required?
148. A critical application uses Azure Functions with an Azure Storage account for input and output. The security team requires that all data in transit between the function app and storage be encrypted using a customer-managed key. Which configuration should you implement?
149. Which TWO actions should you take to secure an Azure Storage account that contains sensitive data? (Choose two.)
150. Which THREE of the following are valid ways to encrypt data at rest in Azure SQL Database? (Choose three.)
151. Which TWO of the following are benefits of using managed identities for Azure resources to access Azure Storage? (Choose two.)
152. You receive the above ARM template snippet for an Azure Storage account. After deployment, a developer reports that they cannot access the storage account from a permitted virtual network. What is the most likely cause?
153. You run the above PowerShell script to change the access tier of all block blobs in the 'data' container from Cool to Hot. However, you receive an error that the operation is not allowed. What is the most likely reason?
154. You run the above Kusto query in Azure Monitor Logs for an Azure Storage account. The query returns results showing multiple failed attempts to access PDF blobs with 403 errors from various IP addresses. What is the most likely cause of these failures?
155. Your company uses Azure Storage to store sensitive customer data. You need to ensure that only authorized applications running on Azure VMs can access the storage account without using shared keys or SAS tokens. What should you configure?
156. You are designing a secure database solution for a financial application using Azure SQL Database. The database contains highly sensitive columns (e.g., credit card numbers). Which combination of features should you implement to protect data at rest, in transit, and in use, while minimizing performance impact?
157. You are configuring security for an Azure App Service web app that connects to an Azure SQL Database. You need to ensure that the database connection string does not contain credentials in plaintext. What should you use?
158. Your company uses Azure File shares for departmental file storage. You need to restrict access to only specific VMs in the same virtual network using Azure AD authentication. What should you configure?
159. You are deploying a containerized application on Azure Kubernetes Service (AKS). The application needs to pull images from a private Azure Container Registry (ACR) and access secrets from Azure Key Vault. You want to minimize credential exposure. What should you configure?
160. You need to ensure that an Azure Storage account's blob data is encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. What should you do first?
161. Your company uses Azure Database for PostgreSQL flexible server. You need to enable auditing of all database-level events and ensure audit logs are retained for compliance purposes for 5 years. What should you configure?
162. You are designing a backup strategy for Azure VMs running critical workloads. The VMs have Azure Disk Encryption enabled with Azure Key Vault. You need to ensure that backups can be restored securely. What should you configure?
163. You need to ensure that only users with a valid Azure AD token can invoke an Azure Function app. No other authentication methods should be allowed. What should you configure?
164. You need to protect Azure SQL Database from SQL injection attacks. Which TWO measures should you implement? (Choose TWO.)
165. You are configuring secure access to Azure Blob Storage for a third-party partner application that runs outside Azure. The partner needs to upload files to a specific container. You want to grant least-privilege access without storing static credentials in the partner's code. Which TWO actions should you take? (Choose TWO.)
166. You need to ensure that Azure Disk Encryption (ADE) is enabled on all Azure VMs in a subscription. Which THREE actions are required to implement ADE? (Choose THREE.)
167. Your organization uses Azure Storage accounts with blob containers. You need to ensure that only authorized applications can access the storage account, without using shared keys or shared access signatures. What should you configure?
168. Your company uses Azure SQL Database and wants to protect sensitive data stored in a column named 'CreditCardNumber'. You need to ensure that the data is encrypted at rest and that only authorized users can decrypt the data at the application layer. Additionally, you want to prevent unauthorized administrators from accessing the plaintext. Which solution should you implement?
169. You are configuring an Azure Kubernetes Service (AKS) cluster. You need to ensure that pods can securely access Azure Container Registry (ACR) without storing image pull secrets in the pod specification. What should you do?
170. Refer to the exhibit. You are deploying an Azure Storage account with the ARM template snippet shown. The deployment fails with an error about the encryption configuration. What is the most likely cause?
171. You have an Azure virtual machine that runs a line-of-business application. You need to ensure that the disks attached to the VM are encrypted at rest using platform-managed keys. What should you do?
172. Your company stores sensitive documents in Azure Blob Storage. You need to implement a solution that automatically scans uploaded blobs for malware and quarantines any infected files. The solution must minimize administrative overhead and integrate with Azure Security Center. What should you use?
173. Refer to the exhibit. You are configuring network access for an Azure Storage account. After applying this configuration, users report that they cannot access the storage account from their on-premises network (public IP: 198.51.100.50). What is the most likely reason?
174. You need to securely connect to an Azure SQL Database from an on-premises application without exposing the database to the public internet. Which solution should you use?
175. Your organization uses Azure Files shares with Azure AD DS authentication. You need to ensure that users can access the file share from on-premises Windows clients using their on-premises AD credentials, without exposing the storage account to the internet. The on-premises network is connected to Azure via a site-to-site VPN. What should you configure?
176. Which TWO actions should you take to secure an Azure Cosmos DB account? (Choose two.)
177. Which THREE components are required to enable Azure Disk Encryption for Windows VMs using Azure Key Vault? (Choose three.)
178. Which TWO security features can be enabled on an Azure SQL Database to protect sensitive data from unauthorized access by database administrators? (Choose two.)
179. Refer to the exhibit. You are deploying an Azure Disk Encryption Set using this ARM template. The deployment succeeds, but when you try to create a disk using this encryption set, the disk creation fails with an error about key vault permissions. What is the most likely cause?
180. You are designing a solution for Azure Blob Storage that must prevent data from being overwritten or deleted for a specified retention period. Which feature should you enable?
181. Your company has an Azure SQL Managed Instance that stores sensitive customer data. You need to implement a solution that automatically classifies and protects the sensitive data in the database, with minimal manual intervention. The solution should integrate with Microsoft Purview. What should you use?
182. Your company stores sensitive customer data in Azure Blob Storage. You need to ensure that data at rest is encrypted using a customer-managed key stored in Azure Key Vault. The key must be automatically rotated every 90 days. Which Azure policy should you configure to enforce this requirement?
183. You are deploying a virtual machine that will host a legacy application. The application writes temporary files to the local disk. You must ensure that any data written to the temporary disk is encrypted at rest with a platform-managed key. What should you do?
184. You are designing a secure Azure SQL Database deployment. The database must support real-time analytics and reporting without impacting the performance of the transactional workload. You need to ensure that the reporting queries have an isolated copy of the data that is automatically kept up to date. The solution must also encrypt the data at rest using a customer-managed key. What should you include in the design?
185. You have an Azure Cosmos DB account that stores sensitive data. You need to ensure that all data in transit between the client application and Cosmos DB is encrypted using TLS 1.2 or higher. Additionally, you want to enforce that only Azure services within the same region can access the Cosmos DB account. What two configurations should you implement? (Choose two.)
186. You are responsible for securing Azure Storage accounts that contain confidential documents. You need to implement a solution that prevents accidental deletion of storage accounts and ensures that deleted blobs can be recovered within 30 days. Which two actions should you take?
187. You are securing an Azure Kubernetes Service (AKS) cluster that runs a microservices application. You need to ensure that pods can only communicate with other pods in the same namespace, and that all egress traffic from the cluster is inspected for malicious content. Which three components should you include in the solution?
188. You are reviewing the above Azure Policy definition. What does this policy do?
189. You are deploying an Azure Disk Encryption set with the above ARM template snippet. What is the result of this configuration?
190. You run the above PowerShell script. What is the effect on the storage account?
191. Your organization uses Microsoft Defender for Cloud to manage security posture. You have an Azure SQL Database that stores PII. You need to ensure that all sensitive columns are automatically discovered and classified. Additionally, you want to audit access to these columns. What should you configure?
192. You need to securely store connection strings and secrets for an Azure function app. The solution must automatically rotate the secrets every 90 days and provide audit logs for access. What should you use?
193. You are designing a backup strategy for Azure virtual machines. You need to ensure that backups are encrypted at rest and can be restored in a different Azure region in case of a regional disaster. Which two configurations should you use?
194. You are configuring security for an Azure Functions app that processes credit card numbers. You need to ensure that the function can securely access a storage account without storing any credentials in code or configuration, and that all data in the storage account is encrypted with a customer-managed key. Which three actions should you take?
195. You are deploying a web application that stores user-uploaded files in Azure Blob Storage. You need to ensure that only authenticated users can upload files, and that uploaded files are automatically scanned for malware. What should you use?
196. You have an Azure SQL Managed Instance that hosts a line-of-business application. The application requires that all connections use Windows Authentication. You need to ensure that the authentication is secure and that the managed instance can integrate with on-premises Active Directory. What should you configure?
197. You manage Azure Storage accounts for a healthcare organization. To comply with HIPAA, you need to ensure that all data at rest is encrypted and that access keys are rotated automatically every 90 days. What should you implement?
198. Your company uses Azure SQL Database with Microsoft Entra ID authentication. You need to restrict a user to only view data from the 'Sales' schema, without granting permissions to other schemas. What should you do?
199. You need to protect Azure VMs from ransomware by ensuring that encrypted file systems cannot be read by attackers. Which solution should you implement?
200. Your company has a policy to disable TLS versions older than 1.2 for Azure Storage accounts. You configure the minimum TLS version setting to 1.2. After a week, an audit reveals that some clients are still connecting with TLS 1.0. What is the most likely reason?
201. You are designing a secure data solution for a financial services company. Data must be encrypted at rest and in transit. Additionally, you need to prevent administrators from accessing the encryption keys. What should you use?
202. You have an Azure SQL Database that contains sensitive customer data. You need to ensure that database administrators (DBAs) cannot view the data in the 'CreditCard' column. What should you implement?
203. You need to ensure that only approved applications can access your Azure storage account. What should you configure?
204. Your organization uses Azure Cosmos DB with API for MongoDB. You need to encrypt data at rest using a customer-managed key stored in Azure Key Vault, and you must ensure that the key is automatically rotated every year. What should you do?
205. You need to protect Azure VM disks from unauthorized snapshot creation. Which configuration should you implement?
206. Which two actions should you take to secure Azure Storage accounts against data exfiltration?
207. Which three security configurations should you apply to an Azure SQL Database to meet a requirement for data protection at rest and in transit?
208. Which two options are valid methods to authenticate to Azure Storage from on-premises servers?
209. Refer to the exhibit. You have an Azure Storage account with the encryption configuration shown. Users report that they cannot upload files to the storage account. What is the most likely cause?
210. You are a security engineer for Contoso Ltd., a multinational company that uses Azure extensively. The company has a custom line-of-business application hosted on Azure VMs. The application stores sensitive customer data in Azure SQL Database. The security policy requires: (1) All data at rest must be encrypted using customer-managed keys stored in Azure Key Vault. (2) Encryption keys must be rotated automatically every 90 days. (3) Access to the keys must be audited. (4) The application must not have direct access to the key vault; only Azure services should access keys on behalf of the application. You need to recommend a solution. What should you do?
211. You work for a financial institution that uses Azure Cosmos DB with API for NoSQL to store transaction data. The security requirements mandate: (1) All data at rest must be encrypted using customer-managed keys (CMK) stored in Azure Key Vault. (2) The encryption keys must be automatically rotated every 60 days. (3) Network access to the Cosmos DB account must be restricted to only specific virtual networks. (4) Access to the keys must be logged and monitored. (5) The Cosmos DB account must be configured to use private endpoints. You have configured the Cosmos DB account with CMK and private endpoints. However, after setting up automatic key rotation in Key Vault, the Cosmos DB account starts returning 403 (Forbidden) errors for some requests. What is the most likely cause?
212. You need to ensure that all data at rest in an Azure Storage account is encrypted using a customer-managed key. Which feature should you enable?
213. A company has an Azure SQL Database that contains sensitive financial data. They want to audit all successful and failed login attempts for the database. What should they configure?
214. Your organization uses Azure Files shares for user home directories. You need to enforce that users access these shares only from trusted locations (corporate IP ranges) and that all access is logged. Which combination of actions should you take?
215. You are designing a backup strategy for Azure Virtual Machines that host a critical database. Compliance requires that backups be stored in a separate Azure region and be immutable for 90 days. What should you use?
216. A company uses Azure Cosmos DB with SQL API to store user profiles. They need to ensure that only authorized applications can access the data, and that the data is encrypted in transit and at rest. Currently, the application uses a master key to connect. What should they implement to improve security?
217. Your organization stores sensitive documents in Azure Blob Storage. You need to prevent data exfiltration by ensuring that authorized users can only access blobs from within the corporate network, and that any attempt to download blobs from outside the network is blocked. What should you configure?
218. You need to ensure that Azure SQL Database automatically detects and alerts on potential SQL injection attacks. Which Microsoft Defender for Cloud plan should you enable?
219. Which TWO actions should you take to secure managed database backups in Azure SQL Managed Instance?
220. Which THREE measures should you implement to secure a Linux virtual machine running a web application on Azure?
221. Which TWO configurations are required to ensure that an Azure Storage account is accessible only via HTTPS and that access keys are not used?
222. Refer to the exhibit. You have an Azure Disk Encryption policy assignment. An administrator reports that encryption of a new VM fails. What is the most likely cause?
223. Refer to the exhibit. You are implementing an Azure Policy to enforce encryption on managed disks. A user reports that they cannot create a VM even though they specified a disk encryption set. What is the most likely reason?
224. You are the security engineer for a healthcare company that uses Azure to store electronic health records (EHR) in Azure Blob Storage. Compliance requires that all data be encrypted at rest with customer-managed keys stored in a hardware security module (HSM), that the storage account be accessible only from a specific virtual network, and that all access to the storage account be logged and sent to a central security information and event management (SIEM) system. Additionally, you must ensure that any blobs containing protected health information (PHI) are automatically labeled with a sensitivity label that prevents them from being shared externally. You have decided to use Azure Key Vault Managed HSM for key storage, Azure Private Endpoint for network access, and Azure Monitor for logging. However, you are unsure how to automatically apply sensitivity labels to blobs based on content inspection. Which service should you use to achieve automatic labeling of PHI data in Azure Blob Storage?
225. Your organization runs a critical application on Azure Virtual Machines (VMs) that processes credit card transactions. Compliance with PCI DSS requires that all cardholder data be encrypted at rest and that the encryption keys be stored in a FIPS 140-2 Level 3 validated hardware security module (HSM). You have chosen to use Azure Disk Encryption with customer-managed keys stored in Azure Key Vault Managed HSM. During a security review, you discover that the VMs are using unmanaged disks. You need to migrate them to managed disks without downtime and ensure that encryption is applied. You also need to maintain the existing encryption keys and ensure that the encryption set is in the same region as the VMs. What should you do?
226. Your company uses Azure SQL Database for a line-of-business application. The security team requires that all queries executed against the database be audited, including the actual query text, and that the audit logs be retained for one year. You configure auditing to store logs in an Azure Storage account with a retention policy of 365 days. However, after some time, you notice that the audit logs are being deleted after only 30 days. You verify that the storage account's retention policy is set to 365 days and that the audit configuration is correct. What is the most likely cause of the logs being deleted prematurely?
227. You need to restrict access to a storage account containing sensitive financial data. The storage account is used by multiple Azure VMs and Azure App Service web apps. Only authorized applications and users should be able to access the storage account. Which TWO options should you implement?
228. Your company is deploying a new application on Azure Kubernetes Service (AKS). The application needs to read and write data to an Azure Storage account. Security requirements mandate that no storage account keys or connection strings be stored in the application code or configuration files. Which TWO actions should you take?
229. You are designing security for an Azure SQL Database that will store personally identifiable information (PII). The database will be accessed by multiple applications, some of which are legacy and cannot use Azure AD authentication. Your requirements include: encrypting data at rest, encrypting data in transit, and dynamically masking PII columns for non-privileged users. Which THREE features should you implement?
230. Your organization uses Microsoft Defender for Cloud to assess the security posture of Azure resources. A recent assessment shows that a standard-tier storage account (storageaccount1) used for backup data has the following findings: 1) 'Storage account should use a private endpoint' is unhealthy; 2) 'Storage account should use customer-managed keys (CMK) for encryption' is healthy; 3) 'Storage account should restrict network access' is unhealthy; 4) 'Storage account should enable soft delete for blobs' is healthy. Management requires that all storage accounts used for backup be protected against accidental deletion and have network access restricted to a specific virtual network (vnet-backup). Currently, the storage account is accessible from all networks. You need to remediate the unhealthy findings while maintaining the healthy status of the other controls. Which combination of actions should you take?
231. Your company is migrating a legacy on-premises application to Azure VMs. The application writes log files to a local folder. You need to collect these logs centrally for security analysis using Microsoft Sentinel. The application runs on Windows Server 2022 and is expected to generate about 50 GB of logs per day. The security team requires that logs be encrypted at rest and in transit, and that log collection has minimal latency. You set up Azure Monitor Agent (AMA) on the VM and configure a Data Collection Rule (DCR) to stream custom logs to a Log Analytics workspace. However, after 24 hours, no custom logs appear in the workspace. The AMA is reporting as healthy. You need to troubleshoot and resolve the issue. What is the most likely cause?
232. You are the security administrator for a company that uses Azure Blob Storage to store sensitive documents. You need to ensure that all blob data is encrypted at rest using customer-managed keys (CMK) stored in Azure Key Vault. You have enabled encryption with CMK on the storage account. However, after a key rotation in Key Vault, you notice that newly uploaded blobs are encrypted with the new key, but existing blobs are still encrypted with the old key. You need to ensure that all blobs are re-encrypted with the new key. What should you do?
233. Your organization has an Azure SQL Database that stores credit card numbers. The compliance team requires that credit card numbers be encrypted at rest and that only authorized applications can decrypt the data. The applications access the database using different service principals. You decide to implement Always Encrypted with secure enclaves. You create a column master key (CMK) in Azure Key Vault and a column encryption key (CEK) for the credit card column. You configure the column with deterministic encryption. However, after deployment, the applications report that they cannot insert or query the encrypted column. The error indicates that the column cannot be decrypted. You verify that the applications have the necessary permissions to access the CMK in Key Vault. What is the most likely cause of the issue?
234. Your company uses Azure Files shares for user home directories. Security policy requires that all data be encrypted at rest and in transit. You have enabled encryption at rest using Azure Storage Service Encryption (SSE). For encryption in transit, you require SMB clients to use SMB 3.0 or later with encryption. You configure the storage account to require secure transfer. A user reports that they cannot mount the file share from a Windows 10 machine that is not domain-joined. The user can mount other file shares without issues. What is the most likely reason for the failure?
235. Your organization has an Azure Cosmos DB account that stores IoT telemetry data. The data is ingested from multiple devices and is time-sensitive. Security requirements mandate that all data be encrypted at rest using customer-managed keys (CMK) stored in Azure Key Vault. You configure CMK for the Cosmos DB account. After a security incident, you need to revoke access to the data immediately by disabling the CMK in Key Vault. However, you find that data can still be read from Cosmos DB. You need to ensure that disabling the key renders the data inaccessible. What should you do?
236. Your company uses Azure Managed Disks for VMs running a production database. The disks are encrypted with Azure Disk Encryption (ADE) using Azure Key Vault. Security policy requires that all encryption keys be rotated every 90 days. You have automated key rotation in Key Vault. However, after rotating the key, you find that the disks are still using the old key. You need to ensure that the disks use the new key after rotation. What should you do?
237. Your organization uses Azure Storage to host sensitive financial data. You need to ensure that all access to the storage account is encrypted in transit and that access keys are rotated automatically every 90 days. You also need to prevent access from public IP addresses. Which combination of configurations should you implement?
238. Your company has a large number of Azure SQL databases that contain personally identifiable information (PII). You need to classify and protect sensitive columns across all databases. The solution must automatically discover and label sensitive data, and enable auditing of access to that data. What should you implement?
239You need to secure a Linux virtual machine running a web application in Azure. The solution must ensure that only traffic on port 443 (HTTPS) is allowed from the internet, and that SSH access is restricted to a management subnet. What should you configure?
240Your organization uses Azure Kubernetes Service (AKS) for containerized workloads. You need to ensure that only approved container images from a private Azure Container Registry (ACR) can run in the cluster. The solution must also enforce that pods run with least privilege. What should you configure?
241Your company plans to use Azure SQL Managed Instance to store customer data. You need to comply with regulatory requirements for data encryption at rest and in transit, and you must ensure that only authorized applications can access the database. Which TWO actions should you take? (Choose two.)
242You are reviewing an Azure Policy definition. You need to determine the effect of this policy when a user attempts to create a new storage account with 'Secure transfer required' set to 'Disabled'. What happens?
243You are the Azure Security Engineer for a financial services company. The company has a multi-tier application deployed on Azure Virtual Machines (VMs) in a hub-spoke network topology. The application consists of web servers, application servers, and database servers. The database servers run SQL Server on Windows Server 2022 and store sensitive financial data. Compliance requires that all data at rest be encrypted using customer-managed keys (CMK) stored in Azure Key Vault. Additionally, all network traffic between tiers must be encrypted, and the database must be accessible only from the application servers. You have the following resources: a Key Vault with an HSM-backed key (key1) for disk encryption, and a Key Vault with a software-protected key (key2) for SQL Server TDE. Current configuration: The web servers are in subnet A, application servers in subnet B, and database servers in subnet C. Network Security Groups (NSGs) allow traffic from subnet B to subnet C on TCP 1433. The database servers are not using TDE. You need to implement the required security controls. What should you do first?
The Secure compute, storage, and databases domain covers the key concepts tested in this area of the AZ-500 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all AZ-500 domains — no account required.
The Courseiva AZ-500 question bank contains 243 questions in the Secure compute, storage, and databases domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Secure compute, storage, and databases domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.