© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Microsoft · Free Practice Questions · Last reviewed May 2026

AZ-500 Exam Questions and Answers

30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it is right and why the others are wrong.

50 exam questions
120 min time limit
Pass: 700/1000
5 exam domains
1. Secure identity and access
2. Secure compute, storage, and databases
3. Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel
4. Manage identity and access
5. Secure networking
Domain 1: Secure identity and access

Q1 (easy)

Your organization uses Microsoft Entra ID for identity management. You need to ensure that users can sign in using a one-time passcode sent to their mobile device, without requiring any additional app or software installation. Which authentication method should you enable?

A. One-time passcode (OTP) [correct]
   Built-in feature sending the passcode via SMS or email.
B. Microsoft Authenticator app
C. FIDO2 security keys
D. Certificate-based authentication

Why: Option A is correct because the one-time passcode (OTP) authentication method in Microsoft Entra ID allows users to sign in with a temporary code sent via SMS to their mobile device, requiring no additional app or software installation. This method is specifically designed for scenarios where users cannot or should not install the Microsoft Authenticator app, such as for guest users or in bring-your-own-device (BYOD) environments. The OTP is generated by Entra ID and delivered over the mobile network, satisfying the requirement of no extra software.
Q2 (medium)

Your company has a Microsoft Entra ID tenant and uses Azure AD Application Proxy to publish on-premises web apps. Users report that they are prompted for their password every time they access the app, even though they selected 'Keep me signed in'. You need to improve the sign-in experience without compromising security. What should you configure?

A. Configure conditional access policies to require device compliance
B. Enable Seamless Single Sign-On (SSO) for the domain [correct]
   Allows automatic sign-in for domain-joined devices.
C. Enable B2B collaboration for the app
D. Set 'Session lifetime' to 'Permanent' in sign-in frequency

Why: Seamless Single Sign-On (SSO) for the domain integrates with Azure AD Application Proxy to automatically authenticate users against on-premises Active Directory without prompting for credentials. This eliminates repeated password prompts while maintaining security by leveraging Kerberos delegation and the user's existing domain session.
Q3 (hard)

Your organization is implementing a zero-trust security model using Microsoft Entra ID. You need to ensure that all access requests to sensitive applications are evaluated in real-time based on user behavior and device posture before granting access. Which Microsoft Entra ID feature should you use?

A. Privileged Identity Management (PIM) with approval workflow
B. Conditional Access with session controls
C. Continuous Access Evaluation (CAE) [correct]
   Provides real-time token validation and policy enforcement.
D. Identity Protection with sign-in risk policy

Why: Continuous Access Evaluation (CAE) is the correct feature because it enforces real-time access revocation based on critical events such as user behavior changes (e.g., account disablement, password change) and device posture shifts (e.g., device non-compliance). Unlike periodic token validation, CAE uses a near-real-time event-driven model via the Microsoft Entra ID event service and OAuth 2.0 token claims to immediately block access to sensitive applications when risk is detected.
Q4 (easy)

You are configuring a conditional access policy to block access from untrusted locations. The policy should apply to all cloud apps except Microsoft Entra ID Administration. How should you configure the policy?

A. Include 'All cloud apps' and set 'Block access'
B. Include 'Select apps' and choose all apps except admin
C. Include 'All cloud apps' and exclude 'Microsoft Entra ID Administration' [correct]
   Excludes the admin portal from blocking.
D. Include 'All cloud apps' and exclude 'Office 365'

Why: Option C is correct because the requirement is to block access from untrusted locations for all cloud apps except Microsoft Entra ID Administration. In Conditional Access, you include 'All cloud apps' to cover every app, then explicitly exclude 'Microsoft Entra ID Administration' to exempt it from the block. This ensures the policy applies broadly while honoring the exclusion.
Q5 (medium)

Your company uses Microsoft Entra ID Governance features for access reviews. You need to ensure that guest users who do not sign in for 90 days are automatically removed from access to a critical application. The removal should happen without manual intervention. What should you configure?

A. Use an Azure Automation runbook to disable users after 90 days
B. Enable 'Inactive users' policy in Identity Protection
C. Configure an access review with 'Auto-apply results' enabled [correct]
   Automatically removes users after review.
D. Create a dynamic group based on sign-in activity

Why: Option C is correct because configuring an access review with 'Auto-apply results' enabled in Microsoft Entra ID Governance allows you to automatically remove guest users who have not signed in for 90 days from the critical application's access. The access review can be set to evaluate sign-in activity and, upon completion, automatically apply the results (e.g., remove access) without manual intervention, fulfilling the requirement for automated removal.
Q6 (hard)

Your organization uses Microsoft Entra ID to manage access for employees and partners. You need to implement a solution that allows partners to self-service request access to specific applications, with approval from their manager, and access expires after 30 days. Which feature should you use?

A. Entitlement Management access packages [correct]
   Provides self-service access with approval and expiration.
B. Azure AD B2B collaboration
C. Privileged Identity Management (PIM)
D. Conditional Access with session restrictions

Why: Entitlement Management access packages are designed to allow external partners to request access to specific applications through a self-service portal. The feature supports approval workflows (e.g., manager approval) and automatically enforces time-bound access, such as a 30-day expiration. This directly matches the requirement for partner self-service with approval and expiration.

Domain 2: Secure compute, storage, and databases

Q1 (hard)

A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server is in the same region and has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. However, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required to allow the SQL server to access the Key Vault for TDE operations?

A. Configure a private endpoint for the SQL server to the Key Vault.
B. Enable the 'Allow trusted Microsoft services to bypass the firewall' setting on the Key Vault. [correct]
   This setting allows trusted Azure services, including Azure SQL Database, to access the Key Vault even when the firewall is enabled. Since the SQL server's managed identity already has the cryptographic role, this is the missing piece to allow TDE operations.
C. Change the Key Vault firewall to allow all Azure services.
D. Create a VNet service endpoint for Microsoft.KeyVault on the SQL server's subnet.

Why: Option B is correct because when Azure Key Vault has a firewall that denies all public network access, the 'Allow trusted Microsoft services to bypass this firewall' setting is required for Azure SQL Database (a trusted Microsoft service) to authenticate using its system-assigned managed identity and access the customer-managed key for TDE. This setting allows the SQL server to reach the Key Vault over the Microsoft backbone network without requiring a private endpoint or VNet integration, as the service is explicitly trusted by Azure.
Q2 (hard)

A company stores sensitive files in Azure Files shares. They require that data is encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault, and that all client connections use SMB 3.0 encryption for end-to-end encryption in transit. They create a premium Azure Files share in a storage account and configure encryption at rest with a CMK. However, clients are unable to connect without SMB encryption. What additional configuration is necessary to enforce SMB encryption for all connections?

A. No additional configuration is needed; Azure Files uses SMB encryption by default and cannot be disabled.
B. Enable 'Secure transfer required' in the storage account's configuration to enforce SMB 3.0 encryption. [correct]
   When 'Secure transfer required' is enabled, the storage account accepts only encrypted connections (HTTPS and SMB 3.0 with encryption). For Azure Files, this means clients must use SMB 3.0 encryption to connect.
C. Configure a network security group (NSG) rule to block SMB traffic on port 445 that does not use encryption.
D. Set the Azure Files share to use the 'Premium' performance tier; encryption is only available on premium shares.

Why: Option B is correct because enabling 'Secure transfer required' on the storage account enforces that all client connections use SMB 3.0 with encryption, which is necessary for end-to-end encryption in transit. Even though encryption at rest is configured with a CMK, the storage account does not automatically require encrypted connections; this setting explicitly denies unencrypted SMB 2.1 or SMB 3.0 without encryption.
Q3 (hard)

A company stores sensitive files in Azure Files shares. They require encryption at rest using customer-managed keys (CMK) and encryption in transit using SMB 3.0 encryption. They have created a premium Azure Files share in a storage account and configured encryption at rest with a CMK. However, clients are able to connect without enforcing SMB encryption. What additional configuration is necessary to ensure that all connections to the file share are encrypted in transit?

A. Enable the 'Secure transfer required' property on the storage account. [correct]
   Enabling 'Secure transfer required' forces clients to use SMB 3.0 with encryption (or HTTPS) when connecting to the Azure Files share, ensuring encryption in transit.
B. Configure a network security group (NSG) to allow only encrypted traffic.
C. Set the minimum SMB protocol version to 3.0 on the file share.
D. Create a service endpoint for the storage account.

Why: Enabling the 'Secure transfer required' property on the storage account enforces encryption in transit for all client connections, including SMB 3.0 encryption for Azure Files. Without this setting, clients can connect using unencrypted SMB 2.1 or SMB 3.0 without encryption, even if the file share itself supports encryption. This property is a storage account-level flag that rejects any request not using HTTPS or SMB 3.0 with encryption.
Q4 (hard)

A company uses Azure SQL Database with Transparent Data Encryption (TDE) and wants to use a customer-managed key (CMK) stored in Azure Key Vault. The security policy requires that the Key Vault be protected by a firewall and virtual network service endpoints to restrict network access. The storage account for TDE logs is in the same Azure region. Which additional configuration is necessary in the Key Vault to allow Azure SQL Database to access the CMK for encryption operations?

A. Add a network rule in the Key Vault firewall allowing the public IP range of the Azure SQL Database server.
B. Enable the 'Allow trusted Microsoft services to bypass this firewall' option in the Key Vault networking settings. [correct]
   This setting allows trusted Microsoft services like Azure SQL Database to access the Key Vault even when the firewall is enabled, provided the service uses authentication and authorization.
C. Create a private endpoint for the Key Vault and connect it to the same virtual network as the Azure SQL Database.
D. Configure the Key Vault to use role-based access control (RBAC) and assign the 'Key Vault Crypto Service Encryption User' role to the SQL Database server's managed identity.

Why: Option B is correct because Azure SQL Database uses TDE with CMK stored in Azure Key Vault, and when the Key Vault firewall is enabled with virtual network service endpoints, Azure SQL Database must be able to bypass the firewall to retrieve the key. The 'Allow trusted Microsoft services to bypass this firewall' setting permits Azure services like Azure SQL Database, which are considered trusted by Microsoft, to access the Key Vault even when network restrictions are in place. This is the only configuration that satisfies the security policy while enabling the necessary encryption operations.
Q5 (hard)

A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key stored in Azure Key Vault. The Key Vault has a firewall enabled that blocks all public network access. The SQL server has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. Despite this, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required?

A. Enable the Azure SQL Database server's firewall to allow Azure services to access the server.
B. Configure the Key Vault firewall to allow trusted Microsoft services to bypass the firewall. [correct]
   This setting allows trusted Azure services, including Azure SQL Database, to access the Key Vault when using a managed identity.
C. Assign a user-assigned managed identity to the SQL server instead of a system-assigned identity.
D. Change the Key Vault firewall to allow all networks.

Why: The Key Vault firewall blocks all public network access, so even though the SQL server has the correct managed identity and role assignment, the connection is denied by the firewall. By enabling the 'Allow trusted Microsoft services to bypass this firewall' setting, Azure SQL Database (a trusted Microsoft service) can connect to the Key Vault without exposing it to the public internet. This is the required additional configuration to resolve the TDE access failure.
Q6 (hard)

A company uses Azure SQL Database. They want to ensure that all data at rest is encrypted using a customer-managed key (CMK) stored in Azure Key Vault. They also require that the key is automatically rotated every 12 months. Which two actions must be configured to meet this requirement? (Select two.)

A. Enable Transparent Data Encryption (TDE) with a customer-managed key. [correct]
   This must be configured to use a customer-managed key stored in Azure Key Vault for encrypting the database at rest.
B. Configure Key Vault to automatically rotate the key on a schedule. [correct]
   Key Vault supports key rotation policies that can automatically rotate the key every 12 months to meet the requirement.
C. Configure Azure SQL Database auditing to log key usage.
D. Enable Azure Information Protection for the database.

Why: Option A is correct because Transparent Data Encryption (TDE) with a customer-managed key (CMK) stored in Azure Key Vault is the mechanism that encrypts Azure SQL Database data at rest using a key you control. This meets the requirement for CMK-based encryption. Option B is correct because Azure Key Vault supports automatic key rotation on a schedule; by configuring a rotation policy (e.g., every 12 months), the key used for TDE is automatically replaced, satisfying the rotation requirement.
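The two settings behind the Key Vault questions in this domain (Q1, Q4, Q5) and the Azure Files questions (Q2, Q3), written out as an added Bicep example that is not part of the original page: a vault whose firewall denies public access but lets trusted Microsoft services through, and a premium file storage account with secure transfer required. Resource names and the SQL server identity's object ID are placeholder inputs, and the CMK wiring for both services is left out so the block stays focused on the network-plane settings.

```bicep
// Added example, not from the original page. Deploy at resource-group scope.
param location string = resourceGroup().location
param keyVaultName string = 'kv-tde-example'        // placeholder name
param storageAccountName string = 'stfilesexample'  // placeholder name
param sqlServerPrincipalId string                   // object ID of the SQL server's system-assigned identity (assumed input)

// Key Vault that holds the TDE protector. defaultAction 'Deny' is the firewall the
// questions describe; bypass 'AzureServices' is the 'Allow trusted Microsoft services
// to bypass this firewall' switch. With bypass 'None' the SQL server's managed identity
// is refused at the network layer even though its RBAC role is correct.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true
    enableSoftDelete: true
    enablePurgeProtection: true   // both required for a key used as a TDE protector
    networkAcls: {
      defaultAction: 'Deny'       // no public access unless explicitly allowed
      bypass: 'AzureServices'     // 'None' reproduces the failing scenario in Q1/Q5
      ipRules: []
      virtualNetworkRules: []
    }
  }
}

// Role assignment the scenario says already exists; included so the template deploys end to end.
// The GUID is the built-in 'Key Vault Crypto Service Encryption User' role definition.
resource kvCryptoRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, sqlServerPrincipalId, 'e147488a-f6f5-4113-8e2d-b22465e65bf6')
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')
    principalId: sqlServerPrincipalId
    principalType: 'ServicePrincipal'
  }
}

// Storage account behind the premium Azure Files share. supportsHttpsTrafficOnly is the
// portal's 'Secure transfer required' switch: true rejects unencrypted SMB and HTTP,
// false reproduces the state in Q2/Q3 where clients connect without SMB encryption.
resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'FileStorage'           // premium file shares
  sku: { name: 'Premium_LRS' }
  properties: {
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
  }
}
```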

Domain 3: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel

Q1 (hard)

A company uses Microsoft Defender for Cloud to manage the security posture of multiple Azure subscriptions. The security team wants to ensure that all subscriptions are covered by the same Microsoft Defender for Cloud policy initiative, but one subscription is not showing compliance data. The subscription is in the same Azure AD tenant and has the same tags. What is the most likely cause?

A. The user does not have Security Admin permissions on the subscription.
B. The subscription does not have any tags applied.
C. The subscription does not have the default policy initiative assigned.
D. The subscription is not registered with the Microsoft.Security resource provider. [correct]
   Registration is required for Defender for Cloud to assess the subscription.

Why: Option D is correct because a subscription must be registered with the Microsoft Defender for Cloud resource provider (Microsoft.Security) to be assessed. Option A is wrong because user permissions do not affect compliance data generation. Option B is wrong because tags are not required for compliance scanning. Option C is wrong because the default policy initiative applies automatically; there is no need to assign it manually.
Q2 (medium)

An organization uses Microsoft Defender for Cloud to protect Azure virtual machines. They notice that several VMs are not receiving vulnerability assessment findings, even though they are in a scope where the integrated Qualys VA solution is enabled. What should they verify first?

A. The VM does not have the Log Analytics agent installed. [correct]
   The agent is required for the Qualys extension to report findings.
B. The VM is in a resource group that is excluded from the vulnerability assessment solution.
C. The VM is behind a network security group that blocks outbound traffic.
D. The VM does not have a valid Qualys license.

Why: Option A is correct because if the VM does not have the Log Analytics agent (or Azure Monitor Agent) installed, the Qualys extension cannot communicate findings. Option B is wrong because the vulnerability assessment solution is deployed at the subscription level, not per VM. Option C is wrong because network security groups are not the primary reason for missing findings; the agent is required. Option D is wrong because the Qualys solution is included with Defender for Servers P2; no separate license is needed.
Q3 (easy)

A security analyst needs to create a custom alert in Microsoft Defender for Cloud that triggers when a user creates a public IP address in the 'production' resource group. Which type of alert should they use?

A. Azure Sentinel analytics rule
B. Azure Activity Log alert
C. Custom alert rule in Defender for Cloud
D. Custom recommendation based on Azure Policy [correct]
   Custom recommendations in Defender for Cloud are built on Azure Policy initiatives.

Why: Option D is correct because custom alerts in Defender for Cloud are created using custom recommendations based on Azure Policy. Option A is wrong because Azure Sentinel analytics rules are for Sentinel, not Defender for Cloud. Option B is wrong because Azure Activity Log alerts are in Azure Monitor, not Defender for Cloud. Option C is wrong because Microsoft Defender for Cloud does not have native custom alert rules via a portal wizard; it uses Azure Policy.
Q4 (medium)

Your company uses Microsoft Sentinel to monitor security events. You need to detect brute-force attacks against Azure VMs that are not yet onboarded to Sentinel. What should you do?

A. Use the Office 365 connector to collect sign-in logs.
B. Use the Windows Security Events connector via Azure Monitor Agent. [correct]
   This connector collects OS-level sign-in events from VMs.
C. Use the Common Event Format connector to forward syslog.
D. Use the Azure Activity connector to collect sign-in logs.

Why: Option B is correct because Windows and Linux VMs can be connected to Sentinel via the Azure Monitor Agent to stream security events. Option A is wrong because the Office 365 connector is for Microsoft 365 logs. Option C is wrong because the Common Event Format connector is for on-premises appliances, not Azure VMs. Option D is wrong because the Azure Activity connector captures management plane events, not OS-level sign-in attempts.
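What the Q4 answer looks like once deployed, as an added Bicep example that is not part of the original page: the data collection rule that the 'Windows Security Events via AMA' connector creates, which lands Windows logon events in the SecurityEvent table, followed by a scheduled analytics rule that flags bursts of failed logons (Event ID 4625) from one source IP against one host. The workspace name, resource names, the event filter and the 20-failure threshold are assumed values.

```bicep
// Added example, not from the original page. Assumes an existing Log Analytics
// workspace with Microsoft Sentinel enabled; each VM still needs a
// dataCollectionRuleAssociations resource (or the connector's policy) pointing at the DCR.
param location string = resourceGroup().location
param workspaceName string  // placeholder: existing Sentinel-enabled workspace

resource law 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

// Data collection rule equivalent to the Windows Security Events via AMA connector.
// The Azure Monitor Agent on each associated VM ships the selected Security log
// events into the SecurityEvent table of the workspace.
resource securityEventsDcr 'Microsoft.Insights/dataCollectionRules@2022-06-01' = {
  name: 'dcr-windows-security-events'
  location: location
  kind: 'Windows'
  properties: {
    dataSources: {
      windowsEventLogs: [
        {
          name: 'logonEvents'
          streams: [ 'Microsoft-SecurityEvent' ]
          // Only the logon events this detection needs (assumed filter); widen for full coverage.
          xPathQueries: [ 'Security!*[System[(EventID=4624 or EventID=4625 or EventID=4648)]]' ]
        }
      ]
    }
    destinations: {
      logAnalytics: [ { workspaceResourceId: law.id, name: 'sentinelWorkspace' } ]
    }
    dataFlows: [ { streams: [ 'Microsoft-SecurityEvent' ], destinations: [ 'sentinelWorkspace' ] } ]
  }
}

// Scheduled analytics rule: 20 or more failed logons from one IP to one host inside a
// 15-minute window. The threshold is a constructed starting point; tune it per environment.
resource bruteForceRule 'Microsoft.SecurityInsights/alertRules@2023-02-01' = {
  scope: law
  name: guid(law.id, 'vm-brute-force-4625')
  kind: 'Scheduled'
  properties: {
    displayName: 'Possible brute force against Azure VM (Event 4625 burst)'
    description: 'Twenty or more failed logons from one source IP to one host within 15 minutes.'
    enabled: true
    severity: 'Medium'
    tactics: [ 'CredentialAccess' ]
    query: '''
SecurityEvent
| where EventID == 4625
| where isnotempty(IpAddress) and IpAddress !in ("-", "127.0.0.1", "::1")
| summarize FailedLogons = count(),
            TargetAccounts = make_set(TargetUserName, 20),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
          by Computer, IpAddress, Window = bin(TimeGenerated, 15m)
| where FailedLogons >= 20
'''
    queryFrequency: 'PT15M'   // run every 15 minutes
    queryPeriod: 'PT1H'       // over the last hour of data
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0       // any matching row raises an incident
    suppressionEnabled: false
    suppressionDuration: 'PT1H'
    entityMappings: [
      { entityType: 'IP', fieldMappings: [ { identifier: 'Address', columnName: 'IpAddress' } ] }
      { entityType: 'Host', fieldMappings: [ { identifier: 'HostName', columnName: 'Computer' } ] }
    ]
  }
}
```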
Q5 (hard)

A security team uses Microsoft Defender for Cloud's regulatory compliance dashboard to track compliance with PCI DSS. They notice that some controls are marked as 'N/A' even though they have relevant resources. What is the most likely reason?

A. The resources do not have the required custom assessment.
B. The compliance dashboard requires a Microsoft Purview Compliance Manager license.
C. The resources are in a subscription that is not included in the scope of the compliance standard. [correct]
   Scope determines which resources are assessed.
D. The resources have not been manually claimed as compliant.

Why: Option C is correct because the regulatory compliance dashboard by default only assesses resources that are in scope for the selected standard. If a subscription or resource group is not included in the scope, controls will show as 'N/A'. Option A is wrong because the dashboard uses built-in assessments; it does not require custom assessments. Option B is wrong because the dashboard is available even without a compliance manager license. Option D is wrong because the dashboard only assesses resources, not manual claims.
Q6 (easy)

You are configuring Microsoft Sentinel to ingest logs from Azure Active Directory. Which two data connectors are necessary to collect sign-in logs and audit logs?

A. Azure Activity and Azure Active Directory Audit logs
B. Office 365 and Azure Active Directory Sign-in logs
C. Azure Active Directory Sign-in logs and Azure Active Directory Audit logs [correct]
   These two connectors cover the required log types.
D. Security Events and Azure Active Directory Sign-in logs

Why: Option C is correct because Azure Active Directory logs require two connectors: one for Sign-in logs and one for Audit logs. Option A is wrong because the Azure Activity connector is for Azure subscription management logs. Option B is wrong because the Office 365 connector does not include Azure AD logs. Option D is wrong because the Security Events connector is for VMs.

Domain 4: Manage identity and access

Q1 (hard)

A company uses Azure AD Identity Protection. They want to automatically block sign-ins that have a high user risk level, but only for users in the 'Finance' department. They also want to require MFA for medium user risk level for all users (including Finance) when sign-in risk is not blocked. They have already created a Conditional Access policy for the Finance department that has a condition of 'User risk level: High' and a grant control of 'Block access'. What additional configuration is needed to also require MFA for all users with medium user risk?

A. Create a second Conditional Access policy targeting all users with condition 'User risk level: Medium' and grant control 'Require multi-factor authentication' [correct]
   A separate policy for medium user risk applied to all users will require MFA when medium risk is detected. The existing policy will continue to block Finance users with high risk. Policy evaluation is not mutually exclusive; the block takes precedence for high risk, and the MFA requirement applies for medium risk.
B. Modify the existing policy to include 'User risk level: Medium' and change the grant control to 'Require multi-factor authentication'
C. Use Identity Protection's 'User risk policy' instead of Conditional Access
D. Create a new Conditional Access policy with condition 'User risk level: Medium' and grant control 'Block access'

Why: Option A is correct because Azure AD Conditional Access policies are evaluated independently, and a separate policy is needed to require MFA for medium user risk across all users. The existing policy blocks high-risk sign-ins for Finance only, but does not address medium risk for any user. Creating a second policy targeting all users with 'User risk level: Medium' and grant control 'Require multi-factor authentication' satisfies the requirement without conflicting with the existing block policy, as Conditional Access policies are combined (unless explicitly excluded).
Q2 (hard)

A company uses Azure AD Privileged Identity Management (PIM) to manage access to Azure AD roles. They want to require that users who activate the Global Administrator role must get approval from their manager before activation, and that the approval must be time-bound (maximum 8 hours). Which two PIM configurations should they set?

A. Set the activation maximum duration to 8 hours. [correct]
   This limits how long the role can be active, meeting the time-bound requirement.
B. Enable approval workflow by adding the manager as an approver. [correct]
   This requires manager approval before activation.
C. Require multi-factor authentication on activation.
D. Require justification on activation.

Why: Option A is correct because setting the activation maximum duration to 8 hours enforces the time-bound requirement, ensuring that once a user activates the Global Administrator role, the activation automatically expires after 8 hours. Option B is correct because enabling the approval workflow and adding the manager as an approver ensures that the manager must approve each activation request, meeting the requirement for manager approval. Together, these two configurations satisfy both the time-bound and approval constraints.
Q3 (hard)

A company uses Azure AD Privileged Identity Management (PIM) to manage the Global Administrator role. They want to require that when a user activates the role, they must be using a device that is compliant with Intune policies (e.g., compliant device) and must provide a justification. The company already has Conditional Access policies in place for regular access. How should they enforce the device compliance requirement specifically during PIM activation?

A. Configure a Conditional Access policy that targets the 'Azure AD Privileged Identity Management' cloud app, requiring compliant device.
B. In PIM settings for the Global Administrator role, enable 'Require Multi-Factor Authentication on activation'.
C. In PIM settings for the Global Administrator role, enable 'Require Azure AD Conditional Access authentication context' and create a Conditional Access policy that requires compliant device when that authentication context is used. [correct]
   This is the recommended method for integrating PIM with Conditional Access. The authentication context is signaled during activation, and a separate CA policy enforces the device compliance requirement.
D. Use Azure AD Identity Protection's user risk policy to require device compliance when a high-risk user activates the role.

Why: Option C is correct because Azure AD PIM can integrate with Conditional Access via authentication context. By enabling 'Require Azure AD Conditional Access authentication context' in the PIM role settings and then creating a Conditional Access policy that targets that authentication context with the 'Require compliant device' grant control, you enforce device compliance specifically during role activation. This approach ensures the device compliance check is applied only when the user activates the Global Administrator role, not during regular access.
Q4 (hard)

A company uses Azure AD Privileged Identity Management (PIM) for the Global Administrator role. They have configured the role activation to require approval from a specific security group. When a user attempts to activate the role, they are immediately approved without any approval request being sent. The user is a member of the same security group that is configured as the approver. What is the most likely cause?

A. The activation approval requirement is not supported for the Global Administrator role
B. The user is a member of the approver group and is self-approving the request [correct]
   PIM allows approvers to approve their own activation requests unless the 'Disable approver approval' policy setting is enabled. Since the user is in the approver group, they can self-approve.
C. The PIM policy has not been activated for the Global Administrator role
D. The role activation duration is set to zero, causing immediate activation

Why: Option B is correct because when a user is a member of the approver security group in Azure AD PIM, they can approve their own activation request. PIM does not prevent self-approval by default; the approval workflow sends the request to all members of the approver group, and if the requesting user is also a member, they can approve it themselves, resulting in immediate activation without any external approval.
Q5 (hard)

A company has a partner organization in another Azure AD tenant. They want to allow users from the partner tenant to access their Azure resources through Azure AD B2B collaboration. They also want the partner's Multi-Factor Authentication (MFA) claims to be trusted when partner users access their resources, so that they do not need to perform MFA again. Which configuration in cross-tenant access settings should they enable?

A. Trust multi-factor authentication from the partner tenant (inbound trust). [correct]
   This setting accepts MFA claims from the partner tenant, avoiding redundant MFA prompts.
B. Trust device compliance from the partner tenant.
C. Enable a Conditional Access policy that grants access to the partner tenant.
D. Configure identity synchronization with the partner tenant.

Why: Option A is correct because cross-tenant access settings in Azure AD allow you to configure inbound trust for MFA from an external Azure AD tenant. When enabled, Azure AD B2B collaboration will accept the partner tenant's MFA claims, so partner users who have already satisfied MFA in their home tenant will not be prompted again when accessing your resources. This is configured under 'Cross-tenant access settings' > 'Inbound trust settings' for the specific partner tenant.
Q6
Difficulty: medium

A company has an on-premises web application that they want to expose to external users over the internet without requiring a VPN. External users must authenticate with Modern Authentication (e.g., using Azure Multi-Factor Authentication) and access policies must be enforced via Conditional Access. The application does not support SAML or OAuth. Which Azure service should they use to publish this application securely?

A

Azure AD B2C (Business-to-Consumer).

B

Azure Application Gateway with Web Application Firewall (WAF).

C

Azure AD Application Proxy.

Application Proxy is specifically designed for this scenario: it allows on-premises HTTP/HTTPS applications to be published through Azure AD, providing pre-authentication, MFA, and Conditional Access.

D

Azure Front Door.

Why: Azure AD Application Proxy is the correct choice because it allows publishing on-premises web applications to external users without requiring a VPN, supports Modern Authentication (including Azure MFA), and enforces Conditional Access policies. It works by installing a connector on-premises that proxies traffic through Azure AD, enabling authentication and policy enforcement even for legacy applications that do not support SAML or OAuth.


Domain 5: Secure networking

Q1
Difficulty: hard

A company has a hub-spoke network topology. The hub virtual network contains an Azure Firewall and an ExpressRoute gateway for on-premises connectivity. The spoke virtual network hosts a critical application. They need to ensure that all outbound traffic from the spoke to the internet and to on-premises networks is routed through the Azure Firewall. They configure a user-defined route (UDR) on the spoke subnet with address prefix 0.0.0.0/0 and next hop as the Azure Firewall's private IP. They also disable 'Virtual network gateway route propagation' on the spoke subnet. However, traffic to on-premises still bypasses the firewall and goes through the ExpressRoute gateway. What is the most likely cause?

A

The Azure Firewall is not in the same region as the spoke.

B

The ExpressRoute gateway's BGP routes are still overriding the UDR because gateway propagation is not fully disabled.

C

The spoke subnet does not have a route for the on-premises prefix pointing to the firewall.

The 0.0.0.0/0 UDR only applies to traffic with no more specific match. On-premises traffic has a specific address prefix. To route it through the firewall, you must add a UDR with that specific prefix and the next hop as the firewall.

D

The route table is not associated with the spoke subnet.

Why: The user-defined route (UDR) with 0.0.0.0/0 only covers traffic destined for the internet. Traffic to on-premises networks has a more specific destination prefix (e.g., 10.0.0.0/8). Without an explicit route for that on-premises prefix pointing to the Azure Firewall, the system uses the more specific route learned via ExpressRoute BGP, which directs traffic to the ExpressRoute gateway instead of the firewall. Disabling 'Virtual network gateway route propagation' prevents BGP routes from being added to the route table, but it does not remove existing learned routes; however, the core issue is the lack of a specific UDR for the on-premises prefix.
Q2
Difficulty: hard

Your company has an Azure subscription with a hub-spoke network topology. The hub contains an Azure Firewall and a VPN gateway for on-premises connectivity. The spoke virtual network hosts a critical application. You need to ensure that all outbound traffic from the spoke to the internet and on-premises networks flows through the Azure Firewall. You configure a user-defined route (UDR) on the spoke subnet with the default route (0.0.0.0/0) pointing to the Azure Firewall private IP. However, traffic to on-premises still bypasses the firewall. What is the most likely cause?

A

The on-premises traffic uses a more specific route learned via BGP from the VPN gateway, which overrides the UDR

BGP-learned routes for on-premises networks are more specific than 0.0.0.0/0, so they are selected even when a UDR for 0.0.0.0/0 exists. To force that traffic through the firewall, you must either disable BGP route propagation on the subnet or create specific UDRs for the on-premises ranges.

B

The UDR must be applied to the subnet that hosts the Azure Firewall

C

The spoke subnet does not have 'GatewaySubnet' route propagation enabled

D

The Azure Firewall is not configured with a route to the on-premises network

Why: The most likely cause is that the on-premises traffic uses a more specific route learned via BGP from the VPN gateway, which overrides the user-defined route (UDR). In Azure, when a UDR and a BGP-propagated route both match traffic, the route with the most specific prefix (longest prefix match) wins. Since on-premises networks are typically advertised with specific IP prefixes (e.g., 10.0.0.0/16) rather than 0.0.0.0/0, the BGP-learned routes take precedence, causing traffic to bypass the Azure Firewall.
Q3
Difficulty: hard

A company has an Azure virtual network that uses Azure Firewall as the central traffic inspection point. They have a spoke VNet peered to the hub VNet. The spoke VNet contains a subnet with virtual machines. The security team wants to ensure that all outbound traffic from those virtual machines to the internet goes through the Azure Firewall. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) to the Azure Firewall's private IP. However, traffic from the VMs is still going directly to the internet. What is the most likely cause?

A

The route table is not associated with the subnet.

B

The Azure Firewall is not configured with a default route.

C

The virtual machines have public IP addresses assigned.

When a VM has a public IP, Azure performs default outbound SNAT using that IP, bypassing the route table and the firewall.

D

The VNet peering is not configured properly.

Why: When a virtual machine in Azure has a public IP address assigned, Azure's default routing logic gives it a 'default outbound access' path that bypasses any user-defined route (UDR) pointing to the Azure Firewall. This is because Azure prefers the host's public IP route over a UDR for internet-bound traffic, unless the VM is explicitly configured to use a NAT gateway or Azure Firewall as the next hop. Therefore, even with the route table correctly associated, the VM will send traffic directly to the internet via its public IP.
Q4
Difficulty: hard

A company has a hub-spoke network topology with Azure Firewall deployed in the hub virtual network. Spoke virtual networks are peered to the hub. The security team needs to ensure that all outbound internet traffic from virtual machines in a spoke subnet goes through the Azure Firewall. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall private IP address. However, traffic from spoke VMs is still bypassing the firewall and going directly to the internet. What is the most likely reason?

A

The route table is not associated with the spoke subnet.

Correct. Without an explicit association, the subnet uses system routes and traffic bypasses the firewall. The route table must be associated with the subnet to take effect.

B

Azure Firewall is not configured with DNAT rules for outbound traffic.

C

The spoke VNet peering does not allow gateway transit.

D

The route table has a higher priority than system routes.

Why: The most likely reason is that the route table containing the default route (0.0.0.0/0) pointing to the Azure Firewall private IP has not been associated with the spoke subnet. Without this association, the subnet continues to use system routes, which include a default route to the internet via the Azure default gateway, allowing traffic to bypass the firewall. Associating the route table with the subnet is a required step to override the system default route.
Q5
Difficulty: hard

A company has two Azure virtual networks: VNet-A and VNet-B. They peer the VNets and deploy a network virtual appliance (NVA) in VNet-A. They want to inspect all outbound traffic from VNet-B to the internet using the NVA. They configure a user-defined route (UDR) in a route table associated with the subnet in VNet-B, with a default route (0.0.0.0/0) and next hop set to the private IP of the NVA in VNet-A. However, outbound traffic from VNet-B still goes directly to the internet. What is the most likely cause?

A

The NVA's network interface must have 'IP forwarding' enabled.

IP forwarding allows the NVA to accept and forward traffic not destined to its own IP. Without it, the NVA drops the packets.

B

The VNet peering is not configured to allow traffic from VNet-B to route through VNet-A.

C

The route table is not associated with the subnet in VNet-B.

D

The NVA does not have a public IP address.

Why: The most likely cause is that IP forwarding is disabled on the NVA's network interface. Even with a correct user-defined route (UDR) pointing 0.0.0.0/0 traffic to the NVA's private IP, Azure will drop packets delivered to the NVA's NIC whose destination is not the NIC's own IP unless the NIC is configured to accept and forward traffic not addressed to itself. Enabling IP forwarding allows the NVA to act as a router, processing and forwarding packets between VNets.
Q6
Difficulty: hard

A company has two Azure virtual networks, VNet-A (hub) and VNet-B (spoke), connected via VNet peering. They deploy a network virtual appliance (NVA) in a subnet in VNet-A to inspect all traffic between the VNets. They configure a user-defined route (UDR) on the subnet in VNet-B with the destination address space of VNet-A (10.0.0.0/16) and the next hop set to the private IP of the NVA. However, traffic from VNet-B to VNet-A still bypasses the NVA and takes a direct path. What is the most likely cause?

A

The NVA's private IP address is not reachable from VNet-B

B

VNet peering system routes override user-defined routes

C

The UDR must be applied to the gateway subnet of VNet-B

D

The NVA network interface does not have IP forwarding enabled

IP forwarding must be enabled on the NVA's NIC for it to forward traffic destined to other IPs. Without it, the NVA will drop the traffic, and the peering path remains active.

Why: Option D is correct because a network virtual appliance (NVA) requires IP forwarding to be enabled on its network interface to forward traffic not destined for itself. Without this setting, the NVA drops packets that arrive with a destination IP other than its own, causing the traffic to bypass the NVA and follow the default VNet peering route. Enabling IP forwarding allows the NVA to act as a router and forward traffic between VNets as specified by the user-defined route.


Frequently asked questions

How many questions are on the AZ-500 exam?

The AZ-500 exam has 50 questions and must be completed in 120 minutes. The passing score is 700/1000.

What types of questions appear on the AZ-500 exam?

Security scenario questions covering Microsoft Entra ID, Defender for Cloud, Azure Key Vault, and application and data security. Some questions are performance-based (PBQs), asking you to complete tasks in a simulated environment.

How are AZ-500 questions organised by domain?

The exam covers 5 domains: Secure identity and access; Secure compute, storage, and databases; Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel; Manage identity and access; Secure networking. Questions are weighted by domain: higher-weight domains appear more on your actual exam.

Are these the actual AZ-500 exam questions?

No. These are original exam-style practice questions written against the official Microsoft AZ-500 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
