Microsoft · Free Practice Questions · Last reviewed May 2026
18 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
A company uses Azure AD Identity Protection. They want to automatically block sign-ins that have a high user risk level, but only for users in the 'Finance' department. They also want to require MFA for medium user risk level for all users (including Finance) when sign-in risk is not blocked. They have already created a Conditional Access policy for the Finance department that has a condition of 'User risk level: High' and a grant control of 'Block access'. What additional configuration is needed to also require MFA for all users with medium user risk?
Create a second Conditional Access policy targeting all users with condition 'User risk level: Medium' and grant control 'Require multi-factor authentication'
A separate policy scoped to all users with the condition 'User risk level: Medium' requires MFA whenever medium user risk is detected, while the existing policy keeps blocking Finance users at high risk. Conditional Access policies are not mutually exclusive: every policy whose conditions match a sign-in is enforced together, and a block from any matching policy wins over any grant control. Note that, as written, this pair of policies applies nothing to a high-risk user outside Finance; select both Medium and High in the MFA policy's user risk condition if those users should also be challenged.
Modify the existing policy to include 'User risk level: Medium' and change the grant control to 'Require multi-factor authentication'
Use Identity Protection's 'User risk policy' instead of Conditional Access
Create a new Conditional Access policy with condition 'User risk level: Medium' and grant control 'Block access'
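The combination rule in the explanation above is easy to get wrong, so here is a small model of it as an added example (not Microsoft's code and not from the original page): a policy, a sign-in, and the evaluation Conditional Access applies when several policies match. The group and policy names and the 'block'/'mfa' labels for grant controls are illustrative assumptions. It also makes the gap in the scenario visible: with only these two policies, a high-risk user outside Finance matches nothing.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    user_risk_levels: FrozenSet[str]         # condition: user risk levels the policy fires on
    grant: str                               # "block" or "mfa" (constructed labels for grant controls)
    groups: Optional[FrozenSet[str]] = None  # None = the policy is assigned to all users


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: FrozenSet[str]
    user_risk: str                           # "none", "low", "medium" or "high"


def applies(policy: Policy, signin: SignIn) -> bool:
    """A policy fires only when the user is in scope and the user-risk condition matches."""
    in_scope = policy.groups is None or bool(policy.groups & signin.groups)
    return in_scope and signin.user_risk in policy.user_risk_levels


def evaluate(policies: Iterable[Policy], signin: SignIn) -> str:
    """Combine matching policies the way Conditional Access does.

    All matching policies are enforced together: a block from any of them wins,
    otherwise the user must satisfy the union of the matched grant controls.
    """
    matched = [p for p in policies if applies(p, signin)]
    if any(p.grant == "block" for p in matched):
        return "block"
    controls = sorted({p.grant for p in matched})
    return "+".join(controls) if controls else "allow"


# Constructed policies mirroring the answer above (names are illustrative).
FINANCE_BLOCK_HIGH = Policy("Finance: block high user risk", frozenset({"high"}), "block",
                            groups=frozenset({"Finance"}))
ALL_MFA_MEDIUM = Policy("All users: MFA at medium user risk", frozenset({"medium"}), "mfa")
# Variant with Medium and High both selected, so high-risk users outside Finance get a control too.
ALL_MFA_MEDIUM_OR_HIGH = Policy("All users: MFA at medium or high user risk",
                                frozenset({"medium", "high"}), "mfa")

ANSWER_AS_WRITTEN = [FINANCE_BLOCK_HIGH, ALL_MFA_MEDIUM]
ANSWER_WITH_HIGH = [FINANCE_BLOCK_HIGH, ALL_MFA_MEDIUM_OR_HIGH]

if __name__ == "__main__":
    finance_high = SignIn("alice", frozenset({"Finance"}), "high")
    finance_medium = SignIn("alice", frozenset({"Finance"}), "medium")
    sales_high = SignIn("bob", frozenset({"Sales"}), "high")
    print(evaluate(ANSWER_AS_WRITTEN, finance_high))    # block
    print(evaluate(ANSWER_AS_WRITTEN, finance_medium))  # mfa
    print(evaluate(ANSWER_AS_WRITTEN, sales_high))      # allow: nothing matches high risk outside Finance
    print(evaluate(ANSWER_WITH_HIGH, sales_high))       # mfa
    print(evaluate(ANSWER_WITH_HIGH, finance_high))     # block: the block still wins over MFA
```

The `ANSWER_WITH_HIGH` variant is the one to deploy in practice; the exam answer only states the minimum change the question asks for.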
A company uses Azure AD Privileged Identity Management (PIM) to manage access to Azure AD roles. They want to require that users who activate the Global Administrator role must get approval from their manager before activation, and that the approval must be time-bound (maximum 8 hours). Which two PIM configurations should they set?
Set the activation maximum duration to 8 hours.
This limits how long the role can be active, meeting the time-bound requirement.
Enable approval workflow and add the manager as an approver.
This requires manager approval before activation. PIM approvers are specified explicitly as users or groups in the role settings; there is no dynamic 'manager' approver, so the approver list has to be maintained for the role.
Require multi-factor authentication on activation.
Require justification on activation.
A company uses Azure AD Privileged Identity Management (PIM) to manage the Global Administrator role. They want to require that when a user activates the role, they must be using a device that is compliant with Intune policies (e.g., compliant device) and must provide a justification. The company already has Conditional Access policies in place for regular access. How should they enforce the device compliance requirement specifically during PIM activation?
Configure a Conditional Access policy that targets the 'Azure AD Privileged Identity Management' cloud app, requiring compliant device.
In PIM settings for the Global Administrator role, enable 'Require Multi-Factor Authentication on activation'.
In PIM settings for the Global Administrator role, enable 'Require Azure AD Conditional Access authentication context' and create a Conditional Access policy that requires compliant device when that authentication context is used.
Correct. This is the recommended method for integrating PIM with Conditional Access. PIM raises the configured authentication context when the role is activated, and a Conditional Access policy that targets that authentication context (rather than a cloud app) enforces the compliant-device requirement at that moment. The 'Require justification on activation' option in the same role settings covers the justification requirement.
Use Azure AD Identity Protection's user risk policy to require device compliance when a high-risk user activates the role.
A company uses Azure AD Privileged Identity Management (PIM) for the Global Administrator role. They have configured the role activation to require approval from a specific security group. When a user who is a member of that same security group activates the role, the activation is approved immediately and no other approver receives a request. What is the most likely cause?
The activation approval requirement is not supported for the Global Administrator role
The user is a member of the approver group and is self-approving the request
PIM does not prevent an approver from approving their own activation request. Because the user is in the approver group, they can approve the request themselves, so activation completes without any other approver being involved. Keep the approver group separate from the users who are eligible for the role, and use the PIM audit history to see who approved each activation.
The PIM policy has not been activated for the Global Administrator role
The role activation duration is set to zero, causing immediate activation
A company has a partner organization in another Azure AD tenant. They want to allow users from the partner tenant to access their Azure resources through Azure AD B2B collaboration. They also want the partner's Multi-Factor Authentication (MFA) claims to be trusted when partner users access their resources, so that they do not need to perform MFA again. Which configuration in cross-tenant access settings should they enable?
Trust multi-factor authentication from the partner tenant (inbound trust).
Inbound trust settings (Cross-tenant access settings, the partner organization's Inbound access tab, Trust settings) accept the MFA claim issued by the partner tenant, so your Conditional Access policies that require MFA are satisfied without prompting the partner user again.
Trust device compliance from the partner tenant.
Enable a Conditional Access policy that grants access to the partner tenant.
Configure identity synchronization with the partner tenant.
A company has an on-premises web application that they want to expose to external users over the internet without requiring a VPN. External users must authenticate with Modern Authentication (e.g., using Azure Multi-Factor Authentication) and access policies must be enforced via Conditional Access. The application does not support SAML or OAuth. Which Azure service should they use to publish this application securely?
Azure AD B2C (Business-to-Consumer).
Azure Application Gateway with Web Application Firewall (WAF).
Azure AD Application Proxy.
Application Proxy is designed for this scenario: it publishes on-premises HTTP/HTTPS applications through Azure AD with pre-authentication, so MFA and Conditional Access are enforced before the connector forwards any request to the application. Because the application does not support SAML or OAuth, single sign-on to it is handled by Integrated Windows Authentication with Kerberos constrained delegation or by header-based SSO on the published app.
Azure Front Door.
A company has a hub-spoke network topology. The hub virtual network contains an Azure Firewall and an ExpressRoute gateway for on-premises connectivity. The spoke virtual network hosts a critical application. They need to ensure that all outbound traffic from the spoke to the internet and to on-premises networks is routed through the Azure Firewall. They configure a user-defined route (UDR) on the spoke subnet with address prefix 0.0.0.0/0 and next hop as the Azure Firewall's private IP. They also disable 'Virtual network gateway route propagation' on the spoke subnet. However, traffic to on-premises still bypasses the firewall and goes through the ExpressRoute gateway. What is the most likely cause?
The Azure Firewall is not in the same region as the spoke.
The ExpressRoute gateway's BGP routes are still overriding the UDR because gateway propagation is not fully disabled.
The spoke subnet does not have a route for the on-premises prefix pointing to the firewall.
Azure selects routes by longest prefix match. An on-premises prefix learned over ExpressRoute (for example 10.10.0.0/16) is more specific than 0.0.0.0/0, so it beats the default UDR. A UDR for that exact prefix with the firewall as next hop wins instead, because for the same prefix a user-defined route takes precedence over a BGP-learned one. If gateway route propagation really is disabled on the spoke route table, the BGP routes should no longer appear at all; look at a spoke NIC's effective routes to see which route is actually Active before adding more UDRs.
The route table is not associated with the spoke subnet.
Your company has an Azure subscription with a hub-spoke network topology. The hub contains an Azure Firewall and a VPN gateway for on-premises connectivity. The spoke virtual network hosts a critical application. You need to ensure that all outbound traffic from the spoke to the internet and on-premises networks flows through the Azure Firewall. You configure a user-defined route (UDR) on the spoke subnet with the default route (0.0.0.0/0) pointing to the Azure Firewall private IP. However, traffic to on-premises still bypasses the firewall. What is the most likely cause?
The on-premises traffic uses a more specific route learned via BGP from the VPN gateway, which overrides the UDR
BGP-learned routes for on-premises networks carry prefixes more specific than 0.0.0.0/0, so longest-prefix matching selects them over the default UDR. To force that traffic through the firewall, either disable 'Virtual network gateway route propagation' on the spoke route table, or add UDRs for the on-premises ranges with the firewall as next hop (a UDR takes precedence over a BGP route for the same prefix). To keep the return path symmetric, also add a UDR on the hub's GatewaySubnet for the spoke prefix pointing to the firewall.
The UDR must be applied to the subnet that hosts the Azure Firewall
The spoke subnet does not have 'GatewaySubnet' route propagation enabled
The Azure Firewall is not configured with a route to the on-premises network
A company has an Azure virtual network that uses Azure Firewall as the central traffic inspection point. They have a spoke VNet peered to the hub VNet. The spoke VNet contains a subnet with virtual machines. The security team wants to ensure that all outbound traffic from those virtual machines to the internet goes through the Azure Firewall. They have created a route table containing a default route (0.0.0.0/0) with next hop type 'Virtual appliance' and the Azure Firewall's private IP as the next hop address. However, traffic from the VMs is still going directly to the internet. What is the most likely cause?
The route table is not associated to the subnet.
A route table has no effect until it is associated with the subnet; until then the subnet's NICs keep the system default route, which sends 0.0.0.0/0 straight to the internet. Check a VM NIC's effective routes: if the 0.0.0.0/0 route to the firewall is not listed as Active, the association is missing. A public IP on a VM does not bypass a UDR: its outbound traffic still follows the route table (the usual side effect is an asymmetric return path for inbound connections to that public IP, not a firewall bypass).
The Azure Firewall is not configured with a default route.
The virtual machines have public IP addresses assigned.
The VNet peering is not configured properly.
A company has a hub-spoke network topology with Azure Firewall deployed in the hub virtual network. Spoke virtual networks are peered to the hub. The security team needs to ensure that all outbound internet traffic from virtual machines in a spoke subnet goes through the Azure Firewall. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall private IP address. However, traffic from spoke VMs is still bypassing the firewall and going directly to the internet. What is the most likely reason?
The route table is not associated with the spoke subnet.
Correct. A route table does nothing until it is associated with the subnet; until then the NICs keep the system default route that sends 0.0.0.0/0 to the internet. Confirm on a spoke VM NIC's effective routes that the 0.0.0.0/0 route with next hop 'Virtual appliance' (the firewall's private IP) is listed as Active.
Azure Firewall is not configured with DNAT rules for outbound traffic.
The spoke VNet peering does not allow gateway transit.
The route table has a higher priority than system routes.
A company has two Azure virtual networks: VNet-A and VNet-B. They peer the VNets and deploy a network virtual appliance (NVA) in VNet-A. They want to inspect all outbound traffic from VNet-B to the internet using the NVA. They configure a user-defined route (UDR) in a route table associated with the subnet in VNet-B, with a default route (0.0.0.0/0) and next hop set to the private IP of the NVA in VNet-A. However, outbound connections from VNet-B to the internet fail, and the NVA's logs show no traffic arriving from VNet-B. What is the most likely cause?
The NVA's network interface must have 'IP forwarding' enabled.
IP forwarding on the NVA's NIC tells the Azure fabric to deliver packets whose destination is not one of the NIC's own IP addresses. Without it, the platform drops those packets before they reach the appliance, so the NVA never sees them and nothing is inspected. Because the NVA sits in a different VNet, also enable 'Allow forwarded traffic' on the peering so that packets the NVA forwards with a non-local source address are accepted.
The VNet peering is not configured to allow traffic from VNet-B to route through VNet-A.
The route table is not associated with the subnet in VNet-B.
The NVA does not have a public IP address.
A company has two Azure virtual networks, VNet-A (hub) and VNet-B (spoke), connected via VNet peering. They deploy a network virtual appliance (NVA) in a subnet in VNet-A to inspect all traffic between the VNets. They configure a user-defined route (UDR) on the subnet in VNet-B with the destination address space of VNet-A (10.0.0.0/16) and the next hop set to the private IP of the NVA. However, traffic from VNet-B to VNet-A fails, and the NVA never receives it. What is the most likely cause?
The NVA's private IP address is not reachable from VNet-B
VNet peering system routes override user-defined routes
The UDR must be applied to the gateway subnet of VNet-B
The NVA network interface does not have IP forwarding enabled
IP forwarding must be enabled on the NVA's NIC so that the Azure fabric delivers packets addressed to other IPs to it. Without it, the fabric drops those packets before they reach the appliance. Once it is enabled, add a matching UDR in VNet-A for VNet-B's prefix with the NVA as next hop, otherwise the return traffic takes the direct peering path and the flow becomes asymmetric.
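The six networking questions above all turn on the same route-selection rule (longest prefix match, then user-defined route over BGP route over system route, with the route table only counting once it is associated) plus the IP forwarding requirement on an appliance NIC. The following is an added example that models that rule in Python; it is not Azure's code and not part of the original page. The address ranges (spoke 10.1.0.0/16, hub 10.0.0.0/16, firewall 10.0.1.4, on-premises 192.168.0.0/16) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Precedence when two routes have the same prefix length: UDR beats BGP beats system route.
SOURCE_RANK = {"User": 2, "VirtualNetworkGateway": 1, "Default": 0}


@dataclass(frozen=True)
class Route:
    prefix: str                    # e.g. "0.0.0.0/0"
    next_hop_type: str             # "Internet", "VirtualAppliance", "VirtualNetworkGateway", "VnetLocal", "VNetPeering"
    source: str                    # "Default" (system), "User" (UDR), "VirtualNetworkGateway" (BGP-learned)
    next_hop_ip: Optional[str] = None


# Constructed hub-spoke: spoke 10.1.0.0/16 peered to hub 10.0.0.0/16, firewall at 10.0.1.4,
# on-premises 192.168.0.0/16 learned over BGP through the hub gateway.
SPOKE_SYSTEM_ROUTES = [
    Route("10.1.0.0/16", "VnetLocal", "Default"),
    Route("10.0.0.0/16", "VNetPeering", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),
]
BGP_ROUTES = [Route("192.168.0.0/16", "VirtualNetworkGateway", "VirtualNetworkGateway")]
FIREWALL_IP = "10.0.1.4"
DEFAULT_TO_FIREWALL = Route("0.0.0.0/0", "VirtualAppliance", "User", FIREWALL_IP)
ONPREM_TO_FIREWALL = Route("192.168.0.0/16", "VirtualAppliance", "User", FIREWALL_IP)


def effective_routes(udrs: List[Route], *, table_associated: bool = True,
                     gateway_propagation: bool = True) -> List[Route]:
    """Routes Azure would list under 'Effective routes' for a NIC in the spoke subnet.

    A route table contributes its UDRs (and its propagation setting) only once it is
    associated with the subnet; without one, gateway routes propagate as usual.
    """
    routes = list(SPOKE_SYSTEM_ROUTES)
    if table_associated:
        routes += udrs
        if gateway_propagation:
            routes += BGP_ROUTES
    else:
        routes += BGP_ROUTES
    return routes


def select_route(routes: List[Route], destination: str) -> Route:
    """Longest prefix match; on equal length, User > VirtualNetworkGateway > Default."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r.prefix)]
    return max(candidates, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                                          SOURCE_RANK[r.source]))


def next_hop(udrs: List[Route], destination: str, *, table_associated: bool = True,
             gateway_propagation: bool = True, nva_ip_forwarding: bool = True) -> str:
    """Where a packet from the spoke to `destination` actually goes.

    Returns the chosen next-hop type, or "Dropped" when the next hop is an appliance whose
    NIC lacks IP forwarding: the fabric drops packets not addressed to the NIC's own IP
    before the appliance sees them.
    """
    route = select_route(effective_routes(udrs, table_associated=table_associated,
                                          gateway_propagation=gateway_propagation),
                         destination)
    if route.next_hop_type == "VirtualAppliance" and not nva_ip_forwarding:
        return "Dropped"
    return route.next_hop_type


if __name__ == "__main__":
    print(next_hop([DEFAULT_TO_FIREWALL], "8.8.8.8", table_associated=False))          # Internet
    print(next_hop([DEFAULT_TO_FIREWALL], "8.8.8.8"))                                  # VirtualAppliance
    print(next_hop([DEFAULT_TO_FIREWALL], "192.168.10.5"))                             # VirtualNetworkGateway
    print(next_hop([DEFAULT_TO_FIREWALL, ONPREM_TO_FIREWALL], "192.168.10.5"))         # VirtualAppliance
    print(next_hop([DEFAULT_TO_FIREWALL], "192.168.10.5", gateway_propagation=False))  # VirtualAppliance
    print(next_hop([DEFAULT_TO_FIREWALL], "8.8.8.8", nva_ip_forwarding=False))         # Dropped
```

The calls in the `__main__` block correspond, in order, to the unassociated route table, the working default route, the BGP bypass, the specific-prefix fix, the propagation-disabled fix, and the missing IP forwarding case. Note that a 0.0.0.0/0 UDR never captures traffic to the peered hub or to the spoke's own address space, because the system routes for those prefixes are longer matches.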
A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server is in the same region and has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. However, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required to allow the SQL server to access the Key Vault for TDE operations?
Configure a private endpoint for the SQL server to the Key Vault.
Enable the 'Allow trusted Microsoft services to bypass the firewall' setting on the Key Vault.
This setting lets services on Key Vault's trusted-services list, which includes Azure SQL Database, through the firewall when they authenticate with a managed identity. The SQL server's identity already holds the cryptographic role, so the bypass is the missing piece: until it is enabled, the TDE calls fail with a 403 whose message states that the client address is not authorized and the caller is not a trusted service.
Change the Key Vault firewall to allow all Azure services.
Create a VNet service endpoint for Microsoft.KeyVault on the SQL server's subnet.
A company stores sensitive files in Azure Files shares. They require that data is encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault, and that all client connections use SMB 3.0 encryption for end-to-end encryption in transit. They create a premium Azure Files share in a storage account and configure encryption at rest with a CMK. However, clients are still able to connect without SMB encryption. What additional configuration is necessary to enforce SMB encryption for all connections?
No additional configuration is needed; Azure Files uses SMB encryption by default and cannot be disabled.
Enable 'Secure transfer required' in the storage account's configuration to enforce SMB 3.0 encryption.
When 'Secure transfer required' is enabled, the storage account rejects unencrypted connections: REST traffic must use HTTPS, and SMB connections must use SMB 3.x with encryption negotiated. Clients using SMB 2.1 or an unencrypted SMB 3 session are refused, so the requirement is enforced at the account rather than relying on each client to request encryption.
Configure a network security group (NSG) rule to block SMB traffic on port 445 that does not use encryption.
Set the Azure Files share to use the 'Premium' performance tier; encryption is only available on premium shares.
A company stores sensitive files in Azure Files shares. They require encryption at rest using customer-managed keys (CMK) and encryption in transit using SMB 3.0 encryption. They have created a premium Azure Files share in a storage account and configured encryption at rest with a CMK. However, clients are able to connect without enforcing SMB encryption. What additional configuration is necessary to ensure that all connections to the file share are encrypted in transit?
Enable the 'Secure transfer required' property on the storage account.
Correct. Enabling 'Secure transfer required' forces clients to use SMB 3.0 with encryption (or HTTPS) when connecting to the Azure Files share, ensuring encryption in transit.
Configure a network security group (NSG) to allow only encrypted traffic.
Set the minimum SMB protocol version to 3.0 on the file share.
Create a service endpoint for the storage account.
A company uses Azure SQL Database with Transparent Data Encryption (TDE) and wants to use a customer-managed key (CMK) stored in Azure Key Vault. The security policy requires that the Key Vault be protected by a firewall and virtual network service endpoints to restrict network access. The storage account for TDE logs is in the same Azure region. Which additional configuration is necessary in the Key Vault to allow Azure SQL Database to access the CMK for encryption operations?
Add a network rule in the Key Vault firewall allowing the public IP range of the Azure SQL Database server.
Enable the 'Allow trusted Microsoft services to bypass this firewall' option in the Key Vault networking settings.
This setting lets services on Key Vault's trusted-services list, including Azure SQL Database, through the firewall. It is a network exception only: the service must still authenticate with its managed identity and be authorised on the key (the 'Key Vault Crypto Service Encryption User' role, or an access policy with get, wrapKey and unwrapKey permissions).
Create a private endpoint for the Key Vault and connect it to the same virtual network as the Azure SQL Database.
Configure the Key Vault to use role-based access control (RBAC) and assign the 'Key Vault Crypto Service Encryption User' role to the SQL Database server's managed identity.
A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key stored in Azure Key Vault. The Key Vault has a firewall enabled that blocks all public network access. The SQL server has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. Despite this, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required?
Enable the Azure SQL Database server's firewall to allow Azure services to access the server.
Configure the Key Vault firewall to allow trusted Microsoft services to bypass the firewall.
This setting lets trusted Azure services, including Azure SQL Database, through the Key Vault firewall when they authenticate with a managed identity. Authorization on the key is unchanged, which is why the role assignment described in the question is still required.
Assign a user-assigned managed identity to the SQL server instead of a system-assigned identity.
Change the Key Vault firewall to allow all networks.
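The three Key Vault questions above depend on the order in which Key Vault checks a call: the network firewall first, then authorization on the key. This added example (not Azure's code and not part of the original page) models both gates so the difference between 'trusted services bypass' and 'allow all networks' is explicit. The principal ID, role mapping and IP addresses are constructed, and only the one built-in role used for TDE is modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class VaultNetworking:
    default_action: str = "Deny"               # "Deny" = firewall enabled; "Allow" = all networks
    bypass_trusted_services: bool = False      # 'Allow trusted Microsoft services to bypass this firewall'
    ip_rules: FrozenSet[str] = frozenset()     # allowed public ranges, e.g. "203.0.113.0/24"
    vnet_rules: FrozenSet[str] = frozenset()   # subnet IDs with a Microsoft.KeyVault service endpoint


@dataclass(frozen=True)
class Request:
    identity: Optional[str]                    # principal ID of the caller; None = unauthenticated
    operations: FrozenSet[str]                 # key operations the caller needs
    source_ip: Optional[str] = None            # public IP the call arrives from, if any
    subnet: Optional[str] = None               # service-endpoint subnet the call arrives from, if any
    trusted_service: bool = False              # caller is a service on Key Vault's trusted-services list


# Data actions of the built-in role used for TDE (the only role modelled here).
ROLE_DATA_ACTIONS = {
    "Key Vault Crypto Service Encryption User": frozenset({"get", "wrapKey", "unwrapKey"}),
}
TDE_OPERATIONS = frozenset({"get", "wrapKey", "unwrapKey"})


def network_allows(vault: VaultNetworking, req: Request) -> bool:
    """First gate: the vault firewall, evaluated before any authorization."""
    if vault.default_action == "Allow":
        return True
    if req.source_ip and any(ipaddress.ip_address(req.source_ip) in ipaddress.ip_network(rule)
                             for rule in vault.ip_rules):
        return True
    if req.subnet and req.subnet in vault.vnet_rules:
        return True
    # The bypass only helps callers that are on the trusted-services list.
    return vault.bypass_trusted_services and req.trusted_service


def authorized(assignments: Dict[str, FrozenSet[str]], req: Request) -> bool:
    """Second gate: RBAC on the key. `assignments` maps principal ID to role names."""
    if req.identity is None:
        return False
    granted = set()
    for role in assignments.get(req.identity, frozenset()):
        granted |= ROLE_DATA_ACTIONS.get(role, frozenset())
    return req.operations <= granted


def evaluate(vault: VaultNetworking, assignments: Dict[str, FrozenSet[str]], req: Request) -> str:
    if not network_allows(vault, req):
        return "denied: network"         # the 403 'client address is not authorized' case
    if not authorized(assignments, req):
        return "denied: authorization"
    return "allowed"


# Constructed scenario: the SQL server's system-assigned identity (made-up principal ID).
SQL_IDENTITY = "11111111-2222-3333-4444-555555555555"
TDE_ROLE = {SQL_IDENTITY: frozenset({"Key Vault Crypto Service Encryption User"})}
SQL_TDE_CALL = Request(SQL_IDENTITY, TDE_OPERATIONS, trusted_service=True)
OUTSIDER_CALL = Request("some-other-principal", TDE_OPERATIONS, source_ip="198.51.100.7")

if __name__ == "__main__":
    locked = VaultNetworking(default_action="Deny")
    with_bypass = VaultNetworking(default_action="Deny", bypass_trusted_services=True)
    open_vault = VaultNetworking(default_action="Allow")
    print(evaluate(locked, TDE_ROLE, SQL_TDE_CALL))       # denied: network (the failure in the question)
    print(evaluate(with_bypass, TDE_ROLE, SQL_TDE_CALL))  # allowed
    print(evaluate(with_bypass, {}, SQL_TDE_CALL))        # denied: authorization (bypass alone is not enough)
    print(evaluate(with_bypass, TDE_ROLE, OUTSIDER_CALL)) # denied: network (bypass does not open the vault)
    print(evaluate(open_vault, TDE_ROLE, OUTSIDER_CALL))  # denied: authorization (only RBAC is left)
```

The last two calls show why the distractor 'allow all networks' is wrong: it removes the first gate for every caller on the internet and leaves RBAC as the only control, whereas the trusted-services bypass admits only the listed services and still requires the role on the key.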
A company uses Azure SQL Database. They want to ensure that all data at rest is encrypted using a customer-managed key (CMK) stored in Azure Key Vault. They also require that the key is automatically rotated every 12 months. Which two actions must be configured to meet this requirement? (Select two.)
Enable Transparent Data Encryption (TDE) with a customer-managed key.
This must be configured to use a customer-managed key stored in Azure Key Vault for encrypting the database at rest.
Configure Key Vault to automatically rotate the key on a schedule.
Key Vault key rotation policies create a new key version automatically on a schedule, for example every 12 months, and can notify before expiry. For Azure SQL to use the new version, enable automatic key rotation for the TDE protector on the server; otherwise the server stays pinned to the key version it was configured with and keeps using it after Key Vault has rotated the key.
Configure Azure SQL Database auditing to log key usage.
Enable Azure Information Protection for the database.
The AZ-500 exam has up to 60 questions and must be completed in 120 minutes. The passing score is 700/1000.
The AZ-500 exam uses multiple-choice, multiple-select, drag-and-drop, and exhibit-based questions. Exhibit questions show CLI output, network diagrams, or routing tables and ask you to interpret them — exactly the format Courseiva uses.
The exam covers 3 domains: Manage identity and access, Secure networking, Secure compute, storage, and databases. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Microsoft AZ-500 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.