How to use AZ-500 flashcards effectively
Flashcards work through active recall — the process of retrieving information from memory rather than passively re-reading it. Research consistently shows that active recall produces stronger, longer-lasting memory than re-reading study guides. For AZ-500 preparation, this means flashcards are one of the highest-return study tools available.
Attempt recall first
Read the AZ-500 question on each card, pause, and attempt to formulate the answer in your own words before revealing. This retrieval attempt — even if wrong — dramatically strengthens memory compared to immediately reading the answer.
Review wrong cards again
When you get a card wrong, note it and add it back to your review pile. Spaced repetition — seeing difficult cards more frequently — is the mechanism that makes flashcard study far more efficient than linear reading.
Study by domain
Group your AZ-500 flashcard sessions by domain for the first 3–4 weeks. Master one domain before moving to the next. In the final week, shuffle all cards together to test cross-domain recall — which is what the real AZ-500 exam requires.
Short sessions beat marathon reviews
Reviewing 20–30 cards per session, done daily, produces better retention than a single 200-card marathon session. Five short daily sessions per week over 4 weeks gives you over 400 total card reviews — enough to reliably pass AZ-500.
AZ-500 flashcard preview
Sample cards from the AZ-500 flashcard bank. Read the question, think of the answer, then read the explanation below.
A company uses Azure AD Identity Protection. They want to automatically block sign-ins that have a high user risk level, but only for users in the 'Finance' department. They also want to require MFA for medium user risk level for all users (including Finance) when sign-in risk is not blocked. They have already created a Conditional Access policy for the Finance department that has a condition of 'User risk level: High' and a grant control of 'Block access'. What additional configuration is needed to also require MFA for all users with medium user risk?
Create a second Conditional Access policy targeting all users with condition 'User risk level: Medium' and grant control 'Require multi-factor authentication'
Conditional Access policies evaluate separately. The existing policy only covers high user risk for Finance. To require MFA for medium user risk for all users, a second Conditional Access policy must be created targeting all users with condition 'User risk level: Medium' and grant control 'Require MFA'. Modifying the existing policy to include both high and medium risk would not work because a single policy cannot block high risk for Finance and require MFA for medium risk for everyone; the block would apply to Finance for high risk but the MFA requirement for medium risk would also apply to Finance (which is acceptable, but the policy would not cover non-Finance users). The correct approach is separate policies.
A company has a hub-spoke network topology. The hub virtual network contains an Azure Firewall and an ExpressRoute gateway for on-premises connectivity. The spoke virtual network hosts a critical application. They need to ensure that all outbound traffic from the spoke to the internet and to on-premises networks is routed through the Azure Firewall. They configure a user-defined route (UDR) on the spoke subnet with address prefix 0.0.0.0/0 and next hop as the Azure Firewall's private IP. They also disable 'Virtual network gateway route propagation' on the spoke subnet. However, traffic to on-premises still bypasses the firewall and goes through the ExpressRoute gateway. What is the most likely cause?
The spoke subnet does not have a route for the on-premises prefix pointing to the firewall.
Disabling 'Virtual network gateway route propagation' prevents routes from the ExpressRoute gateway from being automatically added to the subnet's route table. However, the UDR with 0.0.0.0/0 only covers internet-bound traffic. Traffic destined to on-premises networks uses the specific prefix learned from ExpressRoute (e.g., 10.0.0.0/8). Even with propagation disabled, the route table does not have a route for that specific on-premises prefix. The 0.0.0.0/0 route is less specific, so traffic matching the on-premises prefix will not use it. To force on-premises traffic through the firewall, you must add an explicit UDR for the on-premises address prefix with next hop as the Azure Firewall. The Azure Firewall's location and route table association are not the issue here.
A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server is in the same region and has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. However, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required to allow the SQL server to access the Key Vault for TDE operations?
Enable the 'Allow trusted Microsoft services to bypass the firewall' setting on the Key Vault.
Azure SQL Database is a trusted Microsoft service that can bypass the Key Vault firewall when the 'Allow trusted Microsoft services to bypass the firewall' setting is enabled. This allows the SQL server's managed identity to authenticate to Key Vault even when public network access is denied. The managed identity role assignment provides the necessary permissions, but the network access must be allowed via this exception. Configuring a private endpoint is not required because the SQL server can use the trusted service exception to reach the Key Vault over the Microsoft backbone network.
A DevOps team wants Defender for Cloud to identify secrets exposed in GitHub repositories. What should be configured?
Defender for Cloud DevOps Security connector
Defender for Cloud DevOps Security connects repositories and pipelines to identify code, dependency, and secret risks.
A Sentinel scheduled rule runs every 5 minutes and looks back 1 hour. Analysts see repeated alerts for the same event. Which change best prevents duplicate detections without missing late-arriving logs?
Use an ingestion-time or event-time exclusion window in the query
When the lookback overlaps, the query should exclude records already processed in previous runs while still allowing enough lookback for delayed ingestion.
A SOC analyst needs a Sentinel query that detects multiple failed sign-ins followed by a successful sign-in for the same user. Which table is the best primary source?
SigninLogs
SigninLogs contains Microsoft Entra authentication outcomes, user identifiers, IP addresses, and result codes needed for this detection.
A Sentinel watchlist contains high-value administrator accounts. Which KQL pattern best uses it in a detection rule?
Load the watchlist with _GetWatchlist() and join or filter SigninLogs by the account identifier
The detection query should actively reference the watchlist, usually through _GetWatchlist(), then join or filter the relevant log table.
A SOC wants a Sentinel rule to include account, host, and IP entities so analysts can pivot during investigation. What should be configured in the analytics rule?
Entity mapping
Entity mapping maps query columns to Sentinel entities such as Account, Host, and IP, enabling investigation graph and entity pivots.
A storage account contains legal evidence that must not be modified or deleted for seven years. Which feature should be configured?
Immutable blob storage with a time-based retention policy
Immutable blob storage enforces write-once-read-many retention and prevents modification or deletion during the retention period.
A team wants Sentinel incidents to automatically assign to the Tier 2 queue when severity is High and the product name is Microsoft Defender for Endpoint. What should they configure?
An automation rule that updates owner/status based on conditions
Automation rules can update incident properties or trigger playbooks when incident conditions match.
A storage account should be reachable only from a specific subnet over the Microsoft backbone, while keeping the public endpoint firewall restricted. Which feature should be used?
Service endpoint for Microsoft.Storage with storage firewall rules
Service endpoints extend the virtual network identity to the service and can be combined with storage firewall rules.
A team wants Sentinel to ingest firewall logs from an appliance that emits Common Event Format over Syslog. Which connector pattern is most appropriate?
CEF connector using a Linux log forwarder or AMA-supported collection path
CEF-formatted appliance logs are typically ingested through a CEF connector and a Linux forwarder/agent path into the Sentinel workspace.
A team wants to automatically deploy Defender for Cloud settings across new subscriptions under a management group. Which Azure capability should they use?
Azure Policy initiative assignment
Azure Policy initiatives can deploy and audit security configurations at scale across management groups and subscriptions.
An organization wants to export Defender for Cloud recommendations and alerts into a central Log Analytics workspace for retention and hunting. Which feature should they use?
Continuous export
Continuous export streams Defender for Cloud alerts and recommendations to destinations such as Log Analytics, Event Hubs, or storage.
A company enables Azure Disk Encryption (ADE) on Windows virtual machines using a key encryption key (KEK) stored in Azure Key Vault. They want the KEK to be automatically rotated every 30 days to meet compliance requirements. Which Azure Key Vault feature should they enable?
Key rotation policy
Key rotation policy in Azure Key Vault allows automatic rotation of keys based on a schedule. Setting a key expiration date only deactivates the key after a certain date but does not rotate it. Soft-delete and purge protection are designed for recovery scenarios, not rotation. Therefore, to achieve automatic monthly rotation, the key rotation policy must be configured.
A company uses Azure Key Vault to store secrets for their applications. They want to ensure that an application hosted on an Azure virtual machine can access secrets from only a specific Key Vault, and that all traffic between the VM and Key Vault remains within the Azure network and does not traverse the public internet. Which configuration should they implement?
Create a private endpoint for Key Vault in the same VNet as the VM and disable public network access on the Key Vault.
To ensure traffic between a VM and Key Vault stays within the Azure network, you can use a private endpoint for Key Vault. This places the Key Vault on a virtual network, enabling communication over the Microsoft backbone network without going over the public internet. Access restrictions via service endpoints or firewall rules can limit access to specific VNets but still use public IPs for routing unless combined with a private endpoint. Managed identity provides authentication but does not restrict network paths.
A company has an Azure Storage account with infrastructure encryption enabled. They configure the storage account to use customer-managed keys (CMK) stored in Azure Key Vault for encryption at rest. Despite this configuration, newly uploaded blobs are still encrypted with Microsoft-managed keys. What is the most likely cause?
The storage account's encryption type is set to Microsoft-managed keys
When a storage account is configured to use customer-managed keys, the encryption type at the storage account level must be explicitly set to 'Customer-managed keys'. If it remains set to 'Microsoft-managed keys', even if infrastructure encryption is enabled, the storage account will use Microsoft-managed keys for all new data. The CMK configuration in the storage account blade includes a toggle to select the key type. If the key is disabled or expired, writes would fail, not fall back to Microsoft-managed keys. Container-level policies cannot override storage account encryption settings.
A company deploys a public-facing web application behind Azure Application Gateway. They want to enable the Web Application Firewall (WAF) to protect against SQL injection and cross-site scripting attacks. During the initial testing phase, they want to identify malicious requests without blocking them, to tune the WAF rules before enabling full protection. Which WAF mode should they configure?
Detection mode
Application Gateway WAF has two modes: Detection mode and Prevention mode. In Detection mode, the WAF monitors and logs all requests that match the WAF rules but does not block them. This is ideal for testing and tuning rule sets before switching to Prevention mode, which blocks malicious requests. Logging mode is not a valid WAF mode; logging is always enabled when WAF is active. Off mode disables WAF entirely.
A company has Azure AD Conditional Access policies that require multi-factor authentication (MFA) for all users accessing sensitive cloud apps. The security team wants to extend this protection by monitoring and controlling user activities within those applications (e.g., preventing data exfiltration during a session). Which Conditional Access session control should they implement?
Session control: Conditional Access Application Control
Conditional Access Application Control (also known as Microsoft Cloud App Security Conditional Access Application Control) enables real-time session monitoring and control. It can enforce policies such as blocking downloads, requiring additional authentication, or monitoring user actions within the app. Session control 'Use app enforced restrictions' delegates control to the application itself. 'Sign-in frequency' is for authentication refresh, not in-session control. 'Persistent browser session' allows keeping the user signed in, which is the opposite of security control.
A company stores sensitive data in Azure Blob Storage. They want to encrypt the data at rest using customer-managed keys (CMK) stored in Azure Key Vault. Additionally, they want the key to be automatically rotated every 90 days without manual intervention. Which configuration should they implement?
Enable Azure Storage encryption with a CMK and enable automatic key rotation in Azure Key Vault by creating a rotation policy.
To automatically rotate a customer-managed key, you must enable a key rotation policy in Azure Key Vault. The storage account then remains configured to use the same key identifier, but the Key Vault will automatically use the latest version. The storage account itself does not have a key rotation policy.
A company uses Azure SQL Database to store customer data, including credit card numbers. The security policy requires that database administrators (DBAs) must not be able to view the credit card numbers in plaintext. The column containing the credit card numbers must be encrypted at rest and in transit, and only a specific application (using a dedicated client library) should be able to decrypt the data. Which technology should they implement?
Always Encrypted with a client-side encryption key stored in Azure Key Vault.
Always Encrypted is a technology that encrypts sensitive data at the client side, ensuring that the data is never revealed in plaintext to Azure SQL Database or its administrators. The encryption keys are stored in Azure Key Vault and are only accessible to the authorized client application. Options like Transparent Data Encryption (TDE) encrypt data at rest but DBAs with access can still read the data. Dynamic Data Masking only obfuscates the data in query results but the underlying data is still stored in plaintext. Row-Level Security restricts row access but does not encrypt data.
AZ-500 flashcards by domain
The AZ-500 flashcard bank covers all 4 official blueprint domains published by Microsoft. Cards are distributed proportionally, so domains with higher exam weight have more cards.
Domain Coverage
Manage identity and access
Secure networking
Secure compute, storage, and databases
Manage security operations
Flashcards vs practice tests: which is better for AZ-500?
Both flashcards and practice questions are evidence-based study tools. The difference is in what they train:
Flashcards — concept retention
Best for memorising definitions, acronyms, protocol behaviours, command syntax, and conceptual distinctions. Use flashcards to build the foundational vocabulary that AZ-500 questions assume you know.
Best in: weeks 1–3
Practice tests — application
Best for applying concepts to realistic scenarios, eliminating distractors, and building exam stamina. AZ-500 questions test scenario reasoning — not just recall — so practice tests are essential.
Best in: weeks 3–6
The most effective AZ-500 study plan combines both: use flashcards for the first 2–3 weeks to build conceptual foundations, then shift to practice tests and mock exams in the final 2–3 weeks to apply and benchmark that knowledge. Most candidates who pass on their first attempt use both tools.
AZ-500 flashcards — frequently asked questions
Are the AZ-500 flashcards free?
Yes — all AZ-500 flashcards on Courseiva are completely free, no account required. Every card includes the question, correct answer, and a full explanation. Create a free account to track which cards you have studied and get spaced repetition recommendations.
How many AZ-500 flashcards are on Courseiva?
Courseiva has 300+ original AZ-500 flashcards across all 4 exam blueprint domains. New cards are added regularly as the question bank grows. All cards are written by certified engineers against the official Microsoft exam objectives.
How are Courseiva flashcards different from Anki or Quizlet?
Courseiva flashcards are purpose-built for IT certification exams. Unlike generic flashcard platforms where content quality varies, every Courseiva card is mapped to the official AZ-500 exam blueprint, written by engineers who hold the certification, and includes a full explanation of the correct answer and why the distractors are wrong. This explanation quality is what separates genuine learning from rote memorisation.
Can I use AZ-500 flashcards offline?
Courseiva is a web platform — an internet connection is required. For offline study, we recommend creating a free Courseiva account, using the platform in your browser, and using your device's offline capabilities if your browser supports offline web apps.
Track your AZ-500 flashcard progress
Save your results, see which domains need more work, and get spaced repetition recommendations — all free.