Reinforce AZ-500 concepts with active-recall study cards covering all 5 blueprint domains. Each card shows the question on the front and the correct answer with a full explanation on the back.
Flashcards work through active recall — the process of retrieving information from memory rather than passively re-reading it. Research consistently shows that active recall produces stronger, longer-lasting memory than re-reading study guides. For AZ-500 preparation, this means flashcards are one of the highest-return study tools available.
Attempt recall first
Read the AZ-500 question on each card, pause, and attempt to formulate the answer in your own words before revealing. This retrieval attempt — even if wrong — dramatically strengthens memory compared to immediately reading the answer.
Review wrong cards again
When you get a card wrong, note it and add it back to your review pile. Spaced repetition — seeing difficult cards more frequently — is the mechanism that makes flashcard study far more efficient than linear reading.
Study by domain
Group your AZ-500 flashcard sessions by domain for the first 3–4 weeks. Master one domain before moving to the next. In the final week, shuffle all cards together to test cross-domain recall — which is what the real AZ-500 exam requires.
Short sessions beat marathon reviews
20–30 flashcard cards per session, done daily, produces better retention than a single 200-card marathon session. Five short daily sessions per week over 4 weeks gives you over 400 total card reviews — enough to reliably pass AZ-500.
Sample cards from the AZ-500 flashcard bank. Read the question, think of the answer, then read the explanation below.
Your organization uses Microsoft Entra ID for identity management. You need to ensure that users can sign in using a one-time passcode sent to their mobile device, without requiring any additional app or software installation. Which authentication method should you enable?
One-time passcode (OTP)
Option A is correct because the one-time passcode (OTP) authentication method in Microsoft Entra ID allows users to sign in with a temporary code sent via SMS to their mobile device, requiring no additional app or software installation. This method is specifically designed for scenarios where users cannot or should not install the Microsoft Authenticator app, such as for guest users or in bring-your-own-device (BYOD) environments. The OTP is generated by Entra ID and delivered over the mobile network, satisfying the requirement of no extra software.
A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server is in the same region and has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. However, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required to allow the SQL server to access the Key Vault for TDE operations?
Enable the 'Allow trusted Microsoft services to bypass the firewall' setting on the Key Vault.
Option B is correct because when Azure Key Vault has a firewall that denies all public network access, the 'Allow trusted Microsoft services to bypass this firewall' setting is required for Azure SQL Database (a trusted Microsoft service) to authenticate using its system-assigned managed identity and access the customer-managed key for TDE. This setting allows the SQL server to reach the Key Vault over the Microsoft backbone network without requiring a private endpoint or VNet integration, as the service is explicitly trusted by Azure.
A company uses Microsoft Defender for Cloud to manage the security posture of multiple Azure subscriptions. The security team wants to ensure that all subscriptions are covered by the same Microsoft Defender for Cloud policy initiative, but one subscription is not showing compliance data. The subscription is in the same Azure AD tenant and has the same tags. What is the most likely cause?
The subscription is not registered with the Microsoft.Security resource provider.
Microsoft Defender for Cloud relies on the Microsoft.Security resource provider to collect security configurations, apply policy initiatives, and report compliance data. If a subscription is not registered with the Microsoft.Security resource provider, Defender for Cloud cannot evaluate policies or generate compliance results, even if the subscription is in the same tenant and has identical tags. Registering the resource provider is a prerequisite for any Defender for Cloud functionality, including policy assignment and compliance reporting.
A company uses Azure AD Identity Protection. They want to automatically block sign-ins that have a high user risk level, but only for users in the 'Finance' department. They also want to require MFA for medium user risk level for all users (including Finance) when sign-in risk is not blocked. They have already created a Conditional Access policy for the Finance department that has a condition of 'User risk level: High' and a grant control of 'Block access'. What additional configuration is needed to also require MFA for all users with medium user risk?
Create a second Conditional Access policy targeting all users with condition 'User risk level: Medium' and grant control 'Require multi-factor authentication'
Option A is correct because Azure AD Conditional Access policies are evaluated independently, and a separate policy is needed to require MFA for medium user risk across all users. The existing policy blocks high-risk sign-ins for Finance only, but does not address medium risk for any user. Creating a second policy targeting all users with 'User risk level: Medium' and grant control 'Require multi-factor authentication' satisfies the requirement without conflicting with the existing block policy, as Conditional Access policies are combined (unless explicitly excluded).
A company has a hub-spoke network topology. The hub virtual network contains an Azure Firewall and an ExpressRoute gateway for on-premises connectivity. The spoke virtual network hosts a critical application. They need to ensure that all outbound traffic from the spoke to the internet and to on-premises networks is routed through the Azure Firewall. They configure a user-defined route (UDR) on the spoke subnet with address prefix 0.0.0.0/0 and next hop as the Azure Firewall's private IP. They also disable 'Virtual network gateway route propagation' on the spoke subnet. However, traffic to on-premises still bypasses the firewall and goes through the ExpressRoute gateway. What is the most likely cause?
The spoke subnet does not have a route for the on-premises prefix pointing to the firewall.
The user-defined route (UDR) with 0.0.0.0/0 only covers traffic destined for the internet. Traffic to on-premises networks has a more specific destination prefix (e.g., 10.0.0.0/8). Without an explicit route for that on-premises prefix pointing to the Azure Firewall, the system uses the more specific route learned via ExpressRoute BGP, which directs traffic to the ExpressRoute gateway instead of the firewall. Disabling 'Virtual network gateway route propagation' prevents BGP routes from being added to the route table, but it does not remove existing learned routes; however, the core issue is the lack of a specific UDR for the on-premises prefix.
Your organization uses Microsoft Sentinel to manage security incidents. You need to configure automated response to block a user account when a high-severity incident is triggered. The response should be automatically executed when the incident is created. What should you create?
An automation rule that triggers a playbook
Option C is correct because automation rules in Microsoft Sentinel allow you to define automated responses that trigger when an incident is created, including running a playbook to block a user account. This directly meets the requirement for an automatic response upon incident creation without manual intervention.
You are configuring Microsoft Sentinel data connectors. Which data connector should you use to ingest logs from Microsoft Entra ID (Azure AD) audit logs and sign-in logs?
Microsoft Entra ID connector
The Microsoft Entra ID connector (formerly Azure AD connector) is specifically designed to ingest both audit logs and sign-in logs from Microsoft Entra ID into Microsoft Sentinel. This connector uses the Microsoft Graph API to pull the data, enabling security monitoring of identity-related activities such as user sign-ins, directory changes, and risky sign-in events. The other connectors either focus on different data sources or do not capture the full set of Entra ID logs.
A security analyst uses Microsoft Defender for Cloud. They want to view a list of all security recommendations for their Azure subscription, prioritized by their potential impact. Which Defender for Cloud dashboard should they use?
Secure Score
The Secure Score dashboard in Microsoft Defender for Cloud provides a prioritized list of security recommendations based on their potential impact on your overall security posture. Each recommendation is assigned a score contribution, allowing you to focus on the actions that will most improve your secure score. This directly matches the requirement to view recommendations prioritized by impact.
Your company uses Microsoft Defender for Cloud with the default auto-provisioning configuration. A security engineer reports that critical vulnerabilities in Azure Virtual Machines are being detected but not automatically remediated. The engineer wants to enable automatic remediation for all supported findings. What should the engineer configure?
Enable the 'Auto-provision vulnerability assessment' setting and configure an automation rule with a 'Remediate' action.
Option D is correct because the default auto-provisioning configuration in Microsoft Defender for Cloud does not automatically remediate vulnerabilities; it only detects them. To enable automatic remediation, you must enable the 'Auto-provision vulnerability assessment' setting, which deploys the integrated Qualys or Microsoft vulnerability assessment solution to VMs, and then configure an automation rule with a 'Remediate' action, which triggers a Logic App to apply the necessary patches or configuration changes based on the vulnerability findings.
Your organization uses Azure Kubernetes Service (AKS) for containerized workloads. You need to ensure that only approved container images from a private Azure Container Registry (ACR) can run in the cluster. The solution must also enforce that pods run with least privilege. What should you configure?
Apply Azure Policy with built-in initiatives 'Kubernetes cluster containers should only use allowed images' and 'Kubernetes cluster pods should use specified service account'
Option D is correct because Azure Policy for AKS includes built-in initiatives such as 'Kubernetes cluster containers should only use allowed images' to restrict container images to those from approved registries like ACR, and 'Kubernetes cluster pods should use specified service account' to enforce least privilege by requiring pods to use a specific service account with minimal permissions. Option A is incorrect because a NetworkPolicy controls network traffic but cannot enforce image source or privileges; Secrets are for storing sensitive data, not for policy enforcement. Option B is incorrect because ACR tasks scan images during build, but do not enforce runtime restrictions on which images are allowed to run in the cluster; pod security policies are deprecated. Option C is incorrect because Azure AD pod-managed identities authenticate pods to Azure resources but do not enforce image source restrictions or least privilege beyond authentication.
A company uses Azure AD B2B collaboration to invite external vendors. They want to restrict the vendors to only be able to access a specific application, and prevent them from discovering other users or applications in the directory. Which configuration should they apply to the external users?
Set the 'Guest user access' level to 'Guest user access is limited to properties and memberships of directory objects'
Option C is correct because setting the 'Guest user access' level to 'Guest user access is limited to properties and memberships of directory objects' restricts external B2B users from enumerating the full directory, including other users and applications. This configuration ensures vendors can only access the specific application they are invited to, while preventing discovery of other directory objects, which aligns with the principle of least privilege for external identities.
You need to securely connect two Azure virtual networks in the same region to allow VM-to-VM communication using private IP addresses. The solution must minimize latency and administrative overhead. What should you use?
VNet peering
VNet peering is the correct choice because it connects two Azure virtual networks in the same region using the Microsoft backbone infrastructure, enabling VM-to-VM communication over private IP addresses with near-zero latency and no intermediate hops. It requires no additional gateways or bandwidth charges within the same region, minimizing administrative overhead as it is a simple, one-time configuration.
You have a hub-spoke network with Azure Firewall in the hub. Spoke VNet1 contains a VM that needs to communicate with a VM in Spoke VNet2. Both spoke VNets are peered to the hub. You configure Azure Firewall DNAT rules to forward traffic to specific VMs, but the communication fails. You verify that the firewall rules allow the traffic and that the VMs can reach each other's private IPs if the firewall is bypassed. What is the most likely issue?
The firewall's Outbound SNAT is disabled for the spoke VNet ranges.
When Azure Firewall DNAT rules forward traffic to spoke VMs, the firewall performs Destination Network Address Translation (DNAT) to change the destination IP to the VM's private IP. However, by default, Azure Firewall also performs Source Network Address Translation (SNAT) on outbound traffic from the firewall to the destination. If Outbound SNAT is disabled for the spoke VNet ranges (e.g., via a DNAT rule's 'Translate to IP' or by disabling SNAT for private IP ranges), the firewall sends traffic with the original source IP of the source VM. Since the spoke VNets are peered to the hub but not directly peered to each other, the destination VM's network interface expects traffic from the firewall's private IP (after SNAT) to route back through the hub. Without SNAT, return traffic from the destination VM goes directly to the source VM's private IP via the peering, bypassing the firewall and breaking stateful inspection, causing asymmetric routing and communication failure.
You need to allow a specific IP address (203.0.113.5) to access an Azure Storage account over the internet. All other internet traffic must be denied. You have enabled the storage account firewall. What should you configure?
Add the IP address to the firewall rules of the storage account.
Option B is correct because the Azure Storage account firewall allows you to configure IP-based access control rules. By adding the specific IP address 203.0.113.5 to the firewall rules, you explicitly permit traffic from that IP while denying all other internet traffic, as the default rule is to deny when the firewall is enabled.
Refer to the exhibit. You are reviewing an NSG rule configuration for a subnet. The source subnet is 10.0.0.0/24 and the destination subnet is 10.0.1.0/24. What is the effect of this rule?
Allows inbound SSH traffic from 10.0.0.0/24 to 10.0.1.0/24.
The rule shown in the exhibit is an inbound security rule with source 10.0.0.0/24, destination 10.0.1.0/24, protocol TCP, destination port 22 (SSH), and action Allow. This explicitly permits inbound SSH traffic from the source subnet to the destination subnet. Therefore, option D is correct.
A company uses Microsoft Defender for Cloud to manage its security posture. The compliance team wants to monitor the subscription's compliance with the Payment Card Industry Data Security Standard (PCI DSS). They need to view a detailed compliance report and track progress over time. What should they do in Defender for Cloud?
Add the PCI DSS standard from the regulatory compliance dashboard.
Option B is correct because the regulatory compliance dashboard in Microsoft Defender for Cloud allows you to add built-in compliance standards like PCI DSS. Once added, the dashboard automatically assesses your subscription against the standard's controls, provides a detailed compliance report, and tracks progress over time with a compliance score and historical trend. This is the direct method to monitor PCI DSS compliance without needing to enable specific Defender plans or create custom initiatives.
A Microsoft Sentinel rule should run with minimal delay against supported data sources and produce alerts close to event time. Which rule type should be considered?
Near-real-time analytics rule
Near-real-time (NRT) analytics rules in Microsoft Sentinel are designed to run at 1-minute intervals, providing the minimal delay for alert generation against supported data sources. This rule type queries data with low latency, ensuring alerts are produced close to the event time, which is critical for timely threat detection.
A company has a hub-spoke network topology. The hub virtual network contains an Azure Firewall and an ExpressRoute gateway for on-premises connectivity. The spoke virtual network hosts a critical application. They need to ensure that all outbound traffic from the spoke to the internet and to on-premises networks is routed through the Azure Firewall. They configure a user-defined route (UDR) on the spoke subnet with address prefix 0.0.0.0/0 and next hop as the Azure Firewall's private IP. They also disable 'Virtual network gateway route propagation' on the spoke subnet. However, traffic to on-premises still bypasses the firewall and goes through the ExpressRoute gateway. What is the most likely cause?
The spoke subnet does not have a route for the on-premises prefix pointing to the firewall.
The user-defined route (UDR) with 0.0.0.0/0 only covers traffic destined for the internet. Traffic to on-premises networks has a more specific destination prefix (e.g., 10.0.0.0/8). Without an explicit route for that on-premises prefix pointing to the Azure Firewall, the system uses the more specific route learned via ExpressRoute BGP, which directs traffic to the ExpressRoute gateway instead of the firewall. Disabling 'Virtual network gateway route propagation' prevents BGP routes from being added to the route table, but it does not remove existing learned routes; however, the core issue is the lack of a specific UDR for the on-premises prefix.
A company has several critical applications deployed in an Azure virtual network. The security team wants to protect the virtual network against Distributed Denial-of-Service (DDoS) attacks by enabling automatic attack mitigation, adaptive tuning, and access to DDoS Rapid Response Support. Which DDoS Protection tier should they enable for the virtual network?
DDoS Protection Standard
DDoS Protection Standard is the correct tier because it provides automatic attack mitigation, adaptive tuning based on traffic patterns, and access to DDoS Rapid Response Support (DRRS) for Azure virtual networks. The Basic tier only offers always-on traffic monitoring and basic mitigation without adaptive tuning or DRRS, while Premium and Advanced are not valid Azure DDoS Protection tiers.
A company has an Azure virtual network with multiple subnets hosting different application tiers. They need to inspect and filter all outbound traffic from VMs to the internet, and they must be able to allow or deny traffic based on fully qualified domain names (FQDNs). Which Azure networking service should they deploy?
Azure Firewall.
Azure Firewall is a managed, cloud-based network security service that can inspect and filter outbound traffic from Azure virtual networks to the internet. It supports application rules based on fully qualified domain names (FQDNs), allowing or denying traffic by FQDN, which directly meets the requirement. Unlike simpler filtering options, Azure Firewall provides stateful inspection and integrates with Azure Monitor for logging.
A company has a subscription with Azure Active Directory (Azure AD). They want to enable a conditional access policy that requires all users to use multi-factor authentication (MFA) when accessing the Azure portal. The policy should only apply to users who are members of a group called 'AllUsers'. Which assignment should they configure in the policy?
Assign the 'AllUsers' group to the 'Users' section and select 'Azure portal' as the cloud app
Option B is correct because in an Azure AD Conditional Access policy, the 'Users' section is where you specify which users or groups the policy applies to, and the 'Cloud apps' section is where you select the target application (Azure portal). By assigning the 'AllUsers' group to 'Users' and selecting 'Azure portal' as the cloud app, the policy enforces MFA for all members of that group when they access the Azure portal.
A company has several Azure virtual machines (VMs) in a VNet that host a legacy application. IT support staff need to perform remote administration using RDP. The security team wants to avoid exposing the VMs to the public internet and also enforce Azure Multi-Factor Authentication (MFA) for all RDP sessions. Which Azure service should they deploy to meet these requirements?
Azure Bastion
Azure Bastion provides secure, seamless RDP/SSH connectivity to Azure VMs directly from the Azure portal over TLS, without exposing the VMs to a public IP address. It also integrates with Azure AD and Conditional Access to enforce Azure Multi-Factor Authentication (MFA) for all RDP sessions, meeting both the security and compliance requirements.
A company has Azure virtual machines that need to download updates from specific external websites (e.g., *.microsoft.com and *.windowsupdate.com). The security team wants to centrally manage and allow outbound HTTPS traffic only to these FQDNs, while blocking all other outbound internet access. Which Azure networking service should they deploy to achieve this?
Azure Firewall
Azure Firewall is a managed, cloud-native network security service that can centrally enforce outbound FQDN-based rules. It allows you to create application rules that permit HTTPS traffic to specific FQDNs (e.g., *.microsoft.com) while blocking all other outbound internet access, meeting the security team's requirement for granular, centralized control.
The AZ-500 flashcard bank covers all 5 official blueprint domains published by Microsoft. Cards are distributed proportionally, so domains with higher exam weight have more cards.
Domain Coverage
Secure identity and access
Secure compute, storage, and databases
Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel
Manage identity and access
Secure networking
Both flashcards and practice questions are evidence-based study tools. The difference is in what they train:
Flashcards — concept retention
Best for memorising definitions, acronyms, protocol behaviours, command syntax, and conceptual distinctions. Use flashcards to build the foundational vocabulary that AZ-500 questions assume you know.
Best in: weeks 1–3
Practice tests — application
Best for applying concepts to realistic scenarios, eliminating distractors, and building exam stamina.AZ-500 questions test scenario reasoning — not just recall — so practice tests are essential.
Best in: weeks 3–6
The most effective AZ-500 study plan combines both: use flashcards for the first 2–3 weeks to build conceptual foundations, then shift to practice tests and mock exams in the final 2–3 weeks to apply and benchmark that knowledge. Most candidates who pass on their first attempt use both tools.
Yes. Courseiva provides free AZ-500 flashcards across all official exam domains. Every card includes the correct answer and a full explanation of why it is right and why the distractors are wrong. The platform also includes topic-based practice, mock exams, and readiness tracking — no account required.
Courseiva has 1000+ original AZ-500 flashcards across all 5 exam blueprint domains. New cards are added regularly as the question bank grows. All cards are written by certified engineers against the official Microsoft exam objectives.
Courseiva flashcards are purpose-built for IT certification exams. Unlike generic flashcard platforms where content quality varies, every Courseiva card is mapped to the official AZ-500 exam blueprint, written by engineers who hold the certification, and includes a full explanation of the correct answer and why the distractors are wrong. This explanation quality is what separates genuine learning from rote memorisation.
Courseiva is a web platform — an internet connection is required. For offline study, we recommend creating free Courseiva account, using the platform in your browser, and using your device's offline capabilities if your browser supports offline web apps.
Save your results, see which domains need more work, and get spaced repetition recommendations — all free.
Sign Up FreeFree forever · Every certification included