© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

AZ-500 Secure compute, storage, and databases • Complete Question Bank

AZ-500 Secure compute, storage, and databases — All Questions With Answers

Complete AZ-500 Secure compute, storage, and databases question bank — all 0 questions with answers and detailed explanations.

243 Questions · Free · No signup

Question 1 (hard, multiple choice)

A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server is in the same region and has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. However, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required to allow the SQL server to access the Key Vault for TDE operations?

Question 2 (hard, multiple choice)

A company stores sensitive files in Azure Files shares. They require that data is encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault, and that all client connections use SMB 3.0 encryption for end-to-end encryption in transit. They create a premium Azure Files share in a storage account and configure encryption at rest with a CMK. However, clients are unable to connect without SMB encryption. What additional configuration is necessary to enforce SMB encryption for all connections?

Question 3 (hard, multiple choice)

A company stores sensitive files in Azure Files shares. They require encryption at rest using customer-managed keys (CMK) and encryption in transit using SMB 3.0 encryption. They have created a premium Azure Files share in a storage account and configured encryption at rest with a CMK. However, clients are able to connect without enforcing SMB encryption. What additional configuration is necessary to ensure that all connections to the file share are encrypted in transit?

Question 4 (hard, multiple choice)

A company uses Azure SQL Database with Transparent Data Encryption (TDE) and wants to use a customer-managed key (CMK) stored in Azure Key Vault. The security policy requires that the Key Vault be protected by a firewall and virtual network service endpoints to restrict network access. The storage account for TDE logs is in the same Azure region. Which additional configuration is necessary in the Key Vault to allow Azure SQL Database to access the CMK for encryption operations?

Question 5 (hard, multiple choice)

A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key stored in Azure Key Vault. The Key Vault has a firewall enabled that blocks all public network access. The SQL server has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. Despite this, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required?

Question 6 (hard, multi select)

A company uses Azure SQL Database. They want to ensure that all data at rest is encrypted using a customer-managed key (CMK) stored in Azure Key Vault. They also require that the key is automatically rotated every 12 months. Which two actions must be configured to meet this requirement? (Select two.)

Question 7 (medium, multiple choice)

A company plans to enable Azure Disk Encryption (ADE) on a set of Windows virtual machines using a Key Encryption Key (KEK) stored in Azure Key Vault. They have enabled soft-delete and purge protection on the Key Vault. The encryption fails with an error indicating that the key vault does not have the required permissions. Which additional configuration is most likely required for ADE to use the KEK?

Question 8 (hard, multiple choice)

A company uses Azure Disk Encryption (ADE) on Windows virtual machines. They use a key encryption key (KEK) stored in Azure Key Vault to wrap the disk encryption key. The security policy requires that the KEK be automatically rotated every 90 days. They need to ensure that after rotation, the OS and data disks of running VMs automatically get re-wrapped with the new KEK version. Which configuration should they implement?

Question 9 (hard, multiple choice)

An Azure Storage account is configured with server-side encryption (SSE) using a customer-managed key stored in Azure Key Vault. The security team requires that the storage account's identity be used to authenticate to the key vault for key access. Additionally, they want the identity to be automatically deleted when the storage account is deleted. Which type of identity should they assign to the storage account?

Question 10 (medium, multiple choice)

A company uses Azure SQL Database with Transparent Data Encryption (TDE) using a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server has a system-assigned managed identity assigned the 'Key Vault Crypto Service Encryption User' role. However, TDE operations are failing because the SQL server cannot access the Key Vault. What additional configuration is needed?

Question 11 (hard, multiple choice)

A healthcare company stores sensitive patient data in Azure SQL Database. They want to encrypt specific columns containing Personally Identifiable Information (PII) so that even database administrators cannot view the data. The security team also needs to perform equality searches (e.g., WHERE SSN = '123-45-6789') on the encrypted columns. Which encryption technology should they implement?

Question 12 (medium, multiple choice)

A company uses Azure SQL Database to store customer data, including credit card numbers. The security policy requires that database administrators (DBAs) must not be able to view the credit card numbers in plaintext. The column containing the credit card numbers must be encrypted at rest and in transit, and only a specific application (using a dedicated client library) should be able to decrypt the data. Which technology should they implement?

Question 13 (hard, multiple choice)

A company uses Azure SQL Database with Transparent Data Encryption (TDE) and a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall that blocks all public access. The SQL server is a managed service that needs to access the key to perform TDE operations. The Key Vault is in the same Azure region as the SQL server. Which additional configuration is needed?

Question 14 (hard, multiple choice)

A healthcare organization stores sensitive patient data in Azure SQL Database. They need to encrypt specific columns containing medical history so that even database administrators with the 'sysadmin' role cannot view the plaintext data. Additionally, they need to support equality comparisons (WHERE clauses) on the encrypted columns. Which encryption technology should they implement?

Question 15 (hard, multiple choice)

A company uses Azure SQL Database to store personally identifiable information (PII). They need to encrypt specific columns containing social security numbers so that even database administrators with the 'db_owner' role cannot view the plaintext. The application must be able to perform equality searches on the encrypted columns. Which encryption technology should they implement?

Question 16 (medium, multi select)

A company has an Azure SQL Database server. They want to allow an Azure Function with a system-assigned managed identity to access the database by using Azure Active Directory (Azure AD) authentication. Which two configurations are required to grant this access? (Choose two.)

Question 17 (hard, multiple choice)

An AKS cluster needs to pull container images from a private Azure Container Registry (ACR). The security policy requires that the AKS cluster identity should not have direct access to the ACR; instead, a service principal with the AcrPull role should be used, with credentials stored as a Kubernetes secret. Which authentication method should be configured on the AKS cluster?

Question 18 (medium, multiple choice)

A healthcare organization stores sensitive patient data in Azure SQL Database. They need to encrypt specific columns containing medical history so that even database administrators with highly privileged roles, such as 'sysadmin', cannot view the plaintext data. Additionally, they need to support complex queries on the encrypted data, including pattern matching and range comparisons. Which encryption technology should they implement?

Question 19 (hard, multiple choice)

A company wants to enable Azure Disk Encryption (ADE) on their Windows virtual machines using a Key Encryption Key (KEK) stored in Azure Key Vault. They have created the Key Vault with soft-delete enabled and a key. However, the encryption fails. What is the most likely missing configuration that prevents ADE from using the KEK?

Question 20 (hard, multiple choice)

A company uses Azure Key Vault to store secrets for their applications. They want to ensure that an application hosted on an Azure virtual machine can access secrets from only a specific Key Vault, and that all traffic between the VM and Key Vault remains within the Azure network and does not traverse the public internet. Which configuration should they implement?

Question 21 (medium, multiple choice)

A company is enabling Azure Disk Encryption (ADE) on Windows virtual machines. They have enabled soft-delete on Azure Key Vault and configured a Key Encryption Key (KEK). However, the disk encryption fails with an error indicating that the key vault does not have the required permissions. What is the most likely missing configuration?

Question 22 (hard, multiple choice)

A company uses Azure SQL Database with Transparent Data Encryption (TDE) encrypted using a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault is protected by a firewall that denies all public access. The SQL server must be able to access the key for TDE operations. Which additional configuration is necessary in the Key Vault to allow this?

Question 23 (medium, multiple choice)

A company uses Azure SQL Database with Transparent Data Encryption (TDE) encrypted using a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault is protected by a firewall and virtual network service endpoints. The storage account used for TDE logs is in the same Azure region. What additional configuration is necessary in the Key Vault to allow Azure SQL Database to access the CMK for TDE operations?

Question 24 (medium, multiple choice)

A company uses Azure Blob Storage to store archival data that is rarely accessed. The security policy requires that the data must be encrypted at rest using a unique Microsoft-managed key per storage account, and the data must be stored cost-effectively while allowing retrieval within 15 minutes. Which storage account type and encryption configuration should they choose?

Question 25 (easy, multi select)

A company stores sensitive financial records in Azure Blob Storage. They want to ensure that if a blob is deleted or overwritten, it can be recovered within 30 days. They also want to protect against accidental deletion of the storage account itself. Which two configurations should they implement? (Choose two.)

Question 26 (hard, multiple choice)

A company stores sensitive data in Azure Blob Storage. They want to enforce encryption at rest using a customer-managed key (CMK) stored in Azure Key Vault. Additionally, they require that the key vault be in a different region than the storage account to protect against regional disasters. Can this be achieved, and if so, what is the implication?

Question 27 (hard, multiple choice)

A company stores business records in Azure Blob Storage. Due to a legal investigation, they must prevent any modification or deletion of the blobs for an indefinite period until the legal hold is released. They also need to ensure that even storage account owners cannot alter the data during the hold. Which blob storage feature should they enable?

Question 28 (medium, multiple choice)

A company uses Azure Blob Storage to store sensitive documents. The security policy requires that the storage account can only be accessed from a specific Azure virtual network (VNet) and that all access must use Azure Active Directory (Azure AD) authentication. They want to block any access that uses storage account keys or shared access signatures (SAS). Which configuration should they implement?

Question 29 (medium, multiple choice)

A company has an Azure SQL Database that stores personally identifiable information (PII) in columns. They need to encrypt those columns so that only authorized applications can decrypt the data, and even database administrators cannot view the plaintext. Additionally, they need to support equality comparisons (WHERE clauses) on the encrypted columns. Which encryption technology should they use?

Question 30 (medium, multiple choice)

A company stores sensitive customer data in an Azure Storage account. The security policy requires that all data be encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. They also need the ability to disable the key in case of a security breach and have the data become inaccessible immediately. Which feature should they enable on the storage account to achieve this?

Question 31 (medium, multiple choice)

A company enabled Azure Disk Encryption on Windows virtual machines using Azure Key Vault to store encryption keys. They have enabled soft-delete and purge protection on the Key Vault. After a user accidentally deletes a key, the company tries to recover it but the recovery operation fails. What is the most likely reason for the recovery failure?

Question 32 (hard, multiple choice)

A company has an Azure Storage account with infrastructure encryption enabled. They configure the storage account to use customer-managed keys (CMK) stored in Azure Key Vault for encryption at rest. Despite this configuration, newly uploaded blobs are still encrypted with Microsoft-managed keys. What is the most likely cause?

Question 33 (hard, multiple choice)

A company is migrating a sensitive database to Azure SQL Managed Instance. The security team requires that the managed instance is not accessible from the public internet and that only specific Azure services, such as Azure Data Factory, can connect. Which configuration should the team implement to meet these requirements?

Question 34 (easy, multiple choice)

A company deploys a public-facing web application behind Azure Application Gateway. They want to enable the Web Application Firewall (WAF) to protect against SQL injection and cross-site scripting attacks. During the initial testing phase, they want to identify malicious requests without blocking them, to tune the WAF rules before enabling full protection. Which WAF mode should they configure?

Question 35 (medium, multiple choice)

A company stores sensitive healthcare data in Azure SQL Database. They need to encrypt specific columns containing patient diagnosis codes so that even database administrators with the 'sysadmin' role cannot view the plaintext. The application must be able to perform equality searches (WHERE clauses) on the encrypted columns. Which encryption technology should they implement?

Question 36 (medium, multiple choice)

A company stores sensitive data in Azure Blob Storage. They use customer-managed keys (CMK) stored in Azure Key Vault for encryption at rest. The security policy requires that the encryption keys be automatically rotated every 90 days. Which configuration should they implement to meet this requirement without manual intervention?

Question 37 (medium, multiple choice)

A company stores sensitive job processing messages in Azure Queue Storage. They have a web application running on an Azure virtual machine in a VNet that reads and writes to the queue. The security team requires that only the web application's VM can access the queue, and all access from the public internet must be blocked. Which configuration should they implement?

Question 38 (medium, multiple choice)

A company enables Azure SQL Database auditing to log database events to a storage account. The security policy requires that the audit logs be protected from tampering and deletion after they are written. Which storage account feature should the company enable to ensure that audit log files cannot be modified or deleted by anyone for a specified retention period?

Question 39 (medium, multiple choice)

A company stores critical business data in an Azure Storage account (Blob Storage). They want to ensure that all data is encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. They also need to be able to revoke access to the data quickly if a breach is suspected. Which feature should they enable on the storage account to enforce CMK?

Question 40 (medium, multiple choice)

A company stores sensitive financial documents in Azure Blob Storage. The security team needs to maintain an immutable log of all changes to the blob content, including the previous versions and the identity of the user who made the changes, for forensic analysis. Which Azure Storage feature should they enable on the storage account to meet this requirement?

Question 41 (hard, multiple choice)

A company uses Azure SQL Database with Transparent Data Encryption (TDE) and a customer-managed key stored in Azure Key Vault. The Key Vault is configured with a firewall that denies all public access. The SQL server must be able to access the key. What additional configuration is necessary?

Question 42 (hard, multiple choice)

A company plans to enable Azure Disk Encryption (ADE) on their Windows virtual machines. They will use a Key Encryption Key (KEK) stored in Azure Key Vault. What additional configuration must be made in the Key Vault to allow the Azure platform to access the KEK for encrypting the VM disks?

Question 43 (medium, multi select)

A company uses Azure Key Vault to store keys and secrets. They want to ensure that even if an administrator accidentally deletes a key, it can be recovered for up to 90 days. Additionally, they want to prevent anyone from permanently purging the key during that period. Which two features must be enabled?

Question 44 (medium, multiple choice)

A company stores sensitive documents in an Azure Blob Storage account. They have enabled infrastructure encryption and configured the storage account to use a customer-managed key stored in Azure Key Vault for encryption at rest. Despite this, newly uploaded blobs are still encrypted with Microsoft-managed keys. What is the most likely cause?

Question 45 (medium, multiple choice)

A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server is a Microsoft service. How can the SQL server be granted access to the key vault to perform TDE operations?

Question 46 (medium, multiple choice)

A company stores sensitive data in Azure Blob Storage. They want to encrypt the data at rest using customer-managed keys (CMK) stored in Azure Key Vault. Additionally, they want the key to be automatically rotated every 90 days without manual intervention. Which configuration should they implement?

Question 47 (hard, multiple choice)

A company stores highly sensitive data in Azure Blob Storage. They require encryption at rest using a customer-managed key. Additionally, they want to ensure that the key can only be used from the same Azure region as the storage account. Which configuration must they implement?

Question 48 (medium, multiple choice)

A company uses Azure Managed Disks for their virtual machines. They want to ensure that all managed disks are encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. They also want to automatically revoke access to the disks if the key is disabled or deleted. Which feature should they configure?

Question 49 (medium, multiple choice)

A company uses Azure SQL Database for a critical application. Security policy requires that all client connections use at least TLS 1.2 encryption and that connections not meeting this requirement are rejected. Which configuration should they implement on the Azure SQL Server?

Question 50 (hard, multiple choice)

A company plans to enable Azure Disk Encryption (ADE) on a fleet of Windows virtual machines. They want to use a key stored in Azure Key Vault to encrypt the disks. Which additional access configuration must be made in the Key Vault to allow ADE to succeed?

Question 51 (medium, multiple choice)

A company stores highly sensitive data in Azure Blob Storage. The security policy requires that all data is encrypted at rest using a key that is stored in Azure Key Vault, and that the storage account uses its system-assigned managed identity to access the key. Which encryption configuration should they use?

Question 52 (medium, multiple choice)

A company uses Azure Key Vault to store secrets. They want to grant developers the ability to read secrets, but only for specific secret names (e.g., 'App--ConnectionString'). They also want to use Azure RBAC instead of the Key Vault access policy model. Which RBAC role should they assign, and at which scope?

Question 53 (medium, multiple choice)

A company stores confidential data in Azure Blob Storage. They need to ensure that all data at rest is encrypted and they must be able to quickly rotate the encryption key on demand in case of a security breach. They also want to minimize administrative overhead. Which encryption option should they use?

Question 54 (medium, multiple choice)

A company uses Azure SQL Database and wants to protect sensitive data (e.g., credit card numbers) from database administrators. They require that the data is encrypted at rest and in transit, and only a client application using a specific driver can decrypt it. Which technology should they implement?

Question 55 (easy, multiple choice)

A company uses Azure SQL Database and wants to periodically scan the database for vulnerabilities such as misconfigurations, excessive permissions, and missing patches. The scans should generate actionable reports that the security team can use to remediate issues. Which built-in Azure feature should they enable?

Question 56 (medium, multiple choice)

A company stores highly sensitive data in Azure Blob Storage. They want to ensure that the data is encrypted at rest using a key stored in Azure Key Vault, but they also want to prevent Microsoft Azure from having any access to the encryption key. Which encryption approach should they use?

Question 57 (medium, multiple choice)

A company uses Azure SQL Database with Azure Active Directory authentication. To meet compliance requirements, they need to audit all failed login attempts and store the audit logs in a storage account located in a different Azure region for disaster recovery. What should they configure?

Question 58 (medium, multiple choice)

A company generates shared access signature (SAS) tokens to grant time-limited access to blobs in an Azure Storage container. A security administrator needs the ability to immediately revoke all active SAS tokens for that container if a token is compromised. What should they use?

Question 59 (easy, multiple choice)

A company stores sensitive data in Azure Blob Storage. They want to ensure that the data is encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. Additionally, they need the ability to immediately make the data inaccessible in case of a security breach. Which configuration on the storage account enables this?

Question 60 (medium, multiple choice)

A company enables Azure Disk Encryption (ADE) on Windows virtual machines using a key encryption key (KEK) stored in Azure Key Vault. They want the KEK to be automatically rotated every 30 days to meet compliance requirements. Which Azure Key Vault feature should they enable?

Question 61 (medium, multiple choice)

A company uses Azure SQL Database for a critical application. Security policy requires that all client connections to the database use at least TLS 1.2 encryption. What configuration change must be made to enforce this requirement?

Question 62 (medium, multiple choice)

A storage account contains legal evidence that must not be modified or deleted for seven years. Which feature should be configured?

Question 63 (hard, multiple choice)

An Azure SQL Database contains salary data. Support analysts need to query employee records but must not see full salary values. Which feature is most appropriate when the application cannot be changed immediately?

Question 64 (medium, multiple choice)

A Kubernetes workload in AKS needs to pull images from Azure Container Registry without using admin credentials. Which configuration should be used?

Question 65 (hard, multi select)

A Key Vault should be accessible only from selected private networks and approved Azure services. Which two settings are most relevant?

Question 66 (hard, multi select)

A storage account contains regulated records. Which two features help protect against accidental or malicious deletion?

Question 67 (medium, multi select)

An AKS cluster must reduce risk from untrusted container images. Which two controls are most appropriate?

Question 68 (hard, multi select)

A SQL workload needs to protect sensitive column values from database administrators who should not see plaintext. Which two features may be relevant depending on the query requirement?

Question 69 (medium, multi select)

You are designing a secure storage strategy for an Azure Storage account that will host sensitive financial data. The solution must protect data at rest, in transit, and during processing. Which three of the following security controls should you implement? (Choose three.)

Question 70 (medium, multi select)

Your company plans to deploy a set of Azure virtual machines (VMs) running a critical application. The security team requires that all operating system disks and temporary disks be encrypted, and that encryption keys are never stored in Azure but are managed in an on-premises HSM. Which three of the following actions should you take? (Choose three.)

Question 71 (medium, multi select)

You are securing an Azure SQL Database that contains personally identifiable information (PII). The solution must prevent unauthorized access to sensitive columns by privileged users (e.g., DBAs) and ensure that data is encrypted on the wire. Which three of the following should you implement? (Choose three.)

Question 72 (medium, multi select)

Your organization is planning to use Azure Container Instances (ACI) and Azure Kubernetes Service (AKS) for running containerized workloads. The security policy mandates that container images be scanned for vulnerabilities, secrets never be stored in image layers, and network traffic between containers be encrypted. Which three of the following should you implement? (Choose three.)

Question 73 (medium, multi select)

You are a Security Engineer for a company that is migrating critical workloads to Azure. You need to ensure the security of compute, storage, and databases. Which of the following actions should you take? (Choose four.)

Question 74 (medium, drag order)

Drag and drop the steps to configure Azure Defender for SQL on an Azure SQL Database into the correct order.

Question 75 (medium, drag order)

Drag and drop the steps to enable Azure Security Center's enhanced security features for a subscription into the correct order.

Question 76 (medium, drag order)

Drag and drop the steps to implement Azure AD Identity Protection to detect risky sign-ins into the correct order.

Question 77 (medium, matching)

Match each Azure RBAC role to its typical permission scope.

Matches

Full access to all resources including delegation

Create and manage resources but cannot grant access

View resources only

Manage user access to Azure resources

Manage security policies and view security alerts

Question 78 (medium, matching)

Match each Azure Key Vault feature to its purpose.

Matches

Recover deleted vaults and objects within retention period

Prevents permanent deletion until retention period ends

Periodically replace cryptographic keys

Grant permissions to users, groups, or applications

Use Azure RBAC to manage access to vaults

Question 79 (medium, matching)

Match each Azure encryption concept to its description.

Matches

Data is encrypted when stored on disk

Data is encrypted during network transmission

Azure encrypts data before writing to storage

Data encrypted by client before sending to Azure

Encrypts OS and data disks using BitLocker/DM-Crypt

Question 80 (medium, multiple choice)

Your organization uses Azure Storage for sensitive customer data. You need to ensure that data at rest is encrypted using a customer-managed key (CMK) stored in Azure Key Vault. Additionally, you want to automatically rotate the key every 90 days. What should you configure?

Question 81 (hard, multiple choice)

You have an Azure SQL Database that stores financial data. You need to prevent unauthorized access by encrypting specific columns containing credit card numbers. The solution must allow authorized applications to query the data transparently. What should you implement?

Question 82 (easy, multiple choice)

You need to securely store secrets, such as connection strings and API keys, for use by an Azure Functions app. The solution must automatically rotate the secrets and audit access. What should you use?

Question 83 (medium, multiple choice)

Your company runs a critical application on Azure Virtual Machines. You need to ensure that the OS disks and data disks are encrypted to meet compliance requirements. The solution must use Azure Key Vault to store encryption keys and support automated backup. What should you implement?

Question 84 (hard, multiple choice)

You are designing a security solution for Azure Cosmos DB that stores Personally Identifiable Information (PII). You need to encrypt data at rest and in transit. You also need to implement row-level security to restrict access based on user role. What should you configure?

Question 85 (medium, multiple choice)

You have an Azure Storage account that contains sensitive documents. You need to generate a time-limited, secure URL that allows a specific user to download a file without requiring storage account keys. What should you use?

Question 86 (easy, multiple choice)

Your organization is using Azure Database for MySQL. You need to ensure that only traffic from Azure services and specific client IP addresses can connect to the database. What should you configure?

Question 87 (hard, multiple choice)

You are deploying a three-tier application on Azure VMs. The web tier must be accessible from the internet, but the application and database tiers must only accept traffic from the web tier. You need to implement network segmentation using Azure networking components. What is the most secure and manageable solution?

Question 88 (medium, multiple choice)

You need to ensure that an Azure Storage account is accessible only from a specific virtual network (VNet) and only over HTTPS. You also want to deny access from any public IP. What should you configure?

Question 89 (medium, multi select)

You need to protect Azure SQL Database from SQL injection attacks. Which TWO measures should you implement?

Question 90 (hard, multi select)

You are designing a backup strategy for Azure Virtual Machines. Which THREE features should you enable to ensure recoverability and security?

Question 91 (easy, multi select)

You need to secure an Azure Storage account that will host sensitive data. Which TWO configurations should you implement?

Question 92 (medium, multiple choice)

Refer to the exhibit. You are reviewing the ARM template snippet for a managed disk. You need to ensure the disk uses a customer-managed key (CMK) from Azure Key Vault. However, you notice the deployment fails because the key version is specified. What is the likely issue?

Exhibit

```json
{
  "properties": {
    "encryption": {
      "keySource": "Microsoft.Keyvault",
      "keyvaultproperties": {
        "keyvaulturi": "https://kv-vault.vault.azure.net/",
        "keyname": "diskencryptionkey",
        "keyversion": "1"
      }
    }
  }
}
```

Question 93 (hard, multiple choice)

Refer to the exhibit. You are analyzing the Always Encrypted configuration for an Azure SQL Database. The SSN column uses randomized encryption, and the CreditCard column uses deterministic encryption. Which statement is true regarding querying these columns?

Question 94 (easy, multiple choice)

Refer to the exhibit. You run the Azure CLI command to create a storage account. After creation, you need to ensure that the storage account can only be accessed using TLS 1.2. Does the command achieve this?

Exhibit

```
az storage account create \
  --name mystorageaccount \
  --resource-group myResourceGroup \
  --location eastus \
  --sku Standard_GRS \
  --kind StorageV2 \
  --https-only true \
  --min-tls-version 1.2
```

Question 95 (easy, multiple choice)

You need to encrypt an Azure Storage account at rest using a customer-managed key stored in Azure Key Vault. Which feature should you enable?

Question 96 (medium, multiple choice)

Your company hosts a web application on Azure Virtual Machines. You need to ensure that all disks attached to the VMs are encrypted. You plan to use Azure Disk Encryption. What should you configure first?

Question 97 (hard, multiple choice)

You are designing a secure data solution for a financial application. The data must be encrypted at rest, in transit, and in use. You choose Azure SQL Database. Which combination of features should you implement?

Question 98 (easy, multiple choice)

You need to prevent data exfiltration from Azure Storage accounts by controlling which networks can access them. Which Azure feature should you use?

Question 99 (medium, multiple choice)

Your company uses Azure SQL Database to store customer data. You need to ensure that database administrators cannot access sensitive columns (e.g., credit card numbers) even during maintenance. What should you implement?

Question 100 (hard, multiple choice)

Your organization uses Azure Storage blobs to store sensitive documents. You need to enforce that all blob access must be via HTTPS and that storage account keys are rotated every 90 days. Which two actions should you take? (Each correct answer presents part of the solution.)

Question 101 (medium, multiple choice)

You have an Azure Cosmos DB account with multiple containers. You need to ensure that only specific Azure AD identities can access the data and that all access is logged. What should you use?

Question 102 (easy, multiple choice)

You need to ensure that an Azure Key Vault is accessible only from a specific virtual network and that all operations are logged. What should you configure?

Question 103 (medium, multiple choice)

Your company uses Azure SQL Managed Instance. You need to ensure that all connections from clients use TLS 1.2 or higher. What should you configure?

Question 104 (hard, multiple choice)

You are designing a secure backup strategy for Azure Virtual Machines. The backup data must be encrypted at rest and in transit. Which combination should you use?

Question 105 (easy, multiple choice)

You need to restrict access to an Azure Storage account so that only requests from a specific Azure Virtual Network are allowed. What should you configure?

Question 106 (medium, multiple choice)

Your organization uses Azure Files shares. You need to ensure that users authenticate using on-premises Active Directory credentials and that access is logged. What should you do?

Question 107 (hard, multiple choice)

You have an Azure SQL Database that stores Personally Identifiable Information (PII). You need to mask the PII columns for support staff but allow full access to managers. What should you implement?

Question 108 (medium, multiple choice)

You are reviewing an Azure Resource Manager template for a storage account. The exhibit shows a snippet of the template. Which statement about the template is true?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "encryption": {
      "services": {
        "blob": {
          "enabled": true
        },
        "file": {
          "enabled": true
        }
      },
      "keySource": "Microsoft.Storage"
    }
  }
}
```

Question 109 (hard, multiple choice)

You are deploying an Azure SQL Database with a security alert policy as shown in the exhibit. Which statement is true?

Exhibit

Refer to the exhibit.

```json
{
  "type": "Microsoft.Sql/servers/databases/securityAlertPolicies",
  "apiVersion": "2023-08-01-preview",
  "properties": {
    "state": "Enabled",
    "emailAccountAdmins": true,
    "emailAddresses": ["admin@contoso.com"],
    "disabledAlerts": [],
    "retentionDays": 30
  }
}
```

Question 110 (easy, multiple choice)

You need to ensure that an Azure Storage account only allows access from a specific virtual network. Which configuration should you use?

Question 111 (medium, multiple choice)

Your company uses Azure SQL Database. You need to ensure that all queries are audited for compliance. Which feature should you enable?

Question 112 (hard, multiple choice)

You are designing a solution to store sensitive documents in Azure Blob Storage. The documents must be encrypted at rest using a customer-managed key that is automatically rotated every 90 days. Microsoft Entra ID must be used to control access to the key. What should you use?

Question 113 (easy, multiple choice)

You need to prevent data from being exfiltrated from an Azure SQL Database by unauthorized users. Which Microsoft Purview feature should you use?

Question 114 (medium, multiple choice)

Your company has an Azure Cosmos DB account that stores customer profiles. You need to ensure that only authenticated and authorized users can access the data. Which access control method should you use?

Question 115 (hard, multiple choice)

You are deploying a critical application on Azure Virtual Machines that must remain highly available. You need to implement a security solution that ensures the application can recover from a ransomware attack that encrypts all data disks. What is the most cost-effective approach?

Question 116 (easy, multiple choice)

You need to enable transparent data encryption (TDE) for an Azure SQL Managed Instance. What is the prerequisite?

Question 117 (medium, multiple choice)

Your company uses Azure Files shares to store business documents. You need to ensure that access to the shares is restricted to users who have been granted explicit permissions. What should you configure?

Question 118 (hard, multiple choice)

You are deploying a multi-tier application on Azure Kubernetes Service (AKS). The application uses Azure Disks for persistent storage. You need to ensure that the disks are encrypted at rest using a customer-managed key stored in a Key Vault in a different region. What should you do?

Question 119 (medium, multi select)

Which TWO actions are required to enable Azure Defender for SQL on an Azure SQL Database?

Question 120 (hard, multi select)

Which THREE capabilities are provided by Azure Storage Service Encryption (SSE) when using customer-managed keys?

Question 121 (easy, multi select)

Which TWO features of Azure Database for PostgreSQL ensure data security at rest?

Question 122 (medium, multiple choice)

You are reviewing the ARM template for an Azure Disk Encryption Set. The template includes the JSON snippet shown. You notice that the key version is empty. What is the consequence?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "encryption": {
      "keySource": "Microsoft.Keyvault",
      "keyvaultproperties": {
        "keyname": "MyDiskEncryptionKey",
        "keyversion": "",
        "keyvaulturi": "https://mykeyvault.vault.azure.net/"
      }
    }
  }
}
```

Question 123 (hard, multiple choice)

You are deploying an Azure Storage account using the ARM template snippet shown. After deployment, you need to allow access from a specific public IP address. What should you do?

Exhibit

Refer to the exhibit.

```json
{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2023-01-01",
  "properties": {
    "minimumTlsVersion": "TLS1_2",
    "networkAcls": {
      "bypass": "AzureServices",
      "defaultAction": "Deny",
      "ipRules": [],
      "virtualNetworkRules": []
    },
    "supportsHttpsTrafficOnly": true
  }
}
```

Question 124 (easy, multiple choice)

You run the PowerShell cmdlet shown in the exhibit for an Azure SQL Database. What is the security implication?

Exhibit

Refer to the exhibit.

```
PS Azure:\> Get-AzSqlDatabaseAdvancedThreatProtectionSetting -ResourceGroupName RG1 -ServerName sqlsrv1 -DatabaseName db1

ResourceGroupName : RG1
ServerName        : sqlsrv1
DatabaseName      : db1
State             : Disabled
```

Question 125 (medium, multiple choice)

You are deploying a new application on Azure VMs. The application must be encrypted at rest and during transmission. Which combination of features should you implement?

Question 126 (hard, multiple choice)

Your company uses Azure SQL Database. You need to ensure that all queries from a specific application use Always Encrypted to protect sensitive columns. The application is developed in C#. What must you configure in the application and database?

Question 127 (easy, multiple choice)

You need to restrict access to an Azure Storage account so that only traffic from a specific virtual network (VNet) subnet is allowed. Which Azure Storage firewall setting should you configure?

Question 128 (medium, multiple choice)

You have an Azure Cosmos DB account with multiple containers. You need to ensure that data is encrypted at rest using a customer-managed key stored in Azure Key Vault. Which steps should you take?

Question 129 (hard, multiple choice)

Your organization uses Azure Files shares. You need to enforce access control using on-premises Active Directory (AD) credentials. The Azure Files share is already created. What should you do?

Question 130 (easy, multiple choice)

You need to back up Azure SQL Managed Instance databases to a separate region for disaster recovery. Which Azure service should you use?

Question 131 (medium, multiple choice)

Your company uses Azure Blob Storage to store sensitive documents. You need to prevent data exfiltration by ensuring that all access to the storage account is through Microsoft's private network. What should you configure?

Question 132 (hard, multiple choice)

You have an Azure SQL Database that stores credit card numbers. You need to encrypt the column containing the credit card numbers so that only authorized applications can decrypt the data. The database administrator should not be able to view the plaintext data. Which feature should you use?

Question 133 (easy, multiple choice)

You need to ensure that all new blobs uploaded to an Azure Storage account are automatically encrypted at rest. What is the simplest way to achieve this?

Question 134 (medium, multi select)

Which TWO actions should you take to ensure that an Azure Storage account is only accessible over HTTPS and that data in transit is encrypted?

Question 135 (hard, multi select)

Which THREE components are part of Azure Disk Encryption for Windows VMs?

Question 136 (easy, multi select)

Which TWO database-level security features are available in Azure SQL Database to protect sensitive data?

Question 137 (hard, multiple choice)

Refer to the exhibit. You are reviewing the JSON output of an Azure Storage account encryption configuration. What can you conclude about the encryption settings?

Exhibit

```json
{
  "properties": {
    "encryption": {
      "services": {
        "blob": {
          "enabled": true
        },
        "file": {
          "enabled": true
        }
      },
      "keySource": "Microsoft.Keyvault",
      "keyvaultproperties": {
        "keyname": "MyCMK",
        "keyversion": "1",
        "keyvaulturi": "https://mykeyvault.vault.azure.net/"
      }
    }
  }
}
```

Question 138 (medium, multiple choice)

Refer to the exhibit. You are querying the sys.column_master_keys view in an Azure SQL Database. What is the purpose of this query?

Exhibit

```
SELECT
    DatabaseName,
    ProtectionLevel,
    KeyStoreProviderName,
    KeyPath
FROM sys.column_master_keys;
```

Question 139 (hard, multiple choice)

Refer to the exhibit. You are reviewing an ARM template for an Azure Storage account. Which of the following is true about the deployment?

Exhibit

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2023-01-01",
      "name": "mystorageaccount",
      "location": "[resourceGroup().location]",
      "sku": {
        "name": "Standard_GRS"
      },
      "kind": "StorageV2",
      "properties": {
        "supportsHttpsTrafficOnly": true,
        "encryption": {
          "keySource": "Microsoft.Storage"
        }
      }
    }
  ]
}
```

Question 140 (medium, multiple choice)

Your organization uses Azure Storage for sensitive financial data. You need to restrict access to storage accounts based on the client's IP address. Which Azure Storage service feature should you configure?

Question 141 (easy, multiple choice)

A company plans to migrate on-premises SQL Server databases to Azure SQL Managed Instance. The security team requires that all data at rest be encrypted using customer-managed keys stored in Azure Key Vault. Which feature should be enabled?

Question 142 (hard, multiple choice)

You are designing a secure compute solution for a critical application that must comply with PCI DSS. The application runs on Azure Virtual Machines with sensitive data. You need to ensure that ephemeral disks are encrypted at the host level. Which Azure Disk Encryption option should you use?

Question 143 (medium, multiple choice)

Your company uses Azure SQL Database for a multitenant SaaS application. You need to ensure that one tenant cannot access another tenant's data, even if the application code has a bug. Which Azure SQL Database feature should you implement?

Question 144 (easy, multiple choice)

A developer needs to securely connect to an Azure Storage account from a private virtual network without exposing the storage account to the public internet. Which Azure service should be used?

Question 145 (hard, multiple choice)

Your security team wants to automatically detect and remediate misconfigurations in Azure Storage accounts, such as enabling public access. The solution should use Azure Policy and be centrally managed for multiple subscriptions. What should you configure?

Question 146 (medium, multiple choice)

A company is deploying Azure Virtual Machines for a batch processing workload. The VMs process highly sensitive data and must ensure that the data on the OS and data disks is encrypted using a customer-managed key stored in Azure Key Vault. Which encryption option meets the requirement?

Question 147 (easy, multiple choice)

You need to ensure that Azure SQL Database connections are encrypted and the server's identity is verified. Which connection string parameter should be required?

Question 148 (hard, multiple choice)

A critical application uses Azure Functions with an Azure Storage account for input and output. The security team requires that all data in transit between the function app and storage be encrypted using a customer-managed key. Which configuration should you implement?

Question 149 (medium, multi select)

Which TWO actions should you take to secure an Azure Storage account that contains sensitive data? (Choose two.)

Question 150 (hard, multi select)

Which THREE of the following are valid ways to encrypt data at rest in Azure SQL Database? (Choose three.)

Question 151 (easy, multi select)

Which TWO of the following are benefits of using managed identities for Azure resources to access Azure Storage? (Choose two.)

Question 152 (medium, multiple choice)

You receive the ARM template snippet shown in the exhibit for an Azure Storage account. After deployment, a developer reports that they cannot access the storage account from a permitted virtual network. What is the most likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "encryption": {
      "keySource": "Microsoft.Keyvault",
      "keyvaultproperties": {
        "keyvaulturi": "https://myvault.vault.azure.net/keys/mykey",
        "keyname": "mykey",
        "keyversion": "1.0"
      },
      "services": {
        "blob": {
          "enabled": true
        },
        "file": {
          "enabled": true
        }
      }
    },
    "networkAcls": {
      "defaultAction": "Deny"
    }
  }
}
```

Question 153 (hard, multiple choice)

You run the PowerShell script shown in the exhibit to change the access tier of all block blobs in the 'data' container from Cool to Hot. However, you receive an error that the operation is not allowed. What is the most likely reason?

Exhibit

Refer to the exhibit.

```
$storageAccount = Get-AzStorageAccount -ResourceGroupName "RG1" -Name "storagedata1"
$ctx = $storageAccount.Context
Get-AzStorageBlob -Container "data" -Context $ctx | Where-Object {$_.BlobType -eq "BlockBlob" -and $_.AccessTier -eq "Cool"} | Set-AzStorageBlobAccessTier -AccessTier "Hot" -PassThru
```

Question 154 (hard, multiple choice)

You run the Kusto query shown in the exhibit in Azure Monitor Logs for an Azure Storage account. The query returns results showing multiple failed attempts to access PDF blobs with 403 errors from various IP addresses. What is the most likely cause of these failures?

Exhibit

Refer to the exhibit.

```
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STORAGE"
| where OperationName == "GetBlob"
| where ObjectKey endswith ".pdf"
| where StatusCode == 403
| summarize Count = count() by CallerIPAddress, UserAgentHeader
| top 10 by Count desc
```

Question 155 (medium, multiple choice)

Your company uses Azure Storage to store sensitive customer data. You need to ensure that only authorized applications running on Azure VMs can access the storage account without using shared keys or SAS tokens. What should you configure?

Question 156 (hard, multiple choice)

You are designing a secure database solution for a financial application using Azure SQL Database. The database contains highly sensitive columns (e.g., credit card numbers). Which combination of features should you implement to protect data at rest, in transit, and in use, while minimizing performance impact?

Question 157 (easy, multiple choice)

You are configuring security for an Azure App Service web app that connects to an Azure SQL Database. You need to ensure that the database connection string does not contain credentials in plaintext. What should you use?

Question 158 (medium, multiple choice)

Your company uses Azure File shares for departmental file storage. You need to restrict access to only specific VMs in the same virtual network using Azure AD authentication. What should you configure?

Question 159 (hard, multiple choice)

You are deploying a containerized application on Azure Kubernetes Service (AKS). The application needs to pull images from a private Azure Container Registry (ACR) and access secrets from Azure Key Vault. You want to minimize credential exposure. What should you configure?

Question 160 (easy, multiple choice)

You need to ensure that an Azure Storage account's blob data is encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. What should you do first?

Question 161 (hard, multiple choice)

Your company uses Azure Database for PostgreSQL flexible server. You need to enable auditing of all database-level events and ensure audit logs are retained for compliance purposes for 5 years. What should you configure?

Question 162 (medium, multiple choice)

You are designing a backup strategy for Azure VMs running critical workloads. The VMs have Azure Disk Encryption enabled with Azure Key Vault. You need to ensure that backups can be restored securely. What should you configure?

Question 163 (easy, multiple choice)

You need to ensure that only users with a valid Azure AD token can invoke an Azure Function app. No other authentication methods should be allowed. What should you configure?

Question 164 (medium, multi select)

You need to protect Azure SQL Database from SQL injection attacks. Which TWO measures should you implement? (Choose TWO.)

Question 165 (hard, multi select)

You are configuring secure access to Azure Blob Storage for a third-party partner application that runs outside Azure. The partner needs to upload files to a specific container. You want to grant least-privilege access without storing static credentials in the partner's code. Which TWO actions should you take? (Choose TWO.)

Question 166 (medium, multi select)

You need to ensure that Azure Disk Encryption (ADE) is enabled on all Azure VMs in a subscription. Which THREE actions are required to implement ADE? (Choose THREE.)

Question 167 (medium, multiple choice)

Your organization uses Azure Storage accounts with blob containers. You need to ensure that only authorized applications can access the storage account, without using shared keys or shared access signatures. What should you configure?

Question 168 (hard, multiple choice)

Your company uses Azure SQL Database and wants to protect sensitive data stored in a column named 'CreditCardNumber'. You need to ensure that the data is encrypted at rest and that only authorized users can decrypt the data at the application layer. Additionally, you want to prevent unauthorized administrators from accessing the plaintext. Which solution should you implement?

Question 169 (easy, multiple choice)

You are configuring an Azure Kubernetes Service (AKS) cluster. You need to ensure that pods can securely access Azure Container Registry (ACR) without storing image pull secrets in the pod specification. What should you do?

Question 170 (medium, multiple choice)

Refer to the exhibit. You are deploying an Azure Storage account with the ARM template snippet shown. The deployment fails with an error about the encryption configuration. What is the most likely cause?

Exhibit

{
  "properties": {
    "encryption": {
      "keySource": "Microsoft.Keyvault",
      "keyvaultproperties": {
        "keyvaulturi": "https://mykeyvault.vault.azure.net/",
        "keyname": "myencryptionkey",
        "keyversion": "1234567890abcdef"
      }
    }
  }
}

Question 171 (easy, multiple choice)

You have an Azure virtual machine that runs a line-of-business application. You need to ensure that the disks attached to the VM are encrypted at rest using platform-managed keys. What should you do?

Question 172 (hard, multiple choice)

Your company stores sensitive documents in Azure Blob Storage. You need to implement a solution that automatically scans uploaded blobs for malware and quarantines any infected files. The solution must minimize administrative overhead and integrate with Azure Security Center. What should you use?

Question 173 (medium, multiple choice)

Refer to the exhibit. You are configuring network access for an Azure Storage account. After applying this configuration, users report that they cannot access the storage account from their on-premises network (public IP: 198.51.100.50). What is the most likely reason?

Exhibit

{
  "properties": {
    "networkAcls": {
      "bypass": "AzureServices",
      "defaultAction": "Deny",
      "ipRules": [
        {
          "action": "Allow",
          "value": "203.0.113.0/24"
        }
      ],
      "virtualNetworkRules": []
    }
  }
}

Question 174 (easy, multiple choice)

You need to securely connect to an Azure SQL Database from an on-premises application without exposing the database to the public internet. Which solution should you use?

Question 175 (hard, multiple choice)

Your organization uses Azure Files shares with Azure AD DS authentication. You need to ensure that users can access the file share from on-premises Windows clients using their on-premises AD credentials, without exposing the storage account to the internet. The on-premises network is connected to Azure via a site-to-site VPN. What should you configure?

Question 176 (medium, multi select)

Which TWO actions should you take to secure an Azure Cosmos DB account? (Choose two.)

Question 177 (hard, multi select)

Which THREE components are required to enable Azure Disk Encryption for Windows VMs using Azure Key Vault? (Choose three.)

Question 178 (medium, multi select)

Which TWO security features can be enabled on an Azure SQL Database to protect sensitive data from unauthorized access by database administrators? (Choose two.)

Question 179 (medium, multiple choice)

Refer to the exhibit. You are deploying an Azure Disk Encryption Set using this ARM template. The deployment succeeds, but when you try to create a disk using this encryption set, the disk creation fails with an error about key vault permissions. What is the most likely cause?

Exhibit

{
  "properties": {
    "encryption": {
      "keySource": "Microsoft.Keyvault",
      "keyvaultproperties": {
        "keyvaulturi": "https://mykeyvault.vault.azure.net/",
        "keyname": "mykey",
        "keyversion": ""
      }
    },
    "identity": {
      "type": "SystemAssigned"
    }
  }
}

Question 180 (easy, multiple choice)

You are designing a solution for Azure Blob Storage that must prevent data from being overwritten or deleted for a specified retention period. Which feature should you enable?

Question 181 (hard, multiple choice)

Your company has an Azure SQL Managed Instance that stores sensitive customer data. You need to implement a solution that automatically classifies and protects the sensitive data in the database, with minimal manual intervention. The solution should integrate with Microsoft Purview. What should you use?

Question 182 (medium, multiple choice)

Your company stores sensitive customer data in Azure Blob Storage. You need to ensure that data at rest is encrypted using a customer-managed key stored in Azure Key Vault. The key must be automatically rotated every 90 days. Which Azure policy should you configure to enforce this requirement?

Question 183 (easy, multiple choice)

You are deploying a virtual machine that will host a legacy application. The application writes temporary files to the local disk. You must ensure that any data written to the temporary disk is encrypted at rest with a platform-managed key. What should you do?

Question 184 (hard, multiple choice)

You are designing a secure Azure SQL Database deployment. The database must support real-time analytics and reporting without impacting the performance of the transactional workload. You need to ensure that the reporting queries have an isolated copy of the data that is automatically kept up to date. The solution must also encrypt the data at rest using a customer-managed key. What should you include in the design?

Question 185 (medium, multi select)

You have an Azure Cosmos DB account that stores sensitive data. You need to ensure that all data in transit between the client application and Cosmos DB is encrypted using TLS 1.2 or higher. Additionally, you want to enforce that only Azure services within the same region can access the Cosmos DB account. What two configurations should you implement? (Choose two.)

Question 186 (medium, multi select)

You are responsible for securing Azure Storage accounts that contain confidential documents. You need to implement a solution that prevents accidental deletion of storage accounts and ensures that deleted blobs can be recovered within 30 days. Which two actions should you take?

Question 187 (hard, multi select)

You are securing an Azure Kubernetes Service (AKS) cluster that runs a microservices application. You need to ensure that pods can only communicate with other pods in the same namespace, and that all egress traffic from the cluster is inspected for malicious content. Which three components should you include in the solution?

Question 188 (hard, multiple choice)

Refer to the exhibit. You are reviewing the Azure Policy definition shown. What does this policy do?

Exhibit

{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts"
      },
      {
        "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
        "equals": "Deny"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}

Question 189 (medium, multiple choice)

Refer to the exhibit. You are deploying an Azure Disk Encryption set with the ARM template snippet shown. What is the result of this configuration?

Exhibit

{
  "properties": {
    "encryption": {
      "keySource": "Microsoft.Keyvault",
      "keyvaultproperties": {
        "keyname": "MyCMK",
        "keyversion": "",
        "keyvaulturi": "https://mykeyvault.vault.azure.net/keys/MyCMK"
      },
      "infrastructureEncryption": "Enabled"
    }
  }
}

Question 190 (easy, multiple choice)

Refer to the exhibit. You run the PowerShell script shown. What is the effect on the storage account?

Exhibit

$config = New-AzStorageAccountManagementPolicyFilter -PrefixMatch 'logs' -BlobType 'blockBlob'
$action = Add-AzStorageAccountManagementPolicyAction -BaseBlobAction Delete -DaysAfterModificationGreaterThan 30
# A new rule is enabled unless -Disabled is passed; the cmdlet has no -Enabled parameter.
$rule = New-AzStorageAccountManagementPolicyRule -Name 'DeleteLogs' -Action $action -Filter $config
Set-AzStorageAccountManagementPolicy -ResourceGroupName 'rg1' -StorageAccountName 'st1' -Rule $rule

Question 191 (hard, multiple choice)

Your organization uses Microsoft Defender for Cloud to manage security posture. You have an Azure SQL Database that stores PII. You need to ensure that all sensitive columns are automatically discovered and classified. Additionally, you want to audit access to these columns. What should you configure?

Question 192 (easy, multiple choice)

You need to securely store connection strings and secrets for an Azure function app. The solution must automatically rotate the secrets every 90 days and provide audit logs for access. What should you use?

Question 193 (medium, multi select)

You are designing a backup strategy for Azure virtual machines. You need to ensure that backups are encrypted at rest and can be restored in a different Azure region in case of a regional disaster. Which two configurations should you use?

Question 194 (hard, multi select)

You are configuring security for an Azure Functions app that processes credit card numbers. You need to ensure that the function can securely access a storage account without storing any credentials in code or configuration, and that all data in the storage account is encrypted with a customer-managed key. Which three actions should you take?

Question 195 (easy, multiple choice)

You are deploying a web application that stores user-uploaded files in Azure Blob Storage. You need to ensure that only authenticated users can upload files, and that uploaded files are automatically scanned for malware. What should you use?

Question 196 (medium, multiple choice)

You have an Azure SQL Managed Instance that hosts a line-of-business application. The application requires that all connections use Windows Authentication. You need to ensure that the authentication is secure and that the managed instance can integrate with on-premises Active Directory. What should you configure?

Question 197 (medium, multiple choice)

You manage Azure Storage accounts for a healthcare organization. To comply with HIPAA, you need to ensure that all data at rest is encrypted and that access keys are rotated automatically every 90 days. What should you implement?

Question 198 (hard, multiple choice)

Your company uses Azure SQL Database with Microsoft Entra ID authentication. You need to restrict a user to only view data from the 'Sales' schema, without granting permissions to other schemas. What should you do?

Question 199 (easy, multiple choice)

You need to protect Azure VMs from ransomware by ensuring that encrypted file systems cannot be read by attackers. Which solution should you implement?

Question 200 (medium, multiple choice)

Your company has a policy to disable TLS versions older than 1.2 for Azure Storage accounts. You configure the minimum TLS version setting to 1.2. After a week, an audit reveals that some clients are still connecting with TLS 1.0. What is the most likely reason?

Question 201 (hard, multiple choice)

You are designing a secure data solution for a financial services company. Data must be encrypted at rest and in transit. Additionally, you need to prevent administrators from accessing the encryption keys. What should you use?

Question 202 (medium, multiple choice)

You have an Azure SQL Database that contains sensitive customer data. You need to ensure that database administrators (DBAs) cannot view the data in the 'CreditCard' column. What should you implement?

Question 203 (easy, multiple choice)

You need to ensure that only approved applications can access your Azure storage account. What should you configure?

Question 204 (hard, multiple choice)

Your organization uses Azure Cosmos DB with API for MongoDB. You need to encrypt data at rest using a customer-managed key stored in Azure Key Vault, and you must ensure that the key is automatically rotated every year. What should you do?

Question 205 (medium, multiple choice)

You need to protect Azure VM disks from unauthorized snapshot creation. Which configuration should you implement?

Question 206 (medium, multi select)

Which two actions should you take to secure Azure Storage accounts against data exfiltration?

Question 207 (hard, multi select)

Which three security configurations should you apply to an Azure SQL Database to meet a requirement for data protection at rest and in transit?

Question 208 (easy, multi select)

Which two options are valid methods to authenticate to Azure Storage from on-premises servers?

Question 209 (hard, multiple choice)

Refer to the exhibit. You have an Azure Storage account with the encryption configuration shown. Users report that they cannot upload files to the storage account. What is the most likely cause?

Exhibit

{
  "properties": {
    "encryption": {
      "keySource": "Microsoft.Keyvault",
      "keyvaultproperties": {
        "keyname": "MyKey",
        "keyversion": "c3910b4a7a924e6e8f9a1b2c3d4e5f6g",
        "keyvaulturi": "https://myvault.vault.azure.net/keys/MyKey/"
      }
    }
  }
}

Question 210 (medium, multiple choice)

You are a security engineer for Contoso Ltd., a multinational company that uses Azure extensively. The company has a custom line-of-business application hosted on Azure VMs. The application stores sensitive customer data in Azure SQL Database. The security policy requires: (1) All data at rest must be encrypted using customer-managed keys stored in Azure Key Vault. (2) Encryption keys must be rotated automatically every 90 days. (3) Access to the keys must be audited. (4) The application must not have direct access to the key vault; only Azure services should access keys on behalf of the application. You need to recommend a solution. What should you do?

Question 211 (hard, multiple choice)

You work for a financial institution that uses Azure Cosmos DB with API for NoSQL to store transaction data. The security requirements mandate: (1) All data at rest must be encrypted using customer-managed keys (CMK) stored in Azure Key Vault. (2) The encryption keys must be automatically rotated every 60 days. (3) Network access to the Cosmos DB account must be restricted to only specific virtual networks. (4) Access to the keys must be logged and monitored. (5) The Cosmos DB account must be configured to use private endpoints. You have configured the Cosmos DB account with CMK and private endpoints. However, after setting up automatic key rotation in Key Vault, the Cosmos DB account starts returning 403 (Forbidden) errors for some requests. What is the most likely cause?

Question 212 (easy, multiple choice)

You need to ensure that all data at rest in an Azure Storage account is encrypted using a customer-managed key. Which feature should you enable?

Question 213 (medium, multiple choice)

A company has an Azure SQL Database that contains sensitive financial data. They want to audit all successful and failed login attempts for the database. What should they configure?

Question 214 (hard, multiple choice)

Your organization uses Azure Files shares for user home directories. You need to enforce that users access these shares only from trusted locations (corporate IP ranges) and that all access is logged. Which combination of actions should you take?

Question 215 (medium, multiple choice)

You are designing a backup strategy for Azure Virtual Machines that host a critical database. Compliance requires that backups be stored in a separate Azure region and be immutable for 90 days. What should you use?

Question 216 (hard, multiple choice)

A company uses Azure Cosmos DB with SQL API to store user profiles. They need to ensure that only authorized applications can access the data, and that the data is encrypted in transit and at rest. Currently, the application uses a master key to connect. What should they implement to improve security?

Question 217 (medium, multiple choice)

Your organization stores sensitive documents in Azure Blob Storage. You need to prevent data exfiltration by ensuring that authorized users can only access blobs from within the corporate network, and that any attempt to download blobs from outside the network is blocked. What should you configure?

Question 218 (easy, multiple choice)

You need to ensure that Azure SQL Database automatically detects and alerts on potential SQL injection attacks. Which Microsoft Defender for Cloud plan should you enable?

Question 219 (medium, multi select)

Which TWO actions should you take to secure managed database backups in Azure SQL Managed Instance?

Question 220 (hard, multi select)

Which THREE measures should you implement to secure a Linux virtual machine running a web application on Azure?

Question 221 (medium, multi select)

Which TWO configurations are required to ensure that an Azure Storage account is accessible only via HTTPS and that access keys are not used?

Question 222 (medium, multiple choice)

Refer to the exhibit. You have an Azure Disk Encryption policy assignment. An administrator reports that encryption of a new VM fails. What is the most likely cause?

Exhibit

{
  "properties": {
    "encryption": {
      "keySource": "Microsoft.Keyvault",
      "keyvaultproperties": {
        "keyname": "MyDiskEncryptionKey",
        "keyversion": "a1b2c3d4e5f6...",
        "keyvaulturi": "https://mykeyvault.vault.azure.net/"
      }
    }
  }
}

Question 223 (hard, multiple choice)

Refer to the exhibit. You are implementing an Azure Policy to enforce encryption on managed disks. A user reports that they cannot create a VM even though they specified a disk encryption set. What is the most likely reason?

Exhibit

{
  "properties": {
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.diskEncryptionSet.id",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

Question 224 (hard, multiple choice)

You are the security engineer for a healthcare company that uses Azure to store electronic health records (EHR) in Azure Blob Storage. Compliance requires that all data be encrypted at rest with customer-managed keys stored in a hardware security module (HSM), that the storage account be accessible only from a specific virtual network, and that all access to the storage account be logged and sent to a central security information and event management (SIEM) system. Additionally, you must ensure that any blobs containing protected health information (PHI) are automatically labeled with a sensitivity label that prevents them from being shared externally. You have decided to use Azure Key Vault Managed HSM for key storage, Azure Private Endpoint for network access, and Azure Monitor for logging. However, you are unsure how to automatically apply sensitivity labels to blobs based on content inspection. Which service should you use to achieve automatic labeling of PHI data in Azure Blob Storage?

Question 225 (medium, multiple choice)

Your organization runs a critical application on Azure Virtual Machines (VMs) that processes credit card transactions. Compliance with PCI DSS requires that all cardholder data be encrypted at rest and that the encryption keys be stored in a FIPS 140-2 Level 3 validated hardware security module (HSM). You have chosen to use Azure Disk Encryption with customer-managed keys stored in Azure Key Vault Managed HSM. During a security review, you discover that the VMs are using unmanaged disks. You need to migrate them to managed disks without downtime and ensure that encryption is applied. You also need to maintain the existing encryption keys and ensure that the encryption set is in the same region as the VMs. What should you do?

Question 226 (easy, multiple choice)

Your company uses Azure SQL Database for a line-of-business application. The security team requires that all queries executed against the database be audited, including the actual query text, and that the audit logs be retained for one year. You configure auditing to store logs in an Azure Storage account with a retention policy of 365 days. However, after some time, you notice that the audit logs are being deleted after only 30 days. You verify that the storage account's retention policy is set to 365 days and that the audit configuration is correct. What is the most likely cause of the logs being deleted prematurely?

Question 227 (easy, multi select)

You need to restrict access to a storage account containing sensitive financial data. The storage account is used by multiple Azure VMs and Azure App Service web apps. Only authorized applications and users should be able to access the storage account. Which TWO options should you implement?

Question 228 (medium, multi select)

Your company is deploying a new application on Azure Kubernetes Service (AKS). The application needs to read and write data to an Azure Storage account. Security requirements mandate that no storage account keys or connection strings be stored in the application code or configuration files. Which TWO actions should you take?

Question 229 (medium, multi select)

You are designing security for an Azure SQL Database that will store personally identifiable information (PII). The database will be accessed by multiple applications, some of which are legacy and cannot use Azure AD authentication. Your requirements include: encrypting data at rest, encrypting data in transit, and dynamically masking PII columns for non-privileged users. Which THREE features should you implement?

Question 230 (medium, multiple choice)

Your organization uses Microsoft Defender for Cloud to assess the security posture of Azure resources. A recent assessment shows that a standard-tier storage account (storageaccount1) used for backup data has the following findings: 1) 'Storage account should use a private endpoint' is unhealthy; 2) 'Storage account should use customer-managed keys (CMK) for encryption' is healthy; 3) 'Storage account should restrict network access' is unhealthy; 4) 'Storage account should enable soft delete for blobs' is healthy. Management requires that all storage accounts used for backup be protected against accidental deletion and have network access restricted to a specific virtual network (vnet-backup). Currently, the storage account is accessible from all networks. You need to remediate the unhealthy findings while maintaining the healthy status of the other controls. Which combination of actions should you take?

Question 231 (hard, multiple choice)

Your company is migrating a legacy on-premises application to Azure VMs. The application writes log files to a local folder. You need to collect these logs centrally for security analysis using Microsoft Sentinel. The application runs on Windows Server 2022 and is expected to generate about 50 GB of logs per day. The security team requires that logs be encrypted at rest and in transit, and that log collection has minimal latency. You set up Azure Monitor Agent (AMA) on the VM and configure a Data Collection Rule (DCR) to stream custom logs to a Log Analytics workspace. However, after 24 hours, no custom logs appear in the workspace. The AMA is reporting as healthy. You need to troubleshoot and resolve the issue. What is the most likely cause?

Question 232 (medium, multiple choice)

You are the security administrator for a company that uses Azure Blob Storage to store sensitive documents. You need to ensure that all blob data is encrypted at rest using customer-managed keys (CMK) stored in Azure Key Vault. You have enabled encryption with CMK on the storage account. However, after a key rotation in Key Vault, you notice that newly uploaded blobs are encrypted with the new key, but existing blobs are still encrypted with the old key. You need to ensure that all blobs are re-encrypted with the new key. What should you do?

Question 233 (hard, multiple choice)

Your organization has an Azure SQL Database that stores credit card numbers. The compliance team requires that credit card numbers be encrypted at rest and that only authorized applications can decrypt the data. The applications access the database using different service principals. You decide to implement Always Encrypted with secure enclaves. You create a column master key (CMK) in Azure Key Vault and a column encryption key (CEK) for the credit card column. You configure the column with deterministic encryption. However, after deployment, the applications report that they cannot insert or query the encrypted column. The error indicates that the column cannot be decrypted. You verify that the applications have the necessary permissions to access the CMK in Key Vault. What is the most likely cause of the issue?

Question 234 (easy, multiple choice)

Your company uses Azure Files shares for user home directories. Security policy requires that all data be encrypted at rest and in transit. You have enabled encryption at rest using Azure Storage Service Encryption (SSE). For encryption in transit, you require SMB clients to use SMB 3.0 or later with encryption. You configure the storage account to require secure transfer. A user reports that they cannot mount the file share from a Windows 10 machine that is not domain-joined. The user can mount other file shares without issues. What is the most likely reason for the failure?

Question 235 (hard, multiple choice)

Your organization has an Azure Cosmos DB account that stores IoT telemetry data. The data is ingested from multiple devices and is time-sensitive. Security requirements mandate that all data be encrypted at rest using customer-managed keys (CMK) stored in Azure Key Vault. You configure CMK for the Cosmos DB account. After a security incident, you need to revoke access to the data immediately by disabling the CMK in Key Vault. However, you find that data can still be read from Cosmos DB. You need to ensure that disabling the key renders the data inaccessible. What should you do?

Question 236 • medium • multiple choice

Your company uses Azure Managed Disks for VMs running a production database. The disks are encrypted with Azure Disk Encryption (ADE) using Azure Key Vault. Security policy requires that all encryption keys be rotated every 90 days. You have automated key rotation in Key Vault. However, after rotating the key, you find that the disks are still using the old key. You need to ensure that the disks use the new key after rotation. What should you do?

Question 237 • medium • multiple choice

Your organization uses Azure Storage to host sensitive financial data. You need to ensure that all access to the storage account is encrypted in transit and that access keys are rotated automatically every 90 days. You also need to prevent access from public IP addresses. Which combination of configurations should you implement?

Question 238 • hard • multiple choice

Your company has a large number of Azure SQL databases that contain personally identifiable information (PII). You need to classify and protect sensitive columns across all databases. The solution must automatically discover and label sensitive data, and enable auditing of access to that data. What should you implement?

Question 239 • easy • multiple choice

You need to secure a Linux virtual machine running a web application in Azure. The solution must ensure that only traffic on port 443 (HTTPS) is allowed from the internet, and that SSH access is restricted to a management subnet. What should you configure?

Question 240 • hard • multiple choice

Your organization uses Azure Kubernetes Service (AKS) for containerized workloads. You need to ensure that only approved container images from a private Azure Container Registry (ACR) can run in the cluster. The solution must also enforce that pods run with least privilege. What should you configure?

Question 241 • medium • multi select

Your company plans to use Azure SQL Managed Instance to store customer data. You need to comply with regulatory requirements for data encryption at rest and in transit, and you must ensure that only authorized applications can access the database. Which TWO actions should you take? (Choose two.)

Question 242 • medium • multiple choice

You are reviewing an Azure Policy definition. You need to determine the effect of this policy when a user attempts to create a new storage account with 'Secure transfer required' set to 'Disabled'. What happens?

Exhibit

Refer to the exhibit.

{
  "properties": {
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
            "equals": "false"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

Question 243 • hard • multiple choice

You are the Azure Security Engineer for a financial services company. The company has a multi-tier application deployed on Azure Virtual Machines (VMs) in a hub-spoke network topology. The application consists of web servers, application servers, and database servers. The database servers run SQL Server on Windows Server 2022 and store sensitive financial data. Compliance requires that all data at rest be encrypted using customer-managed keys (CMK) stored in Azure Key Vault. Additionally, all network traffic between tiers must be encrypted, and the database must be accessible only from the application servers. You have the following resources: a Key Vault with an HSM-backed key (key1) for disk encryption, and a Key Vault with a software-protected key (key2) for SQL Server TDE. Current configuration: The web servers are in subnet A, application servers in subnet B, and database servers in subnet C. Network Security Groups (NSGs) allow traffic from subnet B to subnet C on TCP 1433. The database servers are not using TDE. You need to implement the required security controls. What should you do first?
