Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


AZ-500 Secure compute, storage, and databases Practice Questions

20+ practice questions focused on Secure compute, storage, and databases — one of the most tested topics on the Microsoft Azure Security Engineer Associate AZ-500 exam. Each question includes a detailed explanation so you learn why the right answer is correct.


Sample Secure compute, storage, and databases Questions

1.

A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server is in the same region and has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. However, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required to allow the SQL server to access the Key Vault for TDE operations?

A. Configure a private endpoint for the SQL server to the Key Vault.
B. Enable the 'Allow trusted Microsoft services to bypass the firewall' setting on the Key Vault.
C. Change the Key Vault firewall to allow all Azure services.
D. Create a VNet service endpoint for Microsoft.KeyVault on the SQL server's subnet.

Explanation: Option B is correct because when Azure Key Vault has a firewall that denies all public network access, the 'Allow trusted Microsoft services to bypass this firewall' setting is required for Azure SQL Database (a trusted Microsoft service) to authenticate using its system-assigned managed identity and access the customer-managed key for TDE. This setting allows the SQL server to reach the Key Vault over the Microsoft backbone network without requiring a private endpoint or VNet integration, as the service is explicitly trusted by Azure.

2.

A company stores sensitive files in Azure Files shares. They require that data is encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault, and that all client connections use SMB 3.0 encryption for end-to-end encryption in transit. They create a premium Azure Files share in a storage account and configure encryption at rest with a CMK. However, clients are unable to connect without SMB encryption. What additional configuration is necessary to enforce SMB encryption for all connections?

A. No additional configuration is needed; Azure Files uses SMB encryption by default and cannot be disabled.
B. Enable 'Secure transfer required' in the storage account's configuration to enforce SMB 3.0 encryption.
C. Configure a network security group (NSG) rule to block SMB traffic on port 445 that does not use encryption.
D. Set the Azure Files share to use the 'Premium' performance tier; encryption is only available on premium shares.

Explanation: Option B is correct because enabling 'Secure transfer required' on the storage account enforces that all client connections use SMB 3.0 with encryption, which is necessary for end-to-end encryption in transit. Even though encryption at rest is configured with a CMK, the storage account does not automatically require encrypted connections; this setting explicitly denies unencrypted SMB 2.1 or SMB 3.0 without encryption.

3.

A company stores sensitive files in Azure Files shares. They require encryption at rest using customer-managed keys (CMK) and encryption in transit using SMB 3.0 encryption. They have created a premium Azure Files share in a storage account and configured encryption at rest with a CMK. However, clients are able to connect without enforcing SMB encryption. What additional configuration is necessary to ensure that all connections to the file share are encrypted in transit?

A. Enable the 'Secure transfer required' property on the storage account.
B. Configure a network security group (NSG) to allow only encrypted traffic.
C. Set the minimum SMB protocol version to 3.0 on the file share.
D. Create a service endpoint for the storage account.

Explanation: Enabling the 'Secure transfer required' property on the storage account enforces encryption in transit for all client connections, including SMB 3.0 encryption for Azure Files. Without this setting, clients can connect using unencrypted SMB 2.1 or SMB 3.0 without encryption, even if the file share itself supports encryption. This property is a storage account-level flag that rejects any request not using HTTPS or SMB 3.0 with encryption.

4.

A company uses Azure SQL Database with Transparent Data Encryption (TDE) and wants to use a customer-managed key (CMK) stored in Azure Key Vault. The security policy requires that the Key Vault be protected by a firewall and virtual network service endpoints to restrict network access. The storage account for TDE logs is in the same Azure region. Which additional configuration is necessary in the Key Vault to allow Azure SQL Database to access the CMK for encryption operations?

A. Add a network rule in the Key Vault firewall allowing the public IP range of the Azure SQL Database server.
B. Enable the 'Allow trusted Microsoft services to bypass this firewall' option in the Key Vault networking settings.
C. Create a private endpoint for the Key Vault and connect it to the same virtual network as the Azure SQL Database.
D. Configure the Key Vault to use role-based access control (RBAC) and assign the 'Key Vault Crypto Service Encryption User' role to the SQL Database server's managed identity.

Explanation: Option B is correct because Azure SQL Database uses TDE with CMK stored in Azure Key Vault, and when the Key Vault firewall is enabled with virtual network service endpoints, Azure SQL Database must be able to bypass the firewall to retrieve the key. The 'Allow trusted Microsoft services to bypass this firewall' setting permits Azure services like Azure SQL Database, which are considered trusted by Microsoft, to access the Key Vault even when network restrictions are in place. This is the only configuration that satisfies the security policy while enabling the necessary encryption operations.

5.

A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key stored in Azure Key Vault. The Key Vault has a firewall enabled that blocks all public network access. The SQL server has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. Despite this, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required?

A. Enable the Azure SQL Database server's firewall to allow Azure services to access the server.
B. Configure the Key Vault firewall to allow trusted Microsoft services to bypass the firewall.
C. Assign a user-assigned managed identity to the SQL server instead of a system-assigned identity.
D. Change the Key Vault firewall to allow all networks.

Explanation: The Key Vault firewall blocks all public network access, so even though the SQL server has the correct managed identity and role assignment, the connection is denied by the firewall. By enabling the 'Allow trusted Microsoft services to bypass this firewall' setting, Azure SQL Database (a trusted Microsoft service) can connect to the Key Vault without exposing it to the public internet. This is the required additional configuration to resolve the TDE access failure.


How to master Secure compute, storage, and databases for AZ-500

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Secure compute, storage, and databases. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Secure compute, storage, and databases questions on the AZ-500 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many AZ-500 Secure compute, storage, and databases questions are on the real exam?

The exact number varies per candidate. Secure compute, storage, and databases is tested as part of the Microsoft Azure Security Engineer Associate AZ-500 blueprint. Practicing with targeted Secure compute, storage, and databases questions ensures you can handle any format or difficulty that appears.

Are these AZ-500 Secure compute, storage, and databases practice questions free?

Yes. Courseiva provides free AZ-500 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Secure compute, storage, and databases one of the harder AZ-500 topics?

Difficulty is subjective, but Secure compute, storage, and databases is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.


Topic Info

Topic: Secure compute, storage, and databases
Exam: AZ-500
Questions available: 20+