20+ practice questions focused on Secure compute, storage, and databases — one of the most tested topics on the Microsoft Azure Security Engineer Associate AZ-500 exam. Each question includes a detailed explanation so you learn why the right answer is correct.
A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server is in the same region and has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. However, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required to allow the SQL server to access the Key Vault for TDE operations?
Explanation: Option B is correct because when Azure Key Vault has a firewall that denies all public network access, the 'Allow trusted Microsoft services to bypass this firewall' setting is required for Azure SQL Database (a trusted Microsoft service) to authenticate using its system-assigned managed identity and access the customer-managed key for TDE. This setting allows the SQL server to reach the Key Vault over the Microsoft backbone network without requiring a private endpoint or VNet integration, as the service is explicitly trusted by Azure.
A company stores sensitive files in Azure Files shares. They require that data is encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault, and that all client connections use SMB 3.0 encryption for end-to-end encryption in transit. They create a premium Azure Files share in a storage account and configure encryption at rest with a CMK. However, clients are unable to connect without SMB encryption. What additional configuration is necessary to enforce SMB encryption for all connections?
Explanation: Option B is correct because enabling 'Secure transfer required' on the storage account enforces that all client connections use SMB 3.0 with encryption, which is necessary for end-to-end encryption in transit. Even though encryption at rest is configured with a CMK, the storage account does not automatically require encrypted connections; this setting explicitly denies unencrypted SMB 2.1 or SMB 3.0 without encryption.
A company stores sensitive files in Azure Files shares. They require encryption at rest using customer-managed keys (CMK) and encryption in transit using SMB 3.0 encryption. They have created a premium Azure Files share in a storage account and configured encryption at rest with a CMK. However, clients are able to connect without enforcing SMB encryption. What additional configuration is necessary to ensure that all connections to the file share are encrypted in transit?
Explanation: Enabling the 'Secure transfer required' property on the storage account enforces encryption in transit for all client connections, including SMB 3.0 encryption for Azure Files. Without this setting, clients can connect using unencrypted SMB 2.1 or SMB 3.0 without encryption, even if the file share itself supports encryption. This property is a storage account-level flag that rejects any request not using HTTPS or SMB 3.0 with encryption.
A company uses Azure SQL Database with Transparent Data Encryption (TDE) and wants to use a customer-managed key (CMK) stored in Azure Key Vault. The security policy requires that the Key Vault be protected by a firewall and virtual network service endpoints to restrict network access. The storage account for TDE logs is in the same Azure region. Which additional configuration is necessary in the Key Vault to allow Azure SQL Database to access the CMK for encryption operations?
Explanation: Option B is correct because Azure SQL Database uses TDE with CMK stored in Azure Key Vault, and when the Key Vault firewall is enabled with virtual network service endpoints, Azure SQL Database must be able to bypass the firewall to retrieve the key. The 'Allow trusted Microsoft services to bypass this firewall' setting permits Azure services like Azure SQL Database, which are considered trusted by Microsoft, to access the Key Vault even when network restrictions are in place. This is the only configuration that satisfies the security policy while enabling the necessary encryption operations.
A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key stored in Azure Key Vault. The Key Vault has a firewall enabled that blocks all public network access. The SQL server has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. Despite this, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required?
Explanation: The Key Vault firewall blocks all public network access, so even though the SQL server has the correct managed identity and role assignment, the connection is denied by the firewall. By enabling the 'Allow trusted Microsoft services to bypass this firewall' setting, Azure SQL Database (a trusted Microsoft service) can connect to the Key Vault without exposing it to the public internet. This is the required additional configuration to resolve the TDE access failure.
+15 more Secure compute, storage, and databases questions available
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Secure compute, storage, and databases. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Secure compute, storage, and databases questions on the AZ-500 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Secure compute, storage, and databases is tested as part of the Microsoft Azure Security Engineer Associate AZ-500 blueprint. Practicing with targeted Secure compute, storage, and databases questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free AZ-500 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Secure compute, storage, and databases is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.