- A. Configure a private endpoint for the SQL server to the Key Vault.
  Why wrong: While a private endpoint could provide connectivity, it is not necessary because Azure SQL Database is a trusted service that can be granted an exception to the Key Vault firewall. Using a private endpoint would also require additional networking setup and is not the simplest solution.
- B. Enable the 'Allow trusted Microsoft services to bypass the firewall' setting on the Key Vault.
  Why correct: This setting allows trusted Azure services, including Azure SQL Database, to access the Key Vault even when the firewall is enabled. Since the SQL server's managed identity already has the cryptographic role, this is the missing piece to allow TDE operations.
- C. Change the Key Vault firewall to allow all Azure services.
  Why wrong: Allowing all Azure services is a broader setting than necessary and could expose the Key Vault to other services. The trusted service exception is the recommended and more secure option.
- D. Create a VNet service endpoint for Microsoft.KeyVault on the SQL server's subnet.
  Why wrong: Service endpoints enable a more secure connection from a VNet to Azure services, but they do not grant permission for a trusted managed service to bypass the Key Vault firewall. The trusted service exception is required.
Quick Answer
The answer is to enable the 'Allow trusted Microsoft services to bypass the firewall' setting on the Key Vault. This is correct because when Azure Key Vault has a firewall that denies all public network access, it blocks all external traffic by default, including requests from Azure SQL Database. However, by enabling this bypass, Azure SQL Database—as a trusted Microsoft service—can authenticate using its system-assigned managed identity and reach the Key Vault over the Microsoft backbone network, allowing TDE with a customer-managed key to function without needing a private endpoint or VNet integration. On the AZ-500 exam, this scenario tests your understanding of how managed identities and Key Vault firewall exceptions work together for secure key access; a common trap is assuming a private endpoint is always required. Remember the mnemonic: "Trusted services bypass the firewall, no private endpoint required."
AZ-500 Secure compute, storage, and databases Practice Question
This AZ-500 practice question tests your understanding of secure compute, storage, and databases. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. A key principle to apply: Azure Key Vault firewalls block all public network access by default when enabled. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server is in the same region and has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. However, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required to allow the SQL server to access the Key Vault for TDE operations?
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
Enable the 'Allow trusted Microsoft services to bypass the firewall' setting on the Key Vault.
Option B is correct because when Azure Key Vault has a firewall that denies all public network access, the 'Allow trusted Microsoft services to bypass this firewall' setting is required for Azure SQL Database (a trusted Microsoft service) to authenticate using its system-assigned managed identity and access the customer-managed key for TDE. This setting allows the SQL server to reach the Key Vault over the Microsoft backbone network without requiring a private endpoint or VNet integration, as the service is explicitly trusted by Azure.
Key principle: Azure Key Vault firewalls block all public network access by default when enabled.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗ Configure a private endpoint for the SQL server to the Key Vault.
  Why it's wrong here: While a private endpoint could provide connectivity, it is not necessary because Azure SQL Database is a trusted service that can be granted an exception to the Key Vault firewall. Using a private endpoint would also require additional networking setup and is not the simplest solution.
- ✓ Enable the 'Allow trusted Microsoft services to bypass the firewall' setting on the Key Vault.
  Why this is correct: This setting allows trusted Azure services, including Azure SQL Database, to access the Key Vault even when the firewall is enabled. Since the SQL server's managed identity already has the cryptographic role, this is the missing piece to allow TDE operations.
  Related concept: Azure Key Vault firewalls block all public network access by default when enabled.
- ✗ Change the Key Vault firewall to allow all Azure services.
  Why it's wrong here: Allowing all Azure services is a broader setting than necessary and could expose the Key Vault to other services. The trusted service exception is the recommended and more secure option.
- ✗ Create a VNet service endpoint for Microsoft.KeyVault on the SQL server's subnet.
  Why it's wrong here: Service endpoints enable a more secure connection from a VNet to Azure services, but they do not grant permission for a trusted managed service to bypass the Key Vault firewall. The trusted service exception is required.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often assume a private endpoint or VNet service endpoint is always required for Key Vault access when firewalls are enabled, but they overlook the 'Allow trusted Microsoft services' bypass which is specifically designed for Azure PaaS services like SQL Database to access Key Vault without additional network configuration.
Detailed technical explanation
How to think about this question
Under the hood, the 'Allow trusted Microsoft services' setting leverages Azure's internal service-to-service authentication: the SQL server's managed identity presents a Microsoft Entra (OAuth 2.0) access token, and the Key Vault service recognises the caller as a trusted Microsoft resource, so the request is accepted over the Azure backbone without traversing public endpoints. This is distinct from network-based access controls such as private endpoints and service endpoints, which require explicit VNet integration and are not automatically available to PaaS services like Azure SQL Database unless they are configured with VNet injection or managed private endpoints. In real-world deployments this setting is critical for TDE with CMK when Key Vault firewalls are enabled, because it avoids the complexity of setting up private endpoints while still maintaining a security boundary: the caller must still present a valid managed-identity token and hold the appropriate Key Vault role on the key.
Key Concepts to Remember
- Azure Key Vault firewalls block all public network access by default when enabled.
- The 'Allow trusted Microsoft services to bypass the firewall' setting grants specific Azure services network access.
- Azure SQL Database is considered a trusted Microsoft service for Key Vault access.
- Managed identities provide authentication and the role assignment provides authorization; the trusted service bypass only grants network-level passage through the firewall.
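As an added configuration example (not code from the page or from Courseiva), the Key Concepts above expressed as a Bicep fragment: the vault's network ACLs deny everything by default, the trusted-services bypass is the one setting that lets the SQL server's managed identity reach the key through the firewall, and the 'Key Vault Crypto Service Encryption User' assignment at key scope supplies the authentication and authorization half. The vault name, SQL server name and key name are assumptions; the role definition GUID is the built-in role's ID from the Azure built-in roles list. Setting the `allowTrustedServices` parameter to `false` reproduces the failure in the question (correct role, blocked network path), which is useful for contrasting the two states.

```bicep
// Added example, not from the page. Resource names are placeholders.
param location string = resourceGroup().location
param keyVaultName string = 'kv-tde-example'      // assumed name
param sqlServerName string = 'sql-tde-example'    // assumed, existing server with system-assigned identity

// true  -> bypass: 'AzureServices' (the fix in the question)
// false -> bypass: 'None' (weak contrast: role is present, but the firewall still blocks SQL)
param allowTrustedServices bool = true

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    enableRbacAuthorization: true   // RBAC roles rather than access policies
    enableSoftDelete: true
    enablePurgeProtection: true     // TDE customer-managed keys require purge protection
    networkAcls: {
      defaultAction: 'Deny'         // firewall denies all public network access
      bypass: allowTrustedServices ? 'AzureServices' : 'None'
      ipRules: []                   // no public IP allow-list is needed for SQL
      virtualNetworkRules: []       // no service endpoint is needed for SQL
    }
  }
}

// The TDE protector key that Azure SQL Database will wrap/unwrap with.
resource tdeKey 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: kv
  name: 'tde-protector'            // assumed key name
  properties: {
    kty: 'RSA'
    keySize: 2048
  }
}

// Existing logical SQL server; its system-assigned identity is the caller.
resource sqlServer 'Microsoft.Sql/servers@2022-05-01-preview' existing = {
  name: sqlServerName
}

// Built-in role 'Key Vault Crypto Service Encryption User'.
var cryptoServiceEncryptionUserRoleId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  'e147488a-f6f5-4113-8e2d-b22465e65bf6'
)

// Assigned at the key scope, matching the scenario in the question.
resource keyRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(tdeKey.id, sqlServer.id, cryptoServiceEncryptionUserRoleId)
  scope: tdeKey
  properties: {
    roleDefinitionId: cryptoServiceEncryptionUserRoleId
    principalId: sqlServer.identity.principalId
    principalType: 'ServicePrincipal'
  }
}
```

The equivalent one-line change on an existing vault is `az keyvault update --name <vault> --default-action Deny --bypass AzureServices`; note that neither the role assignment nor the bypass is sufficient on its own, which is exactly the point the question is testing. Registering the key as the server's TDE protector is a separate step on the SQL server and is left out here.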
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Azure Key Vault firewalls block all public network access by default when enabled.
Real-world example
How this comes up in practice
A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.
What to study next
Got this wrong? Here's your next step.
Review the key principle (Azure Key Vault firewalls block all public network access by default when enabled), then practise related AZ-500 questions on the same topic to reinforce the concept.
- Secure compute, storage, and databases — study guide chapter: Learn the concepts, then practise the questions
- Secure compute, storage, and databases practice questions: Targeted practice on this topic area only
- All AZ-500 questions: 1,000 questions across all exam domains
- Microsoft Azure Security Engineer Associate AZ-500 study guide: Full concept coverage aligned to exam objectives
- AZ-500 practice test guide: How to use practice tests most effectively before exam day
Related practice questions
Related AZ-500 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Secure identity and access practice questions
Practise AZ-500 questions linked to Secure identity and access.
Secure compute, storage, and databases practice questions
Practise AZ-500 questions linked to Secure compute, storage, and databases.
Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel practice questions
Practise AZ-500 questions linked to Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel.
Manage identity and access practice questions
Practise AZ-500 questions linked to Manage identity and access.
Secure networking practice questions
Practise AZ-500 questions linked to Secure networking.
AZ-500 fundamentals practice questions
Practise AZ-500 questions linked to AZ-500 fundamentals.
AZ-500 scenario practice questions
Practise AZ-500 questions linked to AZ-500 scenario.
AZ-500 troubleshooting practice questions
Practise AZ-500 questions linked to AZ-500 troubleshooting.
Practice this exam
Start a free AZ-500 practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this AZ-500 question test?
This question tests Secure compute, storage, and databases: Azure Key Vault firewalls block all public network access by default when enabled.
What is the correct answer to this question?
The correct answer is: Enable the 'Allow trusted Microsoft services to bypass the firewall' setting on the Key Vault. — Option B is correct because when Azure Key Vault has a firewall that denies all public network access, the 'Allow trusted Microsoft services to bypass this firewall' setting is required for Azure SQL Database (a trusted Microsoft service) to authenticate using its system-assigned managed identity and access the customer-managed key for TDE. This setting allows the SQL server to reach the Key Vault over the Microsoft backbone network without requiring a private endpoint or VNet integration, as the service is explicitly trusted by Azure.
What should I do if I get this AZ-500 question wrong?
Review the key principle (Azure Key Vault firewalls block all public network access by default when enabled), then practise related AZ-500 questions on the same topic to reinforce the concept.
What is the key concept behind this question?
Azure Key Vault firewalls block all public network access by default when enabled.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps.
Same concept, more angles
6 more ways this is tested on AZ-500
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key stored in Azure Key Vault. The Key Vault has a firewall enabled that blocks all public network access. The SQL server has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. Despite this, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required?
Difficulty: hard
- A. Enable the Azure SQL Database server's firewall to allow Azure services to access the server.
- ✓ B. Configure the Key Vault firewall to allow trusted Microsoft services to bypass the firewall.
- C. Assign a user-assigned managed identity to the SQL server instead of a system-assigned identity.
- D. Change the Key Vault firewall to allow all networks.
Why B: The Key Vault firewall blocks all public network access, so even though the SQL server has the correct managed identity and role assignment, the connection is denied by the firewall. By enabling the 'Allow trusted Microsoft services to bypass this firewall' setting, Azure SQL Database (a trusted Microsoft service) can connect to the Key Vault without exposing it to the public internet. This is the required additional configuration to resolve the TDE access failure.
Variation 2. A company uses Azure SQL Database with Transparent Data Encryption (TDE) and a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall that blocks all public access. The SQL server is a managed service that needs to access the key to perform TDE operations. The Key Vault is in the same Azure region as the SQL server. Which additional configuration is needed?
Difficulty: hard
- ✓ A. Enable 'Allow trusted Microsoft services to bypass this firewall' in the Key Vault firewall settings
- B. Configure a service endpoint for Microsoft.KeyVault on the SQL server's subnet
- C. Assign the SQL server's server identity the 'Contributor' role on the Key Vault
- D. Create a private endpoint for the Key Vault in the SQL server's virtual network
Why A: When Azure Key Vault has a firewall that blocks all public access, Azure services like SQL Database that need to access the key for TDE operations must be explicitly allowed. Enabling 'Allow trusted Microsoft services to bypass this firewall' permits the SQL server's managed service identity to authenticate and retrieve the CMK from Key Vault, even when public network access is denied. This setting is required because the SQL server, as a platform-as-a-service (PaaS) resource, does not reside in a virtual network by default and cannot use a private endpoint or service endpoint without additional networking configuration.
Variation 3. A company uses Azure SQL Database with Transparent Data Encryption (TDE) using a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server has a system-assigned managed identity assigned the 'Key Vault Crypto Service Encryption User' role. However, TDE operations are failing because the SQL server cannot access the Key Vault. What additional configuration is needed?
Difficulty: medium
- ✓ A. Enable the Key Vault firewall to allow trusted Microsoft services
- B. Create a private endpoint for the SQL server to access the Key Vault
- C. Enable public network access on the Key Vault
- D. Assign the SQL server's managed identity the 'Reader' role on the Key Vault
Why A: When Azure Key Vault has its firewall enabled to deny all public network access, it blocks all traffic, including requests from Azure SQL Database. By enabling the 'Allow trusted Microsoft services' exception, Azure Key Vault permits specific Azure platform services (like Azure SQL Database) to bypass the firewall, provided the service authenticates using a managed identity with appropriate permissions. This setting is essential for TDE with CMK because the SQL server's system-assigned managed identity must reach the Key Vault to unwrap the encryption key, even when public access is disabled.
Variation 4. A company uses Azure SQL Database with Transparent Data Encryption (TDE) encrypted using a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault is protected by a firewall and virtual network service endpoints. The storage account used for TDE logs is in the same Azure region. What additional configuration is necessary in the Key Vault to allow Azure SQL Database to access the CMK for TDE operations?
Difficulty: medium
- ✓ A. Enable 'Allow trusted Microsoft services to bypass this firewall' in the Key Vault firewall settings.
- B. Disable public network access on the Key Vault.
- C. Add the SQL Database server's system-assigned managed identity to the Key Vault access policy.
- D. Enable soft-delete on the Key Vault.
Why A: Azure SQL Database uses TDE with a customer-managed key stored in Key Vault. When the Key Vault has a firewall enabled, Azure SQL Database must be able to bypass that firewall to access the key. Enabling 'Allow trusted Microsoft services to bypass this firewall' is required because Azure SQL Database is a trusted Microsoft service that needs to reach the Key Vault endpoint for TDE operations, even when the firewall blocks public network access.
Variation 5. A company uses Azure SQL Database with Transparent Data Encryption (TDE) encrypted using a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault is protected by a firewall that denies all public access. The SQL server must be able to access the key for TDE operations. Which additional configuration is necessary in the Key Vault to allow this?
Difficulty: hard
- A. Configure a private endpoint for the Key Vault and assign it to the SQL server's virtual network.
- B. Enable soft-delete on the Key Vault.
- ✓ C. Enable the 'Allow trusted Microsoft services to bypass this firewall' setting.
- D. Add a firewall rule to allow traffic from the Azure SQL Database's public IP address.
Why C: Option C is correct because when Azure Key Vault is protected by a firewall that denies all public access, the Azure SQL Database service (a trusted Microsoft service) must be explicitly allowed to bypass the firewall to retrieve the customer-managed key for TDE operations. Enabling the 'Allow trusted Microsoft services to bypass this firewall' setting permits the SQL server's managed identity to authenticate and access the key vault without requiring a public IP address or network rule.
Variation 6. A company uses Azure SQL Database with Transparent Data Encryption (TDE) and wants to use a customer-managed key (CMK) stored in Azure Key Vault. The security policy requires that the Key Vault be protected by a firewall and virtual network service endpoints to restrict network access. The storage account for TDE logs is in the same Azure region. Which additional configuration is necessary in the Key Vault to allow Azure SQL Database to access the CMK for encryption operations?
Difficulty: hard
- A. Add a network rule in the Key Vault firewall allowing the public IP range of the Azure SQL Database server.
- ✓ B. Enable the 'Allow trusted Microsoft services to bypass this firewall' option in the Key Vault networking settings.
- C. Create a private endpoint for the Key Vault and connect it to the same virtual network as the Azure SQL Database.
- D. Configure the Key Vault to use role-based access control (RBAC) and assign the 'Key Vault Crypto Service Encryption User' role to the SQL Database server's managed identity.
Why B: Option B is correct because Azure SQL Database uses TDE with CMK stored in Azure Key Vault, and when the Key Vault firewall is enabled with virtual network service endpoints, Azure SQL Database must be able to bypass the firewall to retrieve the key. The 'Allow trusted Microsoft services to bypass this firewall' setting permits Azure services like Azure SQL Database, which are considered trusted by Microsoft, to access the Key Vault even when network restrictions are in place. This is the only configuration that satisfies the security policy while enabling the necessary encryption operations.
Keep practising
More AZ-500 practice questions
- A public web application should be protected from OWASP-style attacks and network-layer DDoS attacks. Which two Azure se…
- A security analyst uses Microsoft Defender for Cloud. They want to view a list of all security recommendations for their…
- A company uses Azure AD B2B collaboration to invite external vendors. They want to restrict the vendors to only be able…
- A company uses Defender for Servers Plan 2. Which two capabilities are included compared with a basic posture-only confi…
- A Sentinel detection should enrich alerts with business-critical asset context. Which two mechanisms are appropriate?
- A company uses Microsoft Defender for Cloud to manage its security posture. The compliance team wants to monitor the sub…
Last reviewed: Jun 11, 2026
This AZ-500 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-500 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.