Question 611 of 1,000
Secure compute, storage, and databases · hard · Multiple Choice · Objective-mapped

Quick Answer

The answer is to enable the 'Allow trusted Microsoft services to bypass this firewall' setting on the Key Vault. With the firewall set to deny public network access, Key Vault refuses every request that does not match an IP rule, a virtual network rule, or the trusted-services exception, and that includes requests from Azure SQL Database, which has no IP address or subnet of yours to list. Enabling the bypass lets Azure SQL Database, as a trusted Microsoft service, reach the vault. The bypass changes nothing about identity: the server still authenticates with its system-assigned managed identity and is still authorized only by the role already assigned on the key, so no private endpoint or VNet integration is needed. On the AZ-500 exam this scenario tests how managed identities and Key Vault firewall exceptions work together for secure key access; the common trap is assuming a private endpoint is always required. Remember the mnemonic: "Trusted services bypass the firewall, no private endpoint required."

AZ-500 Secure compute, storage, and databases Practice Question

This AZ-500 practice question tests your understanding of secure compute, storage, and databases. The scenario asks you to isolate a root cause: eliminate the options that solve a different problem before choosing. A key principle to apply: when an Azure Key Vault firewall is enabled (Selected networks), its default action is Deny, so any public request that matches no rule or exception is blocked. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server is in the same region and has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. However, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required to allow the SQL server to access the Key Vault for TDE operations?

Correct answer & explanation

Enable the 'Allow trusted Microsoft services to bypass the firewall' setting on the Key Vault.

Option B is correct. A Key Vault firewall that denies public network access rejects any request that does not match an IP rule, a virtual network rule, or the trusted-services exception; the caller gets 403 Forbidden with the inner error code ForbiddenByFirewall ("Client address is not authorized and caller is not a trusted service"). Azure SQL Database is on Microsoft's list of trusted services, so enabling 'Allow trusted Microsoft services to bypass this firewall' lets the SQL server through the network layer while the firewall stays closed to everything else. The bypass changes nothing about identity: the server still authenticates with its system-assigned managed identity and is authorized by the 'Key Vault Crypto Service Encryption User' role already assigned on the key (get, wrapKey and unwrapKey), and the vault must still have soft delete and purge protection enabled to hold a TDE protector. No private endpoint or VNet integration is needed, and the logical server could not use one anyway because it has no presence in your virtual network.

Key principle: Azure Key Vault firewalls block all public network access by default when enabled.
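The repair described above, written out with Az PowerShell as an added example (not code from the original page or from Microsoft). It assumes the Az.KeyVault, Az.Sql and Az.Resources modules and a signed-in subscription; the resource names are placeholders.

```powershell
# Added example, not code from the original page. Az PowerShell (Az.KeyVault, Az.Sql,
# Az.Resources) against a signed-in subscription. Resource names are assumptions.
$rg      = 'rg-data-prod'      # assumed resource group
$vault   = 'kv-tde-prod'       # assumed Key Vault name
$sqlSrv  = 'sql-prod-01'       # assumed Azure SQL logical server name
$keyName = 'tde-protector'     # assumed name of the TDE protector key in the vault

# 1. Look at the network rule set. DefaultAction Deny with Bypass None is the failing
#    state in the question: only listed IPs and subnets get in, and the SQL server has
#    neither an IP address nor a subnet of yours to list.
$kv = Get-AzKeyVault -ResourceGroupName $rg -VaultName $vault
$kv.NetworkAcls | Format-List DefaultAction, Bypass, IpAddressRanges, VirtualNetworkResourceIds

# 2. Keep the firewall closed (Deny) and add the trusted-services exception.
Update-AzKeyVaultNetworkRuleSet -ResourceGroupName $rg -VaultName $vault `
    -DefaultAction Deny -Bypass AzureServices

# 3. The bypass is only a network exception; the server identity still needs the
#    cryptographic role on the key. Confirm it at key scope and add it only if missing.
$principalId = (Get-AzSqlServer -ResourceGroupName $rg -ServerName $sqlSrv).Identity.PrincipalId
$keyScope = "$($kv.ResourceId)/keys/$keyName"    # ARM id of the key, not its https:// URI
$role = 'Key Vault Crypto Service Encryption User'
if (-not (Get-AzRoleAssignment -ObjectId $principalId -Scope $keyScope -RoleDefinitionName $role)) {
    New-AzRoleAssignment -ObjectId $principalId -Scope $keyScope -RoleDefinitionName $role | Out-Null
}

# 4. A TDE protector in Key Vault also requires soft delete and purge protection on the vault.
if (-not $kv.EnablePurgeProtection) {
    Update-AzKeyVault -ResourceGroupName $rg -VaultName $vault -EnablePurgeProtection
}

# 5. Re-apply the protector: the SQL server validates access to the key when it is set,
#    so this fails immediately if the vault is still unreachable. Then read back what it sees.
$keyId = (Get-AzKeyVaultKey -VaultName $vault -Name $keyName).Id
Set-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $sqlSrv `
    -Type AzureKeyVault -KeyId $keyId
Get-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $sqlSrv |
    Format-List Type, ServerKeyVaultKeyName, KeyId
```

Step 2 is the answer to the question; steps 3 and 4 are the checks a practitioner runs in the same sitting, because a vault that admits the server at the network layer but lacks the role or purge protection fails in the same way from the SQL server's point of view.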

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Configure a private endpoint for the SQL server to the Key Vault.

    Why it's wrong here

A private endpoint gives the vault a private IP address inside one of your virtual networks and serves clients that live in that network. The Azure SQL Database logical server is a multi-tenant PaaS service with no presence in your virtual network (unlike SQL Managed Instance, which is deployed into one), so its outbound call to Key Vault cannot use that endpoint. It would also add DNS and networking setup that the scenario does not require.

  • Enable the 'Allow trusted Microsoft services to bypass the firewall' setting on the Key Vault.

    Why this is correct

This setting lets trusted Azure services, Azure SQL Database among them, through the Key Vault firewall while it stays closed to everything else. The bypass is only a network exception: the server's managed identity still authenticates, and the 'Key Vault Crypto Service Encryption User' role it already holds on the key is what authorizes the wrapKey and unwrapKey calls. That makes the bypass the one missing piece for TDE operations.

    Related concept

    Azure Key Vault firewalls block all public network access by default when enabled.

  • Change the Key Vault firewall to allow all Azure services.

    Why it's wrong here

Key Vault networking offers 'All networks' or 'Selected networks' with IP rules, virtual network rules and the trusted-services exception; there is no separate 'all Azure services' rule, and the closest thing, 'All networks', would reopen the vault to the public internet and defeat the policy the firewall was enforcing. The trusted-services exception admits only a documented list of Microsoft services and is the narrower, recommended option.

  • Create a VNet service endpoint for Microsoft.KeyVault on the SQL server's subnet.

    Why it's wrong here

A service endpoint is enabled on a subnet you own and then listed as a virtual network rule on the vault; it governs traffic from that subnet. The Azure SQL Database logical server is not deployed into any subnet of yours, so there is nothing to put the endpoint on, and a service endpoint never grants a managed PaaS service a bypass. The trusted-service exception is required.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap is assuming that, once a Key Vault firewall is enabled, a private endpoint or VNet service endpoint is always required. Both are tools for clients inside virtual networks you control. The 'Allow trusted Microsoft services' bypass exists precisely so that Azure PaaS services such as SQL Database, which have no presence in your network, can reach the vault without any additional network configuration.

Detailed technical explanation

How to think about this question

The bypass is evaluated on Key Vault's data plane, where every request is checked against the network rule set and then authorized. A request from a trusted Microsoft service is identified as such and exempted from the IP and virtual network rules; it still carries the Microsoft Entra ID bearer token that the SQL server's managed identity obtained, and Key Vault still checks that token against the vault's RBAC role assignments (or access policy) before performing the wrapKey or unwrapKey operation on the TDE protector. Network admission and authorization are separate layers, and the bypass only changes the first one. Private endpoints and service endpoints belong to a different model: they admit clients inside a virtual network you control, which fits SQL Managed Instance (deployed into your VNet) but not the Azure SQL Database logical server, which has no VNet presence. In practice this setting is what makes TDE with a customer-managed key work behind a Key Vault firewall while the vault stays closed to the public internet; the cost is that every other service on the trusted list gains the same network exception, which is why authorization on the key has to stay tight.
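To make the order of checks concrete, here is an added example (not code from the original page or from Microsoft): a pure PowerShell function that applies a Key Vault network rule set the way the paragraph above describes, fed with constructed rule sets that match the vault in the question before and after the fix. The function and its caller parameters are assumptions for illustration; the $NetworkAcls argument has the shape of the .NetworkAcls property returned by Get-AzKeyVault, so the same function can be pointed at a live vault.

```powershell
# Added example, not code from the original page. A pure function that applies Key Vault's
# network rules in the order the question relies on, so you can reason about why a caller is
# admitted or refused. $NetworkAcls has the shape of (Get-AzKeyVault ...).NetworkAcls; the
# caller parameters and the sample rule sets at the bottom are constructed for illustration.
function ConvertTo-IpNumber {
    param([string] $Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return (([long]$b[0]) -shl 24) + (([long]$b[1]) -shl 16) + (([long]$b[2]) -shl 8) + [long]$b[3]
}

function Test-IpInRange {
    # $Range is a single IPv4 address or a CIDR block, as Key Vault IP rules are written.
    param([string] $Ip, [string] $Range)
    $parts  = $Range -split '/'
    $prefix = if ($parts.Count -gt 1) { [int] $parts[1] } else { 32 }
    $mask   = [long]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $prefix))
    return (((ConvertTo-IpNumber $Ip) -band $mask) -eq ((ConvertTo-IpNumber $parts[0]) -band $mask))
}

function Test-KeyVaultNetworkAdmission {
    param(
        [Parameter(Mandatory)] $NetworkAcls,  # DefaultAction, Bypass, IpAddressRanges, VirtualNetworkResourceIds
        [string] $CallerIp,                   # public source IP of the caller, if it has one
        [string] $CallerSubnetId,             # resource id of the caller's subnet, if it has one
        [switch] $TrustedService              # caller is on Microsoft's trusted-services list (Azure SQL Database is)
    )
    if ($NetworkAcls.DefaultAction -eq 'Allow') {
        return 'Allowed: firewall not restricting public access'
    }
    # DefaultAction is Deny: the request must match one exception.
    foreach ($range in @($NetworkAcls.IpAddressRanges)) {
        if ($CallerIp -and (Test-IpInRange -Ip $CallerIp -Range $range)) {
            return "Allowed: IP rule $range"
        }
    }
    if ($CallerSubnetId -and (@($NetworkAcls.VirtualNetworkResourceIds) -contains $CallerSubnetId)) {
        return 'Allowed: virtual network rule'
    }
    if ($TrustedService -and ("$($NetworkAcls.Bypass)" -match 'AzureServices')) {
        return 'Allowed: trusted Microsoft services bypass'
    }
    # This is the 403 the SQL server gets in the question (inner error code ForbiddenByFirewall,
    # "Client address is not authorized and caller is not a trusted service").
    return 'Denied: ForbiddenByFirewall'
}

# Constructed rule sets: the vault as described in the question, before and after the fix.
$failing = [pscustomobject]@{ DefaultAction = 'Deny'; Bypass = 'None'
                              IpAddressRanges = @(); VirtualNetworkResourceIds = @() }
$fixed   = [pscustomobject]@{ DefaultAction = 'Deny'; Bypass = 'AzureServices'
                              IpAddressRanges = @('203.0.113.0/24'); VirtualNetworkResourceIds = @() }

# Azure SQL Database calling with no IP or subnet of yours: refused before the fix, admitted after.
Test-KeyVaultNetworkAdmission -NetworkAcls $failing -TrustedService
Test-KeyVaultNetworkAdmission -NetworkAcls $fixed   -TrustedService
# An operator's workstation on the listed range is admitted by the IP rule, not by the bypass.
Test-KeyVaultNetworkAdmission -NetworkAcls $fixed   -CallerIp '203.0.113.7'
# The same workstation from an unlisted address is still refused: the bypass does not open the vault to the public.
Test-KeyVaultNetworkAdmission -NetworkAcls $fixed   -CallerIp '198.51.100.9'
```

The four calls at the bottom show the point of the question: the first is refused, the second is admitted only because the caller is a trusted service and the bypass is on, the third is admitted by an IP rule, and the fourth is refused even with the bypass enabled. Against a real vault, pass (Get-AzKeyVault -VaultName kv -ResourceGroupName rg).NetworkAcls as $NetworkAcls. What the function does not model is authorization: an admitted caller still needs the role or access policy on the key.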

Key Concepts to Remember

  • Azure Key Vault firewalls block all public network access by default when enabled.
  • The 'Allow trusted Microsoft services to bypass this firewall' setting exempts a documented list of Microsoft services from the vault's IP and virtual network rules.
  • Azure SQL Database is on that list, so it is a trusted Microsoft service for Key Vault access.
  • Managed identities provide authentication and RBAC roles or access policies provide authorization; the trusted-service bypass is only a network-rule exception and grants no permissions on the key.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Azure Key Vault firewalls block all public network access by default when enabled.

Real-world example

How this comes up in practice

A database team tightens a production Key Vault to 'Selected networks' after a policy review. Nobody adds the trusted-services exception, and the Azure SQL logical server that keeps its TDE protector in that vault starts failing its key-access checks because it can no longer unwrap the database encryption key; if access is not restored, Azure SQL marks the affected databases Inaccessible. The fix is the one in this question: keep the firewall closed, enable the bypass, and leave the server's managed identity with only the 'Key Vault Crypto Service Encryption User' role on the key rather than Contributor on the vault. Questions like this test whether you can keep least privilege at the identity layer while opening just enough at the network layer.

What to study next

Got this wrong? Here's your next step.

Review the key principle (an Azure Key Vault firewall set to deny public network access blocks every request that matches no rule or exception), then practise related AZ-500 questions on the same topic to reinforce the concept.

Related practice questions

Related AZ-500 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free AZ-500 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this AZ-500 question test?

Secure compute, storage, and databases. This question tests the Key Vault firewall model: when the firewall is enabled it blocks public network access by default, and only IP rules, virtual network rules or the trusted-services exception let a caller through.

What is the correct answer to this question?

The correct answer is: Enable the 'Allow trusted Microsoft services to bypass the firewall' setting on the Key Vault. Azure SQL Database is a trusted Microsoft service, so the exception lets it reach the vault while the firewall stays closed to everything else; it still authenticates with its system-assigned managed identity and is authorized by the role already assigned on the key, so no private endpoint or VNet integration is needed.

What should I do if I get this AZ-500 question wrong?

Review the key principle (an Azure Key Vault firewall set to deny public network access blocks every request that matches no rule or exception), then practise related AZ-500 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

Azure Key Vault firewalls block all public network access by default when enabled.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Same concept, more angles

6 more ways this is tested on AZ-500

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key stored in Azure Key Vault. The Key Vault has a firewall enabled that blocks all public network access. The SQL server has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. Despite this, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required?

hard
  • A.Enable the Azure SQL Database server's firewall to allow Azure services to access the server.
  • B.Configure the Key Vault firewall to allow trusted Microsoft services to bypass the firewall.
  • C.Assign a user-assigned managed identity to the SQL server instead of a system-assigned identity.
  • D.Change the Key Vault firewall to allow all networks.

Why B: The Key Vault firewall blocks all public network access, so even though the SQL server has the correct managed identity and role assignment, the connection is denied by the firewall. By enabling the 'Allow trusted Microsoft services to bypass this firewall' setting, Azure SQL Database (a trusted Microsoft service) can connect to the Key Vault without exposing it to the public internet. This is the required additional configuration to resolve the TDE access failure.

Variation 2. A company uses Azure SQL Database with Transparent Data Encryption (TDE) and a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall that blocks all public access. The SQL server is a managed service that needs to access the key to perform TDE operations. The Key Vault is in the same Azure region as the SQL server. Which additional configuration is needed?

hard
  • A.Enable 'Allow trusted Microsoft services to bypass this firewall' in the Key Vault firewall settings
  • B.Configure a service endpoint for Microsoft.KeyVault on the SQL server's subnet
  • C.Assign the SQL server's server identity the 'Contributor' role on the Key Vault
  • D.Create a private endpoint for the Key Vault in the SQL server's virtual network

Why A: When Azure Key Vault has a firewall that blocks all public access, Azure services like SQL Database that need to access the key for TDE operations must be explicitly allowed. Enabling 'Allow trusted Microsoft services to bypass this firewall' permits the SQL server's managed identity to authenticate and use the CMK in Key Vault even when public network access is denied. This setting is required because the Azure SQL Database logical server is a multi-tenant platform-as-a-service resource with no presence in your virtual network, so private endpoints and service endpoints, which admit clients from networks you control, do not apply to its outbound call to Key Vault.

Variation 3. A company uses Azure SQL Database with Transparent Data Encryption (TDE) using a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server has a system-assigned managed identity assigned the 'Key Vault Crypto Service Encryption User' role. However, TDE operations are failing because the SQL server cannot access the Key Vault. What additional configuration is needed?

medium
  • A.Enable the Key Vault firewall to allow trusted Microsoft services
  • B.Create a private endpoint for the SQL server to access the Key Vault
  • C.Enable public network access on the Key Vault
  • D.Assign the SQL server's managed identity the 'Reader' role on the Key Vault

Why A: When Azure Key Vault has its firewall enabled to deny all public network access, it blocks all traffic, including requests from Azure SQL Database. By enabling the 'Allow trusted Microsoft services' exception, Azure Key Vault permits specific Azure platform services (like Azure SQL Database) to bypass the firewall, provided the service authenticates using a managed identity with appropriate permissions. This setting is essential for TDE with CMK because the SQL server's system-assigned managed identity must reach the Key Vault to unwrap the encryption key, even when public access is disabled.

Variation 4. A company uses Azure SQL Database with Transparent Data Encryption (TDE) encrypted using a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault is protected by a firewall and virtual network service endpoints. The storage account used for TDE logs is in the same Azure region. What additional configuration is necessary in the Key Vault to allow Azure SQL Database to access the CMK for TDE operations?

medium
  • A.Enable 'Allow trusted Microsoft services to bypass this firewall' in the Key Vault firewall settings.
  • B.Disable public network access on the Key Vault.
  • C.Add the SQL Database server's system-assigned managed identity to the Key Vault access policy.
  • D.Enable soft-delete on the Key Vault.

Why A: Azure SQL Database uses TDE with a customer-managed key stored in Key Vault. When the Key Vault has a firewall enabled, Azure SQL Database must be able to bypass that firewall to access the key. Enabling 'Allow trusted Microsoft services to bypass this firewall' is required because Azure SQL Database is a trusted Microsoft service that needs to reach the Key Vault endpoint for TDE operations, even when the firewall blocks public network access. Option C describes authorization the server identity also needs on a vault that still uses access policies (get, wrapKey and unwrapKey; on an RBAC vault the equivalent is the 'Key Vault Crypto Service Encryption User' role at key scope), but it does nothing about the network block the question is asking about.

Variation 5. A company uses Azure SQL Database with Transparent Data Encryption (TDE) encrypted using a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault is protected by a firewall that denies all public access. The SQL server must be able to access the key for TDE operations. Which additional configuration is necessary in the Key Vault to allow this?

hard
  • A.Configure a private endpoint for the Key Vault and assign it to the SQL server's virtual network.
  • B.Enable soft-delete on the Key Vault.
  • C.Enable the 'Allow trusted Microsoft services to bypass this firewall' setting.
  • D.Add a firewall rule to allow traffic from the Azure SQL Database's public IP address.

Why C: Option C is correct because when Azure Key Vault is protected by a firewall that denies all public access, the Azure SQL Database service (a trusted Microsoft service) must be explicitly allowed to bypass the firewall to retrieve the customer-managed key for TDE operations. Enabling the 'Allow trusted Microsoft services to bypass this firewall' setting permits the SQL server's managed identity to authenticate and access the key vault without requiring a public IP address or network rule.

Variation 6. A company uses Azure SQL Database with Transparent Data Encryption (TDE) and wants to use a customer-managed key (CMK) stored in Azure Key Vault. The security policy requires that the Key Vault be protected by a firewall and virtual network service endpoints to restrict network access. The storage account for TDE logs is in the same Azure region. Which additional configuration is necessary in the Key Vault to allow Azure SQL Database to access the CMK for encryption operations?

hard
  • A.Add a network rule in the Key Vault firewall allowing the public IP range of the Azure SQL Database server.
  • B.Enable the 'Allow trusted Microsoft services to bypass this firewall' option in the Key Vault networking settings.
  • C.Create a private endpoint for the Key Vault and connect it to the same virtual network as the Azure SQL Database.
  • D.Configure the Key Vault to use role-based access control (RBAC) and assign the 'Key Vault Crypto Service Encryption User' role to the SQL Database server's managed identity.

Why B: Option B is correct because Azure SQL Database uses TDE with CMK stored in Azure Key Vault, and when the Key Vault firewall is enabled with virtual network service endpoints, Azure SQL Database must be able to bypass the firewall to retrieve the key. The 'Allow trusted Microsoft services to bypass this firewall' setting permits Azure services like Azure SQL Database, which are considered trusted by Microsoft, to access the Key Vault even when network restrictions are in place. Option D describes authorization the server identity also needs (or its access-policy equivalent), but it does nothing about the firewall; only B satisfies the security policy while enabling the necessary encryption operations.

Keep practising

More AZ-500 practice questions

Last reviewed: Jun 11, 2026

This AZ-500 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-500 exam.