Free · No account needed · No credit card

Microsoft Azure Security Engineer Associate AZ-500 Practice Test

1,000 questions with instant explanations, domain breakdown, and wrong-answer analysis. Built for the real exam.

Instant feedback after each answer
Full explanations included
Domain score breakdown
Real exam: 120 min
Pass mark: 700%

Sample questions with explanations

This is exactly what you see during practice — question, options, and a full explanation after you answer.

Q1 · Manage identity and access · hard

A company uses Azure AD Identity Protection. They want to automatically block sign-ins that have a high user risk level, but only for users in the 'Finance' department. They also want to require MFA for medium user risk level for all users (including Finance) when sign-in risk is not blocked. They have already created a Conditional Access policy for the Finance department that has a condition of 'User risk level: High' and a grant control of 'Block access'. What additional configuration is needed to also require MFA for all users with medium user risk?

A. Create a second Conditional Access policy targeting all users with condition 'User risk level: Medium' and grant control 'Require multi-factor authentication' (Correct)
B. Modify the existing policy to include 'User risk level: Medium' and change the grant control to 'Require multi-factor authentication'
C. Use Identity Protection's 'User risk policy' instead of Conditional Access
D. Create a new Conditional Access policy with condition 'User risk level: Medium' and grant control 'Block access'

Option A is correct because Azure AD Conditional Access policies are evaluated independently, and a separate policy is needed to require MFA for medium user risk across all users. The existing policy blocks high-risk sign-ins for Finance only, but does not address medium risk for…

Q2 · Manage identity and access · hard

A company uses Azure AD Privileged Identity Management (PIM) to manage access to Azure AD roles. They want to require that users who activate the Global Administrator role must get approval from their manager before activation, and that the approval must be time-bound (maximum 8 hours). Which two PIM configurations should they set?

A. Set the activation maximum duration to 8 hours. (Correct)
B. Enable approval workflow by adding the manager as an approver. (Correct)
C. Require multi-factor authentication on activation.
D. Require justification on activation.

Option A is correct because setting the activation maximum duration to 8 hours enforces the time-bound requirement, ensuring that once a user activates the Global Administrator role, the activation automatically expires after 8 hours. Option B is correct because enabling the appr…

Q3 · Manage identity and access · hard

A company uses Azure AD Privileged Identity Management (PIM) to manage the Global Administrator role. They want to require that when a user activates the role, they must be using a device that is compliant with Intune policies (e.g., compliant device) and must provide a justification. The company already has Conditional Access policies in place for regular access. How should they enforce the device compliance requirement specifically during PIM activation?

A. Configure a Conditional Access policy that targets the 'Azure AD Privileged Identity Management' cloud app, requiring compliant device.
B. In PIM settings for the Global Administrator role, enable 'Require Multi-Factor Authentication on activation'.
C. In PIM settings for the Global Administrator role, enable 'Require Azure AD Conditional Access authentication context' and create a Conditional Access policy that requires compliant device when that authentication context is used. (Correct)
D. Use Azure AD Identity Protection's user risk policy to require device compliance when a high-risk user activates the role.

Option C is correct because Azure AD PIM can integrate with Conditional Access via authentication context. By enabling 'Require Azure AD Conditional Access authentication context' in the PIM role settings and then creating a Conditional Access policy that targets that authenticat…

Untimed Practice

Answer at your own pace. Explanation and domain tag shown immediately after each answer.

Timed Practice

Countdown timer starts immediately. Results and domain scores shown at the end — just like the real exam.

Why practice here?

Full explanations on every question

Not just the right answer — you get exactly why each wrong option is wrong, so you learn the concept, not the answer.

Domain score breakdown

After each session see your score by exam domain so you know exactly where to focus study time.

100% free, forever

No subscription, no trial, no email wall. Start a session in under 10 seconds.

Exam-style questions

Scenario-based, precise wording, realistic distractors — written to match what you actually see on exam day.
