
Scenario-based practice

Hard Difficulty Questions

Practise with original exam-style AZ-500 scenarios covering every exam domain, each with a detailed explanation, wrong-answer analysis, and the common exam traps to watch for.

20 scenario questions
Exam code: AZ-500
Vendor: Microsoft

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard-difficulty questions test whether you can apply a concept in context, not just recognise its definition. Working through them shows:

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.


Practice scenarios

Question 1 (hard, multi select)

A public web application should be protected from OWASP-style attacks and network-layer DDoS attacks. Which two Azure services are most relevant?

Question 2 (hard, multiple choice)

A Microsoft Sentinel rule should run with minimal delay against supported data sources and produce alerts close to event time. Which rule type should be considered?

Question 3 (hard, multiple choice)

A company has a hub-spoke network topology. The hub virtual network contains an Azure Firewall and an ExpressRoute gateway for on-premises connectivity. The spoke virtual network hosts a critical application. They need to ensure that all outbound traffic from the spoke to the internet and to on-premises networks is routed through the Azure Firewall. They configure a user-defined route (UDR) on the spoke subnet with address prefix 0.0.0.0/0 and next hop as the Azure Firewall's private IP. They also disable 'Virtual network gateway route propagation' on the spoke subnet. However, traffic to on-premises still bypasses the firewall and goes through the ExpressRoute gateway. What is the most likely cause?

Question 4 (hard, multiple choice)

A company has two Azure virtual networks: VNet-A and VNet-B. They peer the VNets and deploy a network virtual appliance (NVA) in VNet-A. They want to inspect all outbound traffic from VNet-B to the internet using the NVA. They configure a user-defined route (UDR) in a route table associated with the subnet in VNet-B, with a default route (0.0.0.0/0) and next hop set to the private IP of the NVA in VNet-A. However, outbound traffic from VNet-B still goes directly to the internet. What is the most likely cause?

Question 5 (hard, multiple choice)

A company uses Azure AD Identity Protection. They want to automatically block sign-ins that have a high user risk level, but only for users in the 'Finance' department. They also want to require MFA for medium user risk level for all users (including Finance) when sign-in risk is not blocked. They have already created a Conditional Access policy for the Finance department that has a condition of 'User risk level: High' and a grant control of 'Block access'. What additional configuration is needed to also require MFA for all users with medium user risk?

Question 6 (hard, multiple choice)

A company uses Azure AD Privileged Identity Management (PIM) to manage the Global Administrator role. They want to require that when a user activates the role, they must be using a device that is compliant with Intune policies (e.g., compliant device) and must provide a justification. The company already has Conditional Access policies in place for regular access. How should they enforce the device compliance requirement specifically during PIM activation?

Question 7 (hard, multiple choice)

A custom Azure role should allow operators to restart virtual machines but not delete them or change networking. Which permission design is most appropriate?

Question 8 (hard, multiple choice)

A security operations team uses Microsoft Sentinel. They have created a playbook that sends an email notification to the security team when a high-severity incident is created by a specific analytics rule named 'CriticalRDPAccess'. They want the playbook to trigger automatically only when the incident has severity 'High' AND the incident was created by the rule named 'CriticalRDPAccess'. Which automation rule configuration should they use?

Question 9 (hard, multi select)

A Defender for Cloud alert indicates possible credential theft on a VM. Which two response actions are sensible early containment steps?

Question 10 (hard, multi select)

A security team uses Microsoft Defender for Cloud to centralize security alerts. They want to continuously export all security alerts to a Log Analytics workspace for long-term retention and custom analysis. Which two actions must be taken to achieve this? (Choose two that apply.)

Question 11 (hard, multiple choice)

A KQL hunting query joins SecurityIncident with SecurityAlert but returns duplicate rows for incidents with multiple alerts. What KQL approach best preserves one row per incident while summarizing alert details?

Question 12 (hard, multiple choice)

A Sentinel analytics rule creates a new incident every time the same brute-force activity is detected for the same account within an hour. The SOC wants one incident that continues to group related alerts. What should be changed?

Question 13 (hard, multiple choice)

An organization wants to detect when a privileged Azure role assignment is created outside the approved change window. Which log source should a Sentinel rule query?

Question 14 (hard, multiple choice)

A Sentinel data connector based on Azure Monitor Agent stops collecting Windows Security Events after migration from the legacy agent. What should the engineer verify first?

Question 15 (hard, multiple choice)

A security operations team uses Microsoft Sentinel. They have a scheduled analytics rule that generates an incident when a user signs in from an unusual location. They want to automatically assign the incident to the 'Security Engineering' team and set its severity to 'High' when it is created. Which feature should they use?

Question 16 (hard, multiple choice)

A Sentinel analyst needs to preserve investigation notes, related entities, and ownership while escalating a case to another analyst. Which object should be updated?

Question 17 (hard, multiple choice)

A Sentinel rule using a threat intelligence table fires on stale indicators that expired last week. What should be added to the query?

Question 18 (hard, multiple choice)

A security team uses Microsoft Sentinel. They create a scheduled analytics rule that queries Azure Activity Logs to detect virtual machines deployed in non-approved regions. The rule generates an incident. The team wants the incident to be automatically assigned to the 'Infrastructure' team and its severity set to 'High' when it is created. Which automation feature should they use?

Question 19 (hard, multiple choice)

Your company has an Azure subscription with a hub-spoke network topology. The hub contains an Azure Firewall and a VPN gateway for on-premises connectivity. The spoke virtual network hosts a critical application. You need to ensure that all outbound traffic from the spoke to the internet and on-premises networks flows through the Azure Firewall. You configure a user-defined route (UDR) on the spoke subnet with the default route (0.0.0.0/0) pointing to the Azure Firewall private IP. However, traffic to on-premises still bypasses the firewall. What is the most likely cause?

Question 20 (hard, multiple choice)

A company uses Azure AD Privileged Identity Management (PIM) for the Security Administrator role. They have configured the role activation to require Azure Multi-Factor Authentication and a support ticket number. However, users are reporting that they can activate the role without entering a ticket number. What is the most likely cause?

These AZ-500 practice questions are part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style AZ-500 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.