Scenario-based practice

Select Two (Multi-Select) Questions

Practise Microsoft Azure Security Engineer Associate AZ-500 questions: original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions | Exam code: AZ-500 | Vendor: Microsoft

Scenario guide

How to approach select two (multi-select) questions

Multi-select questions tell you to 'Choose TWO' or 'Choose THREE'. Getting partial credit is not a thing — you must select all correct answers with no incorrect ones. The stem always states how many to choose, so trust it. These questions require precision, not best-guess elimination.

Quick answer

Select two (multi-select) questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice set

Practice scenarios

Question 1 (hard, multi-select)

A public web application should be protected from OWASP-style attacks and network-layer DDoS attacks. Which two Azure services are most relevant?

Question 2 (medium, multi-select)

A company uses Defender for Servers Plan 2. Which two capabilities are included compared with a basic posture-only configuration?

Question 3 (medium, multi-select)

A Sentinel detection should enrich alerts with business-critical asset context. Which two mechanisms are appropriate?

Question 4 (medium, multi-select)

A company manages Azure AD roles with Privileged Identity Management (PIM). They want to enforce that when a user activates the Global Administrator role, they must provide a justification and also use Multi-Factor Authentication. Which PIM settings should they configure? (Choose two.)

Question 5 (hard, multi-select)

A Defender for Cloud alert indicates possible credential theft on a VM. Which two response actions are sensible early containment steps?

Question 6 (medium, multi-select)

A security engineer needs to collect custom application logs from Azure VMs using Azure Monitor Agent for Sentinel analysis. Which two components are required?

Question 7 (hard, multi-select)

A security team uses Microsoft Defender for Cloud to centralize security alerts. They want to continuously export all security alerts to a Log Analytics workspace for long-term retention and custom analysis. Which two actions must be taken to achieve this? (Choose two that apply.)

Question 8 (medium, multi-select)

A hub-and-spoke Azure network uses Azure Firewall for egress inspection. Which two settings are typically required on spoke workloads?

Question 9 (medium, multi-select)

An AKS cluster must reduce risk from untrusted container images. Which two controls are most appropriate?

Question 10 (medium, multi-select)

Your organization uses Azure AD Privileged Identity Management (PIM) to manage admin roles. Which three of the following are valid configurations for role activation? (Choose three.)

Question 11 (hard, multi-select)

A company uses Azure AD Privileged Identity Management (PIM) to manage access to Azure AD roles. They want to require that users who activate the Global Administrator role must get approval from their manager before activation, and that the approval must be time-bound (maximum 8 hours). Which two PIM configurations should they set?

Question 12 (hard, multi-select)

A team wants to deploy Sentinel content consistently across workspaces. Which two approaches are appropriate?

Question 13 (medium, multi-select)

Your company is implementing an Azure AD B2B collaboration strategy for external partners. Which three of the following statements about Azure AD B2B collaboration are correct? (Choose three.)

Question 14 (medium, multi-select)

Your company has deployed an Azure Firewall in a hub virtual network to inspect traffic from spoke virtual networks. You need to ensure that all outbound traffic from a spoke virtual network to the internet is forced through the Azure Firewall. Which three of the following actions are required? (Choose three.)

Question 15 (medium, multi-select)

You are designing a secure hybrid network that connects an on-premises datacenter to Azure. The solution must provide high availability and encrypt all traffic between the two sites. Which three of the following should you consider? (Choose three.)

Question 16 (medium, multi-select)

You are planning a network security strategy for a multi-tier application deployed on Azure virtual machines. You need to ensure that traffic between the web tier and the application tier is encrypted and that the application tier is not directly accessible from the internet. Which three of the following should you implement? (Choose three.)

Question 17 (medium, multi-select)

A team enables Microsoft Defender for Storage. Which two threats can the plan help detect?

Question 18 (medium, multi-select)

A security team wants to use Microsoft Sentinel to detect potential data exfiltration events from Azure Blob Storage. Which two logs should they ingest to best identify unauthorized read access and data transfer activities? (Choose two.)

Question 19 (hard, multi-select)

A security team is reviewing risky OAuth applications in Microsoft Entra ID. Which two actions reduce future consent risk?

Question 20 (hard, multi-select)

A KQL query in Microsoft Sentinel detects impossible travel but returns many false positives from known VPN egress IP addresses. Which two changes would best reduce noise while preserving useful detections?

These AZ-500 practice questions are part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style AZ-500 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.