Scenario-based practice

Troubleshooting Scenario Questions

Practise Microsoft Azure Security Engineer Associate AZ-500 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions | Exam code: AZ-500 | Vendor: Microsoft

Scenario guide

How to approach troubleshooting scenario questions

These questions describe a network symptom and ask you to identify the root cause or the correct fix. They appear across all certification exams and reward systematic thinking over memorisation. The best candidates follow a consistent troubleshooting framework even under time pressure.

Quick answer

Troubleshooting scenario questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice set

Practice scenarios

Question 1 (easy, multiple choice)

A security administrator is troubleshooting network connectivity to an Azure virtual machine. The VM is behind a network security group (NSG) that has a deny-all inbound rule as the default. The administrator wants to quickly verify whether a specific TCP packet on port 3389 from their client IP (203.0.113.50) would be allowed or blocked by the NSG. Which Azure Network Watcher tool should they use?

Question 2 (easy, multiple choice)

A security team needs to analyze network traffic to and from Azure virtual machines to investigate a potential security incident. They want to capture information such as source IP, destination IP, port, and protocol. Which Azure service should they enable on the network security groups (NSGs) associated with the virtual machine subnets?

Question 3 (medium, multiple choice)

A security analyst is using Microsoft Sentinel to investigate a security incident. The analyst needs to view all related events, alerts, and entities (users, IPs, hosts) in a single, interactive graph to understand the full scope of the attack. Which Microsoft Sentinel feature should they use?

Question 4 (hard, multiple choice)

An analyst investigates a Defender for Cloud alert for suspicious process execution on a VM. Which next step best preserves evidence while enabling deeper endpoint investigation?

Question 5 (hard, multiple choice)

A company has two Azure virtual networks, VNet-A and VNet-B, connected via VNet peering. They want all traffic between the VNets to be inspected by a network virtual appliance (NVA) deployed in a subnet in VNet-A. They have configured a user-defined route (UDR) on the subnet in VNet-B that points the destination address space of VNet-A to the private IP of the NVA. However, traffic between the VNets is still not passing through the NVA. What is the most likely cause?

Question 6 (hard, multiple choice)

A Sentinel playbook fails to update incidents even though the Logic App runs successfully. The playbook uses a managed identity. What is the most likely missing configuration?

Question 7 (hard, multiple choice)

Your organization uses Microsoft Intune for mobile device management. You need to implement a conditional access policy that only allows access to corporate email from devices that are enrolled in Intune and compliant with security policies. However, the policy is not working for some users who report that they cannot access email even though their devices are compliant. You discover that the users have multiple devices and are signing in from a device that is not enrolled. What should you do?

Question 8 (medium, multiple choice)

You are troubleshooting a sign-in issue. A user reports that they are repeatedly prompted for authentication when accessing a cloud app, even though they already authenticated earlier in the day. You check the Conditional Access policy and see that 'Session control - Sign-in frequency' is set to 1 hour. What is the most likely cause?

Question 9 (hard, multiple choice)

You are troubleshooting an Azure virtual machine that cannot access the internet. The VM is in a subnet with a route table that has a default route (0.0.0.0/0) with next hop 'Virtual appliance' pointing to the private IP of an Azure Firewall. The Azure Firewall has a DNAT rule to allow outbound traffic. You verify that the VM's NSG allows outbound traffic. What is the most likely cause of the issue?

Question 10 (easy, multiple choice)

Refer to the exhibit. You run the KQL query in Microsoft Sentinel to investigate denied application rule traffic through Azure Firewall. The query returns no results, but you know that application rules are being applied and some traffic is being denied. What is the most likely cause?

Exhibit

KQL query in Microsoft Sentinel:
```
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| where OperationName == "AzureFirewallApplicationRuleHit"
| where msg_s contains "Deny"
| project TimeGenerated, msg_s
| take 10
```

Question 11 (hard, multiple choice)

You are troubleshooting connectivity between two Azure virtual machines in different VNets that are peered. VM1 (10.0.1.4) cannot reach VM2 (10.0.2.4) on port 80. Both VNets have NSGs allowing HTTP traffic from each other's IP ranges. The VNet peering is in 'Connected' state. You verify that the VMs' operating system firewalls allow HTTP. What is the most likely cause of the connectivity issue?

Question 12 (medium, multiple choice)

Refer to the exhibit. You are reviewing an Azure Firewall policy rule. The rule is intended to allow traffic from the 10.0.0.0/16 network to *.contoso.com on HTTPS. However, the rule is not working as expected. What is the most likely issue?

Exhibit

```
{
  "properties": {
    "policy": {
      "rules": [
        {
          "name": "AllowInternal",
          "ruleType": "ApplicationRule",
          "protocols": [
            {
              "protocolType": "Https",
              "port": 443
            }
          ],
          "targetFqdns": [
            "*.contoso.com"
          ],
          "sourceAddresses": [
            "10.0.0.0/16"
          ],
          "destinationAddresses": [
            "172.16.0.0/12"
          ]
        }
      ]
    }
  }
}
```

Question 13 (medium, multiple choice)

A company uses Azure Firewall to inspect traffic between a spoke VNet hosting a web application and a hub VNet hosting a SQL database. The web application fails to connect to the database after a recent network topology change. You verify that the Azure Firewall rules allow the traffic. Which Azure Network Watcher feature should you use to identify the root cause?

Question 14 (hard, multiple choice)

You are troubleshooting connectivity from an on-premises network to an Azure VM. The connection uses a site-to-site VPN. The VM can be pinged from on-premises, but an application running on the VM cannot connect to an on-premises database server. The database server's firewall is configured to allow connections from the Azure VPN gateway public IP. What is the most likely cause of the issue?

Question 15 (hard, multiple choice)

You are troubleshooting connectivity issues from an Azure VM to an on-premises server. The VM is in a VNet that uses a custom DNS server. The on-premises network is connected via ExpressRoute. You can ping the on-premises server by IP address but not by name. What is the most likely cause?

These AZ-500 practice questions are part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style AZ-500 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.