Courseiva
Back to Microsoft Azure Security Engineer Associate AZ-500 questions

Scenario-based practice

AZ-500 Which Command Should the Administrator Use Practice Questions

Use this page to practise AZ-500 Which Command Should the Administrator Use Practice Questions practice questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.

Start full practice testRead exam guide
15
scenario questions
AZ-500
exam code
Microsoft
vendor

Scenario guide

How to approach which command should the administrator use practice questions

Practise command-choice questions where the task is to identify the correct verification, configuration or troubleshooting command.

Quick answer

Which Command Should the Administrator Use Practice Questions questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Related practice questions

Related AZ-500 topic practice pages

Scenario questions usually connect to one or more exam topics. Use these links to review the underlying concepts behind the scenario.

AZ-500 fundamentals practice questions

Practise AZ-500 questions linked to AZ-500 fundamentals.

AZ-500 scenario practice questions

Practise AZ-500 questions linked to AZ-500 scenario.

AZ-500 troubleshooting practice questions

Practise AZ-500 questions linked to AZ-500 troubleshooting.

Practice set

Practice scenarios

Question 1mediummultiple choice
Full question →

A DevOps team wants Defender for Cloud to identify secrets exposed in GitHub repositories. What should be configured?

Full question →
Question 2hardmultiple choice
Full question →

A SOC wants a Sentinel rule to include account, host, and IP entities so analysts can pivot during investigation. What should be configured in the analytics rule?

Full question →
Question 3mediummultiple choice
Full question →

A storage account contains legal evidence that must not be modified or deleted for seven years. Which feature should be configured?

Full question →
Question 4mediummultiple choice
Full question →

A team wants Sentinel incidents to automatically assign to the Tier 2 queue when severity is High and the product name is Microsoft Defender for Endpoint. What should they configure?

Full question →
Question 5hardmultiple choice
Full question →

A company has an Azure Storage account with infrastructure encryption enabled. They configure the storage account to use customer-managed keys (CMK) stored in Azure Key Vault for encryption at rest. Despite this configuration, newly uploaded blobs are still encrypted with Microsoft-managed keys. What is the most likely cause?

Full question →
Question 6easymultiple choice
Full question →

A company deploys a public-facing web application behind Azure Application Gateway. They want to enable the Web Application Firewall (WAF) to protect against SQL injection and cross-site scripting attacks. During the initial testing phase, they want to identify malicious requests without blocking them, to tune the WAF rules before enabling full protection. Which WAF mode should they configure?

Full question →
Question 7hardmultiple choice
Full question →

A company has a hub-spoke network topology. The hub virtual network contains an Azure Firewall and an ExpressRoute gateway for on-premises connectivity. The spoke virtual network hosts a critical application. They need to ensure that all outbound traffic from the spoke to the internet and to on-premises networks is routed through the Azure Firewall. They configure a user-defined route (UDR) on the spoke subnet with address prefix 0.0.0.0/0 and next hop as the Azure Firewall's private IP. They also disable 'Virtual network gateway route propagation' on the spoke subnet. However, traffic to on-premises still bypasses the firewall and goes through the ExpressRoute gateway. What is the most likely cause?

Full question →
Question 8mediummultiple choice
Full question →

A company is enabling Azure Disk Encryption (ADE) on Windows virtual machines. They have enabled soft-delete on Azure Key Vault and configured a Key Encryption Key (KEK). However, the disk encryption fails with an error indicating that the key vault does not have the required permissions. What is the most likely missing configuration?

Full question →
Question 9easymultiple choice
Full question →

A company has a subscription with Azure Active Directory (Azure AD). They want to enable a conditional access policy that requires all users to use multi-factor authentication (MFA) when accessing the Azure portal. The policy should only apply to users who are members of a group called 'AllUsers'. Which assignment should they configure in the policy?

Full question →
Question 10mediummultiple choice
Full question →

A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Global Administrator' role. The security team wants to ensure that when a user activates the role, they must provide a justification, and the activation request must be approved by a specific group of security administrators. They have already configured the role for activation with a maximum duration of 8 hours. Which additional PIM settings should they configure?

Full question →
Question 11hardmultiple choice
Full question →

A company has two Azure virtual networks, VNet-A (hub) and VNet-B (spoke), connected via VNet peering. They deploy a network virtual appliance (NVA) in a subnet in VNet-A to inspect all traffic between the VNets. They configure a user-defined route (UDR) on the subnet in VNet-B with the destination address space of VNet-A (10.0.0.0/16) and the next hop set to the private IP of the NVA. However, traffic from VNet-B to VNet-A still bypasses the NVA and takes a direct path. What is the most likely cause?

Full question →
Question 12mediummultiple choice
Full question →

A company is setting up a site-to-site VPN between an on-premises network and an Azure virtual network using an Azure VPN gateway. The security policy mandates that the VPN tunnel must use the strongest available encryption and authentication. Which IPsec/IKE parameter combination should they configure on both sides?

Full question →
Question 13mediummultiple choice
Full question →

A company stores sensitive documents in an Azure Blob Storage account. They have enabled infrastructure encryption and configured the storage account to use a customer-managed key stored in Azure Key Vault for encryption at rest. Despite this, newly uploaded blobs are still encrypted with Microsoft-managed keys. What is the most likely cause?

Full question →
Question 14mediummultiple choice
Full question →

A security operations team uses Microsoft Sentinel. They want to automatically assign incidents to different tiers of analysts based on severity when incidents are created. Which feature should they configure?

Full question →
Question 15hardmultiple choice
Full question →

A company has an Azure virtual network (VNet) with multiple subnets. They deploy Azure Firewall in a hub VNet and peer spoke VNets. They want to force-tunnel all outbound traffic from a specific spoke subnet to the firewall for inspection. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall's private IP as the next hop. However, traffic is still bypassing the firewall. What is the most likely cause?

Full question →

These AZ-500 practice questions are part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style AZ-500 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.