
Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel practice questions

Practise Microsoft Azure Security Engineer Associate AZ-500 Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel

What the exam tests

What to know about Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel

Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.

IaaS, PaaS and SaaS responsibilities and examples.

Public, private, hybrid and community cloud deployment models.

On-premises vs cloud trade-offs: cost, control, scalability.

How cloud connectivity options (VPN, Direct Connect, ExpressRoute) work.

Watch out for

Common Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel exam traps

  • IaaS gives you infrastructure control; SaaS gives you only the application.
  • Hybrid cloud combines on-premises and public cloud — not two public clouds.
  • Cloud does not automatically mean cheaper or more secure.
  • Management responsibility shifts with each service model (IaaS → PaaS → SaaS).

Practice set

Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel questions

20 questions · select your answer, then reveal the explanation

A company uses Microsoft Defender for Cloud to manage the security posture of multiple Azure subscriptions. The security team wants to ensure that all subscriptions are covered by the same Microsoft Defender for Cloud policy initiative, but one subscription is not showing compliance data. The subscription is in the same Azure AD tenant and has the same tags. What is the most likely cause?

An organization uses Microsoft Defender for Cloud to protect Azure virtual machines. They notice that several VMs are not receiving vulnerability assessment findings, even though they are in a scope where the integrated Qualys VA solution is enabled. What should they verify first?

A security analyst needs to create a custom alert in Microsoft Defender for Cloud that triggers when a user creates a public IP address in the 'production' resource group. Which type of alert should they use?

Your company uses Microsoft Sentinel to monitor security events. You need to detect brute-force attacks against Azure VMs that are not yet onboarded to Sentinel. What should you do?

A security team uses Microsoft Defender for Cloud's regulatory compliance dashboard to track compliance with PCI DSS. They notice that some controls are marked as 'N/A' even though they have relevant resources. What is the most likely reason?

You are configuring Microsoft Sentinel to ingest logs from Azure Active Directory. Which two data connectors are necessary to collect sign-in logs and audit logs?

An organization uses Microsoft Defender for Cloud to protect Azure SQL databases. They want to receive alerts when a SQL database is accessed from a suspicious location. What should they enable?

Your company uses Microsoft Sentinel to correlate data from multiple sources. You need to create an analytics rule that triggers an incident when a user signs in from an unfamiliar location and then performs a high-risk action in Azure. What is the best approach?

A security analyst needs to view all incidents generated by Microsoft Defender for Cloud across multiple subscriptions in a single pane of glass. What should they use?

You need to ensure that Microsoft Sentinel can detect threats across your Azure environment, including virtual machines, network traffic, and user activities. Which TWO data sources should you connect?

A company uses Microsoft Defender for Cloud's workload protection for Azure Storage. They want to receive alerts when there is suspicious access to blob storage. Which TWO features should they enable?

You are deploying Microsoft Sentinel in a new Azure environment. Which THREE resources are required to deploy a Sentinel workspace?

Refer to the exhibit. You are assigning this Azure Policy to a management group. The goal is to automatically deploy the Azure Monitor Agent to Windows VMs that do not have it. However, after assignment, you notice that the policy is not deploying the agent. What is the most likely reason?

Exhibit

{
  "properties": {
    "displayName": "Deploy Azure Monitor Agent for Windows VMs",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "parameters": {
      "effect": {
        "type": "String",
        "defaultValue": "DeployIfNotExists",
        "allowedValues": [
          "DeployIfNotExists",
          "AuditIfNotExists",
          "Disabled"
        ]
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel. What is the purpose of this query?

Exhibit

SecurityAlert
| where TimeGenerated > ago(7d)
| summarize Count = count() by AlertName, AlertSeverity
| top 10 by Count desc

Refer to the exhibit. This is an excerpt from an Azure Policy assignment. What is the effect of the 'notScopes' property?

Exhibit

{
  "properties": {
    "enforcementMode": "Default",
    "scope": "/subscriptions/abc123/resourceGroups/RG-Prod",
    "notScopes": [
      "/subscriptions/abc123/resourceGroups/RG-Prod/providers/Microsoft.Compute/virtualMachines/VM-Sensitive"
    ]
  }
}

Your organization uses Microsoft Defender for Cloud. You need to ensure that all Azure subscriptions have the 'Auto-provisioning' extension enabled for the Log Analytics agent on new VMs. What should you configure?

Your company has a hybrid environment with on-premises servers and Azure VMs. All resources are onboarded to Microsoft Defender for Cloud. You need to receive alerts when a critical vulnerability is detected on any server. The security team wants to minimize false positives. What should you configure?

A security analyst reports that Microsoft Sentinel is not receiving Windows Security Events from Azure VMs that have the Log Analytics agent installed. The agent shows as connected, and other data sources (e.g., performance counters) are flowing. What is the most likely cause?

Your organization uses Microsoft Defender for Cloud to assess regulatory compliance. You need to ensure that the compliance dashboard reflects the latest standards and that custom assessments are included. What should you do?

You are investigating a security incident in Microsoft Sentinel. A KQL query returns results indicating that a user logged in from an IP address that is not in the organization's approved list. The user's account has been compromised. You need to automatically disable the user account in Microsoft Entra ID when such an alert is triggered. What should you configure?


Frequently asked questions

What does the AZ-500 exam test about Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel?
Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel questions in a focused session?
Yes — the session launcher on this page draws every question from the Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other AZ-500 topics?
Use the topic links above to move to related areas, or go back to the AZ-500 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the AZ-500 exam covers. They are not copied from any real exam or dump site.