Courseiva

AZ-500 · topic practice

Manage Identity And Access practice questions

Use this page to practise AZ-500 Manage Identity And Access practice questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.

20 questionsDomain: Manage Identity And Access
Practice 10 questionsBrowse domain →

What the exam tests

What to know about Manage Identity And Access

Manage Identity And Access questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice set

Manage Identity And Access questions

20 questions · select your answer, then reveal the explanation

Question 1hardmultiple choice
Full question →

A company uses Azure Key Vault to store secrets for their applications. They want to ensure that an application hosted on an Azure virtual machine can access secrets from only a specific Key Vault, and that all traffic between the VM and Key Vault remains within the Azure network and does not traverse the public internet. Which configuration should they implement?

Full question →
Question 2easymultiple choice
Full question →

A company develops a web application that runs on Azure App Service. The application needs to access Azure Key Vault to retrieve secrets. The security team wants to avoid using service principals or connection strings. Which identity should they assign to the App Service to authenticate to Key Vault?

Full question →
Question 3mediummultiple choice
Full question →

A company uses Azure SQL Database with Transparent Data Encryption (TDE) encrypted using a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault is protected by a firewall and virtual network service endpoints. The storage account used for TDE logs is in the same Azure region. What additional configuration is necessary in the Key Vault to allow Azure SQL Database to access the CMK for TDE operations?

Full question →
Question 4mediummultiple choice
Full question →

A company is enabling Azure Disk Encryption (ADE) on Windows virtual machines. They have enabled soft-delete on Azure Key Vault and configured a Key Encryption Key (KEK). However, the disk encryption fails with an error indicating that the key vault does not have the required permissions. What is the most likely missing configuration?

Full question →
Question 5hardmultiple choice
Full question →

A company uses Azure AD Privileged Identity Management (PIM) to manage the Global Administrator role. They want to require that when a user activates the role, they must be using a device that is compliant with Intune policies (e.g., compliant device) and must provide a justification. The company already has Conditional Access policies in place for regular access. How should they enforce the device compliance requirement specifically during PIM activation?

Full question →
Question 6easymultiple choice
Full question →

A company has multiple on-premises web applications that need to be securely published for remote employees. The company uses Azure AD for identity management and wants to apply Conditional Access policies, including multi-factor authentication, to these applications. The security team wants to avoid exposing the on-premises infrastructure to the internet directly. Which Azure service should they deploy to meet these requirements?

Full question →
Question 7mediummultiple choice
Full question →

A company stores highly sensitive data in Azure Blob Storage. The security policy requires that all data is encrypted at rest using a key that is stored in Azure Key Vault, and that the storage account uses its system-assigned managed identity to access the key. Which encryption configuration should they use?

Full question →
Question 8hardmultiple choice
Full question →

A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server is in the same region and has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. However, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required to allow the SQL server to access the Key Vault for TDE operations?

Full question →
Question 9hardmultiple choice
Full question →

A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key stored in Azure Key Vault. The Key Vault has a firewall enabled that blocks all public network access. The SQL server has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. Despite this, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required?

Full question →
Question 10mediummultiple choice
Full question →

A company plans to enable Azure Disk Encryption (ADE) on a set of Windows virtual machines using a Key Encryption Key (KEK) stored in Azure Key Vault. They have enabled soft-delete and purge protection on the Key Vault. The encryption fails with an error indicating that the key vault does not have the required permissions. Which additional configuration is most likely required for ADE to use the KEK?

Full question →
Question 11hardmultiple choice
Full question →

A company wants to enable Azure Disk Encryption (ADE) on their Windows virtual machines using a Key Encryption Key (KEK) stored in Azure Key Vault. They have created the Key Vault with soft-delete enabled and a key. However, the encryption fails. What is the most likely missing configuration that prevents ADE from using the KEK?

Full question →
Question 12mediummulti select
Full question →

A company has an Azure SQL Database server. They want to allow an Azure Function with a system-assigned managed identity to access the database by using Azure Active Directory (Azure AD) authentication. Which two configurations are required to grant this access? (Choose two.)

Full question →
Question 13hardmultiple choice
Full question →

A company plans to enable Azure Disk Encryption (ADE) on a fleet of Windows virtual machines. They want to use a key stored in Azure Key Vault to encrypt the disks. Which additional access configuration must be made in the Key Vault to allow ADE to succeed?

Full question →
Question 14easymultiple choice
Full question →

A company uses Azure AD with Premium P2 licenses. They want to require that all new users register for Azure Multi-Factor Authentication (MFA) within 14 days of their first sign-in. If they do not register, they should be denied access to all cloud applications until registration is completed. Which Azure AD feature should they configure?

Full question →
Question 15mediummultiple choice
Full question →

A company uses Azure AD Privileged Identity Management (PIM) to manage access to Azure resources. They want to enforce that when a user activates the Contributor role for a specific resource group, they must provide a ticket number as justification and the activation is limited to 4 hours. Which PIM settings should they configure?

Full question →
Question 16mediummultiple choice
Full question →

A company uses Azure AD Privileged Identity Management (PIM) to manage access to the 'Security Administrator' role. They want a specific user to be able to activate the role only when needed, rather than having standing access. The user should not have the role active at all times. Which type of assignment should they configure for this user in PIM?

Full question →
Question 17hardmulti select
Full question →

A company uses Azure AD Privileged Identity Management (PIM) to manage access to Azure AD roles. They want to require that users who activate the Global Administrator role must get approval from their manager before activation, and that the approval must be time-bound (maximum 8 hours). Which two PIM configurations should they set?

Full question →
Question 18hardmultiple choice
Full question →

A company uses Azure AD Privileged Identity Management (PIM) to manage access to critical roles. They want to require that users who are eligible for the 'Security Administrator' role must provide a support ticket number in the justification when activating the role. Additionally, they want to set a maximum activation duration of 4 hours. Which PIM role setting should they configure?

Full question →
Question 19hardmultiple choice
Full question →

A company uses Azure SQL Database with Transparent Data Encryption (TDE) and a customer-managed key stored in Azure Key Vault. The Key Vault is configured with a firewall that denies all public access. The SQL server must be able to access the key. What additional configuration is necessary?

Full question →
Question 20hardmultiple choice
Full question →

A company uses Azure SQL Database with Transparent Data Encryption (TDE) and a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall that blocks all public access. The SQL server is a managed service that needs to access the key to perform TDE operations. The Key Vault is in the same Azure region as the SQL server. Which additional configuration is needed?

Full question →
Continue with 20-question session →

Watch out for

Common Manage Identity And Access exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Sign up freeLog in

Focused Manage Identity And Access sessions

Start a Manage Identity And Access only practice session

Every question in these sessions is drawn from the Manage Identity And Access domain — nothing else.

10 questions20 questions30 questions50 questions
Browse all Manage Identity And Access questions →Mixed AZ-500 session

Related practice questions

Related AZ-500 topic practice pages

Move into related areas when this topic feels solid.

AZ-500 fundamentals practice questions

Practise AZ-500 questions linked to AZ-500 fundamentals.

AZ-500 scenario practice questions

Practise AZ-500 questions linked to AZ-500 scenario.

AZ-500 troubleshooting practice questions

Practise AZ-500 questions linked to AZ-500 troubleshooting.

Frequently asked questions

What does the AZ-500 exam test about Manage Identity And Access?
Manage Identity And Access questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Manage Identity And Access questions in a focused session?
Yes — the session launcher on this page draws every question from the Manage Identity And Access domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other AZ-500 topics?
Use the topic links above to move to related areas, or go back to the AZ-500 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the AZ-500 exam covers. They are not copied from any real exam or dump site.