AZ-500 · topic practice

Scenario practice questions

Practise Microsoft Azure Security Engineer Associate AZ-500 Scenario practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Scenario

What the exam tests

What to know about Scenario

Scenario questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Scenario exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Scenario questions

20 questions · select your answer, then reveal the explanation

Question 1 · easy · multiple choice

A company has an Azure virtual network with a subnet that hosts a public web application. They want to allow inbound HTTPS traffic (port 443) only from the source IP range 203.0.113.0/24, and block all other inbound traffic. They associate a network security group (NSG) with the subnet. What is the minimum number of inbound security rules required in the NSG to achieve this?

Question 2 · easy · multiple choice

A security administrator is troubleshooting network connectivity to an Azure virtual machine. The VM is behind a network security group (NSG) that has a deny-all inbound rule as the default. The administrator wants to quickly verify whether a specific TCP packet on port 3389 from their client IP (203.0.113.50) would be allowed or blocked by the NSG. Which Azure Network Watcher tool should they use?

Question 3 · medium · multiple choice

A security analyst uses Microsoft Sentinel. They want to create a rule that triggers an incident when a user is added to a highly privileged Azure AD role (e.g., Global Administrator). The data source is Azure AD audit logs. Which type of analytics rule should they create?

Question 4 · medium · multiple choice

A security team uses Microsoft Sentinel. They want to detect a potential privilege escalation scenario: when a user is added to the Global Administrator role in Azure AD (audit log) and within 10 minutes that user signs in from a suspicious location (sign-in log). Which type of analytics rule should they create to correlate these two different log sources?

Question 5 · easy · multiple choice

A security team uses Microsoft Sentinel. They have created a playbook in Azure Logic Apps that automatically isolates a compromised VM by modifying a network security group. They want the playbook to run automatically whenever an incident of type 'VM Isolation' is created. Which Microsoft Sentinel feature should they use to trigger the playbook automatically?

Question 6 · medium · multiple choice

A security operations team uses Microsoft Sentinel. They want to create a custom analytics rule that detects when an Azure virtual machine is created with a public IP address that is not in an approved list. Which type of rule should they use?

Question 7 · medium · multiple choice

A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Security Administrator' role. They want users who activate this role to provide a justification and a support ticket number, and they want the activation to expire after a maximum of 4 hours. Which PIM role settings should they configure?

Question 8 · hard · multi select

A team wants to deploy Sentinel content consistently across workspaces. Which two approaches are appropriate?

Question 9 · medium · multiple choice

A security analyst uses Microsoft Sentinel. They have created a playbook that tags Azure VMs as 'isolated' when a high-severity malware alert is triggered. They want this playbook to run automatically whenever a related alert is generated. Which feature should they configure?

Question 10 · medium · multiple choice

A security analyst is using Microsoft Sentinel to investigate a security incident. The analyst needs to view all related events, alerts, and entities (users, IPs, hosts) in a single, interactive graph to understand the full scope of the attack. Which Microsoft Sentinel feature should they use?

Question 11 · medium · multiple choice

A security team uses Microsoft Sentinel. They have created a playbook that isolates a virtual machine by modifying a network security group rule. They want this playbook to execute automatically whenever a new incident of type 'Suspicious VM activity' is created. Which Microsoft Sentinel feature should they use to trigger the playbook?

Question 12 · medium · multiple choice

A security team uses Microsoft Sentinel. They want to create a custom detection rule that identifies a potential data exfiltration scenario: when a user signs in from an unusual location and then, within 30 minutes, performs a large download from Azure Blob Storage. They need to correlate sign-in logs from Azure AD with storage diagnostic logs. Which type of analytics rule should they create in Microsoft Sentinel?

Question 13 · medium · multiple choice

A security team uses Microsoft Sentinel. They want to create a custom analytic rule that triggers an incident when more than 10 failed Azure Active Directory sign-ins occur from the same source IP address within any 5-minute window. Which type of rule should they use?

Question 14 · medium · multiple choice

A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Security Administrator' role. They want to ensure that when a user activates the role, they must provide a ticket number as justification, and the activation must be approved by a designated approver group. The role activation duration should be limited to 4 hours. Which PIM settings should be configured?

Question 15 · easy · multiple choice

You have an Azure virtual machine that hosts a web application. You need to allow inbound HTTP (80) and HTTPS (443) traffic from the internet to this VM only. You also need to allow outbound traffic to the internet from the VM. You want to use a managed Azure service with minimal configuration. What should you use?

Question 16 · hard · multiple choice

A company has two Azure virtual networks, VNet-A and VNet-B, connected via VNet peering. They want all traffic between the VNets to be inspected by a network virtual appliance (NVA) deployed in a subnet in VNet-A. They have configured a user-defined route (UDR) on the subnet in VNet-B that points the destination address space of VNet-A to the private IP of the NVA. However, traffic between the VNets is still not passing through the NVA. What is the most likely cause?

Question 17 · medium · multiple choice

A company uses Microsoft Defender for Cloud to monitor security alerts. They receive an alert about a compromised virtual machine and want to automatically execute a playbook that isolates the VM by modifying the network security group. Which Defender for Cloud feature should they use to create this automated response?

Question 18 · medium · multiple choice

A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Global Administrator' role. The security team wants to ensure that when a user activates the role, they must provide a justification, and the activation request must be approved by a specific group of security administrators. They have already configured the role for activation with a maximum duration of 8 hours. Which additional PIM settings should they configure?

Question 19 · easy · multiple choice

You need to provide secure remote administration access to Azure virtual machines in a production environment. You want to eliminate public RDP/SSH endpoints and provide just-in-time access. Which Azure service should you use?

Question 20 · hard · multiple choice

You are troubleshooting connectivity between two Azure virtual machines in different VNets that are peered. VM1 (10.0.1.4) cannot reach VM2 (10.0.2.4) on port 80. Both VNets have NSGs allowing HTTP traffic from each other's IP ranges. The VNet peering is in 'Connected' state. You verify that the VMs' operating system firewalls allow HTTP. What is the most likely cause of the connectivity issue?


Frequently asked questions

What does the AZ-500 exam test about Scenario?
Scenario questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Scenario questions in a focused session?
Yes — the session launcher on this page draws every question from the Scenario domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other AZ-500 topics?
Use the topic links above to move to related areas, or go back to the AZ-500 question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the AZ-500 exam covers. They are not copied from any real exam or dump site.