Question 1mediummultiple choice
Full question →AZ-500 · topic practice
Secure Compute Storage And Databases practice questions
Use this page to practise AZ-500 Secure Compute Storage And Databases practice questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.
What the exam tests
What to know about Secure Compute Storage And Databases
Secure Compute Storage And Databases questions test whether you can apply the concept in context, not just recognise a definition.
How the topic appears in realistic exam-style scenarios.
Which detail in the question changes the correct answer.
How to eliminate plausible but wrong options.
How to connect the question back to the wider exam objective.
Practice set
Secure Compute Storage And Databases questions
20 questions · select your answer, then reveal the explanation
Question 2mediummultiple choice
Full question →A storage account should be reachable only from a specific subnet over the Microsoft backbone, while keeping the public endpoint firewall restricted. Which feature should be used?
Question 3mediummulti select
Full question →A team enables Microsoft Defender for Storage. Which two threats can the plan help detect?
Question 4hardmulti select
Full question →A storage account contains regulated records. Which two features help protect against accidental or malicious deletion?
Question 5mediummultiple choice
Full question →An organization wants to export Defender for Cloud recommendations and alerts into a central Log Analytics workspace for retention and hunting. Which feature should they use?
Question 6hardmulti select
Full question →A SQL workload needs to protect sensitive column values from database administrators who should not see plaintext. Which two features may be relevant depending on the query requirement?
Question 7hardmultiple choice
Full question →A company has an Azure Storage account with infrastructure encryption enabled. They configure the storage account to use customer-managed keys (CMK) stored in Azure Key Vault for encryption at rest. Despite this configuration, newly uploaded blobs are still encrypted with Microsoft-managed keys. What is the most likely cause?
Question 8mediummultiple choice
Full question →A company stores sensitive data in Azure Blob Storage. They want to encrypt the data at rest using customer-managed keys (CMK) stored in Azure Key Vault. Additionally, they want the key to be automatically rotated every 90 days without manual intervention. Which configuration should they implement?
Question 9easymultiple choice
Full question →A company uses Microsoft Defender for Cloud to manage the security posture of their Azure workloads. The compliance officer needs to generate a report that shows the current compliance status against the SOC 2 standard, including the pass/fail status of each control. Which feature in Defender for Cloud should they use?
Question 10mediummultiple choice
Full question →A company stores sensitive financial documents in Azure Blob Storage. The security team needs to maintain an immutable log of all changes to the blob content, including the previous versions and the identity of the user who made the changes, for forensic analysis. Which Azure Storage feature should they enable on the storage account to meet this requirement?
Question 11easymultiple choice
Full question →A company uses Microsoft Defender for Cloud. They want to receive alerts when a virtual machine has a vulnerability that is rated 'Critical' by the integrated vulnerability assessment solution. Which Defender for Cloud plan must be enabled?
Question 12mediummultiple choice
Full question →A company uses Azure SQL Database with Transparent Data Encryption (TDE) encrypted using a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault is protected by a firewall and virtual network service endpoints. The storage account used for TDE logs is in the same Azure region. What additional configuration is necessary in the Key Vault to allow Azure SQL Database to access the CMK for TDE operations?
Question 13hardmultiple choice
Full question →A Defender for Cloud recommendation is valid for most subscriptions but not for a legacy subscription with an approved exception. The team wants secure score to reflect the exception without disabling the recommendation everywhere. What should they do?
Question 14easymultiple choice
Full question →A company has a virtual network with a subnet hosting Azure VMs. They want to restrict all inbound traffic to only allow HTTPS (port 443) from the internet, but also allow SSH (port 22) only from a specific management IP address range (e.g., 203.0.113.0/24). Which Azure service should they use to achieve this filtering?
Question 15mediummultiple choice
Full question →A company has several Azure virtual machines (VMs) in a VNet that host a legacy application. IT support staff need to perform remote administration using RDP. The security team wants to avoid exposing the VMs to the public internet and also enforce Azure Multi-Factor Authentication (MFA) for all RDP sessions. Which Azure service should they deploy to meet these requirements?
Question 16mediummultiple choice
Full question →A company enables Azure SQL Database auditing to log database events to a storage account. The security policy requires that the audit logs be protected from tampering and deletion after they are written. Which storage account feature should the company enable to ensure that audit log files cannot be modified or deleted by anyone for a specified retention period?
Question 17hardmultiple choice
Full question →A company stores sensitive data in Azure Blob Storage. They want to enforce encryption at rest using a customer-managed key (CMK) stored in Azure Key Vault. Additionally, they require that the key vault be in a different region than the storage account to protect against regional disasters. Can this be achieved, and if so, what is the implication?
Question 18mediummultiple choice
Full question →A company stores sensitive documents in an Azure Blob Storage account. They have enabled infrastructure encryption and configured the storage account to use a customer-managed key stored in Azure Key Vault for encryption at rest. Despite this, newly uploaded blobs are still encrypted with Microsoft-managed keys. What is the most likely cause?
Question 19mediummultiple choice
Full question →A company stores sensitive job processing messages in Azure Queue Storage. They have a web application running on an Azure virtual machine in a VNet that reads and writes to the queue. The security team requires that only the web application's VM can access the queue, and all access from the public internet must be blocked. Which configuration should they implement?
Question 20mediummultiple choice
Full question →A company uses Microsoft Defender for Cloud. They have assigned a custom regulatory compliance initiative that includes policies to enforce encryption on storage accounts and SQL databases. They want to automatically remediate any non-compliant resources that are discovered, without manual intervention. Which feature should they configure?
Watch out for
Common Secure Compute Storage And Databases exam traps
- ▸Answering from memory before reading the full scenario.
- ▸Missing a constraint such as cost, availability, security, scope or command context.
- ▸Choosing a broad answer when the question asks for the most specific fix.
- ▸Ignoring why the wrong options are tempting.
Free account
Track your progress over time
Create a free account to save your results and see which topics improve across sessions.
Focused Secure Compute Storage And Databases sessions
Start a Secure Compute Storage And Databases only practice session
Every question in these sessions is drawn from the Secure Compute Storage And Databases domain — nothing else.
Related practice questions
Related AZ-500 topic practice pages
Move into related areas when this topic feels solid.
Frequently asked questions
- What does the AZ-500 exam test about Secure Compute Storage And Databases?
- Secure Compute Storage And Databases questions test whether you can apply the concept in context, not just recognise a definition.
- How should I use these practice questions?
- Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
- Can I practise just Secure Compute Storage And Databases questions in a focused session?
- Yes — the session launcher on this page draws every question from the Secure Compute Storage And Databases domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
- Where can I practise other AZ-500 topics?
- Use the topic links above to move to related areas, or go back to the AZ-500 question bank to see all topics.
- Are these real exam questions or dumps?
- These are original practice questions written to test the same concepts the AZ-500 exam covers. They are not copied from any real exam or dump site.
Secure Compute Storage And Databases only
Mixed AZ-500 sessionTrack your progress
A free account saves results across sessions and highlights which topics need work.
Sign up freeStudy resources
Exam traps to avoid
- ▸Answering from memory before reading the full scenario.
- ▸Missing a constraint such as cost, availability, security, scope or command context.
- ▸Choosing a broad answer when the question asks for the most specific fix.
- ▸Ignoring why the wrong options are tempting.