AZ-500 · topic practice

Secure compute, storage, and databases practice questions

Practise Microsoft Azure Security Engineer Associate AZ-500 Secure compute, storage, and databases practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Secure compute, storage, and databases

What the exam tests

What to know about Secure compute, storage, and databases

Secure compute, storage, and databases questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Secure compute, storage, and databases exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Secure compute, storage, and databases questions

20 questions · select your answer, then reveal the explanation

A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server is in the same region and has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. However, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required to allow the SQL server to access the Key Vault for TDE operations?

A company stores sensitive files in Azure Files shares. They require that data is encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault, and that all client connections use SMB 3.0 encryption for end-to-end encryption in transit. They create a premium Azure Files share in a storage account and configure encryption at rest with a CMK. However, clients are unable to connect without SMB encryption. What additional configuration is necessary to enforce SMB encryption for all connections?

A company stores sensitive files in Azure Files shares. They require encryption at rest using customer-managed keys (CMK) and encryption in transit using SMB 3.0 encryption. They have created a premium Azure Files share in a storage account and configured encryption at rest with a CMK. However, clients are able to connect without enforcing SMB encryption. What additional configuration is necessary to ensure that all connections to the file share are encrypted in transit?

A company uses Azure SQL Database with Transparent Data Encryption (TDE) and wants to use a customer-managed key (CMK) stored in Azure Key Vault. The security policy requires that the Key Vault be protected by a firewall and virtual network service endpoints to restrict network access. The storage account for TDE logs is in the same Azure region. Which additional configuration is necessary in the Key Vault to allow Azure SQL Database to access the CMK for encryption operations?

A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key stored in Azure Key Vault. The Key Vault has a firewall enabled that blocks all public network access. The SQL server has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. Despite this, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required?

A company uses Azure SQL Database. They want to ensure that all data at rest is encrypted using a customer-managed key (CMK) stored in Azure Key Vault. They also require that the key is automatically rotated every 12 months. Which two actions must be configured to meet this requirement? (Select two.)

A company plans to enable Azure Disk Encryption (ADE) on a set of Windows virtual machines using a Key Encryption Key (KEK) stored in Azure Key Vault. They have enabled soft-delete and purge protection on the Key Vault. The encryption fails with an error indicating that the key vault does not have the required permissions. Which additional configuration is most likely required for ADE to use the KEK?

A company uses Azure Disk Encryption (ADE) on Windows virtual machines. They use a key encryption key (KEK) stored in Azure Key Vault to wrap the disk encryption key. The security policy requires that the KEK be automatically rotated every 90 days. They need to ensure that after rotation, the OS and data disks of running VMs automatically get re-wrapped with the new KEK version. Which configuration should they implement?

An Azure Storage account is configured with server-side encryption (SSE) using a customer-managed key stored in Azure Key Vault. The security team requires that the storage account's identity be used to authenticate to the key vault for key access. Additionally, they want the identity to be automatically deleted when the storage account is deleted. Which type of identity should they assign to the storage account?

A company uses Azure SQL Database with Transparent Data Encryption (TDE) using a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server has a system-assigned managed identity assigned the 'Key Vault Crypto Service Encryption User' role. However, TDE operations are failing because the SQL server cannot access the Key Vault. What additional configuration is needed?

Question 11 · hard · multiple choice

A healthcare company stores sensitive patient data in Azure SQL Database. They want to encrypt specific columns containing Personally Identifiable Information (PII) so that even database administrators cannot view the data. The security team also needs to perform equality searches (e.g., WHERE SSN = '123-45-6789') on the encrypted columns. Which encryption technology should they implement?

A company uses Azure SQL Database to store customer data, including credit card numbers. The security policy requires that database administrators (DBAs) must not be able to view the credit card numbers in plaintext. The column containing the credit card numbers must be encrypted at rest and in transit, and only a specific application (using a dedicated client library) should be able to decrypt the data. Which technology should they implement?

A company uses Azure SQL Database with Transparent Data Encryption (TDE) and a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall that blocks all public access. The SQL server is a managed service that needs to access the key to perform TDE operations. The Key Vault is in the same Azure region as the SQL server. Which additional configuration is needed?

Question 14 · hard · multiple choice

A healthcare organization stores sensitive patient data in Azure SQL Database. They need to encrypt specific columns containing medical history so that even database administrators with the 'sysadmin' role cannot view the plaintext data. Additionally, they need to support equality comparisons (WHERE clauses) on the encrypted columns. Which encryption technology should they implement?

A company uses Azure SQL Database to store personally identifiable information (PII). They need to encrypt specific columns containing social security numbers so that even database administrators with the 'db_owner' role cannot view the plaintext. The application must be able to perform equality searches on the encrypted columns. Which encryption technology should they implement?

A company has an Azure SQL Database server. They want to allow an Azure Function with a system-assigned managed identity to access the database by using Azure Active Directory (Azure AD) authentication. Which two configurations are required to grant this access? (Choose two.)

An AKS cluster needs to pull container images from a private Azure Container Registry (ACR). The security policy requires that the AKS cluster identity should not have direct access to the ACR; instead, a service principal with the AcrPull role should be used, with credentials stored as a Kubernetes secret. Which authentication method should be configured on the AKS cluster?

Question 18 · medium · multiple choice

A healthcare organization stores sensitive patient data in Azure SQL Database. They need to encrypt specific columns containing medical history so that even database administrators with highly privileged roles, such as 'sysadmin', cannot view the plaintext data. Additionally, they need to support complex queries on the encrypted data, including pattern matching and range comparisons. Which encryption technology should they implement?

A company wants to enable Azure Disk Encryption (ADE) on their Windows virtual machines using a Key Encryption Key (KEK) stored in Azure Key Vault. They have created the Key Vault with soft-delete enabled and a key. However, the encryption fails. What is the most likely missing configuration that prevents ADE from using the KEK?

A company uses Azure Key Vault to store secrets for their applications. They want to ensure that an application hosted on an Azure virtual machine can access secrets from only a specific Key Vault, and that all traffic between the VM and Key Vault remains within the Azure network and does not traverse the public internet. Which configuration should they implement?

Frequently asked questions

What does the AZ-500 exam test about Secure compute, storage, and databases?
Secure compute, storage, and databases questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Secure compute, storage, and databases questions in a focused session?
Yes — the session launcher on this page draws every question from the Secure compute, storage, and databases domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other AZ-500 topics?
Use the topic links above to move to related areas, or go back to the AZ-500 question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the AZ-500 exam covers. They are not copied from any real exam or dump site.