Question 1hardmulti select
Full question →AZ-500 · topic practice
Secure Networking practice questions
Use this page to practise AZ-500 Secure Networking practice questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.
What the exam tests
What to know about Secure Networking
Secure Networking questions test whether you can apply the concept in context, not just recognise a definition.
How the topic appears in realistic exam-style scenarios.
Which detail in the question changes the correct answer.
How to eliminate plausible but wrong options.
How to connect the question back to the wider exam objective.
Practice set
Secure Networking questions
20 questions · select your answer, then reveal the explanation
Question 2easymultiple choice
Full question →A company uses Microsoft Defender for Cloud to manage the security posture of their Azure workloads. The compliance officer needs to generate a report that shows the current compliance status against the SOC 2 standard, including the pass/fail status of each control. Which feature in Defender for Cloud should they use?
Question 3mediummultiple choice
Full question →A company has an Azure virtual network with multiple subnets hosting different application tiers. They need to inspect and filter all outbound traffic from VMs to the internet, and they must be able to allow or deny traffic based on fully qualified domain names (FQDNs). Which Azure networking service should they deploy?
Question 4hardmultiple choice
Full question →A Defender for Cloud recommendation is valid for most subscriptions but not for a legacy subscription with an approved exception. The team wants secure score to reflect the exception without disabling the recommendation everywhere. What should they do?
Question 5easymultiple choice
Full question →A company has a virtual network with a subnet hosting Azure VMs. They want to restrict all inbound traffic to only allow HTTPS (port 443) from the internet, but also allow SSH (port 22) only from a specific management IP address range (e.g., 203.0.113.0/24). Which Azure service should they use to achieve this filtering?
Question 6mediummultiple choice
Full question →A company has several Azure virtual machines (VMs) in a VNet that host a legacy application. IT support staff need to perform remote administration using RDP. The security team wants to avoid exposing the VMs to the public internet and also enforce Azure Multi-Factor Authentication (MFA) for all RDP sessions. Which Azure service should they deploy to meet these requirements?
Question 7easymultiple choice
Full question →A company has Azure virtual machines that need to download updates from specific external websites (e.g., *.microsoft.com and *.windowsupdate.com). The security team wants to centrally manage and allow outbound HTTPS traffic only to these FQDNs, while blocking all other outbound internet access. Which Azure networking service should they deploy to achieve this?
Question 8hardmultiple choice
Full question →A company uses Azure SQL Database with Transparent Data Encryption (TDE) and wants to use a customer-managed key (CMK) stored in Azure Key Vault. The security policy requires that the Key Vault be protected by a firewall and virtual network service endpoints to restrict network access. The storage account for TDE logs is in the same Azure region. Which additional configuration is necessary in the Key Vault to allow Azure SQL Database to access the CMK for encryption operations?
Question 9mediummultiple choice
Full question →A company has an on-premises web application that they want to expose to external users over the internet without requiring a VPN. External users must authenticate with Modern Authentication (e.g., using Azure Multi-Factor Authentication) and access policies must be enforced via Conditional Access. The application does not support SAML or OAuth. Which Azure service should they use to publish this application securely?
Question 10easymultiple choice
Full question →A security analyst uses Microsoft Defender for Cloud. They want to view a list of all security recommendations for their Azure subscription, prioritized by their potential impact. Which Defender for Cloud dashboard should they use?
Question 11mediummultiple choice
Full question →A Defender for Cloud secure score recommendation says storage accounts allow public blob access. What remediation best addresses the root issue?
Question 12easymultiple choice
Full question →A company has multiple on-premises web applications that need to be securely published for remote employees. The company uses Azure AD for identity management and wants to apply Conditional Access policies, including multi-factor authentication, to these applications. The security team wants to avoid exposing the on-premises infrastructure to the internet directly. Which Azure service should they deploy to meet these requirements?
Question 13mediummultiple choice
Full question →A company stores sensitive customer data in an Azure Storage account. The security policy requires that all data be encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. They also need the ability to disable the key in case of a security breach and have the data become inaccessible immediately. Which feature should they enable on the storage account to achieve this?
Question 14mediummultiple choice
Full question →A company uses Azure SQL Database for a critical application. Security policy requires that all client connections to the database use at least TLS 1.2 encryption. What configuration change must be made to enforce this requirement?
Question 15hardmultiple choice
Full question →A healthcare company stores sensitive patient data in Azure SQL Database. They want to encrypt specific columns containing Personally Identifiable Information (PII) so that even database administrators cannot view the data. The security team also needs to perform equality searches (e.g., WHERE SSN = '123-45-6789') on the encrypted columns. Which encryption technology should they implement?
Question 16hardmultiple choice
Full question →A custom Azure role should allow operators to restart virtual machines but not delete them or change networking. Which permission design is most appropriate?
Question 17mediummultiple choice
Full question →A company uses Microsoft Defender for Cloud. The security team wants to receive a weekly email digest that includes the current Secure Score, the number of healthy and unhealthy resources, and a list of top recommendations. Which Defender for Cloud feature should they configure?
Question 18hardmultiple choice
Full question →A security analyst uses Microsoft Defender for Cloud. They need to continuously monitor the security posture of their Azure subscription against the Microsoft cloud security benchmark (MCSB). They want to see the current compliance score and specific recommendations for failing controls. Which Defender for Cloud feature should they use?
Question 19easymultiple choice
Full question →A security team wants to receive a weekly email summary of the security posture of all their Azure subscriptions, including the Secure Score, top recommendations, and the number of healthy resources. Which Microsoft Defender for Cloud feature should they configure?
Question 20mediummultiple choice
Full question →A healthcare organization stores sensitive patient data in Azure SQL Database. They need to encrypt specific columns containing medical history so that even database administrators with highly privileged roles, such as 'sysadmin', cannot view the plaintext data. Additionally, they need to support complex queries on the encrypted data, including pattern matching and range comparisons. Which encryption technology should they implement?
Watch out for
Common Secure Networking exam traps
- ▸Answering from memory before reading the full scenario.
- ▸Missing a constraint such as cost, availability, security, scope or command context.
- ▸Choosing a broad answer when the question asks for the most specific fix.
- ▸Ignoring why the wrong options are tempting.
Free account
Track your progress over time
Create a free account to save your results and see which topics improve across sessions.
Focused Secure Networking sessions
Start a Secure Networking only practice session
Every question in these sessions is drawn from the Secure Networking domain — nothing else.
Related practice questions
Related AZ-500 topic practice pages
Move into related areas when this topic feels solid.
Frequently asked questions
- What does the AZ-500 exam test about Secure Networking?
- Secure Networking questions test whether you can apply the concept in context, not just recognise a definition.
- How should I use these practice questions?
- Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
- Can I practise just Secure Networking questions in a focused session?
- Yes — the session launcher on this page draws every question from the Secure Networking domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
- Where can I practise other AZ-500 topics?
- Use the topic links above to move to related areas, or go back to the AZ-500 question bank to see all topics.
- Are these real exam questions or dumps?
- These are original practice questions written to test the same concepts the AZ-500 exam covers. They are not copied from any real exam or dump site.
Track your progress
A free account saves results across sessions and highlights which topics need work.
Sign up freeStudy resources
Exam traps to avoid
- ▸Answering from memory before reading the full scenario.
- ▸Missing a constraint such as cost, availability, security, scope or command context.
- ▸Choosing a broad answer when the question asks for the most specific fix.
- ▸Ignoring why the wrong options are tempting.