Azure AZ-500 Sample Questions with Explanations

Azure AZ-500 sample questions with explanations, traps, topic labels, and IT Mastery route links.

These original sample questions are designed to help you check how the exam topics appear in decision-style prompts. They are not taken from the live exam.

Use these sample questions as a guided self-assessment for Microsoft Certified: Azure Security Engineer Associate (AZ-500) topics such as identity protection, privileged access, network isolation, Defender posture, storage security, key management, monitoring, and incident response. The prompts emphasize control selection and risk trade-offs.

Where these questions fit in the AZ-500 guide

The sample set below is part of the Microsoft AZ-500 guide path:

AZ-500 security sample questions

Work through each prompt before opening the explanation. Strong AZ-500 answers usually enforce least privilege, reduce exposed attack surface, and preserve detection and response signals.


Question 1

Topic: Just-in-time privileged access

Administrators need temporary elevated access to manage production resources. The security team wants approvals, time limits, and an audit trail for privilege activation. Which control best fits?

  • A. Assign permanent Owner permissions at subscription scope.
  • B. Use privileged access management with eligible assignments, activation approval, time-bound access, and logging.
  • C. Share one administrator account among the team.
  • D. Move production resources to a separate resource group but keep all current role assignments.

Best answer: B

Explanation: The requirement is not simply access; it is controlled activation. Eligible assignments, approval, time limits, and logs reduce standing privilege and support review.

Why the other choices are weaker:

  • A creates standing broad privilege.
  • C destroys individual accountability.
  • D changes organization but does not control privileged activation.

What this tests: Applying least privilege and just-in-time access to Azure administration.

Related topics: Privileged access; RBAC; Approval; Audit


Question 2

Topic: Reducing storage exposure

A storage account contains sensitive application data. It should be reachable only from approved virtual networks, and public network access should be minimized. What is the strongest configuration?

  • A. Enable public access and rely on long, random container names.
  • B. Use private endpoint connectivity, restrict public network access, and grant data-plane permissions only to approved identities.
  • C. Assign Reader at subscription scope to all developers.
  • D. Turn on soft delete only.

Best answer: B

Explanation: Sensitive storage needs both network restriction and identity control. Private endpoint connectivity reduces public exposure, and data-plane authorization controls who can read or write data.

Why the other choices are weaker:

  • A relies on obscurity and leaves public reachability.
  • C is too broad and does not grant appropriate data-plane access.
  • D helps recovery but does not control access.

What this tests: Combining network isolation with storage data authorization.

Related topics: Storage security; Private Endpoint; Data-plane roles; Network access


Question 3

Topic: Detection signal routing

A security operations team needs alerts when suspicious sign-in patterns appear and wants the events retained for investigation queries. Which approach best supports detection and investigation?

  • A. Export relevant identity and security logs to a central analytics workspace and create alert rules for suspicious patterns.
  • B. Disable sign-in logging to reduce storage cost.
  • C. Use only resource locks on subscriptions.
  • D. Send all alerts to an unmanaged shared mailbox and keep no queryable history.

Best answer: A

Explanation: The team needs both detection and investigation. Centralized logs plus alert rules preserve queryable evidence and provide notification when suspicious patterns occur.

Why the other choices are weaker:

  • B removes the evidence source.
  • C prevents resource changes but does not detect sign-in risk.
  • D may notify someone but weakens investigation and retention.

What this tests: Designing security monitoring with usable logs and actionable alerts.

Related topics: Security monitoring; Logs; Alert rules; Investigation
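The alert rule that option A in Question 3 relies on, as an added example that is not part of the original page: a small detector run over constructed sign-in records shaped like the rows a central analytics workspace would hold, which flags repeated failures followed by a success and keeps the evidence rows that an investigator would later query. The field layout, threshold and window are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data): timestamp, user, source IP, result.
SAMPLE_SIGNINS = [
    ("2026-05-10T08:00:00", "alice", "203.0.113.10", "failure"),
    ("2026-05-10T08:00:20", "alice", "203.0.113.10", "failure"),
    ("2026-05-10T08:00:40", "alice", "203.0.113.10", "failure"),
    ("2026-05-10T08:01:00", "alice", "203.0.113.10", "failure"),
    ("2026-05-10T08:01:30", "alice", "203.0.113.10", "success"),
    ("2026-05-10T09:00:00", "bob", "198.51.100.7", "failure"),
    ("2026-05-10T09:05:00", "bob", "198.51.100.7", "success"),
]


def parse(records):
    """Turn raw rows into (datetime, user, ip, result) tuples."""
    return [(datetime.fromisoformat(ts), user, ip, result)
            for ts, user, ip, result in records]


def failures_then_success(records, threshold=3, window=timedelta(minutes=10)):
    """Alert when a user/IP pair reaches `threshold` failures inside a sliding
    `window` and then signs in successfully. Each alert carries the evidence
    the rule saw, so the investigation step has a queryable record."""
    alerts = []
    recent = defaultdict(list)  # (user, ip) -> timestamps of recent failures
    for ts, user, ip, result in sorted(parse(records)):
        key = (user, ip)
        # Discard failures that have aged out of the window.
        recent[key] = [t for t in recent[key] if ts - t <= window]
        if result == "failure":
            recent[key].append(ts)
        elif result == "success" and len(recent[key]) >= threshold:
            alerts.append({
                "rule": "repeated-failures-then-success",
                "user": user,
                "source_ip": ip,
                "failure_count": len(recent[key]),
                "first_failure": recent[key][0].isoformat(),
                "success_at": ts.isoformat(),
            })
            recent[key] = []  # reset so one burst yields one alert
    return alerts


if __name__ == "__main__":
    for alert in failures_then_success(SAMPLE_SIGNINS):
        print(alert)
```

Only the alice burst trips the rule; bob's single failure stays below the threshold and is retained as ordinary history rather than raised as an alert.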

Tech Exam Lexicon and IT Mastery are independent study tools. They are not affiliated with, endorsed by, or sponsored by the exam vendor.

Revised on Sunday, May 10, 2026