MICROSOFT CERTIFICATION

AZ-500 Azure Security Engineer Associate Practice Exam

Exam Number: 3109 | Last updated 16-Apr-26 | 789+ questions across 4 vendor-aligned objectives

The AZ-500 Azure Security Engineer Associate certification validates the skills of security engineers who implement, manage, and monitor security controls for Azure resources and multi-cloud environments. The exam measures your ability to work with Microsoft Defender for Cloud, Microsoft Sentinel, Azure Key Vault, Microsoft Entra ID Protection, and Azure Firewall, and it expects both conceptual understanding and the practical implementation skills required in today's enterprise environments.

The heaviest exam domains include Manage Identity and Access (25–30%), Manage Security Operations (25–30%), and Secure Networking (20–25%). These areas collectively represent the majority of exam content and require focused preparation across their respective subtopics.

Additional domains tested include Secure Compute, Storage, and Databases (20–25%). Together, these areas round out the full exam blueprint and ensure candidates possess well-rounded expertise across the certification scope.

Identity and security operations share the top weighting. Before exam day, deep-dive Microsoft Entra Conditional Access policies (including authentication strengths and emergency-access account exclusions), Microsoft Sentinel KQL analytics rules, and the two Key Vault permission models (legacy access policies and the now-recommended Azure RBAC).

Every answer links to the source. Each explanation below includes a hyperlink to the exact Microsoft documentation page the question was derived from. PowerKram is the only practice platform with source-verified explanations. Learn about our methodology →

611 practice exam users · 95% satisfied users · 90.4% passed the exam · 4.9/5 quality rating

Test your AZ-500 Azure Security Engineer Associate knowledge

10 of 789+ questions

Question #1 - Manage Identity and Access

A company needs to require MFA for all administrator access to Azure portal while allowing standard users passwordless access from compliant devices.

Which identity feature should be configured?

A) Conditional Access policies with separate rules for admin and standard user groups
B) Azure AD Password Protection only
C) Disable MFA and use IP restrictions only
D) A single blanket MFA policy for all users

 

Correct answers: A – Explanation:
Conditional Access lets you apply differentiated policies: one policy targets directory roles and requires MFA (or a phishing-resistant authentication strength) for the Azure portal, while another targets the standard-user group and grants access only from a compliant device using a passwordless sign-in. A blanket MFA policy does not differentiate. IP restrictions alone are insufficient because they control where a sign-in comes from, not how strongly it is authenticated. Password Protection prevents weak passwords but does not enforce MFA. In practice, exclude your emergency-access (break-glass) accounts from every policy and deploy new policies in report-only mode before enforcing them. Source: Check Source

Question #2 - Manage Identity and Access

A company needs MFA for all admin Azure portal access while allowing standard users passwordless access from compliant devices.

Which identity feature should be configured?

A) Azure Firewall IP restriction rules limiting portal access to the corporate network only
B) Conditional Access policies with separate rules targeting admin roles and standard user groups
C) A single blanket MFA policy applied uniformly to every user account in the directory
D) Azure AD Password Protection policies enforcing complexity requirements across all accounts

 

Correct answers: B – Explanation:
Conditional Access allows differentiated policies: MFA for admin roles, passwordless sign-in from compliant devices for standard users. A blanket MFA policy cannot differentiate between the two populations. Firewall IP restrictions control network reachability but do not manage authentication strength, and the Azure portal is a public endpoint in any case. Password Protection prevents weak passwords but does not enforce multi-factor authentication flows. Source: Check Source
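The two policies from Questions #1 and #2 as Microsoft Graph conditionalAccessPolicy bodies, plus the checks a reviewer applies before the policies are created. This is an added example, not code from the page or from Microsoft: the break-glass account and group GUIDs are placeholders, and the role-template, application and authentication-strength IDs are well-known values that you should verify in your own tenant before use.

```python
"""Build and lint the two Conditional Access policies from the scenario.

Added example. Policy bodies follow the Microsoft Graph conditionalAccessPolicy
schema; IDs marked "verify" are documented well-known values, the others are
placeholders for tenant-specific objects.
"""
import json

GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"          # Global Administrator template (verify)
AZURE_MGMT_APP = "797f4846-ba00-4fd7-ba43-dac1f8f63013"             # Windows Azure Service Management API, i.e. the portal (verify)
PASSWORDLESS_MFA_STRENGTH = "00000000-0000-0000-0000-000000000003"  # built-in "Passwordless MFA" strength (verify)
BREAK_GLASS_ACCOUNTS = ["11111111-1111-1111-1111-111111111111"]     # placeholder emergency-access account
STANDARD_USERS_GROUP = "22222222-2222-2222-2222-222222222222"       # placeholder group


def admin_mfa_policy():
    """Admins (by directory role) must satisfy MFA for the Azure portal."""
    return {
        "displayName": "CA001 - Require MFA for admin roles on Azure portal",
        "state": "enabledForReportingButNotEnforced",   # report-only until sign-in logs look right
        "conditions": {
            "users": {"includeRoles": [GLOBAL_ADMIN_ROLE], "excludeUsers": list(BREAK_GLASS_ACCOUNTS)},
            "applications": {"includeApplications": [AZURE_MGMT_APP]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def standard_user_passwordless_policy():
    """Standard users get in only from a compliant device AND with a passwordless sign-in."""
    return {
        "displayName": "CA002 - Passwordless from compliant device for standard users",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeGroups": [STANDARD_USERS_GROUP], "excludeUsers": list(BREAK_GLASS_ACCOUNTS)},
            "applications": {"includeApplications": [AZURE_MGMT_APP]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            "operator": "AND",
            "builtInControls": ["compliantDevice"],
            "authenticationStrength": {"id": PASSWORDLESS_MFA_STRENGTH},
        },
    }


def lint_policy(policy):
    """Return the mistakes a reviewer would reject the policy for (empty list means OK)."""
    findings = []
    users = policy["conditions"]["users"]
    grant = policy.get("grantControls") or {}
    # 1. Every policy must exclude the emergency-access accounts or a bad policy can lock out the tenant.
    if not set(BREAK_GLASS_ACCOUNTS) <= set(users.get("excludeUsers", [])):
        findings.append("break-glass accounts are not excluded")
    # 2. A device requirement on "All" users also hits unenrolled admins and guests; scope it to a group.
    if users.get("includeUsers") == ["All"] and "compliantDevice" in grant.get("builtInControls", []):
        findings.append("targets All users with a device requirement; scope to a group instead")
    # 3. A role-scoped policy that does not require MFA (or a strength) is not the admin control we wanted.
    if users.get("includeRoles") and "mfa" not in grant.get("builtInControls", []) \
            and not grant.get("authenticationStrength"):
        findings.append("role-scoped policy does not require MFA")
    # 4. Create in report-only mode first, then switch to "enabled" after reviewing the impact.
    if policy["state"] == "enabled":
        findings.append("policy is enforced immediately; create it in report-only mode first")
    return findings


def graph_request_body(policy):
    """JSON body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for p in (admin_mfa_policy(), standard_user_passwordless_policy()):
        print(p["displayName"], "->", lint_policy(p) or "OK")
    bad = admin_mfa_policy()
    bad["conditions"]["users"]["excludeUsers"] = []
    bad["state"] = "enabled"
    print("mutated ->", lint_policy(bad))
```

The admin policy shown targets only the Global Administrator role; in a real tenant you would list every privileged role template (or use the authentication strength "Phishing-resistant MFA" instead of the plain "mfa" control). The two policies are independent, so a user who is both an admin and a member of the standard-user group must satisfy both.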

Question #3 - Manage Identity and Access

A company discovers former employees still have Azure access two weeks after leaving. They need automatic deprovisioning.

Which solution automates access removal upon employee departure?

A) Forced password expiration every 30 days requiring all users to create new credentials
B) Quarterly access certification campaigns sending email reminders to resource owners
C) Entra ID lifecycle workflows triggered by HR system termination events for automated offboarding
D) Monthly manual access reviews conducted by each department manager in a spreadsheet

 

Correct answers: C – Explanation:
Lifecycle Workflows integrated with HR systems automatically disable accounts, revoke sessions, and remove group memberships upon termination events. Monthly manual reviews create up to 30-day gaps in deprovisioning. Quarterly certification campaigns are too infrequent for timely offboarding. Password expiry forces credential changes but does not disable accounts or revoke access to Azure resources. Two caveats a practitioner should know: Lifecycle Workflows are a Microsoft Entra ID Governance feature, and the leaver workflow is triggered from the user's employeeLeaveDateTime attribute, so HR-driven provisioning must actually populate that attribute or the workflow never fires. Source: Check Source
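A reconciliation check that would have surfaced the two-week gap in Question #3, and that is worth running even after Lifecycle Workflows are in place to prove the leaver workflow fired. This is an added example, not code from the page or from Microsoft; the HR feed and the directory export are constructed sample data, and the directory rows are modelled on a trimmed Microsoft Graph user object (employeeId, accountEnabled, employeeLeaveDateTime).

```python
"""Find accounts that HR says have left but that are still enabled in Entra ID.

Added example with constructed data: HR_FEED stands in for the HR system export,
DIRECTORY for a dump of user objects from Microsoft Graph.
"""
from datetime import date

AS_OF = date(2026, 4, 14)   # the day the check runs

# Constructed HR export: employeeId -> last working day
HR_FEED = {
    "E1001": date(2026, 3, 31),
    "E1002": date(2026, 4, 10),
    "E1003": date(2026, 4, 30),   # future leaver, still employed on AS_OF
}

# Constructed directory export (shape modelled on Graph user objects, trimmed)
DIRECTORY = [
    {"userPrincipalName": "alice@contoso.example", "employeeId": "E1001",
     "accountEnabled": True, "employeeLeaveDateTime": None},
    {"userPrincipalName": "bob@contoso.example", "employeeId": "E1002",
     "accountEnabled": False, "employeeLeaveDateTime": "2026-04-10"},
    {"userPrincipalName": "carol@contoso.example", "employeeId": "E1003",
     "accountEnabled": True, "employeeLeaveDateTime": "2026-04-30"},
    {"userPrincipalName": "svc-backup@contoso.example", "employeeId": None,
     "accountEnabled": True, "employeeLeaveDateTime": None},
]


def stale_leavers(hr_feed, directory, today):
    """Return (upn, days_overdue, reason) for enabled accounts whose HR termination is in the past.

    Lifecycle Workflows key the leaver trigger off employeeLeaveDateTime, so an
    account whose HR date has passed but whose attribute is empty was never in
    scope of the workflow at all; that case is reported with its own reason.
    """
    stale = []
    for user in directory:
        emp_id = user.get("employeeId")
        if emp_id not in hr_feed:
            continue                                   # not an HR-managed identity
        left_on = hr_feed[emp_id]
        if left_on > today or not user["accountEnabled"]:
            continue                                   # still employed, or already disabled
        if user["employeeLeaveDateTime"]:
            reason = "workflow did not disable account"
        else:
            reason = "no employeeLeaveDateTime set, workflow never triggered"
        stale.append((user["userPrincipalName"], (today - left_on).days, reason))
    return stale


def unmatched_accounts(hr_feed, directory):
    """Enabled accounts with no employeeId can never be deprovisioned by an HR event."""
    return [u["userPrincipalName"] for u in directory
            if u["accountEnabled"] and not u.get("employeeId")]


if __name__ == "__main__":
    for upn, days, reason in stale_leavers(HR_FEED, DIRECTORY, AS_OF):
        print(f"{upn}: still enabled {days} days after termination ({reason})")
    print("no HR linkage:", unmatched_accounts(HR_FEED, DIRECTORY))
```

Service and shared accounts show up in the second list; they need an owner and an access review rather than an HR trigger, which is why the question's "automatic" answer still needs this kind of backstop.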

Question #4 - Manage Identity and Access

An organization needs to grant a third-party auditor read-only access to specific resources for 30 days with no standing access.

Which access approach should be used?

A) Create a permanent Guest account with the Reader role assignment and no expiration date
B) Configure PIM with a time-bound eligible assignment that automatically expires after 30 days
C) Establish a VPN tunnel granting the auditor full network-level connectivity to Azure resources
D) Share an existing administrator account with the auditor for the duration of the engagement

 

Correct answers: B – Explanation:
PIM provides time-bound eligible assignments that auto-expire after the specified period without any manual cleanup required. An eligible assignment is not standing access: the auditor still has to activate the Reader role (optionally with MFA and a justification), and every activation is logged, which is the audit trail a 30-day engagement should leave behind. Permanent guest accounts risk lingering access beyond the engagement unless manually removed; note that the auditor still needs a B2B guest account, it is the role assignment that is time-bound. Sharing administrator accounts violates individual accountability and least-privilege principles. VPN provides network-level connectivity but does not grant Azure resource-level authorization or role assignments. Source: Check Source
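The PIM request for Question #4 as an Azure Resource Manager roleEligibilityScheduleRequests call, with a review function that rejects anything amounting to standing access. This is an added example, not code from the page or from Microsoft: the API version 2020-10-01, the request schema, and the built-in Reader role definition ID are assumptions to verify (for example with `az role definition list --name Reader`), and the subscription, resource group and principal IDs are placeholders.

```python
"""Create a PIM *eligible* Reader assignment that expires after 30 days, and review it.

Added example. Schema and IDs are assumptions to verify against the live API.
"""
import re
import uuid
from datetime import datetime, timedelta, timezone

READER_ROLE_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"   # built-in Reader (verify)
SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"       # placeholder
MAX_ENGAGEMENT_DAYS = 30
ENGAGEMENT_START = datetime(2026, 4, 16, tzinfo=timezone.utc)


def build_eligibility_request(principal_id, resource_group, start, days=30, justification="External audit"):
    """PUT body for {scope}/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/{guid}."""
    scope = f"/subscriptions/{SUBSCRIPTION}/resourceGroups/{resource_group}"
    return {
        "url": (f"https://management.azure.com{scope}/providers/Microsoft.Authorization/"
                f"roleEligibilityScheduleRequests/{uuid.uuid4()}?api-version=2020-10-01"),
        "body": {"properties": {
            "principalId": principal_id,
            "roleDefinitionId": f"/subscriptions/{SUBSCRIPTION}/providers/Microsoft.Authorization/"
                                f"roleDefinitions/{READER_ROLE_ID}",
            "requestType": "AdminAssign",            # admin grants eligibility; the auditor activates
            "justification": justification,
            "scheduleInfo": {
                "startDateTime": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
                "expiration": {"type": "AfterDuration", "duration": f"P{days}D"},
            },
        }},
    }


def iso_duration_days(duration):
    """Parse the subset of ISO 8601 durations used here (PnD, PTnH, PnDTnH) into days."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?)?", duration)
    if not m or duration == "P":
        raise ValueError(f"unsupported duration {duration!r}")
    days, hours = int(m.group(1) or 0), int(m.group(2) or 0)
    return days + hours / 24


def review_request(request, start):
    """Return (findings, computed_end). Empty findings means the request is acceptable."""
    props = request["body"]["properties"]
    exp = props["scheduleInfo"]["expiration"]
    findings = []
    # Eligible, not active: the wrong endpoint silently turns this into standing access.
    if "/roleEligibilityScheduleRequests/" not in request["url"]:
        findings.append("this creates an active assignment, not an eligible one")
    # Scope must be the audited resource group, not the whole subscription.
    scope_part = request["url"].split("/providers/Microsoft.Authorization/")[0]
    if "/resourceGroups/" not in scope_part:
        findings.append("scope is the whole subscription; narrow it to the audited resource group")
    if exp["type"] == "NoExpiration":
        findings.append("permanent eligibility is standing access")
        end = None
    elif exp["type"] == "AfterDuration":
        end = start + timedelta(days=iso_duration_days(exp["duration"]))
    else:   # AfterDateTime
        end = datetime.strptime(exp["endDateTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if end is not None and (end - start) > timedelta(days=MAX_ENGAGEMENT_DAYS):
        findings.append(f"eligibility lasts longer than {MAX_ENGAGEMENT_DAYS} days")
    return findings, end


if __name__ == "__main__":
    req = build_eligibility_request("33333333-3333-3333-3333-333333333333", "rg-finance-audit", ENGAGEMENT_START)
    print(review_request(req, ENGAGEMENT_START))
```

Pair the eligibility with a PIM role setting that requires MFA and justification on activation; the 30-day eligibility bounds the engagement, while each activation (typically hours) bounds the actual session of access.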

Question #5 - Manage Security Operations

A SOC team needs to detect and investigate multi-stage attacks across endpoints, email, identity, and cloud workloads from a single dashboard.

Which Microsoft security solution provides this unified detection?

A) Microsoft Purview compliance portal managing data classification and retention policies
B) Microsoft Defender XDR correlating alerts across endpoints, email, identity, and cloud apps
C) Azure Firewall diagnostic logs providing network-level traffic inspection and analysis
D) Azure Network Watcher providing connectivity diagnostics and packet capture capabilities

 

Correct answers: B – Explanation:
Defender XDR correlates signals across endpoints (Defender for Endpoint), email (Defender for Office 365), identity (Defender for Identity and Entra ID Protection), and cloud apps (Defender for Cloud Apps) to detect multi-stage attacks in a unified investigation experience with automated incident grouping. Firewall logs show network events at the traffic level only. Network Watcher diagnoses connectivity issues between resources. Purview handles data governance and compliance, not security threat detection and investigation. Source: Check Source

Question #6 - Manage Security Operations

A security analyst needs custom detection rules that query log data from multiple sources to find suspicious sign-in patterns.

Which tool and language should the analyst use?

A) Azure Advisor security recommendations providing periodic best-practice compliance checks
B) Azure Policy audit-effect definitions evaluating resource configuration against standards
C) Azure Monitor metric alert rules configured with numeric threshold conditions on counters
D) Microsoft Sentinel scheduled analytics rules built with Kusto Query Language log queries

 

Correct answers: D – Explanation:
Sentinel scheduled analytics rules run KQL against structured log data from connected sources on a cadence you choose (near-real-time rules exist for low-latency cases), enabling pattern detection across time windows and multiple data types, with entity mapping so matches become incidents with users, IPs and hosts attached. Metric alerts evaluate numeric thresholds on performance counters, not log-based pattern queries. Advisor provides periodic recommendations, not threat detection. Policy evaluates ARM resource configuration compliance, not security event patterns. Source: Check Source

Question #7 - Manage Security Operations

A company wants to automatically isolate compromised VMs and notify the security team when high-severity incidents are detected.

Which Sentinel feature enables this automated response?

A) Sentinel workbooks providing interactive data visualization dashboards for analysts
B) Entity behavior analytics detecting anomalous patterns in user and device activity
C) Playbooks built on Logic Apps and triggered automatically by analytics rule incidents
D) Hunting notebooks providing interactive Jupyter-based threat investigation environments

 

Correct answers: C – Explanation:
Playbooks are Logic Apps that automate response actions such as VM network isolation and team notifications. They are run automatically by an automation rule when an incident is created or updated (for example, a condition of severity equals High), or from the alert trigger of an analytics rule; the Logic App's managed identity needs the permissions the action requires, such as modifying an NSG or calling Defender for Endpoint's machine isolation. Workbooks visualize data for analysis but do not execute response actions. Notebooks provide interactive investigation but require manual execution. Entity behavior analytics identifies anomalous patterns but does not execute automated containment responses. Source: Check Source

Question #8 - Secure Networking

A company needs to inspect and filter outbound internet traffic from Azure VMs, blocking access to known malicious domains.

Which service should be deployed?

A) Network Security Groups with outbound IP address and port-based filtering rules
B) Azure DDoS Protection Standard providing volumetric attack mitigation at the network edge
C) Azure Private Link establishing private connectivity between VNets and Azure PaaS services
D) Azure Firewall with FQDN application rules and integrated threat intelligence feeds

 

Correct answers: D – Explanation:
Azure Firewall with application rules filters outbound traffic by fully qualified domain name and integrates threat intelligence to block known malicious destinations. Application rules match the HTTP Host header or the TLS SNI, so the VM subnets must route 0.0.0.0/0 to the firewall's private IP via a user-defined route; threat-intelligence-based filtering is evaluated before the rule collections and can be set to alert only or alert and deny. NSGs filter by IP, port and service tag but cannot resolve or filter by domain name at the application layer. DDoS Protection handles inbound volumetric attacks, not outbound traffic filtering. Private Link provides private PaaS connectivity but does not filter or inspect general internet-bound traffic. Source: Check Source
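An offline model of how Azure Firewall decides on the outbound requests in Question #8, so the difference from an NSG is concrete: the firewall sees a hostname, the NSG only a destination IP. This is an added example, not code from the page or from Microsoft. The rule collections, subnets, hostnames and the threat-intelligence list are constructed, and the evaluation semantics it models (threat intelligence first, collections by priority, first matching rule wins, implicit deny, a `*.` wildcard matching subdomains only) are assumptions to check against the current Azure Firewall documentation.

```python
"""Simplified model of Azure Firewall application rule evaluation (added example)."""
import ipaddress

# Constructed stand-in for the Microsoft-managed threat-intelligence feed.
THREAT_INTEL_DENY = {"malware-c2.example", "phish-kit.example"}

# Constructed application rule collections; lower priority number is evaluated first.
APPLICATION_RULE_COLLECTIONS = [
    {
        "name": "deny-exfil-sites", "priority": 100, "action": "Deny",
        "rules": [
            {"name": "paste-sites", "source_addresses": ["10.0.0.0/16"],
             "protocols": {"https"}, "target_fqdns": ["*.pastebin.example"]},
        ],
    },
    {
        "name": "allow-workload-egress", "priority": 200, "action": "Allow",
        "rules": [
            {"name": "os-updates", "source_addresses": ["10.0.1.0/24"],
             "protocols": {"http", "https"},
             "target_fqdns": ["*.windowsupdate.example", "download.windowsupdate.example"]},
            {"name": "source-control", "source_addresses": ["10.0.1.0/24"],
             "protocols": {"https"}, "target_fqdns": ["github.com"]},
        ],
    },
]


def fqdn_matches(pattern, host):
    """'*.example.com' matches any subdomain but not the bare name; otherwise exact match."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:].lower()            # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern.lower()


def source_matches(cidrs, src_ip):
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def evaluate(src_ip, protocol, host):
    """Return (action, reason) for an outbound request the firewall sees.

    `host` is what the firewall inspects (HTTP Host header or TLS SNI); an NSG
    never sees it, which is why "block this domain" cannot be expressed there.
    """
    if host.lower() in THREAT_INTEL_DENY:
        return "Deny", "threat intelligence"
    for collection in sorted(APPLICATION_RULE_COLLECTIONS, key=lambda c: c["priority"]):
        for rule in collection["rules"]:
            if (protocol in rule["protocols"]
                    and source_matches(rule["source_addresses"], src_ip)
                    and any(fqdn_matches(p, host) for p in rule["target_fqdns"])):
                return collection["action"], f'{collection["name"]}/{rule["name"]}'
    return "Deny", "no rule matched (implicit deny)"


if __name__ == "__main__":
    for req in [("10.0.1.4", "https", "api.windowsupdate.example"),
                ("10.0.1.4", "https", "windowsupdate.example"),
                ("10.0.1.4", "https", "malware-c2.example"),
                ("10.0.1.4", "https", "raw.pastebin.example"),
                ("10.0.2.9", "https", "github.com")]:
        print(req, "->", evaluate(*req))
```

The second request is the one people get wrong: `*.windowsupdate.example` does not cover the bare domain, so it needs its own entry. The model also shows why an NSG cannot help here even with an allow list of IPs: a CDN-hosted malicious domain and a legitimate one can share the same destination address.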

Question #9 - Secure Compute, Storage, and Databases

A database team needs Azure SQL Database accessible only from specific VNets and never exposed to the public internet.

Which configuration achieves this?

A) Configure a Private Endpoint for Azure SQL and disable the public network access setting
B) Deploy SQL Server on a Virtual Machine behind an internal Azure Load Balancer instance
C) Enable Azure DDoS Protection Standard on the virtual network hosting the database
D) Enable the public endpoint with IP firewall rules restricting access to known addresses

 

Correct answers: A – Explanation:
A Private Endpoint places a network interface with a private IP from the VNet in front of the SQL logical server, and setting the server's public network access to Disabled ensures it is reachable only through that private path. For clients to use it, the server's FQDN must resolve to the private IP, which is what the privatelink.database.windows.net private DNS zone linked to the VNet provides. IP firewall rules still use the public endpoint, which remains internet-exposed. DDoS Protection mitigates volumetric attacks but does not restrict access to VNet-only paths. SQL on a VM adds management overhead compared to the PaaS Private Endpoint approach. Source: Check Source

Question #10 - Secure Compute, Storage, and Databases

A company stores sensitive financial data in Blob Storage. They need encryption with customer-controlled keys and the ability to revoke access by revoking the key.

Which encryption configuration should be implemented?

A) Customer-managed keys stored in Azure Key Vault with access policies controlled by the customer
B) Default Microsoft-managed encryption keys handled entirely by the Azure Storage platform
C) Client-side encryption using keys embedded directly within the application source code
D) No encryption applied to the storage account with network-level security isolation only

 

Correct answers: A – Explanation:
Customer-managed keys in Key Vault provide encryption with full customer control, including the ability to revoke data access by disabling the key or by removing the storage account's permission to the key (the storage account's managed identity must hold wrap and unwrap rights). Azure Storage uses envelope encryption, so the Key Vault key wraps the account's data encryption keys and losing access to it makes the data unreadable; for that reason Azure requires soft delete and purge protection on the vault before it can be used for customer-managed keys. Microsoft-managed keys do not allow customer-controlled key revocation or lifecycle management. Client-side keys embedded in source code create a severe security vulnerability if the code is accessed. No encryption leaves financial data readable to anyone who gains storage access regardless of network controls. Source: Check Source
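Posture checks for the two data-plane controls in Questions #9 and #10: is the SQL server really private-only, and is the storage account really on a revocable customer-managed key. This is an added example, not code from the page or from Microsoft; the resource documents are constructed to resemble trimmed output of `az sql server show`, `az storage account show` and `az keyvault show`, and the exact property names are assumptions to verify against live CLI or ARM output before wiring the checks into a pipeline.

```python
"""Configuration checks for private-only Azure SQL and CMK-encrypted storage (added example)."""

# Constructed resource documents, shaped like trimmed `az ... show` output.
GOOD_SQL_SERVER = {
    "name": "sql-finance-prod",
    "publicNetworkAccess": "Disabled",
    "privateEndpointConnections": [
        {"properties": {
            "privateEndpoint": {"id": "/subscriptions/.../privateEndpoints/pe-sql-finance"},
            "privateLinkServiceConnectionState": {"status": "Approved"},
        }},
    ],
}

GOOD_STORAGE = {
    "name": "stfinanceprod",
    "identity": {"type": "UserAssigned"},
    "allowBlobPublicAccess": False,
    "encryption": {
        "keySource": "Microsoft.Keyvault",
        "keyVaultProperties": {
            "keyName": "blob-cmk",
            "keyVaultUri": "https://kv-finance.vault.azure.net/",
            "keyVersion": "",          # empty version: storage follows the latest key version
        },
    },
}

GOOD_KEY_VAULT = {
    "name": "kv-finance",
    "properties": {"enableSoftDelete": True, "enablePurgeProtection": True, "enableRbacAuthorization": True},
}


def check_sql_private_only(server):
    """Findings for a SQL logical server that should be reachable only via Private Link."""
    findings = []
    if server.get("publicNetworkAccess") != "Disabled":
        findings.append("public network access is enabled; IP firewall rules still expose the public endpoint")
    approved = [c for c in server.get("privateEndpointConnections", [])
                if c["properties"]["privateLinkServiceConnectionState"]["status"] == "Approved"]
    if not approved:
        findings.append("no approved private endpoint; disabling public access would cut off every client")
    return findings


def check_storage_cmk(account, vault):
    """Findings for a storage account whose data must stay revocable through Key Vault."""
    findings = []
    enc = account.get("encryption", {})
    if enc.get("keySource") != "Microsoft.Keyvault":
        findings.append("platform-managed keys in use; customer cannot revoke")
    else:
        kv = enc.get("keyVaultProperties", {})
        if not kv.get("keyName") or not kv.get("keyVaultUri"):
            findings.append("CMK selected but key name or vault URI missing")
        if account.get("identity", {}).get("type", "None") == "None":
            findings.append("no managed identity; storage cannot wrap or unwrap with the key")
    props = vault.get("properties", {})
    if not (props.get("enableSoftDelete") and props.get("enablePurgeProtection")):
        findings.append("vault lacks soft delete or purge protection; required for CMK and for safe revocation")
    if account.get("allowBlobPublicAccess", True):
        findings.append("anonymous blob access allowed")
    return findings


if __name__ == "__main__":
    print("sql:", check_sql_private_only(GOOD_SQL_SERVER) or "OK")
    print("storage:", check_storage_cmk(GOOD_STORAGE, GOOD_KEY_VAULT) or "OK")
```

Revocation is then a single, reversible step, disabling the key in Key Vault, rather than deleting it; with purge protection on the vault a mistaken deletion can also be undone within the retention window.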

Get 789+ more questions with source-linked explanations

Every answer traces to the exact Microsoft documentation page — so you learn from the source, not just memorize answers.

Exam mode & learn mode · Score by objective · Updated 16-Apr-26


What the AZ-500 Azure Security Engineer Associate exam measures

  • Manage Identity and Access (25–30%) — Microsoft Entra ID features such as Conditional Access, Entra ID Protection, Privileged Identity Management, lifecycle and access governance, and Azure RBAC, tested through scenario-based questions like those above.
  • Secure Networking (20–25%) — Network Security Groups, Azure Firewall and its application rules and threat intelligence, Private Link and private endpoints, and DDoS Protection.
  • Secure Compute, Storage, and Databases (20–25%) — Azure Key Vault, customer-managed keys for storage, private connectivity for Azure SQL, and the network and encryption settings of compute and data services.
  • Manage Security Operations (25–30%) — Microsoft Defender for Cloud and Defender XDR, Microsoft Sentinel analytics rules written in KQL, and automated response with playbooks and automation rules.

  • Review the official exam guide to understand every objective and domain weight before you begin studying
  • Complete the relevant Microsoft Learn learning path to build a structured foundation across all exam topics
  • Get hands-on practice in an Azure free-tier sandbox or trial environment to reinforce what you have studied with real configurations
  • Apply your knowledge through real-world project experience — whether at work, in volunteer roles, or contributing to open-source initiatives
  • Master one objective at a time, starting with the highest-weighted domain to maximize your score potential early
  • Use PowerKram learn mode to study by individual objective and review detailed explanations for every question
  • Switch to PowerKram exam mode to simulate the real test experience with randomized questions and timed conditions


Microsoft provides comprehensive free training to prepare for the AZ-500 Azure Security Engineer Associate exam. Start with the official Microsoft Learn learning path for structured, self-paced modules covering every exam domain. Review the exam study guide for the complete skills outline and recent updates.
