Microsoft AZ-500 Online Practice
Questions and Exam Preparation
AZ-500 Exam Details
Exam Code
:AZ-500
Exam Name
:Microsoft Azure Security Technologies
Certification
:Microsoft Certifications
Vendor
:Microsoft
Total Questions
:626 Q&As
Last Updated
:Jul 12, 2026
Microsoft AZ-500 Online Questions &
Answers
Question 91:
HOTSPOT
You have an Azure subscription that contains the virtual networks shown in the following table.
The subscription contains the virtual machines shown in the following table.
You have a storage account named contoso2024 that contains the following resources:
4. A container named Container1 that contains a file named File1
5. A file share named Share1 that contains a file named File2
You create a private endpoint for contoso2024 as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Question 92:
You have an Azure subscription that uses Microsoft Defender.
You enable the CIS Microsoft Azure Foundations Benchmark v2.0.0 built-in to the subscription.
You need to ensure that when users attempt to assign custom role-based access control (RBAC) roles, they receive a custom error message that includes a link to an internal website. The solution must minimize the impact on other policies.
What should you configure?
A. the effect of the policy B. the remediation task of the policy C. a policy-specific non-compliance message D. the default non-compliance message of the built-in
C. a policy-specific non-compliance message
Question 93:
HOTSPOT
You have an Azure key vault named KeyVault1 that contains the items shown in the following table.
In KeyVault, the following events occur in sequence:
1. Item1 is deleted
2. Administrator enables soft delete
3. Item2 and Policy1 are deleted.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Box1: No
Policies cannot be recovered.
Box2: Soft delete is enabled by default on all key vaults. You cannot add a new key named Item1 because an object named Item1 exists in a soft-deleted state.
Box3: Soft delete is now enabled by default on all key vaults so you can recover Item2.
You have an Azure subscription that contains a web app named App1. App1 provides users with product images and videos. Users access App1 by using a URL of HTTPS://app1.contoso.com.
You deploy two server pools named Pool1 and Pool2. Pool1 hosts product images. Pool2 hosts product videos.
You need to optimize the performance of App1. The solution must meet the following requirements:
1. Minimize the performance impact of TLS connections on Pool1 and Pool2.
2. Route user requests to the server pools based on the requested URL path.
What should you include in the solution?
A. Azure Bastion B. Azure Front Door C. Azure Traffic Manager D. Azure Application Gateway
D. Azure Application Gateway
Explanation
With an Application Gateway behind Front Door, one can achieve 100% TLS/SSL offload and route only HTTP requests within their virtual network (VNET).
Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Traditional load balancers operate at the transport layer (OSI layer 4 - TCP and UDP) and route traffic based on source IP address and port, to a destination IP address and port.
Application Gateway can make routing decisions based on additional attributes of an HTTP request, for example URI path or host headers.
Note: When should we deploy an Application Gateway behind Front Door?
The key scenarios why one should use Application Gateway behind Front Door are:
Front Door can perform path-based load balancing only at the global level but if one wants to load balance traffic even further within their virtual network (VNET) then they should use Application Gateway.
Since Front Door doesn't work at a VM/container level, so it can't do Connection Draining. However, Application Gateway allows you to do Connection Draining.
With an Application Gateway behind Front Door, one can achieve 100% TLS/SSL offload and route only HTTP requests within their virtual network (VNET).
Front Door and Application Gateway both support session affinity. While Front Door can direct subsequent traffic from a user session to the same cluster or backend in a given region, Application Gateway can direct affinitize the traffic to the same server within the cluster.
Incorrect:
* Azure Application Gateway
What is the difference between Azure Front Door and Azure Application Gateway?
While both Front Door and Application Gateway are layer 7 (HTTP/HTTPS) load balancers, the primary difference is that Front Door is a nonregional service whereas Application Gateway is a regional service. While Front Door can load balance between your different scale units/clusters/stamp units across regions, Application Gateway allows you to load balance between your VMs/containers etc. that is within the scale unit.
* Azure Front Door
Azure Front Door supports dynamic site acceleration (DSA), TLS/SSL offloading and end to end TLS, Web Application Firewall, cookie-based session affinity, url path-based routing, free certificates and multiple domain managements, and many other features.
You have an Azure subscription that contains a user named User1 and a storage account named storage 1. The storage1 account contains the resources shown in the following table:
User1 is assigned the following roles for storage1:
1. Storage Blob Data Reader
2. Storage Table Data Contributor
3. Storage File Data SMB Share Reader
Question 96:
You have an Azure subscription.
You create an Azure web app named Contoso1812 that uses an S1 App service plan.
You create a DNS record for www.contoso.com that points to the IP address of Contoso1812.
You need to ensure that users can access Contoso1812 by using the https://www.contoso.comURL.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Turn on the system-assigned managed identity for Contoso1812. B. Add a hostname to Contoso1812. C. Scale out the App Service plan of Contoso1812. D. Add a deployment slot to Contoso1812. E. Scale up the App Service plan of Contoso1812. F. Upload a PFX file to Contoso1812
B. Add a hostname to Contoso1812. F. Upload a PFX file to Contoso1812
Explanation
B: You can configure Azure DNS to host a custom domain for your web apps. For example, you can create an Azure web app and have your users access it using either www.contoso.com or contoso.com as a fully qualified domain name (FQDN).
To do this, you have to create three records:
A root "A" record pointing to contoso.com
A root "TXT" record for verification
A "CNAME" record for the www name that points to the A record
F: To use HTTPS, you need to upload a PFX file to the Azure Web App. The PFX file will contain the SSL certificate required for HTTPS.
A user named Debbie has the Azure app installed on her mobile device.
You need to ensure that [email protected] is alerted when a resource lock is deleted.
To complete this task, sign in to the Azure portal.
A. See the explanation below.
A. See the explanation below.
Explanation
You need to configure an alert rule in Azure Monitor.
1. Type Monitor into the search box and select Monitor from the search results.
2. Click on Alerts.
3. Click on +New Alert Rule.
4. In the Scope section, click on the Select resource link.
5. In the Filter by resource type box, type locks and select Management locks (locks) from the filtered results.
6. Select the subscription then click the Done button.
7. In the Condition section, click on the Select condition link.
8. Select the Delete management locks condition the click the Done button.
9. In the Action group section, click on the Select action group link.
10.Click the Create action group button to create a new action group.
11.Give the group a name such as Debbie Mobile App (it doesn't matter what name you enter for the exam) then click the Next: Notifications > button.
12.In the Notification type box, select the Email/SMS message/Push/Voice option. 13.In the Email/SMS message/Push/Voice window, tick the Azure app Push Notifications checkbox and enter and enter [email protected] in the Azure account email field. 14.Click the OK button to close the window. 15.Enter a name such as Debbie Mobile App in the notification name box. 16.Click the Review & Create button then click the Create button to create the action group. 17.Back in the Create alert rule window, in the Alert rule details section, enter a name such as Management lock deletion in the Alert rule name field. 18.Click the Create alert rule button to create the alert rule.
Question 98:
You have an Azure subscription that contains several Azure SQL databases and an Azure Sentinel workspace.
You need to create a saved query in the workspace to find events reported by Advanced Threat Protection for Azure SQL Database.
What should you do?
A. From Azure CLI run the Get-AzOperationalInsightsworkspace cmdlet. B. From the Azure SQL Database query editor, create a Transact-SQL query. C. From the Azure Sentinel workspace, create a Custom query languages query. D. From Microsoft SQL Server Management Studio (SSMS), create a Transact-SQL query.
C. From the Azure Sentinel workspace, create a Custom query languages query.
Question 99:
You have an Azure subscription that contains the resources shown in the following table.
You plan to deploy an Azure Private Link service named APL1.
Which resource must you reference during the creation of APL1?
A. VMSS1 B. VM1 C. SQL D. LB1
D. LB1
Question 100:
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.
You create and enforce an Azure AD Identity Protection user risk policy that has the following settings:
1. Assignment: Include Group1, Exclude Group2
2. Conditions: Sign-in risk of Medium and above
3. Access: Allow access, Require password change
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Box 1: Yes
User1 is member of Group1. Sign in from unfamiliar location is risk level Medium.
Box 2: Yes
User2 is member of Group1. Sign in from anonymous IP address is risk level Medium.
Box 3: No
Sign-ins from IP addresses with suspicious activity is low.
Note:
Azure AD Identity protection can detect six types of suspicious sign-in activities: Users with leaked credentials
Sign-ins from anonymous IP addresses
Impossible travel to atypical locations
Sign-ins from infected devices
Sign-ins from IP addresses with suspicious activity
Sign-ins from unfamiliar locations
These six types of events are categorized in to 3 levels of risks - High, Medium&; Low
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Microsoft exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your AZ-500 exam preparations
and Microsoft certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.