Microsoft AZ-500 Online Practice
Questions and Exam Preparation
AZ-500 Exam Details
Exam Code
:AZ-500
Exam Name
:Microsoft Azure Security Technologies
Certification
:Microsoft Certifications
Vendor
:Microsoft
Total Questions
:626 Q&As
Last Updated
:Jul 12, 2026
Microsoft AZ-500 Online Questions &
Answers
Question 181:
SIMULATION
You need to deploy an Azure firewall to a virtual network named VNET3.
To complete this task, sign in to the Azure portal and modify the Azure resources.
This task might take several minutes to complete. You can perform other tasks while the task completes.
A. See the explanation below.
A. See the explanation below.
Explanation
To add an Azure firewall to a VNET, the VNET must first be configured with a subnet named AzureFirewallSubnet (if it doesn't already exist).
Configure VNET3.
1. In the Azure portal, type Virtual Networks in the search box, select Virtual Networks from the search results then select VNET3. Alternatively, browse to Virtual Networks in the left navigation pane.
2. In the Overview section, note the Location (region) and Resource Group of the virtual network. We'll need these when we add the firewall.
3. Click on Subnets.
4. Click on + Subnet to add a new subnet.
5. Enter AzureFirewallSubnet in the Name box. The subnet must be named AzureFirewallSubnet.
6. Enter an appropriate IP range for the subnet in the Address range box.
7. Click the OK button to create the subnet.
Add the Azure Firewall.
1. In the settings of VNET3 click on Firewall.
2. Click the Click here to add a new firewall link.
3. The Resource group will default to the VNET3 resource group. Leave this default.
4. Enter a name for the firewall in the Name box.
5. In the Region box, select the same region as VNET3.
6. In the Public IP address box, select an available public IP address if one exists, or click Add new to add a new public IP address.
7. Click the Review + create button.
8. Review the settings and click the Create button to create the firewall.
You have an Azure subscription that contains a user named UseR1.
You need to ensure that UseR1 can perform the following tasks:
1. Create groups.
2. Create access reviews for role-assignable groups.
3. Assign Azure AD roles to groups.
The solution must use the principle of least privilege.
Which role should you assign to User1?
A. Groups administrator B. Authentication administrator C. Identity Governance Administrator D. Privileged role administrator
D. Privileged role administrator
Explanation
Privileged Role Administrator
Users with this role can manage role assignments in Azure Active Directory, as well as within Azure AD Privileged Identity Management. They can create and manage groups that can be assigned to Azure AD roles. In addition, this role allows management of all aspects of Privileged Identity Management and administrative units.
Incorrect:
* Identity Governance Administrator
Users with this role can manage Azure AD identity governance configuration, including access packages, access reviews, catalogs and policies, ensuring access is approved and reviewed and guest users who no longer need access are removed.
You have an Azure subscription that contains the resources shown in the following table.
Transparent Data Encryption (TDE) is disabled on SQL1.
You assign policies to the resource groups as shown in the following table.
You plan to deploy Azure SQL databases by using an Azure Resource Manager (ARM) template. The databases will be configured as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Your on-premises network contains a Hyper-V virtual machine named VM1.
You need to use Azure Arc to onboard VM1 to Microsoft Defender for Cloud.
What should you install first?
A. the guest configuration agent B. the Azure Monitor agent C. the Log Analytics agent D. the Azure Connected Machine agent
C. the Log Analytics agent
Explanation
Add non-Azure machines with Azure Arc
The preferred way of adding your non-Azure machines to Microsoft Defender for Cloud is with Azure Arc-enabled servers.
A machine with Azure Arc-enabled servers becomes an Azure resource and - when you've installed the Log Analytics agent on it - appears in Defender for Cloud with recommendations like your other Azure resources.
Note: Defender for Cloud can monitor the security posture of your non-Azure computers, but first you need to connect them to Azure.
You can connect your non-Azure computers in any of the following ways:
Using Azure Arc-enabled servers (recommended)
From Defender for Cloud's pages in the Azure portal (Getting started and Inventory)
Note: This question is part of a series of questions that present the same scenario.
Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure environment. You need to create a new Azure virtual machine from a tablet that runs the Android operating system.
Solution: You use the PowerApps portal.
Does this meet the goal?
A. Yes B. No
B. No
Explanation
PowerApps lets you quickly build business applications with little or no code. It is not used to create Azure virtual machines. Therefore, this solution does not meet the goal. PowerApps Portals allow organizations to create websites which can be shared with users external to their organization either anonymously or through the login provider of their choice like LinkedIn, Microsoft Account, other commercial login providers.
You need to deploy Microsoft Antimalware to meet the platform protection requirements.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Question 187:
You have an Azure subscription that contains an Azure key vault named Vault1.
In Vault1, you create a secret named Secret1.
An application developer registers an application in Azure Active Directory (Azure AD).
You need to ensure that the application can use Secret1.
What should you do?
A. In Azure AD, create a role. B. In Azure Key Vault, create a key. C. In Azure Key Vault, create an access policy. D. In Azure AD, enable Azure AD Application Proxy.
C. In Azure Key Vault, create an access policy.
Explanation
Azure Key Vault provides a way to securely store credentials and other keys and secrets, but your code needs to authenticate to Key Vault to retrieve them. Managed identities for Azure resources overview makes solving this problem simpler, by giving Azure services an automatically managed identity in Azure Active Directory (Azure AD). You can use this identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without having any credentials in your code.
Example: How a system-assigned managed identity works with an Azure VM
After the VM has an identity, use the service principal information to grant the VM access to Azure resources. To call Azure Resource Manager, use role-based access control (RBAC) in Azure AD to assign the appropriate role to the VM service principal. To call Key Vault, grant your code access to the specific secret or key in Key Vault.
You plan to implement Azure DDoS Protection. The solution must meet the following requirement:
1. Provide access to DDoS rapid response support during active attacks.
2. Project Basic SKU public IP addresses.
You need to recommend which type of DDoS projection to use for each requirement.
What should you recommend? To answer, drag the appropriate DDoS projection types to the correct requirements. Each DDoS Projection type may be used once, or not at all. You may need to drag the split bar between panes or scroll to view connect.
NOTE: Each correct selection is worth one point.
Select and Place:
Question 189:
You have an Azure subscription that contains a resource group named RG1 and the network security groups (NSGs) shown in the following table.
You create the Azure policy shown in the following exhibit.
You assign the policy to RG1.
What will occur if you assign the policy to NSG1 and NSG2?
A. Flow logs will be enabled for NSG1 and NSG2. B. Flow logs will be enabled for NSG2 only. C. Flow logs will be disabled for NSG1 and NSG2. D. Flow logs will be enabled for NSG1 only.
B. Flow logs will be enabled for NSG2 only.
Question 190:
HOTSPOT
You have the Azure Information Protection labels as shown in the following table.
You have the Azure Information Protection policies as shown in the following table.
You need to identify how Azure Information Protection will label files.
What should you identify? To answer, select the appropriate options in the answer area.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Microsoft exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your AZ-500 exam preparations
and Microsoft certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.