Microsoft Azure AZ-500 Exam Questions 2025

Our AZ-500 Exam Questions provide authentic, up-to-date content for the Microsoft Certified: Azure Security Engineer Associate certification. Each question is reviewed by certified Microsoft professionals and includes verified answers with clear explanations to enhance your understanding of Azure security, threat management, and cloud protection. With access to our exam simulator, you can practice in a real exam environment and confidently prepare to pass on your first attempt.

Exam Questions

Question 1

You have an Azure Active Directory (Azure AD) tenant that contains a group named Group1. You need to ensure that the members of Group1 sign in by using passwordless authentication. What should you do?
Options
A: Configure the Microsoft Authenticator authentication method policy.
B: Configure the certificate-based authentication (CBA) policy.
C: Configure the sign-in risk policy.
D: Create a Conditional Access policy.
Show Answer
Correct Answer:
Configure the Microsoft Authenticator authentication method policy.
Explanation
To enable passwordless authentication for a specific group using the Microsoft Authenticator app, an administrator must configure the corresponding authentication method policy. This policy, found under Authentication methods in Azure AD, lets administrators enable the method, target specific users or groups (such as Group1), and set the "Authentication mode" for those targets to "Passwordless". This is the foundational step that allows members of Group1 to register their phones and use them for passwordless sign-in. Note that enabling the method permits passwordless sign-in; it does not by itself block password sign-in for the group, which is why a Conditional Access authentication strength is the usual follow-up when passwordless must be the only accepted option.
Why Incorrect Options are Wrong

B. Configure the certificate-based authentication (CBA) policy.

Certificate-based authentication is also a passwordless method, but it relies on X.509 certificates issued by a trusted CA rather than on the Microsoft Authenticator app, and its policy has no per-group "Passwordless" authentication mode. The exam key treats the Authenticator method policy as the intended answer for this scenario.

C. Configure the sign-in risk policy.

This policy is part of Azure AD Identity Protection and is used to enforce controls based on the calculated risk of a sign-in, not to mandate a specific authentication method.

D. Create a Conditional Access policy.

While a Conditional Access policy can enforce the use of a passwordless method by requiring a specific authentication strength, the method itself must first be enabled and configured for the target group via its own policy.

References

1. Microsoft Entra documentation, "Enable passwordless sign-in with Microsoft Authenticator": This document outlines the precise steps. In the "Enable the passwordless authentication method" section, it states: "Browse to Protection > Authentication methods > Policies. Under Microsoft Authenticator, choose the following options: ... Target - All users or Select users. ... For users in the target group(s), set Authentication mode to Passwordless." This directly corresponds to option A.

Source: Microsoft Learn, learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-authentication-passwordless-phone

2. Microsoft Entra documentation, "Manage authentication methods for Azure AD": This document explains the role of authentication method policies. It states, "You can manage the authentication methods used in your Azure AD tenant from the Authentication methods policy... The policy has settings for each method that let you control how it's used." This confirms that the method policy is the correct place for this configuration.

Source: Microsoft Learn, learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods-manage

3. Microsoft Entra documentation, "Conditional Access: Authentication strength": This source clarifies the role of Conditional Access, which is to require a certain level of authentication. It states, "Authentication strength allows administrators to specify which combination of authentication methods can be used to access a resource." This shows it's an enforcement tool, secondary to enabling the method itself as described in option A.

Source: Microsoft Learn, learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-authentication-strengths
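The per-group "Authentication mode" described above is what the Microsoft Graph resource behind the portal blade stores. The following is an added example (not code from the original page or from Microsoft) that builds the PATCH body for the MicrosoftAuthenticator method configuration and then evaluates whether a given user ends up with a passwordless mode, including the state check and the exclusion rule. The group ID, user ID, membership table and the tie-break between overlapping include targets are constructed assumptions for the example.

```python
"""Microsoft Authenticator method policy: build it and evaluate it for a user.

Added example, not from the original page or from Microsoft. It models the
Microsoft Graph resource
  /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
whose includeTargets carry an `authenticationMode` of "deviceBasedPush"
(the portal's "Passwordless"), "push", or "any". Group and user IDs and the
membership lookup below are constructed for the example.
"""
from typing import Optional

# Constructed identifiers: Group1 and a user who is a member of it.
GROUP1_ID = "11111111-1111-1111-1111-111111111111"
USER1_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
MEMBERSHIP = {USER1_ID: {GROUP1_ID}}  # user -> set of group IDs (constructed)

PASSWORDLESS_MODES = {"deviceBasedPush", "any"}  # modes that permit passwordless sign-in


def authenticator_policy_for_group(group_id: str) -> dict:
    """Body for PATCH .../authenticationMethodConfigurations/MicrosoftAuthenticator
    that enables the method and targets one group in passwordless mode."""
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "state": "enabled",
        "includeTargets": [
            {
                "targetType": "group",
                "id": group_id,
                "isRegistrationRequired": False,
                "authenticationMode": "deviceBasedPush",  # portal label: Passwordless
            }
        ],
        "excludeTargets": [],
    }


def _targets_user(target: dict, user_id: str) -> bool:
    """Does one include/exclude target apply to this user?
    The special group id "all_users" is how the policy expresses 'All users'."""
    if target["targetType"] == "user":
        return target["id"] == user_id
    if target["targetType"] == "group":
        return target["id"] == "all_users" or target["id"] in MEMBERSHIP.get(user_id, set())
    return False


def effective_mode(config: dict, user_id: str) -> Optional[str]:
    """Return the authentication mode the policy grants this user, or None if the
    method is disabled, the user is excluded, or the user is not targeted."""
    if config.get("state") != "enabled":
        return None
    if any(_targets_user(t, user_id) for t in config.get("excludeTargets", [])):
        return None  # exclusions win over inclusions
    modes = [t["authenticationMode"] for t in config.get("includeTargets", [])
             if _targets_user(t, user_id)]
    if not modes:
        return None
    # Assumption for this example: when several include targets match, the most
    # permissive mode applies.
    if "any" in modes:
        return "any"
    return "deviceBasedPush" if "deviceBasedPush" in modes else "push"


def can_sign_in_passwordless(config: dict, user_id: str) -> bool:
    """True only when the user's effective mode allows passwordless sign-in."""
    return effective_mode(config, user_id) in PASSWORDLESS_MODES


if __name__ == "__main__":
    policy = authenticator_policy_for_group(GROUP1_ID)
    print("User1 passwordless:", can_sign_in_passwordless(policy, USER1_ID))
```

Running the checker against a policy whose target mode is "push" rather than "deviceBasedPush" is the quickest way to see the difference between "Authenticator enabled" and "passwordless enabled" for a group.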

Question 2

HOTSPOT. You have an Azure subscription that contains a user named User1 and a storage account named storage1. The storage1 account contains the resources shown in the following table (table not reproduced). User1 is assigned the following roles for storage1:

• Storage Blob Data Reader

• Storage Table Data Contributor

• Storage File Data SMB Share Reader

(answer-area exhibit not reproduced; the statements are restated below)

Show Answer
Correct Answer:

Statement 1: On October 1, 2022, if User1 accesses folder1 by using SAS1, he can delete the files in folder1.

  • Correct answer: Yes

Statement 2: On October 1, if User1 maps folder1 as a network drive by using his Azure Active Directory (Azure AD) credentials, he can delete the files in folder1.

  • Correct answer: No

Statement 3: On October 1, User1 can delete the rows in table1 by using SAS1.

  • Correct answer: Yes


Explanation

(Yes) The first statement is correct. A shared access signature (SAS) token carries its own grant; the roles assigned to the caller play no part when a request is authorized with a SAS. Since SAS1 grants the Delete (d) permission for the File service and its validity window covers October 1, 2022, it can be used to delete files in folder1 even though User1's own role on file shares is read-only.

(No) The second statement is incorrect. When a share is mounted with Azure AD credentials, the share-level grant comes from the user's RBAC roles. User1 holds Storage File Data SMB Share Reader, which only grants read access. Share-level permission acts as the ceiling: even where Windows ACLs on the share would allow deletion, the effective rights cannot exceed what the share-level role grants. Deleting files would require a role with write/delete permission, such as Storage File Data SMB Share Contributor.

(Yes) The third statement is correct. Similar to the first statement, the permissions granted by SAS1 are key. The SAS token allows Delete permissions for the Table service and is valid on the specified date. Therefore, it can be used to delete rows (entities) from table1.

References

Microsoft Documentation, "Grant limited access to Azure Storage resources using shared access signatures (SAS)": This document specifies the permissions available for a service SAS. For the File service, the d permission allows for the deletion of a file. For the Table service, the d permission allows for the deletion of an entity. This supports the reasoning for statements 1 and 3.

Microsoft Documentation, "Assign share-level permissions": This document outlines the built-in RBAC roles for Azure Files. It explicitly states that the Storage File Data SMB Share Reader role provides "read access to files and directories in Azure file shares." It does not include delete permissions, which supports the reasoning for statement 2.

Microsoft Documentation, "Authorize access to tables using Azure Active Directory": This resource details the RBAC roles for Table storage. It lists the Storage Table Data Contributor role, which User1 has, granting read, write, and delete permissions via Azure AD. However, statement 3 specifically asks about access using SAS1, making the SAS token's permissions the deciding factor.

Question 3

You have an Azure subscription that contains a web app named App1. Users must be able to select between a Google identity or a Microsoft identity when authenticating to App1. You need to add Google as an identity provider in Azure AD. Which two pieces of information should you configure? Each correct answer presents part of the solution.

Options
A: a tenant name
B: a tenant ID
C: the endpoint URL of an application
D: a client ID
E: a client secret

Show Answer
Correct Answer:
D. a client ID, E. a client secret
Explanation
To federate Azure Active Directory (Azure AD) with Google for user authentication, you must register your application with Google's identity platform. This is done through the Google API Console. During this registration process, Google provides two critical pieces of information: a Client ID and a Client Secret. The Client ID is a public identifier for your application. The Client Secret is a confidential value known only to your application and Google. Both are required in the Azure AD identity provider configuration to establish a secure OAuth 2.0 trust relationship, allowing Azure AD to delegate authentication requests to Google and securely receive identity tokens.
Why Incorrect Options are Wrong

A. A tenant name is the domain name for your Azure AD instance (e.g., contoso.onmicrosoft.com) and is not part of the Google federation configuration.

B. A tenant ID is the unique identifier (GUID) for your Azure AD tenant and is not a value provided by or configured for Google federation.

C. The endpoint URL, specifically the redirect URI, is a value from Azure AD that you configure in the Google API Console, not a value you receive from Google to configure in Azure.

References

1. Microsoft Learn: Add Google as an identity provider for B2B guest users. In "Step 3: Configure Google federation in Azure AD," the instructions state: "In the Client ID box, paste the client ID you copied earlier. In the Client secret box, paste the client secret you copied earlier." This confirms that the Client ID and Client Secret obtained from Google are the required configuration values.

2. Microsoft Learn: Tutorial: Add an identity provider to your Azure Active Directory B2C tenant. In the section "Configure Google as an identity provider," the steps require you to "Enter the Client ID of the Google application that you created earlier" and "Enter the Client secret that you recorded." This demonstrates the same requirement for Azure AD B2C scenarios.

Question 4

You have an Azure key vault named Vault1 that stores the resources shown in the following table (table not reproduced: Key1 is a key, Secret1 is a secret, and Cert1 is a certificate). Which resources support the creation of a rotation policy?
Options
A: Key1 Only
B: Cert1 only
C: Key1 and Secret1 only
D: Key1 and Cert1 only
E: Secret1 and Cert1 only
F: Key1, Secret1, and Cert1
Show Answer
Correct Answer:
Key1 and Secret1 only
Explanation
Azure Key Vault exposes a configurable rotation policy for keys: it generates a new key version on a schedule (a fixed time after creation or a fixed time before expiry), sets each new version's expiry, and can raise a notification event before expiry. Secrets have no rotation engine inside Key Vault itself; the documented pattern is to give the secret an expiry, let Key Vault publish a SecretNearExpiry event to Azure Event Grid, and have an Azure Function or Logic App regenerate the credential (for example a database password) and store the new version. The exam key counts that scheduled, event-driven setup as the secret's rotation policy. Certificates are renewed through Lifetime Actions in the certificate's Issuance Policy (for example, automatically renew at a given percentage of lifetime), which is a distinct mechanism from the feature named "rotation policy". Strictly speaking, the Key Vault REST API and CLI expose a rotation policy object (`az keyvault key rotation-policy`) only for keys, so expect this question to hinge on the study guide's wording rather than on the API surface.
Why Incorrect Options are Wrong

A. Key1 only: This is incorrect per the exam key, which also counts Secret1, whose scheduled rotation is driven by Key Vault's near-expiry events.

B. Cert1 only: This is incorrect. Certificate renewal is configured through the Issuance Policy's lifetime actions rather than a "rotation policy", and keys, the clearest case, are omitted.

D. Key1 and Cert1 only: This is incorrect per the exam key, because certificate renewal is an Issuance Policy lifetime action, not a rotation policy, and the key treats secrets as supporting rotation.

E. Secret1 and Cert1 only: This is incorrect because keys have a native rotation policy, and the certificate feature is named differently.

F. Key1, Secret1, and Cert1: This is incorrect because the feature named "rotation policy" applies to keys and, per the exam key, secrets, not to certificates.

References

1. Microsoft Documentation - Configure key auto-rotation in Azure Key Vault: "Azure Key Vault automates the rotation of keys in a key vault. When you configure a key rotation policy, you can customize the rotation frequency." (Section: "Key rotation policy")

2. Microsoft Documentation - Automate the rotation of a secret for resources that use one set of authentication credentials: This tutorial describes the secret rotation pattern in which the secret is given an expiry, Key Vault publishes a near-expiry event to Event Grid, and an Azure Function regenerates the credential and stores it as a new secret version. It is this scheduled setup that the exam key treats as the secret's rotation policy.

3. Microsoft Documentation - Tutorial: Configure certificate auto-rotation in Key Vault: "To configure certificate auto-rotation... 3. Select the Issuance Policy tab... 4. Set the Lifetime Action Type to Automatically renew at a given percentage lifetime." (Section: "Create a certificate in Key Vault") This reference demonstrates that certificate lifecycle management uses an "Issuance Policy" and "Lifetime Actions," distinguishing it from the "rotation policy" of keys and secrets.
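To make the key rotation policy concrete, the following added example (not code from the original page or from Microsoft) builds a policy body in the shape Key Vault's REST API and `az keyvault key rotation-policy update` accept, parses the ISO 8601 durations it uses, and computes the rotate, notify and expiry dates a key version would get. It also performs the check that matters in practice: a rotation trigger that lands after the version's expiry leaves a window with no valid key. The durations, the creation date and the year/month approximation in the parser are assumptions for the example.

```python
"""Key Vault key rotation policy: build it and compute the dates it produces.

Added example, not from the original page or from Microsoft. The policy shape
follows the documented Key Vault REST body for
  PUT {vaultUri}/keys/{name}/rotationpolicy?api-version=7.4
(`lifetimeActions` with `trigger.timeAfterCreate` or `trigger.timeBeforeExpiry`
and `action.type` Rotate or Notify, plus `attributes.expiryTime`). The durations
and the creation date below are constructed; the ISO 8601 parser handles the
P<n>Y / P<n>M / P<n>D forms Key Vault uses.
"""
import re
from datetime import datetime, timedelta, timezone

_DURATION = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?$")


def parse_iso_duration(value: str) -> timedelta:
    """Convert 'P90D', 'P1Y', 'P18M' and combinations into a timedelta.
    Years and months are approximated as 365 and 30 days (assumption for the example)."""
    m = _DURATION.match(value)
    if not m or value == "P":
        raise ValueError(f"unsupported duration: {value}")
    years, months, days = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=years * 365 + months * 30 + days)


def rotation_policy(rotate_after: str, expiry: str, notify_before: str = "P30D") -> dict:
    """Rotation policy: rotate `rotate_after` the version is created, give each new
    version a lifetime of `expiry`, and raise a Notify event `notify_before` expiry."""
    return {
        "lifetimeActions": [
            {"trigger": {"timeAfterCreate": rotate_after}, "action": {"type": "Rotate"}},
            {"trigger": {"timeBeforeExpiry": notify_before}, "action": {"type": "Notify"}},
        ],
        "attributes": {"expiryTime": expiry},
    }


def schedule(policy: dict, created: datetime) -> dict:
    """Dates the policy yields for a key version created at `created`."""
    expiry = created + parse_iso_duration(policy["attributes"]["expiryTime"])
    out = {"expires": expiry}
    for action in policy["lifetimeActions"]:
        trigger, kind = action["trigger"], action["action"]["type"].lower()
        if "timeAfterCreate" in trigger:
            out[kind] = created + parse_iso_duration(trigger["timeAfterCreate"])
        else:
            out[kind] = expiry - parse_iso_duration(trigger["timeBeforeExpiry"])
    return out


def rotates_before_expiry(policy: dict, created: datetime) -> bool:
    """Operational sanity check: a version whose rotation trigger lands after its
    expiry stops working before a new version exists."""
    dates = schedule(policy, created)
    return "rotate" in dates and dates["rotate"] < dates["expires"]


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper so dates in this example are unambiguous (UTC)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


if __name__ == "__main__":
    policy = rotation_policy("P90D", "P2Y")
    for name, when in schedule(policy, utc(2024, 1, 1)).items():
        print(f"{name:8} {when:%Y-%m-%d}")
    print("rotates before expiry:", rotates_before_expiry(policy, utc(2024, 1, 1)))
```

The JSON that `rotation_policy` returns is what you would write to a file and pass to `az keyvault key rotation-policy update --vault-name Vault1 --name Key1 --value @policy.json`.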

Question 5

You have an Azure subscription that contains a [...]. You need to grant user1 access to blob1. The solution must ensure that the access expires after six days. What should you use?
Options
A: a shared access policy
B: a shared access signature (SAS)
C: role-based access control (RBAC)
D: a managed identity
Show Answer
Correct Answer:
a shared access signature (SAS)
Explanation
A shared access signature (SAS) is the most appropriate solution for providing temporary, delegated access to a specific resource in Azure Storage. A SAS is a URI whose token is a set of query parameters that define the permissions granted (for example read), the resource being accessed (here blob1), and a validity interval with a mandatory expiry time. Setting the expiry six days out makes the access lapse on its own, which meets the requirement precisely. Two practitioner notes: prefer a user delegation SAS (signed with a key obtained through Azure AD) over one signed with the account key, and grant only the permission user1 needs. A SAS that is not tied to a stored access policy cannot be revoked before it expires except by rotating the key that signed it (or, for a user delegation SAS, revoking the user delegation keys).
Why Incorrect Options are Wrong

A. a shared access policy: The option refers to a stored access policy, which is defined on a container, file share, queue or table to centrally manage the start time, expiry and permissions of the service SAS tokens that reference it. It grants nothing by itself; a SAS is still required.

C. role-based access control (RBAC): RBAC grants permissions to identities (users, groups) but does not natively provide a simple, time-bound expiry mechanism. Outside Privileged Identity Management (which can make Azure resource role assignments eligible or time-limited), a role assignment persists until it is removed.

D. a managed identity: A managed identity is an identity for an Azure resource (like a VM or Function App) to authenticate to other services, not for granting access to an external user.

References

1. Microsoft Documentation, "Grant limited access to Azure Storage resources using shared access signatures (SAS)": "A shared access signature (SAS) provides secure delegated access to resources in your storage account. With a SAS, you have granular control over how a client can access your data. For example: ... How long the SAS is valid, including the start time and the expiry time." This document explicitly details the use of an expiry time as a core feature of SAS.

2. Microsoft Documentation, "Authorize access to data in Azure Storage": In the section "Authorize access with Azure AD", it describes RBAC for storage. In the section "Authorize access with a shared access signature", it states, "A SAS gives you granular control over how a client can access your data. You can specify which permissions the client has and for how long the SAS is valid." This highlights the specific use case for time-limited access.

3. Microsoft Documentation, "What are managed identities for Azure resources?": "Managed identities for Azure resources is a feature of Azure Active Directory... Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication." This confirms managed identities are for resources, not for granting access to users like user1.

4. Microsoft Documentation, "Define a stored access policy": "A stored access policy provides an additional level of control over service-level shared access signatures (SAS) on the server side... You can use a stored access policy to change the start time, expiry time, or permissions for a signature". This clarifies that the policy is a management layer for SAS, not the access mechanism itself.
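Question 2 turns on the fact that a SAS grant is evaluated on its own terms (permission letters, services, validity window) and not on the caller's RBAC roles, and Question 5 turns on the expiry parameter. The following added example (not code from the original page or from Microsoft) covers both: it parses the documented SAS query parameters and answers "is this operation allowed at this time", compares that with what the share-level and table RBAC roles grant, and builds the unsigned parameter set for a six-day service SAS on a blob. SAS1's contents, the dates, the role-to-permission mapping and the placeholder `sig` value are assumptions; computing a real `sig` requires the account key or a user delegation key and is deliberately left out.

```python
"""Shared access signature (SAS) authorization versus Azure RBAC.

Added example, not code from the original page or from Microsoft. It parses the
documented SAS query parameters (sp = permissions, ss = services for an account
SAS, sr = resource for a service SAS, st/se = validity window) and evaluates an
operation against them, then does the same for RBAC roles. The SAS1 token, the
dates and the role mapping are constructed; `sig` is a placeholder, since a real
signature needs the account key or a user delegation key.
"""
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional
from urllib.parse import parse_qs, urlencode

# Constructed account SAS resembling SAS1: file + table services, read/write/delete/list,
# valid for October 2022. `sig` is a placeholder, not a real signature.
SAS1 = ("sv=2021-06-08&ss=ft&srt=sco&sp=rwdl"
        "&st=2022-09-30T00:00:00Z&se=2022-10-31T00:00:00Z&spr=https&sig=PLACEHOLDER")

# Built-in role -> service -> permission letters, reduced to the SAS letters
# (r read, l list, a add, u update, w write, d delete). Constructed mapping.
ROLE_PERMISSIONS = {
    "Storage Blob Data Reader": {"blob": "rl"},
    "Storage Table Data Contributor": {"table": "raud"},
    "Storage File Data SMB Share Reader": {"file": "rl"},
}

_TS = "%Y-%m-%dT%H:%M:%SZ"


def utc(ts: str) -> datetime:
    """Parse the UTC timestamp format SAS parameters use."""
    return datetime.strptime(ts, _TS).replace(tzinfo=timezone.utc)


def _params(sas: str) -> dict:
    # Accept either a full URL or just the query string.
    return {k: v[0] for k, v in parse_qs(sas.split("?", 1)[-1]).items()}


def sas_allows(sas: str, service: str, permission: str, when: datetime) -> bool:
    """True if the SAS grants `permission` (one sp letter) on `service`
    ('b' blob, 'f' file, 'q' queue, 't' table) at time `when`.
    The caller's RBAC roles play no part in this decision."""
    q = _params(sas)
    if "se" not in q or when >= utc(q["se"]):
        return False                              # expired, or no expiry at all
    if "st" in q and when < utc(q["st"]):
        return False                              # not yet valid
    if "ss" in q and service not in q["ss"]:
        return False                              # account SAS: service not covered
    return permission in q.get("sp", "")


def rbac_allows(roles: Iterable[str], service: str, permission: str) -> bool:
    """True if any assigned role grants the permission letter on the service."""
    return any(permission in ROLE_PERMISSIONS.get(r, {}).get(service, "") for r in roles)


def service_sas_for_blob(account: str, container: str, blob: str, days: int,
                         permissions: str = "r", now: Optional[datetime] = None) -> str:
    """Blob URL carrying a service SAS that expires `days` from `now`.
    Unsigned: the real `sig` is an HMAC-SHA256 over the string-to-sign, which this
    example does not compute."""
    now = (now or datetime.now(timezone.utc)).replace(microsecond=0)
    params = {
        "sv": "2021-06-08",
        "sr": "b",                                # resource: a single blob
        "sp": permissions,
        "st": now.strftime(_TS),
        "se": (now + timedelta(days=days)).strftime(_TS),
        "spr": "https",
        "sig": "PLACEHOLDER",
    }
    return f"https://{account}.blob.core.windows.net/{container}/{blob}?{urlencode(params)}"


def sas_lifetime_days(sas: str) -> float:
    """Length of the validity window in days."""
    q = _params(sas)
    return (utc(q["se"]) - utc(q["st"])).total_seconds() / 86400


if __name__ == "__main__":
    oct1 = utc("2022-10-01T00:00:00Z")
    roles = list(ROLE_PERMISSIONS)
    print("Statement 1 (SAS1, delete file):", sas_allows(SAS1, "f", "d", oct1))
    print("Statement 2 (Azure AD creds, delete file):", rbac_allows(roles, "file", "d"))
    print("Statement 3 (SAS1, delete table row):", sas_allows(SAS1, "t", "d", oct1))
    url = service_sas_for_blob("storage1", "container1", "blob1", days=6)
    print("blob1 SAS lifetime (days):", sas_lifetime_days(url))
```

Note what the same token does not allow: SAS1 does not cover the Blob service at all, so `sas_allows(SAS1, "b", "d", ...)` is false even though User1 holds a blob role; the two authorization paths never mix.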

Question 6

HOTSPOT. You have an Azure subscription that contains the virtual machines shown in the following table (table not reproduced). You have an Azure Cosmos DB account named cosmos1 configured as shown in the following exhibit (exhibit not reproduced).

Show Answer
Correct Answer:

VM1 can access cosmos1 over the internet: Yes

VM2 can access cosmos1 over the internet: Yes

VM3 can access cosmos1 over the internet: Yes

Explanation

The Azure Cosmos DB account cosmos1 is configured to allow access from Selected networks, which includes rules for both virtual networks and a public IP firewall. The question specifically asks about access over the internet, which is controlled by the Firewall rules that filter traffic based on public IP addresses.

  1. VM1's Public IP is 20.224.219.170. This address falls within the allowed CIDR range of 20.224.219.0/24 in the firewall rules. Therefore, VM1 can connect over the internet.
  2. VM2's Public IP is 20.224.219.230. This address also falls within the allowed CIDR range of 20.224.219.0/24. Therefore, VM2 can connect over the internet.
  3. VM3's Public IP is 40.122.155.212. This address falls within the second allowed CIDR range of 40.122.155.0/24. Therefore, VM3 can connect over the internet.

Since the public IP addresses of all three virtual machines are included in the firewall's allowed IP ranges, all three can access cosmos1 over the internet. The VNet service endpoint configuration is a separate access path: a VM in a subnet that has the Cosmos DB service endpoint enabled and is listed in the account's VNet rules reaches cosmos1 over the Azure backbone with its private source address and is evaluated against the VNet rules, not the public IP firewall. Such traffic never presents the VM's public IP, so the two rule sets should be checked independently.

References

Microsoft Azure Documentation, "Configure IP firewall in Azure Cosmos DB." This document outlines how to restrict access to a Cosmos DB account by specifying a list of allowed IP addresses or address ranges. The scenario directly applies this by checking if the VMs' public IPs are in the allowed list.

Microsoft Azure Documentation, "Configure access to Azure Cosmos DB from virtual networks (VNet)." Section: "How a service endpoint works." This reference clarifies that VNet service endpoint traffic travels over the Azure backbone network, which is distinct from traffic coming from the public internet that would be evaluated by the IP firewall rules.
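The check in the explanation is a CIDR containment test, one per VM, followed by a choice of which rule set applies. The following added example (not code from the original page or from Microsoft) performs that evaluation for the three public IPs and the two firewall ranges quoted above, and models the second path in which a request arriving through a service endpoint is matched on its subnet identity instead. The subscription and subnet identifiers and the "public network access" modes are assumptions for the example.

```python
"""Azure Cosmos DB admission decision: IP firewall versus VNet rules.

Added example, not from the original page or from Microsoft. The firewall ranges
and VM public IPs are the ones quoted in the explanation above; the subnet ID and
VNet rule are constructed to show the service-endpoint path, where a request is
matched on its VNet/subnet identity rather than on a public IP.
"""
import ipaddress
from typing import Dict, Iterable, Optional

FIREWALL_RULES = ["20.224.219.0/24", "40.122.155.0/24"]   # allowed public ranges
VMS = {"VM1": "20.224.219.170", "VM2": "20.224.219.230", "VM3": "40.122.155.212"}

# Constructed subnet ID for the service-endpoint path.
SUBNET1 = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"
           "/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/subnet1")
VNET_RULES = {SUBNET1}


def ip_allowed(ip: str, rules: Iterable[str]) -> bool:
    """True if `ip` falls inside any allowed address or CIDR range.
    strict=False accepts host bits in a range entry, e.g. 10.0.0.5/24."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(rule, strict=False) for rule in rules)


def cosmos_allows(public_ip: Optional[str], subnet_id: Optional[str],
                  ip_rules: Iterable[str], vnet_rules: Iterable[str],
                  public_access: str = "SelectedNetworks") -> bool:
    """Admission decision for one request.

    public_access: 'AllNetworks' (no filtering), 'SelectedNetworks' (IP firewall
    plus VNet rules), or 'Disabled' (only private endpoints reach the account).
    A request that arrived via a service endpoint carries a subnet identity and is
    judged on the VNet rules alone; everything else is judged on its public IP.
    """
    if public_access == "Disabled":
        return False
    if public_access == "AllNetworks":
        return True
    if subnet_id is not None:
        return subnet_id in set(vnet_rules)
    return public_ip is not None and ip_allowed(public_ip, ip_rules)


def internet_access_matrix(vms: Dict[str, str], ip_rules: Iterable[str]) -> Dict[str, bool]:
    """The hotspot answer: can each VM reach the account from the internet?"""
    rules = list(ip_rules)
    return {name: cosmos_allows(ip, None, rules, VNET_RULES) for name, ip in vms.items()}


if __name__ == "__main__":
    for vm, ok in internet_access_matrix(VMS, FIREWALL_RULES).items():
        print(f"{vm} can access cosmos1 over the internet: {'Yes' if ok else 'No'}")
```

The same function shows the failure mode worth remembering: tighten "Public network access" to Disabled and every public-IP match becomes irrelevant, regardless of how the firewall list reads.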

Question 7

HOTSPOT. You have an Azure AD tenant named contoso.com that has Azure AD Premium P1 licenses. You need to create a group named Group1 that will be assigned the Global reader role. Which portal should you use to create Group1 and which type of group should you create? To answer, select the appropriate options in the answer area (answer area not reproduced).

Show Answer
Correct Answer:

Portal: the Azure Active Directory admin center only

Group type: Security only

Explanation

A group can be assigned an Azure AD role only if it was created as a role-assignable group, that is with the isAssignableToRole property set to true at creation time; the property cannot be changed afterwards. That setting, shown in the Azure Active Directory admin center (now the Microsoft Entra admin center) as "Azure AD roles can be assigned to the group", is not offered by the Microsoft 365 admin center, so the Azure AD admin center is the required portal. In that portal's creation blade the toggle is available when the Group type is Security, which is the expected answer here (a Microsoft 365 group can also be created as role-assignable, but a security group with no mailbox is the natural fit for a pure role assignment). Role-assignable groups must use assigned membership rather than dynamic membership, and the tenant's Azure AD Premium P1 license satisfies the licensing prerequisite.

References

Microsoft Learn. (2023). Create a role-assignable group in Microsoft Entra ID. "Prerequisites" section states an Azure AD Premium P1 or P2 license is required. The "Create a role-assignable group" section, Step 4 and Step 5, specifies using the Azure portal (Azure AD admin center) and selecting Security for the Group type. It also shows the specific toggle switch, "Microsoft Entra roles can be assigned to the group," which is unique to this portal.

Microsoft Learn. (2023). Use Microsoft Entra groups to manage role assignments. The "How do role-assignable groups work?" section clarifies that to assign a role, a "new security...group" must be created with the isAssignableToRole property set to true. This confirms that the group must be a security type and have this special property configured at creation, a process detailed in the first reference.

Question 8

HOTSPOT. Your on-premises network contains the servers shown in the following table (table not reproduced). You have an Azure subscription that contains multiple virtual machines that run either Windows Server 2019 or SLES. (answer area not reproduced)

Show Answer
Correct Answer:

Operating systems: SLES and Windows Server

Platforms: Azure virtual machines, Hyper-V virtual machines, and Azure Arc-enabled servers


Explanation

The environment includes servers running both Windows Server (Server1, Server2, and the VMs on Server1) and SUSE Linux Enterprise Server (SLES) (Server3). Therefore, the "Operating systems" filter must be set to SLES and Windows Server to include all machines.

The infrastructure consists of three distinct platform types:

  1. Azure virtual machines: As stated in the subscription details.
  2. Hyper-V virtual machines: The four VMs hosted on Server1.
  3. Azure Arc-enabled servers: Server2 and Server3 have the Azure Arc agent installed, bringing them under Azure management from their on-premises location.

To encompass all these components, the "Platforms" filter must be set to Azure virtual machines, Hyper-V virtual machines, and Azure Arc-enabled servers.

References

Microsoft Corporation. (2024). Azure Arc-enabled servers overview. Microsoft Docs. Retrieved from https://learn.microsoft.com/en-us/azure/azure-arc/servers/overview. (This document defines Azure Arc-enabled servers as physical or virtual machines hosted outside of Azure that are managed through Azure, which applies to Server2 and Server3).

Microsoft Corporation. (2023). Introduction to Hyper-V on Windows Server. Microsoft Docs. Retrieved from https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server. (This resource describes the Hyper-V role for hosting virtual machines, as seen with Server1).

Microsoft Corporation. (2024). Linux virtual machines in Azure. Microsoft Docs. Retrieved from https://learn.microsoft.com/en-us/azure/virtual-machines/linux/overview. (This page confirms that SLES is a supported operating system for Azure VMs, justifying its inclusion).

Question 9

You have an Azure subscription that contains an Azure key vault. You need to configure the maximum number of days for which new keys are valid. The solution must minimize administrative effort. What should you use?
Options
A: Key Vault properties
B: Azure Policy
C: Azure Purview
D: Azure Blueprints
Show Answer
Correct Answer:
Azure Policy
Explanation
Azure Policy is the correct tool for enforcing organizational standards and assessing compliance at scale. It includes built-in definitions specifically for Azure Key Vault that can mandate a maximum validity period for new keys. By assigning a policy such as "Keys should not be active for longer than the specified number of days" at subscription or management group scope, you can audit or deny the creation of any key that violates the rule. These Key Vault definitions run in the Microsoft.KeyVault.Data policy mode, so they evaluate the keys themselves rather than the vault resource: with the Deny effect the key creation call is rejected, while Audit flags existing non-compliant keys on the compliance dashboard. Either way the rule is enforced centrally across every vault in scope, with no per-key or per-vault configuration, which is what minimizes administrative effort.
Why Incorrect Options are Wrong

A. Key Vault properties: This allows setting an expiration date for an individual key, but it does not enforce a maximum validity period for all new keys. This would require manual configuration for every key, which does not minimize administrative effort.

C. Azure Purview: This is a unified data governance service used for data discovery, classification, and lineage. It is not used for enforcing configuration rules on Azure resources like Key Vault keys.

D. Azure Blueprints: This service is used to deploy a repeatable set of Azure resources, which can include policy assignments. However, the underlying mechanism that enforces the rule on key validity is Azure Policy itself, making it the more direct and precise answer.

References

1. Microsoft Learn, Azure Policy built-in definitions for Azure Key Vault: The built-in policy "Keys should not be active for longer than the specified number of days" directly addresses the question's requirement. The documentation states, "this policy will audit or deny the creation of any key that is active for longer than the specified number of days."

Source: Microsoft Learn, "Azure Policy built-in definitions for Azure Key Vault", Section: "Key Vault".

2. Microsoft Learn, Overview of Azure Policy: This document explains the function of Azure Policy. "Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity." This supports the "minimize administrative effort" requirement.

Source: Microsoft Learn, "What is Azure Policy?", Section: "Overview".

3. Microsoft Learn, Set and remove an expiration date on a key: This document shows that setting an expiration date is a per-key operation. "Use the az keyvault key set-attributes command to update an existing key's attributes... Set the --expires parameter to the date you want the key to expire." This confirms that using key properties is a manual, per-key action.

Source: Microsoft Learn, "Set and remove an expiration date on a key", Section: "Set an expiration date on an existing key".
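The built-in policy above measures each key's validity window and applies its effect per key. The following added example (not code from the original page or from Microsoft) builds the assignment parameters for that definition and reproduces the evaluation offline: compliant, non-compliant under Audit, or rejected under Deny at creation, with a key that has no expiry treated as exceeding any limit. The definition ID placeholder, the key attributes and the treatment of missing expiry are assumptions for the example.

```python
"""Offline model of the Key Vault policy "Keys should not be active for longer
than the specified number of days".

Added example, not from the original page or from Microsoft. The parameter name
`maximumValidityInDays` and the effects Audit/Deny/Disabled follow the built-in
definition; the definition ID, vault and key attributes below are constructed.
"""
from datetime import datetime, timezone
from typing import Optional, Tuple

# Placeholder: look up the real built-in definition ID in the Azure Policy
# definitions list for Key Vault before assigning.
DEFINITION_ID = "/providers/Microsoft.Authorization/policyDefinitions/<built-in-definition-id>"


def assignment_body(max_days: int, effect: str = "Deny") -> dict:
    """Azure Policy assignment body for the built-in definition. Assigned at
    subscription or management group scope, it covers every vault beneath it."""
    if effect not in ("Audit", "Deny", "Disabled"):
        raise ValueError(f"unsupported effect: {effect}")
    return {
        "properties": {
            "policyDefinitionId": DEFINITION_ID,
            "parameters": {
                "maximumValidityInDays": {"value": max_days},
                "effect": {"value": effect},
            },
        }
    }


def active_days(created: datetime, expires: Optional[datetime]) -> float:
    """Validity window the policy measures. A key with no expiry never stops being
    active, so it is treated as exceeding any limit (assumption for the example)."""
    if expires is None:
        return float("inf")
    return (expires - created).total_seconds() / 86400


def is_compliant(key: dict, max_days: int) -> bool:
    """Compliance of one key's attributes against the limit."""
    return active_days(key["created"], key.get("expires")) <= max_days


def admit_new_key(key: dict, max_days: int, effect: str) -> Tuple[bool, str]:
    """What happens when a key with these attributes is created under the policy:
    (admitted?, outcome). Deny rejects the create call; Audit lets it through but
    records the key as non-compliant; Disabled does nothing."""
    if effect == "Disabled" or is_compliant(key, max_days):
        return True, "compliant" if is_compliant(key, max_days) else "not evaluated"
    if effect == "Deny":
        return False, "denied"
    return True, "non-compliant"


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


if __name__ == "__main__":
    policy = assignment_body(90, "Deny")
    long_lived = {"name": "key2", "created": utc(2025, 1, 1), "expires": utc(2025, 7, 1)}
    print(policy["properties"]["parameters"])
    print("key2 under Deny:", admit_new_key(long_lived, 90, "Deny"))
```

The per-key alternative the question rules out is `az keyvault key set-attributes --expires ...` on every key; the policy replaces that with one assignment.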

Question 10

HOTSPOT. You have the role assignments shown in the following exhibit (exhibit not reproduced). Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

Show Answer
Correct Answer:

Statement 1: Only Admin1 and Admin3 can delete VM1.

Statement 2: Only Admin3 can create new resource groups.

Explanation

Of the exhibit, only Admin1's assignment (Owner scoped to the resource group RG1) is reproduced here; the roles and scopes of the other administrators are inferred from the answer choices. A configuration consistent with the stated answers is:

  • Admin1: Owner on Resource Group RG1 (Given).
  • Admin2: Reader on the Subscription.
  • Admin3: Contributor on the Subscription.
  • Admin4: Owner on a different Resource Group (e.g., RG2).

Deletion of VM1

To delete a virtual machine, a user needs delete permissions (included in Owner and Contributor roles) at the scope of the VM or a parent scope. Assuming VM1 is in RG1:

  • Admin1 is the Owner of RG1 and thus can delete VM1.
  • Admin3 is a Contributor at the subscription level. These permissions are inherited by all child resource groups, including RG1. Therefore, Admin3 can delete VM1.
  • Admin2 has a Reader role, which does not permit any changes.
  • Admin4's permissions are confined to a different resource group and do not apply to RG1.

Thus, only Admin1 and Admin3 can delete VM1.


Creation of New Resource Groups

Creating a resource group requires Microsoft.Resources/subscriptions/resourcegroups/write permission, which must be assigned at the subscription scope.

  • Admin3 has the Contributor role at the subscription scope, which grants this permission. Therefore, Admin3 can create new resource groups.
  • Admin1's and Admin4's roles are scoped to resource groups, not the subscription, so they cannot create new resource groups.
  • Admin2's Reader role does not grant write permissions.

Thus, only Admin3 can create new resource groups.

References

Azure built-in roles - Microsoft Documentation: This document details the permissions for roles like Owner, Contributor, and Reader.

Owner: "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC."

Contributor: "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries." This includes creating and deleting resources.

Reference: Microsoft, "Azure built-in roles," Azure RBAC documentation, learn.microsoft.com. Accessed Sep 18, 2025.

Understand scope for Azure RBAC - Microsoft Documentation: This resource explains how permissions are inherited from higher scopes (like subscriptions) to lower scopes (like resource groups).

Section: Scope: "When you assign a role, you must specify a scope. Scope is the set of resources that the access applies to... In Azure, you can specify a scope at four levels: management group, subscription, resource group, and resource. Scopes are structured in a parent-child relationship... When you grant access at a parent scope, those permissions are inherited by the child scopes."

Reference: Microsoft, "Understand scope for Azure RBAC," Azure RBAC documentation, learn.microsoft.com. Accessed Sep 18, 2025.
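The two statements reduce to one evaluation: for each principal, find an assignment whose scope is the target scope or an ancestor of it, then check that the role's Actions match the operation and its NotActions do not. The following added example (not code from the original page or from Microsoft) implements that check with the Owner, Contributor and Reader definitions trimmed to the entries that matter, over the assignments the explanation deduces. The subscription ID, the resource IDs and the reduced role definitions are assumptions for the example; Azure additionally evaluates deny assignments and data actions, which are out of scope here.

```python
"""Azure RBAC access check with scope inheritance.

Added example, not from the original page or from Microsoft. Role definitions
are trimmed to the Actions/NotActions that matter here (Owner and Contributor
carry "*", Contributor excludes role-assignment writes, Reader is "*/read");
the assignments reproduce the configuration deduced in the explanation, with
subscription and resource IDs constructed.
"""
from fnmatch import fnmatchcase
from typing import List, Sequence, Tuple

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG1 = f"{SUB}/resourceGroups/RG1"
RG2 = f"{SUB}/resourceGroups/RG2"
VM1 = f"{RG1}/providers/Microsoft.Compute/virtualMachines/VM1"

ROLES = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Contributor": {
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"actions": ["*/read"], "notActions": []},
}

Assignment = Tuple[str, str, str]  # (principal, role, scope)
ASSIGNMENTS: List[Assignment] = [
    ("Admin1", "Owner", RG1),
    ("Admin2", "Reader", SUB),
    ("Admin3", "Contributor", SUB),
    ("Admin4", "Owner", RG2),
]


def _matches(pattern: str, action: str) -> bool:
    """Case-insensitive wildcard match; '*' spans '/' so "*/read" covers
    "Microsoft.Compute/virtualMachines/read"."""
    return fnmatchcase(action.lower(), pattern.lower())


def _scope_covers(assigned: str, target: str) -> bool:
    """An assignment applies at its own scope and at every child scope."""
    a, t = assigned.lower(), target.lower()
    return t == a or t.startswith(a + "/")


def role_grants(role: str, action: str) -> bool:
    """Actions minus NotActions for one role definition."""
    definition = ROLES[role]
    return (any(_matches(p, action) for p in definition["actions"])
            and not any(_matches(p, action) for p in definition["notActions"]))


def is_allowed(principal: str, action: str, scope: str,
               assignments: Sequence[Assignment] = ASSIGNMENTS) -> bool:
    """Allowed if any assignment for the principal covers the scope and its role grants the action."""
    return any(p == principal and _scope_covers(s, scope) and role_grants(r, action)
               for p, r, s in assignments)


def who_can(action: str, scope: str,
            assignments: Sequence[Assignment] = ASSIGNMENTS) -> List[str]:
    """Principals able to perform `action` at `scope`."""
    return sorted({p for p, _, _ in assignments if is_allowed(p, action, scope, assignments)})


if __name__ == "__main__":
    print("Can delete VM1:", who_can("Microsoft.Compute/virtualMachines/delete", VM1))
    print("Can create resource groups:",
          who_can("Microsoft.Resources/subscriptions/resourceGroups/write", SUB))
```

The same function answers the follow-up an auditor would ask: Contributor at subscription scope lets Admin3 delete VM1, but `Microsoft.Authorization/roleAssignments/write` is still refused because it sits in the role's NotActions.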

Total questions: 486
Last update check: October 15, 2025