Microsoft Azure AZ-500 Exam Questions 2025

Azure Active Directory (Azure AD) Identity Protection categorizes risk detections into different levels to help administrators prioritize and automate responses.

• Users with leaked credentials is considered a High risk because it indicates that a user's valid credentials (username and password) have been exposed publicly on the dark web or through a data breach. This means an attacker has the direct ability to access the account, representing a severe and immediate threat.
• Impossible travel to atypical locations is classified as a Medium risk. This detection is triggered when two sign-ins from the same user occur from geographically distant locations in a time frame that is physically impossible. While highly suspicious, it's not rated as high because factors like using VPNs or misconfigured client reporting can sometimes cause false positives.
• Sign ins from IP addresses with suspicious activity is also a Medium risk. This event is triggered when a sign-in originates from an IP address associated with malicious activity, such as botnets or traffic from anonymous proxies (like Tor). This is a strong indicator of a potential attack, but it doesn't definitively prove the specific user's account is compromised, as malicious IP addresses can be part of a shared network.

Microsoft Entra ID Protection Documentation, "What are risk detections?": This official document provides a detailed list of user and sign-in risk detections and their corresponding risk levels.

Leaked credentials is explicitly listed as a user risk detection with a Risk level of High.

Impossible travel is listed as a sign-in risk detection with a Risk level of Medium.

Malicious IP address (the specific detection for "suspicious activity") is listed as a sign-in risk detection with a Risk level of Medium.

To annotate an intermediate event for hunting suspicious traffic in Microsoft Sentinel (formerly Azure Sentinel), you first query the data (Azure Log Analytics) from the Sentinel workspace. After obtaining and selecting the relevant result, you create a bookmark and map an entity (such as the IP address) so that it becomes part of the investigation graph and can be referenced in later steps. Adding to Favorites or tagging without mapping does not provide an entity reference for the graph.

Microsoft Learn, Hunt for threats with Microsoft Sentinel: Steps for running Log Analytics queries and bookmarking results with mapped entities (Create and use bookmarks) – https://learn.microsoft.com/en-us/azure/sentinel/hunting-bookmarks

Microsoft Learn, Investigation graph in Microsoft Sentinel: Explains how mapping an entity allows navigation in the investigation graph – https://learn.microsoft.com/en-us/azure/sentinel/investigate

Microsoft Learn, Kusto query language overview: Describes running queries in Log Analytics within Sentinel – https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/

Azure Front Door is a global, scalable entry-point that uses the Microsoft global edge network to create fast, secure, and widely scalable web applications. The solution requires both protection against common web vulnerabilities and optimized routing for global traffic. Azure Front Door Premium tier meets these requirements by providing global load balancing to route traffic to the lowest latency backend. It also includes a fully managed Web Application Firewall (WAF) that protects applications from common exploits and vulnerabilities, such as SQL injection and cross-site scripting. This combination of features in a single service directly addresses all the stated needs.

A. Azure Application Gateway: This is a regional load balancer. While it includes a WAF, it cannot optimize traffic routing for users across multiple global regions as effectively as a global service.

B. Azure Content Delivery Network (CDN): A CDN is primarily designed to cache and serve static content from edge locations. It does not provide the required comprehensive WAF protection or dynamic traffic routing capabilities.

C. Azure Firewall: This is a stateful network firewall designed to protect Azure Virtual Network resources. It operates at Layers 3 and 4 and is not a Web Application Firewall (WAF) for protecting against web-based attacks.

1. Microsoft Documentation

"What is Azure Front Door?": "Azure Front Door is a global

scalable entry-point that uses the Microsoft global edge network... Azure Front Door works at Layer 7 (HTTP/S layer) ... Key features include: ... Global load balancing ... Web Application Firewall (WAF)".

2. Microsoft Documentation

"Azure Front Door tier comparison": This document explicitly lists the features of the Standard and Premium tiers. The table shows that the Premium tier includes "Full-featured Web Application Firewall (WAF)" with "Bot protection

" "Managed rule sets

" and "Custom rules."

3. Microsoft Documentation

"What is Azure Web Application Firewall on Azure Front Door?": "Azure Web Application Firewall (WAF) on Azure Front Door provides centralized protection for your web applications. WAF defends your web services against common exploits and vulnerabilities."

4. Microsoft Documentation

"What is Azure Application Gateway?": "Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. It's a regional service and all resources including the gateway are placed in a single virtual network." This confirms its regional scope

making it unsuitable for global traffic optimization.

URL filtering on VNet1: Azure Firewall's URL filtering is an Application Rule feature, not a Network Rule feature. Since VNet1 is associated with FW1, which uses Policy2, and Policy2 is a Premium policy, URL filtering is available. However, the statement asks about applying it to network rules, which is incorrect. URL filtering is a function of application rules, not network rules.

IDPS on VNet2: VNet2 is associated with FW2. FW2 is a Premium tier firewall. The Premium tier of Azure Firewall includes an IDPS, which can be used to monitor malicious activity. The statement is therefore true.

Encrypted traffic inspection: Azure Firewall can inspect encrypted traffic, but only if TLS inspection is enabled. For this to work, the client (VNet3 in this case) must trust the firewall's certificate authority, and the traffic must be routed to the firewall. The question implies that peering alone will cause encrypted traffic to be inspected. Peering simply allows connectivity; it doesn't automatically enable traffic routing through the firewall or TLS inspection. VNet3 has no firewall associated with it, so its traffic will not be inspected unless specifically routed and configured for TLS inspection, which isn't guaranteed by just peering.

Microsoft Azure Documentation. (2023). What is Azure Firewall Premium? Microsoft Docs. Retrieved from https://docs.microsoft.com/en-us/azure/firewall/premium-features

Specifically, the section on "TLS Inspection" and "IDPS" confirms these features are part of the Premium tier.

Microsoft Azure Documentation. (2023). Azure Firewall Rules. Microsoft Docs. Retrieved from https://docs.microsoft.com/en-us/azure/firewall/rule-processing

This document clarifies the distinction between Network rules and Application rules, with URL filtering being a function of Application rules.

Microsoft Azure Documentation. (2023). Azure Virtual Network Peering. Microsoft Docs. Retrieved from https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

This source explains that VNet peering provides connectivity but does not automatically route traffic through a firewall. Specific user-defined routes (UDRs) are needed for this purpose.

The Microsoft Authenticator app is the only method listed that supports both number matching and the display of geographical location during a sign-in attempt. These features are part of the "additional context" available for push notifications, designed to enhance security. Number matching requires the user to type a number displayed on the sign-in screen into the app, preventing accidental approvals from MFA fatigue attacks. The geographical location, derived from the sign-in IP address, helps the user identify potentially fraudulent sign-in attempts from unexpected locations.

A. SMS sends a one-time passcode via text message and lacks the functionality for number matching or displaying geographical location.

B. A Temporary Access Pass is a time-limited passcode used for onboarding or account recovery, not a primary MFA method with these features.

D. A FIDO2 security key is a hardware-based, passwordless method that does not use an app interface to display number matching or location.

1. Microsoft Entra ID Documentation. (2023). How to use additional context in Microsoft Authenticator notifications. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-additional-context. The section "Location" states

"The user’s location based on the IP address of the signing in device is displayed

" and the section "Number matching" describes the feature.

2. Microsoft Entra ID Documentation. (2023). Authentication methods in Azure Active Directory - Microsoft Authenticator app. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods#microsoft-authenticator-app. This document outlines the capabilities of the Authenticator app

including "Push notification with number matching" as a primary authentication method.

The storage account allows Selected networks: only VNET3/Subnet3 and an IP range 52.233.129.0/24.

• VM1 (VNET1/Subnet1): Although the subnet has Microsoft.Storage service endpoint, it isn’t added to the storage account’s allowed VNets ⇒ denied. Azure requires the subnet to be added as a virtual network rule, which relies on a Storage service endpoint.

• VM2 (VNET2/Subnet2): No service endpoint. Without endpoints, traffic to Azure services uses the VM’s public IPv4 as source; the storage firewall IP rule (52.233.129.0/24) matches 52.233.129.82 ⇒ allowed.

• VM3 (VNET3/Subnet3): Subnet is added, but its endpoint is Microsoft.KeyVault (not Microsoft.Storage). A Storage virtual network rule works only when the subnet has a Storage service endpoint ⇒ denied. Also, where a service endpoint is used, IP rules don’t apply.

Microsoft Learn — Create a virtual network rule for Azure Storage (shows enabling Microsoft.Storage endpoint on the subnet to use VNet rules; includes command examples).

Microsoft Learn

Microsoft Learn — Azure virtual network service endpoints overview (before endpoints, service traffic from a VNet uses public IP; with endpoints it switches to private IP).

Microsoft Learn

Microsoft Learn — Azure Storage firewall rules (with a service endpoint, traffic uses private IP and IP rules no longer have effect)

To deploy Azure Disk Encryption, you first need a secure repository for the encryption keys, so you must create an Azure key vault. Before the encryption extension can use this vault, you must configure access policies (specifically enabling the EnabledForDiskEncryption setting) to grant the Azure platform permission to retrieve and back up secrets to that vault. Finally, you apply the encryption configuration to the virtual machine by running the Set-AzureRmVmDiskEncryptionExtension cmdlet (or its Az module equivalent), which triggers the BitLocker encryption process inside the guest OS.

Microsoft Learn: Create and configure a key vault for Azure Disk Encryption

Reference: "You can create a key vault... Enable the key vault for disk encryption... You must enable the key vault for disk encryption to allow Azure Disk Encryption to retrieve secrets."

Link: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault

Microsoft Learn: Enable Azure Disk Encryption for Windows VMs

Reference: "Enable encryption using the Set-AzVMDiskEncryptionExtension cmdlet... requires the Key Vault created in previous steps."

Link: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-windows

Azure Key Vault provides a specific, configurable feature named "rotation policy" for both keys and secrets. For keys, the rotation policy automates the generation of a new key version at a scheduled time or after a specific duration. For secrets, the rotation policy integrates with Azure Event Grid and automation services (like Azure Functions or Logic Apps) to manage the lifecycle of credentials such as database connection strings.

While certificates have automated renewal capabilities, this is configured within the certificate's "Issuance Policy" through "Lifetime Actions," which is a distinct mechanism from the feature explicitly named "rotation policy" that applies to keys and secrets.

A. Key1 Only: This is incorrect because secrets also support a configurable rotation policy.

B. Cert1 only: This is incorrect. Certificates use an "Issuance Policy" for renewal, not a "rotation policy," and both keys and secrets support rotation policies.

D. Key1 and Cert1 only: This is incorrect because the feature for certificates is named "Issuance Policy," not "rotation policy," and secrets do support rotation.

E. Secret1 and Cert1 only: This is incorrect because keys support a rotation policy, and the feature for certificates is named differently.

F. Key1, Secret1, and Cert1: This is incorrect because the specific "rotation policy" feature, by name and implementation, applies to keys and secrets, not certificates.

1. Microsoft Documentation - Configure key auto-rotation in Azure Key Vault: "Azure Key Vault automates the rotation of keys in a key vault. When you configure a key rotation policy

you can customize the rotation frequency." (Section: "Key rotation policy")

2. Microsoft Documentation - Configure secret auto-rotation in Azure Key Vault: "Azure Key Vault automates the rotation of secrets for databases or services that use a username and password for authentication... You can set a rotation policy on a secret to schedule rotation..." (Section: "Secret rotation policy")

3. Microsoft Documentation - Tutorial: Configure certificate auto-rotation in Key Vault: "To configure certificate auto-rotation... 3. Select the Issuance Policy tab... 4. Set the Lifetime Action Type to Automatically renew at a given percentage lifetime." (Section: "Create a certificate in Key Vault") This reference demonstrates that certificate lifecycle management uses an "Issuance Policy" and "Lifetime Actions

" distinguishing it from the "rotation policy" of keys and secrets.

To enable and use Azure AD Privileged Identity Management (PIM), a user with the Global Administrator role must perform a sequence of onboarding steps.

1. Consent to PIM: The first action is to grant PIM the necessary permissions to manage directory roles. This is a one-time consent action for the entire Azure AD tenant.
2. Verify your identity by using multi-factor authentication (MFA): Because consenting to and configuring PIM is a highly privileged operation, the administrator must first verify their identity using MFA. This ensures the user is who they claim to be before proceeding.
3. Sign up PIM for Azure AD roles: After consent is given and the administrator's identity is verified, the final step is to explicitly enable, or "sign up," the PIM service to begin managing Azure AD roles.

The other options, Discover privileged roles and Discover resources, are actions performed after PIM has been successfully set up and configured.

Microsoft Learn: In the official documentation for deploying PIM, the sequence is clearly outlined. The article states, "The first step is to consent to PIM... To consent to PIM, you'll be required to verify your identity with multi-factor authentication (MFA)... After you've consented to PIM, you can sign up PIM to manage Azure AD roles." This directly supports the provided order of operations.

Source: Microsoft Entra documentation, "Deploy Privileged Identity Management (PIM)", section: "Onboard PIM".

Microsoft Learn: The getting started guide also confirms this sequence by explaining that the initial user (a Global Administrator) must first consent and will be prompted for MFA. The ability to manage roles comes after these initial onboarding and verification steps are completed.

Source: Microsoft Entra documentation, "Start using Privileged Identity Management", section: "Prerequisites".

Microsoft Entra Permissions Management specifically identifies certain Microsoft Entra roles as "highly privileged" for reporting on the Azure AD insights tab. According to official documentation, these roles are Global Administrator, Privileged Role Administrator, and Security Administrator.

In the given scenario:

Admin1 holds the Global Administrator role.

Admin2 holds the Security Administrator role.

Admin3 holds the Privileged Role Administrator role.

The User Administrator role, held by Admin4, is not classified as a highly privileged role in this context. Therefore, only Admin1, Admin2, and Admin3 will be listed.

A. This option is incorrect because it omits the Security Administrator (Admin2) and Privileged Role Administrator (Admin3) roles, which are also considered highly privileged.

B. This option is incorrect because it omits the Global Administrator (Admin1) role, which is a highly privileged role.

C. This option is incorrect as it omits two highly privileged roles (Admin1, Admin3) and incorrectly includes the User Administrator (Admin4) role.

E. This option is incorrect as it omits the Global Administrator (Admin1) role and incorrectly includes the User Administrator (Admin4) role.

F. This option is incorrect because the User Administrator (Admin4) role is not considered a highly privileged role by Microsoft Entra Permissions Management for this insight.

1. Microsoft Learn. (2023). View key statistics and data about your authorization system in Permissions Management. Under the section "The Azure AD insights tab

" the "Highly privileged roles" tile description explicitly states: "Permissions Management considers the following roles to be highly privileged: Global administrator

Privileged role administrator

and Security administrator." This directly supports that Admin1

Admin2

and Admin3 are the correct accounts.