AZ-500  Microsoft  Practice Test Questions and Exam Dumps

Question No 1 : 

You are a cloud security administrator for an organization that uses Azure Active Directory (Azure AD) for identity and access management. Recently, you've noticed unusual behaviour and suspect that some users are repeatedly attempting to sign in to resources they are not authorized to access. To investigate further, you decide to use Azure Log Analytics to query sign-in logs and confirm if any users have had multiple unsuccessful sign-in attempts over the last few days.

Your goal is to write a Kusto Query Language (KQL) query that does the following:

  • Retrieves sign-in attempts from the last few days.

  • Filters only failed sign-in attempts.

  • Aggregates the number of failed attempts per user.

  • Displays only those users who had more than five failed sign-in attempts.

To achieve this, your query should include functions or parameters that allow you to count occurrences per user and filter based on that count.

Which of the following options should be included in your query to achieve the desired result?

A. The EventID and CountIf() parameters
B. The ActivityID and CountIf() parameters
C. The EventID and Count() parameters
D. The ActivityID and Count() parameters

Correct Answer:

A. The EventID and CountIf() parameters

Explanation :

In Azure Log Analytics, queries are written using Kusto Query Language (KQL). When investigating failed sign-in attempts, it is essential to use the correct parameters to both filter and count the relevant events.

The EventID parameter identifies specific types of events, such as sign-in failures. Using this ensures that the query targets only the relevant entries in the logs.

The CountIf() function is particularly useful when you need to count occurrences conditionally—in this case, failed sign-in attempts. For example, you might use something like:

kusto

SigninLogs
| where ResultType != "0"  // ResultType is a string; any value other than "0" indicates failure
| summarize FailedAttempts = countif(ResultType != "0") by UserPrincipalName
| where FailedAttempts > 5

This query filters for failed attempts, summarizes them per user, and then filters again to find users with more than five failed attempts.

The Count() function, in contrast, simply counts all entries, regardless of any specific condition. Therefore, it is less suitable when you want to conditionally count only failed attempts.

ActivityID is generally used to trace a single activity across multiple services and is less useful for this type of analysis. In contrast, EventID is more appropriate when working with logs that record specific event types like sign-in failures.

So, the correct and most efficient choice to detect users with repeated failed sign-in attempts is to use EventID for filtering and CountIf() for conditional aggregation — making option A the correct answer.
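The per-user aggregation described above, as an added example that is not part of the original explanation: it runs over constructed rows so the difference between count() and countif(), and the effect of the time window, show up in the result. The table name SampleSignins, the endTime and lookback values, the user names and the IP addresses are all assumptions made for illustration.

```kusto
// Constructed sample rows standing in for the SigninLogs table (not real data).
// ResultType is a string column; "0" means the sign-in succeeded.
let SampleSignins = datatable(TimeGenerated: datetime, UserPrincipalName: string,
                              ResultType: string, IPAddress: string)
[
    // alice: normal use, one mistyped password
    datetime(2024-05-08 08:00), "alice@contoso.example", "0",     "198.51.100.10",
    datetime(2024-05-08 08:05), "alice@contoso.example", "50126", "198.51.100.10",
    datetime(2024-05-09 09:00), "alice@contoso.example", "0",     "198.51.100.10",
    // bob: seven failures from two addresses, then a success
    datetime(2024-05-09 02:00), "bob@contoso.example",   "50126", "203.0.113.7",
    datetime(2024-05-09 02:01), "bob@contoso.example",   "50126", "203.0.113.7",
    datetime(2024-05-09 02:02), "bob@contoso.example",   "50126", "203.0.113.7",
    datetime(2024-05-09 02:03), "bob@contoso.example",   "50126", "203.0.113.7",
    datetime(2024-05-09 02:04), "bob@contoso.example",   "50126", "203.0.113.99",
    datetime(2024-05-09 02:05), "bob@contoso.example",   "50126", "203.0.113.99",
    datetime(2024-05-09 02:06), "bob@contoso.example",   "50126", "203.0.113.99",
    datetime(2024-05-09 02:10), "bob@contoso.example",   "0",     "203.0.113.99",
    // carol: six failures in total, but two fall outside the lookback window
    datetime(2024-05-03 11:00), "carol@contoso.example", "50126", "198.51.100.44",
    datetime(2024-05-03 11:01), "carol@contoso.example", "50126", "198.51.100.44",
    datetime(2024-05-08 14:00), "carol@contoso.example", "50126", "198.51.100.44",
    datetime(2024-05-08 14:01), "carol@contoso.example", "50126", "198.51.100.44",
    datetime(2024-05-08 14:02), "carol@contoso.example", "50126", "198.51.100.44",
    datetime(2024-05-08 14:03), "carol@contoso.example", "50126", "198.51.100.44"
];
let endTime   = datetime(2024-05-10);  // fixed so the sample is reproducible; use now() on live data
let lookback  = 3d;                    // assumed value for "the last few days"
let threshold = 5;                     // "more than five failed sign-in attempts"
SampleSignins
| where TimeGenerated between ((endTime - lookback) .. endTime)
| summarize
    TotalAttempts     = count(),                                 // every row in the window
    FailedAttempts    = countif(ResultType != "0"),              // only rows matching the condition
    DistinctSourceIPs = dcountif(IPAddress, ResultType != "0"),
    FirstFailure      = minif(TimeGenerated, ResultType != "0"),
    LastFailure       = maxif(TimeGenerated, ResultType != "0")
    by UserPrincipalName
| where FailedAttempts > threshold
| extend FailureRatio = round(todouble(FailedAttempts) / TotalAttempts, 2)
| order by FailedAttempts desc
```

Because the summarize step keeps successful sign-ins in scope, TotalAttempts and FailedAttempts differ per user, which is the distinction between count() and countif() that the explanation draws.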

Question No 2 : 

Your development team is utilizing Azure DevOps for managing your software development lifecycle, and you've configured branch policies to enforce standards across your repositories. Branch policies are crucial in maintaining high-quality code and structured workflows in modern DevOps practices.

Which of the following statements accurately describe the purpose and functionality of branch policies in Azure DevOps?
(Select all that apply.)

A. Branch policies help enforce your team's change management processes by controlling how and when changes are made to the codebase.
B. Branch policies determine who has permission to view and update the contents of a branch.
C. Branch policies help ensure the code committed to the branch meets your team's predefined quality standards.
D. Branch policies lock a branch entirely, making it read-only and preventing any updates.

Correct Answers:

A. It enforces your team's change management standards.
C. It enforces your team's code quality.
B. It controls who can read and update the code in a branch.
D. It places a branch into a read-only state.

Explanation :

Branch policies in Azure DevOps are designed to enhance collaboration and code quality within a team by regulating how changes are made to critical branches such as main or develop. They serve as a set of rules that contributors must follow before their changes can be merged into the protected branch.

One of the primary roles of branch policies is to enforce change management standards (A). For example, policies can require pull requests (PRs) before merging, mandate reviewer approval, or ensure that work items are linked. This ensures traceability, accountability, and control over what goes into the production or staging code.

Additionally, branch policies are instrumental in maintaining code quality (C). They can integrate with tools such as build pipelines and static code analyzers. For instance, a policy might block a PR if automated tests fail or if code coverage falls below a specified threshold.

On the other hand, branch policies do not manage access control (B). Permissions regarding who can read or write to a branch are managed through repository security settings, not through branch policies.

Lastly, branch policies do not make branches read-only (D). Instead, they provide a structured gatekeeping mechanism to allow changes only after meeting certain conditions, but they do not completely block all writes.

In summary, branch policies in Azure DevOps are critical for implementing automated governance in your development workflow without interfering with collaboration or role-based access control.

Question No 3:

After setting up a new Azure subscription, your organization assigns you the responsibility of enabling advanced threat detection and custom alerting capabilities using Azure Security Center. You have already provisioned an Azure Storage account as part of the environment setup.

To ensure that you can create custom alert rules that analyze and respond to specific security-related events across your Azure resources, you need to perform an additional configuration step.

Which of the following actions is required to meet this goal?

A. Remove Azure Active Directory (Azure AD) Identity Protection from the environment
B. Create a Data Loss Prevention (DLP) policy
C. Create an Azure Log Analytics workspace
D. Upgrade Security Center to the appropriate pricing tier

Correct Answer: C. Create an Azure Log Analytics workspace

Explanation :

To enable custom alert rules in Azure Security Center, it is essential to integrate Azure Log Analytics, which is the foundational platform for collecting, analyzing, and acting on telemetry data from Azure resources.

Custom alerts in Security Center rely on data collected from various sources, such as virtual machines, storage accounts, and other Azure resources. This telemetry is ingested into a Log Analytics workspace, where it can be queried using Kusto Query Language (KQL). You can then define custom alert rules based on these queries to trigger actions, such as sending email notifications, running automation scripts, or integrating with other security tools.

Without a Log Analytics workspace, Security Center cannot collect or analyze detailed telemetry data, which is crucial for the creation and execution of custom alert rules.

Let’s look at the other options:

  • Option A: Azure AD Identity Protection is not related to Security Center's alerting capabilities.

  • Option B: A DLP (Data Loss Prevention) policy is used in Microsoft Purview or Microsoft 365 to protect sensitive data, not for creating custom alerts in Security Center.

  • Option D: While having the correct Security Center tier (e.g., Standard/Defender for Cloud) is important for advanced threat protection, custom alerting specifically requires a Log Analytics workspace.

In conclusion, to set up and manage custom alert rules in Azure Security Center, you must first create and link a Log Analytics workspace. This enables centralized data collection, flexible querying, and alerting capabilities to enhance your security posture in Azure.

Question No 4 :

Your organization has integrated its on-premises infrastructure with Azure by connecting 100 Windows servers (running either Windows Server 2012 R2 or Windows Server 2016) to an Azure Log Analytics workspace. This workspace is configured specifically to collect security-related performance counters from these servers.

Now, you are assigned to create alert rules based on the data collected by Azure Log Analytics. These alert rules must meet the following criteria:

  • They should support dimensions for more granular alerting.

  • Alert creation time must be minimal (alerts should be triggered quickly after the event is detected).

  • A single alert notification should be sent when the alert is fired and also when it is resolved.

To meet these requirements, you need to select the most suitable signal type when configuring the alert rules in Azure Monitor.

Question:

Which signal type should you use to configure these alert rules efficiently?

A. Activity log
B. Application log
C. Metric
D. Audit log

Correct Answer: C. Metric

Explanation :

When creating alert rules in Azure Monitor, the signal type determines what kind of data the alert will monitor. In your scenario, since you're working with performance counters collected from servers via Azure Log Analytics, the most appropriate signal type is Metrics.

Here's why:

  1. Metrics support dimensions: Dimensions allow you to filter and group metrics, such as performance data per server, which helps in building precise alerts.

  2. Faster alerting: Metric alerts are near real-time and provide low latency, meaning alerts are triggered within minutes of detecting an issue—ideal when alert creation time is critical.

  3. Single alert with fire and resolve states: Metric alerts support stateful alerting, meaning one alert is triggered when the threshold is breached and resolved when the condition returns to normal. This avoids multiple notifications and ensures clean alerting behaviour.

Other options are less suitable:

  • Activity log is used for Azure resource changes (not performance monitoring).

  • Application log is more relevant for app-specific telemetry, not OS-level performance counters.

  • Audit log relates to user activity and changes in Azure Active Directory.

Hence, Metric is the best fit for your requirements: supporting dimensions, enabling quick alerting, and managing alert lifecycle efficiently.

Question No 5 :

Your organization manages an Azure subscription with approximately 100 virtual machines (VMs), all of which have Azure Diagnostics enabled. Recently, an issue was reported regarding the unexpected deletion of one of the virtual machines, which occurred around 15 days ago. You have access to Azure Monitor and have been assigned the task of identifying which user was responsible for deleting the VM.

Given that you need to trace a user-initiated deletion operation, which Azure Monitor feature should you utilize to accurately determine the identity of the user who performed the deletion?

Choose the correct option:

A. Application Log
B. Metrics
C. Activity Log
D. Logs

Correct Answer:

C. Activity Log

Explanation :

Azure Monitor is a comprehensive solution for collecting, analyzing, and acting on telemetry data from your Azure environment. It provides different types of logs and data views, each serving a unique purpose.

When you need to track management operations such as the creation, deletion, or modification of Azure resources — especially to identify the user or service principal responsible for an action — the Azure Activity Log is the correct place to look.

The Activity Log captures control-plane events and shows operations performed on resources at the subscription level. In this case, since a virtual machine was deleted, it is considered a management operation, not an application or workload event. The Activity Log includes detailed metadata, such as the timestamp, operation type, resource affected, and most importantly, the identity (user, app, or service principal) that initiated the operation.

Let's briefly compare the other options:

  • Application Log (A) tracks application-level events and errors within the VM, which wouldn’t capture resource-level changes like deletion.

  • Metrics (B) provide numerical values related to performance (CPU, memory, etc.), not audit trails or user actions.

  • Logs (D), sometimes referring to Azure Monitor Logs (Log Analytics), are helpful for querying telemetry but are better suited for deeper analysis once you know what to look for. They don't inherently contain user identity for control-plane operations unless specifically ingested.

Therefore, to retrieve who deleted a VM 15 days ago, the Activity Log is your best and most direct option.
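An added example (not from the original page) of pulling the caller identity out of Activity Log records with KQL. It assumes the Activity Log has been routed to a Log Analytics workspace, where it appears with AzureActivity-style columns; the rows, VM names, callers, IDs and times below are constructed, and SampleActivity, targetVm, incidentTime and window are hypothetical names.

```kusto
// Constructed rows standing in for Activity Log records in a workspace (not real data).
let SampleActivity = datatable(TimeGenerated: datetime, OperationNameValue: string,
                               ActivityStatusValue: string, Caller: string,
                               CallerIpAddress: string, CorrelationId: string, ResourceId: string)
[
    // an unrelated update to another VM
    datetime(2024-05-01 09:10:00), "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",  "Success", "dave@contoso.example",  "198.51.100.20", "corr-0", "/subscriptions/SUB-ID/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-app-02",
    // a delete attempt on the target VM that did not complete
    datetime(2024-05-01 09:20:00), "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE", "Start",   "frank@contoso.example", "198.51.100.31", "corr-1", "/subscriptions/SUB-ID/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web-17",
    datetime(2024-05-01 09:20:01), "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE", "Failure", "frank@contoso.example", "198.51.100.31", "corr-1", "/subscriptions/SUB-ID/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web-17",
    // the delete on the target VM that completed
    datetime(2024-05-01 09:30:00), "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE", "Start",   "erin@contoso.example",  "203.0.113.50",  "corr-2", "/subscriptions/SUB-ID/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web-17",
    datetime(2024-05-01 09:31:10), "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE", "Success", "erin@contoso.example",  "203.0.113.50",  "corr-2", "/subscriptions/SUB-ID/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web-17",
    // a scheduled clean-up by a service principal on a different VM
    datetime(2024-05-02 01:00:00), "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE", "Start",   "11111111-2222-3333-4444-555555555555", "203.0.113.80", "corr-3", "/subscriptions/SUB-ID/resourceGroups/rg-batch/providers/Microsoft.Compute/virtualMachines/vm-batch-09",
    datetime(2024-05-02 01:00:40), "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE", "Success", "11111111-2222-3333-4444-555555555555", "203.0.113.80", "corr-3", "/subscriptions/SUB-ID/resourceGroups/rg-batch/providers/Microsoft.Compute/virtualMachines/vm-batch-09"
];
let targetVm     = "vm-web-17";                    // name of the deleted VM (assumed)
let incidentTime = datetime(2024-05-01 09:30:00);  // approximate deletion time; on live data use ago(15d)
let window       = 2d;                             // search margin around the reported time
SampleActivity
| where TimeGenerated between ((incidentTime - window) .. (incidentTime + window))
| where OperationNameValue =~ "Microsoft.Compute/virtualMachines/delete"   // case-insensitive match
| where ResourceId endswith strcat("/", targetVm)
// One operation produces several records (Start, Success or Failure); group them.
| summarize
    Statuses  = make_set(ActivityStatusValue),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by CorrelationId, Caller, CallerIpAddress, ResourceId
| extend Completed  = set_has_element(Statuses, "Success")
// Heuristic (assumption): a caller containing "@" is a user; anything else is an app or service principal.
| extend CallerType = iff(Caller contains "@", "User", "Application or service principal")
| project FirstSeen, LastSeen, Caller, CallerType, CallerIpAddress, Completed, Statuses, ResourceId
| order by Completed desc, FirstSeen asc
```

Grouping by CorrelationId separates the attempt that failed from the operation that actually removed the VM, so the investigation names the caller whose request completed rather than everyone who tried.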

Question No 6 :

Your organization operates a large-scale environment within Microsoft Azure, containing over a hundred virtual machines (VMs). All these VMs have Azure Diagnostics enabled to collect performance and diagnostic data. You are specifically assigned to investigate security-related events on one of the virtual machines running Windows Server 2016.

You have already logged into Azure Monitor, which is the central hub for monitoring performance and diagnostics across your Azure resources. Your goal is to analyze security events such as successful or failed login attempts, account lockouts, or unauthorized access attempts on the virtual machine.

Given the available monitoring tools and logging capabilities within Azure Monitor, which of the following should you use to access detailed security logs and query event data from the virtual machine?

A. Application Log

B. Metrics

C. Activity Log

D. Logs (Log Analytics)

Correct Answer: D. Logs (Log Analytics)

Explanation :

When analyzing security events on an Azure virtual machine (especially one running Windows Server 2016), the most effective and detailed option available is Azure Monitor Logs (Log Analytics).

Azure Monitor collects and aggregates data from a variety of sources, including VM diagnostics, and stores this data in a Log Analytics workspace. This workspace allows users to run Kusto Query Language (KQL) queries to deeply investigate events like Security, System, and Application log entries from Windows machines.

Since the virtual machine already has Azure Diagnostics enabled, it is capable of forwarding Windows Event Logs (including Security logs) to the Log Analytics workspace. You can then go to the “Logs” section in Azure Monitor, select the right workspace, and use queries like:

kusto

Event
| where EventLog == "Security"

This lets you search for and filter specific security events.

Let’s briefly review the other options:

A. Application Log: This refers to application-level events, not security-focused.

B. Metrics: These are numeric performance values (CPU, memory, etc.), not logs.

C. Activity Log: This only shows control-plane operations on Azure resources, like VM creation, not inside-VM security events.

Therefore, to perform in-depth security analysis of a VM, the correct and most powerful tool is D. Logs (Log Analytics).

Question No 7 :

You are working as a cloud administrator for an organization that heavily relies on Microsoft Azure for its infrastructure. Part of your responsibility is to ensure that all virtual machines (VMs) and other compute resources are protected using proper security configurations. Your team decides to utilize Azure Security Center to improve threat protection and overall security posture.

One of your primary tasks is to modify the operating system security configurations of the resources through Azure Security Center. However, you soon realize that not all features are available under the default setup, and you must select the correct pricing tier to gain access to advanced security management capabilities.

To be able to modify operating system-level security configurations via Azure Security Center, which pricing tier must be enabled?

A. Advanced
B. Premium
C. Standard
D. Free

Correct Answer:

C. Standard

Explanation :

Azure Security Center offers two primary pricing tiers: Free and Standard (previously referred to as the "paid tier"). The Free tier provides basic security capabilities such as security policy management and continuous assessment, but it does not include advanced threat protection or the ability to modify OS-level security configurations directly.

To access advanced capabilities like Just-In-Time VM access, adaptive application controls, network hardening, regulatory compliance dashboard, and especially the ability to modify OS security configurations, you need to subscribe to the Standard tier.

The Standard tier enhances visibility and control over your environment, offering advanced threat detection using Microsoft Defender for Cloud (formerly part of Azure Security Center). It provides deeper security insights, proactive recommendations, and integration with other Microsoft security services.

With the Standard tier, Azure Security Center can automatically apply security recommendations and enforce configuration changes across supported resources. This includes applying system security settings that align with best practices and compliance standards (e.g., CIS benchmarks or Microsoft’s secure baseline configurations).

Therefore, if your goal is to modify the operating system’s security configurations directly from within the Azure Security Center interface, you must enable the Standard pricing tier. Neither the Free tier nor non-existent options like "Advanced" or "Premium" offer this capability.

Always ensure your subscription includes the correct tier to fully leverage Azure’s built-in security management features.

Question No 8 :

Your organization has an Azure subscription connected to its Azure Active Directory (Azure AD) tenant. An internally developed application has been registered within Azure AD. You are responsible for ensuring that this application can access secrets stored in Azure Key Vault on behalf of the users who use the application.

A proposed solution is to configure a delegated permission for the application and then grant admin consent for those permissions.

Question:

Does this solution ensure that the application can access Azure Key Vault secrets on behalf of the users?

A. Yes
B. No

Correct Answer:

A. Yes

Explanation :

In Azure Active Directory (Azure AD), permissions can be granted to applications in two primary forms: delegated permissions and application permissions.

  • Delegated permissions are used when the application is acting on behalf of a signed-in user. In this mode, the application uses the user’s identity and has the same permissions the user has. This is commonly used in scenarios where a user is actively interacting with the application (e.g., web apps or mobile apps).

  • Application permissions are used when the application is running as a background service or daemon without a signed-in user. In this case, the app is granted its own identity and permission to act directly against resources like Key Vault.

In the scenario described, the goal is to allow the application to access Azure Key Vault secrets on behalf of the users. Since the app is acting on behalf of users, delegated permissions are appropriate. Additionally, admin consent is necessary to grant these permissions, especially if they involve high privileges or tenant-wide impact.

By configuring delegated permissions and ensuring admin consent is provided, the application can receive the necessary OAuth 2.0 access tokens scoped with the correct user-based permissions to access Azure Key Vault via Azure AD.

However, the application must also have Key Vault access policies or role assignments configured appropriately to ensure it can interact with the Key Vault using the delegated token.

Conclusion: Yes, the solution meets the goal — delegated permissions with admin consent are valid for accessing resources on behalf of users.
