🔐 Azure Key Vault Security - AZ-500 Practice Questions

Manage cryptographic keys, secrets, and certificates with Key Vault access policies and RBAC.

29 Questions Available
1 Exam Domain

Practice Key Vault Questions Now

Start a timed practice session focusing on Azure Key Vault Security topics from the AZ-500 question bank.

Start AZ-500 Practice Quiz →

AZ-500 Key Vault Question Bank (29 Questions)

Browse all 29 practice questions covering Azure Key Vault Security for the AZ-500 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1 (Domain: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    Azure Key Vault is accidentally deleted. The vault and all its secrets, keys, and certificates are still recoverable. Which Key Vault feature makes this possible?

    A. Key Vault access policy
    B. Soft delete
    C. Purge protection
    D. RBAC authorization

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start AZ-500 Quiz
  2. Question 2 (Domain: Secure identity and access)

    A custom RBAC role must allow listing and reading secrets in Key Vault but not creating or deleting them. Which action set is correct for this role definition?

    A. Actions: Microsoft.KeyVault/vaults/secrets/*
    B. DataActions: Microsoft.KeyVault/vaults/secrets/getSecret/action, Microsoft.KeyVault/vaults/secrets/list/action
    C. Actions: Microsoft.KeyVault/vaults/read; NotActions: Microsoft.KeyVault/vaults/secrets/write
    D. DataActions: Microsoft.KeyVault/vaults/secrets/backup/action

  3. Question 3 (Domain: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    A developer with the Key Vault Contributor role is unable to read secrets from the Key Vault configured with RBAC authorization. Why?

    A. Key Vault Contributor is not an Azure AD role
    B. Key Vault Contributor grants management plane access but not data plane (secrets/keys/certificates) access
    C. The developer needs Owner role at resource group level
    D. RBAC authorization requires MFA to read secrets

  4. Question 4 (Domain: Secure compute, storage, and databases)

    An App Service must connect to Azure Key Vault to retrieve secrets. The App Service uses a system-assigned managed identity. Which Key Vault RBAC role grants read access to secrets only?

    A. Key Vault Contributor
    B. Key Vault Secrets Officer
    C. Key Vault Secrets User
    D. Key Vault Reader

  5. Question 5 (Domain: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    Which Azure feature provides immutable audit logging of all key operations (create, read, delete) on secrets in Azure Key Vault?

    A. Key Vault Access Policies
    B. Azure Key Vault diagnostic logs sent to Log Analytics
    C. Azure Policy for Key Vault
    D. Microsoft Defender for Key Vault

  6. Question 6 (Domain: Secure compute, storage, and databases)

    An AKS workload needs to read secrets from Azure Key Vault. The recommended approach avoids storing credentials in pod specifications. Which mechanism should be used?

    A. Store secrets in Kubernetes Secrets with base64 encoding
    B. Use Azure Key Vault Provider for Secrets Store CSI Driver with managed identity
    C. Mount Key Vault secrets using an Azure File Share
    D. Pass Key Vault credentials as environment variables in the Deployment manifest

  7. Question 7 (Domain: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    Key Vault automatic key rotation is configured for an RSA key. What happens to data that was encrypted with the previous key version after rotation?

    A. Data encrypted with the old key becomes undecryptable
    B. All data is automatically re-encrypted with the new key
    C. Key Vault retains old key versions; data can still be decrypted using the previous version
    D. Automatic rotation immediately purges the old key version

  8. Question 8 (Domain: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    A Key Vault secret has multiple versions. Which version is returned when an application requests the secret without specifying a version?

    A. The oldest version created
    B. The version with the longest expiry
    C. The current (latest enabled) version
    D. All versions are returned in an array

  9. Question 9 (Domain: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    An organization's Key Vault stores certificates used by Azure App Service. The certificates expire in 30 days. Which Azure service can auto-renew certificates issued by public CAs (like DigiCert) in Key Vault?

    A. Azure Automation runbook
    B. Key Vault certificate auto-renewal with integrated CA
    C. Azure Policy certificate expiry check
    D. Azure API Management certificate rotation

  10. Question 10 (Domain: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    A company backs up Azure Key Vault secrets to another Azure region as part of a disaster recovery plan. Which Key Vault feature provides this capability?

    A. Key Vault geo-replication
    B. Key Vault backup and restore (per-object backup to Azure storage)
    C. Key Vault private endpoint in secondary region
    D. Key Vault managed HSM backup

  11. Question 11 (Domain: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    An organization's IT policy requires that all Azure Key Vaults must have soft delete enabled. Which Azure mechanism can enforce this retroactively and for new vaults?

    A. Azure Policy with Audit effect — existing vaults that don't have soft delete are flagged
    B. Azure Policy with Modify effect to enable soft delete on non-compliant vaults
    C. Azure Blueprints with Key Vault artifact
    D. Azure Defender for Key Vault policy

  12. Question 12 (Domain: Secure compute, storage, and databases)

    An organization uses Transparent Data Encryption with customer-managed keys on Azure SQL. The CMK is accidentally deleted from Key Vault without purge protection. What happens to the database?

    A. The database automatically switches to service-managed keys
    B. The database becomes inaccessible — SQL cannot decrypt the DEK without the CMK
    C. Key Vault automatically regenerates the deleted key
    D. The database is automatically backed up before the key deletion

  13. Question 13 (Domain: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    An Azure DevOps pipeline must access Azure Key Vault secrets without storing any credentials in the pipeline. Which approach should be used?

    A. Use a variable group linked to Azure Key Vault with a service connection (service principal)
    B. Store the Key Vault URI in a pipeline variable and access it with admin credentials
    C. Use a self-hosted agent with access policies
    D. Export Key Vault secrets to Azure Pipelines secret variables manually

  14. Question 14 (Domain: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    A company needs to back up Azure Key Vault secrets to a different Azure region for disaster recovery. What is a limitation of Key Vault backup-restore?

    A. Backups can only be restored to the same Key Vault
    B. Backups are not encrypted
    C. A secret backup can only be restored to a vault in the same geography (same country/region pair)
    D. Only 10 secrets can be backed up per vault

  15. Question 15 (Domain: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    Azure Key Vault Managed HSM provides what level of FIPS validation for cryptographic operations?

    A. FIPS 140-2 Level 1
    B. FIPS 140-2 Level 2
    C. FIPS 140-2 Level 3
    D. FIPS 140-3 Level 4

  16. Question 16 (Domain: Secure compute, storage, and databases)

    Which Azure feature protects VM disks by encrypting them using keys stored in Azure Key Vault?

    A. Azure Storage Service Encryption
    B. Azure Disk Encryption (ADE)
    C. Transparent Data Encryption (TDE)
    D. Customer-Managed Keys in Blob Storage

  17. Question 17 (Domain: Secure identity and access)

    An Azure VM must authenticate to Azure Key Vault without storing credentials in code. Which identity approach should be used?

    A. Service principal with client secret stored in environment variables
    B. System-assigned managed identity
    C. User-assigned managed identity shared across multiple VMs
    D. Azure AD application registration with certificate

  18. Question 18 (Domain: Secure compute, storage, and databases)

    A VM's OS disk must be encrypted using a customer-managed key stored in Azure Key Vault, with encryption happening in the Azure storage layer. Which option achieves this?

    A. Azure Disk Encryption (ADE) with BitLocker/dm-crypt
    B. Server-side encryption with customer-managed keys (SSE-CMK)
    C. Encryption at host with platform-managed key
    D. Confidential disk encryption

  19. Question 19 (Domain: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    An administrator must ensure that once a Key Vault is deleted, it cannot be permanently purged for 90 days even by administrators. Which Key Vault feature must be enabled?

    A. Soft delete only
    B. Purge protection
    C. Firewall and virtual networks
    D. Private endpoint

  20. Question 20 (Domain: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    A Key Vault must be accessible only from a specific VNet subnet and deny all other access, including from the Azure portal over the internet. Which configuration achieves this?

    A. Key Vault firewall with selected VNet and 'Allow trusted Microsoft services' disabled
    B. Key Vault RBAC with deny assignment
    C. Private Endpoint with public network access enabled
    D. Key Vault access policy restricted to the subnet

  21. Question 21 (Domain: Secure compute, storage, and databases)

    An AKS cluster uses Workload Identity. How does a pod obtain credentials to access Azure Key Vault?

    A. The pod uses a client secret stored in a Kubernetes secret
    B. The pod uses a federated token from the AKS OIDC issuer exchanged for an Azure AD access token
    C. The pod inherits the AKS node's managed identity
    D. The pod uses a system-assigned managed identity directly

  22. Question 22 (Domain: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    A Key Vault key is configured with expiration in 30 days. Which Key Vault feature sends a notification 15 days before expiry to alert the operations team?

    A. Key Vault diagnostic logs
    B. Azure Monitor metric alert on key expiry
    C. Key Vault near-expiry event via Azure Event Grid
    D. Azure Policy compliance check for key expiry

  23. Question 23 (Domain: Secure networking)

    A company has configured forced tunneling (all internet traffic routed to on-premises). Azure VMs cannot reach Azure platform services (Blob Storage, Key Vault). What should be added to allow this traffic to bypass the tunnel?

    A. Add VNet service endpoints for the required Azure services on the affected subnets
    B. Create a UDR with a specific route for Microsoft services to the internet
    C. Enable ExpressRoute Microsoft peering for Azure services
    D. Configure an NSG to allow outbound traffic to Azure service IP ranges

  24. Question 24 (Domain: Secure compute, storage, and databases)

    Azure Disk Encryption (ADE) is enabled on a Linux VM. Which key component stored in Azure Key Vault protects the volume encryption key (VEK)?

    A. Certificate used to sign the VEK
    B. Key Encryption Key (KEK) — an RSA key that wraps the VEK
    C. Storage account key that protects the encryption
    D. Client secret of the ADE service principal

  25. Question 25 (Domain: Secure compute, storage, and databases)

    An Azure SQL Managed Instance requires TDE with customer-managed keys. The key must be accessible at all times. What must be configured to prevent data loss if the primary Key Vault becomes unavailable?

    A. Enable geo-redundancy on the Key Vault
    B. Add the same CMK to a secondary Key Vault in another region and configure TDE to use both
    C. Set purge protection on the primary Key Vault
    D. Export the key from Key Vault to a certificate file

  26. Question 26 (Domain: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    Azure Key Vault access policies are being replaced by which newer authorization model that Microsoft recommends?

    A. Azure AD Conditional Access for Key Vault
    B. Azure RBAC for Key Vault data plane authorization
    C. Service endpoint firewall policies
    D. Managed identity with Key Vault Contributor role

  27. Question 27 (Domain: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    An organization uses Azure Defender for Key Vault. Which activity would trigger a Defender for Key Vault alert?

    A. A developer lists all secrets in Key Vault using the Azure portal
    B. An unusual application (not seen before) accesses Key Vault from an anonymizing proxy IP
    C. Rotating a key with auto-rotation enabled
    D. Creating a new secret via Azure CLI by an authorized user

  28. Question 28 (Domain: Secure compute, storage, and databases)

    An organization wants to use their own encryption keys stored in an Azure-dedicated HSM for encrypting Azure Blob Storage, ensuring Microsoft cannot access the keys. Which approach is required?

    A. Customer-managed keys in Azure Key Vault (software-protected)
    B. Customer-managed keys in Azure Key Vault with HSM-protected keys or Managed HSM
    C. Double encryption with infrastructure-level CMK
    D. Platform-managed keys with ADE

  29. Question 29 (Domain: Secure identity and access)

    A custom RBAC role is created with only `Microsoft.Storage/storageAccounts/listkeys/action` in the Actions section. What can a user with this role actually do?

    A. List and read all storage account data
    B. Retrieve the storage account keys only
    C. Create and delete storage accounts
    D. Read storage account metadata and access data


Key Key Vault Concepts for AZ-500

key vault, secret, key, certificate, hsm, access policy, rbac, rotation, soft delete, purge protection

AZ-500 Key Vault Exam Tips

Azure Key Vault Security questions in AZ-500 are typically scenario-based. Focus on identity protection, platform hardening, data security, and security operations. Priority concepts: key vault, secret, key, certificate, HSM, access policy.

What AZ-500 Expects

  • Anchor your answer in choosing controls that reduce exposure while preserving least-privilege access.
  • Key Vault scenarios for AZ-500 are frequently mapped to Domain 3 (20-25%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where Key Vault interacts with identity, networking, governance, or monitoring patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Associate) and vendor best practices.

High-Value Key Vault Concepts

  • Know the core Key Vault building blocks cold: key vault, secret, key, certificate.
  • Review the edge-case features and limits for HSM and access policy; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how Key Vault pairs with data security and identity security in real deployment patterns.
  • For AZ-500, explain why the chosen Key Vault design meets reliability, security, and cost expectations better than the alternatives.

Common AZ-500 Traps

  • Watch for identity controls that are too broad for the requested scope.
  • Questions in Secure Compute, Storage, and Databases often include distractors that look correct for Key Vault but violate least-privilege, compliance, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two Key Vault implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Secure Compute, Storage, and Databases (20-25%) outcomes for AZ-500?
  • Can you explain security and access boundaries for Key Vault without relying on default-open assumptions?
  • Can you describe how Key Vault integrates with data security and identity security during failure, scaling, and monitoring events?
