SC-500 Cloud & AI Security Engineer Practice Questions: 20 Free Questions (2026)

By ReadRoost Team • May 16, 2026
SC-500 — Microsoft's new Cloud and AI Security Engineer Associate exam — opened in beta on May 15, 2026, and the first 300 candidates can sit it for 80% off using promo code VistaSC500 before June 8, 2026. SC-500 is the direct replacement for AZ-500 (which retires August 31, 2026): it keeps the full Azure security foundation — identity, networking, storage, compute, and security operations — and adds genuinely new AI-security territory: securing Microsoft Copilot and Copilot Studio agents, governing Entra Agent ID, deploying AI Gateway in Azure API Management, and monitoring AI workloads in Defender for Cloud. Below are 20 hand-authored practice questions weighted to match the official skills-measured outline (20-25% identity & governance, 25-30% storage/databases/networking, 20-25% compute including AI, 20-25% security posture). Try each one, then read the explanation. The full SC-500 question bank is at readroo.st/marketplace/sc-500-cloud-ai-security-engineer.

About the SC-500 Cloud & AI Security Engineer Beta Exam

SC-500 is officially titled 'Implementing End-to-End Security Controls for Cloud and AI Workloads' and earns the Microsoft Certified: Cloud and AI Security Engineer Associate credential. Microsoft published the study guide in April 2026 and opened beta seats on May 15, 2026. It is the replacement for AZ-500 (Azure Security Engineer Associate), which retires August 31, 2026. The passing score is 700, and most questions cover general-availability features — though commonly used Preview features can appear.

The exam targets security engineers who protect organizational systems and data across cloud and hybrid environments. Microsoft expects practical experience administering Azure and hybrid environments — compute, network, and storage — plus strong familiarity with Microsoft Entra ID and working knowledge of Microsoft 365 administration. The role spans identity, network, application, data, and compute security, and now explicitly includes making sure the platforms, data, identities, and infrastructure used by AI workloads are securely implemented and monitored.

The VistaSC500 promo code gives the first 300 beta candidates 80% off, and it is valid for sittings on or before June 8, 2026. After that, SC-500 stays in beta at full price until general availability, which Microsoft expects in July 2026. Sitting the beta is the fastest route to the credential and the cheapest — roughly $35 USD instead of the full price — and our SC-500 pack at readroo.st/marketplace/sc-500-cloud-ai-security-engineer covers every functional group on the published outline.

Quick Answer Key (for Scanning After You Try the Questions)

Try each question first. This key is here for post-test review. 1-B, 2-B, 3-C, 4-B, 5-C, 6-B, 7-B, 8-C, 9-B, 10-B, 11-B, 12-B, 13-B, 14-B, 15-B, 16-B, 17-B, 18-B, 19-B, 20-B. If you score 17 or more you are exam-ready. The most commonly missed questions on this set are Q5 (Defender CSPM secret scanning vs Key Vault firewall), Q12 (Entra Agent ID conditional access), Q14 (Purview DSPM vs Defender for Cloud Apps for Copilot data overexposure), and Q18 (Defender EASM vs Defender CSPM).

SC-500 Exam Domain Breakdown

Microsoft published four functional groups for SC-500, with these weightings:
1. Manage identity, access, and governance — 20-25% (Entra ID secure access, PIM, conditional access, MFA and passwordless, managed identities, Key Vault, Azure Policy, regulatory compliance in Defender for Cloud, RBAC and custom roles, infrastructure as code)
2. Secure storage, databases, and networking — 25-30% (storage account security and firewalls, Defender for Storage, Azure SQL platform security and auditing, Defender for Databases, NSGs and ASGs, Virtual Network Manager, Azure Firewall, private endpoints and Private Link, Entra Private Access)
3. Secure compute — 20-25% (AI security for Copilot, Copilot Studio, and Entra Agent ID; disk encryption, Bastion, JIT VM access, Defender for Servers, Azure Arc; container security with Defender for Containers, AKS, ACR; App Service, Functions, Logic Apps, and Web Application Firewall)
4. Manage and monitor security posture — 20-25% (Defender CSPM, Defender for Cloud workload protection, multicloud connectors for AWS and GCP, Defender EASM, Microsoft Sentinel workspaces and data connectors, automation rules and playbooks, Microsoft Security Copilot)

The 20 questions below distribute as 5 from Domain 1, 6 from Domain 2, 5 from Domain 3, and 4 from Domain 4 β€” roughly matching the official weights. If you miss two or more in any single domain, that's your study target. The full ReadRoost SC-500 pack is built off the same blueprint and contains hundreds of scenario-based questions with explanations plus review flashcards.

SC-500 Replaces AZ-500: What Changed

SC-500 replaces AZ-500 (Azure Security Engineer Associate), which retires on August 31, 2026. If you already hold AZ-500, your certification stays valid on your transcript until it expires — retirement only affects new exam attempts and renewals. If you are mid-study on AZ-500 and close to ready, finish it. If you are just starting, study for SC-500 instead: it is the exam that will exist going forward.

AZ-500 focused on Azure-specific security controls: network security groups, Azure Firewall, Key Vault, Defender for Cloud, identity and access management, and security operations with Microsoft Sentinel. SC-500 retains that entire foundation — the identity, networking, storage, compute, and posture-management content carries forward almost one-to-one — and then adds a new AI-security surface that AZ-500 never covered.

The new SC-500 AI content is concrete and tool-specific, not abstract. It covers identifying data overexposure to Microsoft Copilot using Microsoft Purview Data Security Posture Management (DSPM), enabling real-time protection for Copilot Studio agents, applying conditional access to Microsoft Entra Agent ID, analyzing the blast radius of an Agent ID with Defender XDR, deploying AI Gateway in Azure API Management for Microsoft Foundry, enabling Defender for AI Service in Defender for Cloud, and monitoring AI workloads through the Data and AI security dashboard. If you are coming from AZ-500, this is the section to spend your new study time on — everything else you already know.

For a full picture of the 2026 Microsoft certification retirements and replacements — including AI-102 to AI-103 and DP-100 to AI-300 — see our companion guide on Microsoft certification retirements. SC-500 also sits alongside the Microsoft Security, Compliance, and Identity family: SC-100 (Cybersecurity Architect) is the architect-level exam above it, and SC-200 (Security Operations Analyst) is the SOC-focused exam that goes deeper on Sentinel and Defender XDR threat hunting. SC-500 is the engineer-level exam — it is about implementing and operating the controls, not designing the enterprise strategy (SC-100) or running day-to-day detection and response (SC-200).

Questions 1-5: Manage Identity, Access, and Governance

Domain: Manage identity, access, and governance | Difficulty: Moderate
1. A privileged administrator only needs the User Access Administrator role for the four hours it takes to complete a quarterly access review. Security policy forbids standing privileged access. Which Microsoft Entra capability should you configure?
A) A conditional access policy that blocks the role outside business hours
B) Privileged Identity Management (PIM) with an eligible assignment and time-bound activation
C) An access review that removes the role after 30 days
D) A custom Entra role scoped to the access-review blade only

Correct Answer: B Privileged Identity Management with an eligible (not active) assignment is the supported pattern for just-in-time privileged access: the administrator activates the role for a bounded window, optionally with approval and MFA, and it expires automatically. Conditional access governs sign-in conditions, not role activation lifetime. A 30-day access review is far longer than the four-hour need. A custom role narrows scope but still leaves the access standing rather than time-bound.

Domain: Manage identity, access, and governance | Difficulty: Moderate
2. An enterprise application registered in Microsoft Entra ID requests delegated Microsoft Graph permissions that include Mail.ReadWrite. You want users to be unable to consent to this permission themselves, while still allowing low-risk permissions like User.Read. What should you configure?
A) Disable user consent entirely for all applications
B) Configure user consent settings to allow consent only for permissions classified as low impact, and review high-impact requests through the admin consent workflow
C) Delete the app registration and recreate it as a managed identity
D) Add the application to a conditional access policy that requires MFA

Correct Answer: B Entra consent settings let you permit user consent for permissions you classify as low impact while routing higher-impact permissions (like Mail.ReadWrite) to the admin consent workflow for review. Disabling user consent entirely is heavier-handed than required and creates admin toil for benign permissions. A managed identity is for Azure resource-to-resource auth, not a user-facing enterprise app. Conditional access governs sign-in, not OAuth permission grants.

Domain: Manage identity, access, and governance | Difficulty: Hard
3. An Azure Function needs to read secrets from Azure Key Vault without any credentials stored in code or app settings. The Function already runs in Azure. What is the correct configuration?
A) Store the Key Vault access key in an encrypted app setting
B) Use a Key Vault access policy with a service principal and a client secret rotated every 90 days
C) Enable a system-assigned managed identity on the Function and grant it Key Vault access via RBAC or an access policy
D) Embed an Entra ID app registration certificate in the deployment package

Correct Answer: C A system-assigned managed identity gives the Function an Entra identity with no credentials to store or rotate — Azure handles the lifecycle — and you grant that identity Get/List on secrets through RBAC or a Key Vault access policy. Encrypted app settings and rotated client secrets both still store a credential. A certificate embedded in the deployment package is a credential in code, which the requirement explicitly forbids.

Domain: Manage identity, access, and governance | Difficulty: Moderate
4. Your security team must continuously evaluate the Azure environment against the Microsoft cloud security benchmark and a PCI DSS regulatory standard, and see a compliance score per standard. Which tool provides this?
A) Azure Policy compliance state on a single custom initiative
B) The regulatory compliance dashboard in Microsoft Defender for Cloud, with the relevant security standards assigned
C) Microsoft Sentinel workbooks built on the AzureActivity table
D) Azure Resource Graph queries scheduled through a Logic App

Correct Answer: B Defender for Cloud’s regulatory compliance dashboard maps your environment against assigned security standards — the Microsoft cloud security benchmark, PCI DSS, ISO 27001, and others — and reports a per-standard compliance score with drill-down to failing controls. A single Azure Policy initiative does not give per-regulatory-standard scoring. Sentinel workbooks and Resource Graph queries can report on activity and configuration but do not provide the built-in regulatory mapping.

Domain: Manage identity, access, and governance | Difficulty: Hard
5. During a security review you must find any plaintext secrets — connection strings, keys, tokens — that developers have left inside Azure resource configurations and IaC artifacts. Which capability surfaces these?
A) Azure Key Vault firewall logs
B) Microsoft Sentinel scheduled analytics rules on the SigninLogs table
C) Secret scanning in Defender Cloud Security Posture Management (Defender CSPM)
D) Azure Policy audit effect on the Key Vault resource type

Correct Answer: C Secret scanning is a Defender CSPM capability: it inspects resource configurations, VM disks, and infrastructure-as-code for exposed secrets such as connection strings, keys, and tokens, and raises recommendations to remediate them. Key Vault firewall logs only show network access to the vault. Sentinel sign-in analytics detect identity anomalies, not embedded secrets. An Azure Policy audit effect can flag configuration drift but does not scan content for plaintext secrets.
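To make concrete what this class of scan looks for, here is an added Python example (not Microsoft's scanner, and not code from the original page). It runs the same kind of check over a constructed settings file that a developer committed next to IaC templates: it flags an embedded storage account key, a SAS signature, a connection-string password and an Entra client secret, and it leaves Key Vault references and pipeline placeholders alone. The regexes, the placeholder conventions and the sample file are assumptions made for the demo.

```python
"""Scan IaC and application-settings text for embedded secrets.

Added example for this page, not Microsoft's code: a minimal model of the
check that Defender CSPM secret scanning performs over resource
configurations and IaC artifacts. The regexes, the placeholder rules and the
sample settings file are constructed here for illustration.
"""
import base64
import binascii
import re
from dataclasses import dataclass

# Each pattern names the sensitive value in its "secret" group.
PATTERNS = {
    # a storage account key is 64 random bytes, base64 encoded: 88 chars ending "=="
    "azure_storage_account_key": re.compile(
        r"AccountKey=(?P<secret>[A-Za-z0-9+/]{86}==)", re.IGNORECASE),
    # a signed SAS URL carries the HMAC in the sig= query parameter
    "sas_token_signature": re.compile(
        r"[?&]sig=(?P<secret>[A-Za-z0-9%+/=]{20,})"),
    # a password inside an ADO.NET/ODBC connection string or a *_PASSWORD setting
    "connection_string_password": re.compile(
        r"(?:Password|Pwd)=(?P<secret>[^;\"'\s]{8,})", re.IGNORECASE),
    # an Entra app registration client secret kept in settings
    "entra_client_secret": re.compile(
        r"client[_-]?secret\"?\s*[:=]\s*\"?(?P<secret>[A-Za-z0-9~._-]{30,})",
        re.IGNORECASE),
}

# The remediated form: the setting holds a reference and the value stays in Key Vault.
KEY_VAULT_REFERENCE = re.compile(r"@Microsoft\.KeyVault\(", re.IGNORECASE)
# Values that mean "supplied later", not a live secret (assumed set of conventions).
PLACEHOLDER = re.compile(
    r"^(\$\{[^}]*\}|<[^>]*>|\[parameters\([^)]*\)\]|\*{4,}|x{6,})$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    redacted: str


def redact(value: str) -> str:
    """Keep enough to locate the value in the file without re-leaking it in a report."""
    if len(value) <= 8:
        return "*" * len(value)
    return f"{value[:4]}...{value[-2:]} ({len(value)} chars)"


def is_real_storage_key(value: str) -> bool:
    """A genuine storage account key decodes to exactly 64 bytes."""
    try:
        return len(base64.b64decode(value, validate=True)) == 64
    except (binascii.Error, ValueError):
        return False


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per secret-looking value, by line, skipping remediated lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if KEY_VAULT_REFERENCE.search(line):
            continue  # a Key Vault reference is the fix, not a leak
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group("secret")
                if PLACEHOLDER.match(secret):
                    continue
                if kind == "azure_storage_account_key" and not is_real_storage_key(secret):
                    continue
                findings.append(Finding(lineno, kind, redact(secret)))
    return findings


# Constructed sample: 64 known bytes encoded the way a real account key is.
FAKE_ACCOUNT_KEY = base64.b64encode(bytes(range(64))).decode()

# Constructed sample settings file: lines 2-5 leak secrets, lines 6-8 are clean.
SAMPLE_APP_SETTINGS = "\n".join([
    "# app settings a developer committed next to the Bicep templates (constructed sample)",
    "STORAGE_CONNECTION=DefaultEndpointsProtocol=https;AccountName=contosologs;"
    f"AccountKey={FAKE_ACCOUNT_KEY};EndpointSuffix=core.windows.net",
    "SQL_CONNECTION=Server=tcp:sql-contoso.database.windows.net,1433;User ID=app;Password=Hunter2-Winter-2026!;",
    "EXPORT_SAS_URL=https://contosologs.blob.core.windows.net/exports?sv=2024-08-04&ss=b&sig=abcd1234EFGH5678ijkl%2F90mnopQRSTuvwx%3D",
    "GRAPH_CLIENT_SECRET=Q7x~m2Pq9Lz.4Rt8Vb1Nw6Ks3Jh5Gf0Dd2Aa",
    "SQL_PASSWORD=@Microsoft.KeyVault(SecretUri=https://kv-contoso.vault.azure.net/secrets/sql-password/)",
    "BACKUP_PASSWORD=<set-by-pipeline>",
    "TENANT_ID=${TENANT_ID}",
])

if __name__ == "__main__":
    for f in scan_text(SAMPLE_APP_SETTINGS):
        print(f"line {f.line}: {f.kind} -> {f.redacted}")
```

Run it directly to list the four leaks by line. The report redacts values so the scanner's own output does not become a second copy of the secret, and the one pattern it deliberately ignores, a `@Microsoft.KeyVault(SecretUri=...)` reference, is the remediation that the managed identity answer in Question 3 makes possible.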

Questions 6-11: Secure Storage, Databases, and Networking

Domain: Secure storage, databases, and networking | Difficulty: Moderate
6. An Azure Storage account must be reachable only from a specific virtual network subnet and from one on-premises public IP range, and blocked from all other networks. Which configuration achieves this?
A) Set the storage account to its default public access and rely on shared access signatures
B) Configure the storage account firewall to deny public access by default, then allow the specific VNet subnet (via a service endpoint or private endpoint) and add the on-premises IP range to the firewall allow list
C) Rotate the storage account keys daily
D) Move the storage account into a separate subscription

Correct Answer: B The storage account firewall lets you deny all networks by default and then explicitly allow a VNet subnet and specific public IP ranges. Default public access plus SAS tokens still leaves the account network-reachable by anyone with a token. Key rotation is good hygiene but does not restrict network reachability. A separate subscription is an administrative boundary, not a network control.
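An added Python example, not from the page or from Microsoft, that models the decision the storage firewall makes in this scenario. It evaluates the `publicNetworkAccess` and `networkAcls` properties in the shape `az storage account show` returns them (the three account definitions are constructed), answers whether a given source is admitted, and audits for the two mistakes that quietly defeat the design: leaving `defaultAction` at Allow so the allow rules restrict nothing, and writing an IP rule for a private range, which the storage firewall only ever matches against public source addresses. The `bypass` setting for trusted Azure services is deliberately left out of the model.

```python
"""Evaluate and audit an Azure Storage account's network ACLs.

Added example for this page, not Microsoft's code. It models the
publicNetworkAccess and networkAcls properties returned by
`az storage account show` and applies the firewall's evaluation order: private
endpoint traffic is not subject to networkAcls; otherwise an explicit VNet or
IP allow rule admits the request; otherwise defaultAction decides. The sample
accounts below are constructed. `bypass` (trusted services) is not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The storage firewall only evaluates public source IPs; RFC 1918 rules never match.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Source:
    """Where a request originates: a public IP, a subnet (service endpoint), or a private endpoint."""
    public_ip: Optional[str] = None
    subnet_id: Optional[str] = None
    via_private_endpoint: bool = False


def _allows(rule: dict) -> bool:
    return rule.get("action", "Allow").lower() == "allow"


def is_allowed(props: dict, source: Source) -> bool:
    """Decide whether the data plane accepts a request from `source`."""
    if source.via_private_endpoint:
        return True  # private endpoints bypass the storage firewall entirely
    if props.get("publicNetworkAccess", "Enabled").lower() == "disabled":
        return False  # nothing but private endpoints is reachable
    acls = props.get("networkAcls", {})
    if source.subnet_id:
        for rule in acls.get("virtualNetworkRules", []):
            if rule["id"].lower() == source.subnet_id.lower() and _allows(rule):
                return True
    if source.public_ip:
        ip = ipaddress.ip_address(source.public_ip)
        for rule in acls.get("ipRules", []):
            if _allows(rule) and ip in ipaddress.ip_network(rule["value"], strict=False):
                return True
    return acls.get("defaultAction", "Allow").lower() == "allow"


def audit(name: str, props: dict) -> list[str]:
    """Posture check: reasons this account is wider open than its rules suggest."""
    issues = []
    if props.get("publicNetworkAccess", "Enabled").lower() == "disabled":
        return issues  # private endpoints only; the rules below are moot
    acls = props.get("networkAcls", {})
    if acls.get("defaultAction", "Allow").lower() != "deny":
        issues.append(f"{name}: defaultAction is Allow, so the allow rules restrict nothing")
    for rule in acls.get("ipRules", []):
        net = ipaddress.ip_network(rule["value"], strict=False)
        if any(net.overlaps(private) for private in RFC1918):
            issues.append(f"{name}: IP rule {rule['value']} is an RFC 1918 range; "
                          "the firewall only matches public source IPs, so it never applies")
    return issues


# Constructed identifiers and account definitions for the demo.
SUBNET_APP = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
              "/providers/Microsoft.Network/virtualNetworks/vnet-prod/subnets/snet-app")
SUBNET_OTHER = SUBNET_APP.replace("snet-app", "snet-dev")
ONPREM_RANGE = "203.0.113.0/24"  # documentation range standing in for the office egress IPs

# Weak: default public access; the allow rule is decorative because nothing is denied.
WEAK_ACCOUNT = {
    "publicNetworkAccess": "Enabled",
    "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices",
                    "ipRules": [{"value": ONPREM_RANGE, "action": "Allow"}],
                    "virtualNetworkRules": []},
}
# Hardened (the Question 6 answer): deny by default, allow one subnet and one public range.
HARDENED_ACCOUNT = {
    "publicNetworkAccess": "Enabled",
    "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices",
                    "ipRules": [{"value": ONPREM_RANGE, "action": "Allow"}],
                    "virtualNetworkRules": [{"id": SUBNET_APP, "action": "Allow"}]},
}
# A common mistake: allowing the on-prem LAN by its private address range.
MISTAKEN_ACCOUNT = {
    "publicNetworkAccess": "Enabled",
    "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices",
                    "ipRules": [{"value": "10.20.0.0/16", "action": "Allow"}],
                    "virtualNetworkRules": []},
}

if __name__ == "__main__":
    for label, props in [("weak", WEAK_ACCOUNT), ("hardened", HARDENED_ACCOUNT), ("mistaken", MISTAKEN_ACCOUNT)]:
        print(label, "internet:", is_allowed(props, Source(public_ip="198.51.100.7")),
              "office:", is_allowed(props, Source(public_ip="203.0.113.45")),
              "app subnet:", is_allowed(props, Source(subnet_id=SUBNET_APP)))
        for issue in audit(label, props):
            print("  ", issue)
```

The evaluator is also a cheap regression test for storage posture: feed it the `networkAcls` of every account in a subscription and assert that an arbitrary internet address is denied and only the intended subnet and office range are admitted.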

Domain: Secure storage, databases, and networking | Difficulty: Moderate
7. You need threat detection for an Azure Storage account that alerts on anomalous access patterns — unusual data extraction, access from a Tor exit node, or a suspicious application. Which should you enable?
A) Storage analytics logging to a Log Analytics workspace
B) Microsoft Defender for Storage on the storage account
C) A read-only lock on the storage account
D) Customer-managed keys for encryption at rest

Correct Answer: B Microsoft Defender for Storage provides the threat-protection layer: it raises alerts on anomalous access, malicious uploads, data exfiltration patterns, and access from suspicious networks. Storage analytics logging records requests but performs no detection on its own. A read-only lock prevents resource deletion, not data-plane attacks. Customer-managed keys control encryption key ownership but provide no threat detection.

Domain: Secure storage, databases, and networking | Difficulty: Hard
8. An Azure SQL Database holds regulated data. Auditors require a permanent, queryable record of every successful and failed access to the database. What should you configure?
A) Transparent Data Encryption with a customer-managed key
B) A database-scoped firewall rule restricting access to known IPs
C) Azure SQL Database auditing, writing audit logs to a Log Analytics workspace or storage account for long-term retention
D) Always Encrypted on the columns that contain regulated data

Correct Answer: C Azure SQL Database auditing captures database events — including successful and failed access — and writes them to a Log Analytics workspace, storage account, or Event Hubs for retention and querying, which is exactly what an audit trail requires. Transparent Data Encryption and Always Encrypted protect data confidentiality but produce no access record. A firewall rule restricts connectivity but does not log access.

Domain: Secure storage, databases, and networking | Difficulty: Moderate
9. You want an Azure web app to reach an Azure SQL Database over the Microsoft backbone with no exposure to the public internet, and you want DNS to resolve the database name to a private IP inside your virtual network. Which feature provides this?
A) A service endpoint on the SQL subnet
B) A private endpoint for the Azure SQL logical server, integrated with a private DNS zone
C) An NSG rule allowing only the web app subnet
D) Azure Firewall with a network rule to the SQL service tag

Correct Answer: B A private endpoint assigns the Azure SQL logical server a private IP inside your VNet and, when integrated with a private DNS zone, makes the server FQDN resolve to that private IP — traffic never traverses the public internet. A service endpoint keeps traffic on the backbone but the resource still has a public endpoint and a public IP in DNS. NSG rules and Azure Firewall control traffic flow but do not give the PaaS resource a private IP.
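The check a practitioner runs after wiring up the private endpoint and the zone, as an added Python example that is not from the page or from Microsoft. It resolves both the server FQDN and its privatelink name and confirms every answer lies inside the VNet address space, which is the only evidence that clients in that VNet have actually stopped using the public endpoint. The resolver is injectable so the constructed answers run offline (the real check uses `socket.getaddrinfo`), and the zone table is an assumed subset of Microsoft's documented private link zones.

```python
"""Confirm that a PaaS FQDN resolves through its privatelink zone to a VNet address.

Added example for this page, not Microsoft's code: the post-deployment check
for the private endpoint plus private DNS zone setup in Question 9. The
resolver is injectable so the constructed answers below run offline; the real
check uses socket.getaddrinfo. The zone table is an assumed subset.
"""
import ipaddress
import socket
from typing import Callable

Resolver = Callable[[str], list[str]]

# Public DNS suffix -> the private DNS zone Microsoft documents for the service.
PRIVATE_LINK_ZONES = {
    "database.windows.net": "privatelink.database.windows.net",
    "blob.core.windows.net": "privatelink.blob.core.windows.net",
    "vault.azure.net": "privatelink.vaultcore.azure.net",
}


def privatelink_name(fqdn: str) -> str:
    """sql-contoso.database.windows.net -> sql-contoso.privatelink.database.windows.net"""
    for suffix, zone in PRIVATE_LINK_ZONES.items():
        if fqdn.endswith("." + suffix):
            return f"{fqdn[: -len(suffix) - 1]}.{zone}"
    raise ValueError(f"no private link zone known for {fqdn}")


def system_resolve(name: str) -> list[str]:
    """Real resolver: IPv4 answers from the host's configured DNS."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def dict_resolver(answers: dict) -> Resolver:
    """Offline resolver over constructed answers (used by the demo and tests)."""
    return lambda name: answers.get(name, [])


def check_private_resolution(fqdn: str, vnet_cidrs: list[str],
                             resolve: Resolver = system_resolve) -> tuple[bool, list[str]]:
    """Return (ok, problems): ok when every answer is in the VNet and follows the privatelink record."""
    nets = [ipaddress.ip_network(c) for c in vnet_cidrs]
    problems = []
    addrs = resolve(fqdn)
    if not addrs:
        return False, [f"{fqdn} did not resolve"]
    for addr in addrs:
        if not any(ipaddress.ip_address(addr) in net for net in nets):
            problems.append(f"{fqdn} -> {addr} is outside the VNet; clients are still using the public endpoint")
    pl_name = privatelink_name(fqdn)
    pl_addrs = resolve(pl_name)
    if not pl_addrs:
        problems.append(f"{pl_name} did not resolve; check the A record in the private DNS zone")
    elif set(pl_addrs) != set(addrs):
        problems.append(f"{fqdn} -> {addrs} but {pl_name} -> {pl_addrs}; the FQDN is not following the privatelink zone")
    return not problems, problems


# Constructed answers for a VNet with address space 10.1.0.0/16.
SERVER = "sql-contoso.database.windows.net"
GOOD_ANSWERS = {                      # zone linked, record present
    SERVER: ["10.1.2.5"],
    privatelink_name(SERVER): ["10.1.2.5"],
}
UNLINKED_ZONE_ANSWERS = {             # zone not linked to this VNet: the public chain is followed
    SERVER: ["203.0.113.10"],
    privatelink_name(SERVER): ["203.0.113.10"],
}
HOSTS_OVERRIDE_ANSWERS = {            # a hosts-file or custom-DNS override pins only the FQDN
    SERVER: ["10.1.2.5"],
    privatelink_name(SERVER): ["203.0.113.10"],
}

if __name__ == "__main__":
    for label, answers in [("good", GOOD_ANSWERS), ("unlinked", UNLINKED_ZONE_ANSWERS),
                           ("override", HOSTS_OVERRIDE_ANSWERS)]:
        ok, problems = check_private_resolution(SERVER, ["10.1.0.0/16"], dict_resolver(answers))
        print(label, "OK" if ok else "FAIL", *problems, sep="\n  ")
```

Run from a VM inside the VNet with the default resolver to test the real deployment; run from outside it and the expected result is the "unlinked" failure, because the private zone only answers for networks it is linked to.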

Domain: Secure storage, databases, and networking | Difficulty: Moderate
10. A security team manages network access policies across 40 virtual networks in multiple regions and wants to define and enforce connectivity and security rules centrally rather than editing each VNet. Which service should they use?
A) A single large NSG applied to every subnet
B) Azure Virtual Network Manager, using network groups and security admin rules
C) Azure Front Door with custom routing rules
D) A hub-and-spoke topology with user-defined routes only

Correct Answer: B Azure Virtual Network Manager lets you group virtual networks into network groups and apply connectivity configurations and security admin rules centrally, enforced across every VNet in the group — which is exactly the 40-VNet, multi-region scenario described. Manually applying one NSG everywhere does not scale and lacks central enforcement. Azure Front Door is an application-delivery service. A hub-and-spoke topology with UDRs handles routing but not centralized security-rule management.

Domain: Secure storage, databases, and networking | Difficulty: Hard
11. Remote employees need access to specific internal web applications without a traditional VPN that exposes the whole network. Access must be identity-aware and policy-driven. Which Microsoft solution fits?
A) A point-to-site VPN gateway for every employee
B) Microsoft Entra Private Access, publishing the internal applications with conditional access applied
C) An Azure Firewall DNAT rule per application
D) A public Application Gateway with a Web Application Firewall

Correct Answer: B Microsoft Entra Private Access (part of Microsoft’s Security Service Edge) publishes specific internal applications and brokers access through Entra ID, so conditional access, MFA, and device policy apply per app — without granting full network access the way a VPN does. Point-to-site VPN gives broad network reach. An Azure Firewall DNAT rule or a public Application Gateway exposes the apps to the internet rather than keeping access private and identity-gated.

Questions 12-16: Secure Compute (Including AI Security)

Domain: Secure compute | Difficulty: Hard
12. Your organization has deployed Copilot Studio agents to employees. Security requires that access to a sensitive HR agent is allowed only from compliant, managed devices. The agent is identified in Microsoft Entra by an Agent ID. What should you configure?
A) A Microsoft Sentinel analytics rule that alerts when the agent is used
B) A conditional access policy targeting the Microsoft Entra Agent ID, requiring a compliant device
C) A Dataverse security role removing access for non-HR users
D) An Azure Policy definition denying agent creation outside HR

Correct Answer: B Microsoft Entra Agent ID gives agents a first-class identity, and conditional access policies can target that Agent ID — so you can require a compliant or hybrid-joined device for access to the sensitive HR agent, exactly like a conditional access policy on a user. A Sentinel rule only detects after the fact. A Dataverse security role governs data-table access, not device compliance for reaching the agent. Azure Policy governs Azure resource deployment, not agent access conditions.

Domain: Secure compute | Difficulty: Moderate
13. After an Agent ID is suspected of being over-permissioned, you must understand exactly what data and systems that agent could reach if compromised. Which tool gives you this blast-radius analysis?
A) Azure Network Watcher connection troubleshoot
B) Defender XDR blast-radius analysis for Entra Agent ID
C) Azure Cost Management resource graph
D) Key Vault access policy review

Correct Answer: B Defender XDR provides blast-radius analysis for Entra Agent ID — it maps the resources, data, and permissions an agent identity can reach, so you can scope the security risk of a potential compromise. Network Watcher diagnoses connectivity, not identity reach. Cost Management reports spend. A Key Vault access policy review covers only one resource type, not the agent’s full reachability.

Domain: Secure compute | Difficulty: Hard
14. A compliance officer is worried that Microsoft Copilot can summarize SharePoint sites containing data that is over-shared — accessible to far more users than intended. Which tool identifies this overexposure before Copilot surfaces it?
A) Microsoft Defender for Cloud Apps session policies
B) Microsoft Purview Data Security Posture Management (DSPM), which identifies data overexposure and risks related to Microsoft Copilot and AI apps
C) Microsoft Sentinel user and entity behavior analytics (UEBA)
D) Azure Information Protection scanner on file shares

Correct Answer: B Microsoft Purview DSPM is purpose-built to identify data overexposure in SharePoint and surface the risks that Microsoft Copilot and other AI apps introduce by being able to summarize that over-shared content. Defender for Cloud Apps session policies control in-session actions, not pre-emptive overexposure discovery. Sentinel UEBA detects anomalous behavior. The Azure Information Protection scanner classifies on-premises file shares, not SharePoint Copilot exposure.

Domain: Secure compute | Difficulty: Moderate
15. You expose a Microsoft Foundry model through Azure API Management and need centralized control over the AI traffic — token-based rate limiting, prompt logging, and a single governed entry point for multiple Foundry models. What should you deploy?
A) An Azure Front Door profile in front of each model endpoint
B) AI Gateway capabilities in Azure API Management for Microsoft Foundry
C) A separate Application Gateway per model
D) A Logic App that proxies each request to the model

Correct Answer: B Azure API Management’s AI Gateway capabilities are built for exactly this: token-based rate limiting, prompt and completion logging, semantic caching, and a single governed front door for Microsoft Foundry models. Azure Front Door is a general-purpose CDN and delivery service with no AI-specific token governance. An Application Gateway per model does not centralize control. A Logic App proxy adds latency and lacks the AI Gateway policy set.
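An added Python example, not API Management's code and not from the original page, that shows why the limit in this question is token-based rather than request-based: each caller gets a rolling tokens-per-minute budget, a request is charged from an estimate of its prompt before the backend call, and the backend's reported usage (prompt plus completion) corrects the charge afterwards. The 4-characters-per-token estimate, the manual clock and the sample prompts are assumptions made for the demo.

```python
"""A per-caller tokens-per-minute limit for LLM traffic.

Added example for this page, not API Management's implementation: it models
what an AI Gateway token limit does that a request-count limit cannot. Each
counter key has a budget of tokens per rolling minute; a request is admitted
only if its estimated prompt fits, and the real usage reported by the backend
is charged afterwards. The 4-chars-per-token estimate, the clock and the
sample prompts are assumed for the demo.
"""
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool
    estimated_tokens: int   # what the gateway charged up front
    remaining: int          # budget left after this decision
    retry_after: float      # seconds until enough budget expires (0.0 when allowed)


def estimate_prompt_tokens(prompt: str) -> int:
    """Rough pre-call estimate; a real gateway uses the model's tokenizer."""
    return max(1, (len(prompt) + 3) // 4)


class ManualClock:
    """Deterministic clock so the demo and tests do not depend on wall time."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class TokenRateLimiter:
    WINDOW = 60.0  # tokens are counted over a rolling minute

    def __init__(self, tokens_per_minute: int, clock=time.monotonic):
        self.limit = tokens_per_minute
        self.clock = clock
        self._charges = defaultdict(deque)  # counter key -> deque of (time, tokens)

    def used(self, key: str) -> int:
        """Tokens charged to `key` inside the current window (expired charges are dropped)."""
        now = self.clock()
        q = self._charges[key]
        while q and now - q[0][0] >= self.WINDOW:
            q.popleft()
        return sum(tokens for _, tokens in q)

    def reserve(self, key: str, prompt: str) -> Decision:
        """Pre-call check: admit only if the estimated prompt fits the remaining budget."""
        est = estimate_prompt_tokens(prompt)
        remaining = self.limit - self.used(key)
        if est > remaining:
            q = self._charges[key]
            # time until the oldest charge leaves the window; 0.0 if the prompt alone exceeds the budget
            retry_after = (q[0][0] + self.WINDOW - self.clock()) if q else 0.0
            return Decision(False, est, remaining, retry_after)
        self._charges[key].append((self.clock(), est))
        return Decision(True, est, remaining - est, 0.0)

    def settle(self, key: str, decision: Decision, prompt_tokens: int, completion_tokens: int) -> None:
        """Post-call correction: replace the estimate with the usage the backend reported."""
        correction = prompt_tokens - decision.estimated_tokens + completion_tokens
        self._charges[key].append((self.clock(), correction))


if __name__ == "__main__":
    clock = ManualClock(start=1000.0)
    gateway = TokenRateLimiter(tokens_per_minute=1000, clock=clock)
    first = gateway.reserve("team-hr", "a" * 2000)      # ~500 tokens, admitted
    gateway.settle("team-hr", first, prompt_tokens=520, completion_tokens=300)
    clock.advance(10)
    second = gateway.reserve("team-hr", "b" * 1000)     # ~250 tokens, only 180 left
    print(first, second, sep="\n")
```

With a 1,000-token budget, a 2,000-character prompt (about 500 tokens) whose reply costs 300 completion tokens leaves 180 tokens, so the next 1,000-character prompt is rejected with a retry-after covering the rest of the window, even though a limit of ten requests per minute would have waved both calls through. Each counter key keeps its own budget, which is how a per-consumer key gives every team its own share of the model's capacity behind one governed entry point.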

Domain: Secure compute | Difficulty: Moderate
16. A fleet of Azure virtual machines must allow inbound management (RDP/SSH) only during the short windows when an administrator actually needs it, with access requested and time-bound. Which Defender for Servers feature provides this?
A) Azure Bastion deployed in the hub virtual network
B) Just-in-time (JIT) VM access in Microsoft Defender for Cloud
C) An NSG rule allowing RDP and SSH from the corporate IP range
D) Disk encryption with platform-managed keys

Correct Answer: B Just-in-time VM access keeps management ports closed by default and opens them only when an administrator requests access, for a bounded time window and from a specified source — minimizing the attack surface. Azure Bastion provides secure browser-based connectivity but leaves access continuously available rather than time-bound. A standing NSG allow rule leaves the ports open. Disk encryption protects data at rest, not management-port exposure.

Questions 17-20: Manage and Monitor Security Posture

Domain: Manage and monitor security posture | Difficulty: Moderate
17. Your organization runs workloads in Azure, AWS, and Google Cloud and wants a single security posture view with recommendations across all three. What should you configure in Microsoft Defender for Cloud?
A) Deploy a separate Defender for Cloud instance per cloud
B) Connect the AWS and GCP environments to Defender for Cloud using its native multicloud connectors
C) Export AWS and GCP findings to a CSV and import them manually
D) Use Microsoft Sentinel as the only cross-cloud tool and skip Defender for Cloud

Correct Answer: B Defender for Cloud has native multicloud connectors for AWS and GCP — once connected, their resources appear in the same secure score, recommendations, and workload-protection views as Azure. Defender for Cloud is a single service, not one-instance-per-cloud. Manual CSV import is not a supported posture-management workflow. Sentinel is a SIEM for detection and response; it complements Defender for Cloud rather than replacing its posture management.

Domain: Manage and monitor security posture | Difficulty: Hard
18. Security leadership wants to discover internet-facing assets the organization may not even know it owns — shadow IT, forgotten subdomains, exposed services — and see their vulnerabilities. Which capability is designed for this?
A) Microsoft Defender Vulnerability Management on enrolled Azure VMs
B) Microsoft Defender External Attack Surface Management (Defender EASM)
C) Defender CSPM secure score for the Azure subscription
D) Azure Network Watcher topology view

Correct Answer: B Defender EASM continuously discovers internet-facing assets associated with the organization — including unknown subdomains, shadow IT, and exposed services — and reports their vulnerabilities, giving an attacker’s-eye view of the external attack surface. Defender Vulnerability Management scans assets you have already enrolled. Defender CSPM secure score evaluates known Azure resources. Network Watcher topology shows known VNet resources, not unknown external assets.

Domain: Manage and monitor security posture | Difficulty: Moderate
19. You are onboarding Microsoft Sentinel and need to collect security events from on-premises Windows servers, including events forwarded from servers that cannot run an agent directly. Which approach should you use?
A) Manually export Windows Event Logs and upload them weekly
B) Use the Windows Security Events connector with data collection rules, and use Windows Event Forwarding (WEF) so agentless servers forward to a collector
C) Enable Defender for Storage on the Sentinel workspace
D) Configure a syslog connector for the Windows servers

Correct Answer: B Sentinel collects Windows Security events through the Windows Security Events connector governed by data collection rules; for servers that cannot run the agent, Windows Event Forwarding lets them forward events to a collector that the agent then reads. Manual weekly export defeats near-real-time detection. Defender for Storage is unrelated to Windows event collection. Syslog/CEF is the connector for Linux and network appliances, not native Windows Security events.

Domain: Manage and monitor security posture | Difficulty: Hard
20. Your SOC wants an AI assistant that can summarize incidents, run guided investigations, and reason over Microsoft Sentinel and Defender data using natural language. Which product should you enable and configure?
A) Azure OpenAI deployed as a standalone chatbot
B) Microsoft Security Copilot, with workspaces, role permissions, and plugins configured
C) A custom Logic App that calls a language model on each incident
D) Microsoft Copilot in Microsoft 365 (the productivity Copilot)

Correct Answer: B Microsoft Security Copilot is the security-specific generative-AI product: you configure its workspaces, assign roles and permissions, and enable plugins so it can reason over Sentinel, Defender, and other security data to summarize incidents and guide investigations. A standalone Azure OpenAI chatbot has no security-product integration. A custom Logic App lacks the investigation tooling. Microsoft 365 Copilot is the productivity assistant, not the SOC tool.

How Did You Score?

17-20 correct: You are exam-ready. Book your SC-500 beta seat using VistaSC500 before June 8, 2026 to lock in 80% off, then drill edge cases — especially the AI-security topics (Entra Agent ID conditional access, Purview DSPM, Defender for AI Service, AI Gateway) — in the full ReadRoost SC-500 pack at readroo.st/marketplace/sc-500-cloud-ai-security-engineer.

12-16 correct: Solid foundation, but you need a focused week. If you are coming from AZ-500, the gap is almost certainly the AI-security content in the Secure compute domain — that is the genuinely new material. Drill the differences between Purview DSPM (data overexposure to Copilot), Defender for AI Service (workload protection for AI), Entra Agent ID conditional access (device-gated agent access), and AI Gateway in API Management (governed Foundry traffic). Knowing which tool maps to which AI-security problem is the single highest-leverage thing you can study.

Under 12 correct: Start with the Microsoft Learn SC-500 study guide and the Azure security learning paths. SC-500 is an associate-level exam, but it is broad — identity, networking, storage, compute, AI, and security operations all appear. Work through the official training, then come back to these 20 questions and move on to the full pack. If you are weighing SC-500 against the rest of the Microsoft security family, SC-200 (Security Operations Analyst) goes deeper on Sentinel and threat hunting, and SC-100 (Cybersecurity Architect) is the architect-level exam above SC-500 — browse all three at readroo.st/marketplace.

Frequently Asked Questions

What is the VistaSC500 promo code and when does it expire?

VistaSC500 is a Microsoft beta promo code that gives the first 300 candidates 80% off Exam SC-500. It is valid for sittings on or before June 8, 2026, and brings the exam down to roughly $35 USD. SC-500 opened in beta on May 15, 2026, and stays in beta at full price after the promo window until general availability, which Microsoft expects in July 2026. You apply the code at the Pearson VUE checkout when you book the exam. Beta seats are limited, so booking early is the surest way to use the discount.

Does SC-500 replace AZ-500, and what should I do if I am studying AZ-500 now?

Yes. SC-500 (Cloud and AI Security Engineer Associate) replaces AZ-500 (Azure Security Engineer Associate), which retires on August 31, 2026. If you already hold AZ-500 it remains valid on your transcript until it expires — retirement only affects new attempts and renewals. If you are close to ready on AZ-500, finish it. If you are just starting, study for SC-500 instead: it carries the full AZ-500 security foundation forward and adds new AI-security content, so it is the exam that will exist going forward.

How is SC-500 different from SC-100 and SC-200?

SC-500 is the engineer-level exam: it tests implementing and operating security controls across identity, networking, storage, compute, AI workloads, and security posture. SC-200 (Security Operations Analyst) is the SOC-focused exam — it goes deeper on Microsoft Sentinel, Defender XDR, threat hunting, and incident response. SC-100 (Cybersecurity Architect) is the expert-level exam above both — it is about designing enterprise security strategy and Zero Trust architecture rather than implementing individual controls. SC-500 is the right exam if your job is building and running the controls themselves.
