Azure Security Engineer (AZ-500) pattern recognition

Defense-in-depth layering and identity control selection are the main recurring question structures

Identity protection questions appear in multiple variants: the choice between Conditional Access, PIM, Entra ID Protection, and MFA enforcement maps to the described threat scenario and access lifecycle phase. Network security boundary questions recur with different traffic scenarios: NSG rules, Azure Firewall policies, Application Gateway WAF, and DDoS Protection each operate at a specific layer, and questions test whether you know which layer the described attack or access pattern targets. Data protection questions test Key Vault configuration, CMK versus platform-managed key selection, and Defender for Storage alerting scope. Monitoring and detection questions form the fourth cluster: Microsoft Sentinel versus Defender for Cloud versus Azure Monitor each serves a different detection and response scope, and the scenario specifies which scope applies.