Multi-Service Tradeoff — Azure Security Engineer (AZ-500)
Detection, Prevention, and Response Are Three Different Services
The candidate sees "secure the workload" and selects Microsoft Defender for Cloud. The scenario distinguishes between posture assessment (Secure Score), runtime threat detection (Defender plans), and incident response (Sentinel). Each operates at a different phase of the security lifecycle. When the scenario says "detect lateral movement," that is Defender for Servers or Sentinel analytics, not a Secure Score recommendation. The phase determines the service.
What This Pattern Tests
Azure offers three messaging services with distinct models. Service Bus handles enterprise messaging with sessions, dead-lettering, and exactly-once delivery at $0.05 per million operations. Event Grid handles reactive event routing with push delivery at $0.60 per million events. Queue Storage handles simple FIFO queueing at $0.004 per 10,000 transactions. The exam gives you a messaging requirement and tests whether you match it: "order processing with dead-letter handling" = Service Bus, "react to blob uploads" = Event Grid, "simple task queue for background workers" = Queue Storage. Cosmos DB vs. SQL Database vs. Table Storage follows the same principle: global multi-model vs. relational with joins vs. simple key-value.
Decision Axis
Message complexity and delivery model determine service. Over-specifying is as wrong as under-specifying.
Decision Rules
Select a system-assigned managed identity with a Key Vault Secrets User RBAC role assignment over a service principal with a Key Vault-stored certificate, because the managed identity delegates the full credential lifecycle to Azure and supports fine-grained, resource-scoped RBAC. It satisfies both the credential-elimination and the least-privilege requirements without introducing a bootstrap credential problem (the certificate that proves the service principal's identity still has to be issued, stored, and rotated somewhere).
When N workloads share a single resource access requirement, a user-assigned managed identity attached to all of them collapses N credential lifecycles to zero, while per-workload service principals multiply the rotation burden proportionally. The deciding axis is credential lifecycle scale, not permission granularity.
When an Azure-hosted application needs least-privilege access to Key Vault and the dominant constraint is eliminating credential lifecycle management, choose system-assigned managed identity over a service principal with a certificate, because managed identity delegates credential issuance and rotation entirely to the Azure control plane.
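The recommended pattern from the decision rules above, as an added Bicep example that is not part of the original page: a web app with a system-assigned managed identity, an RBAC-mode Key Vault, and a role assignment scoped to that single vault. The app and vault names are placeholder parameters; the role definition GUID is the built-in Key Vault Secrets User role.

```bicep
// Added example: system-assigned managed identity + Key Vault Secrets User RBAC.
// Names are assumed parameters, not values from the page.
param location string = resourceGroup().location
param appName string     // placeholder: name of the web app
param vaultName string   // placeholder: name of the Key Vault

// Built-in role "Key Vault Secrets User" (read secret contents only; no keys,
// certificates, or management-plane rights), referenced by its fixed id.
var keyVaultSecretsUserRoleId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  '4633458b-17de-408a-b874-0445c86b69e6')

resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: '${appName}-plan'
  location: location
  sku: { name: 'B1', tier: 'Basic' }
}

// The identity is created and rotated by Azure; no secret or certificate is
// ever stored in app settings or pipeline variables.
resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  identity: { type: 'SystemAssigned' }
  properties: { serverFarmId: plan.id }
}

// RBAC authorization replaces the legacy access-policy model so the vault
// honours the role assignment below.
resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true
  }
}

// Least privilege: the assignment is scoped to this vault only, not to the
// resource group or subscription, and grants secret read access only.
resource secretsUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(vault.id, app.id, keyVaultSecretsUserRoleId)
  scope: vault
  properties: {
    roleDefinitionId: keyVaultSecretsUserRoleId
    principalId: app.identity.principalId
    principalType: 'ServicePrincipal'
  }
}
```

For the shared-requirement case in the second rule, the same role assignment would target a `Microsoft.ManagedIdentity/userAssignedIdentities` resource's `principalId` instead of `app.identity.principalId`, with each workload referencing that one identity.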