Azure Security Engineer (AZ-500) trap evaluation

6 trap types across 200 Security Engineer questions. Know which ones cost you points — and train until they don't.

Correct service, wrong scope or wrong control type

AZ-500 questions are calibrated to distinguish between controls that look similar from a feature standpoint. Conditional Access and Privileged Identity Management both manage identity-based access, but they operate at different points in the access lifecycle; selecting one where the scenario calls for the other reflects a feature-level mental model rather than a boundary-placement one. NSG versus Azure Firewall is a similar distinction: NSG operates at the subnet or NIC level, Azure Firewall at the VNet perimeter. A consistent third failure is Key Vault access model confusion: Key Vault access policies and Azure RBAC on Key Vault coexist, and the exam tests which model the described authorization requirement maps to. In each case, the wrong answer is a valid security control applied at the wrong boundary.

Azure · AZ-500 · 200 questions analyzed