Compliance Misconception — Azure Security Engineer (AZ-500)
You assumed a compliance or governance model that doesn't match the service's actual capabilities.
Encryption at Rest Does Not Mean Encryption Under Your Control
Azure encrypts storage at rest by default with Microsoft-managed keys. The scenario requires customer-managed keys with a 90-day rotation policy enforced by audit. The candidate selects the default encryption and adds an Azure Policy assignment. The exam expects a Key Vault with customer-managed keys, an automated rotation policy, and Defender for Cloud compliance monitoring. Default encryption satisfies the 'at rest' clause but not the 'customer-managed' or 'rotation' clauses. Read all the constraints before selecting.
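The following Python check is an added example, not code from this page or from Microsoft. It evaluates exported Azure configuration against the three clauses above (customer-managed key, rotation at most every 90 days, and an audit-friendly finding list), and adds one check the paragraph does not mention: a storage account pinned to a specific key version will not pick up rotated versions, so automatic rotation must be paired with an unpinned key reference. The input shapes are assumed to mirror the JSON returned by `az storage account show` and `az keyvault key rotation-policy show`; the sample objects are constructed here and trimmed to the fields the check reads. The same check answers the CMK decision rule further down the page.

```python
"""Evaluate a storage account and its Key Vault key against a CMK + 90-day rotation mandate.

Added example (not from the AZ-500 page). Input objects are ASSUMED to look like
`az storage account show` and `az keyvault key rotation-policy show` output.
"""
from __future__ import annotations

import re

# Upper-bound day counts so a policy cannot pass only because of a short month
# (assumption: conservative rounding is what an auditor would accept).
_UNIT_DAYS = {"y": 366, "m": 31, "w": 7, "d": 1}
_ISO_DURATION = re.compile(
    r"^P(?:(?P<y>\d+)Y)?(?:(?P<m>\d+)M)?(?:(?P<w>\d+)W)?(?:(?P<d>\d+)D)?$"
)


def iso_duration_to_days(value: str) -> int:
    """Convert a Key Vault date-only ISO 8601 duration ('P90D', 'P1Y6M') to days."""
    match = _ISO_DURATION.match(value)
    if not match or value == "P":
        raise ValueError(f"unsupported duration: {value!r}")
    return sum(int(n) * _UNIT_DAYS[unit] for unit, n in match.groupdict().items() if n)


def rotation_interval_days(policy: dict) -> int | None:
    """Effective interval between key versions, or None if nothing rotates.

    Key Vault rotates either a fixed time after creation (timeAfterCreate) or a
    fixed time before the version expires (timeBeforeExpiry + attributes.expiryTime).
    The CLI prints the action as a string and the REST API as {"type": ...};
    both forms are accepted.
    """
    expiry = (policy.get("attributes") or {}).get("expiryTime")
    for item in policy.get("lifetimeActions", []):
        action = item.get("action")
        kind = action.get("type") if isinstance(action, dict) else action
        if str(kind).lower() != "rotate":
            continue
        trigger = item.get("trigger") or {}
        if trigger.get("timeAfterCreate"):
            return iso_duration_to_days(trigger["timeAfterCreate"])
        if trigger.get("timeBeforeExpiry") and expiry:
            return iso_duration_to_days(expiry) - iso_duration_to_days(trigger["timeBeforeExpiry"])
    return None


def evaluate_cmk_mandate(storage: dict, rotation_policy: dict | None, max_days: int = 90) -> list[str]:
    """Return findings; an empty list means every clause of the mandate is met."""
    findings: list[str] = []
    enc = storage.get("encryption") or {}
    if enc.get("keySource") != "Microsoft.Keyvault":
        findings.append(f"platform-managed keys in use (keySource={enc.get('keySource')}); mandate needs CMK")
        return findings  # rotation and custody clauses are moot without CMK
    # REST uses 'keyvaultproperties', the CLI camel-cases it; accept both.
    kv = enc.get("keyVaultProperties") or enc.get("keyvaultproperties") or {}
    if kv.get("keyVersion"):
        findings.append("key version pinned; the account will not pick up rotated versions")
    if rotation_policy is None:
        findings.append("no rotation policy on the key: rotation is manual or absent")
        return findings
    interval = rotation_interval_days(rotation_policy)
    if interval is None:
        findings.append("rotation policy has no Rotate action (Notify only)")
    elif interval > max_days:
        findings.append(f"rotation every {interval} days exceeds the {max_days}-day limit")
    return findings


# Constructed samples shaped like CLI output, trimmed to the fields used above.
DEFAULT_ACCOUNT = {"name": "stdefault", "encryption": {"keySource": "Microsoft.Storage"}}
CMK_ACCOUNT = {
    "name": "stcmk",
    "encryption": {
        "keySource": "Microsoft.Keyvault",
        "keyVaultProperties": {
            "keyName": "storage-cmk",
            "keyVaultUri": "https://kv-example.vault.azure.net/",
            "keyVersion": None,  # unpinned: follows automatic rotation
        },
    },
}
POLICY_80D = {
    "attributes": {"expiryTime": "P2Y"},
    "lifetimeActions": [
        {"action": {"type": "Rotate"}, "trigger": {"timeAfterCreate": "P80D"}},
        {"action": {"type": "Notify"}, "trigger": {"timeBeforeExpiry": "P30D"}},
    ],
}
POLICY_YEARLY = {
    "attributes": {"expiryTime": "P1Y"},
    "lifetimeActions": [{"action": "Rotate", "trigger": {"timeBeforeExpiry": "P30D"}}],
}

if __name__ == "__main__":
    for label, acct, pol in [("default", DEFAULT_ACCOUNT, None),
                             ("cmk/80d", CMK_ACCOUNT, POLICY_80D),
                             ("cmk/yearly", CMK_ACCOUNT, POLICY_YEARLY)]:
        print(label, evaluate_cmk_mandate(acct, pol) or "compliant")
```

Run it against real output by piping `az storage account show` and `az keyvault key rotation-policy show` into the two dictionaries. The continuous-audit clause is what Azure Policy and the Defender for Cloud compliance dashboard add on top: built-in Key Vault policies can audit keys whose rotation is not scheduled within a given number of days, and the storage built-ins audit accounts still using platform-managed keys.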
The Scenario
A European company needs GDPR compliance for customer data stored in Azure. You recommend deploying in the West Europe region and enabling encryption at rest with platform-managed keys. Region placement and encryption are necessary but nowhere near sufficient. GDPR also requires data residency controls (a region is only a start), the right to erasure (you must implement data purge across every store that holds personal data), consent management (application-level, not infrastructure-level), records of processing activities (documentation that Azure Activity Log and custom audit trails support but do not replace), and, where Article 37 applies, a Data Protection Officer. The exam tests whether you know that GDPR is a legal and procedural framework, not just a technical checklist.
How to Spot It
- Compliance Manager (in the Microsoft Purview compliance portal) shows your compliance score and gives recommendations, but a high score does not equal compliance. Compliance is a shared responsibility: Microsoft certifies infrastructure controls; you implement data handling, consent, and access controls.
- The GDPR right to erasure means you must be able to find and delete all data for a specific individual across all storage systems: Cosmos DB, SQL Database, Blob Storage, Application Insights, Log Analytics. If your architecture spreads personal data across multiple stores, you need a data map and a deletion pipeline. The exam tests this.
- Azure Policy can enforce data residency (restrict resource deployment to specific regions) and Microsoft Purview can classify sensitive data. Neither implements consent management or data subject access requests; those are application-level responsibilities the exam expects you to identify.
Decision Rules
Prefer a PIM eligible role assignment with an activation policy that requires approval and caps the activation duration over a permanent built-in role at subscription scope. Azure Activity Log records what a standing assignment did after the fact; it does not limit standing privilege and does not satisfy a mandate for approved, time-bound (just-in-time) access.
Service-managed encryption does not satisfy a compliance mandate for organizational key custody and auditability. Customer-managed keys (CMK) in Azure Key Vault are required to transfer key lifecycle control (creation, rotation, revocation) to the organization and, through Key Vault diagnostic logging, to produce a verifiable key-access audit log.
Only a locked, time-based immutability policy enforces write-once-read-many (WORM) semantics. Soft delete makes deletions recoverable and versioning keeps history, but neither prevents modification of existing blob content, so both fail the non-rewritable prong of the named compliance mandate. An unlocked time-based policy also fails: it can still be shortened or deleted, whereas a locked policy can only be extended.
Microsoft Defender for Cloud's regulatory compliance dashboard, not Azure Policy, satisfies a requirement for continuous multi-cloud PCI-DSS posture visibility with named-framework mapping. Azure Policy enforces configuration rules on Azure resources only (including an Azure-scoped PCI-DSS initiative assignment) and does not aggregate cross-cloud posture or produce framework-mapped compliance scores; Defender for Cloud assesses connected AWS and GCP accounts against the same standards as Azure subscriptions.
When a data-governance constraint forbids ingesting alerts into a Log Analytics workspace, use Defender for Cloud workflow automation, which triggers a Logic App directly from a Defender plan alert or recommendation with no workspace ingestion, rather than a Microsoft Sentinel playbook, which requires the alert to be ingested into the Sentinel workspace before an automation rule can fire.
Select Defender for Servers Plan 2 when a mandate names continuous, agentless vulnerability assessment as a required control: only Plan 2 includes agentless scanning and the premium Microsoft Defender Vulnerability Management capabilities. Plan 1 provides Defender for Endpoint integration (EDR and antivirus) but not agentless vulnerability scanning, so it does not satisfy that clause.
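The WORM decision rule above is easy to get wrong when reading a storage account's settings, so here is an added example (not from this page or from Microsoft) that reports which prong of a WORM mandate a container's protection actually fails. It takes the object returned by `az storage container immutability-policy show`, the container's legal-hold tags (`az storage container legal-hold show`), and the account's blob-service properties (`az storage account blob-service-properties show`); the sample objects are constructed and the field names are assumed to match current CLI output.

```python
"""Report why a blob container's protection settings fall short of a WORM mandate.

Added example (not from the AZ-500 page). Inputs are ASSUMED to look like
`az storage container immutability-policy show`, the container's legal-hold
tag list, and `az storage account blob-service-properties show` output.
"""
from __future__ import annotations


def worm_findings(immutability_policy: dict | None, legal_hold_tags: list[str],
                  blob_service: dict, required_days: int) -> list[str]:
    """Return the reasons the configuration fails; an empty list means it satisfies
    a locked, time-based WORM retention of at least required_days."""
    findings: list[str] = []
    policy = immutability_policy or {}
    days = policy.get("immutabilityPeriodSinceCreationInDays") or 0

    if days == 0:
        # No time-based retention at all: explain what each other control does NOT do.
        findings.append("no time-based retention: existing blobs can be overwritten and deleted")
        if legal_hold_tags:
            findings.append("legal hold blocks writes only until the tags are cleared; it has no retention period")
        drp = blob_service.get("deleteRetentionPolicy") or {}
        if drp.get("enabled"):
            findings.append(f"soft delete ({drp.get('days')}d) recovers deleted blobs; it does not prevent modification")
        if blob_service.get("isVersioningEnabled"):
            findings.append("versioning keeps prior versions; overwrites still succeed and versions can be deleted")
        return findings

    # A time-based policy exists; it must be locked and long enough.
    state = policy.get("state")
    if state != "Locked":
        findings.append(f"policy state is {state}: an unlocked policy can be shortened or deleted")
    if days < required_days:
        findings.append(f"retention {days}d is shorter than the required {required_days}d")
    return findings


# Constructed samples (shapes trimmed to the fields read above).
RECOVERABLE_ONLY = {"deleteRetentionPolicy": {"enabled": True, "days": 30}, "isVersioningEnabled": True}
UNLOCKED_365 = {"immutabilityPeriodSinceCreationInDays": 365, "state": "Unlocked",
                "allowProtectedAppendWrites": False}
LOCKED_7Y = {"immutabilityPeriodSinceCreationInDays": 2555, "state": "Locked",
             "allowProtectedAppendWrites": False}

if __name__ == "__main__":
    cases = [
        ("soft delete + versioning", None, [], RECOVERABLE_ONLY),
        ("legal hold only", None, ["litigation-2024"], {}),
        ("unlocked 1y policy", UNLOCKED_365, [], {}),
        ("locked 7y policy", LOCKED_7Y, [], {}),
    ]
    for label, pol, hold, svc in cases:
        print(label, worm_findings(pol, hold, svc, required_days=2555) or "WORM-compliant")
```

The locked-policy branch is the only one that returns no findings: that is the configuration the exam expects when a mandate names non-rewritable, non-erasable retention for a fixed period.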