Near-Right Architecture — Azure Security Engineer (AZ-500)
Two options were architecturally valid — you picked the one that violates a constraint buried in the scenario. Read constraints before evaluating answers.
The Security Feature Exists but Does Not Solve This Problem
Candidates see a network isolation requirement and reach for Network Security Groups because that is the most familiar network control. The scenario, however, specifies that the storage account must have no public endpoint at all. NSGs filter traffic on subnets and NICs; they do not disable a storage account's public endpoint. Private Endpoints with public access disabled is a different control at a different layer. The exam tests whether you can match the control to the actual threat surface, not just the general category.
The Scenario
The question asks you to design a globally distributed web application with real-time bidirectional communication via WebSockets. Two options: Azure Front Door with backend pools, or Traffic Manager with regional Application Gateways. Both achieve global distribution. But Front Door operates at Layer 7 with HTTP/HTTPS — it supports WebSocket connections. Traffic Manager is DNS-based and does not proxy traffic at all, so it cannot maintain WebSocket connections across failovers. The trap is that Traffic Manager sounds like the "global load balancer" answer, but it only does DNS resolution, not connection proxying.
How to Spot It
- Azure Front Door vs. Traffic Manager is a Layer 7 vs. DNS-level distinction. If the scenario needs connection proxying, SSL offloading, or WebSocket support, Traffic Manager is eliminated. If it only needs DNS-based routing with health probes, Front Door may be over-engineering.
- Pay attention to "real-time," "bidirectional," or "persistent connections." These require a proxy-based load balancer (Front Door, Application Gateway), not DNS-only routing (Traffic Manager).
- When both architectures distribute traffic globally, the tiebreaker is always in the connection semantics — HTTP request-response vs. persistent connections vs. raw TCP.
Decision Rules
Whether the selected architecture provides built-in transitive routing through a central inspection point for spoke-to-spoke flows, or merely establishes peering adjacency that a learner mistakenly assumes is transitive.
Whether Azure Virtual WAN with a secured virtual hub, which natively enforces transitive routing and sends every spoke-to-spoke flow through the hub inspection tier, or Azure Virtual Network Manager connected groups, which provide reachability at scale but leave inspection-path enforcement to operator-managed UDR overlays, satisfies the unconditional requirement that inter-spoke traffic cannot bypass the central inspection point.
Whether to grant a standing built-in Contributor role at subscription scope (near-right: functional but violates least privilege on both permission breadth and scope width) versus configuring a PIM eligible assignment of a narrowly scoped role at resource-group scope with approval-gated, time-limited activation (correct: satisfies least privilege on both dimensions and enforces just-in-time access).
Whether to apply a Conditional Access policy scoped to the PIM role activation action with a device-compliance condition and named-location filter (satisfying all three constraints: no standing access, compliant device, IP-range gate) versus applying a general-purpose MFA policy on All Cloud Apps that enforces at sign-in but does not enforce device compliance, does not gate by named location, and does not target the activation event as the control surface.
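The two privileged-access rules above can be checked against exported configuration rather than reasoned about from memory. The following is an added example, not code from the study notes or from Microsoft: one function flags standing assignments of broad built-in roles at subscription scope or wider (record fields mirror `az role assignment list` output), and another verifies that a Conditional Access policy (Microsoft Graph `conditionalAccessPolicy` field names) targets the PIM activation event via an authentication context, requires a compliant device, and is limited to a named location. All ids, principal names and the two sample policies are constructed placeholders.

```python
"""Posture checks for standing privileged access and for the Conditional
Access policy that gates PIM activation.  Added example; all records below
are constructed and use placeholder ids."""

from typing import Any

# Built-in roles whose breadth makes a standing, subscription-wide assignment a finding.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def scope_level(scope: str) -> str:
    """Map an ARM scope string to root / managementGroup / subscription / resourceGroup / resource."""
    s = scope.lower()
    if s == "/":
        return "root"
    if s.startswith("/providers/microsoft.management/managementgroups/"):
        return "managementGroup"
    if "/resourcegroups/" not in s:
        return "subscription"
    return "resource" if "/providers/" in s else "resourceGroup"


def standing_broad_access(active_assignments: list[dict[str, Any]]) -> list[str]:
    """Return one finding per active (non-eligible) assignment that is both too broad
    a role and too wide a scope: the 'near-right' pattern in the rule above."""
    findings = []
    for a in active_assignments:
        level = scope_level(a["scope"])
        if a["roleDefinitionName"] in BROAD_ROLES and level in {"root", "managementGroup", "subscription"}:
            findings.append(f"{a['principalName']}: standing {a['roleDefinitionName']} at {level} scope")
    return findings


def ca_policy_gates_activation(policy: dict[str, Any], auth_context_id: str, named_location_id: str) -> dict[str, bool]:
    """Evaluate the three constraints: the policy must be enabled, target the activation
    event (authentication context), require a compliant device, and include the named location."""
    conditions = policy.get("conditions", {})
    apps = conditions.get("applications", {})
    locations = conditions.get("locations") or {}
    grant = policy.get("grantControls") or {}
    return {
        "enabled": policy.get("state") == "enabled",
        "targets_activation": auth_context_id in apps.get("includeAuthenticationContextClassReferences", []),
        "compliant_device": "compliantDevice" in grant.get("builtInControls", []),
        "named_location": named_location_id in locations.get("includeLocations", []),
    }


def ca_policy_ok(policy: dict[str, Any], auth_context_id: str, named_location_id: str) -> bool:
    return all(ca_policy_gates_activation(policy, auth_context_id, named_location_id).values())


# Constructed sample data (placeholder subscription, ids and names).
ACTIVE_ASSIGNMENTS = [
    {"principalName": "ops-admin@example.test", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/<sub>"},
    {"principalName": "kv-rotator-sp", "roleDefinitionName": "Key Vault Secrets Officer",
     "scope": "/subscriptions/<sub>/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app"},
]
AUTH_CONTEXT_ID = "c1"                      # authentication context attached to the PIM role setting
NAMED_LOCATION_ID = "<named-location-id>"   # corporate egress IP range named location

NEAR_RIGHT_POLICY = {   # general MFA on all apps at sign-in
    "displayName": "Require MFA for all cloud apps", "state": "enabled",
    "conditions": {"applications": {"includeApplications": ["All"]}, "users": {"includeUsers": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
CORRECT_POLICY = {      # gates the activation event itself
    "displayName": "PIM activation: compliant device from corp network", "state": "enabled",
    "conditions": {
        "applications": {"includeAuthenticationContextClassReferences": [AUTH_CONTEXT_ID]},
        "users": {"includeUsers": ["All"]},
        "locations": {"includeLocations": [NAMED_LOCATION_ID]},
    },
    "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]},
}

if __name__ == "__main__":
    for f in standing_broad_access(ACTIVE_ASSIGNMENTS):
        print("FINDING:", f)
    for p in (NEAR_RIGHT_POLICY, CORRECT_POLICY):
        print(p["displayName"], ca_policy_gates_activation(p, AUTH_CONTEXT_ID, NAMED_LOCATION_ID))
```

Eligible PIM assignments are not in the active assignment list, so a clean result from `standing_broad_access` together with a passing policy check is what the "correct" branch of both rules looks like in exported data.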
Choose between Service Endpoints and Private Endpoints when the stated constraint is zero public endpoint exposure: Service Endpoints apply a VNet-scoped ACL to a still-publicly-routable endpoint, while Private Endpoints inject a private NIC into the VNet and permit disabling the public endpoint entirely.
Whether to protect a public web application against OWASP-class application-layer threats (SQL injection, XSS) using L7 WAF inspection on Application Gateway, or to rely on Azure Firewall which operates at L3/L4 and cannot inspect HTTP payloads.
Determine whether Service Endpoints with a VNet-scoped firewall rule or Private Endpoints satisfy a zero-public-endpoint mandate on a PaaS backend service connected to a VNet-integrated Azure Functions app.
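The Service Endpoint versus Private Endpoint distinction (this rule, the one two lines above it, and the storage-account case in the opening section) shows up in a storage account's resource JSON, so it can be audited rather than guessed. The following added example, not code from the study notes or from Microsoft, classifies an account's exposure from the `Microsoft.Storage/storageAccounts` properties that `az storage account show` returns: a service endpoint leaves `publicNetworkAccess` enabled and only adds a VNet-scoped rule to `networkAcls`, while only `publicNetworkAccess: Disabled` plus an approved private endpoint connection satisfies a zero-public-endpoint constraint. The three account documents are constructed and trimmed to the fields the check reads.

```python
"""Classify a storage account's network exposure from its ARM resource JSON.
Added example; the sample accounts below are constructed."""

from typing import Any

# Fields read, all from the Microsoft.Storage/storageAccounts schema:
#   properties.publicNetworkAccess            ("Enabled" | "Disabled")
#   properties.networkAcls.defaultAction      ("Allow" | "Deny")
#   properties.networkAcls.virtualNetworkRules (service-endpoint subnets)
#   properties.privateEndpointConnections[].properties.privateLinkServiceConnectionState.status


def classify_exposure(account: dict[str, Any]) -> str:
    props = account.get("properties", {})
    public_access = props.get("publicNetworkAccess", "Enabled")
    acls = props.get("networkAcls", {})
    default_action = acls.get("defaultAction", "Allow")
    vnet_rules = acls.get("virtualNetworkRules", [])
    approved_private_endpoints = [
        conn for conn in props.get("privateEndpointConnections", [])
        if conn.get("properties", {})
        .get("privateLinkServiceConnectionState", {})
        .get("status") == "Approved"
    ]

    # Only publicNetworkAccess=Disabled removes the public endpoint itself.
    if public_access == "Disabled":
        return "private-endpoint-only" if approved_private_endpoints else "no-ingress"

    # From here on the public endpoint is still internet-routable; the cases
    # differ only in what the public-endpoint firewall filters.
    if approved_private_endpoints:
        return "private-endpoint-plus-public"   # private link added but public path left open
    if default_action == "Deny":
        return "service-endpoint-acl" if vnet_rules else "public-firewalled"
    return "public-open"


def meets_zero_public_endpoint(account: dict[str, Any]) -> bool:
    """The exam constraint: no public endpoint at all, while still reachable from the VNet."""
    return classify_exposure(account) == "private-endpoint-only"


def audit(accounts: list[dict[str, Any]]) -> list[tuple[str, str, bool]]:
    return [(a["name"], classify_exposure(a), meets_zero_public_endpoint(a)) for a in accounts]


# Constructed sample documents; <sub> is a placeholder subscription id.
SUBNET_ID = "/subscriptions/<sub>/resourceGroups/rg-app/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-app"

SERVICE_ENDPOINT_ACCOUNT = {   # near-right: VNet-scoped ACL on a public endpoint
    "name": "stsvcendpoint",
    "properties": {
        "publicNetworkAccess": "Enabled",
        "networkAcls": {"defaultAction": "Deny", "virtualNetworkRules": [{"id": SUBNET_ID, "action": "Allow"}]},
        "privateEndpointConnections": [],
    },
}
PRIVATE_ENDPOINT_ACCOUNT = {   # correct: public endpoint disabled, private link approved
    "name": "stprivatelink",
    "properties": {
        "publicNetworkAccess": "Disabled",
        "networkAcls": {"defaultAction": "Deny", "virtualNetworkRules": []},
        "privateEndpointConnections": [{"properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}}],
    },
}
MIXED_ACCOUNT = {              # private endpoint created, but public access never disabled
    "name": "stmixed",
    "properties": {
        "publicNetworkAccess": "Enabled",
        "networkAcls": {"defaultAction": "Allow", "virtualNetworkRules": []},
        "privateEndpointConnections": [{"properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}}],
    },
}

if __name__ == "__main__":
    for name, exposure, ok in audit([SERVICE_ENDPOINT_ACCOUNT, PRIVATE_ENDPOINT_ACCOUNT, MIXED_ACCOUNT]):
        print(f"{name:16} {exposure:30} zero-public-endpoint={'yes' if ok else 'NO'}")
```

The `MIXED_ACCOUNT` case is the one worth remembering: adding a Private Endpoint does not, by itself, disable the public endpoint; the `publicNetworkAccess` setting has to be changed as a separate step.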
Whether to place Azure Firewall (L3/L4 network perimeter) or Application Gateway with WAF Policy (L7 OWASP CRS enforcement) in front of a regional public API endpoint when the threat class is HTTP application-layer attacks requiring payload inspection.
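For the two WAF rules above, the check a reviewer actually runs is against the WAF policy resource, and the common near-miss is a WAF policy that exists but runs in Detection mode, which logs OWASP matches without blocking them. The following is an added example, not code from the study notes or from Microsoft: it reads the `policySettings` and `managedRules` of a `Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies` resource and reports whether a public HTTP endpoint has OWASP CRS inspection in blocking mode in front of it, treating an Azure Firewall of any SKU as L3/L4 coverage only. The sample resources are constructed.

```python
"""Decide whether the resources in front of a public HTTP endpoint provide
OWASP-class payload inspection in blocking mode.  Added example; the sample
resources are constructed."""

from typing import Any

WAF_POLICY_TYPE = "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies"
AZURE_FIREWALL_TYPE = "Microsoft.Network/azureFirewalls"
OWASP_RULE_SET_TYPES = {"OWASP", "Microsoft_DefaultRuleSet"}   # CRS and its DRS successor


def waf_policy_assessment(policy: dict[str, Any]) -> dict[str, bool]:
    props = policy.get("properties", {})
    settings = props.get("policySettings", {})
    rule_sets = props.get("managedRules", {}).get("managedRuleSets", [])
    return {
        "enabled": settings.get("state") == "Enabled",
        "blocking": settings.get("mode") == "Prevention",     # Detection only logs
        "owasp_crs": any(r.get("ruleSetType") in OWASP_RULE_SET_TYPES for r in rule_sets),
    }


def l7_protection(edge: list[dict[str, Any]]) -> str:
    """edge: the resources in the request path to the endpoint.  Returns
    owasp-blocking | waf-detection-only | waf-misconfigured | l3-l4-only | none."""
    for resource in edge:
        if resource.get("type") == WAF_POLICY_TYPE:
            a = waf_policy_assessment(resource)
            if all(a.values()):
                return "owasp-blocking"
            if a["enabled"] and a["owasp_crs"] and not a["blocking"]:
                return "waf-detection-only"
            return "waf-misconfigured"
    # No WAF policy: an Azure Firewall filters L3/L4 flows but does not apply OWASP CRS to HTTP bodies.
    if any(r.get("type") == AZURE_FIREWALL_TYPE for r in edge):
        return "l3-l4-only"
    return "none"


# Constructed sample resources.
def _waf_policy(mode: str) -> dict[str, Any]:
    return {
        "type": WAF_POLICY_TYPE, "name": f"wafpol-{mode.lower()}",
        "properties": {
            "policySettings": {"state": "Enabled", "mode": mode, "requestBodyCheck": True},
            "managedRules": {"managedRuleSets": [{"ruleSetType": "OWASP", "ruleSetVersion": "3.2"}]},
        },
    }

WAF_PREVENTION_POLICY = _waf_policy("Prevention")
WAF_DETECTION_POLICY = _waf_policy("Detection")
AZURE_FIREWALL_PREMIUM = {"type": AZURE_FIREWALL_TYPE, "name": "afw-hub", "sku": {"tier": "Premium"}}

if __name__ == "__main__":
    for label, edge in [("AppGW WAF (Prevention)", [WAF_PREVENTION_POLICY]),
                        ("AppGW WAF (Detection)", [WAF_DETECTION_POLICY]),
                        ("Azure Firewall Premium only", [AZURE_FIREWALL_PREMIUM])]:
        print(f"{label:30} -> {l7_protection(edge)}")
```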
When the stated requirement is that temp-disk and cache data must be encrypted at the physical-host boundary before leaving the host, encryption-at-host satisfies that scope boundary while ADE alone does not, making host-level encryption the disqualifying dimension.
When a named WORM-compliance regulation requires tamper-proof retention, select a locked time-based retention policy on an immutable-storage-enabled Azure Blob Storage container; disqualify soft delete and versioning because they restore deleted or prior versions but do not block modification or deletion during the active retention window.
Choose Always Encrypted (with column master key stored in Azure Key Vault) over Transparent Data Encryption when the constraint is column-level in-use protection that keeps plaintext invisible to the database engine and privileged database users — not merely at-rest disk-level encryption.
Select the Azure SQL encryption layer that keeps column ciphertext opaque to the database engine and DBAs at query time — Always Encrypted with client-side key custody versus Transparent Data Encryption, which decrypts data at the storage engine before any query result is returned.
When the requirement is continuous posture assessment with regulatory-compliance mapping and Secure Score aggregation across Azure and non-Azure clouds, Defender for Cloud (CSPM plan with multi-cloud connector) is the correct boundary; Azure Policy alone satisfies Azure-scoped enforcement but cannot aggregate cross-cloud posture or calculate the risk-prioritised score that maps to a named compliance framework.
Choose Defender for Servers Plan 2 — not Plan 1 — because Plan 2 is the plan tier that includes integrated Microsoft Defender Vulnerability Management with agentless scanning, which is the only configuration that satisfies a no-agent, continuous vulnerability assessment requirement.