Over-Provisioning — Azure Security Engineer (AZ-500)
You provisioned more capacity or redundancy than the scenario required. The exam rewards right-sizing.
Defense in Depth Does Not Mean Every Layer at Maximum Strength
The scenario describes an internal-only API that processes non-sensitive metadata between two managed services in the same VNet. The candidate applies a WAF, mutual TLS, IP allowlisting, and a DDoS Protection Standard plan. The exam expects a Private Endpoint and an NSG rule. The deciding constraint is the threat model: internal traffic between trusted services in a single VNet does not justify external-facing controls. Over-securing burns budget and adds operational surface without reducing actual risk.
The Scenario
A team needs storage for application logs. Logs are written continuously but only accessed during incident investigations — maybe once per quarter. You choose Premium Blob Storage for fast write performance. The correct answer is Standard Hot for recent logs (first 30 days) with a lifecycle management policy that moves data to Cool tier after 30 days and Archive after 90 days. Premium storage costs $0.15/GB/month; Standard Hot costs $0.018/GB/month; Cool costs $0.01/GB/month; Archive costs $0.002/GB/month. For 1TB of logs, Premium costs $150/month vs. a tiered approach averaging under $20/month.
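As an added illustration (not from the original page), the tiered approach in the scenario expressed as an Azure Storage lifecycle management policy document. The rule name and the `logs/` container prefix are assumed for the example; the thresholds are the scenario's own: move to Cool after 30 days without modification, to Archive after 90.

```json
{
  "rules": [
    {
      "enabled": true,
      "name": "tier-app-logs",
      "type": "Lifecycle",
      "definition": {
        "filters": {
          "blobTypes": [ "blockBlob" ],
          "prefixMatch": [ "logs/" ]
        },
        "actions": {
          "baseBlob": {
            "tierToCool": { "daysAfterModificationGreaterThan": 30 },
            "tierToArchive": { "daysAfterModificationGreaterThan": 90 }
          }
        }
      }
    }
  ]
}
```

Apply it with `az storage account management-policy create --account-name <account> --resource-group <rg> --policy @policy.json`. Two points to check before shipping a policy like this: the filter prefix must actually match the path the logging agent writes to (a mismatched prefix silently leaves everything in Hot), and once data is in Archive a read during an investigation takes hours to rehydrate, so the 90-day threshold should sit beyond the window in which incident responders realistically pull logs.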
How to Spot It
- Azure Blob Storage tiers exist for different access patterns. Premium is for low-latency, high-transaction workloads (databases on disk). Hot is for frequently accessed data. Cool is for 30+ day retention. Archive is for 180+ day retention with hours of rehydration time. The exam tests whether you match the tier to the access frequency.
- Azure Cosmos DB provisioned throughput at 400 RU/s (minimum) costs ~$23/month per container. If the scenario describes "occasional reads" or "low-traffic API," serverless Cosmos DB charges per RU consumed with no minimum, which can be pennies per month for light workloads.
- Auto-scale and elastic tiers (Azure SQL Serverless, Cosmos DB autoscale, App Service auto-scaling) are the exam-preferred answer for unpredictable workloads. Fixed provisioned capacity is correct only when the scenario provides specific, stable throughput numbers.
Decision Rules
Whether to assign an Azure Policy initiative at management group scope — covering all child subscriptions declaratively at standard pricing — versus enabling Microsoft Defender for Cloud enhanced security plans across all subscriptions to leverage its regulatory compliance assessment dashboard, which over-provisions capability and introduces per-resource premium billing not justified by a pure policy-enforcement requirement.
Whether to enforce key rotation compliance through Azure Policy assigned at management group scope (policy-plane, no marginal licensing cost, uniform coverage) versus enabling Microsoft Defender for Cloud's Key Vault protection plan (threat detection, per-subscription premium cost) or configuring per-vault Azure RBAC roles or vault access policies (data-plane access control, not rotation enforcement).
Azure Policy assigned at management group scope with a Deny effect targeting Key Vault instances where enableRbacAuthorization is false is the only control that prevents non-compliant vault creation and reconfiguration across all 15 subscriptions at a single enforcement point, satisfying both the authorization model requirement and the no-premium-licensing constraint — Defender for Key Vault must be eliminated because it adds per-vault threat-detection cost without enforcing the authorization model.
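To make the control concrete, here is an added example (not from the original page) of a custom Azure Policy definition that denies creation or reconfiguration of a Key Vault whose `enableRbacAuthorization` property is not `true`. The display name and the parameterised effect are assumptions for the example; the alias `Microsoft.KeyVault/vaults/enableRbacAuthorization` is the real policy alias for that property.

```json
{
  "mode": "Indexed",
  "displayName": "Deny Key Vaults that do not use the RBAC permission model",
  "parameters": {
    "effect": {
      "type": "String",
      "allowedValues": [ "Audit", "Deny", "Disabled" ],
      "defaultValue": "Deny"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.KeyVault/vaults" },
        { "field": "Microsoft.KeyVault/vaults/enableRbacAuthorization", "notEquals": true }
      ]
    },
    "then": { "effect": "[parameters('effect')]" }
  }
}
```

Register it and assign it once at the management group so every child subscription inherits it: `az policy definition create --name deny-kv-access-policy-model --rules policy.json --management-group <mg-name>` followed by `az policy assignment create --policy <definition-id> --scope /providers/Microsoft.Management/managementGroups/<mg-name>`. The `notEquals: true` comparison also catches templates that omit the property entirely, since the vault then defaults to the access-policy model. Assigning with `Audit` first and reviewing the compliance results before switching to `Deny` avoids blocking deployments of vaults that were created before the standard existed.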
Select system-assigned managed identity with a Key Vault Secrets User RBAC role assignment over a service principal with a Key Vault-stored certificate, because managed identity delegates the full credential lifecycle to Azure and supports fine-grained resource-scoped RBAC, satisfying credential-elimination and least-privilege simultaneously without introducing any bootstrap credential problem.
Whether intra-VNet, multi-tier micro-segmentation is best satisfied by ASGs combined with NSG rules (correct: native, zero additional cost, no topology overhead) or by a higher-capability network management overlay such as Azure Virtual Network Manager (over-provisioning trap: introduces cross-subscription topology management where none is needed).
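An added example (not from the original page) of the native ASG-plus-NSG pattern as an ARM resource: a web tier may reach the app tier on TCP 8080, and all other intra-VNet inbound traffic to the app tier is denied. The ASG names `asg-web` and `asg-app`, the port, the NSG name and the API version are assumptions for the example; the ASGs are assumed to already exist in the same resource group and to be attached to the tiers' NICs.

```json
{
  "type": "Microsoft.Network/networkSecurityGroups",
  "apiVersion": "2023-04-01",
  "name": "nsg-app-tier",
  "location": "[resourceGroup().location]",
  "properties": {
    "securityRules": [
      {
        "name": "allow-web-to-app-8080",
        "properties": {
          "priority": 100,
          "direction": "Inbound",
          "access": "Allow",
          "protocol": "Tcp",
          "sourcePortRange": "*",
          "destinationPortRange": "8080",
          "sourceApplicationSecurityGroups": [
            { "id": "[resourceId('Microsoft.Network/applicationSecurityGroups', 'asg-web')]" }
          ],
          "destinationApplicationSecurityGroups": [
            { "id": "[resourceId('Microsoft.Network/applicationSecurityGroups', 'asg-app')]" }
          ]
        }
      },
      {
        "name": "deny-other-vnet-inbound",
        "properties": {
          "priority": 4000,
          "direction": "Inbound",
          "access": "Deny",
          "protocol": "*",
          "sourcePortRange": "*",
          "destinationPortRange": "*",
          "sourceAddressPrefix": "VirtualNetwork",
          "destinationAddressPrefix": "VirtualNetwork"
        }
      }
    ]
  }
}
```

The explicit deny at priority 4000 is what makes this segmentation real: without it, the built-in `AllowVnetInBound` rule at priority 65000 would still permit any VNet source to reach the app tier. Because the allow rule is expressed in terms of ASG membership rather than IP ranges, scaling a tier out or re-addressing a subnet requires no rule changes, which is exactly the operational overhead a network-manager overlay would otherwise be bought to absorb.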
Whether Azure Virtual WAN with Secured Virtual Hub or Azure Virtual Network Manager connectivity configurations plus UDRs better satisfies a small-topology spoke-to-spoke inspection enforcement requirement when a cost constraint disqualifies over-provisioned managed WAN infrastructure.