Scope Overreach — Azure Security Engineer (AZ-500)

Whether to assign the Deny-effect Azure Policy definition at the Production management group scope (correct — inherits to all member subscriptions, excludes dev/test) versus escalating to tenant root management group (scope overreach — over-governs beyond the production-only boundary) or substituting Azure RBAC role assignments (wrong control plane — enforces access identity, not resource configuration state).

Whether to scope the Conditional Access policy to the Microsoft Azure Management cloud app and the named contributor group exclusively, or to apply a policy with a broader cloud-app or user target that satisfies the MFA goal but overreaches the stated scope boundary.

When time-bounded, approval-gated access is required, choose a PIM eligible assignment scoped to the target resource group over a permanent built-in role assigned at subscription scope.

Select Private Endpoints over Service Endpoints when the stated constraint is full public-endpoint elimination: Service Endpoints add a VNet-scoped ACL but leave the resource's public endpoint active, whereas Private Endpoints assign a VNet-private IP and allow the public endpoint to be disabled entirely.

Select the service or service pairing that enforces OWASP L7 threat inspection at the correct OSI layer and regional scope without oversolving by adding global anycast routing or network-layer firewall capabilities that the scenario does not require.

Whether the zero-trust compute-access requirement — no public IPs, no open inbound ports, minimum operational overhead — is best satisfied by Azure Bastion alone or by a more capable but architecturally heavier alternative such as a P2S VPN Gateway or a self-managed jump-box VM.

Select a time-based immutable retention policy on Azure Blob Storage (WORM) over recoverable-deletion controls such as soft delete or versioning, and over threat-detection additions such as Microsoft Defender for Storage, because only the immutability policy directly enforces the write-once deletion-prevention semantics required by SEC Rule 17a-4.

Whether the protection requirement demands column-level encryption opaque to the database engine and all server-side principals (Always Encrypted + Azure Key Vault column master key) or only role-scoped presentation masking that preserves DBA access (Dynamic Data Masking) — resolved by identifying exactly who must be excluded from plaintext: non-privileged app roles only, or also the database engine itself.

Does satisfying the temp-disk and host-cache encryption boundary require enabling encryption-at-host on the VM (correct scope), selecting Azure Disk Encryption (wrong scope—OS and data disks only), or deploying Confidential disk encryption (scope overreach—requires specialized hardware and confidential VM SKUs beyond what the requirement warrants)?

Whether to disable the ACR public endpoint via private endpoint and grant the AKS managed identity the AcrPull role — right-sized, satisfying both constraints at the resource boundary — versus adding Azure Firewall egress rules with ACR service tags plus a service principal imagePullSecret, which filters outbound traffic at the cluster level but leaves the public endpoint reachable from outside the VNet and reintroduces credential management.

Select TDE with a customer-managed key (TDE-CMK/BYOK) stored in Azure Key Vault when the compliance requirement is at-rest encryption with organizational key control and DBAs must retain normal query access — reject Always Encrypted as scope overreach because it encrypts at the column level, is opaque to the database engine, breaks normal query patterns, and mandates client-side column master key management that the scenario does not require.

Determine which Azure VM encryption scope satisfies temporary-disk and cache-level protection at the physical-host boundary without introducing confidential computing infrastructure that exceeds the stated minimum-required-control constraint.

Whether to issue a User Delegation SAS scoped to the target container (Entra-ID-backed, time-bounded, revocable via delegation key expiry) versus assigning a Storage Blob Data Reader RBAC role at the storage account level or issuing an Account SAS backed by account keys — the governing constraint is least-privilege access scope combined with key-independent revocability.

Whether to use Defender for Cloud native workflow automation (Logic App triggered directly from a Defender for Cloud alert) or Microsoft Sentinel playbooks/automation rules (which require prior data ingestion into a Sentinel-attached Log Analytics workspace) to respond to Defender for Servers alerts under a no-SIEM ingestion constraint.

Select the minimum Defender for Servers plan tier (Plan 1 vs Plan 2) that satisfies the specific stated capability requirement — MDE integration for EDR — without over-provisioning features that fall outside the declared threat model, applying least-privilege to plan tier selection.

Whether to configure Defender for Cloud native workflow automation — which triggers Logic Apps directly from Defender alert signals within Defender's own scope boundary — or deploy Microsoft Sentinel with automation rules and playbooks, which requires alert data ingestion into a Log Analytics workspace before any playbook can execute.

Select the Defender for Cloud capability that delivers subscription-aggregated, quantified internal workload hardening recommendations (Secure Score) rather than an external-asset-discovery tool whose scope is internet-facing surfaces only.