Commonly Confused Services on AZ-500

Deciding signal

Azure Security Center was renamed to Microsoft Defender for Cloud. They are the same product — if you see Security Center on an exam, treat it as Defender for Cloud. Defender for Cloud provides CSPM (Cloud Security Posture Management), a secure score, hardening recommendations, and Defender plans for workload-specific threat protection (VMs, databases, containers, storage). Microsoft Sentinel is a cloud-native SIEM and SOAR — it collects and correlates logs from Azure, on-premises, and third-party sources using analytics rules, detects threats with ML, manages incidents, and automates response with playbooks (Logic Apps). When the scenario involves improving resource security configurations and detecting resource-level threats, Defender for Cloud. When it involves aggregating logs for threat hunting, correlation, and automated response across a full environment, Sentinel.

Deciding signal

Key Vault is a multi-tenant managed service for secrets, keys, and certificates — FIPS 140-2 Level 2. It suits the vast majority of workloads. Managed HSM provides dedicated, single-tenant FIPS 140-2 Level 3 HSM hardware with customer-exclusive key custody — Azure has no access to keys. Required when regulations mandate Level 3 HSM or non-shared hardware. Managed Identity is an automatically managed Azure AD service principal for an Azure resource — it eliminates the need to store credentials. The typical architecture is: resource uses Managed Identity to authenticate to Key Vault; Key Vault returns the secret; Managed HSM is the Key Vault when Level 3 compliance is required.

Deciding signal

MFA is an authentication factor — it requires users to verify their identity with a second method (authenticator app, SMS, phone call). It is a mechanism, not a policy. Conditional Access is the policy engine that decides when and how MFA (or other controls) is enforced — it evaluates conditions like user location, device compliance, application sensitivity, and sign-in risk before granting access. Entra ID Protection detects risky sign-in events and compromised accounts using ML on identity signals (impossible travel, leaked credentials, atypical locations) and can feed its risk signals into Conditional Access policies. The relationship: ID Protection detects risk → Conditional Access evaluates it → MFA or block is the enforcement action.

Deciding signal

RBAC assigns roles to identities at a scope — it grants permanent standing access to perform actions on resources. PIM manages privileged RBAC roles and Azure AD roles with just-in-time access: administrators request elevated access for a time-bounded period, which may require MFA and manager approval. It eliminates standing permanent privilege. Azure Policy enforces resource configuration standards — it is about resources, not identities. When the scenario describes requiring approval and time-limited elevation for privileged actions, PIM. When it describes assigning permissions to users or service principals, RBAC. When it describes enforcing resource configuration compliance, Policy.

Deciding signal

NSGs filter inbound and outbound traffic based on IP, port, and protocol rules at the subnet or NIC level — simple allow/deny. Azure Firewall is a fully stateful managed firewall with FQDN-based rules, threat intelligence, DNS proxy, and centralized policy management via Firewall Policy. Network Watcher is an Azure networking diagnostics service — it provides IP flow verify (test if traffic is allowed or denied), packet capture, topology visualization, connection troubleshooting, and NSG flow logs. Network Watcher does not block or filter traffic; it observes and diagnoses it. When the scenario involves inspecting why traffic is being blocked or allowed, Network Watcher. When it involves filtering traffic with stateful rules, NSG or Azure Firewall.

Deciding signal

Entra B2B enables employees of partner organizations to access your applications using their own organizational identities — the guest invitation model. Partners use their existing company credentials. It is for business-to-business workforce collaboration. Entra External ID for customers (the service formerly known as B2C) is a Customer Identity and Access Management (CIAM) platform — it handles consumer sign-up, sign-in, profile management, and social identity provider integration (Google, Facebook). The user types are completely different: B2B is for organizational users with existing corporate credentials; CIAM/B2C is for external consumers who may have no corporate identity.

Deciding signal

Entra ID Protection monitors cloud identity signals — Azure AD sign-ins, leaked credentials, impossible travel, token anomalies — and generates user and sign-in risk scores used by Conditional Access. It is cloud-only. Microsoft Defender for Identity monitors on-premises Active Directory Domain Controllers and hybrid environments — it detects lateral movement, pass-the-hash, pass-the-ticket, Kerberoasting, and other Active Directory attack patterns by analyzing AD replication traffic and LDAP queries. When the scenario involves detecting attacks on on-premises AD or hybrid environments, Defender for Identity. When it involves detecting risky cloud sign-ins and compromised Azure AD accounts, Entra ID Protection.

Deciding signal

DDoS Protection Basic is automatically enabled for all Azure resources at no cost — it absorbs common volumetric attacks using the Azure network infrastructure. It provides no SLA guarantees, no attack analytics, no real-time metrics, and no access to a DDoS rapid response team. DDoS Protection Standard is a paid service that adds real-time attack metrics, adaptive tuning, post-attack reports, access to the DDoS Rapid Response team, and financial protection (cost credits if scaling occurs during an attack). Standard is applied to VNets and protects all public IPs in those VNets. When the scenario describes SLA requirements, attack visibility, or financial protection during DDoS events, Standard. Basic is the default that requires no action.

Deciding signal

Service Endpoints extend your VNet identity to Azure service traffic — they optimize the network path for traffic to services like Storage and SQL, allowing you to add VNet-based network rules on the service. The service still has a public endpoint; traffic stays on the Microsoft backbone. Private Endpoints allocate a private IP address from your VNet subnet for a specific service instance — the service is accessible only via the private IP, with no public endpoint needed. VNet Integration is for Azure App Service and Functions — it allows outbound traffic from the app to reach resources in a VNet or connected on-premises networks. It is outbound-only from the app. Private Endpoint is inbound — it makes a service accessible privately to your VNet.

Deciding signal

Purview Information Protection (formerly Azure Information Protection) applies sensitivity labels to documents and emails — it classifies and encrypts data at the file level, regardless of where it travels. Purview is the broader Microsoft data governance platform — it provides a unified data catalog, data map, compliance management, and eDiscovery across Azure, M365, and multi-cloud data. Defender for Cloud Apps is a Cloud Access Security Broker (CASB) — it discovers and controls shadow IT, monitors SaaS app usage, enforces policies on cloud app access, and integrates with Conditional Access for session controls. When the scenario involves classifying and protecting documents with encryption labels, Purview Information Protection. When it involves discovering and governing data across your estate, Microsoft Purview. When it involves controlling and monitoring SaaS application access and shadow IT, Defender for Cloud Apps.