
Official AZ-500 Exam Guide

Exam Format, Domains & Preparation Tips

AZ-500: Microsoft Azure Security Technologies Study Guide

Exam Overview

  • Certification: Microsoft Azure Security Engineer Associate
  • Exam Code: AZ-500
  • Target Audience: Security engineers implementing, managing, and monitoring security for Azure resources
  • Experience Required: Practical experience in Azure administration and strong familiarity with Microsoft Entra ID, compute, networking, and storage

Skills Measured (as of January 31, 2025)

1. Secure Identity and Access (15-20%)

Manage Security Controls for Identity and Access

  • Manage Azure built-in role assignments
  • Manage custom roles (Azure roles and Microsoft Entra roles)
  • Implement and manage Microsoft Entra Permissions Management
  • Plan and manage Azure resources in Microsoft Entra Privileged Identity Management
  • Implement multi-factor authentication (MFA) for Azure resources
  • Implement Conditional Access policies for cloud resources
  • Manage Microsoft Entra application access
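
Added example for the MFA and Conditional Access items above (not part of the exam guide and not Microsoft code): a small Python model of how Microsoft Entra Conditional Access combines several policies for one sign-in. It encodes the documented combination rules: every enabled policy whose assignments match is applied; a block in any applicable policy wins; otherwise the grant controls of all applicable policies must be satisfied, with each policy requiring either all of its controls or one of them depending on its operator; report-only policies are evaluated and logged but never enforced; excluded users are out of scope. The policy names, groups, cloud app names, risk levels and the break-glass account are assumptions made for the demonstration.

```python
"""Conditional Access combination rules, modelled in Python (added example).

Assumptions: policy names, the 'Global Administrators' group, the cloud app
names and the break-glass account are constructed for the demonstration.
The state 'reportOnly' stands for Entra's report-only mode.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset
    app: str
    trusted_location: bool
    sign_in_risk: str          # "none" | "low" | "medium" | "high"
    satisfied: frozenset       # controls the session already met, e.g. {"mfa"}


@dataclass(frozen=True)
class Policy:
    name: str
    state: str                                # "enabled" | "reportOnly" | "disabled"
    include: frozenset                        # users, groups or "All"
    exclude: frozenset = frozenset()
    apps: frozenset = frozenset({"All"})
    untrusted_locations_only: bool = False
    risk_levels: frozenset = frozenset()      # empty = applies at any risk level
    grant: frozenset = frozenset()            # {"block"} or the required controls
    operator: str = "AND"                     # "AND" = require all, "OR" = require one


def applies(p, s):
    """Assignment check: users/groups, exclusions, cloud app, location, risk."""
    who = {s.user} | s.groups
    if p.exclude & who:
        return False                          # exclusions win over inclusions
    if "All" not in p.include and not (p.include & who):
        return False
    if "All" not in p.apps and s.app not in p.apps:
        return False
    if p.untrusted_locations_only and s.trusted_location:
        return False
    if p.risk_levels and s.sign_in_risk not in p.risk_levels:
        return False
    return True


def evaluate(policies, s):
    """Combine all applicable policies for one sign-in."""
    enforced = [p for p in policies if p.state == "enabled" and applies(p, s)]
    report_only = [p.name for p in policies if p.state == "reportOnly" and applies(p, s)]
    blocked_by = [p.name for p in enforced if "block" in p.grant]
    if blocked_by:                            # any block wins over every grant
        return {"result": "blocked", "by": blocked_by, "reportOnly": report_only}
    unmet = []
    for p in enforced:
        if not p.grant:
            continue
        met = p.grant & s.satisfied
        ok = met == p.grant if p.operator == "AND" else bool(met)
        if not ok:
            unmet.append(p.name)
    return {"result": "success" if not unmet else "interrupted",
            "unmet": unmet, "reportOnly": report_only}


BREAK_GLASS = "breakglass@contoso.com"
ADMINS = frozenset({"Global Administrators"})
PORTAL = "Microsoft Azure Management"          # the cloud app covering the Azure portal/ARM
POLICIES = [
    Policy("Require MFA for all users", "enabled", frozenset({"All"}),
           exclude=frozenset({BREAK_GLASS}), grant=frozenset({"mfa"})),
    Policy("Block high-risk sign-ins", "enabled", frozenset({"All"}),
           exclude=frozenset({BREAK_GLASS}), risk_levels=frozenset({"high"}),
           grant=frozenset({"block"})),
    Policy("Azure management from untrusted locations needs a managed device", "enabled",
           frozenset({"All"}), exclude=frozenset({BREAK_GLASS}), apps=frozenset({PORTAL}),
           untrusted_locations_only=True,
           grant=frozenset({"compliantDevice", "hybridJoinedDevice"}), operator="OR"),
    Policy("Admins need phishing-resistant MFA", "reportOnly", ADMINS,
           grant=frozenset({"phishingResistantMfa"})),
]


def demo():
    alice_m365 = SignIn("alice@contoso.com", frozenset(), "Office 365", True, "none", frozenset({"mfa"}))
    alice_portal_cafe = SignIn("alice@contoso.com", frozenset(), PORTAL, False, "none", frozenset({"mfa"}))
    admin_risky = SignIn("bob@contoso.com", ADMINS, "Office 365", True, "high", frozenset({"mfa"}))
    break_glass = SignIn(BREAK_GLASS, ADMINS, PORTAL, False, "none", frozenset())
    return {
        "alice_m365": evaluate(POLICIES, alice_m365),
        "alice_portal_cafe": evaluate(POLICIES, alice_portal_cafe),
        "admin_risky": evaluate(POLICIES, admin_risky),
        "break_glass": evaluate(POLICIES, break_glass),   # excluded everywhere: nothing enforced
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18s} {outcome}")
```

The last scenario is the caveat worth remembering for the exam and for production: a break-glass account excluded from every policy is not protected by Conditional Access at all, so its sign-ins need a dedicated alert. For a real tenant the equivalent check is the What If tool in the Conditional Access blade, which reports exactly which policies would apply to a given user, app, location and risk level.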

Manage Microsoft Entra Application Access

  • Manage access to enterprise applications (including OAuth permission grants)
  • Manage Microsoft Entra app registrations
  • Configure app registration permission scopes
  • Manage app registration permission consent
  • Manage and use service principals
  • Manage managed identities

2. Secure Networking (20-25%)

Plan and Implement Security for Virtual Networks

  • Plan and implement Network Security Groups (NSGs) and Application Security Groups (ASGs)
  • Manage virtual networks using Azure Virtual Network Manager
  • Plan and implement user-defined routes (UDRs)
  • Plan and implement Virtual Network peering or VPN gateway
  • Plan and implement Virtual WAN (including secured virtual hub)
  • Secure VPN connectivity (point-to-site and site-to-site)
  • Implement encryption over ExpressRoute
  • Configure firewall settings on Azure resources
  • Monitor network security using Network Watcher
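
Added example for the NSG and ASG items above (not part of the exam guide and not Azure SDK code): a Python simulator of how Azure evaluates inbound Network Security Group rules. It models the documented semantics: rules are processed in priority order and the first match decides; every NSG ends with the default rules AllowVNetInBound (65000), AllowAzureLoadBalancerInBound (65001) and DenyAllInBound (65500); a source or destination can be a service tag or an Application Security Group; and when both the subnet and the NIC carry an NSG, inbound traffic must be allowed by the subnet NSG first and then by the NIC NSG. The rule set, the VNet prefix, the addresses and the web/db/app ASG names are constructed for the demonstration, and the Internet tag is simplified to "public address space outside the VNet".

```python
"""Azure NSG rule evaluation, simulated (added example, not Azure code).

Assumptions: the VNet prefix 10.0.0.0/16, the rule set WEB_SUBNET_NSG, the
ASG names 'web', 'db', 'app' and all addresses are constructed here.
"""
import ipaddress
from dataclasses import dataclass

LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")   # AzureLoadBalancer service tag
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = frozenset({"*"})


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    access: str        # "Allow" | "Deny"
    protocol: str      # "Tcp" | "Udp" | "*"
    source: str        # CIDR, service tag, "*" or "asg:<name>"
    dest: str
    ports: frozenset   # destination ports, or ANY


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    port: int
    protocol: str = "Tcp"
    src_asgs: frozenset = frozenset()   # ASGs the source NIC belongs to
    dst_asgs: frozenset = frozenset()   # ASGs the destination NIC belongs to


DEFAULT_INBOUND = (
    Rule("AllowVNetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", ANY),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", ANY),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", ANY),
)


def _addr_matches(spec, ip, asgs, vnet):
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in vnet
    if spec == "Internet":   # simplification: public space outside the VNet
        return ip not in vnet and not any(ip in n for n in RFC1918)
    if spec == "AzureLoadBalancer":
        return ip == LB_PROBE_IP
    if spec.startswith("asg:"):
        return spec[4:] in asgs
    return ip in ipaddress.ip_network(spec, strict=False)


def evaluate_nsg(rules, flow, vnet_prefix="10.0.0.0/16"):
    """Return (access, rule_name) of the first matching rule in one NSG."""
    vnet = ipaddress.ip_network(vnet_prefix)
    src, dst = ipaddress.ip_address(flow.src_ip), ipaddress.ip_address(flow.dst_ip)
    for r in sorted(tuple(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.protocol != "*" and r.protocol != flow.protocol:
            continue
        if "*" not in r.ports and flow.port not in r.ports:
            continue
        if not _addr_matches(r.source, src, flow.src_asgs, vnet):
            continue
        if not _addr_matches(r.dest, dst, flow.dst_asgs, vnet):
            continue
        return r.access, r.name
    return "Deny", "DenyAllInBound"   # unreachable: the default rule matches everything


def effective_inbound(subnet_rules, nic_rules, flow):
    """Inbound traffic has to pass the subnet NSG and then the NIC NSG."""
    decision = ("Allow", "no NSG associated")
    for label, rules in (("subnet", subnet_rules), ("nic", nic_rules)):
        if rules is None:
            continue
        access, name = evaluate_nsg(rules, flow)
        decision = (access, f"{label}:{name}")
        if access == "Deny":
            break
    return decision


# Constructed subnet NSG: a web tier (ASG 'web') in front of a database tier (ASG 'db').
WEB_SUBNET_NSG = [
    Rule("AllowHttpsFromInternet", 100, "Allow", "Tcp", "Internet", "asg:web", frozenset({443})),
    Rule("AllowWebToDb", 110, "Allow", "Tcp", "asg:web", "asg:db", frozenset({1433})),
    Rule("DenyVNetToDb", 120, "Deny", "*", "VirtualNetwork", "asg:db", ANY),
    Rule("DenyRdpFromInternet", 200, "Deny", "Tcp", "Internet", "*", frozenset({3389})),
    Rule("AllowRdpFromInternet", 300, "Allow", "Tcp", "Internet", "*", frozenset({3389})),  # shadowed by 200
]


def demo():
    web = Flow("203.0.113.5", "10.0.1.4", 443, dst_asgs=frozenset({"web"}))
    rdp = Flow("203.0.113.5", "10.0.1.4", 3389, dst_asgs=frozenset({"web"}))
    web_to_db = Flow("10.0.1.4", "10.0.2.4", 1433, src_asgs=frozenset({"web"}), dst_asgs=frozenset({"db"}))
    app_to_db = Flow("10.0.3.4", "10.0.2.4", 1433, src_asgs=frozenset({"app"}), dst_asgs=frozenset({"db"}))
    without_deny = [r for r in WEB_SUBNET_NSG if r.name != "DenyVNetToDb"]
    nic_deny_all = [Rule("DenyAllFromNic", 100, "Deny", "*", "*", "*", ANY)]
    return {
        "https": evaluate_nsg(WEB_SUBNET_NSG, web),
        "rdp": evaluate_nsg(WEB_SUBNET_NSG, rdp),
        "web_to_db": evaluate_nsg(WEB_SUBNET_NSG, web_to_db),
        "app_to_db": evaluate_nsg(WEB_SUBNET_NSG, app_to_db),
        "app_to_db_no_deny": evaluate_nsg(without_deny, app_to_db),   # default rule lets it through
        "defaults_only": evaluate_nsg([], web),
        "nic_overrides_subnet": effective_inbound(WEB_SUBNET_NSG, nic_deny_all, web),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} -> {outcome}")
```

Two outcomes are the ones the exam likes to probe: the app-tier-to-database flow is allowed by AllowVNetInBound as soon as the explicit deny is removed, because the default rules allow all intra-VNet traffic, and the late "allow RDP from Internet" rule never fires because a lower-numbered deny matches first. On a live subscription the authoritative answers come from Network Watcher's IP flow verify (`az network watcher test-ip-flow`) and the effective rules on a NIC (`az network nic list-effective-nsg`).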

Plan and Implement Security for Private Access to Azure Resources

  • Plan and implement virtual network Service Endpoints
  • Plan and implement Private Endpoints
  • Plan and implement Private Link services
  • Plan and implement network integration for App Service and Functions
  • Network security configurations for App Service Environment (ASE)
  • Network security configurations for Azure SQL Managed Instance

Plan and Implement Security for Public Access to Azure Resources

  • Plan and implement TLS to applications (App Service, API Management)
  • Plan, implement, and manage Azure Firewall (including Firewall Manager)
  • Plan and implement Azure Application Gateway
  • Plan and implement Azure Front Door (including CDN)
  • Plan and implement Web Application Firewall (WAF)
  • Recommend when to use Azure DDoS Protection (Network Protection and IP Protection tiers; formerly DDoS Protection Standard)

3. Secure Compute, Storage, and Databases (20-25%)

Plan and Implement Advanced Security for Compute

  • Plan and implement remote access to VMs (Azure Bastion, JIT)
  • Configure network isolation for Azure Kubernetes Service (AKS)
  • Secure and monitor AKS
  • Configure authentication for AKS
  • Configure security monitoring for Azure Container Instances
  • Configure security monitoring for Azure Container Apps
  • Manage access to Azure Container Registry
  • Configure disk encryption (ADE, encryption at host, confidential disk encryption)
  • Recommend security configurations for Azure API Management

Plan and Implement Security for Storage

  • Configure access control for storage accounts
  • Manage storage account access keys
  • Select and configure access to Azure Files
  • Select and configure access to Azure Blob Storage
  • Protect against data security threats (soft delete, backups, versioning, immutable storage)
  • Configure Bring Your Own Key (BYOK)
  • Enable double encryption at Azure Storage infrastructure level

Plan and Implement Security for Azure SQL Database and SQL Managed Instance

  • Enable Microsoft Entra database authentication
  • Enable database auditing
  • Plan and implement dynamic masking
  • Implement Transparent Data Encryption (TDE)
  • Recommend when to use Azure SQL Database Always Encrypted

4. Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel (30-35%)

Implement and Manage Enforcement of Cloud Governance Policies

  • Create, assign, and interpret policies and initiatives in Azure Policy
  • Configure Azure Key Vault network settings
  • Configure access to Key Vault (vault access policies and Azure RBAC)
  • Manage certificates, secrets, and keys
  • Configure key rotation
  • Perform backup and recovery of certificates, secrets, and keys
  • Implement security controls to protect backups
  • Implement security controls for asset management
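
Added example for the Azure Policy item above (not part of the exam guide and not the Azure Policy engine): a minimal Python evaluator for the if/then rule of a policy definition, run against constructed resource documents. It models the subset of the condition language most built-in policies use, namely allOf, anyOf, not, and field conditions with equals, in and exists, so that the matching logic can be stepped through offline. The two definitions are written in the shape of the built-ins "Storage account public access should be disallowed" and "Require a tag on resources", with their parameters already resolved; the resource names, tags and property values are constructed.

```python
"""Azure Policy if/then evaluation, simplified (added example, not Azure code).

Assumptions: the resource documents and the tag name 'owner' are constructed;
the alias resolution below handles only 'type', 'location', 'name',
tags['x'] and <resource type>/<property.path> aliases.
"""


def _field_value(field, resource):
    """Resolve a policy field or alias against a resource document."""
    if field in ("type", "location", "name"):
        return resource.get(field)
    if field.startswith("tags[") and field.endswith("]"):
        return resource.get("tags", {}).get(field[5:-1].strip("'"))
    # Property aliases look like <resource type>/<property path>, e.g.
    # Microsoft.Storage/storageAccounts/networkAcls.defaultAction
    rtype = resource.get("type", "")
    if rtype and field.lower().startswith(rtype.lower() + "/"):
        node = resource.get("properties", {})
        for part in field[len(rtype) + 1:].split("."):
            if not isinstance(node, dict):
                return None
            node = node.get(part)
        return node
    return None   # alias belongs to another resource type


def _norm(value):
    # Azure Policy string comparisons are case-insensitive; booleans and
    # numbers are compared through their string form.
    return None if value is None else str(value).lower()


def condition_matches(cond, resource):
    if "allOf" in cond:
        return all(condition_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], resource)
    value = _field_value(cond["field"], resource)
    if "exists" in cond:
        return (value is not None) == (_norm(cond["exists"]) == "true")
    if "equals" in cond:          # a missing field never equals anything
        return value is not None and _norm(value) == _norm(cond["equals"])
    if "in" in cond:
        return value is not None and _norm(value) in {_norm(v) for v in cond["in"]}
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, resource):
    """Return the effect the policy applies to the resource, or 'NotApplicable'."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if condition_matches(rule["if"], resource) else "NotApplicable"


DENY_PUBLIC_BLOB_ACCESS = {
    "displayName": "Storage account public access should be disallowed",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            # 'not equals false' rather than 'equals true': an account whose
            # allowBlobPublicAccess property is absent fails 'equals false'
            # as well, so it is denied instead of slipping through
            {"not": {"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
                     "equals": "false"}},
        ]},
        "then": {"effect": "Deny"},
    },
}

AUDIT_MISSING_OWNER_TAG = {
    "displayName": "Audit resources without an owner tag",
    "policyRule": {
        "if": {"field": "tags['owner']", "exists": "false"},
        "then": {"effect": "Audit"},
    },
}

POLICIES = {"publicBlob": DENY_PUBLIC_BLOB_ACCESS, "ownerTag": AUDIT_MISSING_OWNER_TAG}

RESOURCES = {   # constructed ARM-style resource documents
    "sa-locked": {"type": "Microsoft.Storage/storageAccounts", "tags": {"owner": "secops"},
                  "properties": {"allowBlobPublicAccess": False}},
    "sa-open": {"type": "Microsoft.Storage/storageAccounts", "tags": {"owner": "dev"},
                "properties": {"allowBlobPublicAccess": True}},
    "sa-unset": {"type": "Microsoft.Storage/storageAccounts", "tags": {}, "properties": {}},
    "vm-01": {"type": "Microsoft.Compute/virtualMachines", "tags": {}, "properties": {}},
}


def compliance_report(policies=POLICIES, resources=RESOURCES):
    return {name: {pid: evaluate(pol, res) for pid, pol in policies.items()}
            for name, res in resources.items()}


if __name__ == "__main__":
    for name, effects in compliance_report().items():
        print(name, effects)
```

The point of the negated condition is the one to carry into the exam: a Deny effect only blocks create and update requests whose payload matches the if block, so a policy written as "equals true" would let a request that omits the property through, while "not equals false" catches it. Existing resources are only reported, never changed, which is why Audit and DeployIfNotExists with remediation tasks exist alongside Deny.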

Manage Security Posture Using Microsoft Defender for Cloud

  • Identify and remediate security risks using Secure Score and Inventory
  • Assess compliance against security frameworks
  • Manage compliance standards
  • Add custom standards
  • Connect hybrid cloud and multi-cloud environments (AWS, GCP)
  • Implement and use Microsoft Defender External Attack Surface Management

Configure and Manage Threat Protection Using Microsoft Defender for Cloud

  • Enable workload protection services
  • Configure Microsoft Defender for Servers, Databases, and Storage
  • Implement and manage agentless scanning for VMs
  • Implement and manage Microsoft Defender Vulnerability Management
  • Connect and configure Defender for Cloud DevOps Security (GitHub, Azure DevOps, GitLab)

Configure and Manage Security Monitoring and Automation Solutions

  • Manage and respond to security alerts in Microsoft Defender for Cloud
  • Configure workflow automation
  • Monitor network security events and performance data by configuring data collection rules (DCRs) in Azure Monitor
  • Configure data connectors in Microsoft Sentinel
  • Enable analytics rules in Microsoft Sentinel
  • Configure automation in Microsoft Sentinel
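
Added example for the Sentinel analytics-rule and automation items above (not part of the exam guide and not a Microsoft rule): the logic of a scheduled analytics rule for password spray, written in Python over constructed SigninLogs-style records so that it can be stepped through and tested offline. The thresholds, account names and addresses are assumptions. In Sentinel the same first stage would be the KQL `SigninLogs | where ResultType != "0" | summarize Users = dcount(UserPrincipalName), Attempts = count() by IPAddress, Window = bin(TimeGenerated, 10m) | where Users >= 5`, with IPAddress mapped to an IP entity and UserPrincipalName to an Account entity; the second stage, a later success from the same address, is what raises the severity and is the signal an automation rule would hand to a playbook that disables the account.

```python
"""Password-spray detection over constructed SigninLogs records (added example).

Assumptions: window size, user threshold, follow-up horizon and every record
below are constructed; ResultType "0" is a successful sign-in and "50126" is
the Entra error code for an invalid username or password.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_SIGNINS = [
    # spray from 203.0.113.77: one guess against each of five accounts, then a hit on erin
    {"TimeGenerated": "2025-01-31T09:01:10", "UserPrincipalName": "alice@contoso.com", "IPAddress": "203.0.113.77", "ResultType": "50126"},
    {"TimeGenerated": "2025-01-31T09:02:05", "UserPrincipalName": "bob@contoso.com", "IPAddress": "203.0.113.77", "ResultType": "50126"},
    {"TimeGenerated": "2025-01-31T09:03:40", "UserPrincipalName": "carol@contoso.com", "IPAddress": "203.0.113.77", "ResultType": "50126"},
    {"TimeGenerated": "2025-01-31T09:04:12", "UserPrincipalName": "dave@contoso.com", "IPAddress": "203.0.113.77", "ResultType": "50126"},
    {"TimeGenerated": "2025-01-31T09:06:33", "UserPrincipalName": "erin@contoso.com", "IPAddress": "203.0.113.77", "ResultType": "50126"},
    {"TimeGenerated": "2025-01-31T09:20:47", "UserPrincipalName": "erin@contoso.com", "IPAddress": "203.0.113.77", "ResultType": "0"},
    # frank mistypes his password twice from his usual address: one account, not a spray
    {"TimeGenerated": "2025-01-31T09:03:01", "UserPrincipalName": "frank@contoso.com", "IPAddress": "198.51.100.9", "ResultType": "50126"},
    {"TimeGenerated": "2025-01-31T09:03:30", "UserPrincipalName": "frank@contoso.com", "IPAddress": "198.51.100.9", "ResultType": "50126"},
    {"TimeGenerated": "2025-01-31T09:04:02", "UserPrincipalName": "frank@contoso.com", "IPAddress": "198.51.100.9", "ResultType": "0"},
    # 192.0.2.8 touches three accounts: below the default threshold
    {"TimeGenerated": "2025-01-31T09:05:00", "UserPrincipalName": "grace@contoso.com", "IPAddress": "192.0.2.8", "ResultType": "50126"},
    {"TimeGenerated": "2025-01-31T09:05:20", "UserPrincipalName": "heidi@contoso.com", "IPAddress": "192.0.2.8", "ResultType": "50126"},
    {"TimeGenerated": "2025-01-31T09:05:41", "UserPrincipalName": "ivan@contoso.com", "IPAddress": "192.0.2.8", "ResultType": "50126"},
]


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, follow_up=timedelta(hours=1)):
    """Group failed sign-ins per source IP and time window (like KQL bin()),
    flag windows with at least `min_users` distinct accounts, then look for a
    success from the same IP within `follow_up` of the window start."""
    failed_users = defaultdict(set)      # (ip, window_start) -> accounts
    attempts = defaultdict(int)          # (ip, window_start) -> failure count
    successes = defaultdict(list)        # ip -> [(time, account)]
    for e in events:
        t = datetime.fromisoformat(e["TimeGenerated"])
        ip, upn = e["IPAddress"], e["UserPrincipalName"]
        if e["ResultType"] == "0":
            successes[ip].append((t, upn))
            continue
        start = t - (t - datetime.min) % window    # same bucketing as bin(TimeGenerated, window)
        failed_users[(ip, start)].add(upn)
        attempts[(ip, start)] += 1

    alerts = []
    for (ip, start), users in sorted(failed_users.items()):
        if len(users) < min_users:
            continue
        compromised = sorted({u for t, u in successes[ip]
                              if start <= t <= start + window + follow_up and u in users})
        alerts.append({
            "ip": ip,
            "window_start": start.isoformat(),
            "distinct_users": len(users),
            "attempts": attempts[(ip, start)],
            "severity": "High" if compromised else "Medium",   # success after spray = likely compromise
            "compromised_accounts": compromised,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_SIGNINS):
        print(alert)
```

Tuning is the part the rule wizard cannot do for you: a threshold of five distinct accounts in ten minutes keeps the single-user typo case silent, and lowering it to three surfaces the third source as a Medium alert with no compromised account. Whatever the thresholds, the rule's lookback must cover the follow-up horizon, or the success that upgrades the alert lands outside the query.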

Key Study Resources

Official Microsoft Learn Paths

  • Manage identity and access
  • Implement platform protection
  • Secure data and applications
  • Manage security operations

Security Documentation

  • Microsoft Entra ID security
  • Azure network security
  • Azure Storage security
  • Microsoft Defender for Cloud
  • Microsoft Sentinel
  • Azure Policy

Practice Resources

  • Free Practice Assessment on Microsoft Learn
  • Microsoft Defender for Cloud labs (Defender for Cloud replaced Azure Security Center)
  • Microsoft Sentinel training lab
  • Azure security hands-on labs

Exam Details

  • Passing Score: 700
  • Question Format: Multiple choice, case studies, drag-and-drop
  • Exam Duration: 120 minutes; candidates whose native language is not English can request a 30-minute extension when the exam is not offered in their language (150 minutes total)
  • Languages Available: Multiple languages including English, Japanese, Chinese, Korean, German, French, Spanish, Portuguese
  • Exam Cost: $165 USD (varies by region)

Key Security Concepts

Zero Trust Model

  • Verify explicitly
  • Least privilege access
  • Assume breach
  • Microsegmentation
  • Identity as the security perimeter

Defense in Depth

  • Physical security
  • Identity and access
  • Perimeter security
  • Network security
  • Compute layer
  • Application layer
  • Data layer

Identity Security

  • Privileged Identity Management (PIM)
  • Conditional Access
  • Identity Protection
  • Access Reviews
  • Entitlement Management

Network Security

  • Network segmentation
  • Perimeter network (DMZ) implementation
  • Service endpoints vs Private endpoints
  • Network Security Groups
  • Application Security Groups

Data Protection

  • Encryption at rest
  • Encryption in transit
  • Key management
  • Data classification
  • Data loss prevention

Important Azure Security Services

Microsoft Entra ID (formerly Azure AD)

  • Authentication methods
  • Conditional Access policies
  • Identity Protection
  • Privileged Identity Management
  • Application management

Azure Firewall

  • FQDN filtering
  • Network rules
  • Application rules
  • Threat intelligence
  • Firewall Manager

Microsoft Defender for Cloud

  • Secure Score
  • Regulatory compliance
  • Workload protection
  • Cloud Security Posture Management (CSPM)
  • Cloud Workload Protection Platform (CWPP)

Microsoft Sentinel

  • Data connectors
  • Analytics rules
  • Playbooks (Logic Apps)
  • Workbooks
  • Threat hunting

Azure Key Vault

  • Secrets management
  • Key management
  • Certificate management
  • HSM-backed keys
  • RBAC vs vault access policies

Security Best Practices

Identity Management

  • Enable MFA for all users
  • Use PIM for privileged roles
  • Regular access reviews
  • Implement Conditional Access
  • Use managed identities

Network Security

  • Implement hub-spoke topology
  • Use NSGs at subnet level
  • Enable DDoS protection
  • Implement WAF for web apps
  • Use Private Endpoints

Data Security

  • Enable encryption by default
  • Use customer-managed keys
  • Implement data classification
  • Regular backup and test restore
  • Enable soft delete

Monitoring and Response

  • Enable diagnostic logging
  • Configure security alerts
  • Automate incident response
  • Regular security assessments
  • Threat hunting activities

Certification Path

  • Prerequisites: Azure Fundamentals (AZ-900) recommended
  • Renewal: required annually; pass the free online renewal assessment on Microsoft Learn within the six-month window before the certification expires
  • Related Certifications:
    • Azure Administrator Associate (AZ-104)
    • Azure Solutions Architect Expert (AZ-305)
    • Security Operations Analyst (SC-200)

Compliance and Governance

  • Azure Policy vs RBAC
  • Regulatory compliance dashboard
  • Azure Blueprints (deprecated; Microsoft recommends Template Specs and Deployment Stacks instead)
  • Resource locks
  • Management groups
  • Cost management and tags