AZ-500: Microsoft Azure Security Technologies Study Guide

Exam Overview

• Certification: Microsoft Azure Security Engineer Associate
• Exam Code: AZ-500
• Target Audience: Security engineers implementing, managing, and monitoring security for Azure resources
• Experience Required: Practical experience in Azure administration, strong familiarity with Microsoft Entra ID, compute, network, and storage

Skills Measured (as of January 31, 2025)

1. Secure Identity and Access (15-20%)

Manage Security Controls for Identity and Access

• Manage Azure built-in role assignments
• Manage custom roles (Azure roles and Microsoft Entra roles)
• Implement and manage Microsoft Entra Permissions Management
• Plan and manage Azure resources in Microsoft Entra Privileged Identity Management
• Implement multi-factor authentication (MFA) for Azure resources
• Implement Conditional Access policies for cloud resources
• Manage Microsoft Entra application access

Manage Microsoft Entra Application Access

• Manage access to enterprise applications (including OAuth permission grants)
• Manage Microsoft Entra app registrations
• Configure app registration permission scopes
• Manage app registration permission consent
• Manage and use service principals
• Manage managed identities

2. Secure Networking (20-25%)

Plan and Implement Security for Virtual Networks

• Plan and implement Network Security Groups (NSGs) and Application Security Groups (ASGs)
• Manage virtual networks using Azure Virtual Network Manager
• Plan and implement user-defined routes (UDRs)
• Plan and implement Virtual Network peering or VPN gateway
• Plan and implement Virtual WAN (including secured virtual hub)
• Secure VPN connectivity (point-to-site and site-to-site)
• Implement encryption over ExpressRoute
• Configure firewall settings on Azure resources
• Monitor network security using Network Watcher

Plan and Implement Security for Private Access to Azure Resources

• Plan and implement virtual network Service Endpoints
• Plan and implement Private Endpoints
• Plan and implement Private Link services
• Plan and implement network integration for App Service and Functions
• Network security configurations for App Service Environment (ASE)
• Network security configurations for Azure SQL Managed Instance

Plan and Implement Security for Public Access to Azure Resources

• Plan and implement TLS to applications (App Service, API Management)
• Plan, implement, and manage Azure Firewall (including Firewall Manager)
• Plan and implement Azure Application Gateway
• Plan and implement Azure Front Door (including CDN)
• Plan and implement Web Application Firewall (WAF)
• Recommend when to use Azure DDoS Protection Standard

3. Secure Compute, Storage, and Databases (20-25%)

Plan and Implement Advanced Security for Compute

• Plan and implement remote access to VMs (Azure Bastion, JIT)
• Configure network isolation for Azure Kubernetes Service (AKS)
• Secure and monitor AKS
• Configure authentication for AKS
• Configure security monitoring for Azure Container Instances
• Configure security monitoring for Azure Container Apps
• Manage access to Azure Container Registry
• Configure disk encryption (ADE, encryption at host, confidential disk encryption)
• Recommend security configurations for Azure API Management

Plan and Implement Security for Storage

• Configure access control for storage accounts
• Manage storage account access keys
• Select and configure access to Azure Files
• Select and configure access to Azure Blob Storage
• Protect against data security threats (soft delete, backups, versioning, immutable storage)
• Configure Bring Your Own Key (BYOK)
• Enable double encryption at Azure Storage infrastructure level

Plan and Implement Security for Azure SQL Database and SQL Managed Instance

• Enable Microsoft Entra database authentication
• Enable database auditing
• Plan and implement dynamic masking
• Implement Transparent Data Encryption (TDE)
• Recommend when to use Azure SQL Database Always Encrypted

4. Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel (30-35%)

Implement and Manage Enforcement of Cloud Governance Policies

• Create, assign, and interpret policies and initiatives in Azure Policy
• Configure Azure Key Vault network settings
• Configure access to Key Vault (vault access policies and Azure RBAC)
• Manage certificates, secrets, and keys
• Configure key rotation
• Perform backup and recovery of certificates, secrets, and keys
• Implement security controls to protect backups
• Implement security controls for asset management

Manage Security Posture Using Microsoft Defender for Cloud

• Identify and remediate security risks using Secure Score and Inventory
• Assess compliance against security frameworks
• Manage compliance standards
• Add custom standards
• Connect hybrid cloud and multi-cloud environments (AWS, GCP)
• Implement and use Microsoft Defender External Attack Surface Management

Configure and Manage Threat Protection Using Microsoft Defender for Cloud

• Enable workload protection services
• Configure Microsoft Defender for Servers, Databases, and Storage
• Implement and manage agentless scanning for VMs
• Implement and manage Microsoft Defender Vulnerability Management
• Connect and configure Defender for Cloud DevOps Security (GitHub, Azure DevOps, GitLab)

Configure and Manage Security Monitoring and Automation Solutions

• Manage and respond to security alerts in Microsoft Defender for Cloud
• Configure workflow automation
• Monitor network security events and performance data using DCRs in Azure Monitor
• Configure data connectors in Microsoft Sentinel
• Enable analytics rules in Microsoft Sentinel
• Configure automation in Microsoft Sentinel

Key Study Resources

Official Microsoft Learn Paths

• Manage identity and access
• Implement platform protection
• Secure data and applications
• Manage security operations

Security Documentation

• Microsoft Entra ID security
• Azure network security
• Azure Storage security
• Microsoft Defender for Cloud
• Microsoft Sentinel
• Azure Policy

Practice Resources

• Free Practice Assessment on Microsoft Learn
• Azure Security Center labs
• Microsoft Sentinel training lab
• Azure security hands-on labs

Exam Details

• Passing Score: 700
• Question Format: Multiple choice, case studies, drag-and-drop
• Exam Duration: 120 minutes (150 minutes for non-native English speakers)
• Languages Available: Multiple languages including English, Japanese, Chinese, Korean, German, French, Spanish, Portuguese
• Exam Cost: $165 USD (varies by region)

Key Security Concepts

Zero Trust Model

• Verify explicitly
• Least privilege access
• Assume breach
• Microsegmentation
• Identity as the security perimeter

Defense in Depth

• Physical security
• Identity and access
• Perimeter security
• Network security
• Compute layer
• Application layer
• Data layer

Identity Security

• Privileged Identity Management (PIM)
• Conditional Access
• Identity Protection
• Access Reviews
• Entitlement Management

Network Security

• Network segmentation
• DMZ implementation
• Service endpoints vs Private endpoints
• Network Security Groups
• Application Security Groups

Data Protection

• Encryption at rest
• Encryption in transit
• Key management
• Data classification
• Data loss prevention

Important Azure Security Services

Microsoft Entra ID (formerly Azure AD)

• Authentication methods
• Conditional Access policies
• Identity Protection
• Privileged Identity Management
• Application management

Azure Firewall

• FQDN filtering
• Network rules
• Application rules
• Threat intelligence
• Firewall Manager

Microsoft Defender for Cloud

• Secure Score
• Regulatory compliance
• Workload protection
• Cloud Security Posture Management (CSPM)
• Cloud Workload Protection Platform (CWPP)

Microsoft Sentinel

• Data connectors
• Analytics rules
• Playbooks (Logic Apps)
• Workbooks
• Threat hunting

Azure Key Vault

• Secrets management
• Key management
• Certificate management
• HSM-backed keys
• RBAC vs vault access policies

Security Best Practices

Identity Management

• Enable MFA for all users
• Use PIM for privileged roles
• Regular access reviews
• Implement Conditional Access
• Use managed identities

Network Security

• Implement hub-spoke topology
• Use NSGs at subnet level
• Enable DDoS protection
• Implement WAF for web apps
• Use Private Endpoints

Data Security

• Enable encryption by default
• Use customer-managed keys
• Implement data classification
• Regular backup and test restore
• Enable soft delete

Monitoring and Response

• Enable diagnostic logging
• Configure security alerts
• Automate incident response
• Regular security assessments
• Threat hunting activities

Certification Path

• Prerequisites: Azure Fundamentals (AZ-900) recommended
• Renewal: Required every 12 months through Microsoft Learn
• Related Certifications:
  • Azure Administrator Associate (AZ-104)
  • Azure Solutions Architect Expert (AZ-305)
  • Security Operations Analyst (SC-200)

Compliance and Governance

• Azure Policy vs RBAC
• Regulatory compliance dashboard
• Azure Blueprints
• Resource locks
• Management groups
• Cost management and tags