Study guide for Exam AZ-500: Microsoft Azure Security Technologies
Purpose of this document
This study guide should help you understand what to expect on the exam and includes a summary of the topics the exam might cover and links to additional resources. The information and materials in this document should help you focus your studies as you prepare for the exam.
Useful links | Description |
---|---|
How to earn the certification | Some certifications only require passing one exam, while others require passing multiple exams. |
Certification renewal | Microsoft associate, expert, and specialty certifications expire annually. You can renew by passing a free online assessment on Microsoft Learn. |
Your Microsoft Learn profile | Connecting your certification profile to Microsoft Learn allows you to schedule and renew exams and share and print certificates. |
Exam scoring and score reports | A score of 700 or greater is required to pass. |
Exam sandbox | You can explore the exam environment by visiting our exam sandbox. |
Request accommodations | If you use assistive devices, require extra time, or need modification to any part of the exam experience, you can request an accommodation. |
Take a free Practice Assessment | Test your skills with practice questions to help you prepare for the exam. |
Updates to the exam
We always update the English language version of the exam first. Some exams are localized into other languages, and those are updated approximately eight weeks after the English version is updated. Other available languages are listed in the Schedule Exam section of the Exam Details webpage. If the exam isn't available in your preferred language, you can request an additional 30 minutes to complete the exam.
Note
The bullets that follow each of the skills measured are intended to illustrate how we are assessing that skill. Related topics may be covered in the exam.
Note
Most questions cover features that are general availability (GA). The exam may contain questions on Preview features if those features are commonly used.
Skills measured as of January 31, 2025
Audience profile
As the Azure security engineer, you implement, manage, and monitor security for resources in Azure, multi-cloud, and hybrid environments as part of an end-to-end infrastructure. You implement and manage security components and configurations by using Microsoft Defender for Cloud and other tools. You ensure that the infrastructure aligns with standards and best practices such as the Microsoft Cloud Security Benchmark (MCSB).
Your responsibilities as an Azure security engineer include:
Managing the security posture.
Implementing threat protection.
Identifying and remediating vulnerabilities.
You are responsible for implementing regulatory compliance controls for Azure infrastructure including identity and access, network, compute, storage, data, applications, asset management, backup and recovery, and devops security.
As an Azure security engineer, you work with architects, administrators, and developers to plan and implement solutions that meet security and compliance requirements. You may also collaborate with security operations in responding to security incidents in Azure.
You should have:
Practical experience in administration of Microsoft Azure and hybrid environments.
Strong familiarity with Microsoft Entra ID, as well as compute, network, and storage in Azure.
Skills at a glance
Secure identity and access (15–20%)
Secure networking (20–25%)
Secure compute, storage, and databases (20–25%)
Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel (30–35%)
Secure identity and access (15–20%)
Manage security controls for identity and access
Manage Azure built-in role assignments
Manage custom roles, including Azure roles and Microsoft Entra roles
Implement and manage Microsoft Entra Permissions Management
Plan and manage Azure resources in Microsoft Entra Privileged Identity Management, including settings and assignments
Implement multi-factor authentication (MFA) for access to Azure resources
Implement Conditional Access policies for cloud resources in Azure
Manage Microsoft Entra application access
Manage access to enterprise applications in Microsoft Entra ID, including OAuth permission grants
Manage Microsoft Entra app registrations
Configure app registration permission scopes
Manage app registration permission consent
Manage and use service principals
Manage managed identities
Secure networking (20–25%)
Plan and implement security for virtual networks
Plan and implement Network Security Groups (NSGs) and Application Security Groups (ASGs)
Manage virtual networks by using Azure Virtual Network Manager
Plan and implement user-defined routes (UDRs)
Plan and implement Virtual Network peering or VPN gateway
Plan and implement Virtual WAN, including secured virtual hub
Secure VPN connectivity, including point-to-site and site-to-site
Implement encryption over ExpressRoute
Configure firewall settings on Azure resources
Monitor network security by using Network Watcher
Plan and implement security for private access to Azure resources
Plan and implement virtual network Service Endpoints
Plan and implement Private Endpoints
Plan and implement Private Link services
Plan and implement network integration for Azure App Service and Azure Functions
Plan and implement network security configurations for an App Service Environment (ASE)
Plan and implement network security configurations for an Azure SQL Managed Instance
Plan and implement security for public access to Azure resources
Plan and implement Transport Layer Security (TLS) to applications, including Azure App Service and API Management
Plan, implement, and manage an Azure Firewall, including Azure Firewall Manager and firewall policies
Plan and implement an Azure Application Gateway
Plan and implement an Azure Front Door, including Content Delivery Network (CDN)
Plan and implement a Web Application Firewall (WAF)
Recommend when to use Azure DDoS Protection Standard
Secure compute, storage, and databases (20–25%)
Plan and implement advanced security for compute
Plan and implement remote access to virtual machines, including Azure Bastion and just-in-time (JIT)
Configure network isolation for Azure Kubernetes Service (AKS)
Secure and monitor AKS
Configure authentication for AKS
Configure security monitoring for Azure Container Instances (ACIs)
Configure security monitoring for Azure Container Apps (ACAs)
Manage access to Azure Container Registry (ACR)
Configure disk encryption, including Azure Disk Encryption (ADE), encryption at host, and confidential disk encryption
Recommend security configurations for Azure API Management
Plan and implement security for storage
Configure access control for storage accounts
Manage storage account access keys
Select and configure an appropriate method for access to Azure Files
Select and configure an appropriate method for access to Azure Blob Storage
Select and configure appropriate methods for protecting against data security threats, including soft delete, backups, versioning, and immutable storage
Configure Bring your own key (BYOK)
Enable double encryption at the Azure Storage infrastructure level
Plan and implement security for Azure SQL Database and Azure SQL Managed Instance
Enable Microsoft Entra database authentication
Enable database auditing
Plan and implement dynamic masking
Implement Transparent Data Encryption (TDE)
Recommend when to use Azure SQL Database Always Encrypted
Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel (30–35%)
Implement and manage enforcement of cloud governance policies
Create, assign, and interpret policies and initiatives in Azure Policy
Configure Azure Key Vault network settings
Configure access to Key Vault, including vault access policies and Azure Role Based Access Control
Manage certificates, secrets, and keys
Configure key rotation
Perform backup and recovery of certificates, secrets, and keys
Implement security controls to protect backups
Implement security controls for asset management
Manage security posture by using Microsoft Defender for Cloud
Identify and remediate security risks by using the Microsoft Defender for Cloud Secure Score and Inventory
Assess compliance against security frameworks by using Microsoft Defender for Cloud
Manage compliance standards in Microsoft Defender for Cloud
Add custom standards to Microsoft Defender for Cloud
Connect hybrid cloud and multi-cloud environments to Microsoft Defender for Cloud, including Amazon Web Services (AWS) and Google Cloud Platform (GCP)
Implement and use Microsoft Defender External Attack Surface Management (EASM)
Configure and manage threat protection by using Microsoft Defender for Cloud
Enable workload protection services in Microsoft Defender for Cloud
Configure Microsoft Defender for Servers, Microsoft Defender for Databases, and Microsoft Defender for Storage
Implement and manage agentless scanning for virtual machines in Microsoft Defender for Servers
Implement and manage Microsoft Defender Vulnerability Management for Azure virtual machines
Connect to and configure settings in Microsoft Defender for Cloud Devops Security, including GitHub, Azure DevOps, and GitLab
Configure and manage security monitoring and automation solutions
Manage and respond to security alerts in Microsoft Defender for Cloud
Configure workflow automation by using Microsoft Defender for Cloud
Monitor network security events and performance data by configuring data collection rules (DCRs) in Azure Monitor
Configure data connectors in Microsoft Sentinel
Enable analytics rules in Microsoft Sentinel
Configure automation in Microsoft Sentinel
Study resources
We recommend that you train and get hands-on experience before you take the exam. We offer self-study options and classroom training as well as links to documentation, community sites, and videos.
Change log
The table below summarizes the changes between the current and previous version of the skills measured. The functional groups are in bold typeface followed by the objectives within each group. The table is a comparison between the previous and current version of the exam skills measured and the third column describes the extent of the changes.
Skill area prior to January 31, 2025 | Skill area as of January 31, 2025 | Change |
---|---|---|
Audience profile | Major | |
Manage identity and access | Secure identity and access | % of the exam decreased |
Manage Microsoft Entra identities | Deleted | |
Manage Microsoft Entra authentication | Deleted | |
Manage Microsoft Entra authorization | Manage security controls for identity and access | Major |
Manage Microsoft Entra application access | Manage Microsoft Entra application access | Minor |
Secure networking | Secure networking | % of the exam increased |
Plan and implement security for virtual networks | Plan and implement security for virtual networks | Minor |
Secure compute, storage, and databases | Secure compute, storage, and databases | No change |
Plan and implement advanced security for compute | Plan and implement advanced security for compute | Minor |
Plan and implement security for storage | Plan and implement security for storage | Major |
Plan and implement security for Azure SQL Database and Azure SQL Managed Instance | Plan and implement security for Azure SQL Database and Azure SQL Managed Instance | Major |
Manage security operations | Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel | % of the exam increased |
Plan, implement, and manage governance for security | Implement and manage enforcement of cloud governance policies | Major |
Manage security posture by using Microsoft Defender for Cloud | Manage security posture by using Microsoft Defender for Cloud | Minor |
Configure and manage threat protection by using Microsoft Defender for Cloud | Configure and manage threat protection by using Microsoft Defender for Cloud | Major |
Configure and manage security monitoring and automation solutions | Configure and manage security monitoring and automation solutions | Minor |