Delen via


Study guide for Exam AZ-500: Microsoft Azure Security Technologies

Purpose of this document

This study guide should help you understand what to expect on the exam and includes a summary of the topics the exam might cover and links to additional resources. The information and materials in this document should help you focus your studies as you prepare for the exam.

Useful links Description
How to earn the certification Some certifications only require passing one exam, while others require passing multiple exams.
Certification renewal Microsoft associate, expert, and specialty certifications expire annually. You can renew by passing a free online assessment on Microsoft Learn.
Your Microsoft Learn profile Connecting your certification profile to Microsoft Learn allows you to schedule and renew exams and share and print certificates.
Exam scoring and score reports A score of 700 or greater is required to pass.
Exam sandbox You can explore the exam environment by visiting our exam sandbox.
Request accommodations If you use assistive devices, require extra time, or need modification to any part of the exam experience, you can request an accommodation.
Take a free Practice Assessment Test your skills with practice questions to help you prepare for the exam.

Updates to the exam

We always update the English language version of the exam first. Some exams are localized into other languages, and those are updated approximately eight weeks after the English version is updated. Other available languages are listed in the Schedule Exam section of the Exam Details webpage. If the exam isn't available in your preferred language, you can request an additional 30 minutes to complete the exam.

Note

The bullets that follow each of the skills measured are intended to illustrate how we are assessing that skill. Related topics may be covered in the exam.

Note

Most questions cover features that are general availability (GA). The exam may contain questions on Preview features if those features are commonly used.

Skills measured as of January 31, 2025

Audience profile

As the Azure security engineer, you implement, manage, and monitor security for resources in Azure, multi-cloud, and hybrid environments as part of an end-to-end infrastructure. You implement and manage security components and configurations by using Microsoft Defender for Cloud and other tools. You ensure that the infrastructure aligns with standards and best practices such as the Microsoft Cloud Security Benchmark (MCSB).

Your responsibilities as an Azure security engineer include:

  • Managing the security posture.

  • Implementing threat protection.

  • Identifying and remediating vulnerabilities.

You are responsible for implementing regulatory compliance controls for Azure infrastructure including identity and access, network, compute, storage, data, applications, asset management, backup and recovery, and devops security.

As an Azure security engineer, you work with architects, administrators, and developers to plan and implement solutions that meet security and compliance requirements. You may also collaborate with security operations in responding to security incidents in Azure.

You should have:

  • Practical experience in administration of Microsoft Azure and hybrid environments.

  • Strong familiarity with Microsoft Entra ID, as well as compute, network, and storage in Azure.

Skills at a glance

  • Secure identity and access (15–20%)

  • Secure networking (20–25%)

  • Secure compute, storage, and databases (20–25%)

  • Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel (30–35%)

Secure identity and access (15–20%)

Manage security controls for identity and access

  • Manage Azure built-in role assignments

  • Manage custom roles, including Azure roles and Microsoft Entra roles

  • Implement and manage Microsoft Entra Permissions Management

  • Plan and manage Azure resources in Microsoft Entra Privileged Identity Management, including settings and assignments

  • Implement multi-factor authentication (MFA) for access to Azure resources

  • Implement Conditional Access policies for cloud resources in Azure

Manage Microsoft Entra application access

  • Manage access to enterprise applications in Microsoft Entra ID, including OAuth permission grants

  • Manage Microsoft Entra app registrations

  • Configure app registration permission scopes

  • Manage app registration permission consent

  • Manage and use service principals

  • Manage managed identities

Secure networking (20–25%)

Plan and implement security for virtual networks

  • Plan and implement Network Security Groups (NSGs) and Application Security Groups (ASGs)

  • Manage virtual networks by using Azure Virtual Network Manager

  • Plan and implement user-defined routes (UDRs)

  • Plan and implement Virtual Network peering or VPN gateway

  • Plan and implement Virtual WAN, including secured virtual hub

  • Secure VPN connectivity, including point-to-site and site-to-site

  • Implement encryption over ExpressRoute

  • Configure firewall settings on Azure resources

  • Monitor network security by using Network Watcher

Plan and implement security for private access to Azure resources

  • Plan and implement virtual network Service Endpoints

  • Plan and implement Private Endpoints

  • Plan and implement Private Link services

  • Plan and implement network integration for Azure App Service and Azure Functions

  • Plan and implement network security configurations for an App Service Environment (ASE)

  • Plan and implement network security configurations for an Azure SQL Managed Instance

Plan and implement security for public access to Azure resources

  • Plan and implement Transport Layer Security (TLS) to applications, including Azure App Service and API Management

  • Plan, implement, and manage an Azure Firewall, including Azure Firewall Manager and firewall policies

  • Plan and implement an Azure Application Gateway

  • Plan and implement an Azure Front Door, including Content Delivery Network (CDN)

  • Plan and implement a Web Application Firewall (WAF)

  • Recommend when to use Azure DDoS Protection Standard

Secure compute, storage, and databases (20–25%)

Plan and implement advanced security for compute

  • Plan and implement remote access to virtual machines, including Azure Bastion and just-in-time (JIT)

  • Configure network isolation for Azure Kubernetes Service (AKS)

  • Secure and monitor AKS

  • Configure authentication for AKS

  • Configure security monitoring for Azure Container Instances (ACIs)

  • Configure security monitoring for Azure Container Apps (ACAs)

  • Manage access to Azure Container Registry (ACR)

  • Configure disk encryption, including Azure Disk Encryption (ADE), encryption at host, and confidential disk encryption

  • Recommend security configurations for Azure API Management

Plan and implement security for storage

  • Configure access control for storage accounts

  • Manage storage account access keys

  • Select and configure an appropriate method for access to Azure Files

  • Select and configure an appropriate method for access to Azure Blob Storage

  • Select and configure appropriate methods for protecting against data security threats, including soft delete, backups, versioning, and immutable storage

  • Configure Bring your own key (BYOK)

  • Enable double encryption at the Azure Storage infrastructure level

Plan and implement security for Azure SQL Database and Azure SQL Managed Instance

  • Enable Microsoft Entra database authentication

  • Enable database auditing

  • Plan and implement dynamic masking

  • Implement Transparent Data Encryption (TDE)

  • Recommend when to use Azure SQL Database Always Encrypted

Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel (30–35%)

Implement and manage enforcement of cloud governance policies

  • Create, assign, and interpret policies and initiatives in Azure Policy

  • Configure Azure Key Vault network settings

  • Configure access to Key Vault, including vault access policies and Azure Role Based Access Control

  • Manage certificates, secrets, and keys

  • Configure key rotation

  • Perform backup and recovery of certificates, secrets, and keys

  • Implement security controls to protect backups

  • Implement security controls for asset management

Manage security posture by using Microsoft Defender for Cloud

  • Identify and remediate security risks by using the Microsoft Defender for Cloud Secure Score and Inventory

  • Assess compliance against security frameworks by using Microsoft Defender for Cloud

  • Manage compliance standards in Microsoft Defender for Cloud

  • Add custom standards to Microsoft Defender for Cloud

  • Connect hybrid cloud and multi-cloud environments to Microsoft Defender for Cloud, including Amazon Web Services (AWS) and Google Cloud Platform (GCP)

  • Implement and use Microsoft Defender External Attack Surface Management (EASM)

Configure and manage threat protection by using Microsoft Defender for Cloud

  • Enable workload protection services in Microsoft Defender for Cloud

  • Configure Microsoft Defender for Servers, Microsoft Defender for Databases, and Microsoft Defender for Storage

  • Implement and manage agentless scanning for virtual machines in Microsoft Defender for Servers

  • Implement and manage Microsoft Defender Vulnerability Management for Azure virtual machines

  • Connect to and configure settings in Microsoft Defender for Cloud Devops Security, including GitHub, Azure DevOps, and GitLab

Configure and manage security monitoring and automation solutions

  • Manage and respond to security alerts in Microsoft Defender for Cloud

  • Configure workflow automation by using Microsoft Defender for Cloud

  • Monitor network security events and performance data by configuring data collection rules (DCRs) in Azure Monitor

  • Configure data connectors in Microsoft Sentinel

  • Enable analytics rules in Microsoft Sentinel

  • Configure automation in Microsoft Sentinel

Study resources

We recommend that you train and get hands-on experience before you take the exam. We offer self-study options and classroom training as well as links to documentation, community sites, and videos.

Study resources Links to learning and documentation
Get trained Choose from self-paced learning paths and modules or take an instructor-led course
Find documentation Azure documentation
Microsoft Entra ID
Azure Firewall documentation
Azure Firewall Manager documentation
Azure Application Gateway documentation
Azure Front Door and CDN Documentation
Web Application Firewall documentation
Azure Key Vault documentation
Virtual network service endpoint policies for Azure Storage
Manage Azure Private Endpoints - Azure Private Link
Create a Private Link service by using the Azure portal
Azure DDoS Protection documentation
Virtual machines in Azure
Secure and use policies on virtual machines in Azure
Security - Azure App Service
Azure Policy documentation
Plan your Defender for Servers deployment
Microsoft Defender for Cloud documentation
Microsoft Threat Modeling Tool overview
Azure Monitor documentation
Microsoft Sentinel documentation
Azure Storage documentation
Azure Files documentation
Azure SQL documentation
Ask a question Microsoft Q&A | Microsoft Docs
Get community support Azure Community Support
Follow Microsoft Learn Microsoft Learn - Microsoft Tech Community
Find a video Exam Readiness Zone
Azure Fridays
Browse other Microsoft Learn shows

Change log

The table below summarizes the changes between the current and previous version of the skills measured. The functional groups are in bold typeface followed by the objectives within each group. The table is a comparison between the previous and current version of the exam skills measured and the third column describes the extent of the changes.

Skill area prior to January 31, 2025 Skill area as of January 31, 2025 Change
Audience profile Major
Manage identity and access Secure identity and access % of the exam decreased
Manage Microsoft Entra identities Deleted
Manage Microsoft Entra authentication Deleted
Manage Microsoft Entra authorization Manage security controls for identity and access Major
Manage Microsoft Entra application access Manage Microsoft Entra application access Minor
Secure networking Secure networking % of the exam increased
Plan and implement security for virtual networks Plan and implement security for virtual networks Minor
Secure compute, storage, and databases Secure compute, storage, and databases No change
Plan and implement advanced security for compute Plan and implement advanced security for compute Minor
Plan and implement security for storage Plan and implement security for storage Major
Plan and implement security for Azure SQL Database and Azure SQL Managed Instance Plan and implement security for Azure SQL Database and Azure SQL Managed Instance Major
Manage security operations Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel % of the exam increased
Plan, implement, and manage governance for security Implement and manage enforcement of cloud governance policies Major
Manage security posture by using Microsoft Defender for Cloud Manage security posture by using Microsoft Defender for Cloud Minor
Configure and manage threat protection by using Microsoft Defender for Cloud Configure and manage threat protection by using Microsoft Defender for Cloud Major
Configure and manage security monitoring and automation solutions Configure and manage security monitoring and automation solutions Minor