DISCLOSURE: This post may contain affiliate links, meaning we receive a commission when you click the links and make a purchase. We appreciate your support!
Updated – 17/05/2026 – Microsoft has announced that the Azure Security Engineer Associate certification, the related AZ-500 exam, and renewal assessments will retire on August 31, 2026. After this date, you will no longer be able to earn or renew the AZ-500 certification. The new SC-500 certification, replacing the AZ-500, will be available starting June 2026 and validates the skills needed to secure modern cloud and AI workloads. Check the new SC-500 Exam Study Guide!
Updated – 17/02/2025 — The exam guide below shows the major changes to be implemented starting January 31, 2025. The study guide has been updated to reflect Microsoft’s new exam objectives.
Updated — 13/05/2024 — The AZ-500 exam study guide below includes Free On-demand Instructor-led video training.
Updated – 03/08/2023 — The exam guide below shows the changes to be implemented starting August 23, 2023. The study guide has been updated to reflect Microsoft’s new exam objectives.
Updated – 21/04/2023 — The exam study guide below includes a new Free practice assessment for the AZ-500 certification.
Updated – 26/03/2023 — The exam guide below shows the changes to be implemented starting February 2, 2023. The study guide has been updated to reflect the new exam objectives added and removed by Microsoft.
Updated – 25/11/2021 — This study guide has been updated to reflect the new lab questions added by Microsoft. Please check the following hands-on lab section to help you prepare and gain more practical experience.
Updated – 09/02/2021 — The AZ-500 exam guide below shows the changes to be implemented starting January 27, 2021. This article has been updated to reflect the new exam objectives added by Microsoft and new study references to help you prepare successfully. Please check the following section, where you can download the appendix that covers the new additions per skill measure.
Table of Contents
Introduction
Microsoft is evolving its learning programs to help you and your career keep pace with today’s demanding IT environments. At Ignite in September 2018, Microsoft announced new role-based certifications to help you and your career keep pace with today’s business requirements. They are evolving their learning program to better offer what you need to skill up, prove your expertise to employers and peers, and get the recognition—and opportunities—you’ve earned.
After passing the Microsoft Azure Solutions Expert exam, the Azure Developer Associate exam, the Microsoft Azure Administrator certification, and the Microsoft Azure Fundamentals exam. I decided to sit for the Microsoft Azure Security Engineer exam.
I am so happy and grateful that I passed the AZ-500 Microsoft Certified: Azure Security Engineer Associate. I figured that I would share my experience in this post to help you prepare and tackle this exam successfully.
Updated – 09/11/2021 — In this exam, I got around 44 questions, 2 massive case studies, and a lab with 10 practical tasks, and it took only 120 minutes (2 hours). Microsoft started introducing performance-lab questions. The practical lab also wasted valuable seconds because it was slow. As you can see, the exam is getting a bit tough, so you need to prepare well. The questions pretty much match the list of skills measured below.
Updated – 04/05/2026 — I got 25 questions without a case study for the renewal assessment.
The performance assessment is based on the following topics:
> Single sign-on for applications
> Manage access to the enterprise
> Plan and implement security for virtual networks
> Plan and implement security for private access
> Plan and implement security for public access
> Plan and implement advanced security for compute
> Implement and manage the enforcement of cloud
> Connect non-Azure resources to Azure Arc
> Enable workload protection services in Microsoft Defender for Cloud
> Configure and manage security monitoring and automation solutions
Exam Profile Audience
This exam is for Azure Security Engineers or IT Administrators with a security focus or wanting to focus on security. The security engineer focuses on implementing Azure security controls that protect identity, access, data, applications, and networks in cloud and hybrid environments as part of an end-to-end infrastructure.
An Azure security engineer’s responsibilities include managing the security posture, identifying and remediating vulnerabilities, performing threat modeling, implementing threat protection, and responding to security incident escalations.
Candidates for this exam should have strong skills in scripting and automation, a deep understanding of networking, virtualization, and cloud n-tier architecture, and a strong familiarity with cloud capabilities in general and Microsoft Azure products and services in particular. The Azure Security Engineer should also know other Microsoft products and services.
Please note that the Azure Security Engineer role does NOT focus on helping secure Microsoft 365 and remains separate from the M365 Security and Compliance Administrator role.
Prerequisites study guide
If you are new to the Azure Security Engine role, please check the following references that will help you understand security fundamentals:
> Introduction to Azure security
> Azure security technical capabilities
> Azure identity management security overview
> Azure network security overview
> Fundamentals of Network Security
> Microsoft Azure Well-Architected Framework Security
Skills measured on this exam
This exam measures your ability to accomplish the technical topics listed below based on the latest update from Microsoft. Please note that most questions cover features that are General Availability (GA). However, the exam may contain questions on Preview features if those features are commonly used by users.
Links to relevant reading from the official Microsoft documentation for each skill tested are listed below to help you prepare:
Secure identity and access (15–20%)
Manage security controls for identity and access
- Manage Azure built-in role assignments
- Manage custom roles, including Azure roles and Microsoft Entra roles
- Implement and manage Microsoft Entra Permissions Management
- Plan and manage Azure resources in Microsoft Entra Privileged Identity Management, including settings and assignments
- Implement multi-factor authentication (MFA) for access to Azure resources
- Implement Conditional Access policies for cloud resources in Azure
Manage Microsoft Entra application access
- Manage access to enterprise applications in Microsoft Entra ID, including OAuth permission grants
- Manage Microsoft Entra app registrations
- Configure app registration permission scopes
- Manage app registration permission consent
- Manage and use service principals
- Manage managed identities
Secure networking (20–25%)
Plan and implement security for virtual networks
- Plan and implement Network Security Groups (NSGs) and Application Security Groups (ASGs)
- Manage virtual networks by using Azure Virtual Network Manager
- Plan and implement user-defined routes (UDRs)
- Plan and implement Virtual Network peering or VPN gateway
- Plan and implement Virtual WAN, including secured virtual hub
- Secure VPN connectivity, including point-to-site and site-to-site
- Implement encryption over ExpressRoute
- Configure firewall settings on Azure resources
- Monitor network security by using Network Watcher
Plan and implement security for private access to Azure resources
- Plan and implement virtual network Service Endpoints
- Plan and implement Private Endpoints
- Plan and implement Private Link services
- Plan and implement network integration for Azure App Service and Azure Functions
- Plan and implement network security configurations for an App Service Environment (ASE)
- Plan and implement network security configurations for an Azure SQL Managed Instance
Plan and implement security for public access to Azure resources
- Plan and implement Transport Layer Security (TLS) to applications, including Azure App Service and API Management
- Plan, implement, and manage an Azure Firewall, including Azure Firewall Manager and firewall policies
- Plan and implement an Azure Application Gateway
- Plan and implement an Azure Front Door, including Content Delivery Network (CDN)
- Plan and implement a Web Application Firewall (WAF)
- Recommend when to use Azure DDoS Protection Standard
Secure compute, storage, and databases (20–25%)
Plan and implement advanced security for compute
- Plan and implement remote access to virtual machines, including Azure Bastion and just-in-time (JIT)
- Configure network isolation for Azure Kubernetes Service (AKS)
- Secure and monitor AKS
- Configure authentication for AKS
- Configure security monitoring for Azure Container Instances (ACIs)
- Configure security monitoring for Azure Container Apps (ACAs)
- Manage access to Azure Container Registry (ACR)
- Configure disk encryption, including Azure Disk Encryption (ADE), encryption at host, and confidential disk encryption
- Recommend security configurations for Azure API Management
Plan and implement security for storage
- Configure access control for storage accounts
- Manage storage account access keys
- Select and configure an appropriate method for access to Azure Files
- Select and configure an appropriate method for access to Azure Blob Storage
- Select and configure appropriate methods for protecting against data security threats, including soft delete, backups, versioning, and immutable storage
- Configure Bring your own key (BYOK)
- Enable double encryption at the Azure Storage infrastructure level
Plan and implement security for Azure SQL Database and Azure SQL Managed Instance
- Enable Microsoft Entra database authentication
- Enable database auditing
- Plan and implement dynamic masking
- Implement Transparent Data Encryption (TDE)
- Recommend when to use Azure SQL Database Always Encrypted
Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel (30–35%)
Implement and manage enforcement of cloud governance policies
- Create, assign, and interpret policies and initiatives in Azure Policy
- Configure Azure Key Vault network settings
- Configure access to Key Vault, including vault access policies and Azure Role-Based Access Control
- Manage certificates, secrets, and keys
- Configure key rotation
- Perform backup and recovery of certificates, secrets, and keys
- Implement security controls to protect backups
- Implement security controls for asset management
Manage security posture by using Microsoft Defender for Cloud
- Identify and remediate security risks by using the Microsoft Defender for Cloud Secure Score and Inventory
- Assess compliance against security frameworks by using Microsoft Defender for Cloud
- Manage compliance standards in Microsoft Defender for Cloud
- Add custom standards to Microsoft Defender for Cloud
- Connect hybrid cloud and multi-cloud environments to Microsoft Defender for Cloud, including Amazon Web Services (AWS) and Google Cloud Platform (GCP)
- Implement and use Microsoft Defender External Attack Surface Management (EASM)
Configure and manage threat protection by using Microsoft Defender for Cloud
- Enable workload protection services in Microsoft Defender for Cloud
- Configure Microsoft Defender for Servers, Microsoft Defender for Databases, and Microsoft Defender for Storage
- Implement and manage agentless scanning for virtual machines in Microsoft Defender for Servers
- Implement and manage Microsoft Defender Vulnerability Management for Azure virtual machines
- Connect to and configure settings in Microsoft Defender for Cloud DevOps Security, including GitHub, Azure DevOps, and GitLab
Configure and manage security monitoring and automation solutions
- Manage and respond to security alerts in Microsoft Defender for Cloud
- Configure workflow automation by using Microsoft Defender for Cloud
- Monitor network security events and performance data by configuring data collection rules (DCRs) in Azure Monitor
- Configure data connectors in Microsoft Sentinel
- Enable analytics rules in Microsoft Sentinel
- Configure automation in Microsoft Sentinel
Lessons Learned and Exam Preparation
Practice, practice, and read… I cannot stress enough that hands-on experience and understanding of all the security concepts will help you to pass this exam. The key to success in passing this exam is to work with Microsoft Azure daily, especially cloud governance and security.
Based on my experience to get the most from this preparation you need the following trial subscriptions or equivalent access:
> An Azure subscription – you can create your free Azure account today and start practicing the latest and greatest security features.
> Microsoft 365 E5 plan.
> Microsoft Defender for Cloud with Defender plan enabled (free for 30 days).
I usually use Microsoft Azure Security Documentation which is a great resource to dive deep into each topic, and I use Microsoft Learn the new learning approach which is more structured to learn all the topics required for the exam. I highly recommend going through the free learning modules below on Microsoft Learn to prepare for the AZ-500 exam:
- AZ-500 Part-1: Manage Identity and Access (5 modules).
- AZ-500 Part-2: Implement platform protection (4 modules).
- AZ-500 Part-3: Secure your data and applications (4 modules).
- AZ-500 Part-4: Manage security operation (3 modules).
You can watch the free Azure Security Expert Series videos provided by Microsoft to get you prepared. Pluralsight also offers a great learning path for the Microsoft Azure Security Engineer preparation, you can check it out here.
You can also go through the following free Azure Security AZ-500 course from Microsoft to get prepared for this exam:
If you have access to a LinkedIn Learning platform, then I highly recommend going through the following fast preparation path in just 6 hours:
- Manage Identity and Access (Domain 1)
- Implement Platform Protection (Domain 2)
- Manage Security Operations (Domain 3)
- Secure Data and Applications (Domain 4)
I also recommend the comprehensive course on Azure Cloud Security on Udemy to learn how to implement security controls across the board.
Additionally, Skillmeup.com offered a great path for AZ-500 Exam preparation, and Skylinesacademy.com just released the AZ-500 course at a low cost, I highly recommend checking them out.
Books
As of December 10, 2020, Microsoft released the Exam Reference AZ-500 Book – Microsoft Azure Security Technologies (2nd Edition), which you can place the order from here. I highly recommend this book to prepare and pass this exam.
As of April 21st, 2022, you can order the updated Exam Ref AZ-500 Microsoft Azure Security Technologies with Practice Test (2nd Edition). I highly recommend this book to prepare and pass the new version of the AZ-500 exam.
On January 27, 2021, Microsoft updated the AZ-500 Exam objectives to add new topics to the existing areas of the exam. This appendix covers the new additions per the skill measure section. You can download the AZ-500 book appendix from here to help you prepare for the latest exam questions.
AZ-500 Exam Training Labs
Recently, Microsoft has added lab questions to the AZ-500 exam. Please make sure to check the following step-by-step hands-on labs that will help you to gain more practical experience and pass this exam:
1) LAB 01 – Role-Based Access Control.
2) LAB 02 – Azure Policy.
3) LAB 03 – Resource Manager Locks.
4) LAB 04 – MFA, and Conditional Access.
5) LAB 05 – Azure AD Privileged Identity Management.
6) LAB 06 – Implement Directory Synchronization.
7) LAB 07 – Network Security Groups and Application Security Groups.
8) LAB 08 – Azure Firewall.
9) LAB 09 – Configuring and Securing ACR and AKS.
10) LAB 10 – Key Vault (Implementing Secure Data by setting up Always Encrypted).
11) LAB 11 – Securing Azure SQL Database.
12) LAB 12 – Service Endpoints and Securing Storage.
13) LAB 13 – Azure Monitor.
14) LAB 14 – Microsoft Defender for Cloud.
15) LAB 15 – Microsoft Sentinel.
AZ-500 Free Practice Assessment
Are you preparing for the AZ-500 certification exam? Microsoft just announced Practice Assessments on Microsoft Learn, the newest free exam preparation resource that allows you to assess your knowledge and fill knowledge gaps so that you are better prepared the take the AZ-500 certification exam.
The following assessment provides you with an overview of the style, wording, and difficulty of the questions you’re likely to experience on the exam. Through this assessment, you’re able to assess your readiness, determine where additional preparation is needed, and fill knowledge gaps bringing you one step closer to the likelihood of passing your AZ-500 exam.
> Take now the Exam AZ-500: Microsoft Azure Security Technologies Practice Assessment (50 questions).
Prepare for your certification exam by assessing your knowledge through Practice Assessments, which are free and can be attempted multiple times. These assessments are created and regularly updated by the same team that develops the official certification exams.
You can access practice assessments on Microsoft Learn by signing in or creating an account. The score report for each question includes the answer, rationale, and links to additional information.
AZ-500 Free Instructor-led Video Training
Microsoft Learning recently published a FREE special 17-module on-demand video training course, “AZ-500 Azure Security Technologies.” Instructors were video-recorded for all modules.
This course is designed to equip IT Security Professionals with the necessary knowledge and skills to implement effective security controls, maintain an organization’s security posture, and identify and remediate security vulnerabilities. It covers various aspects of security, including identity and access, platform protection, data and applications, and security operations.
All video-recorded modules for “AZ-500 Azure Security Technologies” are available below:
- AZ-500 Course Introduction (1 of 17)
- AZ-500 Secure Azure Solutions With Azure Active Directory (2 of 17)
- AZ-500 Deploy Entra ID Identity Protection (3 of 17)
- AZ-500 Configure Entra ID Privileged Identity Management (4 of 17)
- AZ-500 Design An Enterprise Governance Strategy (5 of 17)
- AZ-500 Implement Hybrid Identity (6 of 17)
- AZ-500 Implement Perimeter Security (7 of 17)
- AZ-500 Configure Network Security (8 of 17)
- AZ-500 Configure And Manage Host Security (9 of 17)
- AZ-500 Enable Containers Security (10 of 17)
- AZ-500 Deploy And Secure Azure Key Vault (11 of 17)
- AZ-500 Configure Application Security Features (12 of 17)
- AZ-500 Implement Storage Security (13 of 17)
- AZ-500 Configure And Manage SL Database Security (14 of 17)
- AZ-500 Configure And Manage Azure Monitor (15 of 17)
- AZ-500 Enable And Manage Microsoft Defender For Cloud (16 of 17)
- AZ-500 Configure And Monitor Microsoft Sentinel (17 of 17)
Additionally, you may find written versions of this course located at Microsoft Learn: Microsoft Azure Security Technologies. This course is designed for Azure Security Engineers who are preparing to take the associated certification exam or performing security tasks as part of their job responsibilities. The course is also helpful for engineers who want to specialize in providing security for digital platforms based on Azure and play a crucial role in safeguarding an organization’s data. If you prefer to prepare for the AZ-500 exam with Microsoft MCT instructor-led training, a written, non-video recorded version of this course, you can contact me here.
AZ-500 Certification
By passing the AZ-500 Microsoft Azure Security Technologies, you will earn the Microsoft Azure Security Engineer Associate certificate.
If you are planning to take the AZ-500 exam… I wish you all the best and Happy Studying!!!
__
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.
-Charbel Nemnom-
I didn’t know that you get lab practical tests as well.
Do they still come now?
How do I prepare for those, are they tough?
Hello Nikita, thanks for the comment!
Yes, Microsoft started to add lab practical questions in the AZ-500 exam.
I have updated the study guide to include Training Labs.
Please make sure to check the following hands-on lab section that will help you prepare and gain more practical experience.
Good Luck!
Hi Charbel, Do you know how many practical questions there are?
Hello Mark, thanks for the comment!
There are 10 practical questions in the AZ-500 exam. But please note that this might change.
Good luck!
Hey, Do I need a Azure subscription or shall I be able to practice labs in my free subscription on a student account.
Hello Batuk, thanks for the comment!
No, you should be able to practice the labs in your free student account subscription.
Good Luck!