Passed AZ-500 Exam: Microsoft Certified Azure Security Engineer

Updated – 09/02/2021 – The AZ-500 exam guide below shows the changes that will be implemented starting on January 27, 2021. This article has been updated to reflect the new exam objectives added by Microsoft and new study references to help you prepare successfully. Please check the following section where you can download the appendix that covers the new additions per skill measure.

Introduction

Microsoft is keeping evolving its learning programs to help you and your career keep pace with today’s demanding IT environments. At Ignite in September 2018, Microsoft announced new role-based certifications to help you and your career keep pace with today’s business requirements. They are evolving their learning program to better offer what you need to skill up, prove your expertise to employers and peers, and get the recognition—and opportunities—you’ve earned. Check the following document to have a complete overview of the new Microsoft certification program published on September 24, 2018. Microsoft is planning to announce more role-based certifications in 2019.

After passing the Microsoft Azure Solutions Expert exam, as well as the Azure Developer Associate exam, the Microsoft Azure Administrator certification, and the Microsoft Azure Fundamentals exam. I decided to sit for the Microsoft Azure Security Engineer exam.

I am so happy and grateful now that I passed the AZ-500 Microsoft Certified: Azure Security Engineer Associate. I figured that I would share my experience in this post to help you prepare and tackle this exam successfully.

In this exam, I got around 41 questions in total with 1 case study, and the total time for this exam is 180 minutes. The questions do pretty much match the list of skills measured below.

Exam Profile Audience

The Azure Security Engineer implements security controls, maintains the security posture, and finds and remediates vulnerabilities by using a variety of security tools. Responsibilities include helping protect data, applications, and networks; managing identity and access; implementing threat protection, and responding to security incident escalations. The Azure Security Engineer often serves as part of a larger team dedicated to cloud-based management and security. The Azure Security Engineer might also help secure hybrid environments as part of an end-to-end infrastructure.

Candidates for this exam should have strong skills in scripting and automation; a deep understanding of networking, virtualization, and cloud n-tier architecture; and a strong familiarity with cloud capabilities in general and Microsoft Azure products and services in particular. The Azure Security Engineer should also be familiar with other Microsoft products and services.

Please note that the Azure Security Engineer role does NOT focus on helping secure Microsoft 365 and remains separate from the M365 Security and Compliance Administrator role.

Prerequisites study guide

If you are new to the Azure Security Engine role, please check the following references that will help you to understand security fundamentals:

> Introduction to Azure security

> Azure security technical capabilities

> Azure identity management security overview

> Azure network security overview

> Fundamentals of Network Security

> Microsoft Azure Well-Architected Framework Security

Skills measured on this exam

This exam measures your ability to accomplish the technical topics listed below based on the latest update from Microsoft. Please note that most questions cover features that are General Availability (GA). However, the exam may contain questions on Preview features if those features are commonly used by users.

Links to relevant reading from the official Microsoft documentation for each skill tested are listed below to help you prepare:

Manage Identity and Access (30-35%)

Manage Azure Active Directory Identities

• Configure security for service principals
  • Application and service principal objects in Azure Active Directory
  • Authenticate apps to Azure services by using service principals and managed identities for Azure resources

• Manage Azure AD directory groups
  • Access with Azure Active Directory groups
  • Manage users and groups in Azure Active Directory

• Manage Azure AD users
  • Add or delete users using Azure Active Directory
  • Manage users and groups in Azure Active Directory

• Configure password write-back
  • Tutorial: Enable Azure Active Directory self-service password reset write-back to an on-premises environment

• Configure authentication methods including password hash and Pass-Through Authentication (PTA), OAuth, and passwordless
  • Authentication vs authorization
  • What is password hash synchronization with Azure AD?
  • User sign-in with Azure Active Directory Pass-through Authentication
  • Passwordless authentication options for Azure Active Directory

• Transfer Azure subscriptions between Azure AD tenants
  • Manage access to an Azure subscription by using Azure role-based access control
  • Transfer billing ownership of an Azure subscription to another account
  • Associate or add an Azure subscription to your Azure Active Directory tenant

Configure secure access by using Azure AD

• Monitor privileged access for Azure AD Privileged Identity Management (PIM)
  • Configure security alerts for Azure AD roles in Privileged Identity Management

• Configure Access Reviews
  • Create an access review of Azure AD roles in Privileged Identity Management

• Activate and configure PIM
  • Deploy Azure AD Privileged Identity Management (PIM)

• Implement Conditional Access policies including Multi-Factor Authentication
  • Secure Azure Active Directory users with Multi-Factor Authentication
  • Configure Azure Multi-Factor Authentication settings

• Configure Azure AD identity protection
  • What is Azure Active Directory Identity Protection?
  • Protect your identities with Azure AD Identity Protection

Manage application access

• Create App Registration
  • QuickStart: Register an application with the Microsoft identity platform

• Configure App Registration permission scopes
  • Permissions and consent in the Microsoft identity platform endpoint

• Manage App Registration permission consent
  • Configure how end-users consent to applications
  • Secure your application by using OpenID Connect and Azure AD

• Manage API access to Azure subscriptions and resources
  • Get access on behalf of a user
  • Authentication flows and application scenarios
  • Permissions and Consent Framework

Manage access control

• Configure subscription and resource permissions
  • Elevate access to manage all Azure subscriptions and management groups
  • Add or change Azure subscription administrators
  • Lock resources to prevent unexpected changes

• Configure resource group permissions
  • What is Azure role-based access control (Azure RBAC)?
  • Secure your Azure resources with role-based access control

• Configure custom RBAC roles
  • Create Custom Roles
  • Secure your cloud resources with access control
  • Create custom roles for Azure resources with role-based access control

• Identify the appropriate role
  • Azure Built-in Roles
  • Manage access to an Azure subscription by using Azure role-based access control

• Apply the principle of least privilege
  • Best practices for Azure RBAC

• Interpret permissions
  • Quickstart: View the access a user has to Azure resources

• Check access
• • List Azure role definitions
  • List Azure role assignments using the Azure Portal

Implement Platform Protection (15-20%)

Implement advanced network security

• Secure the connectivity of virtual networks (VPN authentication, Express Route encryption)
  • VPN Gateway design
  • ExpressRoute encryption
  • About Point-to-Site VPN
  • Create a Site-to-Site connection in the Azure portal
  • Configure virtual network connectivity
  • Connect your on-premises network to the Microsoft global network by using ExpressRoute
  • Design a hybrid network architecture on Azure

• Configure Network Security Groups (NSGs) and Application Security Groups (ASGs)
  • Network security groups
  • Create, change, or delete a network security group
  • Tutorial: Filter network traffic with a network security group using the Azure portal
  • Application security groups
  • Manage and control traffic flow in your Azure deployment with routes
  • Fundamentals of Network Security
  • Secure and isolate access to Azure resources by using network security groups and service endpoints

• Create and configure Azure Firewall
  • Tutorial: Deploy and configure Azure Firewall using the Azure portal
  • Tutorial: Deploy and configure Azure Firewall in a hybrid network using the Azure portal

• Implement Azure Firewall Manager
  • Tutorial: Secure your virtual hub using Azure Firewall Manager

• Configure Azure Front Door service as an Application Gateway
  • Quickstart: Create a Front Door for a highly available global web application
  • Encrypt network traffic end to end with Azure Application Gateway

• Configure a Web Application Firewall (WAF) on Azure Application Gateway
  • Azure Web Application Firewall on Azure Application Gateway

• Configure Azure Bastion
  • Quickstart: Connect to a virtual machine using a private IP address and Azure Bastion
  • How to use Azure Bastion to connect securely to your Azure VMs

• Configure a firewall on a storage account, Azure SQL, KeyVault, or App Service
  • Azure SQL Database and Azure Synapse IP firewall rules
  • Configure Azure Storage firewalls and virtual networks
  • Access Azure Key Vault behind a firewall

• Implement Service Endpoints
  • Virtual Network service endpoints
  • Tutorial: Restrict network access to PaaS resources with virtual network service endpoints using the Azure portal
  • Create, change, or delete service endpoint policy using the Azure portal
  • Use private endpoints for Azure Storage
  • Quickstart: Create a Private Endpoint using the Azure portal

• Implement DDoS protection
  • Azure DDoS Protection Standard overview

Configure advanced security for compute

• Configure endpoint protection
  • Feature coverage for machines
  • Security management in Azure
  • Microsoft Antimalware for Azure Cloud Services and Virtual Machines
  • Protect your servers and VMs from brute-force and malware attacks with Azure Security Center

• Configure and monitor system updates for VMs
  • Manage updates and patches for your Azure VMs
  • Manage updates for multiple VMs
  • Keep your virtual machines updated
  • Security best practices for IaaS workloads in Azure

• Configure authentication for Azure Container Registry
  • How to use managed identities with Azure Container Instances
  • Authenticate with an Azure container registry
  • Introduction to Docker containers

• Configure security for different types of containers
  • Run Docker containers with Azure Container Instances
  • Build a containerized web application with Docker

• Implement vulnerability management
• • Vulnerability assessments for your Azure Virtual Machines
  • Integrated vulnerability scanner for virtual machines (Azure Defender only)

• Configure isolation for AKS
• • Security concepts for applications and clusters in Azure Kubernetes Service (AKS)
  • Best practices for cluster isolation in Azure Kubernetes Service (AKS)
  • Container Security in Azure
  • Azure Kubernetes Service Workshop
  • Secure traffic between pods using network policies in Azure Kubernetes Service

• Configure security for container registry
• • Authenticate with an Azure container registry
  • Build and store container images with Azure Container Registry

• Implement Azure Disk Encryption
• • Azure Disk Encryption for Windows VMs
  • Secure your Azure virtual machine disks

• Configure authentication and security for Azure App Service
• • Security in Azure App Service
  • Authentication and authorization in Azure App Service and Azure Functions
  • OS and runtime patching in Azure App Service

• Configure SSL/TLS certs
• • Add a TLS/SSL certificate in Azure App Service
  • Secure a custom DNS name with a TLS/SSL binding in Azure App Service

• Configure authentication for Azure Kubernetes Service
• • Service principals with Azure Kubernetes Service (AKS)
  • Integrate Azure Active Directory with Azure Kubernetes Service
  • Use managed identities in Azure Kubernetes Service

• Configure automatic updates
• • Update containers in Azure Container Instances

Manage Security Operations (25-30%)

Monitor security by using Azure Monitor

• Create and customize alerts
  • Create, view, and manage log alerts using Azure Monitor
  • Create, view, and manage metric alerts using Azure Monitor
  • Improve incident response with alerting on Azure

• Monitor security logs by using Azure Monitor
  • Tutorial: Get started with Log Analytics queries
  • Get started with log queries in Azure Monitor
  • Analyze your Azure infrastructure by using Azure Monitor logs
  • Monitor and report on security events in Azure AD

• Configure diagnostic logging and log retention
  • Create a diagnostic setting to collect resource logs and metrics in Azure
  • Overview of Azure platform logs

Monitor security by using Azure Security Center

• Create and customize alerts
  • Security alerts in Azure Security Center
  • Manage and respond to security alerts in Azure Security Center

• Evaluate vulnerability scans from Azure Security Center
  • Vulnerability assessments for your Azure Virtual Machines
  • Integrated vulnerability scanner for virtual machines (Azure Defender only)
  • Identify security threats with Azure Security Center
  • Resolve security threats with Azure Security Center

• Configure Just in Time VM access by using Azure Security Center
  • Secure your management ports with just-in-time access

• Configure centralized policy management by using Azure Security Center
  • Working with security policies
  • Azure security policies monitored by Security Center

• Configure compliance policies and evaluate for compliance by using Azure Security Center
  • Tutorial: Improve your regulatory compliance

Monitor security by using Azure Sentinel

• Create and customize alerts
  • Automatically create incidents from Microsoft security alerts
  • Tutorial: Create custom analytic rules to detect suspicious threats
  • Quickstart: Get started with Azure Sentinel

• Configure data sources to Azure Sentinel
  • Connect data sources
  • Improve security with Azure Sentinel, a cloud-native SIEM and SOAR solution

• Evaluate results from Azure Sentinel
  • Tutorial: Visualize and monitor your data
  • Tutorial: Investigate incidents with Azure Sentinel
  • Use a framework to identify threats and find ways to reduce or eliminate the risk

• Configure a playbook for a security event by using Azure Sentinel
  • Tutorial: Set up automated threat responses in Azure Sentinel

Configure security policies

• Configure security settings by using Azure Policy
  • Tutorial: Create and manage policies to enforce compliance
  • Tutorial: Create a custom policy definition
  • Integrate Azure Key Vault with Azure Policy
  • Apply and monitor infrastructure standards with Azure Policy

• Configure security settings by using Azure Blueprint
• • What are Azure Blueprints?
  • Overview of the Azure Security Benchmark blueprint sample
  • Tutorial: Create an environment from a blueprint sample

Secure Data and Applications (20-25%)

Configure security for storage

• Configure access control for storage accounts
  • Authorizing access to data in Azure Storage
  • Secure your Azure Storage accounts

• Configure key management for storage accounts
  • Manage storage account access keys
  • Use the Azure portal to access blob or queue data

• Configure Azure AD authentication for Azure Storage
  • Authorize access to blobs and queues using Azure Active Directory
  • Acquire a token from Azure AD for authorizing requests from a client application

• Configure Azure AD Domain Services authentication for Azure Files
  • Overview – on-premises Active Directory Domain Services authentication over SMB for Azure file shares
  • Enable Azure Active Directory Domain Services authentication on Azure Files
  • Store and share files in your application with Azure Files

• Create and Manage Shared Access Signatures (SAS)
  • Grant limited access to Azure Storage resources using shared access signatures
  • Control access to Azure Storage with shared access signatures

• Create a shared access policy for a blob or blob container
  • Security recommendations for Blob storage

• Configure Storage Service Encryption
  • Azure Storage Encryption for data at rest
  • Configure customer-managed keys with Azure Key Vault by using the Azure portal

• Configure Azure Defender for Storage
  • Configure Azure Defender for Storage

Configure security for databases

• Enable database authentication
  • Use Azure Active Directory authentication
  • Configure and manage Azure AD authentication with Azure SQL
  • Configure security policies to manage data

• Enable database auditing
  • Auditing for Azure SQL Database and Azure Synapse Analytics

• Configure Azure Defender for SQL
  • Configure Azure Defender for Azure SQL database
  • Configure Azure Defender for SQL servers on machines

• Configure Azure SQL Database Advanced Threat Protection
  • Advanced Threat Protection for Azure SQL Database, SQL Managed Instance, and Azure Synapse Analytics

• Implement database encryption
  • Tutorial: Secure a database in Azure SQL Database
  • Transparent Data Encryption

• Implement Azure SQL Database Always Encrypted
  • Always Encrypted
  • Overview of key management for Always Encrypted
  • Configure Always Encrypted by using Azure Key Vault

Configure and manage Key Vault

• Manage access to Key Vault
  • Azure Key Vault security
  • Secure access to a key vault
• Manage permissions to secrets, certificates, and keys
  • Provide Key Vault authentication with a managed identity
  • Manage secrets in your server apps with Azure Key Vault
• Configure RBAC usage in Azure Key Vault
  • Azure Policy built-in policy definitions for Key Vault
• Manage certificates
  • Tutorial: Import a certificate in Azure Key Vault
• Manage secrets
  • About Azure Key Vault secrets
  • Configure and manage secrets in Azure Key Vault
• Configure key rotation
  • About Azure Key Vault keys
  • Set up Azure Key Vault with key rotation and auditing
  • Tutorial: Configure certificate auto-rotation in Key Vault
  • Automate the rotation of a secret for resources that use single-user/single-password authentication
• Backup and restore of Key Vault items
  • Azure Key Vault soft-delete overview
• Configure Azure Defender for Key Vault
  • Azure Defender for Key Vault
  • Respond to Azure Defender for Key Vault alerts

Lessons Learned and Exam Preparation

Practice, practice, and read… I cannot stress enough that hands-on experience and understanding all the security concepts will help you to pass this exam. The key success to pass this exam is to work with Microsoft Azure daily, especially cloud governance and security.

Based on my experience to get the most from this preparation you need the following trial subscriptions or equivalent access:

> An Azure subscription – you can create your free Azure account today and start practicing the latest and greatest security features.

> An EMS E5.

> Azure Security Center with Azure Defender enabled (free for 30 days).

> Azure Sentinel.

I usually use Microsoft Azure Security Documentation which is a great resource to dive deep into each topic, and I use Microsoft Learn the new learning approach which is more structured to learn all the topics required for the exam. I highly recommend going through the free learning modules below on Microsoft Learn to prepare for the AZ-500 exam:

• Secure your cloud applications in Azure (6 modules)
• Implement resource management security in Azure (6 modules)
• Implement network security in Azure (5 modules)
• Implement virtual machine host security in Azure (6 modules)
• Manage identity and access in Azure Active Directory (9 modules)
• Manage security operations in Azure (8 modules)

You can watch the free Azure Security Expert Series videos provided by Microsoft to get you prepared. Pluralsight also offers a great learning path for the Microsoft Azure Security Engineer preparation, you can check it out here.

You can also go through the following free Azure Security AZ-500 course from Microsoft to get prepared for this exam:

• Microsoft Azure Security Technologies

If you have access to a LinkedIn Learning platform, then I highly recommend going through the following fast preparation path in just 6 hours:

• Manage Identity and Access (Domain 1)
• Implement Platform Protection (Domain 2)
• Manage Security Operations (Domain 3)
• Secure Data and Applications (Domain 4)
  • Policy and Data Infrastructure
  • Data at Rest, App Security, and Key Vault

I also recommend the comprehensive course on Azure Cloud Security on udemy to learn how to implement security controls across the board.

Additionally, Skillmeup.com offered a great path for AZ-500 Exam preparation, and Skylinesacademy.com just released the AZ-500 course at a low cost, I highly recommend checking them out.

Books

As of December 10, 2020, Microsoft released the Exam Reference AZ-500 Book – Microsoft Azure Security Technologies which you can place the order today here. I highly recommend this book to prepare and pass this exam.

Appendix January 2021 Exam Update

On January 27, 2021, Microsoft updated the AZ-500 Exam objectives to add new topics to the existing areas of the exam. This appendix covers the new additions per skill measure section. You can download the appendix from here to help you prepare for the latest exam questions.

Instructor-led virtual training

Last but certainly not least, if you prefer an instructor-led training course, Microsoft released the AZ-500T00-A (4 days) course. This course provides IT Security Professionals with the knowledge and skills needed to implement security controls, maintain an organization’s security posture, and identify and remediate security vulnerabilities. This course includes security for identity and access, platform protection, data and applications, and security operations. If you prefer to prepare for this exam with Microsoft MCT instructor-led virtual training, you can contact me here.

Certification

Bypassing the AZ-500 Microsoft Azure Security Technologies, you will earn the Microsoft Azure Security Engineer Associate certificate.

If you are planning to take this exam… I wish you all the best and Happy Studying!!!

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

Related Posts