Updated – 30/05/2020 – The exam guide below shows the changes that will be implemented starting on July 29, 2020. This article has been updated to reflect the new exam objectives added by Microsoft.

Introduction

Microsoft is keeping evolving their learning programs to help you and your career keep pace with today’s demanding IT environments. At Ignite in September 2018, Microsoft announced new role-based certifications to help you and your career keep pace with today’s business requirements. They are evolving their learning program to better offer what you need to skill up, prove your expertise to employers and peers, and get the recognition—and opportunities—you’ve earned. Check the following document to have a complete overview of the new Microsoft certification program published on September 24, 2018. Microsoft is planning to announce more role-based certifications in 2019.

After passing the Microsoft Azure Solutions Expert exam, as well as the Azure Developer Associate exam, the Microsoft Azure Administrator certification, and the Microsoft Azure Fundamentals exam. I decided to sit for the Microsoft Azure Security Engineer exam.

I am so happy and grateful now that I passed the AZ-500 Microsoft Certified: Azure Security Engineer Associate. I figured that I would share my experience in this post to help you prepare and tackle this exam successfully.

In this exam, I got around 41 questions in total with 1 case study, and the total time for this exam is 180 minutes. The questions do pretty much match the list of skills measured below.

Exam Profile Audience

The Azure Security Engineer implements security controls, maintains the security posture, and finds and remediates vulnerabilities by using a variety of security tools. Responsibilities include helping protect data, applications, and networks; managing identity and access; implementing threat protection, and responding to security incident escalations. The Azure Security Engineer often serves as part of a larger team dedicated to cloud-based management and security. The Azure Security Engineer might also help secure hybrid environments as part of an end-to-end infrastructure.

Candidates for this exam should have strong skills in scripting and automation; a deep understanding of networking, virtualization, and cloud n-tier architecture; and a strong familiarity with cloud capabilities in general and Microsoft Azure products and services in particular. The Azure Security Engineer should also be familiar with other Microsoft products and services.

Please note that the Azure Security Engineer role does NOT focus on helping secure Microsoft 365 and remains separate from the M365 Security and Compliance Administrator role.

Skills measured on this exam

This exam measures your ability to accomplish the technical topics listed below based on the latest update from Microsoft.

Links to relevant reading from the official Microsoft documentation for each skill tested are listed below to help you prepare:

Manage Identity and Access (20-25%)

1. Configure Azure AD for workloads

   • Create App Registration
   • Configure App Registration permission scopes
   • Manage App Registration permission consent
   • Configure multi-factor authentication settings
   • Manage Microsoft Azure AD Groups
   • Manage Microsoft Azure AD Users
   • Install and Configure Azure AD Connect
   • Configure Authentication Methods
   • Implement Conditional Access Policies
   • Configure Microsoft Azure AD Identity Protection

2. Configure Privileged Identity

   • Monitor Privileged Access
   • Configure Access Reviews
   • Activate Privileged Identity Management

3. Configure Azure Tenant Security

   • Transfer Azure subscriptions between Azure AD tenants
   • Manage API access to Azure subscriptions and resources

Implement Platform Protection (35-40%)

1. Implement Network Security

   • Configure virtual network connectivity
     • Configure a VNet-to-VNet VPN gateway connection by using the Azure portal
     • Virtual Network Peering
     • Plan Virtual Networks
   • Configure Network Security Groups (NSGs)
     • Azure Security Groups
     • Enable Network Security Groups in Azure Security Center
   • Create and Configure Microsoft Azure firewall
     • What is Azure Firewall?
     • Azure Firewall documentation
     • Deploy and configure Azure Firewall using the Azure portal
     • Monitor Azure Firewall logs and metrics
   • Create and configure Azure Front Door service
   • Create and Configure application security groups
     • Service Tags
   • Configure remote access management
   • Configure baseline
     Configure resource firewall
     • Configure Azure Storage firewalls and virtual networks
     • Azure SQL Database and SQL Data Warehouse IP firewall rules

2. Implement Host Security

   • Configure endpoint security within the VM
   • Configure VM security
   • Harden VMs in Microsoft Azure
   • Configure system updates for VMs in Microsoft Azure
   • Configure Baseline – Customize OS security configurations in Azure Security Center

3. Configure Container Security

   • Configure network
   • Configure authentication
   • Configure container isolation
   • Configure AKS security
   • Configure container registry
     • Best practices for Azure Container Registry
   • Implement vulnerability management

4. Implement Azure Resource Manager Security

   • Create Microsoft Azure resource locks
   • Manage resource group security
   • Configure Microsoft Azure policies
   • Configure custom RBAC roles
     • Built-in roles for Azure resources
   • Configure subscription and resource permissions

Manage Security Operations (15-20%)

1. Configure Security Services

   • Configure Azure Monitor
   • Configure diagnostic logging and log retention
     • Enable diagnostics logging for apps in Azure App Service
     • Changing the log data retention period
   • Configure vulnerability scanning

2. Configure Security Policies

   • Configure centralized policy management by using Azure Security Center
   • Configure Just in Time VM access by using Azure Security Center

3. Manage Security Alerts

   • Create and customize alerts
   • Review and respond to alerts and recommendations
   • Configure a playbook for a security event by using Azure Sentinel
   • Investigate escalated security alerts

Secure Data and Applications (30-35%)

1. Configure security services

   • Configure data classification
   • Configure data retention
     • Configure diagnostic logging and log retention
     • Change the data retention period
   • Configure data sovereignty

2. Configure security policies

   • Enable database authentication
   • Enable database auditing
   • Configure Azure SQL Database Advanced Threat Protection
   • Configure access control for storage accounts
   • Configure key management for storage accounts
   • Configure Azure AD authentication for Azure Storage
   • Configure Azure AD Domain Services authentication for Azure Files
   • Create and Manage Shared Access Signatures (SAS)
   • Configure security for HDInsight
     • An Azure HDInsight QuickStart
     • An Azure HDInsight ARM Template
   • Configure security for Cosmos DB
     • Cosmos DB ARM Template
     • Cosmos DB QuickStart
   • Configure security for Azure Data Lake

3. Configure encryption for data at rest

   • Implement Azure SQL Database Always Encrypted
   • Implement database encryption
   • Implement Storage Service Encryption
   • Implement disk encryption

4. Configure application security

   • Configure SSL/TLS certs
     • Add an SSL certificate in Azure App Service
     • Configuring the free TLS/SSL certificates on Azure App Service
   • Configure Azure services to protect web apps
   • Create an application security baseline
     • Create Security Baselines
     • Create Azure Security Center Baseline

5. Configure and manage Key Vault

   • Manage access to Key Vault
     • Provide Key Vault authentication with an access control policy
     • Secure access to a key vault
     • Tutorial: Use a Windows VM system-assigned managed identity to access Azure Key Vault
   • Manage permissions to secrets, certificates, and keys
     • Manage access and permissions to secrets, certificates, and keys to Key Vault
     • Do you have an idea or a suggestion for Azure Key Vault based on your experience?
     • Key and Secret Management in ‘Azure’
   • Configure RBAC usage in Azure Key Vault
     • Azure Key Vault security
     • ARM Template to create Azure Key Vault and Key
   • Manage certificates (get started with Key Vault certificates)
   • Manage secrets
     • About keys, secrets, and certificates
     • Manage keys and secrets
   • Configure key rotation (set up Azure Key Vault with key rotation and auditing)

Lessons Learned and Exam Preparation

Practice, practice and read… I cannot stress enough that hands-on experience and understanding all the security concepts will help you to pass this exam. The key success to pass this exam is to work with Microsoft Azure on a daily basis, and especially cloud governance and security.

Based on my experience to get the most from this preparation you need the following trial subscriptions or equivalent access:

• An Azure subscription – you can create your free Azure account today and start practicing the latest and greatest security features.
• An EMS E5
• Azure Security Center (Standard Tier)
• Azure Sentinel

I usually use Microsoft Azure Security Documentation which is a great resource to dive deep in each topic, and I use Microsoft Learn the new learning approach which is more structured to learn all the topics required for the exam. I highly recommend to go through the free learning modules below on Microsoft Learn to prepare for the AZ-500 exam:

• Secure your cloud applications in Azure (6 modules)
• Implement resource management security in Azure (6 modules)
• Implement network security in Azure (5 modules)
• Implement virtual machine host security in Azure (6 modules)
• Manage identity and access in Azure Active Directory (9 modules)
• Manage security operations in Azure (8 modules)

You can watch the free Azure Security Expert Series videos provided by Microsoft to get you prepared. Pluralsight also offers a great learning path for the Microsoft Azure Security Engineer preparation, you can check it out here.

You can also go through the following free Azure Security AZ-500 course from Microsoft to get prepared for this exam:

• Microsoft Azure Security Technologies

If you have access to a LinkedIn learning platform, then I highly recommend to go through the following fast preparation path in just 6 hours:

• Manage Identity and Access (Domain 1)
• Implement Platform Protection (Domain 2)
• Manage Security Operations (Domain 3)
• Secure Data and Applications (Domain 4)
  • Policy and Data Infrastructure
  • Data at Rest, App Security, and Key Vault

I also recommend the comprehensive course on Azure Cloud Security on udemy to learn how to implement security controls across the board.

Additionally, Skillmeup.com offered a great path for AZ-500 Exam preparation, and Skylinesacademy.com just released the AZ-500 course at a low cost, I highly recommend to check them out.

At the time of this writing (May 30, 2020), Microsoft is working on releasing the Exam Reference AZ-500 Microsoft Azure Security Technologies book which is due for release in August 2020, you can place the pre-order today here.

Last but not least, if you prefer instructor-led training, you can find a classroom from Microsoft Learning Partners here.

Certification

By passing the AZ-500 Microsoft Azure Security Technologies, you will earn the Microsoft Azure Security Engineer Associate certificate.

If you are planning to take this exam… I wish you all the best and Happy Studying!!!

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-