Updated – 25/11/2021 – This study guide has been updated to reflect the new lab questions added by Microsoft. Please check the following hands-on lab section that will help you prepare and gain more practical experience.
Updated – 29/09/2021 – The AZ-500 exam guide below shows the changes that will be implemented starting on September 29, 2021.
Updated – 09/02/2021 – The AZ-500 exam guide below shows the changes that will be implemented starting on January 27, 2021. This article has been updated to reflect the new exam objectives added by Microsoft and new study references to help you prepare successfully. Please check the following section where you can download the appendix that covers the new additions per skill measure.
Introduction
Microsoft keeps evolving its learning programs to help you and your career keep pace with today’s demanding IT environments. At Ignite in September 2018, Microsoft announced new role-based certifications to help you and your career keep pace with today’s business requirements. They are evolving their learning program to better offer what you need to skill up, prove your expertise to employers and peers, and get the recognition—and opportunities—you’ve earned.
After passing the Microsoft Azure Solutions Expert exam, the Azure Developer Associate exam, the Microsoft Azure Administrator certification, and the Microsoft Azure Fundamentals exam, I decided to sit for the Microsoft Azure Security Engineer exam.
I am so happy and grateful now that I passed the AZ-500 Microsoft Certified: Azure Security Engineer Associate. I figured that I would share my experience in this post to help you prepare and tackle this exam successfully.
Updated on 09/11/2021 – In this exam, I got around 44 questions with 2 massive case studies and a lab with 10 practical tasks, and only 120 MINUTES (2 hours). Microsoft started introducing performance-lab questions. The practical lab also wasted valuable seconds because it was slow. As you can see, the exam is getting a bit tough, so you need to prepare well. The questions do pretty much match the list of skills measured below.
Updated on 29/03/2022 – For the renewal assessment, I got 26 questions in total without any case study. The performance assessment is based on the following topics:
> Plan and implement privileged access.
> Plan, implement, and manage access review.
> Enable identity protection in Azure Active Directory.
> Secure your Azure resources with role-based access control (RBAC).
> Secure and isolate access to Azure resources by using network security groups and service endpoints.
> Design a holistic monitoring strategy on Azure.
> Secure your Azure Storage account.
> Manage user authentication.
> Protect data in transit and at rest.
> Secure your Azure virtual machine disks.

Exam Profile Audience
This exam is for Azure Security Engineers or IT Administrators with a security focus or wanting to focus on security. The security engineer focuses on implementing Azure security controls that protect identity, access, data, applications, and networks in cloud and hybrid environments as part of an end-to-end infrastructure.
Responsibilities for an Azure security engineer include managing the security posture, identifying and remediating vulnerabilities, performing threat modeling, implementing threat protection, and responding to security incident escalations.
Candidates for this exam should have strong skills in scripting and automation; a deep understanding of networking, virtualization, and cloud n-tier architecture; and a strong familiarity with cloud capabilities in general and Microsoft Azure products and services in particular. The Azure Security Engineer should also be familiar with other Microsoft products and services.
Please note that the Azure Security Engineer role does NOT focus on helping secure Microsoft 365 and remains separate from the M365 Security and Compliance Administrator role.
Prerequisites study guide
If you are new to the Azure Security Engineer role, please check the following references that will help you to understand security fundamentals:
> Introduction to Azure security
> Azure security technical capabilities
> Azure identity management security overview
> Azure network security overview
> Fundamentals of Network Security
> Microsoft Azure Well-Architected Framework Security
Skills measured on this exam
This exam measures your ability to accomplish the technical topics listed below based on the latest update from Microsoft. Please note that most questions cover features that are General Availability (GA). However, the exam may contain questions on Preview features if those features are commonly used by users.
Links to relevant reading from the official Microsoft documentation for each skill tested are listed below to help you prepare:
Manage Identity and Access (30-35%)
Manage Azure Active Directory (Azure AD) Identities
- Create and manage a managed identity for Azure resources
- Manage Azure AD groups
- Manage Azure AD users
- Manage external identities by using Azure AD
- Manage administrative units
Manage secure access by using Azure AD
- Configure Azure AD Privileged Identity Management (PIM)
- Implement Conditional Access policies including Multi-Factor Authentication
- Implement Azure AD Identity Protection
- Implement Passwordless authentication
- Configure access reviews
Manage application access
- Integrate single sign-on (SSO) and identity providers for authentication
- Create an app registration
- Configure app registration permission scopes
- Manage app registration permission consent
- Manage API permissions to Azure subscriptions and resources
- Configure an authentication method for a service principal
Manage access control
- Configure Azure role permissions for management groups, subscriptions, resource groups, and resources
- Interpret role and resource permissions
- Assign built-in Azure AD roles
- Create and assign custom roles, including Azure roles and Azure AD roles
Implement Platform Protection (15-20%)
Implement advanced network security
- Secure the connectivity of hybrid networks
- Secure the connectivity of virtual networks
- Network security groups
- Create, change, or delete a network security group
- Tutorial: Filter network traffic with a network security group using the Azure portal
- Application security groups
- Manage and control traffic flow in your Azure deployment with routes
- Fundamentals of Network Security
- Secure and isolate access to Azure resources by using network security groups and service endpoints
- Create and configure Azure Firewall
- Create and configure Azure Firewall Manager
- Create and configure Azure Application Gateway
- Create and configure Azure Front Door
- Create and configure Web Application Firewall (WAF)
- Configure a resource firewall, including a storage account, Azure SQL, Azure Key Vault, or Azure App Service
- Configure network isolation for Web Apps and Azure Functions
- Implement Azure Service Endpoints
- Virtual Network service endpoints
- Tutorial: Restrict network access to PaaS resources with virtual network service endpoints using the Azure portal
- Create, change, or delete service endpoint policy using the Azure portal
- Use private endpoints for Azure Storage
- Quickstart: Create a Private Endpoint using the Azure portal
- Implement Azure Private Endpoints, including integrating with other services
- Implement Azure Private Links
- Implement Azure DDoS Protection
Configure advanced security for compute
- Configure Azure Endpoint Protection for virtual machines (VMs)
- Implement and manage security updates for VMs
- Configure security for container services
- Manage access to Azure Container Registry
- Configure security for serverless compute
- Configure security for an Azure App Service
- Configure encryption at rest
- Configure encryption in transit
Manage Security Operations (25-30%)
Configure centralized policy management
- Configure a custom security policy
- Create a policy initiative
- Configure security settings and auditing by using Azure Policy
Configure and manage threat protection
- Configure Azure Defender for Servers (not including Microsoft Defender for Endpoint)
- Evaluate vulnerability scans from Azure Defender
- Configure Azure Defender for SQL
- Use the Microsoft Threat Modeling Tool
Configure and manage security monitoring solutions
- Create and customize alert rules by using Azure Monitor
- Configure diagnostic logging and log retention by using Azure Monitor
- Monitor security logs by using Azure Monitor
- Create and customize alert rules in Microsoft Sentinel
- Configure connectors in Microsoft Sentinel
- Evaluate alerts and incidents in Microsoft Sentinel
Secure Data and Applications (25-30%)
Configure security for storage
- Configure access control for storage accounts
- Configure storage account access keys
- Configure Azure AD authentication for Azure Storage and Azure Files
- Acquire a token from Azure AD for authorizing requests from a client application
- Overview – on-premises Active Directory Domain Services authentication over SMB for Azure file shares
- Enable Azure Active Directory Domain Services authentication on Azure Files
- Store and share files in your application with Azure Files
- Authorize access to blobs and queues using Azure Active Directory
- Configure delegated access
Configure security for data
- Enable database authentication by using Azure AD
- Enable database auditing
- Configure dynamic masking on SQL workloads
- Implement database encryption for Azure SQL Database
- Implement network isolation for data solutions, including Azure Synapse Analytics and Azure Cosmos DB
Configure and manage Azure Key Vault
- Create and configure Key Vault
- Configure access to Key Vault
- Manage certificates, secrets, and keys
- Configure key rotation
- Backup and recovery of certificates, secrets, and keys
Lessons Learned and Exam Preparation
Practice, practice, and read… I cannot stress enough that hands-on experience and understanding of all the security concepts will help you to pass this exam. The key to success in passing this exam is to work with Microsoft Azure daily, especially cloud governance and security.
Based on my experience, to get the most from this preparation, you need the following trial subscriptions or equivalent access:
> An Azure subscription – you can create your free Azure account today and start practicing the latest and greatest security features.
> Microsoft M365 E5.
> Microsoft Defender for Cloud with Defender plan enabled (free for 30 days).
I usually use the Microsoft Azure Security Documentation, which is a great resource to dive deep into each topic, and I use Microsoft Learn, the new and more structured learning approach, to learn all the topics required for the exam. I highly recommend going through the free learning modules below on Microsoft Learn to prepare for the AZ-500 exam:
- AZ-500 Part-1: Manage Identity and Access (5 modules).
- AZ-500 Part-2: Implement platform protection (4 modules).
- AZ-500 Part-3: Secure your data and applications (4 modules).
- AZ-500 Part-4: Manage security operation (3 modules).
You can watch the free Azure Security Expert Series videos provided by Microsoft to get you prepared. Pluralsight also offers a great learning path for the Microsoft Azure Security Engineer preparation; you can check it out here.
You can also go through the following free Azure Security AZ-500 course from Microsoft to get prepared for this exam:
If you have access to a LinkedIn Learning platform, then I highly recommend going through the following fast preparation path in just 6 hours:
- Manage Identity and Access (Domain 1)
- Implement Platform Protection (Domain 2)
- Manage Security Operations (Domain 3)
- Secure Data and Applications (Domain 4)
I also recommend the comprehensive course on Azure Cloud Security on Udemy to learn how to implement security controls across the board.
Additionally, Skillmeup.com offered a great path for AZ-500 Exam preparation, and Skylinesacademy.com just released the AZ-500 course at a low cost. I highly recommend checking them out.
Books
As of December 10, 2020, Microsoft released the Exam Reference AZ-500 Book – Microsoft Azure Security Technologies (1st Edition), which you can order today here. I highly recommend this book to prepare and pass this exam.
As of April 21st, 2022, you can order the updated Exam Ref AZ-500 Microsoft Azure Security Technologies with Practice Test (2nd Edition). I highly recommend this book to prepare and pass the new version of the AZ-500 exam.
Appendix January 2021 Exam Update
On January 27, 2021, Microsoft updated the AZ-500 Exam objectives to add new topics to the existing areas of the exam. This appendix covers the new additions per the skill measure section. You can download the appendix from here to help you prepare for the latest exam questions.
Training Labs
Recently, Microsoft has added lab questions to the AZ-500 exam. Please make sure to check the following step-by-step hands-on labs that will help you to gain more practical experience and pass this exam:
> LAB 01 – Role-Based Access Control.
> LAB 02 – Azure Policy.
> LAB 03 – Resource Manager Locks.
> LAB 04 – MFA, Conditional Access, and AAD Identity Protection.
> LAB 05 – Azure AD Privileged Identity Management.
> LAB 06 – Implement Directory Synchronization.
> LAB 07 – Network Security Groups and Application Security Groups.
> LAB 08 – Azure Firewall.
> LAB 09 – Configuring and Securing ACR and AKS.
> LAB 10 – Key Vault (Implementing Secure Data by setting up Always Encrypted).
> LAB 11 – Securing Azure SQL Database.
> LAB 12 – Service Endpoints and Securing Storage.
> LAB 13 – Azure Monitor.
> LAB 14 – Microsoft Defender for Cloud.
> LAB 15 – Microsoft Sentinel.
Instructor-led virtual training
Last but certainly not least, if you prefer an instructor-led training course, Microsoft released the AZ-500T00-A (4 days) course. This course provides IT Security Professionals with the knowledge and skills needed to implement security controls, maintain an organization’s security posture, and identify and remediate security vulnerabilities.
This course includes security for identity and access, platform protection, data and applications, and security operations. If you prefer to prepare for this exam with Microsoft MCT instructor-led virtual training, you can contact me here.
Certification
By passing the AZ-500 Microsoft Azure Security Technologies exam, you will earn the Microsoft Azure Security Engineer Associate certificate.

If you are planning to take the AZ-500 exam… I wish you all the best and Happy Studying!!!
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.
-Charbel Nemnom-
I didn’t know that you get lab practical tests as well.
Do they still come now?
How do I prepare for those, are they tough?
Hello Nikita, thanks for the comment!
Yes, Microsoft started to add lab practical questions in the AZ-500 exam.
I have updated the study guide to include Training Labs.
Please make sure to check the following hands-on lab section that will help you prepare and gain more practical experience.
Good Luck!
Hi Charbel, Do you know how many practical questions there are?
Hello Mark, thanks for the comment!
There are 10 practical questions in the AZ-500 exam. But please note that this might change.
Good luck!