Updated – 09/02/2021 – The AZ-500 exam guide below shows the changes that will be implemented starting on January 27, 2021. This article has been updated to reflect the new exam objectives added by Microsoft and new study references to help you prepare successfully. Please check the following section where you can download the appendix that covers the new additions per skill measure.
Microsoft is keeping evolving its learning programs to help you and your career keep pace with today’s demanding IT environments. At Ignite in September 2018, Microsoft announced new role-based certifications to help you and your career keep pace with today’s business requirements. They are evolving their learning program to better offer what you need to skill up, prove your expertise to employers and peers, and get the recognition—and opportunities—you’ve earned. Check the following document to have a complete overview of the new Microsoft certification program published on September 24, 2018. Microsoft is planning to announce more role-based certifications in 2019.
After passing the Microsoft Azure Solutions Expert exam, as well as the Azure Developer Associate exam, the Microsoft Azure Administrator certification, and the Microsoft Azure Fundamentals exam. I decided to sit for the Microsoft Azure Security Engineer exam.
I am so happy and grateful now that I passed the AZ-500 Microsoft Certified: Azure Security Engineer Associate. I figured that I would share my experience in this post to help you prepare and tackle this exam successfully.
In this exam, I got around 41 questions in total with 1 case study, and the total time for this exam is 180 minutes. The questions do pretty much match the list of skills measured below.
Exam Profile Audience
The Azure Security Engineer implements security controls, maintains the security posture, and finds and remediates vulnerabilities by using a variety of security tools. Responsibilities include helping protect data, applications, and networks; managing identity and access; implementing threat protection, and responding to security incident escalations. The Azure Security Engineer often serves as part of a larger team dedicated to cloud-based management and security. The Azure Security Engineer might also help secure hybrid environments as part of an end-to-end infrastructure.
Candidates for this exam should have strong skills in scripting and automation; a deep understanding of networking, virtualization, and cloud n-tier architecture; and a strong familiarity with cloud capabilities in general and Microsoft Azure products and services in particular. The Azure Security Engineer should also be familiar with other Microsoft products and services.
Please note that the Azure Security Engineer role does NOT focus on helping secure Microsoft 365 and remains separate from the M365 Security and Compliance Administrator role.
Prerequisites study guide
If you are new to the Azure Security Engine role, please check the following references that will help you to understand security fundamentals:
- Introduction to Azure security
- Azure security technical capabilities
- Azure identity management security overview
- Azure network security overview
- Fundamentals of Network Security
- Microsoft Azure Well-Architected Framework Security
Skills measured on this exam
This exam measures your ability to accomplish the technical topics listed below based on the latest update from Microsoft. Please note that most questions cover features that are General Availability (GA). However, the exam may contain questions on Preview features if those features are commonly used by users.
Links to relevant reading from the official Microsoft documentation for each skill tested are listed below to help you prepare:
Manage Identity and Access (30-35%)
Manage Azure Active Directory Identities
- Configure security for service principals
- Manage Azure AD directory groups
- Manage Azure AD users
- Configure password write-back
- Configure authentication methods including password hash and Pass-Through Authentication (PTA), OAuth, and passwordless
- Transfer Azure subscriptions between Azure AD tenants
Configure secure access by using Azure AD
- Monitor privileged access for Azure AD Privileged Identity Management (PIM)
- Configure Access Reviews
- Activate and configure PIM
- Implement Conditional Access policies including Multi-Factor Authentication
- Configure Azure AD identity protection
Manage application access
- Create App Registration
- Configure App Registration permission scopes
- Manage App Registration permission consent
- Manage API access to Azure subscriptions and resources
Manage access control
- Configure subscription and resource permissions
- Configure resource group permissions
- Configure custom RBAC roles
- Identify the appropriate role
- Apply the principle of least privilege
- Interpret permissions
- Check access
Implement Platform Protection (15-20%)
Implement advanced network security
- Secure the connectivity of virtual networks (VPN authentication, Express Route encryption)
- Configure Network Security Groups (NSGs) and Application Security Groups (ASGs)
- Network security groups
- Create, change, or delete a network security group
- Tutorial: Filter network traffic with a network security group using the Azure portal
- Application security groups
- Manage and control traffic flow in your Azure deployment with routes
- Fundamentals of Network Security
- Secure and isolate access to Azure resources by using network security groups and service endpoints
- Create and configure Azure Firewall
- Implement Azure Firewall Manager
- Configure Azure Front Door service as an Application Gateway
- Configure a Web Application Firewall (WAF) on Azure Application Gateway
- Configure Azure Bastion
- Configure a firewall on a storage account, Azure SQL, KeyVault, or App Service
- Implement Service Endpoints
- Virtual Network service endpoints
- Tutorial: Restrict network access to PaaS resources with virtual network service endpoints using the Azure portal
- Create, change, or delete service endpoint policy using the Azure portal
- Use private endpoints for Azure Storage
- Quickstart: Create a Private Endpoint using the Azure portal
- Implement DDoS protection
Configure advanced security for compute
- Configure endpoint protection
- Configure and monitor system updates for VMs
- Configure authentication for Azure Container Registry
- Configure security for different types of containers
- Implement vulnerability management
- Configure isolation for AKS
- Configure security for container registry
- Implement Azure Disk Encryption
- Configure authentication and security for Azure App Service
- Configure SSL/TLS certs
- Configure authentication for Azure Kubernetes Service
- Configure automatic updates
Manage Security Operations (25-30%)
Monitor security by using Azure Monitor
- Create and customize alerts
- Monitor security logs by using Azure Monitor
- Configure diagnostic logging and log retention
Monitor security by using Azure Security Center
- Create and customize alerts
- Evaluate vulnerability scans from Azure Security Center
- Configure Just in Time VM access by using Azure Security Center
- Configure centralized policy management by using Azure Security Center
- Configure compliance policies and evaluate for compliance by using Azure Security Center
Monitor security by using Azure Sentinel
- Create and customize alerts
- Configure data sources to Azure Sentinel
- Evaluate results from Azure Sentinel
- Configure a playbook for a security event by using Azure Sentinel
Configure security policies
- Configure security settings by using Azure Policy
- Configure security settings by using Azure Blueprint
Secure Data and Applications (20-25%)
Configure security for storage
- Configure access control for storage accounts
- Configure key management for storage accounts
- Configure Azure AD authentication for Azure Storage
- Configure Azure AD Domain Services authentication for Azure Files
- Create and Manage Shared Access Signatures (SAS)
- Create a shared access policy for a blob or blob container
- Configure Storage Service Encryption
- Configure Azure Defender for Storage
Configure security for databases
- Enable database authentication
- Enable database auditing
- Configure Azure Defender for SQL
- Configure Azure SQL Database Advanced Threat Protection
- Implement database encryption
- Implement Azure SQL Database Always Encrypted
Configure and manage Key Vault
- Manage access to Key Vault
- Manage permissions to secrets, certificates, and keys
- Configure RBAC usage in Azure Key Vault
- Manage certificates
- Manage secrets
- Configure key rotation
- Backup and restore of Key Vault items
- Configure Azure Defender for Key Vault
Lessons Learned and Exam Preparation
Practice, practice, and read… I cannot stress enough that hands-on experience and understanding all the security concepts will help you to pass this exam. The key success to pass this exam is to work with Microsoft Azure daily, especially cloud governance and security.
Based on my experience to get the most from this preparation you need the following trial subscriptions or equivalent access:
- An Azure subscription – you can create your free Azure account today and start practicing the latest and greatest security features.
- An EMS E5
- Azure Security Center with Azure Defender enabled (free for 30 days)
- Azure Sentinel
I usually use Microsoft Azure Security Documentation which is a great resource to dive deep into each topic, and I use Microsoft Learn the new learning approach which is more structured to learn all the topics required for the exam. I highly recommend going through the free learning modules below on Microsoft Learn to prepare for the AZ-500 exam:
- Secure your cloud applications in Azure (6 modules)
- Implement resource management security in Azure (6 modules)
- Implement network security in Azure (5 modules)
- Implement virtual machine host security in Azure (6 modules)
- Manage identity and access in Azure Active Directory (9 modules)
- Manage security operations in Azure (8 modules)
You can watch the free Azure Security Expert Series videos provided by Microsoft to get you prepared. Pluralsight also offers a great learning path for the Microsoft Azure Security Engineer preparation, you can check it out here.
You can also go through the following free Azure Security AZ-500 course from Microsoft to get prepared for this exam:
If you have access to a LinkedIn Learning platform, then I highly recommend going through the following fast preparation path in just 6 hours:
- Manage Identity and Access (Domain 1)
- Implement Platform Protection (Domain 2)
- Manage Security Operations (Domain 3)
- Secure Data and Applications (Domain 4)
I also recommend the comprehensive course on Azure Cloud Security on udemy to learn how to implement security controls across the board.
Additionally, Skillmeup.com offered a great path for AZ-500 Exam preparation, and Skylinesacademy.com just released the AZ-500 course at a low cost, I highly recommend checking them out.
As of December 10, 2020, Microsoft released the Exam Reference AZ-500 Book – Microsoft Azure Security Technologies which you can place the order today here. I highly recommend this book to prepare and pass this exam.
Appendix January 2021 Exam Update
On January 27, 2021, Microsoft updated the AZ-500 Exam objectives to add new topics to the existing areas of the exam. This appendix covers the new additions per skill measure section. You can download the appendix from here to help you prepare for the latest exam questions.
Instructor-led virtual training
Last but certainly not least, if you prefer an instructor-led training course, Microsoft released the AZ-500T00-A (4 days) course. This course provides IT Security Professionals with the knowledge and skills needed to implement security controls, maintain an organization’s security posture, and identify and remediate security vulnerabilities. This course includes security for identity and access, platform protection, data and applications, and security operations. If you prefer to prepare for this exam with Microsoft MCT instructor-led virtual training, you can contact me here.
Bypassing the AZ-500 Microsoft Azure Security Technologies, you will earn the Microsoft Azure Security Engineer Associate certificate.
If you are planning to take this exam… I wish you all the best and Happy Studying!!!
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.