Microsoft AZ-500: Azure Security Technologies Exam Guide

Everything you need to know about the AZ-500 certification exam, from preparation strategies to exam day tips.

Exam Information

150 minutes

Duration

40-60 questions

Questions

700/1000

Passing Score

$165 USD

Exam Cost

Recommended Study Plan

Week 1

Azure RBAC and Microsoft Entra Identity

Manage identity and access (25-30%)

8-10 hours

Azure RBAC: roles, role assignments, built-in vs custom roles, deny assignments, scope hierarchy
Microsoft Entra ID: tenants, users, groups, service principals, managed identities
Authentication methods: MFA, SSPR, passwordless (FIDO2, Windows Hello, Authenticator)
Conditional Access: signals (user, location, device, risk), access controls, policies
Identity Protection: sign-in risk policy, user risk policy, risk detections (leaked credentials, anonymous IP, atypical travel)
External identities: B2B collaboration, B2B direct connect, External ID (B2C)

Recommended Resources:

Microsoft Entra Docs

Microsoft Learn — Manage identity and access for AZ-500

Week 2

Privileged Access, PIM, and Governance

Manage identity and access (25-30%)

6-8 hours

Privileged Identity Management (PIM): just-in-time role activation, time-bound assignments, approval workflows, access reviews for Azure roles and Entra roles
Entitlement Management: access packages, catalogs, My Access portal, time-limited assignments, connected organizations
Access Reviews: review group membership, app assignments, and Azure role assignments — auto-remove stale access
Azure AD Application Registrations: app permissions (delegated vs application), admin consent, service principal security
Managed identities: system-assigned vs user-assigned — authenticate to Azure services without credentials in code
Microsoft Entra Permissions Management (CIEM): identify over-provisioned identities

Recommended Resources:

Microsoft Entra PIM Docs

Azure RBAC Documentation

Week 3

Secure Networking — Firewalls, NSGs, and Private Access

Secure networking (20-25%)

8-10 hours

Network Security Groups (NSGs): inbound/outbound rules, priority evaluation, Application Security Groups (ASGs), NSG flow logs
Azure Firewall Standard vs Premium: FQDN filtering, threat intelligence, IDPS, TLS inspection
Web Application Firewall (WAF): OWASP CRS, detection vs prevention mode, custom rules, deployment on App Gateway and Front Door
Azure DDoS Protection: Basic (free) vs Network Protection — volumetric, protocol, and resource-layer attack mitigation
Private Link and Private Endpoints: private IP for PaaS services, DNS override, disabling public access
Azure Bastion: browser-based RDP/SSH, eliminating public IP on VMs, Basic vs Standard SKU
VPN Gateway and ExpressRoute security: IPsec/IKEv2, MACsec, VPN over ExpressRoute for compliance

Recommended Resources:

Azure Network Security Docs

Microsoft Learn — Secure networking for AZ-500

Week 4

Secure Compute, Storage, and Databases

Secure compute, storage, and databases (20-25%)

8-10 hours

JIT VM Access: how Defender for Cloud locks down management ports, time-limited NSG Allow rules, audit trail
Azure Disk Encryption (ADE) vs SSE with CMK vs Encryption at host — when to use each
Azure Key Vault: secrets/keys/certificates, Vault access policy vs Azure RBAC, soft-delete, purge protection, Private Endpoint, managed HSM
Storage security: RBAC roles, SAS types (User Delegation SAS recommended), storage firewall, secure transfer required, Defender for Storage
Azure SQL security: TDE with CMK, Always Encrypted, Row-Level Security, Dynamic Data Masking, Advanced Threat Protection, SQL Auditing
Container security: ACR RBAC, Defender for Containers runtime protection, AKS network policies, Workload Identity, Azure Policy for AKS

Recommended Resources:

Azure Key Vault Docs

Microsoft Learn — Secure compute, storage, and databases for AZ-500

Week 5

Defender for Cloud and Microsoft Sentinel

Manage security operations (25-30%)

10-12 hours

Defender for Cloud: CSPM (Foundational free vs Enhanced), Secure Score, regulatory compliance dashboard, security recommendations
Defender workload protection plans: Defender for Servers P1/P2, Defender for SQL, Storage, Containers, Key Vault — know what each protects
Security alerts: MITRE ATT&CK mapping, workflow automation with Logic Apps, attack path analysis
Microsoft Sentinel architecture: Log Analytics Workspace, data connectors, analytics rules (Scheduled, NRT, Microsoft incident creation)
Sentinel detection: Fusion ML correlation, UEBA entity behavior analytics, anomaly detection rules
Sentinel response: Playbooks (Logic Apps), threat hunting with KQL, workbooks for dashboarding
Sentinel incident lifecycle: detect → triage → investigate → respond → close with classification

Recommended Resources:

Microsoft Sentinel Docs

Defender for Cloud Docs

KQL quick reference

Week 6

Azure Policy, Governance, and Full Review

Manage security operations (25-30%)

8-10 hours

Azure Policy: effects (Audit, Deny, DeployIfNotExists, Modify), initiatives, scope hierarchy, remediation tasks
Azure Monitor: diagnostic settings, Activity Log, resource logs, Log Analytics KQL, Azure Monitor Alerts and Action Groups
Microsoft Defender XDR: Defender for Endpoint (EDR), Defender for Identity (AD threat detection), Defender for Cloud Apps (CASB)
Security baselines: Microsoft Cloud Security Benchmark (MCSB), CIS Benchmarks, regulatory compliance in Defender for Cloud
Full-length timed practice exam (AZ-500 style: 60 questions, 150 minutes)
Identify weak domains and focused review of gap areas
Review official AZ-500 skills measured document for any coverage gaps

Recommended Resources:

Azure Policy Docs

CertStud Practice Exams

AZ-500 Skills Outline (Microsoft Learn)

Exam Tips & Strategies

Know Service Boundaries — Especially Identity vs Operations

AZ-500 heavily tests which service applies to a given scenario. Know: PIM = just-in-time role activation, Conditional Access = policy-based access control, RBAC = resource permissions, Defender for Cloud = CSPM/CWPP posture, Sentinel = SIEM/SOAR for detection and response.

Time Management — 150 Minutes for 40-60 Questions

Budget 2-3 minutes per question — AZ-500 is an associate-level exam with complex scenario-based questions. Flag uncertain questions and return. Case studies (if included) appear as a block — read scenario once, then answer all questions before moving on.

Hands-On Practice Accelerates Retention

AZ-500 tests applied knowledge — configure NSG rules, create Key Vault with RBAC, enable Defender for Cloud, set up Sentinel analytics rules. Use Azure free tier or MPN credits. Pair hands-on labs with CertStud practice questions to reinforce concepts.

Read Scenario Keywords Carefully

Keyword map: 'JIT' → Defender for Servers P2, 'SIEM/SOAR' → Sentinel, 'secure score/posture' → Defender for Cloud CSPM, 'column-level encryption' → Always Encrypted, 'OS-level disk encryption' → ADE (not SSE), 'private IP for PaaS' → Private Endpoint, 'time-bound admin access' → PIM.

Key Topics to Master

Azure RBAC: built-in roles, custom roles, scope (management group → subscription → resource group → resource)

Microsoft Entra ID: Conditional Access policies, Identity Protection risk policies, PIM JIT activation

Network Security Groups (NSGs): inbound/outbound rules, priority order, Application Security Groups

Azure Firewall Standard vs Premium: FQDN rules, threat intelligence, IDPS, TLS inspection

Azure DDoS Protection: Basic (free) vs Network Protection — volumetric and protocol attack mitigation

Azure Key Vault: secrets/keys/certificates, access policy vs RBAC, soft-delete, purge protection

JIT VM Access: Defender for Servers P2, time-limited NSG rules, approval workflow

Disk Encryption: ADE (OS-level BitLocker/DM-Crypt) vs SSE with CMK (storage-layer) vs Encryption at host

Storage security: User Delegation SAS, storage firewall, secure transfer required, Defender for Storage

SQL security: TDE with CMK, Always Encrypted, Row-Level Security, Dynamic Data Masking, SQL ATP

Defender for Cloud: Secure Score, CSPM foundational vs enhanced, CWPP plans (Servers P1/P2, SQL, Storage, Containers)

Microsoft Sentinel: data connectors, KQL analytics rules, Fusion correlation, Playbooks (SOAR), incident lifecycle

Recommended Study Plan

Week 1

Azure RBAC and Microsoft Entra Identity

Manage identity and access (25-30%)

8-10 hours

Azure RBAC: roles, role assignments, built-in vs custom roles, deny assignments, scope hierarchy
Microsoft Entra ID: tenants, users, groups, service principals, managed identities
Authentication methods: MFA, SSPR, passwordless (FIDO2, Windows Hello, Authenticator)
Conditional Access: signals (user, location, device, risk), access controls, policies
Identity Protection: sign-in risk policy, user risk policy, risk detections (leaked credentials, anonymous IP, atypical travel)
External identities: B2B collaboration, B2B direct connect, External ID (B2C)

Recommended Resources:

Microsoft Entra Docs

Microsoft Learn — Manage identity and access for AZ-500

Week 2

Privileged Access, PIM, and Governance

Manage identity and access (25-30%)

6-8 hours

Privileged Identity Management (PIM): just-in-time role activation, time-bound assignments, approval workflows, access reviews for Azure roles and Entra roles
Entitlement Management: access packages, catalogs, My Access portal, time-limited assignments, connected organizations
Access Reviews: review group membership, app assignments, and Azure role assignments — auto-remove stale access
Azure AD Application Registrations: app permissions (delegated vs application), admin consent, service principal security
Managed identities: system-assigned vs user-assigned — authenticate to Azure services without credentials in code
Microsoft Entra Permissions Management (CIEM): identify over-provisioned identities

Recommended Resources:

Microsoft Entra PIM Docs

Azure RBAC Documentation

Week 3

Secure Networking — Firewalls, NSGs, and Private Access

Secure networking (20-25%)

8-10 hours

Network Security Groups (NSGs): inbound/outbound rules, priority evaluation, Application Security Groups (ASGs), NSG flow logs
Azure Firewall Standard vs Premium: FQDN filtering, threat intelligence, IDPS, TLS inspection
Web Application Firewall (WAF): OWASP CRS, detection vs prevention mode, custom rules, deployment on App Gateway and Front Door
Azure DDoS Protection: Basic (free) vs Network Protection — volumetric, protocol, and resource-layer attack mitigation
Private Link and Private Endpoints: private IP for PaaS services, DNS override, disabling public access
Azure Bastion: browser-based RDP/SSH, eliminating public IP on VMs, Basic vs Standard SKU
VPN Gateway and ExpressRoute security: IPsec/IKEv2, MACsec, VPN over ExpressRoute for compliance

Recommended Resources:

Azure Network Security Docs

Microsoft Learn — Secure networking for AZ-500

Week 4

Secure Compute, Storage, and Databases

Secure compute, storage, and databases (20-25%)

8-10 hours

JIT VM Access: how Defender for Cloud locks down management ports, time-limited NSG Allow rules, audit trail
Azure Disk Encryption (ADE) vs SSE with CMK vs Encryption at host — when to use each
Azure Key Vault: secrets/keys/certificates, Vault access policy vs Azure RBAC, soft-delete, purge protection, Private Endpoint, managed HSM
Storage security: RBAC roles, SAS types (User Delegation SAS recommended), storage firewall, secure transfer required, Defender for Storage
Azure SQL security: TDE with CMK, Always Encrypted, Row-Level Security, Dynamic Data Masking, Advanced Threat Protection, SQL Auditing
Container security: ACR RBAC, Defender for Containers runtime protection, AKS network policies, Workload Identity, Azure Policy for AKS

Recommended Resources:

Azure Key Vault Docs

Microsoft Learn — Secure compute, storage, and databases for AZ-500

Week 5

Defender for Cloud and Microsoft Sentinel

Manage security operations (25-30%)

10-12 hours

Defender for Cloud: CSPM (Foundational free vs Enhanced), Secure Score, regulatory compliance dashboard, security recommendations
Defender workload protection plans: Defender for Servers P1/P2, Defender for SQL, Storage, Containers, Key Vault — know what each protects
Security alerts: MITRE ATT&CK mapping, workflow automation with Logic Apps, attack path analysis
Microsoft Sentinel architecture: Log Analytics Workspace, data connectors, analytics rules (Scheduled, NRT, Microsoft incident creation)
Sentinel detection: Fusion ML correlation, UEBA entity behavior analytics, anomaly detection rules
Sentinel response: Playbooks (Logic Apps), threat hunting with KQL, workbooks for dashboarding
Sentinel incident lifecycle: detect → triage → investigate → respond → close with classification

Recommended Resources:

Microsoft Sentinel Docs

Defender for Cloud Docs

KQL quick reference

Week 6

Azure Policy, Governance, and Full Review

Manage security operations (25-30%)

8-10 hours

Azure Policy: effects (Audit, Deny, DeployIfNotExists, Modify), initiatives, scope hierarchy, remediation tasks
Azure Monitor: diagnostic settings, Activity Log, resource logs, Log Analytics KQL, Azure Monitor Alerts and Action Groups
Microsoft Defender XDR: Defender for Endpoint (EDR), Defender for Identity (AD threat detection), Defender for Cloud Apps (CASB)
Security baselines: Microsoft Cloud Security Benchmark (MCSB), CIS Benchmarks, regulatory compliance in Defender for Cloud
Full-length timed practice exam (AZ-500 style: 60 questions, 150 minutes)
Identify weak domains and focused review of gap areas
Review official AZ-500 skills measured document for any coverage gaps