Security Engineer
The course equips learners to implement and manage security controls across Azure identity, networking, compute, storage, and operations, preparing them for the AZ-500 certification and real-world protection of cloud assets.
Who Should Take This
It is designed for IT professionals such as Azure administrators, security engineers, or solution architects who have foundational Azure knowledge and hands-on experience, and who aim to validate their ability to secure Azure environments and advance their cloud security careers.
What's Covered
1. Configuring Microsoft Entra ID, implementing authentication methods, managing application registrations, and configuring Conditional Access policies.
2. Implementing network security groups, Azure Firewall, Azure DDoS Protection, private endpoints, and service endpoints for Azure resources.
3. Implementing security for VMs, containers, Azure SQL, storage accounts, and managing encryption with Azure Key Vault.
4. Configuring Microsoft Defender for Cloud, Microsoft Sentinel, security monitoring, incident response, and vulnerability management.
Exam Structure
Question Types
- Multiple Choice
- Multiple Response
- Case Studies
- Labs
Scoring Method
Scaled score 100-1000, passing score 700
Delivery Method
Proctored exam, 40-60 questions, 100 minutes
Prerequisites
None required. AZ-104 recommended.
Recertification
Renew annually via free Microsoft Learn renewal assessment
What's Included in AccelaStudy® AI
Course Outline
79 learning goals
Domain 1: Manage Identity and Access
4 topics
Manage Microsoft Entra identities
- Identify Microsoft Entra ID identity object types including users, groups, app registrations, managed identities, and service principals and describe their roles in Azure security architecture.
- Configure user-assigned and system-assigned managed identities for Azure resources and assign appropriate RBAC roles to eliminate credential storage in application code.
- Create and configure app registrations with appropriate API permissions, redirect URIs, and certificate or secret credentials for secure application authentication.
- Configure service principals with least-privilege role assignments and manage credential rotation policies to secure automated service-to-service authentication.
- Analyze identity security posture by evaluating managed identity versus service principal usage patterns and recommend identity configurations that minimize credential exposure risk.
Manage Microsoft Entra authentication
- Identify Microsoft Entra authentication methods including passwords, MFA, passwordless options (FIDO2, Windows Hello, Microsoft Authenticator), and certificate-based authentication and describe their security characteristics.
- Configure multi-factor authentication policies including per-user MFA, Conditional Access-based MFA, and authentication strength requirements for different user populations and risk levels.
- Implement passwordless authentication by configuring FIDO2 security keys, Windows Hello for Business, and Microsoft Authenticator phone sign-in policies for organizational deployment.
- Configure Conditional Access policies with conditions based on user risk, sign-in risk, device compliance, location, and client application to enforce adaptive access controls.
- Configure Microsoft Entra ID Identity Protection policies including user risk policies and sign-in risk policies to automatically detect and remediate compromised identities.
- Analyze authentication event logs and Identity Protection risk detections to investigate suspicious sign-in patterns and evaluate the effectiveness of Conditional Access and MFA policies.
Manage Microsoft Entra authorization
- Identify Azure RBAC components including built-in roles, custom roles, role assignments, deny assignments, and scope hierarchy and describe how they control access to Azure resources.
- Configure Azure RBAC role assignments at management group, subscription, resource group, and resource scopes using built-in and custom role definitions with least-privilege principles.
- Implement Microsoft Entra Privileged Identity Management to configure just-in-time role activation, approval workflows, and time-bound assignments for privileged Azure and Entra ID roles.
- Configure access reviews in Microsoft Entra ID to periodically validate group memberships, application assignments, and privileged role assignments for compliance and governance.
- Evaluate authorization posture by analyzing RBAC role assignments, PIM activation logs, and access review results to identify over-privileged accounts and recommend authorization improvements.
Manage application access in Microsoft Entra ID
- Describe OAuth 2.0 authorization flows including authorization code, client credentials, and on-behalf-of and explain how they apply to Azure application authentication scenarios.
- Configure application consent settings and API permissions including delegated and application permissions to control what resources applications can access on behalf of users or as themselves.
- Evaluate enterprise application configurations by analyzing user and group provisioning settings, single sign-on methods, and token claims to determine appropriate access patterns for SaaS and custom applications.
- Assess application access security by evaluating consent grants, API permission scopes, and enterprise app configurations to identify overly permissive application access patterns.
Domain 2: Secure Networking
3 topics
Plan and implement security for virtual networks
- Identify Azure virtual network security components including network security groups, application security groups, user-defined routes, and service tags and describe their role in network traffic filtering.
- Describe VNet service endpoints and private endpoints and explain how each restricts network access to Azure PaaS services with different isolation and security characteristics.
- Configure network security groups with inbound and outbound rules using priority ordering, source and destination filters, service tags, and application security groups to control traffic flow between subnets and resources.
- Implement Azure Firewall with network rules, application rules, DNAT rules, and threat intelligence-based filtering to centralize network security policy enforcement across virtual networks.
- Configure Azure DDoS Protection plans including Standard tier features, telemetry, adaptive tuning, and DDoS rapid response to protect virtual network resources from distributed denial-of-service attacks.
- Analyze network traffic routing requirements and evaluate user-defined routes and forced tunneling configurations to determine optimal traffic inspection paths through network virtual appliances or Azure Firewall.
- Analyze virtual network security configurations and evaluate the tradeoffs among NSGs, Azure Firewall, and network virtual appliances to recommend a layered network security architecture for multi-tier applications.
Plan and implement security for private access to Azure resources
- Recognize Azure Private Link and private endpoint components and describe how they enable private IP connectivity to Azure PaaS services, eliminating public internet exposure.
- Implement private endpoints for Azure Storage, Azure SQL Database, and Azure Key Vault and configure private DNS zones for name resolution within virtual networks.
- Configure VPN Gateway site-to-site and point-to-site connections with IPsec/IKE policies and certificate-based or RADIUS authentication for secure hybrid connectivity.
- Configure ExpressRoute circuits with private peering and Microsoft peering and implement ExpressRoute encryption for secure dedicated connectivity between on-premises networks and Azure.
- Evaluate private access strategies by comparing service endpoints, private endpoints, VPN, and ExpressRoute to recommend the appropriate private connectivity solution based on security requirements, latency, and cost constraints.
Plan and implement security for public access to Azure resources
- Identify Azure public-facing security services including Azure Front Door, Application Gateway, and Web Application Firewall and describe their TLS termination, routing, and threat protection capabilities.
- Configure TLS settings including minimum TLS version enforcement, certificate management, and end-to-end encryption for Azure services exposed to the public internet.
- Implement Azure Application Gateway with WAF policies including OWASP rule sets, custom rules, bot protection, and rate limiting to secure web applications from common exploits.
- Configure Azure Front Door with WAF policies, custom rules, geo-filtering, and rate limiting to provide global load balancing with integrated web application security at the edge.
- Evaluate public access security architectures by comparing Application Gateway WAF versus Azure Front Door WAF configurations and determine the optimal deployment for web applications with varying geographic distribution and threat profiles.
Domain 3: Secure Compute, Storage, and Databases
3 topics
Plan and implement advanced security for compute
- Identify Azure VM security features including Azure Disk Encryption, host-based encryption, confidential computing, trusted launch, and Microsoft Antimalware and describe their protection capabilities.
- Configure Azure Disk Encryption using platform-managed or customer-managed keys in Azure Key Vault and implement encryption at host for temporary disks and OS/data disk caches.
- Implement just-in-time VM access using Microsoft Defender for Cloud to restrict management port exposure and reduce the attack surface of Azure virtual machines.
- Identify Azure container security features including Azure Container Registry image scanning, content trust, access policies, and network isolation options and describe how they protect containerized workloads.
- Implement AKS security controls including Azure AD integration for cluster RBAC, pod security policies, network policies, Azure Policy for AKS, and secrets management with Azure Key Vault provider.
- Evaluate Azure API Management security policies including OAuth 2.0 validation, rate limiting, IP filtering, and mutual TLS and determine the appropriate policy combination to secure API endpoints based on threat model and client types.
- Analyze compute security posture by evaluating VM encryption configurations, container security controls, and AKS cluster hardening and recommend improvements to address identified vulnerabilities.
Plan and implement security for storage
- Identify Azure Storage security features including access keys, shared access signatures, Entra ID authorization, storage encryption, and immutability policies and describe their access control and data protection characteristics.
- Configure storage account access controls using shared access signatures with appropriate permissions, expiry times, IP restrictions, and stored access policies to delegate limited access to storage resources.
- Implement Microsoft Entra ID authorization for Azure Storage by assigning RBAC roles for blob, queue, table, and file data access and configuring managed identity authentication for applications.
- Configure Azure Storage encryption using Microsoft-managed keys and customer-managed keys in Azure Key Vault and implement infrastructure encryption for double encryption at rest.
- Configure Azure Files security including SMB authentication with Entra ID Domain Services, NTFS permissions, and private endpoint access for secure file share deployments.
- Evaluate storage security configurations by comparing access key-based, SAS-based, and Entra ID-based authorization models and recommend a storage security strategy that balances security, manageability, and application compatibility.
Plan and implement security for Azure SQL Database and Azure Cosmos DB
- Identify Azure SQL Database security features including SQL authentication, Entra ID authentication, transparent data encryption, Always Encrypted, dynamic data masking, and auditing and describe their data protection purposes.
- Configure Microsoft Entra ID authentication for Azure SQL Database including Entra-only mode, server admin assignment, and contained database user creation for centralized identity-based access control.
- Implement transparent data encryption with service-managed and customer-managed keys and configure Always Encrypted with column master keys and column encryption keys for client-side data protection.
- Configure Azure SQL auditing to capture database events to Azure Storage, Log Analytics, or Event Hub and implement dynamic data masking rules to obfuscate sensitive data from non-privileged users.
- Configure Microsoft Defender for SQL to detect anomalous database activities, SQL injection attempts, and vulnerability assessment findings and manage security alerts for database threat protection.
- Configure Azure Cosmos DB security including RBAC for data plane access, network isolation with private endpoints, encryption with customer-managed keys, and database-level access control.
- Assess database security posture by evaluating encryption configurations, authentication modes, auditing coverage, and threat detection alerts to identify gaps and recommend improvements for Azure SQL and Cosmos DB deployments.
Domain 4: Manage Security Operations
4 topics
Plan, implement, and manage governance for security
- Identify Azure Policy components including policy definitions, initiatives, assignments, exemptions, and compliance states and describe how they enforce organizational security standards across Azure resources.
- Describe Microsoft Defender for Cloud capabilities including secure score, security recommendations, regulatory compliance dashboard, and cloud workload protection plans and explain their role in security governance.
- Create and assign Azure Policy definitions and initiatives to enforce security configurations including allowed resource types, required tags, encryption requirements, and network restrictions at subscription and management group scopes.
- Configure Microsoft Defender for Cloud security policies, enable Defender plans for specific resource types, and remediate security recommendations to improve the organization's secure score.
- Assess regulatory compliance posture in Microsoft Defender for Cloud by evaluating security control mappings against NIST, ISO 27001, and CIS benchmarks and determining remediation priorities for compliance gaps.
- Analyze security governance effectiveness by evaluating Azure Policy compliance results, Defender for Cloud secure score trends, and regulatory compliance gaps to prioritize remediation efforts across the organization.
Manage security posture by using Microsoft Defender for Cloud
- Identify Cloud Security Posture Management capabilities in Microsoft Defender for Cloud including attack path analysis, cloud security graph, and governance rules and describe how they provide visibility into security posture.
- Configure vulnerability assessment solutions for Azure VMs, container registries, and SQL databases using Microsoft Defender for Cloud integrated scanners to identify and track security vulnerabilities.
- Implement Defender for Cloud workload protection for servers, App Service, storage, SQL, containers, and Key Vault by enabling appropriate plans and configuring alert suppression rules.
- Investigate security posture findings by analyzing Defender for Cloud attack path analysis results, cloud security graph queries, and vulnerability assessment reports to determine remediation priorities and risk exposure.
Configure and manage threat protection
- Identify Microsoft Sentinel components including workspaces, data connectors, analytics rules, incidents, and playbooks and describe how they provide SIEM and SOAR capabilities for cloud security operations.
- Describe threat detection mechanisms including Defender for Cloud alerts, Microsoft Sentinel analytics, and behavioral analysis and explain how they identify suspicious activities across Azure workloads.
- Deploy Microsoft Sentinel by creating a Log Analytics workspace, connecting data sources including Azure AD, Defender for Cloud, and Azure Activity logs, and enabling built-in analytics rule templates.
- Create custom Microsoft Sentinel analytics rules using KQL queries with entity mapping, alert grouping, and incident creation settings to detect organization-specific security threats.
- Configure Microsoft Sentinel playbooks using Logic Apps to automate incident response workflows including alert enrichment, notification, remediation actions, and ticket creation in external systems.
- Analyze security incidents in Microsoft Sentinel by triaging alerts, investigating incidents using entity timelines and bookmarks, and assessing impact scope for incident response prioritization.
- Investigate complex security incidents by correlating alerts across Microsoft Sentinel, Defender for Cloud, and Identity Protection to determine attack scope, affected resources, and appropriate containment and remediation actions.
Configure and manage security monitoring and automation
- Identify Azure Monitor security-relevant capabilities including diagnostic settings, activity logs, resource logs, and Azure Monitor Alerts and describe how they support security monitoring workflows.
- Configure diagnostic settings to route security-relevant resource logs and activity logs to Log Analytics workspaces, Azure Storage, and Event Hubs for centralized security monitoring.
- Create Log Analytics queries using KQL to analyze security events including failed sign-ins, privilege escalations, resource modifications, and network anomalies across Azure resources.
- Implement security automation using Azure Logic Apps triggered by Defender for Cloud alerts or Azure Monitor to execute automated remediation workflows including resource isolation, key rotation, and access revocation.
- Evaluate security monitoring and automation effectiveness by analyzing alert coverage, log retention configurations, and automation workflow success rates to identify gaps in detection and response capabilities.
Hands-On Labs
Practice in a simulated cloud console or Python code sandbox — no account needed. Each lab runs entirely in your browser.
Certification Benefits
Industry Recognition
Microsoft Azure certifications are among the most valued in enterprise IT, with Microsoft holding the second-largest cloud market share globally and serving as the dominant platform in enterprise and hybrid cloud environments.
Scope
Included Topics
- All domains and task statements in the Microsoft Azure Security Engineer Associate (AZ-500) exam guide: Domain 1 Manage identity and access (25-30%), Domain 2 Secure networking (20-25%), Domain 3 Secure compute, storage, and databases (20-25%), and Domain 4 Manage security operations (25-30%).
- Associate-level Azure security engineering practices for identity protection, network security, compute and data protection, and security operations management in Microsoft Azure.
- Scenario-driven security decision making for implementing, configuring, and managing security controls across Azure workloads under compliance, risk, and threat mitigation constraints.
- Key Azure security services and features: Microsoft Entra ID, Conditional Access, MFA, Passwordless Authentication, Identity Protection, Privileged Identity Management, Access Reviews, Azure RBAC, App Registrations, Managed Identities, Service Principals, OAuth and App Consent, NSGs, ASGs, UDRs, Azure Firewall, Azure DDoS Protection, Private Link, Private Endpoints, VPN Gateway, ExpressRoute, Azure Front Door, Application Gateway, WAF, TLS, VM Security, Container Security, AKS Security, Storage Account Security, SAS Tokens, Storage Encryption, Azure Files Security, Azure SQL Security, Cosmos DB Security, TDE, Always Encrypted, Dynamic Data Masking, Azure Policy, Microsoft Defender for Cloud, Secure Score, Microsoft Sentinel, SIEM/SOAR, Azure Monitor, Log Analytics, Logic Apps Security Automation, Microsoft Defender for SQL, Cloud Security Posture Management.
Not Covered
- Expert-level Azure solutions architecture and enterprise-wide multi-tenant security design that exceeds AZ-500 associate security engineer objectives.
- Deep application development security implementation details including secure coding practices, SAST/DAST tooling, and DevSecOps pipeline configuration not centered on Azure platform security controls.
- Transient Azure service pricing details and short-lived promotional values that are not stable for durable domain specifications.
- Non-Azure security tooling specifics including third-party SIEM platforms, endpoint detection and response products, and on-premises-only security solutions not integrated with Azure.
- Azure CLI and PowerShell command-level syntax memorization and SDK version-specific API signatures beyond conceptual understanding of security operations automation.