What does the AZ-500 exam cover?
The AZ-500 Microsoft Azure Security Technologies exam covers four security domains: managing identity and access, securing networking, securing compute, storage and databases, and managing security operations. It requires hands-on experience configuring Azure security services and is aimed at security engineers who implement and manage Azure security controls. The passing score is 700 out of 1000 and the exam costs $165 USD.
The AZ-500 Microsoft Azure Security Technologies certification validates the skills required to implement and manage security controls across Azure environments. This is the role-based certification for Azure security engineers, who are responsible for maintaining the security posture of cloud infrastructure, identifying and remediating vulnerabilities, and implementing threat protection.
The AZ-500 is one of the most technically demanding Azure security certifications and is increasingly required for security-focused Azure roles. Cybersecurity professionals with this certification report salaries ranging from $110,000 to $145,000 in the United States. The exam costs $165 USD, contains 40-60 questions, and requires a passing score of 700 out of 1000.
Exam Overview
| Detail | Information |
|---|---|
| Exam Code | AZ-500 |
| Full Name | Microsoft Azure Security Technologies |
| Number of Questions | 40-60 |
| Time Limit | 120 minutes |
| Passing Score | 700/1000 |
| Cost | $165 USD |
| Prerequisites | AZ-104 or equivalent experience recommended |
| Renewal | Every 12 months via free online assessment |
The exam covers four domains:
- Manage identity and access (25-30%)
- Secure networking (20-25%)
- Secure compute, storage, and databases (20-25%)
- Manage security operations (25-30%)
"AZ-500 is not a conceptual exam. It requires you to know exactly how to configure Microsoft Defender for Cloud, how Conditional Access policies work, how to set up Microsoft Sentinel detection rules, and how to interpret security alerts. Candidates who study conceptually without hands-on labs consistently fail." -- Tom Janetscheck, Microsoft Security MVP
Domain 1: Manage Identity and Access (25-30%)
Entra ID Security Features
Privileged Identity Management (PIM) provides just-in-time privileged access to reduce the standing attack surface. Key configurations:
- Requiring approval and justification before activating privileged roles
- Setting maximum activation durations
- Configuring MFA requirements for role activation
- Alert generation for suspicious activation patterns
Identity Protection uses machine learning to detect and respond to identity risks:
- Risk detections: Leaked credentials, impossible travel, anonymous IP usage, atypical travel, malware-linked IP
- Risk policies: Automated responses requiring password change or MFA based on user risk level
- Sign-in risk: Real-time evaluation of each authentication attempt
Conditional Access Architecture
Security engineers design Conditional Access policies as the primary enforcement mechanism for Zero Trust. Critical scenarios tested on AZ-500:
- Requiring compliant devices for access to sensitive applications
- Blocking legacy authentication protocols (a major attack vector)
- Requiring MFA for all privileged administrator roles
- Creating named locations and applying location-based policies
Managed Identities
Managed identities eliminate the need for credentials in application code. Security engineers must configure:
- System-assigned managed identities (tied to resource lifecycle)
- User-assigned managed identities (independent lifecycle, shareable across resources)
- Role assignments granting managed identities access to Key Vault secrets, storage accounts, and other services
Domain 2: Secure Networking (20-25%)
Azure Firewall and DDoS Protection
Azure Firewall is a managed, stateful firewall providing:
- Application rules filtering based on FQDN
- Network rules filtering based on IP addresses, ports, and protocols
- DNAT rules translating inbound public traffic to private resources
- Threat intelligence integration to block known malicious IPs and domains
Azure DDoS Protection Standard provides enhanced mitigation for distributed denial-of-service attacks against Azure resources. Standard tier includes adaptive tuning, attack telemetry, and 24/7 DDoS rapid response support.
Network Security Configuration
| Security Control | Layer | Purpose |
|---|---|---|
| Network Security Groups | Subnet/NIC | Traffic filtering with allow/deny rules |
| Application Security Groups | Logical grouping | Simplified NSG rule management |
| Azure Firewall | VNet hub | Centralized stateful filtering and FQDN filtering |
| Web Application Firewall | Layer 7 | Protection against OWASP Top 10 vulnerabilities |
| Private Endpoints | Network isolation | Eliminate public exposure of PaaS services |
| Azure Bastion | Management access | RDP/SSH without public IP exposure |
Domain 3: Secure Compute, Storage, and Databases (20-25%)
Microsoft Defender for Cloud
Microsoft Defender for Cloud is the unified security management platform that provides:
- Secure Score: A quantified measure of security posture based on implemented recommendations
- Security recommendations: Prioritized list of misconfigurations to remediate
- Defender plans: Enhanced threat protection for specific resource types (servers, databases, containers, storage, Key Vault, etc.)
- Regulatory compliance: Mapping of Azure resource configurations to compliance frameworks (CIS, NIST, PCI-DSS)
Azure Key Vault
Azure Key Vault is the central secrets management service. Security engineers configure:
- Access policies vs. RBAC: Azure RBAC is the recommended model for Key Vault access control over the legacy access policy model
- Soft delete and purge protection: Preventing accidental or malicious deletion of secrets and keys
- Key rotation: Automated rotation policies for secrets and certificates
- Diagnostic logging: Auditing all Key Vault access attempts
Storage and Database Security
- Storage service encryption: Enabled by default using Microsoft-managed keys; customer-managed keys (CMK) in Key Vault provide additional control
- Advanced threat protection: Detects anomalous access patterns (unusual location, unusual application, brute force)
- SQL Database auditing: Logging all database events to Log Analytics or storage
- SQL Transparent Data Encryption: Encrypting SQL databases at rest using service-managed or customer-managed keys
Domain 4: Manage Security Operations (25-30%)
Microsoft Sentinel
Microsoft Sentinel is Azure's cloud-native SIEM and SOAR platform. Security engineers must configure:
- Data connectors: Ingesting security data from Azure services, Microsoft 365, and third-party sources
- Analytics rules: Detecting threats using built-in Microsoft rules, community rules, or custom KQL-based rules
- Playbooks: Automated response workflows built on Azure Logic Apps
- Hunting queries: Proactive threat hunting using KQL queries against ingested data
- Incidents: Grouped alerts requiring analyst investigation
KQL Fundamentals
Microsoft Sentinel requires knowledge of Kusto Query Language (KQL) for writing analytics rules and hunting queries. Essential operators:
```kusto
SecurityEvent
| where EventID == 4625                      // Windows failed logon
| summarize count() by Account, Computer     // failures per account on each host
| where count_ > 10                          // summarize names the count column count_
| order by count_ desc
```
This query identifies accounts with more than 10 failed logon attempts, a common brute-force detection pattern.
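The brute-force pattern above, run over a constructed set of SecurityEvent rows, as an added Python example that is not part of the original page; the account, computer and timestamp values are made up. It also goes one step beyond the page's query by adding a 5-minute time bin (the `bin(TimeGenerated, 5m)` form an analytics rule would normally use), so the difference between a burst of failures and the same count spread over hours is visible.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of SecurityEvent rows as Sentinel would ingest them from the
# Windows Security log. EventID 4625 = failed logon, 4624 = successful logon.
# Account and Computer names are made up for this example.
def make_events(account, computer, event_id, n, start, step_seconds):
    return [{"TimeGenerated": start + timedelta(seconds=i * step_seconds),
             "EventID": event_id, "Account": account, "Computer": computer}
            for i in range(n)]

T0 = datetime(2025, 1, 15, 8, 0, 0)
SAMPLE_EVENTS = (
    make_events("CONTOSO\\svc-backup", "WEB01", 4625, 15, T0, 2)      # 15 failures in 30 s
    + make_events("CONTOSO\\alice", "WEB01", 4625, 3, T0, 60)         # a few mistyped passwords
    + make_events("CONTOSO\\bob", "SQL01", 4624, 20, T0, 60)          # successes: must not alert
    + make_events("CONTOSO\\jsmith", "DC01", 4625, 12, T0, 3600)      # 12 failures, one per hour
)

def failed_logon_counts(events, threshold=10):
    """Python equivalent of the page's query: count EventID 4625 per (Account, Computer),
    keep pairs above the threshold, order by count descending."""
    counts = Counter((e["Account"], e["Computer"]) for e in events if e["EventID"] == 4625)
    hits = [(acct, comp, n) for (acct, comp), n in counts.items() if n > threshold]
    return sorted(hits, key=lambda r: r[2], reverse=True)

def failed_logon_counts_windowed(events, threshold=10, window=timedelta(minutes=5)):
    """Same detection with a time bin, like `summarize count() by bin(TimeGenerated, 5m),
    Account, Computer` in KQL. The burst (svc-backup) alerts; jsmith's 12 failures over
    12 hours do not. Which behaviour you want is a tuning decision: the unbinned form
    over the rule's lookback window catches the slow case, the binned form the burst."""
    bins = Counter()
    for e in events:
        if e["EventID"] != 4625:
            continue
        ts = e["TimeGenerated"]
        bucket = ts - ((ts - datetime.min) % window)   # floor to the bin start, as bin() does
        bins[(bucket, e["Account"], e["Computer"])] += 1
    hits = [(b, acct, comp, n) for (b, acct, comp), n in bins.items() if n > threshold]
    return sorted(hits, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    print("whole range:", failed_logon_counts(SAMPLE_EVENTS))
    print("5-minute bins:", failed_logon_counts_windowed(SAMPLE_EVENTS))
```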
"KQL proficiency separates average AZ-500 candidates from those who score 800+. The exam includes scenario questions about which KQL queries would detect specific attack patterns. Practice with KQL at least 15-20 hours before your exam." -- Microsoft Sentinel community guidance
Microsoft Defender for Endpoint Integration
Security engineers configure Microsoft Defender for Endpoint (MDE) integration with Defender for Cloud and Sentinel to:
- Extend endpoint threat detection to Azure VMs and Arc-enabled servers
- Correlate endpoint alerts with cloud resource alerts in Sentinel
- Automate response actions (isolate machine, collect investigation package) through Sentinel playbooks
Frequently Asked Questions
How difficult is the AZ-500 compared to AZ-104?
AZ-500 is considered more difficult than AZ-104 by most candidates. AZ-500 requires understanding security-specific services like Microsoft Sentinel, Defender for Cloud, PIM, and Identity Protection that are not covered in AZ-104. It also expects hands-on experience with security configurations, not just infrastructure administration. Most security professionals recommend having 1-2 years of Azure experience before attempting AZ-500.
Is there a lab component in AZ-500?
The AZ-500 exam may include a lab section where you perform tasks in a live Azure environment. Lab tasks have appeared in recent exam versions and typically involve configuring security services. Practice with the actual Azure portal, not just conceptual study, is essential for this component.
What is the best study order for Azure security certifications?
The recommended path is: AZ-900 (fundamentals) > AZ-104 (administrator) > AZ-500 (security engineer). Some candidates also pursue SC-200 (Microsoft Security Operations Analyst) alongside AZ-500 for a complementary security specialization. The AZ-500 and SC-200 share overlapping content in Microsoft Sentinel and Defender products.
References
- Microsoft. (2025). Exam AZ-500: Microsoft Azure Security Technologies. https://learn.microsoft.com/en-us/credentials/certifications/exams/az-500/
- Microsoft. (2025). Microsoft Defender for Cloud Documentation. https://learn.microsoft.com/en-us/azure/defender-for-cloud/
- Microsoft. (2025). Microsoft Sentinel Documentation. https://learn.microsoft.com/en-us/azure/sentinel/
- Janetscheck, T. (2024). Microsoft Azure Security Technologies Study Guide. Sybex/Wiley.
- MITRE ATT&CK. (2025). Cloud Matrix. https://attack.mitre.org/matrices/enterprise/cloud/
- Cloud Security Alliance. (2024). Cloud Controls Matrix v4. https://cloudsecurityalliance.org/research/cloud-controls-matrix/
