Microsoft Certified: Azure Security Engineer Associate (AZ-500)
Demonstrate the skills needed to implement security controls, maintain an organization's security posture, and identify and remediate security vulnerabilities. Validates expertise in implementing, managing, and monitoring security for resources in Azure, multi-cloud, and hybrid environments using Microsoft Defender for Cloud and other tools.
What the Microsoft Certified: Azure Security Engineer Associate (AZ-500) exam covers
Domains and their approximate weight on the exam.
Secure identity and access
18%Manage security controls for identity and access including managing Azure built-in role assignments, managing custom roles (Azure roles and Microsoft Entra roles), planning and managing Azure resources in Microsoft Entra Privileged Identity Management (settings and assignments), implementing multi-factor authentication (MFA) for access to Azure resources, and implementing Conditional Access policies for cloud resources in Azure. Manage Microsoft Entra application access and managed identities including managing access to enterprise applications in Microsoft Entra ID (OAuth permission grants), managing Microsoft Entra app registrations, configuring app registration permission scopes, managing app registration permission consent, managing and using service principals, and managing managed identities.
Secure networking
23%Plan and implement security for virtual networks including planning and implementing Network Security Groups (NSGs) and Application Security Groups (ASGs), managing virtual networks using Azure Virtual Network Manager, planning and implementing user-defined routes (UDRs), planning and implementing Virtual Network peering or VPN gateway, planning and implementing Virtual WAN (including secured virtual hub), securing VPN connectivity (point-to-site and site-to-site), implementing encryption over ExpressRoute, configuring firewall settings on Azure resources, and monitoring network security using Network Watcher. Plan and implement security for private access to Azure resources including planning and implementing virtual network Service Endpoints, planning and implementing Private Endpoints, planning and implementing Private Link services, planning and implementing network integration for Azure App Service and Azure Functions, planning and implementing network security configurations for App Service Environment (ASE), and planning and implementing network security configurations for Azure SQL Managed Instance. Plan and implement security for public access to Azure resources including planning and implementing Transport Layer Security (TLS) to applications (Azure App Service and API Management), planning, implementing, and managing Azure Firewall (including Azure Firewall Manager and firewall policies), planning and implementing Azure Application Gateway, planning and implementing Azure Front Door (including Content Delivery Network/CDN), planning and implementing Web Application Firewall (WAF), and recommending when to use Azure DDoS Protection Standard.
Secure compute, storage, and databases
24%Plan and implement advanced security for compute including planning and implementing remote access to virtual machines (Azure Bastion and just-in-time/JIT VM access), configuring network isolation for Azure Kubernetes Service (AKS), securing and monitoring AKS, configuring authentication for AKS, configuring security monitoring for Azure Container Instances (ACIs), configuring security monitoring for Azure Container Apps (ACAs), managing access to Azure Container Registry (ACR), configuring disk encryption (Azure Disk Encryption/ADE, encryption at host, confidential disk encryption), and recommending security configurations for Azure API Management. Plan and implement security for storage including configuring access control for storage accounts, managing storage account access keys, selecting and configuring appropriate methods for access to Azure Files, selecting and configuring appropriate methods for access to Azure Blob Storage, selecting and configuring appropriate methods for protecting against data security threats (soft delete, backups, versioning, immutable storage), configuring Bring your own key (BYOK), and enabling double encryption at the Azure Storage infrastructure level. Plan and implement security for Azure SQL Database and Azure SQL Managed Instance including enabling Microsoft Entra database authentication, enabling database auditing, planning and implementing dynamic masking, implementing Transparent Data Encryption (TDE), and recommending when to use Azure SQL Database Always Encrypted.
Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel
35%Implement and manage enforcement of cloud governance policies including creating, assigning, and interpreting policies and initiatives in Azure Policy, configuring Azure Key Vault network settings, configuring access to Key Vault (vault access policies and Azure Role Based Access Control), managing certificates, secrets, and keys, configuring key rotation, performing backup and recovery of certificates, secrets, and keys, implementing security controls to protect backups, and implementing security controls for asset management. Manage security posture by using Microsoft Defender for Cloud including identifying and remediating security risks using Microsoft Defender for Cloud Secure Score and Inventory, assessing compliance against security frameworks using Microsoft Defender for Cloud, managing compliance standards in Microsoft Defender for Cloud, adding custom standards to Microsoft Defender for Cloud, connecting hybrid cloud and multi-cloud environments to Microsoft Defender for Cloud (AWS and GCP), and implementing and using Microsoft Defender External Attack Surface Management (EASM). Configure and manage threat protection by using Microsoft Defender for Cloud including enabling cloud workload protection plans in Microsoft Defender for Cloud, configuring Microsoft Defender for Servers, Microsoft Defender for Databases, and Microsoft Defender for Storage, implementing and managing agentless scanning for virtual machines in Microsoft Defender for Servers, implementing and managing Microsoft Defender Vulnerability Management for Azure virtual machines, and connecting to and configuring settings in Microsoft Defender for Cloud DevOps Security (GitHub, Azure DevOps, GitLab). Configure and manage security monitoring and automation solutions including managing and responding to security alerts in Microsoft Defender for Cloud, configuring workflow automation using Microsoft Defender for Cloud, monitoring network security events and performance data by configuring data collection rules (DCRs) in Azure Monitor, configuring data connectors in Microsoft Sentinel, enabling analytics rules in Microsoft Sentinel, and configuring automation in Microsoft Sentinel.
How CertSim helps you pass
Realistic questions
Scenario-based questions aligned to the official Microsoft Certified: Azure Security Engineer Associate (AZ-500) objectives.
AI explanations
Understand why each answer is right or wrong, with deep-dive explanations.
Readiness analytics
Track your score by domain and know when you are ready for exam day.
Start preparing for Microsoft Certified: Azure Security Engineer Associate (AZ-500) today
Free to start. Practice realistic questions and track your readiness.
Start free