Preparation Guide for AZ-500: Microsoft Azure Security Technologies

After doing AZ-104, I started AZ-500. I was able to pass in my first attempt. I’m sharing with you all my preparation journey in this blog.

Candidates for this exam should have subject matter expertise implementing security controls and threat protection, managing identity and access, and protecting data, applications, and networks.

Responsibilities for an Azure Security Engineer include maintaining the security posture, identifying and remediating vulnerabilities by using a variety of security tools, implementing threat protection, and responding to security incident escalations.

Azure Security Engineers often serve as part of a larger team dedicated to cloud-based management and security and may also secure hybrid environments as part of an end-to-end infrastructure.

If your job role is to manage security for Azure, then you can take the AZ-500: Microsoft Azure Security Technologies which makes you a certified Azure Security Engineer Associate.

However, the AZ-500 exam is not equivalent to expert-level certification in Azure. There is no pre-requisite for taking AZ-500 but in my opinion, take AZ-900 at a bare minimum. It will prepare you with what format of questions you can expect. 

I got around 50 Exam questions in total: 1 case study and the rest were MCQ questions. I did not get any labs. 

What does AZ-500 expects from you?

AZ-500 Azure Security Engineer Exam expects you to know how to implement security controls, maintain the security posture, manages identity and access, and protect data, applications, and networks. If you do not want to spend too much money on this cert, check out the following free content that really helped me understand the concepts as opposed to only reading.

AZ-500 Exam Details

• Number of questions in AZ-500 : 40-60
• You will have 150 minutes to complete the AZ-500 exam. In order to pass this exam, you will need:
• A minimum score of 70 percent on the overall exam
• A minimum score of 35 percent on each exam domain
• AZ-500 certification will cost you $165 USD including the additional taxes.
• Exam will contain one or more case study with multiple questions including multiple choices and drag-and-drop items.
• Question types include:
  1. Single-choice questions which may not be skipped or reviewed. You only get to answer these questions ONCE.
  2. Single-choice questions (True/False or Yes/No)
  3. Multiple-choice questions
  4. Arrange in the correct sequence questions.

Resources for AZ-500 Certification Exam 

1. Microsoft official link
2. Free Pluralsight – You can register and start for free.
3. I got a free offer for LinkedIn learning but IMO, it isn’t as effective as Pluralsight. You can create another account if you don’t want to pay.
4. Good old Youtube videos from John Savill.
5. Check out Practice Exams here.

Practice Exams on AZ-500 from ReviewNPrep for just $7.5 Click here.

Important Pointers for AZ-500 Certification Exam 

1. Manage your time well. If you do not know the answer, move on. There are some questions that you cannot revisit again. These are the ones where you have to suggest an implementation technique. 

2. I used the process of elimination for the ones I wasn’t sure of. In essence, remove the options you know for sure are wrong and then go with your gut feeling on the remaining left options. 

3. You don’t have to go through all of the links provided in this study guide but highly recommended if you want to prepare to be a better security engineer. 

4. If you go through the exam contents, you’d find that most common keyword used is “configure”. This means the bare minimum expectation is that you know how to do it in the portal. There is nothing that beats hands-on. So, get your hands dirty in the Azure portal. 

5. Few areas from which I got questions were NSG’s, Tags, conditional Policies, PIM, Azure monitor, alerts, resource locks, AD groups, MFA, Azure Bastion, SAS, KeyVault. There were a number of questions that required understanding of policies, lifecycles, access control, and more relating to Key Vault.

6. Many questions do not test you on one thing alone. It’s almost a combination of few services taken together. Example Azure Storage with RBAC.

NOTE: The content of this exam was updated on September 29, 2021.

You may find the below links all over the internet, but this is my guide reading from MS documentation and hunting for links from other blogs and websites. I started with this in parallel with the official Microsoft training mentioned above. 

Manage Identity and Access (30-35%)

Manage Azure Active Directory identities

• Create and manage a managed identity for Azure resources
• Manage Azure AD groups
• Manage Azure AD users
• Add or delete users using Azure Active Directory
• Assign or remove licenses in the Azure Active Directory portal
• Manage external identities by using Azure AD
• Manage administrative units

Manage secure access by using Azure AD

• Configure Azure AD Privileged Identity Management (PIM)
• Implement Conditional Access policies including Multi-Factor Authentication (MFA)
  • Conditional Access
  • Configure Azure Multi-Factor Authentication settings
  • Manage user settings for Azure Multi-Factor Authentication
  • Change your two-factor verification method and settings
  • Plan a Conditional Access deployment
  • Best practices
• Impliment Azure AD Identity Protection
  • What is Azure Active Directory Identity Protection?
  • How To: Configure the Azure Multi-Factor Authentication registration policy
• Implement passwordless authentication
• Configure access reviews

Manage application access

• Integrate single sign-on (SSO) and multiple identity providers for authentication
• Create App Registration
  • How to: Use the portal to create an Azure AD application and service principal that can access resources
  • Quickstart: Register an application with the Microsoft identity platform
• Configure app registration permission scopes
• Configure App Registration permission scopes
• Manage App Registration permission consent
• Manage API permission to Azure subscriptions and resources
  • Authentication flows and application scenarios
  • Add or remove Azure role assignments using the REST API
• Configure an authentication method for a service principal

Manage access control

• Configure Azure role permissions for management groups, subscriptions, resource groups, and resources
• Interpret role and resource permissions
• Assign built-in Azure AD roles
• Interpret role and resource permissions
• Create and assign custom roles, including Azure roles and Azure AD roles

Implement Platform Protection (15-20%)

Implement advanced network security

• Secure the connectivity of hybrid networks
  • What is VPN Gateway?
  • Configure Azure Active Directory authentication for User VPN
  • What is Azure ExpressRoute?
  • ExpressRoute encryption
• Secure the connectivity of virtual network
  • Create, change, or delete a network security group
  • Application security groups
• create and configure Azure Firewall Manager
  • What is Azure Firewall?
  • Tutorial: Deploy and configure Azure Firewall using the Azure portal
• implement Azure Firewall Manager
  • What is Azure Firewall Manager?
  • Tutorial: Secure your virtual hub using Azure Firewall Manager
• Create and configure Azure Application Gateway
  • What is Azure Front Door?
  • Quickstart: Create a Front Door for a highly available global web application
• Create and configure Azure Front Door
• Create and configure a Web Application Firewall (WAF)
• Configure a resource firewall, including storage account, Azure SQL, Azure Key Vault, or Azure App Service
• Configure network isolation for Web Apps and Azure Functions
• Implement Azure Service Endpoints
  • Virtual Network service endpoints
• Implement Azure Private Endpoints, including integrating with other services
• Implement Azure Private Links
• Implement DDoS protection
  • Azure DDoS Protection Standard overview

Configure advanced security for compute

• Configure Azure Endpoint protection for virtual machines (VMs)
  • Microsoft Anti malware for Azure Cloud Services and Virtual Machines
  • Azure Virtual Machines security overview
• Implement and manage security updates for VMs
  • Update Management overview
  • Manage updates and patches for your Azure VMs
• Configure security for container services
  • Container security in Security Center
  • Security considerations for Azure Container Instances
  • Security concepts for applications and clusters in Azure Kubernetes Service (AKS)
• Manage access to Azure Container Registry
• Configure security for serverless compute
• Configure security for an Azure App Service
• Configure encryption at rest
• Configure encryption in transit

Manage Security Operations (25-30%)

Configure centralized policy management

• Configure a custom security policy
• Create a policy initiative
• Configure security settings and auditing by using Azure Policy

Configure and manage threat protection

• Configure Azure Defender for Servers (not including Microsoft Defender for Endpoint)
• Evaluate vulnerability scans from Azure Defender
  • Integrated vulnerability scanner for virtual machines (Standard tier only)
  • Vulnerability assessments for your Azure Virtual Machines
• Configure Azure Defender for SQL
• Use the Microsoft Threat Modeling Tool

Configure and manage security monitoring solutions

• Create and customize alerts rules by using Azure Monitor
  • Tutorial: Detect threats out-of-the-box
  • What is Azure Sentinel? 
  • Tutorial: Set up automated threat responses in Azure Sentinel
• Configure diagnostic logging and log retention by using Azure Monitor
• Monitor security logs by using Azure Monitor
• Create and customize alert rules in Azure Sentinel
• Configure connectors in Azure Sentinel
• Evaluate alerts and incidents in Azure Sentinel
  • Tutorial: Visualize and monitor your data
  • Tutorial: Investigate incidents with Azure Sentinel

Secure Data and Applications (25-30%)

Configure security for storage

• Configure access control for storage accounts
  • Authorizing access to data in Azure Storage
  • Authorize access to blobs and queues using Azure Active Directory
• Configure storage accounts access keys
• Configure Azure AD authentication for Azure Storage and Azure files
• Configure delegated access

Configure security for data

• Enable database authentication by using Azure AD
  • Tutorial: Secure Azure SQL Database connection from App Service using a managed identity
  • Configure and manage Azure Active Directory authentication with SQL
  • Use Azure Active Directory Authentication for authentication with SQL
• Enable database auditing
• Configure dynamic masking on SQL workloads
• Implement database encryption for Azure SQL Database
  • Transparent data encryption for SQL Database and Azure Synapse
  • An overview of Azure SQL Database security capabilities
  • Azure encryption overview
  • An overview of Azure SQL Database security capabilities
• Implement network isolation for data solutions, including Azure Synapse Analytics and Azure Cosmos DB

Configure and manage Azure Key Vault

• Create and configure Key Vault
• Configure access to Key Vault
  • About Azure Key Vault
  • Secure access to a key vault
  • Provide Key Vault authentication with a managed identity
  • Provide Key Vault authentication with an access control policy
• Manage certificates , secrets, and keys
• Configure key rotation
  • Set up Azure Key Vault with key rotation and auditing
  • Tutorial: Configure certificate auto-rotation in Key Vault
• Configure backup and recovery of certificates, secrets, and keys

Good Luck with your exams.

Author: Ralph Bryant loves working on Azure and helping others succeed in their career. You can connect with him on LinkedIn.

ReviewNPrep is a community-based website. Follow us on LinkedIn to stay in touch with the certification community.

Need help from the community in preparation. Join our Forums.

Check out AZ-500 Certification Practice Exams on ReviewNPrep Marketplace.