In September 2019 I took the AZ-500 exam, and passed. The Microsoft Exam AZ-500: Microsoft Azure Security Technologies, which if you pass, leads to the Microsoft Certification Azure Security Engineer Associate.
Update September 24th 2020:
Microsoft have updated the exam. There are a few changes from the previous skills measured. You'll find them all below, with links to resources where you can learn more.
I originally wrote this post in September 2019. It has been updated in October 2020 to reflect the latest changes in the exam.
I'm not going to lie - it was a challenging exam.
Who is this exam for?
- You're an SME (Subject Matter Expert) in implementing security controls, threat protection, managing identity and access, protecting data, applications and networks in cloud and hybrid environments.
- You're interested in your organization's and customers' security posture.
- You are familiar with scripting, automation and understands networking and virtualization. Specifically in cloud environments.
- A rigid understanding about Azure products and services, and other major Microsoft tech.
Top job titles where the AZ-500 is relevant:
- Software Engineer
- DevOps Engineer
- Data Engineer
- Cloud Engineer
- Cloud Security Engineer
- Manager in Information Security
Expectations vs Reality
I had some expectations beforehand that this would be tough. Coming from a dev background, and having a strong emphasis on security in both code and operations I considered myself fairly aware of security topics in Azure - but this exam touches on a lot of things I didn't put as much effort into in the past, and made me aware of gaps in my knowledge that I'm now taking time to fill.
A few topics I would have given more thought before the exam, should I do it again, are:
- VNet connectivity and security, subnets, Site-to-Site VPN. Networking and network security in general, and specifically in Azure with regards to VMs.
- Dive deeper into Policies in Azure.
- Dive deeper into the general practices and capabilities of Firewalls in Azure.
Taking an exam Online
I took my exam from the convenience of my own home, while being constantly monitored online by a remote proctor. This is a convenient way to get exams done, but requires you to prepare your office/room a bit to meet the rigid requirements from Microsoft. If you decide to take an exam from home, please ensure you meet the requirements.
Update 2020: With the COVID-19 pandemic, the norm today is to take the exams at your home/online, and there's great guidance from Microsoft how to make this a successful experience.
There's four main pillars measured in the exam.
With the September 2020 update, the weight of each pillar has shifted. The below percentages are the updated weight.
The links will help you better ramp up for your exam. My recommendation is to open each link, review if you already know and are familiar with it or not, then save the links you need to brush up on. When you have created your links, it's easier to create a study plan to push through.
I always recommend using the official Microsoft Docs documentation for the exam preparations, as it always contains updated material.
Manage identity and access (30-35%)
Manage Azure Active Directory identities
- Configure security for service principals
- Manage Azure AD directory groups
- Manage Azure AD users
- Configure password writeback
- Configure authentication methods including password hash and Pass-Through Authentication (PTA), OAuth, and passwordless
- Transfer Azure subscriptions between Azure AD tenants
Configure secure access by using Azure AD
- Monitor privileged access for Azure AD Privileged Identity Management (PIM)
- Configure Access Reviews
- Activate and configure PIM
- Implement Conditional Access policies including Multi-Factor Authentication (MFA)
- Configure Azure AD identity protection (additional tip: How To: Configure the Azure MFA Authentication registration policy)
Manage application access
- Create App Registration
- Configure App Registration permission scopes
- Manage App Registration permission consent
- Manage API access to Azure subscriptions and resources
Manage access control
- Configure subscription and resource permissions (and: Add or change Azure subscription administrators)
- Configure resource group permissions
- Configure custom RBAC roles
- Identify the appropriate role
- Apply principle of least privilege
- Interpret permissions
- Check access
Implement platform protection (15-20%)
Implement advanced network security
- Secure the connectivity of virtual networks (VPN authentication, Express Route encryption)
- Configure Network Security Groups (NSGs) and Application Security Groups (ASGs)
- Create and configure Azure Firewall
- Configure Azure Front Door service as an Application Gateway
- Configure a Web Application Firewall (WAF) on Azure Application Gateway
- Configure Azure Bastion
- Configure a firewall on a storage account, Azure SQL, KeyVault, or App Service
- Implement Service Endpoints
- Implement DDoS protection
Configure advanced security for compute
- Configure endpoint protection
- Configure and monitor system updates for VMs
- Configure authentication for Azure Container Registry
- Configure security for different types of containers
- Implement vulnerability management
- Configure isolation for AKS
- Configure security for container registry
- Implement Azure Disk Encryption
- Configure authentication and security for Azure App Service
- Configure SSL/TLS certs
- Configure authentication for Azure Kubernetes Service
- Configure automatic updates
Manage security operations (25-30%)
Monitor security by using Azure Monitor
- Create and customize alerts
- Monitor security logs by using Azure Monitor
- Configure diagnostic logging and log retention
Monitor security by using Azure Security Center
- Evaluate vulnerability scans from Azure Security Center
- Configure Just in Time VM access by using Azure Security Center
- Configure centralized policy management by using Azure Security Center
- Configure compliance policies and evaluate for compliance by using Azure Security Center
Monitor security by using Azure Sentinel
- Create and customize alerts
- Configure data sources to Azure Sentinel
- Evaluate results from Azure Sentinel
- Configure workflow automation by using Azure Sentinel
Configure security policies
- Configure security settings by using Azure Policy
- Configure security settings by using Azure Blueprint
- Configure a playbook by using Azure Sentinel
Secure data and applications (20-25%)
Configure security for storage
- Configure access control for storage accounts
- Configure key management for storage accounts
- Configure Azure AD authentication for Azure Storage
- Configure Azure AD Domain Services authentication for Azure Files
- Create and manage Shared Access Signatures (SAS)
- Create a shared access policy for a blob or blob container
- Configure Storage Service Encryption
Configure security for databases
- Enable database authentication
- Enable database auditing
- Configure Azure SQL Database Advanced Threat Protection
- Implement database encryption
- Implement Azure SQL Database Always Encrypted (Configure using SQL Server Management Studio, or PowerShell)
Configure and manage Key Vault
- Manage access to Key Vault
- Manage permissions to secrets, certificates, and keys
- Configure RBAC usage in Azure Key Vault
- Manage certificates
- Manage secrets
- Configure key rotation
- Backup and restore of Key Vault items
Free AZ-500 training from Microsoft
Microsoft does a great job in providing free online material to prepare. Here are the relevant parts from Microsoft Learn. On-demand, at your fingertips.
- Manage Security Operations (Microsoft Learn)
- Manage Identity and Access (Microsoft Learn)
- Implement virtual machine host security in Azure (Microsoft Learn)
- Implement network security in Azure (Microsoft Learn)
- Implement resource management security in Azure (Microsoft Learn)
- Secure your cloud applications in Azure (Microsoft Learn)
More information about the skills measured from Microsoft (without links), and more information about taking certifications online can be found here: