2026 Exam Guide
Microsoft Azure Security Engineer Associate Study Guide
Current exam coverage, candidate guidance, important topics, and practical preparation advice for the AZ-500 exam.
What Is Microsoft AZ-500?
Microsoft Azure Security Engineer Associate is earned by passing AZ-500. The exam validates practical implementation of security controls across Azure identity, networking, compute, storage, databases, Microsoft Defender for Cloud, and Microsoft Sentinel. Candidates must secure real Azure resources and troubleshoot security configurations rather than only explain security concepts.
The current skills outline, effective January 22, 2026, covers secure identity and access; secure networking; secure compute, storage, and databases; and securing Azure by using Defender for Cloud and Sentinel. Microsoft has announced that the certification and exam retire on August 31, 2026, so candidates should verify scheduling and replacement guidance before purchasing an exam voucher.
Core topics include Entra roles, Azure RBAC, PIM, Conditional Access, workload identities, network security groups, Azure Firewall, WAF, Private Link, Key Vault, storage security, AKS, database protection, Azure Policy, Defender plans, regulatory compliance, analytics rules, automation, and incident response. Microsoft uses a scaled passing score of 700.
Who Should Take This Exam?
AZ-500 is intended for Azure security engineers, cloud security administrators, infrastructure engineers, and security operations professionals responsible for implementing controls in Azure. Candidates should have practical Azure administration experience and strong familiarity with identity, networking, compute, storage, logging, automation, and security operations.
Because retirement is scheduled for August 31, 2026, the certification is most relevant to candidates who can complete preparation and testing before that date or whose organization specifically requires AZ-500. Hands-on work with private endpoints, PIM, managed identities, Azure Firewall, Key Vault, Defender for Cloud, Policy, and Sentinel is essential.
Exam Domains
Secure Identity and Access
15-20%: Entra identities, authentication, authorization, PIM, RBAC, workload identities, and governance.
Secure Networking
20-25%: Segmentation, private access, NSGs, Firewall, WAF, routing, and connectivity security.
Secure Compute, Storage, and Databases
20-25%: VMs, containers, AKS, storage, Key Vault, encryption, and database security.
Secure Azure Using Defender for Cloud and Sentinel
30-35%: Posture, workload protection, policy, compliance, detection, automation, and response.
Common Topics Covered
- Microsoft Entra and Azure RBAC
- PIM and Conditional Access
- Managed identities and federation
- NSGs, Azure Firewall, and WAF
- Private Link and private DNS
- Key Vault and encryption
- Storage and database security
- AKS and compute hardening
- Defender for Cloud
- Microsoft Sentinel automation
Study Tips
Build a hub-and-spoke lab with NSGs, user-defined routes, Azure Firewall, private endpoints, and private DNS. Configure Entra roles, Azure RBAC, PIM, managed identities, Conditional Access, Key Vault access, and storage network restrictions. Verify traffic and authorization instead of assuming a configuration works.
Use Defender for Cloud recommendations and Policy initiatives to understand the relationship between posture detection and enforcement. Build Sentinel analytics and automation rules, then test a Logic Apps response workflow. Pay attention to control scope: tenant, management group, subscription, resource group, resource, data plane, and management plane permissions differ.
Practice Questions Overview
Certoga's AZ-500 bank contains current implementation scenarios involving PIM, private endpoints, hub-and-spoke inspection, workload federation, storage restrictions, Defender for Cloud, Azure Policy, and Sentinel playbooks. The bank targets the active exam outline before its August 31, 2026 retirement.