Microsoft Azure · Advanced · ~40h · Free

Azure Security Engineer
AZ-500 Complete Course

Master every AZ-500 domain: identity and access management with Conditional Access and PIM, secure networking with Azure Firewall and DDoS Protection, storage and database security with Key Vault and SQL Advanced Threat Protection, and security operations with Defender for Cloud and Microsoft Sentinel. 60 practice questions, no signup required.

AZ-500 · 7 modules · ~40h study · 60 practice questions · advanced
Exam fact: Details
Exam code: AZ-500
Full name: Microsoft Azure Security Engineer Associate
Questions: 40–60 (mix of MCQ, case studies, drag-and-drop)
Passing score: 700 / 1000
Duration: 120 minutes
Price: $165 USD
Prerequisites: AZ-104 recommended, 1+ year hands-on Azure security experience
Renewal: Free annual online assessment (no re-exam required)

Exam domain weights

Domain 1 — Manage Identity and Access: 25–30%
Domain 2 — Secure Networking: 20–25%
Domain 3 — Secure Compute, Storage & Databases: 20–25%
Domain 4 — Manage Security Operations: 25–30%

Course modules

Module 1
Identity and Access — Microsoft Entra ID Foundations

Understand the identity layer that underpins every AZ-500 domain. Learn the difference between Microsoft Entra ID Free, P1, and P2, and when each feature unlocks. Covers hybrid identity with Entra Connect, cloud-only accounts, guest (B2B) vs consumer (B2C) identities, and the administrative units model.

Entra ID tiers (Free/P1/P2) · Entra Connect / PHS / PTA / Federation · B2B vs B2C identities · Administrative Units · Service principals vs managed identities

Module 2
Conditional Access, PIM, and RBAC

Master the access control triad that dominates the exam. Build Conditional Access policies that enforce MFA based on sign-in risk, location, and device compliance. Configure Privileged Identity Management (PIM) for just-in-time role activation with approval workflows and access reviews. Design RBAC with custom roles and least-privilege assignments at management group, subscription, resource group, and resource scope.

Conditional Access named locations + device filters · PIM eligible vs active assignments · PIM access reviews · Custom RBAC roles · Identity Protection — sign-in risk / user risk policies · Entitlement management

Module 3
Secure Networking — Azure Firewall, NSG, and DDoS

Protect Azure network perimeters and internal traffic flows. Compare Azure Firewall Standard vs Premium (IDPS, TLS inspection), configure Network Security Groups with service tags and Application Security Groups (ASG), and deploy DDoS Protection Standard with mitigation metrics. Understand when to use Azure Bastion vs JIT VM access, and when Private Endpoints are mandatory.

Azure Firewall Standard vs Premium · IDPS and TLS inspection (Premium) · NSG service tags + ASG · DDoS Protection Basic vs Standard · Azure Bastion · Private Endpoints vs Service Endpoints · WAF on App Gateway vs Front Door · Forced tunneling + UDR

Module 4
Azure Key Vault, Disk Encryption, and Storage Security

Secure secrets, keys, and certificates at rest and in transit. Configure Key Vault with soft-delete and purge protection, choose between RBAC and access policy models, and integrate customer-managed keys (CMK) with Storage and SQL. Compare Azure Disk Encryption (ADE using BitLocker/DM-Crypt) with SSE + CMK. Apply SAS tokens, storage account firewall rules, immutable storage, and private endpoint to blob and file shares.

Key Vault soft-delete + purge protection · Key Vault RBAC vs access policies · HSM-backed keys (Premium tier) · ADE vs SSE + CMK · SAS tokens (account / service / user delegation) · Immutable storage (WORM) · Storage account firewall + private endpoint

Module 5
SQL, Container, and VM Security

Extend security to compute and data workloads. Enable SQL Transparent Data Encryption (TDE), Dynamic Data Masking, Always Encrypted for column-level protection, and SQL Auditing with Log Analytics. Secure AKS clusters with Entra ID RBAC, pod-managed identity, Azure Policy, network policies, and image scanning via Microsoft Defender for Containers. Harden VMs with JIT access, endpoint protection assessments, and adaptive application controls.

SQL TDE + CMK · Dynamic Data Masking vs Always Encrypted · SQL Advanced Threat Protection + Vulnerability Assessment · AKS RBAC + pod-managed identity · JIT VM access · Adaptive application controls · Container registry security + image scanning

Module 6
Microsoft Defender for Cloud

Defender for Cloud is the exam's primary security operations tool. Understand the Secure Score model and how recommendations map to controls and regulatory standards. Enable workload protections: Defender for Servers (MDE integration, JIT, Qualys), Defender for Storage (malware scanning, sensitive data discovery), Defender for SQL, Defender for Containers, and Defender for App Service. Use regulatory compliance dashboards to track CIS, NIST 800-53, and PCI DSS posture.

Secure Score and security controls · JIT VM access via Defender · Defender for Servers (Plan 1 vs Plan 2) · Defender for Storage malware scanning · Defender for SQL on-prem + Azure · Regulatory compliance dashboards · Auto-provisioning settings

Module 7
Microsoft Sentinel — SIEM, SOAR, and KQL Analytics

Microsoft Sentinel is the cloud-native SIEM/SOAR that ties together all AZ-500 security signals. Connect data connectors (Azure Activity, Microsoft 365 Defender, CEF/Syslog), write scheduled and NRT analytics rules with KQL, manage incidents and alerts, and build SOAR playbooks with Logic Apps. Use threat hunting with bookmarks, entity behavior analytics (UEBA), and Workbooks for visualization. Understand workspace design: cost, data retention, and cross-workspace queries.

Data connectors (Azure AD, M365 Defender, CEF, Syslog) · KQL: summarize, extend, where, join · Scheduled vs NRT analytics rules · Incidents + alert grouping · SOAR playbooks (Logic Apps) · Threat hunting + bookmarks · UEBA entity pages · Workbooks + Dashboards

PIM vs Conditional Access — what's the difference?

Conditional Access controls how someone signs in (require MFA, compliant device). PIM controls what roles they can activate after signing in — it's the last mile of least-privilege for admin access. Both appear heavily on AZ-500.

Key Vault access policies vs RBAC — when to use which

Access policies are the legacy model — they work at the vault level, not per-key. RBAC is Microsoft's recommended model: assign Key Vault Secrets User or Key Vault Crypto Officer scoped to individual secrets. AZ-500 expects you to know both models and the tradeoffs.

Sentinel Secure Score ≠ Defender Secure Score

Defender for Cloud has its own Secure Score for resource posture. Sentinel has no Secure Score — it's a SIEM. Many candidates confuse the two. On exam day: Secure Score = Defender for Cloud; analytics rules + incidents = Sentinel.

6-week study plan

Week 1
Identity foundations + Conditional Access
Module 1 & 2. Set up a free Entra ID P2 trial. Create Conditional Access policies (MFA on sign-in risk). Enable Identity Protection and explore the risky users report. Build a PIM-eligible role assignment for a test user and walk through the activation flow.

Week 2
RBAC, managed identities, and access reviews
Create a custom RBAC role with minimum permissions. Assign system-assigned and user-assigned managed identities to a VM and a Function App. Run an Entra ID access review on a group. Complete 15 identity-domain quiz questions.

Week 3
Secure networking (Module 3)
Deploy Azure Firewall in a hub VNet. Create NSG rules using service tags. Enable DDoS Protection Standard on a VNet and review the mitigation metrics dashboard. Explore Private Endpoint for a Storage Account and verify DNS resolution. Practice 12 networking-domain questions.

Week 4
Key Vault, disk encryption, SQL, and containers (Modules 4–5)
Create a Key Vault in RBAC mode. Enable soft-delete and purge protection. Enable ADE on a Windows VM. Configure SQL Dynamic Data Masking and enable the Vulnerability Assessment scanner. Enable Defender for Containers and review image scanning results in ACR.

Week 5
Defender for Cloud + Sentinel (Modules 6–7)
Enable Defender for Cloud enhanced workload protections. Explore the Secure Score recommendations dashboard and fix 3 low-effort issues. In Sentinel: connect the Azure Activity connector, write a scheduled analytics rule in KQL, and build a simple playbook that posts to a Teams channel on new high-severity incidents.

Week 6
Full practice tests + weak-domain review
Take the full 60-question CertQuests AZ-500 quiz. Identify your weakest domain. Read the official Microsoft Learn exam study guide for any missed objectives. Take 2–3 timed mock exams from other providers. Review case study format questions (often 4–10 sub-questions per scenario).

⚠️ Top 4 AZ-500 exam mistakes

Ready to test your AZ-500 knowledge?

60 scenario-based practice questions — instant scoring, no signup. Your progress is saved locally.

Also on Spotify

Need deep-dives while commuting? The CertQuests podcast covers AZ-500 domains in audio format — perfect for reinforcing concepts on the go.

CertQuests is an independent study tool and is not affiliated with or endorsed by Microsoft. AZ-500 is a registered exam of Microsoft Corporation. All trademarks belong to their respective owners.