The Microsoft Certified: Azure Security Engineer Associate certification is Microsoft's main role-based security exam for engineers who secure Azure infrastructure, workloads, and operational visibility. AZ-500 is where Azure administration knowledge turns into applied cloud-security engineering: identity hardening, network protection, workload controls, posture management, and threat detection all converge here.
This exam is not a general cybersecurity test. Microsoft is testing whether you can implement and operate Azure-native security controls inside a real cloud environment. That means your preparation should stay grounded in Entra ID, network security, data protection, workload hardening, Defender for Cloud, Sentinel, and the operational decisions that connect those services together.
As of May 28, 2026, Microsoft marks this certification and exam as active but also states that Azure Security Engineer Associate and AZ-500 retire on August 31, 2026. If you are pursuing it now, prepare against the current outline and move with urgency.
Exam At a Glance
| Attribute | Value |
|---|---|
| Certification | Microsoft Certified: Azure Security Engineer Associate |
| Exam code | AZ-500 |
| Level | Intermediate / Associate |
| Duration | 100 minutes |
| Cost | $165 USD |
| Renewal | Every 12 months while active |
| Status note | Microsoft states the certification, exam, and renewal assessments retire on 2026-08-31 |
| Prerequisites | No formal prerequisite, but Microsoft expects practical Azure administration experience plus strong familiarity with Microsoft Entra ID, compute, network, and storage |
| Target candidate | Cloud security engineers and Azure professionals implementing security controls and monitoring posture across Azure, hybrid, and multi-cloud environments |
| Primary focus | Identity, networking, workload and data protection, Defender for Cloud, and Sentinel |
- Official certification page: Microsoft Certified: Azure Security Engineer Associate
- Official exam page: Exam AZ-500: Microsoft Azure Security Technologies
- Official study guide: AZ-500 study guide
- Official course: Secure cloud resources with Microsoft security technologies
- Official learning paths: Protect identity and access in Azure; Protect network infrastructure in Azure; Protect compute, storage, and databases; Strengthen security posture using Microsoft Defender for Cloud and Microsoft Sentinel
Official Assessed Areas
- Secure identity and access
- Secure networking
- Secure compute, storage, and databases
- Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel
Microsoft's current public exam page lists the active domains without inline percentage weighting. All four domains matter, and AZ-500 questions often combine more than one domain in the same scenario.
1. Secure Identity and Access
This domain is about controlling who can access Azure resources, how privileged roles are governed, and how identity becomes the foundation of cloud security.
- Microsoft Entra ID and hybrid identity security - You need to understand how Azure security depends on strong identity controls, not just network boundaries. Official resources: Protect identity and access in Azure, What is Microsoft Entra ID?.
- Conditional Access, MFA, and identity hardening - AZ-500 expects you to know how risk reduction happens through layered identity controls and policy enforcement. Official resources: Conditional Access overview, Identity and access learning path.
- RBAC, privileged access, and least privilege - Know how Azure scope works, when to use just-in-time privilege, and how role assignments affect attack surface. Official resources: Azure RBAC overview, Privileged Identity Management.
- Identity is the first security boundary - The exam often rewards the answer that strengthens authentication, authorization, and privilege governance before it adds more infrastructure controls. Official resource: AZ-500 course.
Exam tip: If the scenario mentions privileged operations, sign-in risk, admin access, or permission scope, start with identity controls before you think about network or workload settings.
2. Secure Networking
This domain covers the network controls that isolate workloads, restrict traffic, and reduce exposure across Azure environments.
- NSGs, ASGs, routing, and segmentation - Study how Azure uses layered networking controls to shape east-west and north-south traffic. Official resources: Protect network infrastructure in Azure, Network security groups overview.
- Azure Firewall, WAF, DDoS, and perimeter protection - Microsoft expects you to recognize which control belongs at which network layer and why. Official resources: Azure Firewall overview, Azure Web Application Firewall overview, Azure DDoS Protection overview.
- Private endpoints and data-plane isolation - Many AZ-500 questions hinge on whether a service should be reachable over public endpoints or kept private inside the virtual network model. Official resources: Azure Private Link overview, Networking learning path.
- Networking answers are about exposure reduction - The right choice is often the one that reduces reachable surface area or enforces traffic inspection cleanly. Official resource: AZ-500 course.
Exam tip: Classify the problem first: segmentation, traffic filtering, internet exposure, or private service access. That usually narrows the security control immediately.
3. Secure Compute, Storage, and Databases
This domain is where workload protection, encryption, and service-level security controls show up in practical engineering scenarios.
- Compute hardening and workload protection - Be ready for questions about protecting VMs, containers, and platform workloads through secure configuration and monitoring-aware choices. Official resources: Protect compute, storage, and databases; Azure Virtual Machines overview.
- Storage security and secure data access - Understand storage encryption, secure transfer, network restrictions, and identity-based access patterns. Official resources: Storage account overview, Azure Storage network security.
- Database and secrets protection - AZ-500 expects you to know the security role of Azure SQL protections, key management, and secret storage. Official resources: Azure Key Vault overview, Azure SQL security overview.
- Think in terms of protecting the workload lifecycle - The question is often less about one feature name and more about how to protect data, hosts, and dependent services coherently. Official resource: AZ-500 course.
Exam tip: If the prompt is about protecting data or workloads, ask yourself whether the real issue is identity, network exposure, encryption, secrets handling, or service hardening.
4. Secure Azure Using Microsoft Defender for Cloud and Microsoft Sentinel
This final domain tests whether you can improve posture, detect threats, and operationalize Azure security rather than only deploying preventive controls.
- Microsoft Defender for Cloud for posture and recommendations - Study how Defender for Cloud helps assess exposure, prioritize remediation, and align to benchmarks such as the Microsoft Cloud Security Benchmark. Official resources: Microsoft Defender for Cloud overview, Defender for Cloud and Sentinel learning path.
- Microsoft Sentinel for detection and response workflows - Understand the role of Sentinel in analytics, incidents, automation, and SOC-style workflows. Official resources: Microsoft Sentinel overview, Sentinel learning path.
- Security posture is continuous, not static - Microsoft wants you to think beyond one-time configuration and toward visibility, remediation, alerting, and operational follow-through. Official resources: Defender for Cloud overview, Sentinel overview.
- This domain ties the whole exam together - Identity, networking, workloads, and data all surface again here through posture and detection questions. Official resource: AZ-500 course.
Exam tip: When the question is about recommendations, alert correlation, incidents, or improving the overall security posture, think Defender for Cloud first and Sentinel where detection and investigation become central.
Recommended 5-Week Study Plan
| Week | Focus | Primary resources |
|---|---|---|
| 1 | Entra ID, Conditional Access, RBAC, PIM, access governance | Protect identity and access path, Entra ID overview, Conditional Access, RBAC, PIM |
| 2 | Network isolation, NSGs, Azure Firewall, WAF, DDoS, Private Link | Protect network infrastructure path, NSG overview, Azure Firewall, WAF, DDoS, Private Link |
| 3 | Compute, storage, databases, encryption, Key Vault, workload protection | Protect compute, storage, and databases path, storage security docs, Key Vault, Azure SQL security |
| 4 | Defender for Cloud, Sentinel, posture management, detections, remediation | Defender for Cloud and Sentinel path, Defender overview, Sentinel overview |
| 5 | Mixed scenario review, official study guide, practice assessment, exam readiness | AZ-500 study guide, Microsoft practice assessment, exam readiness videos |
Last-Mile Exam Strategy
- Study AZ-500 as a control-selection exam for Azure. The main job is choosing the right identity, network, workload, or posture control for the scenario.
- Use Microsoft Learn for structure, then reinforce each area with Azure product overview docs so the controls stay tied to real services.
- Do not isolate Defender for Cloud and Sentinel until the end. Microsoft uses them to connect preventive security with ongoing operations.
- Keep the retirement date in mind. If you are actively pursuing AZ-500, compress the study timeline and work from the live outline, not old community notes.
- Read questions for the core security boundary involved: identity, network, workload, data, or posture. That boundary usually determines the correct answer faster than memorizing feature names.
If you want exam-style reinforcement after the official docs, use our AZ-500 practice questions. If you need the Microsoft security vocabulary underneath this exam, pair it with our Security, Compliance, and Identity Fundamentals study guide. If you want the operational Azure base that supports this exam, our Azure Administrator Associate study guide is the best companion.
The fastest way to pass AZ-500 is to think like a cloud security engineer inside Azure: harden identity first, reduce exposure through networking, protect workloads and data with the right service-level controls, and use Defender for Cloud plus Sentinel to keep posture and detection operational. Stay current, stay close to Microsoft Learn, and keep the 2026 retirement timeline in view.