Microsoft Azure Security Technologies Study Guide 2026 (AZ-500)

The Microsoft Azure Security Technologies (AZ-500) certification validates your ability to implement and manage security across cloud infrastructure, identity systems, and compliance frameworks. Whether you're protecting sensitive data, configuring network isolation, or enforcing access controls, this exam tests your hands-on knowledge of Azure's security services. This comprehensive study guide breaks down all exam domains, identifies the key services and concepts you must master, and provides proven strategies to help you pass your certification exam with confidence.

Exam Overview and Structure

The AZ-500 exam is a performance-based certification that measures your ability to implement security solutions across Azure services. The exam contains 40-60 case study questions delivered in an interactive format where you must navigate realistic cloud environments and make security decisions. You have 150 minutes to complete the exam, and you'll need a score of 700 out of 1000 to pass.

The exam is organized into three main domains that reflect real-world responsibilities. Each domain tests both conceptual knowledge and practical application, meaning you need hands-on experience configuring Azure security features, not just theoretical understanding. The exam is updated regularly to reflect changes in Azure services, making current study materials essential for success in 2026.

Unlike multiple-choice exams, the AZ-500 uses case studies that simulate your actual job responsibilities. You'll be presented with scenarios describing security challenges, then asked to implement solutions using Azure portal navigation, PowerShell, and Azure CLI. This format requires you to understand not just what security controls exist, but how to deploy and configure them in realistic situations.


Domain 1: Manage Identity and Access (25-30%)

Overview

This domain focuses on implementing identity and access management solutions in Azure. You'll be tested on your ability to configure Azure AD (now called Microsoft Entra ID), manage user identities, implement multi-factor authentication, and control access to resources. Identity is foundational to security, so mastering this domain is critical for the exam and for protecting real Azure environments.

Key Topics and Services

Azure AD / Microsoft Entra ID

You must understand Azure AD as the identity platform for Azure resources. Key concepts include:

  • User and group management with role-based access control (RBAC)
  • Tenant structure and multi-tenancy scenarios
  • Azure AD administrative units for delegated management
  • Hybrid identity with Azure AD Connect and Azure AD Connect Cloud Sync
  • B2B and B2C identity scenarios

The exam expects you to configure Azure AD to support different organizational structures. You should be able to create users, manage groups, assign administrative roles, and understand how Azure AD Connect synchronizes on-premises identities with the cloud.

Multi-Factor Authentication (MFA) and Conditional Access

MFA is a critical security control tested extensively on the AZ-500. You need to know:

  • Azure MFA configuration methods (phone call, text message, mobile app, hardware token)
  • Self-service password reset (SSPR) integration with MFA
  • Conditional Access policies that enforce MFA based on risk, location, device state, and user attributes
  • Named locations and IP restrictions
  • Device compliance policies and device-based conditional access

Conditional Access is particularly important. You need to understand how to create policies that require MFA for high-risk sign-ins, block legacy authentication protocols, and enforce device compliance before granting access to sensitive applications.

Passwordless Authentication and Windows Hello

Microsoft is moving away from password-based authentication. The exam tests your knowledge of:

  • Windows Hello for Business deployment and configuration
  • FIDO2 security keys as passwordless options
  • Microsoft Authenticator app in passwordless mode
  • Hybrid scenarios where on-premises systems use passwordless authentication

Passwordless authentication reduces attack surface by eliminating passwords entirely. You should understand the benefits of each approach and when to recommend them for different user scenarios.

Privileged Identity Management (PIM)

PIM extends RBAC by adding just-in-time access and approval workflows for sensitive roles. Key concepts include:

  • Eligible vs. active role assignments
  • Time-limited activations with MFA requirements
  • Approval workflows for sensitive role activation
  • PIM reviews to ensure users still need access
  • Alerts for suspicious role activation patterns

The exam tests your ability to configure PIM policies that balance security with operational efficiency, ensuring only authorized users can activate privileged roles temporarily.

Role-Based Access Control (RBAC)

RBAC is the foundation of access control in Azure. You must understand:

  • Built-in roles (Owner, Contributor, Reader, and specialized roles)
  • Custom role creation and permission assignments
  • Scope hierarchy (subscription, resource group, resource level)
  • Service principals and managed identities for application access
  • Access reviews and removal of unnecessary permissions

The exam expects you to assign the least-privilege permissions appropriate for each user or application. You should know when to use Owner, Contributor, or Reader roles, and when to create custom roles with specific permissions.
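The scope hierarchy and least-privilege points above can be checked mechanically. The following is an added example, not code from this guide or from Microsoft: a simplified model of how role assignments inherit down the scope hierarchy and how NotActions subtracts from a single role without acting as a deny. The subscription ID, principals, resource names and the "VM Operator" custom role are constructed, Contributor's NotActions list is abridged, and management groups and deny assignments are not modelled.

```python
from fnmatch import fnmatchcase

# Reader and User Access Administrator follow the documented built-in roles.
# Contributor's NotActions are abridged. "VM Operator" is a constructed custom role.
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "not_actions": [],
    },
    "VM Operator": {
        "actions": [
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Compute/virtualMachines/start/action",
            "Microsoft.Compute/virtualMachines/restart/action",
        ],
        "not_actions": [],
    },
}

# Constructed scopes: subscription > resource group > resource.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_APP = SUB + "/resourceGroups/rg-app"
RG_DATA = SUB + "/resourceGroups/rg-data"
VM_APP = RG_APP + "/providers/Microsoft.Compute/virtualMachines/vm-web01"
VM_DATA = RG_DATA + "/providers/Microsoft.Compute/virtualMachines/vm-sql01"

# Constructed role assignments.
ASSIGNMENTS = [
    {"principal": "alice", "role": "Reader", "scope": SUB},
    {"principal": "alice", "role": "VM Operator", "scope": RG_APP},
    {"principal": "bob", "role": "Contributor", "scope": RG_APP},
]


def role_allows(role, action):
    """A role grants an action if it matches Actions and no NotActions pattern."""
    a = action.lower()  # action names are compared case-insensitively
    allowed = any(fnmatchcase(a, p.lower()) for p in role["actions"])
    excluded = any(fnmatchcase(a, p.lower()) for p in role["not_actions"])
    return allowed and not excluded


def scope_covers(assigned_scope, target_scope):
    """An assignment applies at its own scope and at every child scope."""
    a = assigned_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    # The "/" guard stops rg-app from covering rg-app2.
    return t == a or t.startswith(a + "/")


def granting_assignments(assignments, principal, action, target_scope):
    """Return (role, scope) pairs that grant the action; empty means no access."""
    return [
        (a["role"], a["scope"])
        for a in assignments
        if a["principal"] == principal
        and scope_covers(a["scope"], target_scope)
        and role_allows(ROLES[a["role"]], action)
    ]


def is_allowed(assignments, principal, action, target_scope):
    # Effective access is the union of all applicable assignments.
    return bool(granting_assignments(assignments, principal, action, target_scope))


if __name__ == "__main__":
    restart = "Microsoft.Compute/virtualMachines/restart/action"
    print("alice restart vm-web01:", is_allowed(ASSIGNMENTS, "alice", restart, VM_APP))
    print("alice restart vm-sql01:", is_allowed(ASSIGNMENTS, "alice", restart, VM_DATA))
```

Because access is the union of assignments, adding User Access Administrator for bob at rg-app lets him write role assignments even though Contributor's NotActions excludes that action.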

Study Strategy for Domain 1

Start by understanding Azure AD's role in Azure security. Create a test Azure subscription and configure users, groups, and RBAC assignments. Practice creating and testing Conditional Access policies with different scenarios. Then move to more advanced topics like PIM and passwordless authentication.

Use hands-on labs to configure MFA for test accounts and watch how Conditional Access policies are evaluated. Understand the flow of authentication requests and how Azure AD evaluates policy conditions. Focus on real-world scenarios: how would you enforce MFA for remote workers? How would you grant temporary admin access? These practical questions prepare you for the exam's case studies.

Review Microsoft's official Azure Security documentation for the latest guidance on identity management and access control patterns.


Domain 2: Implement Platform Protection (35-40%)

Overview

This is the largest exam domain, covering network security, data protection, and infrastructure hardening. You'll implement network segmentation, encryption, threat protection, and vulnerability management across your Azure environment. This domain requires hands-on experience with multiple Azure services working together to create defense-in-depth security.

Key Topics and Services

Network Security and Segmentation

Network segmentation is foundational to platform protection. You must understand:

  • Virtual networks (VNets) and subnets for logical isolation
  • Network security groups (NSGs) for east-west traffic control
  • Azure Firewall for centralized ingress/egress filtering
  • Web Application Firewall (WAF) for Layer 7 protection
  • DDoS protection standard vs. basic
  • Private endpoints and service endpoints to limit public exposure
  • VPN gateways and ExpressRoute for encrypted connectivity

The exam tests your ability to design network architectures that minimize attack surface. You should be able to create NSG rules that follow the principle of least privilege, deploy Azure Firewall with appropriate threat intelligence rules, and understand when to use WAF for protecting web applications.
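To make the least-privilege NSG point concrete, here is an added example (not part of this guide) that evaluates inbound rules in priority order, the way an NSG does, and reports whether SSH or RDP is effectively reachable from an internet address. Rule dictionaries use the field names found in `az network nsg rule list` output; the rule sets, the VNet address space and the probe address are constructed. The `Internet` tag is simplified to "outside the VNet", and destination prefixes and other service tags are not modelled.

```python
import ipaddress

VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")  # constructed VNet address space
MGMT_PORTS = {22: "SSH", 3389: "RDP"}

# Default inbound rules present in every NSG (AzureLoadBalancer rule omitted).
DEFAULT_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "VirtualNetwork",
     "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"},
]


def rule(name, priority, access, source, ports, protocol="Tcp"):
    """Build a constructed sample inbound rule."""
    return {"name": name, "priority": priority, "direction": "Inbound",
            "access": access, "protocol": protocol,
            "sourceAddressPrefix": source, "destinationPortRanges": ports}


WEAK = [
    rule("allow-https", 100, "Allow", "*", ["443"]),
    rule("allow-ssh-any", 110, "Allow", "*", ["22"]),
    # A wide port range that silently includes 3389.
    rule("allow-admin-range", 120, "Allow", "Internet", ["3000-3400"]),
]
HARDENED = [
    rule("allow-https", 100, "Allow", "*", ["443"]),
    rule("allow-ssh-bastion", 110, "Allow", "10.0.250.0/26", ["22"]),
    rule("deny-mgmt-internet", 200, "Deny", "Internet", ["22", "3389"]),
]


def _values(r, single, plural):
    """NSG rules carry either a single value or a list; collect both."""
    vals = list(r.get(plural) or [])
    if r.get(single):
        vals.append(r[single])
    return vals


def _source_matches(prefix, ip):
    if prefix == "*":
        return True
    if prefix == "Internet":        # simplification: anything outside the VNet
        return ip not in VNET_SPACE
    if prefix == "VirtualNetwork":
        return ip in VNET_SPACE
    try:
        return ip in ipaddress.ip_network(prefix, strict=False)
    except ValueError:              # other service tags are not modelled
        return False


def _port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate_inbound(rules, src_ip, dst_port, protocol="Tcp"):
    """Return (access, rule name) of the first rule that matches, by priority."""
    ip = ipaddress.ip_address(src_ip)
    for r in sorted(rules + DEFAULT_RULES, key=lambda x: x["priority"]):
        if r["direction"] != "Inbound":
            continue
        if r["protocol"] != "*" and r["protocol"].lower() != protocol.lower():
            continue
        sources = _values(r, "sourceAddressPrefix", "sourceAddressPrefixes")
        ports = _values(r, "destinationPortRange", "destinationPortRanges")
        if any(_source_matches(s, ip) for s in sources) and \
           any(_port_matches(p, dst_port) for p in ports):
            return r["access"], r["name"]
    return "Deny", "no-match"


def audit_management_exposure(rules, probe_ip="203.0.113.10"):
    """List management ports an internet source can reach, with the allowing rule."""
    findings = []
    for port, service in MGMT_PORTS.items():
        access, name = evaluate_inbound(rules, probe_ip, port)
        if access == "Allow":
            findings.append((service, port, name))
    return findings


if __name__ == "__main__":
    print("weak:", audit_management_exposure(WEAK))
    print("hardened:", audit_management_exposure(HARDENED))
```

Evaluating the effective decision rather than searching for broad allow rules avoids false positives when a higher-priority deny shadows a legacy allow.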

Data Protection and Encryption

Data protection requires encryption at rest and in transit. Key concepts include:

  • Azure Storage Service Encryption (SSE) with Microsoft-managed and customer-managed keys
  • Azure Disk Encryption (ADE) using Azure Key Vault
  • Transparent Data Encryption (TDE) for SQL databases
  • Azure Information Protection (AIP) for data classification and labeling
  • SQL database encryption and Always Encrypted
  • SSL/TLS configuration for data in transit
  • Key rotation and key management strategies

You need practical experience managing encryption keys. The exam includes scenarios where you must configure customer-managed keys in Azure Key Vault, set up automatic key rotation, and implement access policies that prevent unauthorized key access.

Azure Key Vault

Key Vault is central to Azure security. You must understand:

  • Creating and managing key vaults with appropriate SKUs
  • Keys, secrets, and certificates storage and retrieval
  • Access policies vs. RBAC for key vault access
  • Key rotation and versioning
  • Soft delete and purge protection
  • Private endpoints for key vault access
  • Managed HSM for FIPS 140-2 compliance

The exam expects you to configure Key Vault access policies that grant the minimum permissions necessary. You should understand the difference between cryptographic operations (encrypt, decrypt, sign, verify) and key management operations (create, update, delete, purge).

Threat Protection Services

Azure provides multiple services to detect and respond to threats:

  • Microsoft Defender for Cloud (formerly Azure Security Center) for vulnerability scanning and security recommendations
  • Microsoft Defender for Servers for threat detection on VMs
  • Microsoft Defender for Databases for SQL database threats
  • Microsoft Defender for Container Registries for container image scanning
  • Microsoft Defender for App Service for web application threats

Understand the tiering model: Free tier provides basic security posture management, while Standard tier includes advanced threat detection. The exam tests your ability to configure Defender for Cloud policies, interpret security recommendations, and respond to detected threats.

Azure Policy and Compliance

Azure Policy enforces organizational standards and compliance requirements:

  • Built-in policy definitions for common security scenarios
  • Custom policy creation for organizational requirements
  • Policy initiatives (built-in and custom collections)
  • Compliance evaluation and remediation
  • Guest Configuration for machine compliance
  • Integration with security standards like CIS benchmarks

The exam includes scenarios where you must assign policies to enforce encryption, require MFA, or prevent insecure configurations. You should understand how to evaluate policy compliance and create remediation tasks for non-compliant resources.

Container and Kubernetes Security

Container security is increasingly important:

  • Azure Container Registry (ACR) image scanning and quarantine
  • Azure Kubernetes Service (AKS) security controls
  • Pod identity and managed identity integration
  • Network policies for pod-to-pod communication
  • Azure Policy for Kubernetes compliance
  • Image pull secrets and registry access control

You should understand how security differs between containers and VMs. Container scanning, admission controllers, and pod security policies are critical concepts tested on the AZ-500.

Study Strategy for Domain 2

This domain requires extensive hands-on practice. Start with network security basics, creating VNets and NSGs, then progress to Azure Firewall and WAF configurations. Practice creating different NSG rules and understanding how traffic flows through your network architecture.

Next, focus on encryption. Configure storage accounts with customer-managed keys in Key Vault. Set up disk encryption on a VM. Practice key rotation and understand the audit logs showing when encryption keys are accessed. Use the included 12-hour Challenge labs to get realistic scenario-based practice.

Then explore threat protection services. Enable Microsoft Defender for Cloud on a test subscription and navigate through the security recommendations. Understand the difference between Free and Standard pricing tiers and what capabilities each provides. Review security alerts and understand how to investigate and respond to findings.

Finally, experiment with Azure Policy. Create policies that enforce encryption, require managed disks, or mandate network security group rules. Use policy compliance reporting to understand how resources align with organizational standards.

For detailed network architecture patterns, review Azure security architecture patterns on Microsoft Learn.


Domain 3: Manage Security Operations (25-30%)

Overview

This domain covers security monitoring, incident response, and compliance management. You'll implement logging, configure alerts, use SIEM capabilities, and respond to security incidents. This domain tests your ability to detect, investigate, and respond to security events in Azure environments.

Key Topics and Services

Logging and Monitoring

Comprehensive logging is essential for detecting security incidents. You must understand:

  • Azure Monitor for metrics and logs collection
  • Azure Log Analytics workspace for log storage and analysis
  • Diagnostic settings to send logs to Log Analytics, storage, or event hubs
  • Azure Activity Log for subscription-level events
  • Resource-level diagnostic logs
  • Guest-level logging on VMs using Log Analytics agents
  • Log Analytics queries (KQL) for threat detection and investigation

The exam expects you to configure diagnostic settings on various resources, understand what logs are available for different services, and write simple KQL queries to investigate security events. You should know which logs are useful for detecting specific security incidents.

Azure Sentinel

Azure Sentinel is Azure's cloud-native SIEM platform:

  • Data connectors for ingesting logs from Azure and third-party sources
  • Analytics rules for threat detection
  • Workbooks for visualization and reporting
  • Incident management and investigation
  • Automation with playbooks
  • Threat intelligence integration
  • Entity behavior analytics (UEBA) for anomaly detection

You should understand the workflow: connect data sources, configure analytics rules to generate incidents from raw logs, investigate incidents using case tools, and automate response with playbooks. The exam tests your ability to set up basic Sentinel configurations and respond to generated incidents.

Alert Management

Effective alerting requires careful tuning to reduce false positives:

  • Azure Monitor alert rules with appropriate thresholds
  • Alert routing to action groups
  • Webhook integration for automated response
  • Notification preferences and escalation
  • Alert suppression to prevent alert fatigue

Understand the differences between Azure Monitor alerts, Defender for Cloud alerts, and Sentinel incidents. The exam tests your ability to configure alerts that detect genuine threats without generating excessive noise.

Incident Response and Forensics

When security incidents occur, you must be able to investigate and respond:

  • Incident classification and severity assignment
  • Forensic evidence collection and preservation
  • Timeline reconstruction from logs
  • Impact assessment and containment strategies
  • Root cause analysis
  • Remediation and lessons learned

The exam includes scenarios where you investigate security incidents using available logs and telemetry. You should understand how to correlate events, identify attack patterns, and determine the scope of compromise.
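The timeline and correlation steps described above, as an added example that is not part of this guide: it orders Activity Log records, keeps the successful security-relevant operations, flags a caller who changes role assignments and then deletes diagnostic settings within 30 minutes, and lists the resources that caller touched. Records use an abridged form of the `az monitor activity-log list` output; all callers, timestamps and resource IDs are constructed, and the 30-minute window is an assumption.

```python
from datetime import datetime, timedelta

# Operation names are compared in lower case.
SENSITIVE_OPS = {
    "microsoft.authorization/roleassignments/write": "privilege change",
    "microsoft.insights/diagnosticsettings/delete": "logging disabled",
    "microsoft.network/networksecuritygroups/securityrules/write": "network rule change",
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
KV_DIAG = SUB + "/resourceGroups/rg-data/providers/Microsoft.KeyVault/vaults/kv-prod" \
                "/providers/Microsoft.Insights/diagnosticSettings/to-law"
NSG_WEB = SUB + "/resourceGroups/rg-app/providers/Microsoft.Network" \
                "/networkSecurityGroups/nsg-web/securityRules/allow-https"
NSG_DATA = SUB + "/resourceGroups/rg-data/providers/Microsoft.Network" \
                 "/networkSecurityGroups/nsg-data/securityRules/allow-sql"


def rec(ts, caller, op, resource_id, status="Succeeded"):
    """Build one constructed Activity Log record (abridged fields)."""
    return {"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
            "resourceId": resource_id, "status": {"value": status}}


# Constructed sample, deliberately out of order.
SAMPLE = [
    rec("2026-01-10T14:31:40Z", "svc-deploy@contoso.example",
        "Microsoft.Insights/diagnosticSettings/delete", KV_DIAG),
    rec("2026-01-10T09:02:11Z", "ops-admin@contoso.example",
        "Microsoft.Network/networkSecurityGroups/securityRules/write", NSG_WEB),
    rec("2026-01-10T14:20:05Z", "svc-deploy@contoso.example",
        "Microsoft.Authorization/roleAssignments/write", SUB),
    rec("2026-01-10T14:25:00Z", "svc-deploy@contoso.example",
        "Microsoft.Authorization/roleAssignments/write", SUB, status="Failed"),
    rec("2026-01-10T14:40:12Z", "svc-deploy@contoso.example",
        "Microsoft.Network/networkSecurityGroups/securityRules/write", NSG_DATA),
    rec("2026-01-11T08:00:00Z", "ops-admin@contoso.example",
        "Microsoft.Insights/diagnosticSettings/delete", KV_DIAG),
]


def build_timeline(records, caller=None):
    """Successful sensitive operations, oldest first, optionally for one caller."""
    events = []
    for r in records:
        label = SENSITIVE_OPS.get(r["operationName"]["value"].lower())
        if label is None or r["status"]["value"] != "Succeeded":
            continue
        who = r["caller"].lower()
        if caller and who != caller.lower():
            continue
        when = datetime.fromisoformat(r["eventTimestamp"].replace("Z", "+00:00"))
        events.append({"time": when, "caller": who, "label": label,
                       "resource": r["resourceId"]})
    return sorted(events, key=lambda e: e["time"])


def correlate(records, window=timedelta(minutes=30)):
    """Callers who changed privileges, then disabled logging within the window."""
    timeline = build_timeline(records)
    hits = []
    for first in timeline:
        if first["label"] != "privilege change":
            continue
        for later in timeline:
            gap = later["time"] - first["time"]
            if (later["caller"] == first["caller"]
                    and later["label"] == "logging disabled"
                    and timedelta(0) <= gap <= window):
                hits.append((first["caller"], first["time"], later["time"]))
    return hits


def affected_resources(records, caller):
    """Scope of change: distinct resources the caller successfully modified."""
    return sorted({e["resource"] for e in build_timeline(records, caller)})


if __name__ == "__main__":
    for who, t1, t2 in correlate(SAMPLE):
        print(who, "privilege change at", t1, "logging disabled at", t2)
        for res in affected_resources(SAMPLE, who):
            print("  touched:", res)
```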

Compliance and Governance

Security operations include maintaining compliance with regulations:

  • Azure Compliance Manager for tracking compliance posture
  • Regulatory compliance assessments
  • Audit logs and evidence collection
  • Data retention and deletion policies
  • Privacy and data protection compliance
  • Security baselines and benchmarks

You should understand how to use Azure tools to demonstrate compliance with regulations like HIPAA, PCI-DSS, and GDPR. The exam tests your knowledge of how security controls support compliance requirements.

Secure DevOps

Security must be integrated into development pipelines:

  • Azure DevOps security scanning in CI/CD pipelines
  • Container image scanning and signing
  • Infrastructure as Code (IaC) security scanning
  • Secrets management in DevOps workflows
  • Dependency scanning for vulnerable libraries

You need to understand how to shift security left, catching vulnerabilities before they reach production. The exam tests your knowledge of security tools integrated into development workflows.

Study Strategy for Domain 3

Start by understanding Azure Monitor and Log Analytics. Create a Log Analytics workspace and configure diagnostic settings on various resources. Write simple KQL queries to search logs. This foundation is essential for all monitoring work.

Next, explore Azure Sentinel. Set up a Sentinel workspace, connect data sources, and review the available analytics rules. Create a simple custom analytics rule that would trigger alerts for suspicious activity. Understand the incident investigation workflow.

Then practice incident response scenarios. Review logs from a test environment that has been intentionally compromised (or use provided sample scenarios). Practice investigating the timeline, determining what occurred, and what systems were affected. This practical understanding prepares you for exam scenarios.

Finally, understand compliance and governance. Review compliance assessments available in Compliance Manager. Understand how Azure Policy and Defender for Cloud recommendations support compliance requirements.

Review Microsoft's Azure Sentinel documentation and Azure Monitor documentation for the latest capabilities and best practices.


Study Strategies and Preparation Timeline

Recommended Study Timeline (8-12 Weeks)

A typical AZ-500 preparation timeline follows this structure:

Weeks 1-2: Foundation and Domain 1

Begin with Azure fundamentals if you're new to cloud. Understand the Azure portal, subscriptions, resource groups, and basic Azure services. Then dive into Domain 1 (Identity and Access). Watch video tutorials, read official Microsoft documentation, and create a test Azure subscription where you'll complete hands-on exercises. Configure users, groups, and RBAC assignments. Set up MFA and test Conditional Access policies.

By the end of week 2, you should be able to manage Azure AD users and groups, configure RBAC, and implement basic security controls for access management.

Weeks 3-5: Domain 2, Part 1 (Network and Data Protection)

Focus on network security and infrastructure protection. Create virtual networks, configure network security groups, and understand network security group rules. Practice designing network architectures that follow security principles. Then move to encryption topics. Configure customer-managed key encryption in Azure Key Vault, enable disk encryption on VMs, and understand encryption options for storage and databases.

Complete practical labs focusing on these areas. The included 12-hour Challenge labs provide realistic scenarios where you must secure networks and implement encryption under time pressure, simulating exam conditions.

Weeks 6-7: Domain 2, Part 2 (Threat Protection and Compliance)

Explore threat protection services. Enable Microsoft Defender for Cloud on a test subscription and work through its security recommendations. Understand how to configure Defender policies and investigate security findings. Then learn Azure Policy. Create policies that enforce security standards and understand how compliance is evaluated.

Practice interpreting policy compliance reports and remediating non-compliant resources. By the end of week 7, you should understand how Azure uses policies and threat protection to create a defense-in-depth security posture.

Weeks 8-9: Domain 3 (Security Operations)

Configure logging and monitoring. Set up a Log Analytics workspace, configure diagnostic settings across resources, and practice writing KQL queries. Create Azure Monitor alerts for security-relevant events. Then explore Azure Sentinel. Create a Sentinel workspace, connect data sources, and configure analytics rules.

Practice the incident investigation workflow using Sentinel's case tools. The incident management capabilities in Sentinel simulate real SIEM operations.

Weeks 10-12: Practice Exams and Gap Analysis

Use the included MeasureUp practice exams (60 days access) to identify knowledge gaps. The practice exams use the same case study format as the real exam, helping you become comfortable with the question delivery format. Review your weak areas and revisit relevant topics.

Continue hands-on practice with challenging scenarios. Re-visit the Challenge labs and try to complete them faster or with additional complexity. Practice under timed conditions to build speed and confidence.

Effective Study Techniques

Hands-On Practice Over Memorization

The AZ-500 is a practical exam. Don't just memorize facts; actually use Azure services. When learning about network security, create NSG rules and test them. When learning about encryption, enable encryption on real resources and verify it in logs. This practical experience is what the exam truly tests.

Lab-Based Learning

Complete the 12-hour Challenge labs included with your course. These labs simulate exam scenarios where you must make security decisions in realistic environments. They also build the muscle memory needed to quickly navigate the Azure portal and complete tasks.

Use Official Microsoft Documentation

Microsoft Learn provides free, official training for Azure services. When studying encryption, read the official Azure encryption overview documentation. This ensures you're learning current, accurate information directly from the source.

Create Real Scenarios

Don't practice services in isolation. Create realistic scenarios: secure a multi-tier application with web servers, application servers, and databases. Implement network segmentation, encryption, identity controls, and monitoring. This integrated approach reflects real job responsibilities and prepares you for case study questions.

Review and Adjust

After each study session, review what you learned. After each practice exam, identify weak domains and allocate additional study time. If you score well on Domain 1 but poorly on Domain 3, spend more weeks on Domain 3 before taking another practice exam.

Supplementary Resources

Beyond your primary course, leverage these resources:

  • Microsoft Learn provides free, self-paced modules on Azure services
  • Microsoft's official Azure Security Engineer Associate exam page lists official study materials
  • Azure security blogs and white papers for current threat landscape information
  • Community forums and study groups for peer discussion and support

Essential Resources and Practice Labs

Your exam preparation requires multiple types of resources working together. Your primary course provides structured learning paths and practice labs. MeasureUp practice exams familiarize you with the case study format and allow self-assessment before the real exam.

Microsoft Learn offers free official training modules covering all exam topics. Use these to supplement your course content and ensure you're learning the latest Azure features. The combination of structured course content, hands-on labs, practice exams, and official Microsoft documentation creates a comprehensive preparation program.

For Domain 1 (Identity and Access), the Microsoft Azure Administrator (AZ-104) course provides complementary knowledge on Azure administration, including foundational RBAC and access management concepts. Understanding administration helps you grasp security from an operational perspective.

For those entering Azure security for the first time, the Microsoft Azure Fundamentals (AZ-900) course provides essential background on Azure services, helping you understand the foundational concepts underlying security implementations.

Developers preparing for AZ-500 might find the Microsoft Azure Developer Associate (AZ-204) course valuable for understanding how applications interact with Azure security services.

For broader cybersecurity context, the cybersecurity training collection offers related certifications like CompTIA Security+ (SY0-701) that cover general security principles applicable to cloud environments.


The DiviTrain Advantage

  • Expert tutor support available 24/7
  • MeasureUp Practice Exams (60 days access)
  • 365 days of course access
  • Challenge labs (12 hours of realistic scenario-based practice)
  • Comprehensive curriculum covering all three exam domains
  • Regular updates reflecting the latest Azure services and security features

Frequently Asked Questions

What is the Azure Security Technologies (AZ-500) exam?

The Azure Security Technologies (AZ-500) is a Microsoft certification exam that validates your ability to implement and manage security across Azure cloud infrastructure. The exam tests your knowledge of identity and access management, platform protection, and security operations through practical case study scenarios. Passing this exam qualifies you as a Microsoft Azure Security Engineer Associate.

How many domains does the AZ-500 exam cover?

The AZ-500 exam covers three main domains: Domain 1 covers Manage Identity and Access (25-30% of the exam), Domain 2 covers Implement Platform Protection (35-40% of the exam), and Domain 3 covers Manage Security Operations (25-30% of the exam). Each domain requires different knowledge and hands-on skills, and the exam is weighted to emphasize platform protection as the largest focus area.

What score do I need to pass the AZ-500 exam?

You need to achieve a score of 700 out of 1000 to pass the AZ-500 exam. The passing score is consistent across different exam administrations and doesn't change based on the difficulty of questions. The score is calculated based on how many questions you answer correctly and the relative difficulty of those questions.

How long is the AZ-500 exam?

The AZ-500 exam is 150 minutes long, giving you two and a half hours to complete 40-60 case study questions. The variable number of questions means some exams have more questions than others, but all exams have the same total time allocation. This provides approximately 2-4 minutes per question on average, depending on question complexity.

What are the prerequisites for taking the AZ-500 exam?

Microsoft doesn't have formal prerequisites, but you should have foundational knowledge of Azure services and administration before attempting AZ-500. Most candidates find it helpful to have passed AZ-104 (Azure Administrator) or have equivalent hands-on experience with Azure. You should be comfortable navigating the Azure portal, managing resources, and understanding basic networking concepts.

How long does it take to prepare for the AZ-500 exam?

Most candidates require 8-12 weeks of dedicated study to prepare adequately for the AZ-500 exam. The timeline depends on your starting knowledge. If you already have Azure experience, you might prepare in 6-8 weeks. If you're new to Azure, you might need 12-14 weeks. Effective preparation requires consistent effort, hands-on practice with Azure services, and multiple practice exams.

What types of questions appear on the AZ-500 exam?

The AZ-500 uses case study questions delivered in an interactive format rather than traditional multiple-choice. You're presented with realistic security scenarios and must navigate simulated Azure environments to complete tasks and make security decisions. Some questions require you to identify which Azure service to use, while others require you to configure settings or interpret logs. This practical format means you need hands-on experience, not just theoretical knowledge.

Can I retake the AZ-500 exam if I fail?

Yes, you can retake the AZ-500 exam if you don't achieve a passing score. Microsoft allows exam retakes, though you should wait at least 24 hours between attempts. There's no limit on retakes, but each exam attempt costs the full exam fee. After a failing attempt, identify your weak domains using practice exam results and focus additional study time on those areas before retaking the exam.


About the Author

DiviTrain is an international IT learning platform with nearly 20 years of experience in professional IT training. Our courses are developed by Skillsoft, the global leader in enterprise learning, ensuring high-quality, industry-relevant content. You get access to hands-on practice labs (where applicable), expert tutor support available 24/7, and official MeasureUp practice exams—all backed by DiviTrain's commitment to your certification success. Whether you're pursuing your first certification or advancing your career in cloud security, DiviTrain provides the complete tools, guidance, and support you need to succeed.

