# How to Pass Microsoft Azure Security Technologies (AZ-500) in 2026: Complete Study Guide

Complete study guide for the AZ-500 Azure Security Technologies exam. Domain breakdown, key concepts for Entra ID, network security, Defender for Cloud, Microsoft Sentinel, and a 6-week study plan.

The AZ-500 Microsoft Azure Security Technologies exam is the Associate-level security certification for Azure. It validates your ability to implement security controls across identity, networking, compute, storage, and security operations. Unlike the AZ-900 or AZ-104, the AZ-500 focuses exclusively on security — and in 2026, with increasing pressure on organizations to meet compliance mandates, passing this exam demonstrates skills that are in high demand.

---

## Exam Format

| Detail | Value |
|---|---|
| Exam code | AZ-500 |
| Cost | $165 USD |
| Number of questions | 40–60 questions |
| Time limit | 120 minutes |
| Level | Associate |
| Passing score | 700 / 1000 |
| Prerequisite | None (AZ-104 strongly recommended) |

The AZ-500 has no formal prerequisite, but you will struggle without a working knowledge of Azure resource management. Complete the AZ-104 (Azure Administrator) or at minimum work through the Azure fundamentals content before starting AZ-500 preparation.

---

## Exam Domain Breakdown

| Domain | Weight | Question Estimate (~50q) |
|---|---|---|
| Manage identity and access | 25–30% | ~14 questions |
| Secure networking | 20–25% | ~11 questions |
| Secure compute, storage, and databases | 20–25% | ~11 questions |
| Manage security operations | 25–30% | ~14 questions |

The exam is balanced across four domains, with identity/access and security operations receiving the most attention. Neither can be neglected.

---

## Domain 1: Manage Identity and Access

This domain covers Microsoft Entra ID (formerly Azure Active Directory) and related identity services.
**Microsoft Entra ID fundamentals:**

- Users, groups, service principals, managed identities
- Roles: Azure RBAC (resource-level) vs Entra roles (directory-level) — these are separate role systems
- Guest access: B2B (invite external users to your tenant) vs B2C (consumer identity for your applications)

**Privileged Identity Management (PIM):**

PIM manages time-bound, just-in-time access to privileged roles.

- **Eligible assignment**: a user can activate the role when needed (requires MFA/approval/justification)
- **Active assignment**: a user has the role permanently active (no activation required)
- PIM covers both Azure RBAC roles and Entra directory roles
- Activation settings: maximum duration, require MFA, require approval, require justification

**Conditional Access:**

Conditional Access policies evaluate at token issuance (sign-in time). They block or grant access based on conditions:

- User/group membership
- Application being accessed
- Device compliance status (managed/compliant)
- Sign-in location (named locations: IP ranges or countries)
- Sign-in risk level (from Entra ID Protection)

**MFA and Authentication Methods:**

- MFA methods: authenticator app, SMS, voice call, FIDO2 security keys, Windows Hello for Business, certificate-based authentication
- Authentication strength: a Conditional Access control that requires a specific combination of methods (e.g., phishing-resistant MFA requires FIDO2 or certificate-based auth, not SMS)

**Managed Identities:**

- System-assigned: tied to a single Azure resource lifecycle
- User-assigned: standalone identity that can be assigned to multiple resources
- Eliminates the need for credentials in application code

> **💡 Exam Tip:** Conditional Access is preventive — it evaluates at token issuance. Entra ID Protection risk policies are reactive — they respond to detected risky sign-ins or compromised users. Know which one applies to each scenario.
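To make the Conditional Access semantics above concrete (conditions select which policies apply, every applicable grant control must be satisfied, a block always wins, and phishing-resistant authentication strength rejects SMS), here is a small Python model. It is an added example, not code from this guide or from Microsoft; the policy names, group and app names, named locations and method names are constructed.

```python
from dataclasses import dataclass, field

# Authentication strengths as the guide describes them: phishing-resistant MFA
# accepts FIDO2 or certificate-based auth, never SMS. (Method names are constructed.)
PHISHING_RESISTANT = {"fido2", "certificate"}
ANY_MFA = PHISHING_RESISTANT | {"authenticator_app", "sms", "voice_call"}
RISK_LEVELS = ["none", "low", "medium", "high"]   # sign-in risk from Entra ID Protection

@dataclass
class SignIn:                 # the context Conditional Access sees at token issuance
    groups: set
    app: str
    location: str             # named location, or "Unknown"
    device_compliant: bool
    sign_in_risk: str
    methods: set              # authentication methods already satisfied

@dataclass
class Policy:
    name: str
    grant: str                # "block", "mfa", "phishing_resistant_mfa" or "compliant_device"
    groups: set = field(default_factory=set)         # empty = all users
    apps: set = field(default_factory=set)           # empty = all cloud apps
    exclude_locations: set = field(default_factory=set)
    min_risk: str = "none"    # policy applies at this sign-in risk level or higher

def applies(p: Policy, s: SignIn) -> bool:
    return ((not p.groups or bool(p.groups & s.groups)) and (not p.apps or s.app in p.apps)
            and s.location not in p.exclude_locations
            and RISK_LEVELS.index(s.sign_in_risk) >= RISK_LEVELS.index(p.min_risk))

def satisfied(p: Policy, s: SignIn) -> bool:
    return {"mfa": bool(s.methods & ANY_MFA),
            "phishing_resistant_mfa": bool(s.methods & PHISHING_RESISTANT),
            "compliant_device": s.device_compliant}[p.grant]

def evaluate(policies, s: SignIn):
    """Every applicable policy must be satisfied and a block control always wins.
    Returns ("grant", []), ("block", [names]) or ("interrupt", [unsatisfied names])."""
    applicable = [p for p in policies if applies(p, s)]
    blocks = [p.name for p in applicable if p.grant == "block"]
    if blocks: return "block", blocks
    pending = [p.name for p in applicable if not satisfied(p, s)]
    return ("interrupt", pending) if pending else ("grant", [])

# Constructed tenant policy set; names, groups and apps are illustrative.
POLICIES = [
    Policy("Block high-risk sign-ins", "block", min_risk="high"),
    Policy("Require MFA for all users", "mfa", exclude_locations={"CorpHQ"}),
    Policy("Admins: phishing-resistant MFA", "phishing_resistant_mfa", groups={"GlobalAdmins"}),
    Policy("FinanceApp: compliant device only", "compliant_device", apps={"FinanceApp"}),
]
```

An admin who only completed SMS MFA satisfies the tenant-wide MFA policy but is still interrupted by the phishing-resistant policy, which is the distinction the exam tip above is about.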
---

## Domain 2: Secure Networking

**Network Security Groups (NSGs):**

- Stateful packet filter at subnet or NIC level
- Rules: priority, source/destination (IP, CIDR, service tag, ASG), port, protocol, allow/deny
- Default rules (lowest priority): allow VNet-to-VNet, allow Azure Load Balancer inbound, deny all inbound
- Application Security Groups (ASGs): group VMs by role (e.g., "WebTier") and use ASG names in NSG rules instead of IP addresses

**Azure Firewall:**

- Stateful, fully managed network firewall
- Rule types: network rules (IP/port), application rules (FQDN-based), NAT rules (DNAT)
- Azure Firewall Premium: includes IDPS (Intrusion Detection and Prevention System), TLS inspection, URL filtering, web categories
- Threat intelligence: blocks traffic to/from known malicious IPs

**Azure DDoS Protection:**

- Basic: automatically enabled for all Azure services (free)
- Standard: enhanced protection for your specific VNet resources, adaptive tuning, attack analytics, SLA guarantee for protected resources

**Web Application Firewall (WAF):**

- Deployed in front of Azure Application Gateway (regional) or Azure Front Door (global)
- Modes: Detection (log only) vs Prevention (block)
- Managed rule sets: OWASP Core Rule Set (CRS), Microsoft Bot Manager rule set

| Service | Protection type | Layer | Scope |
|---|---|---|---|
| NSG | Packet filter (L3/L4) | Network | Subnet/NIC |
| Azure Firewall | Stateful inspection (L3-L7) | Network/App | VNet perimeter |
| WAF on App Gateway | Web application firewall (L7) | Application | HTTP/HTTPS |
| WAF on Front Door | Web application firewall (L7) | Application | Global HTTP/HTTPS |
| DDoS Protection Standard | Volumetric/protocol attack mitigation | Network | VNet resources |

---

## Domain 3: Secure Compute, Storage, and Databases

**Azure Key Vault:**

- Stores secrets (passwords, connection strings), keys (RSA, EC), and certificates
- Two access models: access policies (vault-level permissions) and RBAC (resource-level, Azure roles)
- Soft-delete: deleted items retained for 90 days (default), recoverable
- Purge protection: prevents permanent deletion during retention period

**Managed HSM:**

- Dedicated FIPS 140-2 Level 3 Hardware Security Module
- Single-tenant, fully managed by customer
- More expensive than Key Vault Premium (which uses shared HSM)

**Encryption options:**

| Option | What it encrypts | Key control |
|---|---|---|
| Azure Storage Service Encryption (SSE) | Storage data at rest | Platform-managed or customer-managed keys |
| SSE with Customer-Managed Keys (CMK) | Storage data at rest | Your Key Vault key |
| Azure Disk Encryption (ADE) | OS and data disks | BitLocker (Windows) / DM-Crypt (Linux), key in Key Vault |
| Transparent Data Encryption (TDE) | Azure SQL / SQL Managed Instance at rest | Platform-managed or CMK |

**Managed Identities for resource access:**

- Applications use managed identities to access Key Vault, Storage, SQL, etc. without passwords
- Assign the identity the appropriate RBAC role (e.g., `Key Vault Secrets User`)
- System-assigned vs user-assigned (covered in Domain 1)

---

## Domain 4: Manage Security Operations

**Defender for Cloud:**

- Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP)
- Free tier: basic security recommendations (CSPM), secure score
- Enhanced security plans (paid, per-resource type): Defender for Servers, Defender for SQL, Defender for Containers, Defender for App Service, Defender for Storage, Defender for Key Vault

**Secure score:**

- Percentage of security controls met across your subscriptions
- Each recommendation belongs to a security control with a maximum score impact
- Remediating high-impact controls improves score most

**Microsoft Sentinel:**

- Cloud-native SIEM (Security Information and Event Management) + SOAR (Security Orchestration, Automated Response)
- Data connectors: Azure Monitor Agent (AMA), legacy Log Analytics agent, direct REST API connectors, third-party connectors
- Analytics rules: detect threats from log data
- Automation rules + playbooks (Logic Apps): automated response

**Microsoft Sentinel analytics rule types:**

| Rule type | Description |
|---|---|
| Scheduled | KQL query runs on a schedule; generates alerts when conditions match |
| Near Real-Time (NRT) | Runs every minute for near-real-time detection |
| Fusion | ML-based correlation of low-fidelity signals into high-fidelity incidents |
| ML behavior analytics | Detects anomalous behavior using built-in ML models |
| Threat intelligence | Matches IOCs from TI feeds against your log data |
| Anomaly | Statistical baseline; alerts when deviations exceed threshold |

**Azure Policy:**

- Enforces governance across Azure subscriptions
- Effect types: Audit (log non-compliance), Deny (block non-compliant deployments), DeployIfNotExists (auto-remediate), Modify (change resource properties)
- Initiatives: groups of policies (e.g., Azure Security Benchmark initiative)

> **💡 Exam Tip:** Microsoft Sentinel analytics rules generate **alerts**. Alerts are grouped into **incidents** (either automatically by correlation rules or manually). Playbooks (Logic Apps) respond to **incidents or alerts** via automation rules — not directly to raw log events.

---

## 6-Week Study Plan

| Week | Focus | Activities |
|---|---|---|
| 1 | Entra Identity | PIM eligible vs active, Conditional Access policy design, MFA methods, authentication strength. |
| 2 | Network Security | NSG rule priority, ASGs, Azure Firewall vs WAF vs DDoS comparison. Deploy a hub-spoke network lab. |
| 3 | Compute and Storage Security | Key Vault access policies vs RBAC, soft-delete vs purge protection, ADE vs SSE, managed identities. |
| 4 | Defender for Cloud | Enable enhanced security plans, review secure score recommendations, configure workflow automation. |
| 5 | Microsoft Sentinel | Set up a Sentinel workspace, create a scheduled analytics rule, build a simple playbook (Logic App). |
| 6 | Practice and Review | Full practice exams. Review comparison tables. Focus on identity and security operations (50-60% of exam). |

---

## Key Study Resources

- **Microsoft Learn**: AZ-500 learning path (free, official, includes labs)
- **Microsoft documentation**: Microsoft Entra admin center, Defender for Cloud, Microsoft Sentinel
- **Ninja training**: Microsoft Sentinel Ninja training (free, detailed)
- **CertLand practice exams**: 340 AZ-500 scenario questions covering all four domains

---

## Final Exam Tips

1. Know the difference between Azure RBAC roles and Entra directory roles — they are separate systems
2. PIM eligible = must activate (with MFA/approval); PIM active = always active
3. Key Vault access policies vs RBAC is a top-5 exam topic — know when each applies
4. Defender for Cloud enhanced plans are per-resource-type — you can enable Defender for Servers without enabling Defender for SQL
5. Sentinel analytics rules generate alerts that become incidents — playbooks respond to incidents via automation rules

Ready to practice? **[Start AZ-500 Practice Exam on CertLand →](https://certland.net/exam/microsoft-azure-security-technologies-az-500-340-questions)**
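The NSG rule-priority evaluation from Domain 2 (first match in ascending priority order wins, with service tags and ASG names usable in place of addresses, and Azure's default rules at 65000 and above checked last) is the behaviour the week 2 study item on "NSG rule priority" refers to. The Python model below is an added example, not code from this guide or from Azure; the service-tag ranges, ASG membership, rule set and addresses are constructed, and it simplifies a real NSG rule to source, destination port and protocol.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed lookups (Azure resolves these from platform metadata): service-tag
# ranges and ASG membership are made up for this example.
SERVICE_TAGS = {"VirtualNetwork": ["10.0.0.0/16"], "AzureLoadBalancer": ["168.63.129.16/32"]}
ASGS = {"WebTier": ["10.0.1.4", "10.0.1.5"]}   # role name -> member NIC addresses

# name, priority (custom rules 100-4096; lowest number checked first), source ("*", IP,
# CIDR, service tag or ASG name), dest_port ("*", port or "lo-hi"), protocol, access
Rule = namedtuple("Rule", "name priority source dest_port protocol access")

def source_matches(spec: str, addr: str) -> bool:
    if spec == "*":
        return True
    if spec in ASGS:
        return addr in ASGS[spec]
    if spec == "Internet":                      # everything outside the VNet
        return not source_matches("VirtualNetwork", addr)
    if spec in SERVICE_TAGS:
        return any(ip_address(addr) in ip_network(n) for n in SERVICE_TAGS[spec])
    return ip_address(addr) in ip_network(spec, strict=False)

def port_matches(spec: str, port: int) -> bool:
    lo, _, hi = spec.partition("-")
    return spec == "*" or int(lo) <= port <= int(hi or lo)

# Azure's default inbound rules sit at 65000-65500, after every custom rule.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

def evaluate_inbound(rules, src_ip: str, dst_port: int, protocol: str):
    """First match in ascending priority order wins; later rules are never consulted."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol) and source_matches(r.source, src_ip)
                and port_matches(r.dest_port, dst_port)):
            return r.access, r.name
    raise RuntimeError("unreachable: DenyAllInBound matches all traffic")

# Constructed NSG: the admin RDP allow at 110 is shadowed by the deny at 100.
CUSTOM_RULES = [
    Rule("DenyRdpFromAnywhere", 100, "*", "3389", "Tcp", "Deny"),
    Rule("AllowRdpFromAdminRange", 110, "203.0.113.0/24", "3389", "Tcp", "Allow"),
    Rule("AllowHttpsFromInternet", 200, "Internet", "443", "Tcp", "Allow"),
    Rule("AllowWebTierToApp", 300, "WebTier", "8080", "Tcp", "Allow"),
]
```

The shadowed rule at priority 110 is the kind of misordering a rule audit should flag: because the deny at 100 matches first, the admin range never gets RDP, and no lower-priority rule can change that.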
