Introduction
The AZ-500 (Microsoft Azure Security Technologies) earns the Microsoft Certified: Azure Security Engineer Associate badge. It validates that you can implement security controls, manage identity and access, protect data and applications, and respond to security incidents across Azure environments.
In 2026 — with cloud breaches dominating headlines and zero-trust architectures going mainstream — AZ-500 has become one of the most in-demand Azure certifications. This guide breaks down the current exam objectives, the four domains and their weights, prerequisites, hands-on skills, and a realistic 10–14 week study plan.
Who AZ-500 Is For
AZ-500 is the right exam if you:
- Already hold or have prepared for AZ-104 (recommended but not required)
- Work as a security engineer, cloud security analyst, DevSecOps engineer, or Azure administrator with security responsibilities
- Have 6+ months of Azure security experience or a strong general security background
- Know the basics of identity (OAuth/OIDC), networking (TCP/IP, TLS), and at least one scripting language (PowerShell, Bash, or Python)
If you’re brand-new to security and Azure, take AZ-900 first, build hands-on experience for a few months, then tackle AZ-500.
AZ-500 Exam Specifications
| Attribute | Detail |
|---|---|
| Exam code | AZ-500 |
| Title | Microsoft Azure Security Technologies |
| Format | Multiple-choice, multi-select, case studies, drag-and-drop, hot-area |
| Questions | 40–60 |
| Duration | 120 minutes of testing time |
| Passing score | 700 / 1000 (scaled) |
| Cost | $165 USD |
| Validity | 1 year (free Microsoft Learn renewal) |
| Delivery | Pearson VUE in person or online |
AZ-500 Domains (Current 2026 Objectives)
| Domain | Weight |
|---|---|
| Manage identity and access | 25–30% |
| Secure networking | 20–25% |
| Secure compute, storage, and databases | 20–25% |
| Manage security operations | 25–30% |
The exam is roughly balanced. Identity and security ops are slightly larger; networking and workload protection are equally weighted.
Domain 1: Manage Identity and Access (25–30%)
The single highest-yield domain:
- Microsoft Entra ID: users, groups, administrative units, external identities (B2B)
- Authentication: MFA, passwordless (FIDO2, Authenticator, Windows Hello for Business), Conditional Access policies
- Authorization: RBAC scopes, custom roles, ABAC for storage
- Privileged Identity Management (PIM): eligible vs. active assignments, just-in-time access, access reviews
- Identity Protection: risk policies, risk-based Conditional Access, sign-in and user risk
- Hybrid identity: Entra Connect, Cloud Sync, password hash sync vs. pass-through vs. federation
- Workload identities: managed identities, service principals, workload identity federation
Domain 2: Secure Networking (20–25%)
- Perimeter security: Azure Firewall, Firewall Manager, Azure DDoS Protection
- VNet security: Network Security Groups, Application Security Groups, service endpoints, private endpoints, Private Link
- Application security: Azure Front Door with WAF, Application Gateway WAF, Web Application Firewall policies
- Connectivity: Site-to-Site VPN, ExpressRoute, Azure Bastion
- Network monitoring: NSG flow logs, Traffic Analytics, Network Watcher
Domain 3: Secure Compute, Storage, and Databases (20–25%)
- VM security: disk encryption (Azure Disk Encryption, server-side encryption with customer-managed keys), Just-in-Time access, update management, antimalware
- Container security: AKS RBAC, Microsoft Defender for Containers, network policies, pod identity
- App Service security: managed identities, access restrictions, Key Vault references for app settings
- Storage security: SAS tokens, customer-managed keys (CMK), immutability, soft delete, Defender for Storage
- Database security: Azure SQL — Transparent Data Encryption, Always Encrypted, Dynamic Data Masking, Defender for SQL
- Key Vault: vaults vs. HSMs, soft delete and purge protection, access policies vs. RBAC, key rotation, certificates
Domain 4: Manage Security Operations (25–30%)
The second-largest domain and the one most new candidates underprepare for:
- Microsoft Defender for Cloud: Secure Score, regulatory compliance dashboard, recommendations, workload protection plans
- Microsoft Sentinel: workspace design, data connectors, KQL hunting, analytics rules, incidents, playbooks (Logic Apps), workbooks
- Microsoft Defender XDR integration
- Azure Monitor + Log Analytics: alerts, action groups, automated remediation
- Policy as code: Azure Policy for security, Defender plans, baseline configurations
- Incident response: runbooks, evidence collection, post-incident review
What Makes AZ-500 Hard
- KQL is implicitly required. Sentinel and Log Analytics questions assume basic KQL fluency.
- Conditional Access scenarios are dense. Multi-condition policies with exclusions are tested with realistic complexity.
- Key Vault nuances. Access policies vs. RBAC, soft delete vs. purge protection, vault vs. HSM — high-yield distinctions.
- Sentinel workspace design. Workspace scope, retention, cost model — questions often hide cost-optimization clues.
- Hybrid identity topology. Each authentication method (PHS, PTA, federation) has different trade-offs and failure modes.
Recommended 10–14 Week Study Plan
Weeks 1–3: Identity and Access
- Entra ID deep dive (users, groups, AUs, B2B)
- Conditional Access scenarios and edge cases
- PIM, Identity Protection, access reviews
- Hybrid identity topologies and Entra Connect
Weeks 4–5: Networking
- Azure Firewall, NSG, ASG, Bastion
- Private Link and private endpoints
- WAF policies and Front Door security
Weeks 6–7: Workload Security
- Disk and storage encryption, customer-managed keys
- Key Vault deep dive (access policies, RBAC, certificates, rotation)
- AKS security and Defender for Containers
- Azure SQL security (TDE, Always Encrypted, masking)
Weeks 8–10: Security Operations
- Defender for Cloud (Secure Score, Defender plans, compliance)
- Microsoft Sentinel end-to-end (connectors → analytics rules → incidents → playbooks)
- KQL basics through intermediate
- Azure Policy for security baselines
Weeks 11–14: Mock Exams and Review
- 3+ full-length mocks from Sailor.sh’s AZ-500 mock exam bundle
- Build a Sentinel workspace from scratch, ingest one connector, write one analytics rule, and trigger a playbook
- Targeted re-study on weak domains
Must-Build Hands-On Skills
Before booking, build these in real Azure subscriptions:
- Conditional Access policy that requires MFA for risky sign-ins, with exclusions for break-glass accounts
- PIM eligible role assignment with approval workflow and access review
- Key Vault with soft delete + purge protection, RBAC, and managed-identity access from a VM
- Storage account with private endpoint, CMK, and no public access
- Azure Firewall policy in a hub VNet with application and network rule collections
- Sentinel workspace with at least one connector, one analytics rule, and one playbook
- Defender for Cloud Secure Score review, with at least three remediations applied
Salary Impact
AZ-500 is one of the highest-ROI security certifications:
- US average: $115K–$160K for “Azure Security Engineer + AZ-500”
- UK average: £65K–£100K
- India average: ₹14L–₹32L
The salary bump is especially strong when paired with CISSP or CompTIA Security+ — Azure-specific depth plus broad security credentialing is a competitive combination.
AZ-500 vs. Other Security Certifications
| Certification | Scope | Format | Difficulty |
|---|---|---|---|
| AZ-500 | Azure-specific security | MCQ + scenarios | Hard |
| AWS Security Specialty | AWS-specific security | MCQ + scenarios | Hard |
| CompTIA Security+ | General security fundamentals | MCQ + PBQ | Medium |
| CISSP | Enterprise security management | MCQ | Hard |
| SC-200 | Microsoft security operations (Sentinel/Defender) | MCQ | Medium-Hard |
| SC-100 | Security Architect Expert | MCQ | Hard |
AZ-500 sits between SC-200 (more SecOps-focused) and SC-100 (architect-focused). It’s the most hands-on of the three.
Most Common Reasons People Fail AZ-500
- Weak KQL. Even basic queries trip up candidates who only studied conceptually.
- Underestimating Sentinel. “Sentinel is just SIEM” is too simplistic — exam scenarios test design, ingestion costs, and playbook workflows.
- Conditional Access oversimplification. Real-world CA policies have exclusions, session controls, and authentication contexts. Practice with multi-condition scenarios.
- Key Vault access policy vs. RBAC confusion. Know when each applies and the migration story.
- Treating AZ-500 like AZ-104. Identity and security ops are 50%+ of AZ-500; admin topics are only background.
After You Pass
Strong next steps:
- SC-100 (Security Architect Expert): complete the Microsoft security architect pathway
- CISSP: broader, vendor-neutral security credibility
- AWS Security Specialty: cross-cloud security depth
- AZ-305: add the Solutions Architect Expert designation
- KCSA and CKS: for container-heavy security roles
Frequently Asked Questions
Q: Do I need AZ-104 before AZ-500? A: No, it’s not required. But you should know Azure administration fundamentals (VNets, NSGs, RBAC). AZ-104 first is the smoothest path.
Q: How hard is AZ-500? A: Hard. The identity and security operations domains are dense, and KQL fluency is implicitly required.
Q: How long to prepare for AZ-500? A: 10–14 weeks for working security or cloud professionals. 16+ weeks if you’re newer to security or Azure.
Q: Will I need to write KQL on the exam? A: You’ll likely need to read and choose the correct KQL query. You’re rarely asked to write one from scratch, but enough exposure to recognize syntax and intent is essential.
Q: Is AZ-500 worth it in 2026? A: Yes. Cloud security roles are growing faster than overall cloud roles, and AZ-500 is the headline Microsoft credential.
Q: Do I need to learn Microsoft Sentinel deeply? A: Yes. Sentinel topics are central to the Security Operations domain and appear repeatedly.
Ready to Start?
AZ-500 rewards depth across identity, networking, workload protection, and security operations — plus hands-on muscle memory in Key Vault, Conditional Access, and Sentinel. The candidates who pass first time spend 10–14 weeks combining the official Microsoft Learn path with realistic, exam-format practice.
Take a free AZ-500 practice test on Sailor.sh to find your weakest domain, then work the AZ-500 mock exam bundle until you consistently score 80%+ across every domain.