Microsoft Azure Exam AZ-500 Study Guide

AZ-500 is the latest Microsoft Azure exam I have sat and passed. I have received a number of messages asking when I would create a study guide for it, so here it is!

It is a complete security-focused exam from Azure that measures your ability to complete the following tasks: manage identity and access, implement platform protection, manage security operations, and secure data and applications.

Snippet below taken from

Candidates for this exam are Microsoft Azure security engineers who implement security controls, maintain the security posture, manage identity and access, and protect data, applications, and networks. Candidates identify and remediate vulnerabilities by using a variety of security tools, implement threat protection, and respond to security incident escalations. As a Microsoft Azure security engineer, candidates often serve as part of a larger team dedicated to cloud-based management and security and may also secure hybrid environments as part of an end-to-end infrastructure.

Candidates for this exam should have strong skills in scripting and automation, a deep understanding of networking, virtualization, and cloud N-tier architecture, and a strong familiarity with cloud capabilities, Microsoft Azure products and services, and other Microsoft products and services.

Exam topics covered:-

  • Manage identity and access (20-25%)
  • Implement platform protection (35-40%)
  • Manage Security Operations (15-20%)
  • Secure data and applications (30-35%)

That is a broad range of topics. Later in my blog I will include a list of the study notes I used to prepare in each area, including additional links that I think will be relevant.

Knowing the topics is one thing; knowing how to apply them in specific scenarios is another! Unfamiliar with a specific topic or area? I recommend deploying each resource into Azure, viewing the settings and looking at why it may be deployed over a similar resource. Read my blog on Microsoft Azure:- Exam Preparation Tips

A general understanding of the following areas is highly recommended:

  • Azure Portal
  • Azure CLI
  • PowerShell
  • ARM Templates
  • Networking
  • Security Concepts

Study Notes

Manage identity and access (20-25%)

Configure Microsoft Azure Active Directory for workloads

Create Identity for Azure App in Portal
Register an Application with Microsoft Identity
Use an app identity to access resources
Register an Application Azure B2C
Manage App Registration and API permission
Walkthrough: Register an App with Azure AD
Connect your app to Azure AD
Azure Multi-Factor Authentication:- How it Works
Planning a cloud-based Azure Multi-Factor Authentication deployment
Create a basic Azure AD Group
Azure AD Users, Groups, Roles
Azure AD Add or Delete Users
What is Azure AD connect?
Azure AD Connect: Accounts and permissions
Azure AD Conditional Access Documentation
Best practices for Conditional Access in Azure Active Directory
Azure AD Identity Protection
Azure AD Identity Access Management

Configure Microsoft Azure AD Privileged Identity Management

What is Azure AD Privileged Identity Management?
Deploy Azure AD PIM
Azure AD Roles in PIM
Create an access review of Azure AD roles in PIM
Review access to Azure AD roles in PIM
Activate my AD Roles in PIM

Configure Microsoft Azure tenant security

Transfer billing ownership of an Azure subscription to another account
Associate or add an Azure subscription to your Azure Active Directory tenant
Add or change Azure subscription administrators
Use Resource Manager authentication API to access subscriptions
Manage access to Azure resources using RBAC and the Azure portal

Implement platform protection (35-40%)

Implement network security

Configure a VNet-to-VNet VPN gateway connection by using the Azure portal
Configure a VNet-to-VNet VPN gateway connection using PowerShell
Virtual Network Peering
Plan Virtual Networks
NSGs & ASGs Simplified
Network Security Groups: 10 Suggestions For Best Practice! 
Azure Security Groups
Enable Network Security Groups in Azure Security Center
What is Azure Firewall?
Azure Firewall documentation
Deploy and configure Azure Firewall using the Azure portal
Monitor Azure Firewall logs and metrics
Manage Remote Access
Security Baseline Tools in Azure
What is baseline policies?

Implement host security

Azure Endpoint Protection
Manage endpoint protection issues with Azure Security Center
Endpoint Protection and Azure VMs
Azure Virtual Machines security overview
Harden Your Azure Infrastructure Using Azure Security Center Just-In-Time VM Access
Manage Windows updates by using Azure Automation

Configure container security

Create a virtual network using the Azure portal
Configure your App Service app to use Azure Active Directory sign-in
Authenticate and authorize users end-to-end in Azure App Service
How to configure your App Service application to use Microsoft Account login
Authentication and authorization in Azure App Service
What is Azure Container Instances?
Isolation in Azure Public Cloud?
AKS Best Practices
AKS Security Features
Security considerations for Azure Container Instances
Integrated Vulnerability Assessment with Azure Security Center
Vulnerability assessment in Azure Security Center
Protecting your machines and applications in Azure Security Center

Implement Microsoft Azure Resource management security

Lock Resources To Prevent Unexpected Changes 
What Is Role-Based Access Control (RBAC) For Azure Resources? 
Manage Access To Azure Resources Using RBAC And The Azure Portal
RBAC For Azure Resources
Understand RBAC Roles
View Roles Per User
Overview of Azure Policy
Create and manage policies to enforce compliance
Index of Azure Policy Examples
Working with Security Policies
Create a custom policy definition
Add or change Azure subscription administrators

Manage security operations (15-20%)

Configure security services

Azure Monitor – Taking the Logging and alerting deployment from ARM To PowerShell
Get Started with Azure Monitor
Azure Monitor Overview
Get started with Log Analytics in Azure Monitor
End-to-end monitoring solutions in Azure for Apps and Infrastructure
Alerting On Log Analytics Data 
Viewing And Analysing Data In Log Analytics 
Overview of log queries in Azure Monitor
Create a Log Analytics workspace in the Azure portal
Collect log data with the Log Analytics agent
Azure Automation Account Logging to Log Analytics using AzureRM
Azure Logging and Auditing

Configure security policies

Create and manage policies to enforce compliance
Index of Azure Policy Examples
Working with Security Policies
Create a custom policy definition
Azure Security Centre Settings
Azure security policies monitored by Security Centre
Manage virtual machine access using just-in-time

Manage security alerts

Metric Alerts With Dynamic Thresholds In Azure Monitor 
Alerting On Log Analytics Data 
Create and manage Action Groups in Azure Portal
Action Groups – What are they?
Create, view, and manage log alerts using Azure Monitor
Using Azure Security Center for an incident response

Secure data and applications (30-35%)

Configure security policies to manage data

What is data classification?
What is Azure Information Protection?
Azure Information Protection
Overview of retention policies
Manage Azure SQL Database long-term backup retention
Data collection, retention and storage in Application Insights
Custom data sovereignty and data gravity requirements
Achieving compliant data residency and security with Azure
Where is your data located

Configure security for data infrastructure

Use Azure Active Directory Authentication for authentication with SQL
Controlling and granting database access to SQL Database and SQL Data Warehouse
Configure and manage Azure Active Directory authentication with SQL
Get started with SQL database auditing
Get started with Azure SQL Database managed instance auditing
Advanced Threat Protection for Azure SQL Database
Azure SQL Database Advanced Threat Protection for single or pooled databases
Azure Storage Security Guide
Authorising access to Azure Storage
Grant access to Azure blob and queue data with RBAC in the Azure portal
Manage storage account keys with Azure Key Vault and the Azure CLI
Getting Started with Shared Access Signatures (SAS)
Grant limited access to Azure Storage resources using shared access signatures (SAS)
Delegate access with a shared access signature
Overview of enterprise security in Azure HDInsight
Configure a HDInsight cluster with Enterprise Security Package by using Azure Active Directory Domain Services
Security in Azure Cosmos DB
Secure Access to Data in Cosmos DB
Access control in Azure Data Lake Storage Gen2

Configure encryption for data at rest

Always Encrypted now generally available in Azure SQL Database
An overview of Azure SQL Database security capabilities
Azure Data Encryption at rest
Transparent data encryption for SQL Database and Data Warehouse
Azure Storage encryption for data at rest
Azure Disk Encryption Overview
Azure Disk Encryption for IaaS VMs FAQ
Back up and restore encrypted Azure VM

Implement security for application delivery

Develop secure cloud applications on Azure
Monitor the availability of any website

Configure application security

Buy and configure an SSL certificate for Azure App Service
Configure App Service with Application Gateway
Best practices for securing PaaS web and mobile applications using Azure App Service
Security Baseline Tools in Azure

Configure and manage Key Vault

Always Encrypted & Azure Key Vault
Securing Your Secrets Using Azure Key Vault And Virtual Machine Identity
Key Vault API
Secure Access to a KeyVault
Grant several applications access to a key vault
Azure Key Vault Security
About keys, secrets, and certificates
Set up Azure Key Vault with key rotation and auditing

