A few years ago, Microsoft had a certificate known as MCSE or Microsoft Certified Systems Engineer. However, this certificate has been retired back in late January 2021.
Why is this retired certificate important? It's because now Microsoft has divided the MCSE certificate into three exams which are AZ-104 Administrator Associate, AZ-500 Security Engineer and AZ-305 Solutions Architect. If you pass all these three certificates, you are a certified Cloud Engineer.
In this article, we will discuss how to pass the Azure Security Engineer exam or AZ-500. Based on Microsoft, the exam name is Exam AZ-500: Microsoft Azure Security Technologies.
Why is getting AZ-500 Security Engineer certified so important?
The AZ-500 certificate is important to show to your potential employer that you have the necessary requirements to be a cloud engineer.
It is recommended to take Exam AZ-500 if you have passed Exam AZ104. As both certificates are on the same level, which is the Associate level, you will get familiar with the exams and can prepare well.
Once you pass both exams, then you can move to the expert certificate, which is Exam AZ-305, to be certified as an Azure Solutions Architect.
The role of Azure Security Engineer is responsible for securing the Azure environment, identifying and remediating vulnerabilities, performing threat modelling, and implementing threat protection. They may also participate in responding to security incidents.
AZ-500 Exam Overview:
The AZ-500 exam measures the skills of the test taker in managing identity and access, implementing platform protection, managing security operations, and securing data and applications.
- Associate level (No prerequisite).
- The certification is valid for one year.
- The cost is $165 for the United States or ₹4800 INR for India or £113 for the United Kingdom (The cost varies depending on where your country is and you can check the exam cost here)
- The exam duration is 120 minutes (Has lab questions which will discuss further in the article).
- The number of questions ranges between 45 to 60 questions.
- The format of questions is multiple-choice or multiple responses, including drag and drop.
- The passing score is 700. This exam is scaled between 1 to 1000 so 700 marks may not equal 70% of the points.
- To schedule the exam, you can go to this link and click on the yellow ‘Schedule Exam’ button and it will redirect you to the Microsoft certification dashboard. You may choose to take the exam in the nearest exam center or by online proctored exam.
- The exam is available to take in these languages:
English, Japanese, Chinese (Simplified), Korean, German, French, Spanish, Portuguese (Brazil), Arabic (Saudi Arabia), Russian, Chinese (Traditional), Italian, Indonesian (Indonesia)
AZ-500 Exam Content:
A) Manage identity and access (25–30%)
i) Manage identities in Azure AD
- Secure users in Azure AD
- Secure directory groups in Azure AD
- Recommend when to use external identities
- Secure external identities
- Implement Azure AD Identity Protection
ii) Manage authentication by using Azure AD
- Configure Microsoft Entra Verified ID
- Implement multi-factor authentication (MFA)
- Implement passwordless authentication
- Implement password protection
- Implement single sign-on (SSO)
- Integrate single sign on (SSO) and identity providers
- Recommend and enforce modern authentication protocols
iii) Manage authorization by using Azure AD
- Configure Azure role permissions for management groups, subscriptions, resource groups, and resources
- Assign built-in roles in Azure AD
- Assign built-in roles in Azure
- Create and assign custom roles, including Azure roles and Azure AD roles
- Implement and manage Microsoft Entra Permissions Management
- Configure Azure AD Privileged Identity Management (PIM)
- Configure role management and access reviews by using Microsoft Entra Identity Governance
- Implement Conditional Access policies
iv) Manage application access in Azure AD
- Manage access to enterprise applications in Azure AD, including OAuth permission grants
- Manage app registrations in Azure AD
- Configure app registration permission scopes
- Manage app registration permission consent
- Manage and use service principals
- Manage managed identities for Azure resources
- Recommend when to use and configure authentication for an Azure AD Application Proxy
B) Secure networking (20–25%)
i) Plan and implement security for virtual networks
- Plan and implement Network Security Groups (NSGs) and Application Security Groups (ASGs)
- Plan and implement user-defined routes (UDRs)
- Plan and implement VNET peering or VPN gateway
- Plan and implement Virtual WAN, including secured virtual hub
- Secure VPN connectivity, including point-to-site and site-to-site
- Implement encryption over ExpressRoute
- Configure firewall settings on PaaS resources
- Monitor network security by using Network Watcher, including NSG flow logging
ii) Plan and implement security for private access to Azure resources
- Plan and implement virtual network Service Endpoints
- Plan and implement Private Endpoints
- Plan and implement Private Link services
- Plan and implement network integration for Azure App Service and Azure Functions
- Plan and implement network security configurations for an App Service Environment (ASE)
- Plan and implement network security configurations for an Azure SQL Managed Instance
iii) Plan and implement security for private access to Azure resources
- Plan and implement TLS to applications, including Azure App Service and API Management
- Plan, implement, and manage an Azure Firewall, including Azure Firewall Manager and firewall policies
- Plan and implement an Azure Application Gateway
- Plan and implement an Azure Front Door, including Content Delivery Network (CDN)
- Plan and implement a Web Application Firewall (WAF)
- Recommend when to use Azure DDoS Protection Standard
C) Secure compute, storage, and databases (20–25%)
i) Plan and implement advanced security for compute
- Plan and implement remote access to public endpoints, including Azure Bastion and JIT
- Configure network isolation for Azure Kubernetes Service (AKS)
- Secure and monitor AKS
- Configure authentication for AKS
- Configure security monitoring for Azure Container Instances (ACIs)
- Configure security monitoring for Azure Container Apps (ACAs)
- Manage access to Azure Container Registry (ACR)
- Configure disk encryption, including Azure Disk Encryption (ADE), encryption as host, and confidential disk encryption
ii) Plan and implement security for storage
- Configure access control for storage accounts
- Manage life cycle for storage account access keys
- Select and configure an appropriate method for access to Azure Files
- Select and configure an appropriate method for access to Azure Blob Storage
- Select and configure an appropriate method for access to Azure Tables
- Select and configure an appropriate method for access to Azure Queues
- Select and configure appropriate methods for protecting against data security threats, including soft delete, backups, versioning, and immutable storage
- Configure Bring your own key (BYOK)
- Enable double encryption at the Azure Storage infrastructure level
iii) Plan and implement security for Azure SQL Database and Azure SQL Managed Instance
- Enable database authentication by using Microsoft Azure Active Directory (Azure AD), part of Microsoft Entra
- Enable database auditing
- Identify use cases for the Microsoft Purview governance portal
- Implement data classification of sensitive information by using the Microsoft Purview governance portal
- Plan and implement dynamic masking
- Implement Transparent Database Encryption (TDE)
- Recommend when to use Azure SQL Database Always Encrypted
D) Manage security operations (25–30%)
i) Plan, implement, and manage governance for security
- Create, assign, and interpret security policies and initiatives in Azure Policy
- Configure security settings by using Azure Blueprint
- Deploy secure infrastructures by using a landing zone
- Create and configure an Azure Key Vault
- Recommend when to use a Dedicated HSM
- Configure access to Key Vault, including vault access policies and Azure Role Based Access Contro
- Manage certificates, secrets, and keys
- Configure key rotation
- Configure backup and recovery of certificates, secrets, and keys
ii) Manage security posture by using Microsoft Defender for Cloud
- Identify and remediate security risks by using the Microsoft Defender for Cloud Secure Score and Inventory
- Assess compliance against security frameworks and Microsoft Defender for Cloud
- Add industry and regulatory standards to Microsoft Defender for Cloud
- Add custom initiatives to Microsoft Defender for Cloud
- Connect hybrid cloud and multi-cloud environments to Microsoft Defender for Cloud
- Identify and monitor external assets by using Microsoft Defender External Attack Surface Management
iii) Configure and manage threat protection by using Microsoft Defender for Cloud
- Enable workload protection services in Microsoft Defender for Cloud, including Microsoft Defender for Storage, Databases, Containers, App Service, Key Vault, Resource Manager, and DNS
- Configure Microsoft Defender for Servers
- Configure Microsoft Defender for Azure SQL Database
- Manage and respond to security alerts in Microsoft Defender for Cloud
- Configure workflow automation by using Microsoft Defender for Cloud
- Evaluate vulnerability scans from Microsoft Defender for Server
iv) Configure and manage security monitoring and automation solutions
- Monitor security events by using Azure Monitor
- Configure data connectors in Microsoft Sentinel
- Create and customise analytics rules in Microsoft Sentinel
- Evaluate alerts and incidents in Microsoft Sentinel
- Configure automation in Microsoft Sentinel
The Exam Questions
The exam questions consist of multiple answers or multiple choices and include lab questions. For the lab questions, the test-taker is required to sign into Azure and complete the task given by Microsoft during the exam.
From my experience, I was given ten tasks to complete and most of the tasks are simple and straightforward. For example, I was given a task to create a user in Azure Active Directory and assigned a role to the user.
For exam purposes, Microsoft will provide you with an Azure account with a subscription and they will provide you with the login credentials as well. When I took the exam, the lab questions were assigned as the last section, so you need to allocate some time for the lab questions.
Before we move to the next section, I would like to inform you that some test-takers did not get any lab questions for Exam AZ-500. However, it's best to prepare for the lab questions just in case you will get them.
How to Prepare for Exam AZ-500:
Using courses Udemy will definitely help any motivated test-taker to pass Exam AZ-500: Microsoft Azure Security Technologies and be the certified Azure Security Engineer.
Udemy | AZ-500 Microsoft Azure Security Technologies Exam Prep 2022
This 6.5-hour long course covers around 85% of the Microsoft Learn syllabus for Exam AZ-500. Microsoft Learn is a self-paced online learning provided by Microsoft for free and it offers a structured exam syllabus for the test-taker.
Scott Duffy who is the instructor for this course expertly explained the required skills to know to pass the exam. He is consistently updating this course based on Microsoft Learn.
In this course, you will learn how to secure access and identity through Azure Active Directory, how to implement advanced network security via multiple Azure network services, and how to manage and monitor threat protection.
At the end of each lecture, you will have hands-on labs which are beneficial to prepare you for the lab questions.
This ultimate course will prepare you for the exam and gives you the confidence and skills to pass the exam with flying colours.
Udemy | [NEW] AZ-500: Azure Security Technologies Exam 2023
This course offers five practice exam sets that cover 315 exam questions. Each practice set has 63 questions and will test your understanding of each exam topic.
These practice sets will help you to prepare for the real exam questions. After each practice set, every question and answer will be explained thoroughly so that you will learn and overcome any weakness in any exam topic.
I have bought this course and it's tremendously helpful in passing my Exam AZ-500 with high marks.
It is highly recommended to do practice sets a week before your exam after you have completed your Exam AZ-500 course.
How to Renew AZ-500
For AZ-500 exam renewal, you will receive a reminder email from Microsoft six months before the certificate expires. The passing mark for renewal is only 57% and it's an open-book assessment.
If you revise through Microsoft Learn, it will not be difficult to pass on the first attempt. However, do not fret if you are unable to pass for the first time, as you can try unlimited attempts to pass. But, be sure you renew before the certificate expires as then you will need to pay again to re-certify.
Conclusion:
Always practice, practice and practice till you make it. Allocate at least 15 hours for your exam preparation. Keep studying and revising until you understand and master the skills.
I hope this article will provide you with clearer guidance on how to pass Exam AZ-500. I wish the best of luck to all of you and may you pass with the flying colours!
