As I’ve mentioned in the previous preparation guides for Microsoft’s security and compliance exams, they target candidates who have broad exposure across both Azure and Microsoft 365 technologies. If you look at the weighting of this exam, 65-75% of it could be categorised as mostly Azure related, while only 25-30% of the exam is Microsoft 365 focused. What does this mean for those of you planning on taking this exam?

If you are starting your exam preparation already having exposure to Azure Defender, Azure Security Center, Sentinel, Log Analytics, Kusto Query Language and Logic Apps, as well as an understanding of other related Azure services, you are going to be in pretty good shape to fill in the Microsoft 365 Defender gaps and pass the exam. However, the opposite is also true – if you’ve only been working with the Microsoft 365 Defender components, there is going to be a lot of study and learning required to have a good chance of passing on your first attempt.

The good news is that regardless of which of these categories you fall under, the exam doesn’t expect you to have a deep understanding of the workloads that you are trying to protect. Instead it focuses on the skills and tools needed to detect, investigate and respond to threats, not on how to remediate the underlying issues that might be identified on a workload by workload basis. This is where this exam is quite different from exams such as MS-500 and AZ-500, as they expect you to know the workloads you are trying to protect as well as how to protect them.

This means that candidates for this exam get a very different recommendation from me versus those targeting one of the 500 series exams just mentioned. I usually don’t recommend those as someone’s first exam, as they tend to reward those who have done other exams in the lead up to them. In the case of MS-500, for example, I highly recommend that someone has already passed MS-100, MS-101 and MD-101, as those exams have traditionally done a good job of covering a great deal of content that overlaps with MS-500.

Now, if you’ve already passed MS-500 and AZ-500, this exam is an excellent choice as your next one, because there will be some overlap in the technologies. Expect this exam to go much deeper into the Defender family of technologies, and it also goes deeper into Sentinel than you will have seen on previous exams. You will definitely need to spend some time with Kusto and Log Analytics, not just for the Sentinel portion of the exam, but for Azure Defender as well.

Mitigate threats using Microsoft 365 Defender (25-30%)

Detect, investigate, respond, and remediate threats to the productivity environment by using Microsoft Defender for Office 365

Detect, investigate, respond, and remediate endpoint threats by using Microsoft Defender for Endpoint

Detect, investigate, respond, and remediate identity threats

Detect, investigate, respond, and remediate application threats

Manage cross-domain investigations in the Microsoft 365 Defender portal

Mitigate threats using Azure Defender (25-30%)

Design and configure an Azure Defender implementation

Plan and implement the use of data connectors for ingestion of data sources in Azure Defender

Manage Azure Defender alert rules

Configure automation and remediation

Investigate Azure Defender alerts and incidents

Mitigate threats using Azure Sentinel (40-45%)

Design and configure an Azure Sentinel workspace

Plan and implement the use of data connectors for ingestion of data sources in Azure Sentinel

Manage Azure Sentinel analytics rules

Configure Security Orchestration Automation and Response (SOAR) in Azure Sentinel

Manage Azure Sentinel incidents

Use Azure Sentinel workbooks to analyze and interpret data

Hunt for threats using the Azure Sentinel portal