The AZ-500 exam description has just had a minor revision that shouldn’t have an impact on the preparation that you need to do, instead just keep focused on the weaknesses you have identified and are working on addressing. If you are starting your preparation from scratch, following are some examples of guidance for how you should focus your preparation.

If you are already familiar with Azure Active Directory (AAD) Premium P2 functionality, whether through Azure of through Microsoft 365 related services, you should be in pretty good shape for this exam. There is an exception here though – make sure you spend extra time in the managing application access section, this isn’t something you may have had exposure to. If you don’t have much AAD experience, then you will need to spend time here understanding the capabilities of AAD Premium P2, not just the free edition that’s included with Azure subscriptions by default.

If you are approaching this exam with a fairly solid understanding of networking concepts including subnets, routing, appliances etc. you are off to a strong start with the advanced network security section. The most important thing here is for you to understand how the Azure native versions of the services may differ from those of other solutions from other vendors. If you don’t have much or any networking in your prior experiences, make sure you spend some time going through some basics of TCP/IP and networking including what’s mentioned earlier in this paragraph, and then focus on the technologies in the exam objectives.

During the early days of this exam, understanding how to protect Azure virtual machines worked would have covered you quite well in the advanced security for compute section, but now you can’t just know what acronyms like ACI, ACR, AKS etc. stand for, you also need to how to secure them, including their networking configuration. At this stage it’s most likely you’re familiar with these container related technologies if you have Linux experience, but over the last few years I’ve seen more Windows centric exam takers having some exposure to these technologies as well.

The final thing here is to make sure you have an understanding of what’s in Azure Security Center, and the additional features you get when you move up to Azure Defender capabilities for the different workloads. Use the additional workload protections to help drive your understanding of the workloads that you aren’t familiar with.

The examples I’ve just provided don’t cover all of the different combinations of exam preparation scenarios based on your skills, but hopefully they give you some idea of what I see catch people out.

Manage identity and access (30-35%)

Manage Azure Active Directory identities 

• Configure security for service principals
  • Application and service principal objects in Azure Active Directory  
• Manage Azure AD directory groups 
  • Access with Azure Active Directory groups  
• Manage Azure AD users
  • Add or delete users using Azure Active Directory  
• Configure password writeback
  • Tutorial: Enable Azure Active Directory self-service password reset writeback to an on-premises environment  
• Configure authentication methods including password hash and Pass Through Authentication (PTA), OAuth, and passwordless
  • Authentication vs authorization
  • What is password hash synchronization with Azure AD?   
  • User sign-in with Azure Active Directory Pass-through Authentication   
  • Passwordless authentication options for Azure Active Directory   
• Transfer Azure subscriptions between Azure AD tenants
  • Transfer billing ownership of an Azure subscription to another account  
  • Associate or add an Azure subscription to your Azure Active Directory tenant  

Configure secure access by using Azure AD

• Monitor privileged access for Azure AD Privileged Identity Management (PIM)
  • Configure security alerts for Azure AD roles in Privileged Identity Management   
• Configure Access Reviews
  • Create an access review of Azure AD roles in Privileged Identity Management  
• Configure PIM 
  • Deploy Azure AD Privileged Identity Management (PIM)  
• Implement Conditional Access policies including Multi-Factor Authentication 
  • Secure Azure Active Directory users with Multi-Factor Authentication
  • Configure Azure Multi-Factor Authentication settings
• Configure Azure AD identity protection
  • What is Azure Active Directory Identity Protection?

Manage application access

• Create App Registration
  • QuickStart: Register an application with the Microsoft identity platform  
• Configure App Registration permission scopes
  • Permissions and consent in the Microsoft identity platform endpoint
• Manage App Registration permission consent
  • Configure how end-users consent to applications
• Manage API access to Azure subscriptions and resources
  • Get access on behalf of a user
  • Authentication flows and application scenarios

Manage access control

• Configure subscription and resource permissions
  • Elevate access to manage all Azure subscriptions and management groups  
  • Add or change Azure subscription administrators  
  • Lock resources to prevent unexpected changes
• Configure resource group permissions
  • What is Azure role-based access control (Azure RBAC)?
• Configure custom RBAC roles
  • Create Custom Roles
• Identify the appropriate role
  • Azure Built-in Roles
• Apply principle of least privilege
  • Best practices for Azure RBAC
• Interpret permissions
  • Quickstart: View the access a user has to Azure resources  
• Check access
  • List Azure role definitions  
  • List Azure role assignments using the Azure portal  

Implement platform protection (15-20%)

Implement advanced network security

• Secure the connectivity of virtual networks (VPN authentication, Express Route encryption)
  • VPN Gateway design  
  • ExpressRoute encryption  
  • About Point-to-Site VPN  
  • Create a Site-to-Site connection in the Azure portal  
  • Configure virtual network connectivity
• Configure Network Security Groups (NSGs) and Application Security Groups (ASGs)
  • Network security groups  
  • Create, change, or delete a network security group
  • Tutorial: Filter network traffic with a network security group using the Azure portal  
  • Application security groups  
• Create and configure Azure Firewall 
  • Tutorial: Deploy and configure Azure Firewall using the Azure portal
  • Tutorial: Deploy and configure Azure Firewall in a hybrid network using the Azure portal
• Implement Azure Firewall Manager
  • Secure virtual hub – ARM template
  • General deployment process
• Configure Azure Front Door service as an Application Gateway
  • Quickstart: Create a Front Door for a highly available global web application
  • Encrypt network traffic end to end with Azure Application Gateway
• Configure a Web Application Firewall (WAF) on Azure Application Gateway
  • Azure Web Application Firewall on Azure Application Gateway
• Configure Azure Bastion
  • Bastion and VNet peering
  • Quickstart: Connect to a virtual machine using a private IP address and Azure Bastion
• Configure a firewall on a storage account, Azure SQL, KeyVault, or App Service
  • Azure SQL Database and Azure Synapse IP firewall rules
  • Configure Azure Storage firewalls and virtual networks
  • Access Azure Key Vault behind a firewall
• Implement Service Endpoints
  • Virtual Network service endpoints
  • Tutorial: Restrict network access to PaaS resources with virtual network service endpoints using the Azure portal
  • Create, change, or delete service endpoint policy using the Azure portal
  • Use private endpoints for Azure Storage
  • Quickstart: Create a Private Endpoint using Azure portal
• Implement DDoS Protection
  • Azure DDoS Protection Standard overview

Configure advanced security for compute

• Configure endpoint protection 
  • Feature coverage for machines
  • Security management in Azure
  • Microsoft Antimalware for Azure Cloud Services and Virtual Machines
• Configure and monitor system updates for VMs
  • Manage updates and patches for your Azure VMs
  • Manage updates for multiple VMs
  • Keep your virtual machines updated
  • Security best practices for IaaS workloads in Azure
• Configure authentication for Azure Container Registry
  • How to use managed identities with Azure Container Instances
  • Authenticate with an Azure container registry
• Configure security for different types of containers
  • Container Security in Azure
• Implement vulnerability management
  • Vulnerability assessments for your Azure Virtual Machines
  • Integrated vulnerability scanner for virtual machines (Standard tier only)
• Configure isolation for AKS
  • Security concepts for applications and clusters in Azure Kubernetes Service (AKS)
  • Best practices for cluster isolation in Azure Kubernetes Service (AKS)
• Configure security for container registry
  • Authenticate with an Azure container registry
• Implement Azure Disk Encryption
  • Azure Disk Encryption for Windows VMs
• Configure authentication and security for Azure App Service
  • Security in Azure App Service
  • Authentication and authorization in Azure App Service and Azure Functions
  • OS and runtime patching in Azure App Service
• Configure SSL/TLS certs
  • Add a TLS/SSL certificate in Azure App Service
  • Secure a custom DNS name with a TLS/SSL binding in Azure App Service
• Configure authentication for Azure Kubernetes Service
  • Service principals with Azure Kubernetes Service (AKS)
  • Integrate Azure Active Directory with Azure Kubernetes Service  
  • Use managed identities in Azure Kubernetes Service 
• Configure automatic updates
  • Update containers in Azure Container Instances

Manage security operations (25-30%)

Monitor security by using Azure Monitor

• Create and customize alerts
  • Create, view, and manage log alerts using Azure Monitor
  • Create, view, and manage metric alerts using Azure Monitor
• Monitor logs by using Azure Monitor 
  • Tutorial: Get started with Log Analytics queries
  • Get started with log queries in Azure Monitor
• Configure diagnostic logging and log retention
  • Create diagnostic setting to collect resource logs and metrics in Azure
  • Overview of Azure platform logs

Monitor security by using Azure Security Center

• Create and customize alerts
  • Security alerts in Azure Security Center
  • Manage and respond to security alerts in Azure Security Center
• Evaluate vulnerability scans from Azure Security Center
  • Vulnerability assessments for your Azure Virtual Machines
  • Integrated vulnerability scanner for virtual machines (Standard tier only)
• Configure Just in Time VM access by using Azure Security Center
  • Secure your management ports with just-in-time access
• Configure centralized policy management by using Azure Security Center
  • Working with security policies
  • Azure security policies monitored by Security Center
• Configure compliance policies and evaluate for compliance by using Azure Security Center
  • Tutorial: Improve your regulatory compliance

Monitor security by using Azure Sentinel

• Create and customize alerts
  • Automatically create incidents from Microsoft security alerts
  • Tutorial: Create custom analytic rules to detect suspicious threats
  • Quickstart: Get started with Azure Sentinel
• Configure data sources to Azure Sentinel
  • Connect data sources
• Evaluate results from Azure Sentinel
  • Tutorial: Visualize and monitor your data
  • Tutorial: Investigate incidents with Azure Sentinel
• Configure a playbook
  • Tutorial: Set up automated threat responses in Azure Sentinel

Configure security policies

• Configure security settings by using Azure Policy
  • Tutorial: Create and manage policies to enforce compliance
  • Tutorial: Create a custom policy definition
  • Integrate Azure Key Vault with Azure Policy
• Configure security settings by using Azure Blueprint
  • What is Azure Blueprint?
  • Overview of the Azure Security Benchmark blueprint sample
  • Tutorial: Create an environment from a blueprint sample

Secure data and applications (20-25%)

Configure security for storage

• Configure access control for storage accounts
  • Authorizing access to data in Azure Storage
• Configure key management for storage accounts
  • Manage storage account access keys
  • Use the Azure portal to access blob or queue data
• Configure Azure AD authentication for Azure Storage
  • Authorize access to blobs and queues using Azure Active Directory
  • Acquire a token from Azure AD for authorizing requests from a client application
• Configure Azure AD Domain Services authentication for Azure Files
  • Overview – on-premises Active Directory Domain Services authentication over SMB for Azure file shares
  • Enable Azure Active Directory Domain Services authentication on Azure Files
• Create and manage Shared Access Signatures (SAS)
  • Grant limited access to Azure Storage resources using shared access signatures
• Create a shared access policy for a blob or blob container
  • Security recommendations for Blob storage
• Configure Storage Service Encryption
  • Azure Storage encryption for data at rest
  • Configure customer-managed keys with Azure Key Vault by using the Azure portal
• Configure Azure Defender for Storage
  • Configure Azure Defender for threat protection

Configure security for databases

• Enable database authentication
  • Use Azure Active Directory authentication
  • Configure and manage Azure AD authentication with Azure SQL
• Enable database auditing
  • Auditing for Azure SQL Database and Azure Synapse Analytics
• Configure Azure Defender for SQL
  • Use Azure Defender for SQL
  • Advanced Threat Protection for Azure SQL Database, SQL Managed Instance, and Azure Synapse Analytics
• Implement database encryption
  • Tutorial: Secure a database in Azure SQL Database
  • Transparent Data Encryption
• Implement Azure SQL Database Always Encrypted
  • Always Encrypted
  • Overview of key management for Always Encrypted
  • Configure Always Encrypted by using Azure Key Vault

Configure and manage Key Vault

• Manage access to Key Vault
  • Azure Key Vault security
  • Secure access to a key vault
• Manage permissions to secrets, certificates, and keys
  • Provide Key Vault authentication with a managed identity
• Configure RBAC usage in Azure Key Vault
  • Azure Policy built-in policy definitions for Key Vault
• Manage certificates
  • Tutorial: Import a certificate in Azure Key Vault
• Manage secrets
  • About Azure Key Vault secrets
• Configure key rotation
  • About Azure Key Vault keys
  • Set up Azure Key Vault with key rotation and auditing
  • Tutorial: Configure certificate autorotation in Key Vault
  • Automate the rotation of a secret for resources that use single-user/single-password authentication
• Backup and restore of Key Vault items
  • Azure Key Vault soft-delete overview
• Configure Azure Defender for Key Vault
  • Azure Defender for Key Vault