The AZ-500 exam objectives had a major overhaul in February, and next month they receive some minor changes that don’t have an impact on your exam preparation.

Because the changes are so minor next month, it’s better to focus on the changes in the February update. Let’s start by taking a look at what’s been removed, then we can move on to what’s been added.

Most of the removed objectives are focused on virtual machine endpoint protection and security updates. What’s happened here is that the focus has shifted towards protecting VMs with Defender for Servers. There are other items that have been removed but what I found was that they were still covered by other objectives to some degree so aren’t really worth focusing on.

What has been added or expanded is definitely the more interesting topic this time round, and I’ll provide these as a list

• Entra Verfified ID
• Passwordless authentication
• SSO
• Entra Permissions Management
• AAD Application Proxy
• User Defined Routes
• Virtual WAN
• Virtual Secured Hub
• Network Watcher, including NSQ flow logging.
• SQL Managed Instance
• Azure Container Apps
• API Management
• Double Encryption
• Purview
• Dedicated HSM
• Landing Zne
• Defender for Cloud workflow automation
• Defender for Cloud vulnerability scans

As you can see, there are some major additions to previous versions of the exams, so make sure you adjust your study plans to take these into account. Otherwise, continue reading for some other advice on your exam preparation.

If you are already familiar with Azure Active Directory (AAD) Premium P2 functionality, whether through Azure of through Microsoft 365 related services, you should be in pretty good shape for this exam. There is an exception here though – make sure you spend extra time in the managing application access section, this isn’t something you may have had exposure to. If you don’t have much AAD experience, then you will need to spend time here understanding the capabilities of AAD Premium P2, not just the free edition that’s included with Azure subscriptions by default.

If you are approaching this exam with a fairly solid understanding of networking concepts including subnets, routing, appliances etc. you are off to a strong start with the advanced network security section. The most important thing here is for you to understand how the Azure native versions of the services may differ from those of other solutions from other vendors. If you don’t have much or any networking in your prior experiences, make sure you spend some time going through some basics of TCP/IP and networking including what’s mentioned earlier in this paragraph, and then focus on the technologies in the exam objectives.

During the early days of this exam, understanding how to protect Azure virtual machines worked would have covered you quite well in the advanced security for compute section, but now you can’t just know what acronyms like ACI, ACR, AKS etc. stand for, you also need to how to secure them, including their networking configuration. At this stage it’s most likely you’re familiar with these container related technologies if you have Linux experience, but over the last few years I’ve seen more Windows centric exam takers having some exposure to these technologies as well. This update has had some major changes in the container and serverless related objectives so expect to see more questions on those.

The final thing here is to make sure you have an understanding of what’s in Microsoft Defender for Cloud, and the additional features you get when you move up to workload protections in Microsoft Defender for Cloud. Use the additional workload protections to help drive your understanding of the workloads that you aren’t familiar with. Defender for Servers and Defender for SQL do get mentioned specifically, so they are the ones to focus on.

The examples I’ve just provided don’t cover all of the different combinations of exam preparation scenarios based on your skills, but hopefully they give you some idea of what I see catch people out.

Manage identity and access (25-30%)

Manage identities in Azure AD

• Secure users in Azure AD
  • Azure Identity Management and access control security best practices
• Secure directory groups in Azure AD
  • Secure access control using groups in Azure AD
• Recommend when to use external identities
  • Understand the B2B guest user
  • How a B2B guest redeems an invitation
• Secure external identities
  • Create a security plan for external access to resources
• Implement Azure AD Identity Protection
  • What is Azure Active Directory Identity Protection?

Manage authentication by using Azure AD

• Configure Microsoft Entra Verified ID
  • Configure your tenant for Microsoft Entra Verified ID
• Implement multi-factor authentication (MFA)
  • Configure Azure Multi-Factor Authentication settings
  • Secure Azure Active Directory users with Multi-Factor Authentication
• Implement passwordless authentication
  • Plan a passwordless authentication deployment in Azure Active Directory
• Implement password protection
  • Passwordless authentication options for Azure Active Directory
• Implement single sign-on (SSO)
  • Plan a single sign-on deployment
• Integrate single sign on (SSO) and identity providers
  • Use a SAML 2.0 Identity Provider (IdP) for Single Sign On
• Recommend and enforce modern authentication protocols
  • What authentication and verification methods are available in Azure Active Directory?

Manage authorization by using Azure AD

• Configure Azure role permissions for management groups, subscriptions, resource groups, and resources
  • Administrative units
  • Elevate access to manage all Azure subscriptions and management groups  
  • Add or change Azure subscription administrators  
  • What is Azure role-based access control (Azure RBAC)?
• Assign built-in roles in Azure AD
  • Assign directory roles
  • View roles assigned to a group
• Assign built-in roles in Azure
  • Quickstart: View the access a user has to Azure resources  
  • List Azure role definitions  
  • List Azure role assignments using the Azure portal  
  • Best practices for Azure RBAC
  • Lock resources to prevent unexpected changes
• Create and assign custom roles, including Azure roles and Azure AD roles
  • Create Custom Azure Roles
  • Create custom Azure AD roles
• Implement and manage Microsoft Entra Permissions Management
  • Enable Permissions Management in your organization
• Configure Azure AD Privileged Identity Management (PIM)
  • Deploy Azure AD Privileged Identity Management (PIM)  
  • Configure security alerts for Azure AD roles in Privileged Identity Management   
• Configure role management and access reviews by using Microsoft Entra Identity Governance
  • Plan Access review deployment
  • Create an access review of Azure AD roles in Privileged Identity Management  
  • Create an access review of an access package in Azure AD entitlement management
• Implement Conditional Access policies
  • Building a Conditional Access policy

Manage application access in Azure AD

• Manage access to enterprise applications in Azure AD, including OAuth permission grants
  • Build an app using Microsoft identities or social accounts
  • Configure how end-users consent to applications
  • Get access on behalf of a user
  • Authentication flows and application scenarios
• Manage app registrations in Azure AD
  • QuickStart: Register an application with the Microsoft identity platform  
• Configure app registration permission scopes
  • Introduction to permissions and consent
• Manage app registration permission consent
  • Permissions and consent in the Microsoft identity platform endpoint
• Manage and use service principals
  • Application and service principal objects in Azure Active Directory  
• Manage managed identities for Azure resources
  • Managed identity best practice recommendations
  • About managed identities for Azure resources
• Recommend when to use and configure an Azure AD Application Proxy, including authentication
  • How to configure an Application Proxy application

Secure Networking (20-25%)

Plan and implement security for virtual network

• Plan and implement Network Security Groups (NSGs) and Application Security Groups (ASGs)
  • Network security groups  
  • Create, change, or delete a network security group
  • Tutorial: Filter network traffic with a network security group using the Azure portal  
  • Application security groups  
• Plan and implement user-defined routes (UDRs)
  • Custom routes
• Plan and implement VNET peering or VPN gateway
  • About Point-to-Site VPN  
  • Create a Site-to-Site connection in the Azure portal  
  • Configure virtual network connectivity
  • Bastion and VNet peering
• Plan and implement Virtual WAN, including secured virtual hub
  • What is Virtual WAN?
  • What is a secured virtual hub?
• Secure VPN connectivity, including point-to-site and site-to-site
  • VPN Gateway design  
• Implement encryption over ExpressRoute
  • ExpressRoute encryption  
• Configure firewall settings on PaaS resources
  • Security in Azure App Service
  • Azure SQL Database and Azure Synapse IP firewall rules
  • Configure Azure Storage firewalls and virtual networks
  • Access Azure Key Vault behind a firewall
• Monitor network security by using Network Watcher, including NSG flow logging
  • About Network Watcher
  • NSG flow logs

Plan and implement security for private access to Azure resources

• Plan and implement virtual network Service Endpoints
  • Virtual Network service endpoints
  • Tutorial: Restrict network access to PaaS resources with virtual network service endpoints using the Azure portal
  • Create, change, or delete service endpoint policy using the Azure portal
• Plan and implement Private Endpoints
  • Quickstart: Create a Private Endpoint using Azure portal
  • Use private endpoints for Azure Storage
• Plan and implement Private Link services
  • What is Azure Private Link?
  • Use portal to create private link for managing Azure resources
• Plan and implement network integration for Azure App Service and Azure Functions
  • Serverless Functions app security
  • Authentication and authorization in Azure App Service and Azure Functions
  • OS and runtime patching in Azure App Service
• Plan and implement network security configurations for an App Service Environment (ASE)
  • Security in Azure App Service
• Plan and implement network security configurations for an Azure SQL Managed Instance
  • An overview of Azure SQL Database and SQL Managed Instance security capabilities

Plan and implement security for public access to Azure resources

• Plan and implement TLS to applications, including Azure App Service and API Management
  • Add a TLS/SSL certificate in Azure App Service
  • Secure a custom DNS name with a TLS/SSL binding in Azure App Service
• Plan, implement, and manage an Azure Firewall, including Azure Firewall Manager and firewall
  policies
  • Tutorial: Deploy and configure Azure Firewall using the Azure portal
  • Tutorial: Deploy and configure Azure Firewall in a hybrid network using the Azure portal
  • Secure virtual hub – ARM template
  • General deployment process
• Plan and implement an Azure Application Gateway
  • Encrypt network traffic end to end with Azure Application Gateway
• Plan and implement an Azure Front Door, including Content Delivery Network (CDN)
  • Quickstart: Create a Front Door for a highly available global web application
• Plan and implement a Web Application Firewall (WAF)
  • Azure Web Application Firewall on Azure Application Gateway
• Recommend when to use Azure DDoS Protection Standard
  • Azure DDoS Protection Standard overview

Secure compute, storage, and databases (20–25%)

Plan and implement advanced security for compute

• Plan and implement remote access to public endpoints, including Azure Bastion and JIT
  • Quickstart: Connect to a virtual machine using a private IP address and Azure Bastion
• Configure network isolation for Azure Kubernetes Service (AKS)
  • Best practices for cluster isolation in Azure Kubernetes Service (AKS)
• Secure and monitor AKS
  • Security concepts for applications and clusters in Azure Kubernetes Service (AKS)
• Configure authentication for AKS
  • Service principals with Azure Kubernetes Service (AKS)
  • Integrate Azure Active Directory with Azure Kubernetes Service  
  • Use managed identities in Azure Kubernetes Service 
• Configure security monitoring for Azure Container Instances (ACIs)
  • Container Security in Azure
  • How to use managed identities with Azure Container Instances
  • Update containers in Azure Container Instances
• Configure security monitoring for Azure Container Apps (ACAs)
  • Monitor logs in Azure Container Apps with Log Analytics
• Manage access to Azure Container Registry (ACR)
  • Authenticate with an Azure container registry
• Configure disk encryption, including Azure Disk Encryption (ADE), encryption as host, and
  confidential disk encryption
  • Azure Disk Encryption for Windows VMs
  • Azure Storage encryption for data at rest
• Recommend security configurations for Azure API Management
  • Security considerations for the API Management landing zone accelerator

Plan and implement security for storage

• Configure access control for storage accounts
  • Authorizing access to data in Azure Storage
  • Security recommendation
  • Grant limited access to Azure Storage resources using shared access signatures
  • Authorize access to blobs and queues using Azure Active Directory
  • Acquire a token from Azure AD for authorizing requests from a client application
• Manage life cycle for storage account access keys
  • Manage storage account access keys
  • Use the Azure portal to access blob or queue data
• Select and configure an appropriate method for access to Azure Files
  • Overview – on-premises Active Directory Domain Services authentication over SMB for Azure file shares
  • Enable Azure Active Directory Domain Services authentication on Azure Files
• Select and configure an appropriate method for access to Azure Blob Storage
  • Choose how to authorize access to blob data in the Azure portal
• Select and configure an appropriate method for access to Azure Tables
  • Authorize access to data in Azure Storage
• Select and configure an appropriate method for access to Azure Queues
  • Authorize access to data in Azure Storage
• Select and configure appropriate methods for protecting against data security threats, including
  soft delete, backups, versioning, and immutable storage
  • Data protection overview
• Configure Bring your own key (BYOK)
  • Customer-managed keys for Azure Storage encryption
• Enable double encryption at the Azure Storage infrastructure level
  • Double encryption

Plan and implement security for Azure SQL Database and Azure SQL Managed
Instance

• Enable database authentication by using Microsoft Azure AD
  Microsoft Entra
  • Use Azure Active Directory authentication
  • Configure and manage Azure AD authentication with Azure SQL
• Enable database auditing
  • Auditing for Azure SQL Database and Azure Synapse Analytics
• Identify use cases for the Microsoft Purview governance portal
  • What’s available in the Microsoft Purview governance portal?
• Implement data classification of sensitive information by using the Microsoft Purview
  governance portal
  • Data classification in the Microsoft Purview governance portal
• Plan and implement dynamic masking
  • Dynamic data masking
• Implement Transparent Database Encryption (TDE)
  • Tutorial: Secure a database in Azure SQL Database
  • Transparent Data Encryption
  • Overview of key management for Always Encrypted
  • Configure Always Encrypted by using Azure Key Vault
• Recommend when to use Azure SQL Database Always Encrypted
  • Always Encrypted

Manage security operations (25–30%)

Plan, implement, and manage governance for security

• Create, assign, and interpret security policies and initiatives in Azure Policy
  • Tutorial: Create and manage policies to enforce compliance
  • Tutorial: Create a custom policy definition
  • Initiative Definition
  • Working with security policies
  • Built-in policy definitions for Microsoft Defender for Cloud
• Configure security settings by using Azure Blueprint
  • What is Azure Blueprints?
• Deploy secure infrastructures by using a landing zone
  • Infrastructure security implementation
• Create and configure an Azure Key Vault
  • Azure Key Vault security
  • Azure Defender for Key Vault
  • Integrate Azure Key Vault with Azure Policy
• Recommend when to use a Dedicated HSM
  • Dedicated HSM overview
• Configure access to Key Vault, including vault access policies and Azure Role Based Access
  Control
  • Secure access to a key vault
  • Provide Key Vault authentication with a managed identity
  • Azure Policy built-in policy definitions for Key Vault
• Manage certificates, secrets, and keys
  • About Azure Key Vault secrets
  • Tutorial: Import a certificate in Azure Key Vault
  • Configure customer-managed keys with Azure Key Vault by using the Azure portal
• Configure key rotation
  • About Azure Key Vault keys
  • Set up Azure Key Vault with key rotation and auditing
  • Tutorial: Configure certificate autorotation in Key Vault
  • Automate the rotation of a secret for resources that use single-user/single-password authentication
• Configure backup and recovery of certificates, secrets, and keys
  • Azure Key Vault soft-delete overview
  • Azure Key Vault backup

Configure and manage threat protection by using Microsoft Defender for
Cloud

• Enable workload protection services in Microsoft Defender for Cloud, including Microsoft
  Defender for Storage, Databases, Containers, App Service, Key Vault, Resource Manager, and
  DNS
  • Quickstart: Enable enhanced security features
• Configure Microsoft Defender for Servers
  • Overview of Microsoft Defender for servers
  • Secure your management ports with just-in-time access
  • File integrity monitoring
  • Use adaptive application controls to reduce your machines’ attack surfaces
  • Improve your network security posture with adaptive network hardening
  • Vulnerability assessments for your Azure Virtual Machines
  • Integrated vulnerability scanner for virtual machines
• Configure Microsoft Defender for Azure SQL Database
  • Use Microsoft Defender for SQL
  • Advanced Threat Protection for Azure SQL Database, SQL Managed Instance, and Azure Synapse Analytics
• Manage and respond to security alerts in Microsoft Defender for Cloud
  • Security alerts and incidents in Microsoft Defender for Cloud
  • Manage security alerts in Microsoft Defender for Cloud
• Configure workflow automation by using Microsoft Defender for Cloud
  • Automate responses to Microsoft Defender for Cloud triggers
• Evaluate vulnerability scans from Microsoft Defender for Server
  • Investigate weaknesses with Microsoft Defender Vulnerability Management

Configure and manage security monitoring and automation solutions

• Monitor security events by using Azure Monitor
  • Create, view, and manage log alerts using Azure Monitor
  • Create diagnostic setting to collect resource logs and metrics in Azure
  • Overview of Azure platform logs
  • Tutorial: Get started with Log Analytics queries
  • Get started with log queries in Azure Monitor
• Configure data connectors in Microsoft Sentinel
  • Connect data sources
• Create and customize analytics rules in Microsoft Sentinel
  • Automatically create incidents from Microsoft security alerts
  • Tutorial: Create custom analytic rules to detect suspicious threats
  • Quickstart: Get started with Microsoft Sentinel
• Evaluate alerts and incidents in Microsoft Sentinel
  • Tutorial: Visualize and monitor your data
  • Tutorial: Investigate incidents with Azure Sentinel
• Configure automation in Microsoft Sentinel
  • Tutorial: Set up automated threat responses in Azure Sentinel