The AZ-500 exam objectives just received a minor update that mostly address some Microsoft Entra wording in the identity section, so it shouldn’t impact your existing preparation. Below are some things to consider when preparing for this exam, especially when it comes to the areas that you will need to focus on.
If you are already familiar with Microsoft Entra ID Premium P2 functionality, whether through Azure of through Microsoft 365 related services, you should be good shape for the identity related portions of this exam. There is an exception here though – make sure you spend extra time in the managing application access section, this isn’t something you may have had exposure to. If you don’t have much Entra experience, then you will need to spend time here understanding the capabilities of Entra Premium P2, not just the free edition that’s included with Azure subscriptions by default.
If you are approaching this exam with a fairly solid understanding of networking concepts including subnets, routing, appliances etc. you are off to a strong start with the advanced network security section. The most important thing here is for you to understand how the Azure native versions of the services may differ from those of other solutions from other vendors. If you don’t have much or any networking in your prior experiences, make sure you spend some time going through some basics of TCP/IP and networking including what’s mentioned earlier in this paragraph, and then focus on the technologies in the exam objectives.
During the early days of this exam, understanding how to protect Azure virtual machines worked would have covered you quite well in the advanced security for compute section, but now you can’t just know what acronyms like ACI, ACR, AKS etc. stand for, you also need to how to secure them, including their networking configuration. At this stage it’s most likely you’re familiar with these container related technologies if you have Linux experience, but over the last few years I’ve seen more Windows centric exam takers having some exposure to these technologies as well. This update has had some major changes in the container and serverless related objectives so expect to see more questions on those.
The final thing here is to make sure you have an understanding of what’s in Microsoft Defender for Cloud, and the additional features you get when you move up to workload protections in Microsoft Defender for Cloud. Use the additional workload protections to help drive your understanding of the workloads that you aren’t familiar with. Defender for Servers and Defender for SQL do get mentioned specifically, so they are the ones to focus on.
The examples I’ve just provided don’t cover all of the different combinations of exam preparation scenarios based on your skills, but hopefully they give you some idea of what I see catch people out.
Manage identity and access (25-30%)
Manage identities in Microsoft Entra
- Secure Microsoft Entra users
- Secure Microsoft Entra groups
- Recommend when to use external identities
- Secure external identities
- Implement Microsoft Entra ID Protection
Manage Microsoft Entra authentication
- Configure Microsoft Entra Verified ID
- Implement multi-factor authentication (MFA)
- Implement passwordless authentication
- Implement password protection
- Implement single sign-on (SSO)
- Integrate single sign on (SSO) and identity providers
- Recommend and enforce modern authentication protocols
Manage Microsoft Entra authorization
- Configure Azure role permissions for management groups, subscriptions, resource groups, and resources
- Assign Microsoft Entra built in roles
- Assign Azure built-in roles
- Create and assign custom roles, including Azure roles and Microsoft Entra roles
- Implement and manage Microsoft Entra Permissions Management
- Configure Microsoft Entra Privileged Identity Management
- Configure role management and access reviews in Microsoft Entra
- Implement Conditional Access policies
Manage Microsoft Entra application access
- Manage access to enterprise applications in Microsoft Entra ID, including OAuth permission grants
- Manage Microsoft Entra app registrations
- Configure app registration permission scopes
- Manage app registration permission consent
- Manage and use service principals
- Manage managed identities for Azure resources
- Recommend when to use and configure an Microsoft Entra Application Proxy, including authentication
Secure Networking (20-25%)
Plan and implement security for virtual network
- Plan and implement Network Security Groups (NSGs) and Application Security Groups (ASGs)
- Plan and implement user-defined routes (UDRs)
- Plan and implement VNET peering or VPN gateway
- Plan and implement Virtual WAN, including secured virtual hub
- Secure VPN connectivity, including point-to-site and site-to-site
- Implement encryption over ExpressRoute
- Configure firewall settings on PaaS resources
- Monitor network security by using Network Watcher, including NSG flow logging
Plan and implement security for private access to Azure resources
- Plan and implement virtual network Service Endpoints
- Plan and implement Private Endpoints
- Plan and implement Private Link services
- Plan and implement network integration for Azure App Service and Azure Functions
- Plan and implement network security configurations for an App Service Environment (ASE)
- Plan and implement network security configurations for an Azure SQL Managed Instance
Plan and implement security for public access to Azure resources
- Plan and implement TLS to applications, including Azure App Service and API Management
- Plan, implement, and manage an Azure Firewall, including Azure Firewall Manager and firewall
policies - Plan and implement an Azure Application Gateway
- Plan and implement an Azure Front Door, including Content Delivery Network (CDN)
- Plan and implement a Web Application Firewall (WAF)
- Recommend when to use Azure DDoS Protection Standard
Secure compute, storage, and databases (20–25%)
Plan and implement advanced security for compute
- Plan and implement remote access to public endpoints, including Azure Bastion and JIT
- Configure network isolation for Azure Kubernetes Service (AKS)
- Secure and monitor AKS
- Configure authentication for AKS
- Configure security monitoring for Azure Container Instances (ACIs)
- Configure security monitoring for Azure Container Apps (ACAs)
- Manage access to Azure Container Registry (ACR)
- Configure disk encryption, including Azure Disk Encryption (ADE), encryption as host, and
confidential disk encryption - Recommend security configurations for Azure API Management
Plan and implement security for storage
- Configure access control for storage accounts
- Manage life cycle for storage account access keys
- Select and configure an appropriate method for access to Azure Files
- Select and configure an appropriate method for access to Azure Blob Storage
- Select and configure an appropriate method for access to Azure Tables
- Select and configure an appropriate method for access to Azure Queues
- Select and configure appropriate methods for protecting against data security threats, including
soft delete, backups, versioning, and immutable storage - Configure Bring your own key (BYOK)
- Enable double encryption at the Azure Storage infrastructure level
Plan and implement security for Azure SQL Database and Azure SQL Managed Instance
- Enable Microsoft Entra database authentication
- Enable database auditing
- Identify use cases for the Microsoft Purview governance portal
- Implement data classification of sensitive information by using the Microsoft Purview
governance portal - Plan and implement dynamic masking
- Implement Transparent Database Encryption (TDE)
- Recommend when to use Azure SQL Database Always Encrypted
Manage security operations (25–30%)
Plan, implement, and manage governance for security
- Create, assign, and interpret security policies and initiatives in Azure Policy
- Configure security settings by using Azure Blueprints
- Deploy secure infrastructures by using a landing zone
- Create and configure an Azure Key Vault
- Recommend when to use a Dedicated Hardware Security Module (HSM)
- Configure access to Key Vault, including vault access policies and Azure Role Based Access
Control - Manage certificates, secrets, and keys
- Configure key rotation
- Configure backup and recovery of certificates, secrets, and keys
Configure and manage threat protection by using Microsoft Defender for
Cloud
- Enable workload protection services in Microsoft Defender for Cloud, including Microsoft
Defender for Storage, Databases, Containers, App Service, Key Vault, Resource Manager, and
DNS - Configure Microsoft Defender for Servers
- Overview of Microsoft Defender for servers
- Secure your management ports with just-in-time access
- File integrity monitoring
- Use adaptive application controls to reduce your machines’ attack surfaces
- Improve your network security posture with adaptive network hardening
- Vulnerability assessments for your Azure Virtual Machines
- Integrated vulnerability scanner for virtual machines
- Configure Microsoft Defender for Azure SQL Database
- Manage and respond to security alerts in Microsoft Defender for Cloud
- Configure workflow automation by using Microsoft Defender for Cloud
- Evaluate vulnerability scans from Microsoft Defender for Server
Configure and manage security monitoring and automation solutions
- Monitor security events by using Azure Monitor
- Configure data connectors in Microsoft Sentinel
- Create and customize analytics rules in Microsoft Sentinel
- Evaluate alerts and incidents in Microsoft Sentinel
- Configure automation in Microsoft Sentinel
intunedin.net 