AZ-500 just had a major update, with many new topics added in, as well as the removal of quite a few topics. The changes to the skills at a glance and a weighting change help to start explaining some of the chance.

New skills at a glance

• Secure identity and access (15–20%)
• Secure networking (20-25%)
• Secure compute, storage, and databases (20–25%)
• Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel (30–35%)

Previous skills at a glance

• Manage identity and access (25-30%)
• Secure networking (20–25%)
• Secure compute, storage, and databases (20–25%)
• Manage Security Operations 30–35%)

The first thing to note here is that the identity section name and weighting has changed. The word change to secure from manage is aligned the exam moving to have less of an emphasis on general identity management with Entra ID, instead focusing on certain security elements. Quite a few topics have been removed, which is why the weighting has been dropped. I’ll dig into the changes below, but for now let’s jump to the next change.

Manage Security Operations has now become Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel. This change really emphasizes the focus of the objective domain, making it less vague. There have also been some changes in this section, along with the others, so let’s take a look at them.

What’s been added to the exam?

• Azure Virtual Network Manager
• Azure Key Vault network settings
• Security controls to protect backups
• Security controls for asset management
• Manage security posture by using Microsoft Defender for Cloud (new section with multiple topics)
• Microsoft Defender for Cloud DevOps Security
• Data collection rules (DCRs) in Azure Monitor

What’s been removed?

• Configure Microsoft Entra Verified ID
• Passwordless authentication
• Password protection
• Single sign-on (SSO)
• Single sign on (SSO) and identity providers
• Modern authentication methods
• Role management and access reviews in Microsoft Entra
• Microsoft Entra Application Proxy
• Secure Microsoft Entra users
• Secure Microsoft Entra groups
• Recommend when to use external identities
• Secure external identities
• Implement Microsoft Entra ID Protection
• Access to Azure tables
• Access to Azure queues
• Microsoft Purview governance portal
• Azure Blueprints
• Landing zones
• Dedicated Hardware Security Module
• Alerts and incidents in Microsoft Sentinel

Here’s where I get to give my usual disclaimer – just because something has been removed from the exam description, it doesn’t necessarily mean that it won’t be referenced somewhere in the exam. I view it as the audience profile section tends to give some insight into the overall breadth of additional skills, knowledge and exposure the exam candidate should have, with some previously singled out topics basically becoming core skills any candidate should have without it needing to be specified.

If you are already familiar with Microsoft Entra ID P2 functionality, whether through Azure of through Microsoft 365 related services, you should be good shape for the identity related portions of this exam. There is an exception here though – make sure you spend extra time in the managing application access section, this isn’t something you may have had exposure to. If you don’t have much Entra experience, then you will need to spend time here understanding the capabilities of Entra ID P2, not just the free edition that’s included with Azure subscriptions by default.

If you are approaching this exam with a fairly solid understanding of networking concepts including subnets, routing, appliances etc. you are off to a strong start with the advanced network security section. The most important thing here is for you to understand how the Azure native versions of the services may differ from those of other solutions from other vendors. If you don’t have much or any networking in your prior experiences, make sure you spend some time going through some basics of TCP/IP and networking including what’s mentioned earlier in this paragraph, and then focus on the technologies in the exam objectives.

During the early days of this exam, understanding how to protect Azure virtual machines worked would have covered you quite well in the advanced security for compute section, but now you can’t just know what acronyms like ACI, ACR, AKS etc. stand for, you also need to how to secure them, including their networking configuration. At this stage it’s most likely you’re familiar with these container related technologies if you have Linux experience, but over the last few years I’ve seen more Windows centric exam takers having some exposure to these technologies as well. This update has had some major changes in the container and serverless related objectives so expect to see more questions on those.

The final thing here is to make sure you have an understanding of what’s in Microsoft Defender for Cloud, and the additional features you get when you move up to workload protections in Microsoft Defender for Cloud. Use the additional workload protections to help drive your understanding of the workloads that you aren’t familiar with. Defender for Servers and Defender for SQL do get mentioned specifically, so they are the ones to focus on.

Sentinel, along with Azure monitor and DCRs have continued to take a bigger role in this exam as well.

The examples I’ve just provided don’t cover all of the different combinations of exam preparation scenarios based on your skills, but hopefully they give you some idea of what I see catch people out.

Secure identity and access (15–20%)

Manage security controls for identity and access

• Manage Azure built-in role assignments
  • Administrative units
  • Elevate access to manage all Azure subscriptions and management groups  
  • Add or change Azure subscription administrators  
  • What is Azure role-based access control (Azure RBAC)?
  • Quickstart: View the access a user has to Azure resources  
  • List Azure role definitions  
  • List Azure role assignments using the Azure portal  
  • Best practices for Azure RBAC
• Manage custom roles, including Azure roles and Microsoft Entra roles
  • Create Custom Azure Roles
  • Create custom Microsoft Entra roles
• Implement and manage Microsoft Entra Permissions Management
  • Enable Permissions Management in your organization
• Plan and manage Azure resources in Microsoft Entra Privileged Identity Management, including settings and assignments
  • Deploy Microsoft Entra Privileged Identity Management (PIM)
• Implement multi-factor authentication (MFA) for access to Azure resources
  • Configure Azure Multi-Factor Authentication settings
  • Secure Microsoft Entra users with multifactor authentication
• Implement Conditional Access policies for cloud resources in Azure
  • Building a Conditional Access policy

Manage Microsoft Entra application access

• Manage access to enterprise applications in Microsoft Entra ID, including OAuth permission grants
  • Build an app using Microsoft identities or social accounts
  • Configure how end-users consent to applications
  • Get access on behalf of a user
  • Authentication flows and application scenarios
• Manage Microsoft Entra app registrations
  • QuickStart: Register an application with the Microsoft identity platform  
• Configure app registration permission scopes
  • Introduction to permissions and consent
• Manage app registration permission consent
  • Permissions and consent in the Microsoft identity platform endpoint
• Manage and use service principals
  • Application and service principal objects inMicrosoft Entra ID  
• Manage managed identities
  • Managed identity best practice recommendations
  • About managed identities for Azure resources

Secure Networking (20-25%)

Plan and implement security for virtual network

• Plan and implement Network Security Groups (NSGs) and Application Security Groups (ASGs)
  • Network security groups  
  • Create, change, or delete a network security group
  • Tutorial: Filter network traffic with a network security group using the Azure portal  
  • Application security groups  
• Manage virtual networks by using Azure Virtual Network Manager
  • What is Azure Virtual Network Manager?
  • Common use cases for Azure Virtual Network Manager
• Plan and implement user-defined routes (UDRs)
  • Custom routes
• Plan and implement VNET peering or VPN gateway
  • About Point-to-Site VPN  
  • Create a Site-to-Site connection in the Azure portal  
  • Configure virtual network connectivity
  • Bastion and VNet peering
• Plan and implement Virtual WAN, including secured virtual hub
  • What is Virtual WAN?
  • What is a secured virtual hub?
• Secure VPN connectivity, including point-to-site and site-to-site
  • VPN Gateway design  
• Implement encryption over ExpressRoute
  • ExpressRoute encryption  
• Configure firewall settings on Azure resources
  • Security in Azure App Service
  • Azure SQL Database and Azure Synapse IP firewall rules
  • Configure Azure Storage firewalls and virtual networks
  • Access Azure Key Vault behind a firewall
• Configure firewall settings on Azure resources
  • About Network Watcher
  • NSG flow logs

Plan and implement security for private access to Azure resources

• Plan and implement virtual network Service Endpoints
  • Virtual Network service endpoints
  • Tutorial: Restrict network access to PaaS resources with virtual network service endpoints using the Azure portal
  • Create, change, or delete service endpoint policy using the Azure portal
• Plan and implement Private Endpoints
  • Quickstart: Create a Private Endpoint using Azure portal
  • Use private endpoints for Azure Storage
• Plan and implement Private Link services
  • What is Azure Private Link?
  • Use portal to create private link for managing Azure resources
• Plan and implement network integration for Azure App Service and Azure Functions
  • Serverless Functions app security
  • Authentication and authorization in Azure App Service and Azure Functions
  • OS and runtime patching in Azure App Service
• Plan and implement network security configurations for an App Service Environment (ASE)
  • Security in Azure App Service
• Plan and implement network security configurations for an Azure SQL Managed Instance
  • An overview of Azure SQL Database and SQL Managed Instance security capabilities

Plan and implement security for public access to Azure resources

• Plan and implement TLS to applications, including Azure App Service and API Management
  • Add a TLS/SSL certificate in Azure App Service
  • Secure a custom DNS name with a TLS/SSL binding in Azure App Service
• Plan, implement, and manage an Azure Firewall, including Azure Firewall Manager and firewall
  policies
  • Tutorial: Deploy and configure Azure Firewall using the Azure portal
  • Tutorial: Deploy and configure Azure Firewall in a hybrid network using the Azure portal
  • Secure virtual hub – ARM template
  • General deployment process
• Plan and implement an Azure Application Gateway
  • Encrypt network traffic end to end with Azure Application Gateway
• Plan and implement an Azure Front Door, including Content Delivery Network (CDN)
  • Quickstart: Create a Front Door for a highly available global web application
• Plan and implement a Web Application Firewall (WAF)
  • Azure Web Application Firewall on Azure Application Gateway
• Recommend when to use Azure DDoS Protection Standard
  • Azure DDoS Protection Standard overview

Secure compute, storage, and databases (20–25%)

Plan and implement advanced security for compute

• Plan and implement remote access to public endpoints, including Azure Bastion and just-in-time (JIT) virtual machine (VM) access
  • Quickstart: Connect to a virtual machine using a private IP address and Azure Bastion
• Configure network isolation for Azure Kubernetes Service (AKS)
  • Best practices for cluster isolation in Azure Kubernetes Service (AKS)
• Secure and monitor AKS
  • Security concepts for applications and clusters in Azure Kubernetes Service (AKS)
• Configure authentication for AKS
  • Service principals with Azure Kubernetes Service (AKS)
  • IntegraIntegrate Microsoft Entra ID with Azure Kubernetes Service  
  • Use managed identities in Azure Kubernetes Service 
• Configure security monitoring for Azure Container Instances (ACIs)
  • Container Security in Azure
  • How to use managed identities with Azure Container Instances
  • Update containers in Azure Container Instances
• Configure security monitoring for Azure Container Apps (ACAs)
  • Monitor logs in Azure Container Apps with Log Analytics
• Manage access to Azure Container Registry (ACR)
  • Authenticate with an Azure container registry
• Configure disk encryption, including Azure Disk Encryption (ADE), encryption at host, and
  confidential disk encryption
  • Azure Disk Encryption for Windows VMs
  • Azure Storage encryption for data at rest
• Recommend security configurations for Azure API Management
  • Security considerations for the API Management landing zone accelerator

Plan and implement security for storage

• Configure access control for storage accounts
  • Authorizing access to data in Azure Storage
  • Security recommendation
  • Grant limited access to Azure Storage resources using shared access signatures
  • Authorize access to blobs and queues using Microsoft Entra
  • Acquire a token from Microsoft Entra for authorizing requests from a client application
• Manage storage account access keys
  • Manage storage account access keys
• Select and configure an appropriate method for access to Azure Files
  • Overview – on-premises Active Directory Domain Services authentication over SMB for Azure file shares
  • Use Microsoft Entra Domain Services to authorize user access to Azure Files over SMB
• Select and configure an appropriate method for access to Azure Blob Storage
  • Choose how to authorize access to blob data in the Azure portal
• Select and configure appropriate methods for protecting against data security threats, including
  soft delete, backups, versioning, and immutable storage
  • Data protection overview
• Configure Bring your own key (BYOK)
  • Customer-managed keys for Azure Storage encryption
• Enable double encryption at the Azure Storage infrastructure level
  • Double encryption

Plan and implement security for Azure SQL Database and Azure SQL Managed Instance

• Enable Microsoft Entra database authentication
  • Microsoft Entra authentication – Azure SQL Database & Azure SQL Managed Instance & Azure Synapse Analytics
  • Configure and manage Microsoft Entra authentication with Azure SQL
• Enable database auditing
  • Auditing for Azure SQL Database and Azure Synapse Analytics
• Plan and implement dynamic masking
  • Dynamic data masking
• Implement Transparent Data Encryption (TDE)
  • Tutorial: Secure a database in Azure SQL Database
  • Transparent Data Encryption
  • Overview of key management for Always Encrypted
  • Configure Always Encrypted by using Azure Key Vault
• Recommend when to use Azure SQL Database Always Encrypted
  • Always Encrypted

Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel (30–35%)

Implement and manage enforcement of cloud governance policies

• Create, assign, and interpret security policies and initiatives in Azure Policy
  • Tutorial: Create and manage policies to enforce compliance
  • Tutorial: Create a custom policy definition
  • Initiative Definition
  • Working with security policies
  • Built-in policy definitions for Microsoft Defender for Cloud
• Configure Azure Key Vault network settings
  • Configure key vault networking settings
  • Azure Key Vault security
  • Azure Defender for Key Vault
  • Integrate Azure Key Vault with Azure Policy
• Configure access to Key Vault, including vault access policies and Azure Role Based Access
  Control
  • Secure access to a key vault
  • Provide Key Vault authentication with a managed identity
  • Azure Policy built-in policy definitions for Key Vault
• Manage certificates, secrets, and keys
  • About Azure Key Vault secrets
  • Tutorial: Import a certificate in Azure Key Vault
  • Configure customer-managed keys with Azure Key Vault by using the Azure portal
• Configure key rotation
  • About Azure Key Vault keys
  • Set up Azure Key Vault with key rotation and auditing
  • Tutorial: Configure certificate autorotation in Key Vault
  • Automate the rotation of a secret for resources that use single-user/single-password authentication
• Perform backup and recovery of certificates, secrets, and keys
  • Azure Key Vault soft-delete overview
  • Azure Key Vault backup
• Implement security controls to protect backups
  • Overview of security features in Azure Backup
• Implement security controls for asset management
  • Azure Operational Security best practices

Manage security posture by using Microsoft Defender for Cloud

• Identify and remediate security risks by using the Microsoft Defender for Cloud Secure Score and Inventory
  • Secure score in Defender for Cloud
  • Mitigate risks on specific resources in the asset inventory
• Assess compliance against security frameworks by using Microsoft Defender for Cloud
  • Cloud Security Posture Management (CSPM)
• Manage compliance standards in Microsoft Defender for Cloud
  • Regulatory compliance standards
• Add custom standards to Microsoft Defender for Cloud
  • Security policies
• Connect hybrid cloud and multi-cloud environments to Microsoft Defender for Cloud, including Amazon Web Services (AWS) and Google Cloud Platform (GCP)
  • Connect AWS accounts
  • Connect GCP projects
  • Connect machines with Defender for Endpoint
  • Connect machines with Azure Arc
• Implement and use Microsoft Defender External Attack Surface Management (EASM)
  • External attack surface management in Defender for Cloud

Configure and manage threat protection by using Microsoft Defender for Cloud

• Enable workload protection services in Microsoft Defender for Cloud
  • Connect your Azure subscriptions
• Configure Microsoft Defender for Servers, Microsoft Defender for Databases, and Microsoft Defender for Storage
  • Overview of Microsoft Defender for servers
  • Secure your management ports with just-in-time access
  • File integrity monitoring
  • Use adaptive application controls to reduce your machines’ attack surfaces
  • Improve your network security posture with adaptive network hardening
  • Vulnerability assessments for your Azure Virtual Machines
  • Integrated vulnerability scanner for virtual machines
  • Use Microsoft Defender for SQL
  • Advanced Threat Protection for Azure SQL Database, SQL Managed Instance, and Azure Synapse Analytics
  • Protect storage accounts with Defender for Storage
• Implement and manage agentless scanning for virtual machines in Microsoft Defender for Servers
  • Agentless machine scanning
• Implement and manage Microsoft Defender Vulnerability Management for Azure virtual machines
  • Investigate weaknesses with Microsoft Defender Vulnerability Management
• Connect to and configure settings in Microsoft Defender for Cloud Devops Security, including GitHub, Azure DevOps, and GitLab
  • DevOps environment security posture

Configure and manage security monitoring and automation solutions

• Manage and respond to security alerts in Microsoft Defender for Cloud
  • Security alerts and incidents in Microsoft Defender for Cloud
  • Manage security alerts in Microsoft Defender for Cloud
• Configure workflow automation by using Microsoft Defender for Cloud
  • Automate responses to Microsoft Defender for Cloud triggers
• Monitor network security events and performance data by configuring data collection rules (DCRs) in Azure Monitor
  • Data collection rules (DCRs) in Azure Monitor
  • Create, view, and manage log alerts using Azure Monitor
  • Create diagnostic setting to collect resource logs and metrics in Azure
  • Overview of Azure platform logs
  • Tutorial: Get started with Log Analytics queries
  • Get started with log queries in Azure Monitor
• Configure data connectors in Microsoft Sentinel
  • Connect data sources
• Enable analytics rules in Microsoft Sentinel
  • Automatically create incidents from Microsoft security alerts
  • Tutorial: Create custom analytic rules to detect suspicious threats
  • Quickstart: Get started with Microsoft Sentinel
• Configure automation in Microsoft Sentinel
  • Tutorial: Set up automated threat responses in Azure Sentinel