SC-200 vs AZ-500: which Microsoft security cert first?
AZ-500 is for cloud engineers configuring Azure security. SC-200 is for SOC analysts living inside Sentinel. Here's which one actually fits your job.
If you have to pick one Microsoft security cert and you don't know which, here's the short version: AZ-500 if you build and configure Azure resources, SC-200 if you investigate alerts and hunt threats. Both are $165, both are role-based associate-level, both are reasonably hard. They cover overlapping ground (identity, networking, Sentinel), but the day-to-day work they map to is genuinely different, and picking the wrong one means studying for somebody else's job.
I get this question often enough that it's worth a full post rather than a one-liner.
What AZ-500 is
AZ-500 (Microsoft Certified: Azure Security Engineer Associate) tests your ability to implement security controls across Azure. The current blueprint splits roughly:
- Manage identity and access (~25–30%): Entra ID, Conditional Access, PIM, managed identities, MFA configuration.
- Secure networking (~20–25%): NSGs, ASGs, Azure Firewall, WAF on Front Door / App Gateway, private endpoints, DDoS protection.
- Secure compute, storage, databases (~20–25%): Defender for Cloud, disk encryption, storage hardening, Key Vault, SQL TDE / Always Encrypted.
- Manage security operations (~25–30%): Sentinel basics, Defender for Cloud secure score, Azure Policy, regulatory compliance dashboards.
It's broad. The questions feel hands-on for multiple-choice: case studies at the start of the exam force you to work through a hypothetical company's environment. KQL is light. Sentinel is light. The center of gravity is "configure Azure resources to be secure."
What SC-200 is
SC-200 (Microsoft Certified: Security Operations Analyst Associate) tests your ability to operate a Microsoft security stack day-to-day. Current blueprint:
- Mitigate threats using Microsoft Defender XDR (~25–30%): Defender for Endpoint, Office 365, Cloud Apps, Identity. Investigation, triage, response.
- Mitigate threats using Defender for Cloud (~15–20%): cloud workload protection, secure score, regulatory compliance from an analyst lens.
- Mitigate threats using Microsoft Sentinel (~50–55%): data connectors, analytics rules, hunting queries, workbooks, playbooks, SOAR, and KQL, lots of KQL.
The exam center of gravity is Sentinel. If you can't write or read KQL fluently by exam day, you'll struggle. The case studies often hand you a query and ask what it returns, or hand you a scenario and ask which KQL operator you'd use to refine it.
The role mapping
This is the part nobody puts on the marketing page clearly:
| If your title is... | Take this first |
|---|---|
| Cloud Engineer / DevOps Engineer / Platform Engineer | AZ-500 |
| Security Engineer (configuration-focused) | AZ-500 |
| Azure Administrator wanting to specialize | AZ-500 |
| SOC Analyst / Tier 1–2 Analyst | SC-200 |
| Threat Hunter / Detection Engineer | SC-200 |
| Incident Responder | SC-200 |
| Generalist IT / want both eventually | AZ-500 first |
| Career switcher into security | SC-200 (more demand at junior level) |
The reason AZ-500 lands first for most cloud roles is that it covers more ground that a non-pure-security person actually has to know. If you're a cloud engineer who occasionally fields security questions, AZ-500 makes you better at your day job. SC-200 only pays off if you're sitting in front of Sentinel most days.
Difficulty: roughly equal, differently shaped
Both exams are 40–60 questions, 100 minutes, $165 USD list price (with regional pricing dropping that to ~$80 in some markets). Both have free 1-year renewal via a 30-question online assessment. Both use case studies plus standard multiple-choice / multi-select / drag-drop.
Where they differ:
AZ-500 is broader, SC-200 is deeper. AZ-500 asks you to know a little about a lot: identity, networking, compute, storage, ops. SC-200 asks you to know a lot about Sentinel and the Defender suite specifically.
KQL is the SC-200 differentiator. AZ-500 asks you to read KQL queries and understand outputs. SC-200 asks you to write them, optimize them, debug them. If you've never used KQL, SC-200 will surprise you.
AZ-500 has more identity content. Conditional Access, PIM, External Identities, Identity Protection: the first 25–30% of AZ-500 is identity-heavy. SC-200 touches identity but mostly through the lens of Defender for Identity alerts.
Pass rates aren't published by Microsoft, but anecdotally both sit in the 60–70% range first attempt for prepared candidates. SC-200's KQL section is where most people lose points; AZ-500's case studies are where most people lose points.
Prep time
| Background | AZ-500 | SC-200 |
|---|---|---|
| Azure-experienced security engineer | 40–60 hrs | 50–80 hrs |
| Generalist Azure engineer | 80–100 hrs | 100–130 hrs |
| SOC analyst, Microsoft stack | 80–100 hrs | 50–80 hrs |
| New to Azure | 150+ hrs | 180+ hrs |
SC-200 trends slightly longer because the KQL muscle has to be built from scratch for most candidates. If you're already fluent in KQL or another query language with similar syntax (Splunk SPL transfers reasonably well), knock 20–30 hours off.
Microsoft Learn's official paths for both exams are free and current. John Savill's YouTube channel has cram videos for both. For SC-200 specifically, "KQL from scratch" by Rod Trent is the canonical free resource for the Sentinel content. For AZ-500, spinning up a free Azure subscription and clicking through Conditional Access, PIM, Defender for Cloud, and Key Vault yourself is non-negotiable; case-study questions are nearly impossible to answer without portal-level familiarity.
Salary signal
Neither cert moves salaries directly in a clean A/B sense. Both open interviews. Per BLS OEWS May 2024, Information Security Analysts (15-1212) median wage is around $124k, 90th percentile around $182k. Microsoft-shop security roles cluster in the upper half of that range.
levels.fyi 2025–2026 data:
- Microsoft L62 Security Engineer total comp ~$230k.
- AWS L5 Security Specialist total comp ~$245k.
- Mid-tier non-FAANG security engineer roles (Capital One, Stripe, Atlassian) typically $170k–$220k base.
SC-200 holders at large enterprises with mature SOCs (banks, healthcare, federal contractors) often outearn the salary median because 24/7 SOC roles include shift differentials. AZ-500 holders skew toward standard cloud engineering pay bands.
The cert combination that tends to pay best in 2026 is AZ-500 + SC-200 + AZ-104; it signals you can configure Azure, secure it, and operate the response. Doing all three takes about 200 hours over 6–9 months and gets your résumé through filters at most Microsoft-stack employers.
What I'd do
If you're starting from a cloud engineering or generalist IT background, take AZ-500 first. It's broader, it teaches you more about Azure-as-a-platform, and most jobs that want Microsoft security skills ask for AZ-500 by name more often than SC-200.
If you're starting from a SOC or analyst track (you're already running queries in some SIEM, you investigate alerts daily), take SC-200 first. AZ-500's configuration-heavy content will feel like a detour you don't need yet.
If you're going for both eventually, the order matters less than the gap between them. Don't space them more than 6 months apart; the overlap on identity and Sentinel basics rewards consecutive prep.
When you're ready to drill, browse the AZ-500 practice bank on CertLabPro, start an SC-200 timed exam, or use both. Microsoft's case-study format is distinctive and pattern recognition under time pressure is the part that benefits most from realistic-item drilling.