Microsoft Azure Security Engineer Associate
225 practice questions
Last reviewed: April 2026
AZ-500 validates the day-to-day skills of an Azure security engineer: managing identity and access through Microsoft Entra, securing networks, hardening compute, storage, and databases, and running security operations with Microsoft Defender for Cloud and Microsoft Sentinel. The audience is working security engineers and Azure administrators specializing in security. The exam is implementation-focused (closer to AZ-104 in style than to expert-tier design exams), with 40 to 60 questions in 120 minutes, including drag-and-drop, hot-area, multiple-response, and at least one case study whose scenario-driven items reward hands-on portal experience.
Manage identity and access, about 27%. Microsoft Entra ID (users, groups, MFA, Conditional Access, PIM, Identity Protection, B2B / B2C), enterprise applications, app registrations, RBAC, and custom roles. Expect heavy Conditional Access scenarios.
Secure networking, about 23%. NSGs, ASGs, Azure Firewall, Web Application Firewall on Front Door / Application Gateway, DDoS Protection, Private Endpoints / Private Link, Service Endpoints, and Bastion. Heavy on traffic-flow scenarios.
Secure compute, storage, and databases, about 22%. VM hardening, Azure Disk Encryption, Microsoft Defender for Servers, container security, storage account security (firewalls, SAS, encryption, immutability), Key Vault, and Azure SQL security (TDE, Always Encrypted, RLS).
Manage security operations, about 28%, the largest domain. Microsoft Defender for Cloud (CSPM, CWPP, regulatory compliance), Microsoft Sentinel (data connectors, analytics rules, workbooks, KQL hunting, automation), Azure Policy for security, and built-in security alerts and incident response.
Services you'll encounter on the exam and why each one matters.
Microsoft Entra ID: cloud identity directory with users, groups, app registrations, Conditional Access policies, MFA, and Privileged Identity Management (PIM) for just-in-time elevation.
Why it's on the exam: Domain 1 (Manage Identity and Access) is built around Entra ID; Conditional Access, MFA enforcement, and PIM activation are the most-tested topics on the exam.
Microsoft Entra ID Protection: risk-based identity threat detection. Sign-in risk, user risk, and atypical-travel signals feed Conditional Access policies for adaptive challenges and blocks.
Why it's on the exam: Domain 1 questions on responding to compromised credentials and risky sign-ins name ID Protection as the Azure-native signal source.
Microsoft Defender for Cloud: cloud-native CSPM plus CWPP, with Secure Score, regulatory compliance dashboards, recommendations, and Defender plans for servers, storage, SQL, containers, and App Service (the former standalone DNS plan is now part of Defender for Servers Plan 2).
Why it's on the exam: Domain 4 (Manage Security Operations) names Defender for Cloud as the single pane of glass for posture management and workload protection across subscriptions.
Microsoft Sentinel: cloud-native SIEM and SOAR, with data connectors, analytics rules (KQL-driven), entity behavior analytics (UEBA), playbooks (Logic Apps), and incident triage.
Why it's on the exam: Domain 4 tests Sentinel as the AZ-500 SIEM; connector setup, analytics-rule authoring, and playbook automation surface on nearly every exam form.
Microsoft Defender XDR: unified XDR portal correlating signals from Defender for Endpoint, Identity, Office 365, and Cloud Apps into cross-domain incidents and automated investigations.
Why it's on the exam: Domain 4 (Manage Security Operations) distinguishes Defender XDR (cross-product correlation) from Sentinel (SIEM); knowing the boundary is repeatedly tested.
Azure Firewall: managed stateful Layer-3/4/7 firewall with FQDN filtering, threat-intel feeds, TLS inspection (Premium), IDPS, and centralized rule management via Firewall Policy.
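The analytics-rule logic the exam expects you to recognize, run here over sample data rather than in a workspace. This is an added example, not code from the page, from Microsoft, or from any Sentinel rule template: it reproduces in Python what a scheduled KQL rule over SigninLogs does for password spray, and the sign-in rows, tenant name, IP addresses, and thresholds are all constructed assumptions.

```python
"""Password-spray detection over constructed Entra sign-in records.

Keeps failed sign-ins with Entra result code 50126 (invalid username or
password), buckets them into 1-hour bins per source IP (the bin(TimeGenerated, 1h)
of the KQL version), and alerts when one IP has failed against at least
min_distinct_users different accounts in a bin. Many failures against a single
account are brute force, not spray, and intentionally do not fire here.
Accounts that later succeed from the same IP in that bin are surfaced for triage.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample rows shaped like SigninLogs columns; not real telemetry.
SAMPLE_SIGNINS = [
    # spray: one IP, five accounts inside one hourly bin, then one success
    {"TimeGenerated": "2026-04-01T08:00:05Z", "UserPrincipalName": "alice@contoso.example", "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2026-04-01T08:01:10Z", "UserPrincipalName": "bob@contoso.example",   "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2026-04-01T08:02:30Z", "UserPrincipalName": "carol@contoso.example", "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2026-04-01T08:15:00Z", "UserPrincipalName": "dave@contoso.example",  "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2026-04-01T08:40:00Z", "UserPrincipalName": "erin@contoso.example",  "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2026-04-01T08:41:00Z", "UserPrincipalName": "erin@contoso.example",  "IPAddress": "203.0.113.10", "ResultType": "0"},
    # brute force: six failures against one account from one IP, must not fire
    *[{"TimeGenerated": f"2026-04-01T09:0{i}:00Z", "UserPrincipalName": "frank@contoso.example",
       "IPAddress": "198.51.100.7", "ResultType": "50126"} for i in range(6)],
    # three accounts split across two hourly bins: below threshold in each bin
    {"TimeGenerated": "2026-04-01T10:58:00Z", "UserPrincipalName": "gina@contoso.example", "IPAddress": "192.0.2.33", "ResultType": "50126"},
    {"TimeGenerated": "2026-04-01T10:59:00Z", "UserPrincipalName": "hank@contoso.example", "IPAddress": "192.0.2.33", "ResultType": "50126"},
    {"TimeGenerated": "2026-04-01T11:01:00Z", "UserPrincipalName": "ivan@contoso.example", "IPAddress": "192.0.2.33", "ResultType": "50126"},
]


def detect_password_spray(rows, min_distinct_users=5, bin_size=timedelta(hours=1),
                          failure_codes=("50126",)):
    """Return one alert per (IPAddress, time bin) whose distinct failed accounts
    reach min_distinct_users, the same grouping a scheduled KQL rule would emit."""
    failures = defaultdict(set)   # (ip, bin_start) -> accounts that failed
    successes = defaultdict(set)  # (ip, bin_start) -> accounts that succeeded
    for row in rows:
        t = _ts(row["TimeGenerated"])
        # floor the timestamp to the start of its bin, like bin(TimeGenerated, 1h)
        bin_start = t - timedelta(seconds=t.timestamp() % bin_size.total_seconds())
        key = (row["IPAddress"], bin_start)
        upn = row["UserPrincipalName"].lower()
        if row["ResultType"] == "0":
            successes[key].add(upn)
        elif row["ResultType"] in failure_codes:
            failures[key].add(upn)

    alerts = []
    for (ip, bin_start), users in sorted(failures.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        if len(users) >= min_distinct_users:
            alerts.append({
                "IPAddress": ip,
                "BinStart": bin_start.isoformat(),
                "DistinctUsers": len(users),
                "Accounts": sorted(users),
                # sprayed accounts that then authenticated from the same IP: triage first
                "CompromisedCandidates": sorted(users & successes[(ip, bin_start)]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_SIGNINS):
        print(alert)
```

The KQL shape this mirrors is `SigninLogs | where ResultType == "50126" | summarize dcount(UserPrincipalName) by IPAddress, bin(TimeGenerated, 1h)` followed by a threshold filter; in a Sentinel scheduled rule you would map IPAddress to the IP entity and the account list to Account entities so incidents group correctly. Note that the third IP in the sample fails against three accounts but straddles two bins, so a fixed-bin rule misses it; a sliding window or a lower threshold with a longer lookback is the usual tuning answer.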
Why it's on the exam: Domain 2 (Secure Networking) names Azure Firewall as the egress/ingress inspection plane in hub-spoke and Virtual WAN topologies.
Azure Web Application Firewall (WAF): Layer-7 WAF deployed on Application Gateway or Front Door with OWASP Core Rule Sets, custom rules, bot protection, and per-policy detection/prevention modes.
Why it's on the exam: Domain 2 + Domain 3 questions on protecting public web endpoints from injection, scraping, and L7 DDoS name WAF as the Azure-native edge defense.
Microsoft Defender for Endpoint (MDE): EDR/EPP for Windows, macOS, Linux, iOS, and Android, with attack surface reduction, automated investigation and remediation, vulnerability management, and threat hunting.
Why it's on the exam: Domain 3 (Secure Compute) and Domain 4 surface MDE as the workload-level defense feeding Defender for Cloud and Defender XDR with endpoint signals.
Azure DDoS Protection: always-on platform-level Layer-3/4 mitigation (free infrastructure protection) plus the paid Network Protection and IP Protection SKUs, which add per-resource tuned mitigation policies, attack analytics and mitigation reports, WAF integration, cost-protection credits for attack-driven scale-out, and access to the DDoS Rapid Response (DRR) team.
Why it's on the exam: Domain 2 distinguishes the free always-on tier from paid Network/IP Protection, a recurring exam scenario on hardening public-facing workloads.
Azure Bastion: managed jump host brokering RDP/SSH to VMs via the portal or native client over TLS, so target VMs need no public IP and no RDP/SSH port opened to the internet (sessions reach them from the AzureBastionSubnet over private IPs).
Why it's on the exam: Domain 2 + Domain 3 secure-access scenarios name Bastion as the answer for VM administration without jumpbox infrastructure or public IPs.
Azure Private Link / Private Endpoints: private-IP access to Azure PaaS (Storage, SQL, Key Vault, etc.) and partner services over the Microsoft backbone, eliminating public-internet exposure.
Why it's on the exam: Domain 2 + Domain 3 test Private Endpoint as the canonical pattern for removing public endpoints from PaaS while preserving service functionality.
Network security groups (NSGs): stateful Layer-3/4 ACLs at subnet or NIC scope with priority-ordered allow/deny rules (lowest priority number is evaluated first, the first match wins, and the default rules at 65000, 65001, and 65500 catch everything else), application security groups (ASGs), and NSG flow logs for forensics (being superseded by virtual network flow logs in Network Watcher).
Why it's on the exam: Domain 2 (Secure Networking) tests NSG rule precedence, ASG-based segmentation, and flow-log capture for traffic auditing on nearly every form.
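A worked instance of the precedence rule that the exam keeps testing: a Deny at priority 100 beats an Allow at 110 for the same flow, and a flow nothing custom matches falls through to the default rules. This is an added example, not code from the page or from Azure; the VNet address space, ASG membership, rule set, and the treatment of the VirtualNetwork and Internet service tags are constructed assumptions (the real VirtualNetwork tag also covers peered VNets and on-premises prefixes learned via a gateway).

```python
"""NSG rule-precedence evaluator over a constructed rule set.

Rules of the flow's direction are checked in ascending priority order (100 to
4096 for custom rules); the first match decides, and the built-in default
rules at 65000/65001/65500 catch anything left. NSGs are stateful, so only the
initiating packet's direction is evaluated; return traffic is implicitly allowed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET_PREFIXES = [ip_network("10.0.0.0/16")]   # assumed VNet address space
AZURE_LB = ip_address("168.63.129.16")        # Azure load balancer / health-probe source

# Assumed ASG membership: NIC private IPs per application security group.
ASG_MEMBERS = {
    "web": {ip_address("10.0.1.4"), ip_address("10.0.1.5")},
    "db": {ip_address("10.0.2.20")},
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR, "*", "VirtualNetwork", "Internet", "AzureLoadBalancer", "asg:<name>"
    destination: str   # same forms as source
    dest_ports: tuple  # ("*",), ("443",), ("8000-8080",), ...


def _match_addr(spec, addr):
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return any(addr in p for p in VNET_PREFIXES)
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB
    if spec == "Internet":   # simplification: anything that is not VNet or the platform LB
        return addr != AZURE_LB and not any(addr in p for p in VNET_PREFIXES)
    if spec.startswith("asg:"):
        return addr in ASG_MEMBERS.get(spec[4:], set())
    return addr in ip_network(spec, strict=False)


def _match_port(specs, port):
    for spec in specs:
        if spec == "*":
            return True
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


# The default rules every NSG carries; they cannot be removed, only overridden by lower numbers.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", ("*",)),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", ("*",)),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", ("*",)),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", ("*",)),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", ("*",)),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", ("*",)),
]

# Constructed custom rules: the Deny at 100 wins over the broader Allow at 110.
CUSTOM_RULES = [
    Rule("DenyRdpFromInternet", 100, "Inbound", "Deny", "Tcp", "Internet", "*", ("3389",)),
    Rule("AllowRdpToWeb", 110, "Inbound", "Allow", "Tcp", "*", "asg:web", ("3389",)),
    Rule("AllowHttpsFromInternet", 200, "Inbound", "Allow", "Tcp", "Internet", "asg:web", ("443",)),
]


def evaluate(custom_rules, direction, protocol, src, dst, dst_port):
    """Return (access, rule_name) for one flow the way the NSG data plane decides it."""
    rules = [r for r in list(custom_rules) + DEFAULT_RULES if r.direction == direction]
    prios = [r.priority for r in rules]
    if len(prios) != len(set(prios)):   # Azure refuses duplicate priorities per direction
        raise ValueError("duplicate priority in direction " + direction)
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if not (_match_addr(r.source, src_ip) and _match_addr(r.destination, dst_ip)):
            continue
        if not _match_port(r.dest_ports, dst_port):
            continue
        return r.access, r.name   # first match wins; later rules are never consulted
    raise RuntimeError("unreachable: a default rule always matches")


if __name__ == "__main__":
    for flow in [("203.0.113.7", "10.0.1.4", 3389), ("10.0.1.5", "10.0.1.4", 3389),
                 ("203.0.113.7", "10.0.1.4", 443), ("203.0.113.7", "10.0.2.20", 22)]:
        print(flow, "->", evaluate(CUSTOM_RULES, "Inbound", "Tcp", *flow))
```

Reading the results in exam terms: RDP from the internet to a web VM is denied by rule 100 even though rule 110 would allow it, RDP from inside the VNet is allowed by 110 because 100 never matches a VNet source, and SSH from the internet to the database tier reaches DenyAllInBound because no custom rule and no default Allow covers it.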
Microsoft Defender for Cloud workload protection plans: workload-tier plans, namely Defender for Servers (MDE integration), Storage (malware scanning), SQL (vulnerability assessment plus threat detection), and Containers (Kubernetes-aware runtime protection).
Why it's on the exam: Domain 3 (Secure Compute, Storage, and Databases) is largely about picking the correct Defender plan per workload tier and tuning its alerts.
Microsoft Defender for Identity: on-premises AD threat detection, with pass-the-hash, pass-the-ticket, golden ticket, reconnaissance, and lateral movement signals from domain-controller traffic.
Why it's on the exam: Domain 1 + Domain 4 questions on detecting hybrid identity compromise cite Defender for Identity as the AD-aware threat sensor feeding Defender XDR.
Microsoft Purview Information Protection and DLP: sensitivity labels, encryption, and data-loss-prevention policies across Microsoft 365, Endpoint DLP, and Azure data sources, covering discovery, classification, and enforcement.
Why it's on the exam: Domain 3 (Secure Compute, Storage, and Databases) names Purview IP + DLP as the data-classification and at-rest/in-motion protection layer for sensitive content.
Azure Container Registry (ACR): managed registry with Defender for Containers image scanning, content trust, retention policies, and geo-replication for multi-region pull paths.
Why it's on the exam: Domain 3 container scenarios name ACR with Defender scanning as the secure-supply-chain answer for Kubernetes/AKS image distribution.
Azure Key Vault: managed store for secrets, certificates, and software- or HSM-backed keys with Entra-integrated RBAC, soft-delete, purge protection, and BYOK key import (with Managed HSM for single-tenant HSM pools).
Why it's on the exam: Domain 3 (Secure Compute, Storage, and Databases) tests Key Vault for storage-account / database TDE encryption-key custody and customer-managed-key (CMK) patterns.
Azure Policy: declarative governance with audit/deny/deployIfNotExists/modify effects, initiative bundles (e.g. CIS, ISO 27001, NIST SP 800-53) assigned at management-group or subscription scope, and exemptions; Azure Blueprints, formerly used for environment baselines, is deprecated in favor of template specs and deployment stacks.
Why it's on the exam: Domain 4 (Manage Security Operations) names Azure Policy as the enforcement mechanism for security baselines, encryption requirements, and tagging at scale.
Microsoft Defender for Cloud Apps: cloud access security broker (CASB) with shadow-IT discovery, SaaS posture management, session controls via Conditional Access App Control, and information-protection integration.
Why it's on the exam: Domain 1 + Domain 4 cite Defender for Cloud Apps for SaaS-side governance: discovering unsanctioned apps and enforcing real-time session policies on Microsoft 365 / connected SaaS.
Azure Monitor: unified telemetry (activity logs, diagnostic settings, metrics, and Log Analytics workspaces queried via KQL); the substrate that Sentinel and Defender for Cloud build on.
Why it's on the exam: Domain 4 (Manage Security Operations) leans on Azure Monitor for diagnostic-setting routing to a central workspace and KQL queries that feed Sentinel analytics rules.
$110k–$150k–$205k USD annual
Range covers US-based mid-to-senior cloud security engineers where Azure proficiency is required. Senior cloud security engineers at FAANG / fintech / regulated industries often clear $230k TC. The cert is a screening signal; production security incident-response experience drives the high end.
Source: levels.fyi 2025 cloud security / IAM-engineer roles, U.S. BLS OEWS May 2024 (15-1212 information security analysts), Glassdoor 2025. Figures are approximate; actual compensation depends on role, region, and experience.
AZ-500 is the most-requested Azure security cert in JDs and one of the highest-volume Microsoft security exams overall. Demand has accelerated through 2024–2026 as enterprises consolidate security tooling onto Microsoft Defender for Cloud and Microsoft Sentinel. Recruiters at financial services, healthcare, government contractors, and Microsoft-partner consultancies treat it as the canonical proof of Azure security competence. It pairs naturally with AZ-104 (the most common pairing for security-leaning admins), with AZ-305 for security-leaning architects, with AZ-700 for network-security engineers, and with SC-200 (Security Operations Analyst) and SC-100 (Cybersecurity Architect) to round out the Microsoft security portfolio.
There are no formal prerequisites. Microsoft recommends one to two years of Azure administration experience plus working knowledge of identity, networking, and security principles. AZ-104 is highly complementary; many AZ-500 questions assume Azure-administrator-level fluency with Microsoft Entra, RBAC, and core networking. SC-900 is a useful conceptual on-ramp for candidates new to Microsoft security, but is not required.
The official Microsoft Learn path covers all four domains in roughly 35–45 hours. Hands-on lab time is essentially required: a personal Azure subscription with a Microsoft Entra ID P2 trial, Microsoft Defender for Cloud enabled, and a small Sentinel workspace lets candidates practice Conditional Access, PIM, security alerts, and KQL hunting queries. Many candidates supplement with the official practice assessment plus a third-party video course.
AZ-500 sits in the Associate tier and is widely considered moderately to highly challenging: comparable to AZ-204 in difficulty, and harder than AZ-104 by a meaningful margin given the depth of Microsoft Entra and Sentinel content. Plan on 80–120 hours of study over 8–12 weeks with prior Azure-admin experience, and substantially longer without that background. The exam runs about 120 minutes, longer than most associate exams, with 40 to 60 questions in multiple-choice, multiple-response, drag-and-drop, hot-area, and case-study formats.
The most common stumbling block is the breadth of Microsoft Entra advanced features: Conditional Access, PIM, Identity Protection, Entitlement Management, and Access Reviews each have distinct configuration surfaces, and the exam tests subtle scenario differences. Microsoft Sentinel KQL hunting queries and analytics-rule configuration also frequently surprise candidates whose only Azure experience is administrative.
Most recent skills-measured update. Expanded Microsoft Defender for Cloud CSPM coverage, added Microsoft Defender for Containers and DevOps content, and modernized the Sentinel automation framing. Microsoft refreshes AZ-500 approximately every 12–18 months without changing the exam code.
Restructured into the current four-domain layout, rebalanced toward security operations, renamed Azure AD references to Microsoft Entra ID, and integrated unified Microsoft Defender XDR concepts.
Initial GA. Original outline focused on Azure AD, network security groups, Azure Security Center, and Azure Sentinel (preview at the time).
AZ-500 (Microsoft Azure Security Engineer Associate) is a moderately difficult Associate-level exam that expects practical hands-on experience plus a solid understanding of best practices. Most candidates who score consistently above the passing threshold on practice exams pass on their first attempt.
Most candidates need 80–150 hours of study spread over 6–12 weeks for associate-level exams. Time-to-pass varies widely by prior experience. Engineers with hands-on production experience in the underlying technology typically need less; candidates new to the platform should plan toward the upper end of that range.
AZ-500 is a recognized credential in the Azure ecosystem and signals validated knowledge to employers, recruiters, and clients. Whether it is worth the time and fee for you depends on your role and goals; it tends to pay off most for cloud engineers, architects, and consultants who work with Azure day-to-day or want to move into roles that do.
The passing score for AZ-500 is 700 / 1000. The exam contains about 50 questions (Microsoft states 40 to 60) and lasts 2 hours.
The AZ-500 exam fee is $165 USD. Fees are set by Microsoft and vary by country; always confirm the current price on the official Microsoft Learn certification page before booking.
Microsoft role-based certifications expire after 1 year but can be renewed for free via an unproctored online assessment on Microsoft Learn, starting 6 months before expiration.
Yes. You can take the exam online (proctored via the provider's secure browser, available 24/7 in most regions) or at an in-person Pearson VUE test center during business hours. Both formats use the same questions, time limit, and passing score.
CertLabPro provides 15 study modes across the practice question bank for AZ-500. The exam-simulation mode mirrors the real exam: 50 questions in 2 hr, with the same passing threshold of 700 / 1000. Browse mode lets you read every Q&A statically.