CertLabProMicrosoft Azure Security Engineer Associate
225問の練習問題
最終確認:April 2026
学習のための個人ノートとリソースリンク
認定でフィルター
AZ-500 validates the day-to-day skills of an Azure security engineer: managing identity and access through Microsoft Entra, securing networks, hardening compute / storage / databases, and running security operations with Microsoft Defender for Cloud and Microsoft Sentinel. The audience is working security engineers and Azure administrators specializing in security. The exam is implementation-focused — closer to AZ-104 in style than to expert-tier design exams — with 40–60 questions in 120 minutes including drag-and-drop, hot-area, multiple-response, and at least one case study with scenario-driven items rewarding hands-on portal experience.
Largest domain at 27%. Microsoft Entra ID (users, groups, MFA, Conditional Access, PIM, Identity Protection, B2B / B2C), enterprise applications, app registrations, RBAC, and custom roles. Expect heavy Conditional Access scenarios.
About 23%. NSGs, ASGs, Azure Firewall, Web Application Firewall on Front Door / Application Gateway, DDoS Protection, Private Endpoints / Private Link, Service Endpoints, and Bastion. Heavy on traffic-flow scenarios.
About 22%. VM hardening, Azure Disk Encryption, Microsoft Defender for Servers, Container security, Storage account security (firewalls, SAS, encryption, immutability), Key Vault, and Azure SQL security (TDE, Always Encrypted, RLS).
About 28%. Microsoft Defender for Cloud (CSPM, CWPP, regulatory compliance), Microsoft Sentinel (data connectors, analytics rules, workbooks, KQL hunting, automation), Azure Policy for security, and built-in security alerts and incident response.
$110k–$150k–$205k USD annual
Range covers US-based mid-to-senior cloud security engineers where Azure proficiency is required. Senior cloud security engineers at FAANG / fintech / regulated industries often clear $230k TC. The cert is a screening signal; production security incident-response experience drives the high end.
Source: levels.fyi 2025 cloud security / IAM-engineer roles, U.S. BLS OEWS May 2024 (15-1212 information security analysts), Glassdoor 2025. Figures are approximate; actual compensation depends on role, region, and experience.
AZ-500 is the most-requested Azure security cert in JDs and one of the highest-volume Microsoft security exams overall. Demand has accelerated through 2024–2026 as enterprises consolidate security tooling onto Microsoft Defender for Cloud and Microsoft Sentinel. Recruiters at financial services, healthcare, government contractors, and Microsoft-partner consultancies treat it as the canonical proof of Azure security competence. It pairs naturally with AZ-104 (most common pairing for security-leaning admins), with AZ-305 for security-leaning architects, with AZ-700 for network-security engineers, and with SC-200 (Security Operations Analyst) and SC-100 (Cybersecurity Architect) to round out the Microsoft security portfolio.
There are no formal prerequisites. Microsoft recommends one to two years of Azure administration experience plus working knowledge of identity, networking, and security principles. AZ-104 is highly complementary — many AZ-500 questions assume Azure-administrator-level fluency with Microsoft Entra, RBAC, and core networking. SC-900 is a useful conceptual on-ramp for candidates new to Microsoft security, but is not required.
The official Microsoft Learn path covers all four domains in roughly 35–45 hours. Hands-on lab time is essentially required: a personal Azure subscription with Microsoft Entra P2 trial, Microsoft Defender for Cloud enabled, and a small Sentinel workspace lets candidates practice Conditional Access, PIM, security alerts, and KQL hunting queries. Many candidates supplement with the official practice assessment plus a third-party video course.
AZ-500 sits in the Associate tier and is widely considered moderately to highly challenging — comparable to AZ-204 in difficulty, harder than AZ-104 by a meaningful margin given the depth of Microsoft Entra and Sentinel content. Plan on 80–120 hours of study over 8–12 weeks with prior Azure-admin experience; substantially longer without that background. The exam runs about 120 minutes — longer than most associate exams — with 40–60 questions in multiple-choice, multiple-response, drag-and-drop, hot-area, and case-study formats.
The most common stumbling block is the breadth of Microsoft Entra advanced features — Conditional Access, PIM, Identity Protection, Entitlement Management, and Access Reviews each have distinct configuration surfaces and the exam tests subtle scenario differences. Microsoft Sentinel KQL hunting queries and analytics-rule configuration also frequently surprise candidates whose only Azure experience is administrative.
Most recent skills-measured update. Expanded Microsoft Defender for Cloud CSPM coverage, added Microsoft Defender for Containers and DevOps content, modernized Sentinel automation framing. Microsoft refreshes AZ-500 approximately every 12–18 months without changing the exam code.
Restructured into the current four-domain layout, rebalanced toward security operations, renamed Azure AD references to Microsoft Entra ID, and integrated unified Microsoft Defender XDR concepts.
Initial GA. Original outline focused on Azure AD, network security groups, Azure Security Center, and Azure Sentinel (preview at the time).
AZ-500 (Microsoft Azure Security Engineer Associate) is a a moderately difficult exam expecting practical hands-on experience plus solid understanding of best practices Associate-level exam. Most candidates need 80–150 hours of study spread over 6–12 weeks for associate-level exams. Most candidates who score consistently above the passing threshold on practice exams pass on their first attempt.