Certification Overview:
The Microsoft Azure AZ-500 exam is for people who want to demonstrate or check their knowledge of deploying, installing, administering, and managing the Azure cloud from a security standpoint. You will be thoroughly tested on your knowledge and technical skills. It will take quite an effort and time to cover all the required domains of the course outline.
Exam Prerequisites:
If you are planning to attempt the Azure Security Engineer (AZ-500) exam, be sure to complete one of the following exams beforehand, as it will give you enough exposure to Azure services and offerings:
Official Learning Path:
AZ-500: Azure Security Engineer Associate
Skills Measured: This exam tests you on the following topics:
Domain 1: Manage Identity and Access (30-35%)
1.1 Manage Azure Active Directory (Azure AD) identities
- Create and manage a managed identity for Azure resources (Microsoft Documentation: Managed identities for Azure resources)
- Manage Azure AD groups (Microsoft Documentation: Manage app & resource access using groups – Azure AD)
- Manage Azure AD users (Microsoft Documentation: Quickstart: Add guest users in the Azure portal – Azure AD)
- Manage external identities by using Azure AD (Microsoft Documentation: External Identities in Azure Active Directory)
- Manage administrative units (Microsoft Documentation: Administrative units in Azure Active Directory)
1.2 Manage secure access by using Azure AD
- Monitor Azure AD Privileged Identity Management (PIM) (Microsoft Documentation: Privileged Identity Management)
- Implement Conditional Access policies including Multi-Factor Authentication (MFA) (Microsoft Documentation: Conditional Access – Require MFA for all users – Azure Active Directory)
- Configure Azure AD Identity Protection (Microsoft Documentation: Azure AD Identity Protection)
- Implement passwordless authentication (Microsoft Documentation: Enable passwordless phone sign-in authentication methods)
- Configure Access Reviews (Microsoft Documentation: Create Access and Review)
1.3 Manage application access
- Integrate single sign-on (SSO) and identity providers for authentication (Microsoft Documentation: Single sign-on in Azure Active Directory)
- Create App Registration (Microsoft Documentation: Register your app with Azure AD)
- Configure App Registration permission scopes (Microsoft Documentation: Quickstart: Configure an app to access a web API – Microsoft identity platform)
- Manage App Registration permission consent (Microsoft Documentation: Managing consent to applications and evaluating consent requests in Azure Active Directory)
- Manage API access to Azure subscriptions and resources (Microsoft Documentation: Elevate access to manage all Azure subscriptions and management groups)
- Configure an authentication method for a service principal (Microsoft Documentation: Azure authentication with service principal)
1.4 Manage access control
- Configure Azure role permissions for management groups, subscriptions, resource groups, and resources (Microsoft Documentation: Organize subscriptions into management groups and assign roles to users)
- Interpret role and resource permissions (Microsoft Documentation: Azure role-based access control (Azure RBAC))
- Assign built-in Azure AD roles (Microsoft Documentation: Azure AD built-in roles, Assign Azure AD roles to users)
- Create and assign custom roles, including Azure roles and Azure AD roles (Microsoft Documentation: Create and assign a custom role in Azure Active Directory)
Domain 2: Implement platform protection (15-20%)
2.1 Implement advanced network security
- Secure the connectivity of hybrid networks (Microsoft Documentation: Implement a secure hybrid network)
- Secure the connectivity of virtual networks (Microsoft Documentation: Azure Virtual Network)
- Create and configure Azure Firewall (Microsoft Documentation: Deploy and configure Azure Firewall using the Azure portal)
- Create and configure Azure Firewall Manager (Microsoft Documentation: Azure Firewall Manager deployment overview)
- Create and configure Azure Application Gateway (Microsoft Documentation: Direct web traffic with Azure Application Gateway)
- Create and configure Azure Front Door (Microsoft Documentation: Create a Front Door for a highly available global web application)
- Create and configure Web Application Firewall (WAF) (Microsoft Documentation: Create an application gateway with a Web Application Firewall)
- Configure a resource firewall, including a storage account, Azure SQL, Azure Key Vault, or Azure App Service (Microsoft Documentation: Configure Azure Key Vault firewalls and virtual networks, Virtual network service endpoints for Azure Key Vault)
- Configure network isolation for Web Apps and Azure Functions (Microsoft Documentation: Azure Functions networking options)
- Implement Service Endpoints (Microsoft Documentation: Azure virtual network service endpoints)
- Implement Azure Private Endpoints, including integrating with other services (Microsoft Documentation: Private endpoint)
- Implement Azure Private Links (Microsoft Documentation: Create a Private Link service by using the Azure portal)
- Implement Azure DDoS protection (Microsoft Documentation: Azure DDoS Protection Standard Overview)
2.2 Configure advanced security for compute
- Configure endpoint protection for virtual machines (VMs) (Microsoft Documentation: Install Endpoint Protection)
- Configure and monitor system updates for VMs (Microsoft Documentation: Azure Security Fundamentals, Automation Update Management)
- Configure security for container services (Microsoft Documentation: Security considerations for Azure Container Instances)
- Manage access to Azure Container Registry (Microsoft Documentation: Azure Container Registry roles and permissions)
- Configure security for serverless compute (Microsoft Documentation: Serverless Functions security)
- Configure security for an Azure App Service (Microsoft Documentation: Security in Azure App Service)
- Configure encryption at rest (Microsoft Documentation: Azure Data Encryption at rest)
- Configure encryption in transit (Microsoft Documentation: Azure encryption overview)
Domain 3: Manage Security Operations (25-30%)
3.1 Configure centralized policy management
- Configure a custom security policy (Microsoft Documentation: Create custom security initiatives and policies)
- Create a policy initiative (Microsoft Documentation: Create and manage policies to enforce compliance)
- Configure security settings and auditing by using Azure Policy (Microsoft Documentation: Manage security policies)
3.2 Configure and manage threat protection
- Configure Microsoft Defender for Servers (not including Microsoft Defender for Endpoint) (Microsoft Documentation: Onboard Windows servers to the Microsoft Defender for Endpoint service)
- Evaluate vulnerability scans from Microsoft Defender for Cloud (Microsoft Documentation: Defender for Cloud's integrated Qualys vulnerability scanner for Azure and hybrid machines)
- Configure Microsoft Defender for SQL (Microsoft Documentation: Microsoft Defender for SQL)
- Use the Microsoft Threat Modeling Tool (Microsoft Documentation: Microsoft Threat Modeling Tool)
3.3 Configure and manage security monitoring solutions
- Create and customize alert rules by using Azure Monitor (Microsoft Documentation: Create a new alert rule)
- Configure diagnostic logging and log retention by using Azure Monitor (Microsoft Documentation: Diagnostic settings in Azure Monitor)
- Monitor security logs by using Azure Monitor (Microsoft Documentation: Azure Monitor Logs overview)
- Create and customize alert rules in Microsoft Sentinel (Microsoft Documentation: Create custom analytics rules to detect threats)
- Configure connectors in Microsoft Sentinel (Microsoft Documentation: Microsoft Sentinel data connectors)
- Evaluate alerts and incidents in Microsoft Sentinel (Microsoft Documentation: Investigate incidents with Microsoft Sentinel)
Domain 4: Secure Data and Applications (25-30%)
4.1 Configure security for storage
- Configure access control for storage accounts (Microsoft Documentation: Azure Storage Authentication)
- Configure storage account access keys (Microsoft Documentation: Manage storage account access keys)
- Configure Azure AD authentication for Azure Storage and Azure Files (Microsoft Documentation: Create a profile container with Azure Files and Azure Active Directory)
- Configure delegated access
4.2 Configure security for databases
- Enable database authentication by using Azure AD (Microsoft Documentation: Configure and manage Azure AD authentication with Azure SQL)
- Enable database auditing (Microsoft Documentation: SQL Database Auditing)
- Configure dynamic masking on SQL workloads (Microsoft Documentation: Dynamic data masking)
- Implement database encryption for Azure SQL Database (Microsoft Documentation: Transparent data encryption for SQL Database)
- Implement network isolation for data solutions, including Azure Synapse Analytics and Azure Cosmos DB (Microsoft Documentation: Azure Synapse Link for Azure Cosmos DB)
4.3 Configure and manage Key Vault
- Create and configure Key Vault (Microsoft Documentation: Create a key vault using the Azure portal)
- Configure access to Key Vault (Microsoft Documentation: Assign a Key Vault access policy)
- Manage certificates, secrets, and keys (Microsoft Documentation: Azure Key Vault keys, secrets and certificates overview)
- Configure key rotation (Microsoft Documentation: Configure cryptographic key auto-rotation in Azure Key Vault)
- Configure backup and recovery of certificates, secrets, and keys (Microsoft Documentation: Azure Key Vault backup and restore)
Recommendations:
I would recommend a very good knowledge of and hands-on experience with the Azure cloud, especially from the IAM perspective. It will help you a lot in understanding the requirements and needs asked in the exam questions.
Practice, Practice, Practice!! This will save you.
Take it easy, read the question slowly (2-3 times, if required) and understand the specific need.
This exam is not that easy when compared with other Azure exams, but you will sail through it if you are focused and pay enough attention to the requirements in the exam questions.
I hope this will be helpful and encouraging!!
Best of luck!!