The AZ-500 exam description had a major revision in September, both structurally and in content, with some items being removed while others have been expanded, especially in the networking, containers and data sections. There are enough changes in this exam that you should definitely re-evaluate your comfort level with the items on a line by line basis to make sure that the changes aren’t being missed.

Some of the areas that have been deemphasized in this update are as follows. Azure AD has less of a focus on hybrid identity, some of the focus on Azure Security Center/Azure Defender has been reduced, and the Azure Monitor and Sentinel sections are combined. This streamlining suggests to me that the exams in the SC-x00 series are taking on more of the burden for testing on these technologies, but they haven’t been eliminated from this exam as they are foundations of a secure Azure environment.

If you are starting your preparation from scratch, following are some examples of guidance for how you should focus your preparation.

If you are already familiar with Azure Active Directory (AAD) Premium P2 functionality, whether through Azure of through Microsoft 365 related services, you should be in pretty good shape for this exam. There is an exception here though – make sure you spend extra time in the managing application access section, this isn’t something you may have had exposure to. If you don’t have much AAD experience, then you will need to spend time here understanding the capabilities of AAD Premium P2, not just the free edition that’s included with Azure subscriptions by default.

If you are approaching this exam with a fairly solid understanding of networking concepts including subnets, routing, appliances etc. you are off to a strong start with the advanced network security section. The most important thing here is for you to understand how the Azure native versions of the services may differ from those of other solutions from other vendors. If you don’t have much or any networking in your prior experiences, make sure you spend some time going through some basics of TCP/IP and networking including what’s mentioned earlier in this paragraph, and then focus on the technologies in the exam objectives.

During the early days of this exam, understanding how to protect Azure virtual machines worked would have covered you quite well in the advanced security for compute section, but now you can’t just know what acronyms like ACI, ACR, AKS etc. stand for, you also need to how to secure them, including their networking configuration. At this stage it’s most likely you’re familiar with these container related technologies if you have Linux experience, but over the last few years I’ve seen more Windows centric exam takers having some exposure to these technologies as well. This update has had some major changes in the container and serverless related objectives so expect to see more questions on those.

The final thing here is to make sure you have an understanding of what’s in Azure Security Center, and the additional features you get when you move up to Azure Defender capabilities for the different workloads. Use the additional workload protections to help drive your understanding of the workloads that you aren’t familiar with. Even though this seems to have been deemphasized a little in this update, Azure Defender for Servers and Azure Defender for SQL do get mentioned, along with Azure defender vulnerability scans.

The examples I’ve just provided don’t cover all of the different combinations of exam preparation scenarios based on your skills, but hopefully they give you some idea of what I see catch people out.

Manage identity and access (30-35%)

Manage Azure Active Directory (Azure AD) identities

• create and manage a managed identity for Azure resources
  • Managed identity best practice recommendations
  • About managed identities for Azure resources
• manage Azure AD groups
  • Create a dynamic group
  • PowerShell for Azure AD groups
• manage Azure AD users
  • Add or delete users using Azure Active Directory  
• manage external identities by using Azure AD
  • Understand the B2B guest user
  • How a B2B guest redeems an invitation
• manage administrative units
  • Administrative units

Manage secure access by using Azure AD

• configure Azure AD Privileged Identity Management (PIM)
  • Deploy Azure AD Privileged Identity Management (PIM)  
  • Configure security alerts for Azure AD roles in Privileged Identity Management   
• implement Conditional Access policies, including multifactor authentication
  • Secure Azure Active Directory users with Multi-Factor Authentication
  • Configure Azure Multi-Factor Authentication settings
• implement Azure AD Identity Protection
  • What is Azure Active Directory Identity Protection?
• implement passwordless authentication
  • Passwordless authentication options for Azure Active Directory   
• configure access reviews
  • Plan Access review deployment
  • Create an access review of Azure AD roles in Privileged Identity Management  
  • Create an access review of an access package in Azure AD entitlement management

Manage application access

• integrate single sign-on (SSO) and identity providers for authentication
  • Build an app using Microsoft identities or social accounts
• create an app registration
  • QuickStart: Register an application with the Microsoft identity platform  
• configure app registration permission scopes
  • Permissions and consent in the Microsoft identity platform endpoint
• manage app registration permission consent
  • Configure how end-users consent to applications
• manage API permissions to Azure subscriptions and resources
  • Get access on behalf of a user
  • Authentication flows and application scenarios
• configure an authentication method for a service principal
  • Application and service principal objects in Azure Active Directory  

Manage access control

• configure Azure role permissions for management groups, subscriptions, resource groups, and resources
  • Elevate access to manage all Azure subscriptions and management groups  
  • Add or change Azure subscription administrators  
  • What is Azure role-based access control (Azure RBAC)?
• interpret role and resource permissions
  • Quickstart: View the access a user has to Azure resources  
  • List Azure role definitions  
  • List Azure role assignments using the Azure portal  
  • Best practices for Azure RBAC
  • Lock resources to prevent unexpected changes
• assign built-in Azure AD roles
  • Assign directory roles
  • View roles assigned to a group
• create and assign custom roles, including Azure roles and Azure AD roles
  • Create Custom Azure Roles
  • Create custom Azure AD roles

Implement platform protection (15-20%)

Implement advanced network security

• secure the connectivity of hybrid networks
  • VPN Gateway design  
  • ExpressRoute encryption  
  • About Point-to-Site VPN  
  • Create a Site-to-Site connection in the Azure portal  
  • Configure virtual network connectivity
• secure the connectivity of virtual networks
  • Network security groups  
  • Create, change, or delete a network security group
  • Tutorial: Filter network traffic with a network security group using the Azure portal  
  • Bastion and VNet peering
  • Quickstart: Connect to a virtual machine using a private IP address and Azure Bastion
  • Application security groups  
• create and configure Azure Firewall
  • Tutorial: Deploy and configure Azure Firewall using the Azure portal
  • Tutorial: Deploy and configure Azure Firewall in a hybrid network using the Azure portal
• create and configure Azure Firewall Manager
  • Secure virtual hub – ARM template
  • General deployment process
• create and configure Azure Application Gateway
  • Encrypt network traffic end to end with Azure Application Gateway
• create and configure Azure Front Door
  • Quickstart: Create a Front Door for a highly available global web application
• create and configure Web Application Firewall (WAF)
  • Azure Web Application Firewall on Azure Application Gateway
• configure a resource firewall, including storage account, Azure SQL, Azure Key Vault, or Azure App Service
  • Security in Azure App Service
  • Azure SQL Database and Azure Synapse IP firewall rules
  • Configure Azure Storage firewalls and virtual networks
  • Access Azure Key Vault behind a firewall
• configure network isolation for Web Apps and Azure Functions
  • Security in Azure App Service
• implement Azure Service Endpoints
  • Virtual Network service endpoints
  • Tutorial: Restrict network access to PaaS resources with virtual network service endpoints using the Azure portal
  • Create, change, or delete service endpoint policy using the Azure portal
• implement Azure Private Endpoints, including integrating with other services
  • Quickstart: Create a Private Endpoint using Azure portal
  • Use private endpoints for Azure Storage
• implement Azure Private Links
  • What is Azure Private Link?
  • Use portal to create private link for managing Azure resources
• implement Azure DDoS Protection
  • Azure DDoS Protection Standard overview

Configure advanced security for compute

• configure Azure Endpoint Protection for virtual machines (VMs)
  • Endpoint protection assessment and recommendations
  • Feature coverage for machines
  • Security management in Azure
  • Microsoft Antimalware for Azure Cloud Services and Virtual Machines
• Implement and manage security updates for VMs
  • Manage updates and patches for your Azure VMs
  • Manage updates for multiple VMs
  • Keep your virtual machines updated
  • Security best practices for IaaS workloads in Azure
  • Vulnerability assessments for your Azure Virtual Machines
  • Integrated vulnerability scanner for virtual machines
• configure security for container services
  • Container Security in Azure
  • How to use managed identities with Azure Container Instances
  • Security concepts for applications and clusters in Azure Kubernetes Service (AKS)
  • Best practices for cluster isolation in Azure Kubernetes Service (AKS)
  • Update containers in Azure Container Instances
  • Service principals with Azure Kubernetes Service (AKS)
  • Integrate Azure Active Directory with Azure Kubernetes Service  
  • Use managed identities in Azure Kubernetes Service 
• manage access to Azure Container Registry
  • Authenticate with an Azure container registry
• configure security for serverless compute
  • Serverless Functions app security
• configure security for an Azure App Service
  • Authentication and authorization in Azure App Service and Azure Functions
  • OS and runtime patching in Azure App Service
• configure encryption at rest
  • Azure Disk Encryption for Windows VMs
  • Azure Storage encryption for data at rest
• configure encryption in transit
  • Add a TLS/SSL certificate in Azure App Service
  • Secure a custom DNS name with a TLS/SSL binding in Azure App Service

Manage security operations (25-30%)

Configure centralized policy management

• configure a custom security policy
  • Tutorial: Create and manage policies to enforce compliance
  • Tutorial: Create a custom policy definition
  • Integrate Azure Key Vault with Azure Policy
• create a policy initiative
  • Initiative Definition
• configure security settings and auditing by using Azure Policy
  • Working with security policies
  • Azure security policies monitored by Security Center

Configure and manage threat protection

• configure Azure Defender for Servers (not including Microsoft Defender for Endpoint)
  • Overview of Azure Defender for servers
  • Secure your management ports with just-in-time access
  • File integrity monitoring
  • Use adaptive application controls to reduce your machines’ attack surfaces
  • Improve your network security posture with adaptive network hardening
• evaluate vulnerability scans from Azure Defender
  • Vulnerability assessments for your Azure Virtual Machines
  • Integrated vulnerability scanner for virtual machines
• configure Azure Defender for SQL
  • Use Azure Defender for SQL
  • Advanced Threat Protection for Azure SQL Database, SQL Managed Instance, and Azure Synapse Analytics
• use the Microsoft Threat Modeling Tool
  • Getting started with the Threat Modeling Tool

Configure and manage security monitoring solutions

• create and customize alert rules by using Azure Monitor
  • Create, view, and manage log alerts using Azure Monitor
  • Create, view, and manage metric alerts using Azure Monitor
  • Tutorial: Set up automated threat responses in Azure Sentinel
• configure diagnostic logging and log retention by using Azure Monitor
  • Create diagnostic setting to collect resource logs and metrics in Azure
  • Overview of Azure platform logs
• monitor security logs by using Azure Monitor
  • Security alerts in Azure Security Center
  • Manage and respond to security alerts in Azure Security Center
  • Tutorial: Get started with Log Analytics queries
  • Get started with log queries in Azure Monitor
• create and customize alert rules in Azure Sentinel
  • Automatically create incidents from Microsoft security alerts
  • Tutorial: Create custom analytic rules to detect suspicious threats
  • Quickstart: Get started with Azure Sentinel
• configure connectors in Azure Sentinel
  • Connect data sources
• evaluate alerts and incidents in Azure Sentinel
  • Tutorial: Visualize and monitor your data
  • Tutorial: Investigate incidents with Azure Sentinel

Secure data and applications (25–30%)

Configure security for storage

• configure access control for storage accounts
  • Authorizing access to data in Azure Storage
  • Security recommendations for Blob storage
  • Configure Azure Defender for Storage
• configure storage account access keys
  • Manage storage account access keys
  • Use the Azure portal to access blob or queue data
• configure Azure AD authentication for Azure Storage and Azure Files
  • Authorize access to blobs and queues using Azure Active Directory
  • Acquire a token from Azure AD for authorizing requests from a client application
  • Overview – on-premises Active Directory Domain Services authentication over SMB for Azure file shares
  • Enable Azure Active Directory Domain Services authentication on Azure Files
• configure delegated access
  • Grant limited access to Azure Storage resources using shared access signatures

Configure security for data

• enable database authentication by using Azure AD
  • Use Azure Active Directory authentication
  • Configure and manage Azure AD authentication with Azure SQL
• enable database auditing
  • Auditing for Azure SQL Database and Azure Synapse Analytics
• configure dynamic masking on SQL workloads
  • Dynamic data masking
• implement database encryption for Azure SQL Database
  • Tutorial: Secure a database in Azure SQL Database
  • Transparent Data Encryption
  • Always Encrypted
  • Overview of key management for Always Encrypted
  • Configure Always Encrypted by using Azure Key Vault
• implement network isolation for data solutions, including Azure Synapse Analytics and Azure Cosmos DB
  • Synapse workspace data exfiltration protection
  • Synapse workspace Managed private endpoints
  • Cosmos DB Configure access from virtual networks
  • Cosmos DB Configure access from private endpoints

Configure and manage Azure Key Vault

• create and configure Key Vault
  • Azure Key Vault security
  • Azure Defender for Key Vault
• configure access to Key Vault
  • Secure access to a key vault
  • Provide Key Vault authentication with a managed identity
  • Azure Policy built-in policy definitions for Key Vault
• manage certificates, secrets, and keys
  • About Azure Key Vault secrets
  • Tutorial: Import a certificate in Azure Key Vault
  • Configure customer-managed keys with Azure Key Vault by using the Azure portal
• configure key rotation
  • About Azure Key Vault keys
  • Set up Azure Key Vault with key rotation and auditing
  • Tutorial: Configure certificate autorotation in Key Vault
  • Automate the rotation of a secret for resources that use single-user/single-password authentication
• configure backup and recovery of certificates, secrets, and keys
  • Azure Key Vault soft-delete overview
  • Azure Key Vault backup