Microsoft Azure Security Technologies Exam (AZ-500): overview of domains

Introduction

Many organizations today are leveraging the cloud to transform their business. However, the adoption of cloud technology introduces associated risks, security and privacy concerns. Hence, the need for cybersecurity professionals with skills required to protect the environment including the data stored in the cloud.

We will offer an overview of one of Microsoft Azure’s specialized certifications — the Microsoft Certified: Azure Security Engineer Associate certification, focused on securing the cloud environment. We will answer various questions that candidates might have such as the domains, the target audience of the certification, the examination format and ways to prepare for the exam.

When you pass the Microsoft Azure Security Technologies (AZ-500) exam, you’ll earn the Microsoft Certified: Azure Security Engineer Associate certification. 

The Microsoft Azure Security Technologies (AZ-500) exam

The Microsoft Azure Security Technologies exam is intended for individuals who work in a security engineer role. Individuals are to be subject matter experts in implementing, secure controls and threat protection, managing identity and access and protecting data, applications, networks in cloud and hybrid environments as part of an end-to-end infrastructure.

A Microsoft Azure Security Engineer maintains the security posture, identifies and remediates vulnerabilities using a number of security tools, implements threat protection and responds to security incident escalations. They also serve as part of a larger team dedicated to cloud-based management and secure and may also secure hybrid environments as part of an end-to-end infrastructure.

Individuals must have at least six months of hands-on experience working and security Azure cloud environments. In addition, individuals must be familiar with scripting and automation and have a deep understanding of networking, virtualization and cloud N-tier architecture. They must also have experience with Azure products and services, as well as other Microsoft products and services.

Exam and domain overview

As of September 2020, the Microsoft Azure Security Technologies exam covers four different domains. We will briefly discuss the concepts tested in each domain of the exam. The four domains are as follows:

  1. Manage identity and access (30-35%)
  2. Implement platform protection (15-20%)
  3. Manage security operations (25-30%)
  4. Secure data and applications (20-25%)

Domain 1 — Manage identity and access (30-35%)

This domain covers working with subscriptions, users and groups by configuring Microsoft Azure Active Directory for workloads. It also covers securing resources using policy, role-based access control (RBAC) and other Azure services.

For this domain, individuals must have knowledge of:

  • Managing Azure AD identities
    • Configure security for service principals
    • Manage Azure AD directory groups
    • Manage Azure AD users
    • Configure password writeback
    • Configure authentication methods including password hash and Pass Through Authentication (PTA), OAuth and passwordless
    • Transfer Azure subscriptions between Azure AD tenants
  • Configuring secure access by using Azure AD
    • Monitor privileged access for Azure AD Privileged Identity Management (PIM)
    • Configure Access Reviews
    • Activate and configure PIM
    • Implement Conditional Access policies including Multi-Factor Authentication (MFA)
    • Configure Azure AD identity protection
  • Managing application access
    • Create App Registration
    • Configure App Registration permission scopes
    • Manage App Registration permission consent
    • Manage API access to Azure subscriptions and resources
  • Managing access control
    • Configure subscription and resource permissions
    • Configure resource group permissions
    • Configure custom RBAC roles
    • Identify the appropriate role
    • Apply principle of least privilege
    • Interpret permissions
    • Check access

Domain 2 — Implement platform protection (15-20%)

This domain covers protecting and hardening virtual machines and configuring, protecting and isolating networks in Azure.

For this domain, individuals must have knowledge of:

  • Implementing advanced network security
    • Secure the connectivity of virtual networks (i.e., Virtual Private Network authentication and Express Route encryption)
    • Configure Network Security Groups (NSGs) and Application Security Groups (ASGs)
    • Create and configure Azure Firewall
    • Configure Azure Front Door service as an Application Gateway
    • Configure a Web Application Firewall (WAF) on Azure Application Gateway
    • Configure Azure Bastion
    • Configure a firewall on a storage account, Azure SQL, KeyVault, or App Service
    • Implement Service Endpoints
    • Implement Distributed Denial-of-Service (DDoS) protection
  • Configuring advanced security for compute
    • Configure endpoint protection
    • Configure and monitor system updates for Virtual Machines (VMs)
    • Configure authentication for Azure Container Registry (ACR)
    • Configure security for different types of containers
    • Implement vulnerability management
    • Configure isolation for Azure Kubernetes Service (AKS)
    • Configure security for container registry
    • Implement Azure Disk Encryption
    • Configure authentication and security for Azure App Service
    • Configure Secure Sockets Layer (SSL)/ Transport Layer Security (TLS) certs
    • Configure authentication for Azure Kubernetes Service
    • Configure automatic updates

Domain 3 — Manage security operations (25-30%)

This domain configuring security policies and managing security alerts with the tools and services in Azure.

For this domain, individuals must have knowledge of:

  • Monitoring security by using Azure Monitor
    • Create and customize alerts
    • Monitor security logs by using Azure Monitor
    • Configure diagnostic logging and log retention
  • Monitoring security by using Azure Security Center
    • Evaluate vulnerability scans from Azure Security Center
    • Configure Just in Time VM access by using Azure Security Center
    • Configure centralized policy management by using Azure Security Center
    • Configure compliance policies and evaluate for compliance by using Azure Security Center
  • Monitoring security by using Azure Sentinel
    • Create and customize alerts
    • Configure data sources to Azure Sentinel
    • Evaluate results from Azure Sentinel
    • Configure workflow automation by using Azure Sentinel
  • Configuring security policies
    • Configure security settings by using Azure Policy
    • Configure security settings by using Azure Blueprint
    • Configure a playbook by using Azure Sentinel

Domain 4Secure data and applications (20-25%)

This domain covers securing Azure app and associated data with encryption, certificates and policies.

For this domain, individuals must have knowledge of:

  • Configuring security for storage
    • Configure access control for storage accounts
    • Configure key management for storage accounts
    • Configure Azure AD authentication for Azure Storage
    • Configure Azure AD Domain Services authentication for Azure Files
    • Create and manage Shared Access Signatures (SAS)
    • Create a shared access policy for a blob or blob container
    • Configure Storage Service Encryption
  • Configuring security for databases
    • Enable database authentication
    • Enable database auditing
    • Configure Azure SQL Database Advanced Threat Protection (ATP)
    • Implement database encryption
    • Implement Azure SQL Database Always Encrypted
  • Configuring and managing Key Vault
    • Manage access to Key Vault
    • Manage permissions to secrets, certificates and keys
    • Configure role-based access control (RBAC) usage in Azure Key Vault
    • Manage certificates
    • Manage secrets
    • Configure key rotation
    • Backup and restore of Key Vault items

The examination: Questions/format/length

The exam consists of 40 to 60 questions and you’ll have 180 minutes for the Microsoft Azure Security Technologies exam. Candidates are required to earn a minimum passing score of 700 out of 1000 points to pass.

As of September 2020, the Microsoft Azure Security Engineer Associate certificate expires after two years.

Cost of the Microsoft Azure Security Technologies (AZ-500) exam

The Microsoft Azure Security Technologies exam typically costs $165, but may differ slightly depending on the country where you write the exam.

Preparing for the Microsoft Azure Security Technologies (AZ-500) exam

There are a number of ways to prepare for the certifications, depending on the candidate’s experience level.

Microsoft Azure official site

The Microsoft Azure official site is the most reliable source of information. One of the best ways for preparing for the exam is reading the documentation, FAQs, whitepapers and case studies on the Microsoft Azure site. They are quite robust, explain the key areas in detail and provide up-to-date information.

Online courses

There are a lot of courses available today which can be taken from the comfort of your house and at your own pace. They cover everything you need to know to take the exams in-depth and are usually updated with recent changes. In addition, many courses have the hands-on labs which allow you to deploy services on Microsoft Azure with step-by-step instructions. 

Many of the questions you will encounter in the Microsoft Azure Security Technologies exam are scenario-based and case studies-based questions and having hands-on experience helps.

Practice tests

This is the most important step in preparing for the exam. Practice tests are said to be more difficult than the actual test. However, I believe encountering lots of practice tests helps to validate your understanding, identify areas of improvements and helps in developing approaches in understanding and solving the questions quickly. Practice tests also make you well-acquainted with the exam format and environment.

Where to write the Microsoft Azure Security Technologies (AZ-500) exam

Currently, there are two ways of taking the Microsoft Azure Security Technologies (AZ-500) exam.

Physical test center

This is the standard test-taking process where you register and take the exam in a local testing center. With the COVID-19 situation, most test centers are closed; however, you can check your local testing center for its policies.

Online proctoring

You can take the exam in the comfort of your home or office using your computer. The exam delivery is monitored by a proctor via webcam and microphone. However, certain requirements must be met in order to maintain the integrity of the exam such as ensuring the room is free from disruptions, a scan of the work area by the proctor.

Conclusion

This overview describes what candidates need to know before taking the Microsoft Azure Security Technologies exam. Having a Microsoft Azure Certification is likely to boost your career. It is a great way to validate your skills and differentiate yourself from others. You’ll also need practical, hands-on experience and knowledge to guide you in real-life environments.

 

Sources

Exam AZ-500: Microsoft Azure Security Technologies, Microsoft

Microsoft Certified: Azure Security Engineer Associate, Microsoft

Azure Security Engineer Learning Path, Microsoft

Be Safe

Section Guide

Mosimilolu
Odusanya

View more articles from Mosimilolu

Earn your CISSP the first time with Infosec and pass your exam, GUARANTEED!

Section Guide

Mosimilolu
Odusanya

View more articles from Mosimilolu