Microsoft Azure

Microsoft Azure Security Technologies Exam (AZ-500): overview of domains

Introduction

Many organizations today are leveraging the cloud to transform their business. However, the adoption of cloud technology introduces associated risks, security and privacy concerns. Hence, the need for cybersecurity professionals with skills required to protect the environment including the data stored in the cloud.

We will offer an overview of one of Microsoft Azure’s specialized certifications — the Microsoft Certified: Azure Security Engineer Associate certification, focused on securing the cloud environment. We will answer various questions that candidates might have such as the domains, the target audience of the certification, the examination format and ways to prepare for the exam.

Make Your Resume Stand Out With a Microsoft Azure Certification

Cloud technologies and services have revolutionized how we manage our IT and business ecosystems. Whether you're new to the field or an experienced professional, a Microsoft Azure certification can help build your skills and accelerate your career.

View Pricing

When you pass the Microsoft Azure Security Technologies (AZ-500) exam, you’ll earn the Microsoft Certified: Azure Security Engineer Associate certification.

The Microsoft Azure Security Technologies (AZ-500) exam

The Microsoft Azure Security Technologies exam is intended for individuals who work in a security engineer role. Individuals are to be subject matter experts in implementing, secure controls and threat protection, managing identity and access and protecting data, applications, networks in cloud and hybrid environments as part of an end-to-end infrastructure.

A Microsoft Azure Security Engineer maintains the security posture, identifies and remediates vulnerabilities using a number of security tools, implements threat protection and responds to security incident escalations. They also serve as part of a larger team dedicated to cloud-based management and secure and may also secure hybrid environments as part of an end-to-end infrastructure.

Individuals must have at least six months of hands-on experience working and security Azure cloud environments. In addition, individuals must be familiar with scripting and automation and have a deep understanding of networking, virtualization and cloud N-tier architecture. They must also have experience with Azure products and services, as well as other Microsoft products and services.

Exam and domain overview

As of September 2020, the Microsoft Azure Security Technologies exam covers four different domains. We will briefly discuss the concepts tested in each domain of the exam. The four domains are as follows:

Manage identity and access (30-35%)
Implement platform protection (15-20%)
Manage security operations (25-30%)
Secure data and applications (20-25%)

Domain 1 — Manage identity and access (30-35%)

This domain covers working with subscriptions, users and groups by configuring Microsoft Azure Active Directory for workloads. It also covers securing resources using policy, role-based access control (RBAC) and other Azure services.

For this domain, individuals must have knowledge of:

Managing Azure AD identities

Configure security for service principals
Manage Azure AD directory groups
Manage Azure AD users
Configure password writeback
Configure authentication methods including password hash and Pass Through Authentication (PTA), OAuth and passwordless
Transfer Azure subscriptions between Azure AD tenants

Configuring secure access by using Azure AD

Monitor privileged access for Azure AD Privileged Identity Management (PIM)
Configure Access Reviews
Activate and configure PIM
Implement Conditional Access policies including Multi-Factor Authentication (MFA)
Configure Azure AD identity protection

Managing application access

Create App Registration
Configure App Registration permission scopes
Manage App Registration permission consent
Manage API access to Azure subscriptions and resources

Managing access control

Configure subscription and resource permissions
Configure resource group permissions
Configure custom RBAC roles
Identify the appropriate role
Apply principle of least privilege
Interpret permissions
Check access

Domain 2 — Implement platform protection (15-20%)

This domain covers protecting and hardening virtual machines and configuring, protecting and isolating networks in Azure.

For this domain, individuals must have knowledge of:

Implementing advanced network security

Secure the connectivity of virtual networks (i.e., Virtual Private Network authentication and Express Route encryption)
Configure Network Security Groups (NSGs) and Application Security Groups (ASGs)
Create and configure Azure Firewall
Configure Azure Front Door service as an Application Gateway
Configure a Web Application Firewall (WAF) on Azure Application Gateway
Configure Azure Bastion
Configure a firewall on a storage account, Azure SQL, KeyVault, or App Service
Implement Service Endpoints
Implement Distributed Denial-of-Service (DDoS) protection

Configuring advanced security for compute

Configure endpoint protection
Configure and monitor system updates for Virtual Machines (VMs)
Configure authentication for Azure Container Registry (ACR)
Configure security for different types of containers
Implement vulnerability management
Configure isolation for Azure Kubernetes Service (AKS)
Configure security for container registry
Implement Azure Disk Encryption
Configure authentication and security for Azure App Service
Configure Secure Sockets Layer (SSL)/ Transport Layer Security (TLS) certs
Configure authentication for Azure Kubernetes Service
Configure automatic updates

Domain 3 — Manage security operations (25-30%)

This domain configuring security policies and managing security alerts with the tools and services in Azure.

For this domain, individuals must have knowledge of:

Monitoring security by using Azure Monitor

Create and customize alerts
Monitor security logs by using Azure Monitor
Configure diagnostic logging and log retention

Monitoring security by using Azure Security Center

Evaluate vulnerability scans from Azure Security Center
Configure Just in Time VM access by using Azure Security Center
Configure centralized policy management by using Azure Security Center
Configure compliance policies and evaluate for compliance by using Azure Security Center

Monitoring security by using Azure Sentinel

Create and customize alerts
Configure data sources to Azure Sentinel
Evaluate results from Azure Sentinel
Configure workflow automation by using Azure Sentinel

Configuring security policies

Configure security settings by using Azure Policy
Configure security settings by using Azure Blueprint
Configure a playbook by using Azure Sentinel

Domain 4 — Secure data and applications (20-25%)

This domain covers securing Azure app and associated data with encryption, certificates and policies.

For this domain, individuals must have knowledge of:

Configuring security for storage

Configure access control for storage accounts
Configure key management for storage accounts
Configure Azure AD authentication for Azure Storage
Configure Azure AD Domain Services authentication for Azure Files
Create and manage Shared Access Signatures (SAS)
Create a shared access policy for a blob or blob container
Configure Storage Service Encryption

Configuring security for databases

Enable database authentication
Enable database auditing
Configure Azure SQL Database Advanced Threat Protection (ATP)
Implement database encryption
Implement Azure SQL Database Always Encrypted

Configuring and managing Key Vault

Manage access to Key Vault
Manage permissions to secrets, certificates and keys
Configure role-based access control (RBAC) usage in Azure Key Vault
Manage certificates
Manage secrets
Configure key rotation
Backup and restore of Key Vault items

The examination: Questions/format/length

The exam consists of 40 to 60 questions and you’ll have 180 minutes for the Microsoft Azure Security Technologies exam. Candidates are required to earn a minimum passing score of 700 out of 1000 points to pass.

As of September 2020, the Microsoft Azure Security Engineer Associate certificate expires after two years.

Cost of the Microsoft Azure Security Technologies (AZ-500) exam

The Microsoft Azure Security Technologies exam typically costs $165, but may differ slightly depending on the country where you write the exam.

Preparing for the Microsoft Azure Security Technologies (AZ-500) exam

There are a number of ways to prepare for the certifications, depending on the candidate’s experience level.

Microsoft Azure official site

The Microsoft Azure official site is the most reliable source of information. One of the best ways for preparing for the exam is reading the documentation, FAQs, whitepapers and case studies on the Microsoft Azure site. They are quite robust, explain the key areas in detail and provide up-to-date information.

Online courses

There are a lot of courses available today which can be taken from the comfort of your house and at your own pace. They cover everything you need to know to take the exams in-depth and are usually updated with recent changes. In addition, many courses have the hands-on labs which allow you to deploy services on Microsoft Azure with step-by-step instructions.

Many of the questions you will encounter in the Microsoft Azure Security Technologies exam are scenario-based and case studies-based questions and having hands-on experience helps.

Practice tests

This is the most important step in preparing for the exam. Practice tests are said to be more difficult than the actual test. However, I believe encountering lots of practice tests helps to validate your understanding, identify areas of improvements and helps in developing approaches in understanding and solving the questions quickly. Practice tests also make you well-acquainted with the exam format and environment.

Where to write the Microsoft Azure Security Technologies (AZ-500) exam

Currently, there are two ways of taking the Microsoft Azure Security Technologies (AZ-500) exam.

Physical test center

This is the standard test-taking process where you register and take the exam in a local testing center. With the COVID-19 situation, most test centers are closed; however, you can check your local testing center for its policies.

Online proctoring

You can take the exam in the comfort of your home or office using your computer. The exam delivery is monitored by a proctor via webcam and microphone. However, certain requirements must be met in order to maintain the integrity of the exam such as ensuring the room is free from disruptions, a scan of the work area by the proctor.

Conclusion

This overview describes what candidates need to know before taking the Microsoft Azure Security Technologies exam. Having a Microsoft Azure Certification is likely to boost your career. It is a great way to validate your skills and differentiate yourself from others. You’ll also need practical, hands-on experience and knowledge to guide you in real-life environments.

Sources

Exam AZ-500: Microsoft Azure Security Technologies, Microsoft

Microsoft Certified: Azure Security Engineer Associate, Microsoft

Make Your Resume Stand Out With a Microsoft Azure Certification

View Pricing

Azure Security Engineer Learning Path, Microsoft

Posted: October 12, 2020

Mosimilolu Odusanya

View Profile

Mosimilolu (or 'Simi') works as a full-time cybersecurity consultant, specializing in privacy and infrastructure security. Outside of work, her passions includes watching anime and TV shows and travelling.