How to Pass the AZ-500 Azure Security Exam in 2026

Published:18 May 2026 - 11 min. read

Adam Bertram Image

Adam Bertram

Read more tutorials by Adam Bertram!

Audit your Active Directory for weak passwords and risky accounts. Run your free Specops scan now!

LinkedIn

You booked the AZ-500 exam for next month. You have skimmed the official skills outline, watched a couple of YouTube crash courses, and bought a practice test bundle. Then you opened a Microsoft Sentinel workspace for the first time and realized you cannot write a Kusto query to save your life. That gap, between reading about Azure security and actually configuring it, is exactly what the AZ-500 is built to find.

This tutorial walks you through a working AZ-500 preparation plan. You will pick a study cadence that fits the exam’s four domains, build a hands-on lab list that mirrors the questions you will see, learn the exam mechanics that trip up most candidates, and finish with a calibration loop using practice assessments so you can predict your real score within a few points. By the end you will have a concrete week-by-week path to the Microsoft Certified: Azure Security Engineer Associate credential, with the labs and queries you actually need to write.

One thing to flag before you start. The AZ-500 exam is scheduled to retire on August 31, 2026, after which Microsoft transitions to the SC-500: Cloud and AI Security Engineer credential. If you are reading this and you already have the certification, your annual renewal assessment continues to work. If you are still studying, this post applies cleanly through the retirement date, and the hands-on skills carry directly into SC-500.

What the AZ-500 Actually Tests

The AZ-500 validates that you can implement, manage, and monitor security across Azure, multi-cloud, and hybrid environments. That sounds broad, and the exam treats it that way. You will see 40 to 60 questions in 100 minutes of exam time, with a passing score of 700 out of 1000, and the questions lean heavily on scenarios where the wrong answer is a service that almost works.

Microsoft groups the tested skills into four domains, each with a published weighting:

Domain Focus Weight
1 Secure identity and access 15-20%
2 Secure networking 20-25%
3 Secure compute, storage, and databases 20-25%
4 Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel 30-35%

Notice that Domain 4 is twice the weight of Domain 1. That is not a typo, and it should drive how you allocate study time. The exam expects you to operate Microsoft Defender for Cloud for posture management and Microsoft Sentinel for detection and response — and to know which one to reach for in a given scenario.

The chart below makes the disparity easier to internalize than the raw percentages do.

AZ-500 domain weights

Domain weight breakdown

[!IMPORTANT]

Most candidates over-study identity because it feels familiar from AZ-104, then under-study Sentinel because KQL is uncomfortable. Invert that instinct. Domain 4 is where the points are.

Who Should Take This Exam (and Who Should Wait)

The AZ-500 is not an entry-level exam. Microsoft positions it for engineers who already know how Azure works and want to specialize in security. You do not need a specific prior certification, but if you cannot answer the following without thinking, hold off and study AZ-104 first.

  • What is the difference between a subscription and a resource group, and how do they affect RBAC inheritance?

  • How does an Azure virtual network differ from a subnet, and what is the role of a route table?

  • How would you grant a virtual machine access to a storage account without storing credentials in code?

If those three questions feel unstable, the AZ-500 will feel like reading a foreign language. The exam assumes you already speak Azure; it tests whether you can secure what you already know how to build.

Prerequisites for This Study Plan

If you want to follow along hands-on, you will need:

  • An Azure free account or a Visual Studio Enterprise subscription so you can provision real resources. The free tier covers most labs, but Defender for Cloud workload plans bill outside the free credit, so monitor your spend.

  • Azure CLI version 2.50 or later. Verify by running az --version and az login to confirm authentication works.

  • A Microsoft Entra ID tenant where you have at least the Security Administrator role. If you are using the free account, the account you created with becomes the Global Administrator and that is enough.

  • A GitHub account to clone the official MicrosoftLearning/AZ500-AzureSecurityTechnologies lab repository.

  • 6 to 12 weeks of calendar time, with 1 to 2 focused hours per weekday and longer lab sessions on weekends. Skip this only if you already do security work in Azure daily.

A Microsoft Entra ID P2 license is helpful for Privileged Identity Management labs but not required. If you do not have one, a P2 trial covers the duration of your study window.

Build Your Eight-Week Study Plan

Eight weeks is the sweet spot for engineers with a year or two of Azure experience. Compress to six if you live in Azure daily, or stretch to twelve if you are coming from AWS or on-premises security work.

The roadmap below shows how the eight weeks map to the four domains, ending at exam day.

AZ-500 study roadmap

8-week study roadmap

Weeks One and Two: Identity and Access (Domain 1)

Identity is foundational, even though it is the smallest weighted domain, because Domain 4 alerts and Domain 2 access controls both depend on it. Focus on three things: Azure RBAC, Conditional Access, and Privileged Identity Management.

The single most-tested distinction in this domain is the difference between PIM, Conditional Access, and Access Reviews. Memorize this mapping and you will recover at least three questions on exam day:

  • PIM activates an existing role for a limited time, with optional approval and MFA. Think “I am a Subscription Owner for the next four hours.”

  • Conditional Access evaluates every sign-in against if-then policies. Think “if the user is outside the US, require MFA.”

  • Access Reviews ask owners to confirm whether a user still needs an existing assignment. Think “does Jamie still need Storage Account Contributor?”

Run these commands to provision an isolated lab sandbox and a custom role you will reuse throughout the study plan:

az group create --name rg-az500-lab --location eastus
az role definition create --role-definition '{
  "Name": "AZ-500 Lab Reader",
  "Description": "Read-only for the AZ-500 lab resource group",
  "Actions": ["*/read"],
  "NotActions": ["Microsoft.KeyVault/vaults/secrets/getSecret/action"],
  "AssignableScopes": ["/subscriptions/<your-subscription-id>"]
}'

The NotActions line is intentional. Built-in roles include actions you cannot easily remove, but custom roles let you subtract permissions, which the exam will quiz you on. Read the definition carefully — Azure RBAC computes effective permissions as Actions - NotActions, scoped to where the role is assigned.

Weeks Three and Four: Networking (Domain 2)

The networking domain wants you to know when to reach for a Network Security Group, an Azure Firewall, an Application Gateway with Web Application Firewall, or a private endpoint. All four show up in the same exam, often in the same scenario.

Build a working zero-trust network using a hub-and-spoke topology. The exam loves this architecture because it forces you to make decisions about traffic flow.

az network vnet create \
  --resource-group rg-az500-lab \
  --name vnet-hub \
  --address-prefix 10.0.0.0/16 \
  --subnet-name AzureFirewallSubnet \
  --subnet-prefix 10.0.1.0/26

az network firewall create \
  --resource-group rg-az500-lab \
  --name afw-az500-lab \
  --location eastus \
  --tier Standard
[!TIP]

The Azure Firewall subnet must be named exactly AzureFirewallSubnet and must be at least /26. The exam will test both constraints with deliberately wrong values. The same naming rule applies to AzureBastionSubnet and GatewaySubnet.

After the firewall is deployed, attach an NSG to a workload subnet and force traffic through the firewall using a user-defined route. This is the topology that powers the zero-trust scenarios on the exam — the difference between a question you guess and a question you solve is whether you have built it once.

Weeks Five and Six: Compute, Storage, and Databases (Domain 3)

Domain 3 covers a wide surface area: virtual machine hardening, Azure Bastion, just-in-time access, Azure Key Vault, disk encryption, Azure SQL security, and storage account controls. The unifying theme is “remove the secret, remove the public IP, encrypt the data, and authenticate with a managed identity.”

The single most useful pattern to internalize is the managed identity to Key Vault flow. It appears in some form in nearly every exam:

Create the Key Vault with RBAC authorization and soft-delete protection:

az keyvault create \
  --resource-group rg-az500-lab \
  --name kv-az500-$RANDOM \
  --enable-rbac-authorization true \
  --enable-purge-protection true \
  --retention-days 90

Then assign a system-assigned managed identity to a VM and grant it secret access:

az vm identity assign \
  --resource-group rg-az500-lab \
  --name vm-az500-app

az role assignment create \
  --assignee-object-id $(az vm show -g rg-az500-lab -n vm-az500-app --query identity.principalId -o tsv) \
  --role "Key Vault Secrets User" \
  --scope $(az keyvault show -g rg-az500-lab -n kv-az500-$RANDOM --query id -o tsv)

Three details to notice. The --enable-rbac-authorization flag is the modern path; the exam will offer you legacy access policies as a distractor. The --enable-purge-protection flag is irreversible once enabled — the exam tests whether you know that. And the role Key Vault Secrets User reads secrets but cannot list them, which is the right scope for an application.

Weeks Seven and Eight: Defender for Cloud and Sentinel (Domain 4)

This is the largest domain and the one that decides whether you pass. Defender for Cloud and Sentinel are two distinct products that often appear in the same scenario, and the exam tests whether you can route the right work to the right tool.

Defender for Cloud is your posture and workload protection layer. It generates a Secure Score, evaluates your environment against the Microsoft Cloud Security Benchmark, and provides workload-specific plans like Defender for Servers and Defender for SQL. Sentinel is your SIEM and SOAR layer. It ingests logs, runs KQL analytics rules, and orchestrates response with Logic Apps playbooks.

Enable Defender for Cloud on your lab subscription, then connect it to a Log Analytics workspace that you will reuse for Sentinel:

az monitor log-analytics workspace create \
  --resource-group rg-az500-lab \
  --workspace-name law-az500-lab

az security pricing create --name VirtualMachines --tier Standard
az security pricing create --name SqlServers --tier Standard
az security pricing create --name StorageAccounts --tier Standard
[!WARNING]

Enabling Defender plans starts billing immediately and meters per protected resource. For a lab, leave the plans on for a single day to walk through alerts, then run az security pricing create --name VirtualMachines --tier Free to disable them. The exam expects you to know the plans exist, not to leave them running.

Now learn just enough KQL to write a credible analytics rule. You do not need to be fluent. You need to read a query, recognize what it filters and what it groups, and modify the threshold. Start with this one, which detects multiple failed sign-ins from a single IP:

SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != 0
| summarize FailedCount = count() by IPAddress, UserPrincipalName
| where FailedCount >= 10

Read it left to right. SigninLogs is the table. The first where filters to the last hour. The second where keeps only failed sign-ins. The summarize groups by IP and user to count failures. The final where keeps only IPs with 10 or more failures. Almost every Sentinel KQL question on the exam looks like this pattern — table, time filter, condition filter, aggregation, threshold.

The four operators to memorize: where (filter), project (select columns), summarize (group and aggregate), and join (combine tables). If you can describe what each does and write a query that uses three of them, you have enough KQL for the exam.

Lab Like You Mean It

Reading about Azure security is not the same as configuring it. The exam includes scenario questions where the four answer options describe slightly different configurations, and the only way to pick the right one is muscle memory from having actually deployed each.

Clone the official Microsoft Learning AZ-500 lab repository and work through the labs in order. The repo maps lab numbers to exam objectives, and the instructions assume you can read an Azure portal screenshot — which is also a skill the exam tests.

Prioritize these five labs if you are short on time:

  1. Lab 02 — Manage Azure Active Directory Identities. Practice creating Conditional Access policies and assigning PIM-eligible roles.

  2. Lab 04 — Implement Conditional Access policies including Multi-Factor Authentication. Build a risky sign-in policy that requires MFA, then test it by signing in from an InPrivate window.

  3. Lab 06 — Implement Perimeter Security. Deploy Azure Firewall, configure forced tunneling, and validate traffic with tcpping from a workload VM.

  4. Lab 09 — Implement Key Vault. Configure RBAC, enable purge protection, and grant a managed identity access to a single secret.

  5. Lab 14 — Implement Microsoft Sentinel. Create a workspace, enable a data connector, write your first analytics rule, and trigger a Logic App playbook.

If you can deploy these five labs from CLI without referring to the instructions, you are ready for the exam.

Use the Right Practice Tests

Not all practice tests are equal. The exam-team-authored official Microsoft practice assessment is free, unlimited, and the closest match to the real exam in wording and difficulty. Start there.

For broader coverage, MeasureUp sells the official Microsoft practice test at around 99 dollars and matches the exam’s depth of scenario questions. Whizlabs is cheaper and gives you a larger question bank, but the questions skew shallower than the real exam. Avoid braindump sites — the questions are often outdated, the explanations are wrong, and at least one large site is currently selling questions Microsoft pulled from the live exam, which is a violation of the exam policies and non-disclosure agreement.

Treat practice tests as a calibration tool, not a study guide. Aim for 85 percent or higher on at least two consecutive attempts before booking the real exam, and read every explanation — including for questions you got right. The explanation is where you discover the why behind the right answer, which is the muscle the exam is actually testing.

Exam Day Mechanics That Trip Up Candidates

A few logistical points will save you stress on the day:

  • You can open learn.microsoft.com inside the exam in a split pane. The clock keeps running, but it is faster than recalling whether --enable-purge-protection is irreversible.

  • Flag questions you are unsure about and revisit them after the case studies. Case studies are time-heavy and you do not want to leave them with two minutes left.

  • If the exam includes a hands-on lab segment, do the lab last. Lab questions are typically worth more than multiple choice, but they are also time sinks.

  • Register with a personal Microsoft account, not your work or school account. If you change employers, an organizational account loses access to your exam records.

[!TIP]

The most common avoidable mistake on the AZ-500 is over-reading scenario questions. Each scenario typically has one obvious distractor (a service that almost works but has a hard constraint that fails), one absurd distractor (a service that does the wrong thing entirely), and two plausible answers. Eliminate the obvious distractor first, then choose based on the constraint Microsoft has hidden in the scenario text — usually a compliance requirement, a network boundary, or a billing model.

What Comes After AZ-500

The AZ-500 retires on August 31, 2026, and SC-500: Cloud and AI Security Engineer becomes the successor credential. The SC-500 expands the scope to include AI workload security, but most of the AZ-500 content carries forward — Defender for Cloud, Sentinel, identity protection, and zero-trust networking remain core topics.

If you pass AZ-500 before August 2026, your certification remains valid for a year and renews via a free online assessment on Microsoft Learn. After it expires post-retirement, you will need to take SC-500 fresh. Plan accordingly — if your exam date is close to the deadline and you fail the first attempt, you have a 14-day cooldown before retesting, which may push you past the cutoff.

The exam is hard because the job is hard. If you follow this plan, build the labs, and calibrate with practice tests, you will pass and you will actually deserve the credential. That is the difference between a certification you display and a certification you use.

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

More from ATA Learning and Partners

Looks like you're offline!