AZ-500: Microsoft Azure Security Technologies Exam Study Notes

What better than to have started blogging about my exam preparation notes that with this perfectly representative AZ-500: Microsoft Azure Security Technologies exam from Microsoft! I had taken this when it was in Beta format and narrowly failed the exam, arguably because I hadn’t prepared one bit for the concepts being evaluated. Sure, you *could* rely on roughly 10 years of Azure experience, but as this technology changes daily, I highly recommend preparing fully for this expansive exam!

I also understand that there might be live labs with tasks you need to complete, but your mileage may vary – I wouldn’t be surprised, but if you have fully prepared for this exam, you should have NOTHING to worry about!

Let’s start with a link to the exam details itself, as these skills definitions sometimes change without notice: https://www.microsoft.com/en-us/learning/exam-az-500.aspx.

If you’re looking to take some of the pressure off of your exam tries, consider purchasing the MCP + exam retake package: https://us.mindhub.com/microsoft-exam-replay-mcp-exam-plus-retake/p/Microsoft-Exam-Replay

If you’re looking for courses to learn the materials, here are a few recommendations:
Skylines Academy ($99 USD): https://courses.skylinesacademy.com/p/az-500
EDx course (free): https://openedx.microsoft.com/courses/course-v1:Microsoft+AZ-500.0+2019_T2/course/

Below, I have broken out each of the exam sections into links for both docs.microsoft.com and MSLearn resources to jump start learning for each of the exam pillars/domains:

Manage identity and access (20-25%)

Configure Microsoft Azure Active Directory for workloads

create App registration: https://docs.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison
- V1 endpoint: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v1-add-azure-ad-app
- V2 endpoint: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-register-an-app
configure App registration permission scopes
- https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
manage App registration permission consent
- https://docs.microsoft.com/en-us/azure/active-directory/develop/application-consent-experience
configure multi-factor authentication settings
- https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings
- https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted
manage Microsoft Azure AD directory groups
manage Microsoft Azure AD users
install and configure Microsoft Azure AD Connect
configure authentication methods
- https://docs.microsoft.com/en-us/azure/security/fundamentals/choose-ad-authn
- https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices
implement conditional access policies
configure Microsoft Azure AD identity protection

Configure Microsoft Azure AD Privileged Identity Management

Configure Microsoft Azure tenant security

transfer Microsoft Azure subscriptions between Microsoft Azure AD tenants
manage API access to Microsoft Azure subscriptions and resources

Implement platform protection (35-40%)

Implement network security

configure virtual network connectivity
configure Network Security Groups (NSGs)
create and configure Microsoft Azure firewall
- https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal
- https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-portal
create and configure application security groups
- https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#application-security-groups
configure remote access management
- https://docs.microsoft.com/en-us/azure/security/fundamentals/management
- https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-restrict-network-access-to-resources
configure baseline
- https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-baseline-protection
- https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-auditing-powershell
configure resource firewall
- https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-dnat

Implement host security

configure endpoint security within the VM
- https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-virtual-network
configure VM security
- https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-azure-security
- https://docs.microsoft.com/en-us/azure/virtual-machines/windows/virtual-machines-windows-security-controls
harden VMs in Microsoft Azure
- https://docs.microsoft.com/en-us/azure/virtual-machines/windows/security-policy
- https://docs.microsoft.com/en-us/azure/virtual-machines/windows/isolation
configure system updates for VMs in Microsoft Azure
- https://docs.microsoft.com/en-us/azure/automation/automation-tutorial-update-management
configure baseline
- https://docs.microsoft.com/en-us/azure/security-center/security-center-virtual-machine-protection

Configure container security (MSLearn course on Administering containers in Azure: https://docs.microsoft.com/en-us/learn/paths/administer-containers-in-azure/ )

configure network
- https://docs.microsoft.com/en-us/virtualization/windowscontainers/container-networking/network-drivers-topologies
- https://docs.microsoft.com/en-us/virtualization/windowscontainers/container-networking/advanced
configure authentication
configure container isolation
- https://docs.microsoft.com/en-us/azure/aks/operator-best-practices-cluster-isolation
configure AKS security
- https://docs.microsoft.com/en-us/azure/aks/operator-best-practices-cluster-security
configure container registry
- https://docs.microsoft.com/en-us/azure/aks/tutorial-kubernetes-prepare-acr
configure container instance security
- https://docs.microsoft.com/en-us/azure/aks/developer-best-practices-pod-security
- https://docs.microsoft.com/en-us/azure/container-instances/container-instances-image-security
implement vulnerability management
- https://docs.microsoft.com/en-us/azure/security-center/security-center-vulnerability-assessment-recommendations

Implement Microsoft Azure Resource management security (MSLearn course on Managing Azure Resources: https://docs.microsoft.com/en-us/learn/paths/manage-resources-in-azure/)

Manage security operations (15-20%)

Configure security services

configure Microsoft Azure monitor
configure Microsoft Azure log analytics
configure diagnostic logging and log retention
- https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/logs-structure
- https://docs.microsoft.com/en-us/azure/azure-monitor/app/data-retention-privacy
configure vulnerability scanning
- https://docs.microsoft.com/en-us/azure/security-center/security-center-vulnerability-assessment-recommendations

Configure security policies

configure centralized policy management by using Microsoft Azure Security Center
configure Just in Time VM access by using Microsoft Azure Security Center
- https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time

Manage security alerts

create and customize alerts
- https://docs.microsoft.com/en-us/azure/security-center/security-center-alerts-overview
review and respond to alerts and recommendations
- https://docs.microsoft.com/en-us/azure/security-center/security-center-managing-and-responding-alerts
- https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response
configure a playbook for a security event by using Microsoft Azure Security Center
- https://docs.microsoft.com/en-us/azure/security-center/security-center-playbooks
investigate escalated security incidents
- https://docs.microsoft.com /en-us/azure/security-center/tutorial-security-incident
- https://docs.microsoft.com/en-us/azure/security-center/security-center-investigation

Secure data and applications (30-35%)

Configure security policies to manage data

Configure security for data infrastructure

enable database authentication
- https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure
- https://docs.microsoft.com/en-us/azure/sql-database/sql-database-control-access
enable database auditing
- https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing
- https://docs.microsoft.com/en-us/azure/sql-database/sql-database-managed-instance-auditing
configure Microsoft Azure SQL Database threat detection
- https://docs.microsoft.com/en-us/azure/sql-database/sql-database-threat-detection-overview
configure access control for storage accounts
configure key management for storage accounts
- https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-storage-keys
- https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview-storage-keys-powershell
create and manage Shared Access Signatures (SAS)
- https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
- https://docs.microsoft.com/en-us/azure/key-vault/storage-keys-sas-tokens-code
configure security for HDInsights
configure security for Cosmos DB
configure security for Microsoft Azure Data Lake
- https://docs.microsoft.com/en-us/azure/data-lake-store/data-lake-store-access-control
- https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control

Configure encryption for data at rest

implement Microsoft Azure SQL Database Always Encrypted
- https://docs.microsoft.com/en-us/azure/sql-database/sql-database-always-encrypted
implement database encryption
- https://docs.microsoft.com/en-us/azure/sql-database/transparent-data-encryption-azure-sql
- https://docs.microsoft.com/en-us/azure/sql-database/transparent-data-encryption-byok-azure-sql
implement Storage Service Encryption
- https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
implement disk encryption
implement backup encryption
- https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-encryption
- https://docs.microsoft.com/en-us/azure/backup/backup-azure-manage-vms

Implement security for application delivery

implement security validations for application development
- https://docs.microsoft.com/en-us/azure/devops/migrate/security-validation-cicd-pipeline?view=azure-devops
- https://docs.microsoft.com/en-us/azure/security/fundamentals/paas-deployments
configure synthetic security transactions
- https://docs.microsoft.com/en-us/azure/azure-monitor/app/usage-overview

Configure application security

configure SSL/TLS certs
- https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth
- https://docs.microsoft.com/en-us/azure/app-service/app-service-web-ssl-cert-load
configure Microsoft Azure services to protect web apps
create an application security baseline
- https://docs.microsoft.com/en-us/azure/app-service/overview-security

Configure and manage Key Vault

manage access to Key Vault
- https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault
manage permissions to secrets, certificates, and keys
- https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates
manage certificates
- https://docs.microsoft.com/en-us/azure/key-vault/certificate-scenarios
manage secrets
- https://docs.microsoft.com/en-us/azure/key-vault/quick-create-portal
- https://docs.microsoft.com/en-us/azure/key-vault/quick-create-template?tabs=CLI
configure key rotation
- https://docs.microsoft.com/en-us/azure/key-vault/key-vault-key-rotation-log-monitoring

Best of luck to you on your studies and learning journeys, and do let me know how you did when you sit the exam. Also, if this resource helps you, please share with others!

Last, but certainly not least, I owe the inspiration to blog my cloud experience and expertise to both Gregor Suttie and Richard Hooper (aka Pixel Robots). They have fully embraced #HustleAsAService for the past few years, and have made the Azure community better with their efforts! I can only hope to follow in their footsteps and provide the #AzureFamily community yet another learning perspective!