AZ-500 Exam Guide 2026: Study the Retirement-Aware Way
AZ-500: Microsoft Azure Security Technologies is the exam for the Microsoft Certified: Azure Security Engineer Associate certification, but 2026 candidates need to know one important fact before studying: Microsoft Learn says the AZ-500 exam retires on August 31, 2026 at 11:59 PM Central Standard Time.
That changes the strategy. If you plan to test before August 31, 2026, use the current January 22, 2026 skills outline and focus on hands-on Azure security implementation. If your realistic test date is after retirement, do not build a plan around AZ-500 until Microsoft publishes the successor path for your region and role.
Official AZ-500 Facts
Microsoft's official sources are the AZ-500 exam page and the AZ-500 study guide. The study guide is the source of truth for the current skills outline.
| Item | 2026 detail |
|---|---|
| Exam | AZ-500: Microsoft Azure Security Technologies |
| Certification | Microsoft Certified: Azure Security Engineer Associate |
| Retirement | August 31, 2026 at 11:59 PM Central Standard Time |
| Current skills outline | January 22, 2026 |
| Exam time | 100 minutes to complete the assessment |
| Passing score | 700 or greater |
| Delivery | Proctored Microsoft certification exam through Pearson VUE |
| Renewal | Microsoft role-based certifications renew annually with a free Microsoft Learn assessment while active |
| Candidate profile | Azure security engineer implementing, managing, and monitoring security for Azure, multi-cloud, and hybrid environments |
Microsoft says the AZ-500 candidate should have practical experience with Azure administration and hybrid environments plus strong familiarity with Microsoft Entra ID, compute, networking, and storage.
The 4 AZ-500 Domains in the January 2026 Outline
| Domain | Weight | What to master |
|---|---|---|
| Secure identity and access | 15-20% | RBAC, custom roles, Privileged Identity Management, MFA, Conditional Access, app registrations, service principals, managed identities |
| Secure networking | 20-25% | NSGs, ASGs, Virtual Network Manager, UDRs, peering, VPN, Virtual WAN, Private Endpoints, Private Link, Azure Firewall, Application Gateway, Front Door, WAF, DDoS Protection |
| Secure compute, storage, and databases | 20-25% | VM access, Bastion, JIT, AKS security, containers, ACR, disk encryption, API Management, storage security, database security |
| Secure Azure using Defender for Cloud and Sentinel | 30-35% | Security posture, Defender plans, vulnerability remediation, alerts, incidents, analytics, workbooks, automation, regulatory compliance |
The largest domain is Defender for Cloud and Microsoft Sentinel. That does not mean you can postpone identity or networking. Defender and Sentinel questions often assume you already know how the resource is secured before monitoring finds a problem.
Article Thesis: AZ-500 Is a Security Implementation Exam, Not a Product Tour
Many AZ-500 summaries list Azure services in order. That is not enough. The exam asks you to decide how to implement security controls across an actual environment:
- Which identity should access a resource, and should it be a managed identity, service principal, group assignment, or PIM-eligible role?
- Should private access use Private Endpoint, Service Endpoint, or network integration?
- Is an alert a Defender for Cloud recommendation, a Sentinel incident, a KQL analytics rule, or an Azure Monitor signal?
- Should a workload use Azure Disk Encryption, encryption at host, customer-managed keys, confidential disk encryption, or storage account controls?
- Does the scenario call for NSG, Azure Firewall, Application Gateway WAF, Front Door WAF, or DDoS Protection?
Study decisions, not menus.
What to Study First
1. Microsoft Entra ID and Azure RBAC
Start with the identity plane because every other domain depends on it. Be able to explain the difference between Microsoft Entra roles and Azure RBAC roles, when to use built-in versus custom roles, and how Privileged Identity Management changes standing access into eligible access.
High-yield tasks:
- Assign built-in Azure roles at management group, subscription, resource group, and resource scope
- Build a least-privilege custom role from actions and dataActions
- Configure PIM activation settings, approval, MFA, justification, and access reviews
- Configure Conditional Access for Azure management access
- Use managed identities for Azure resources instead of secrets where possible
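The custom-role task above, worked as an added example (not Microsoft's code and not part of the original guide): it evaluates one role definition the way `Actions`/`NotActions` and `DataActions`/`NotDataActions` combine, and flags wildcard grants. The role names, the `rg-lab` resource group and the all-zero subscription ID are constructed placeholders.

```python
import re

# Constructed role definitions in the shape Azure custom roles use.
# Role names and the all-zero subscription ID are placeholders.
SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-lab"
NARROW = {
    "Name": "Lab Blob Reader", "IsCustom": True,
    "Actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
    "NotActions": [],
    "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    "NotDataActions": [],
    "AssignableScopes": [SCOPE],
}
BROAD = dict(NARROW, Name="Lab Storage Operator",
             Actions=["Microsoft.Storage/*"],
             NotActions=["Microsoft.Storage/storageAccounts/listKeys/action"])


def _matches(operation, patterns):
    # Operation strings compare case-insensitively; '*' is the only wildcard.
    for pattern in patterns:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, operation, re.IGNORECASE):
            return True
    return False


def is_allowed(role, operation, data_plane=False):
    """Effective permission of this one role: allow list minus its Not* list.

    Not* subtracts from this role only; it is not a deny that overrides
    a grant made by another role assignment.
    """
    allow = role["DataActions" if data_plane else "Actions"]
    minus = role["NotDataActions" if data_plane else "NotActions"]
    return _matches(operation, allow) and not _matches(operation, minus)


def wildcard_findings(role):
    """List wildcard grants, the usual reason a custom role is broader than intended."""
    return [f"{field}: {p}" for field in ("Actions", "DataActions")
            for p in role[field] if "*" in p]
```

Reading a blob is a data-plane operation, so `NARROW` permits it only when checked against `DataActions`; the same operation string is not granted by `Actions`.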
2. Network security decisions
Networking is 20-25% of the exam and shows up inside compute, storage, and database scenarios. Build a small lab with two VNets, NSGs, a private endpoint, Azure Firewall, and a web app behind an application delivery service.
Decision table:
| Need | Usually tested answer |
|---|---|
| Control L3/L4 subnet or NIC traffic | NSG, optionally ASG for grouping VMs |
| Central outbound/inbound inspection | Azure Firewall and firewall policy |
| Protect regional HTTP/S app | Application Gateway with WAF |
| Protect global HTTP/S app | Azure Front Door with WAF |
| Keep PaaS resource off public internet | Private Endpoint plus public access disabled |
| Extend subnet identity to public PaaS endpoint | Service Endpoint |
| Protect from volumetric attacks | Azure DDoS Protection Standard |
| Manage VNet security at scale | Azure Virtual Network Manager |
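
The Private Endpoint and Service Endpoint rows above, as an added example (not from the original guide or from Microsoft): a check over a storage account's ARM `properties` object that tells "private endpoint with public access disabled" apart from "public endpoint restricted to a subnet". The three sample accounts and the shortened subnet ID are constructed, and treating a missing setting as the open value is this example's assumption.

```python
# Constructed 'properties' objects in the shape of Microsoft.Storage/storageAccounts;
# the subnet ID is a shortened placeholder.
SUBNET = {"id": "/subscriptions/<sub-id>/.../subnets/app"}
APPROVED_PE = {"properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}}

PRIVATE_ONLY = {"publicNetworkAccess": "Disabled",
                "allowSharedKeyAccess": False,
                "networkAcls": {"defaultAction": "Deny"},
                "privateEndpointConnections": [APPROVED_PE]}
SERVICE_ENDPOINT = {"publicNetworkAccess": "Enabled",
                    "networkAcls": {"defaultAction": "Deny",
                                    "virtualNetworkRules": [SUBNET]}}
HALF_DONE = {"publicNetworkAccess": "Enabled",
             "networkAcls": {"defaultAction": "Allow"},
             "privateEndpointConnections": [APPROVED_PE]}


def classify(props):
    """Return (exposure, findings) for one storage account."""
    acls = props.get("networkAcls", {})
    # Assumption of this example: a missing value is treated as the open setting.
    public_on = props.get("publicNetworkAccess", "Enabled") != "Disabled"
    default_allow = acls.get("defaultAction", "Allow") == "Allow"
    has_pe = any(
        c.get("properties", {}).get("privateLinkServiceConnectionState", {})
         .get("status") == "Approved"
        for c in props.get("privateEndpointConnections", []))
    findings = []
    if not public_on:
        exposure = "private-endpoint-only" if has_pe else "no-network-path"
    elif default_allow:
        exposure = "public-all-networks"
        if has_pe:
            findings.append("private endpoint exists but public access is still enabled")
    elif acls.get("virtualNetworkRules") or acls.get("ipRules"):
        # Service Endpoint / IP rules: traffic still lands on the public endpoint.
        exposure = "public-endpoint-restricted"
    else:
        exposure = "public-endpoint-deny-all"
    if props.get("allowSharedKeyAccess", True):
        findings.append("shared key authorization is enabled")
    return exposure, findings
```

`HALF_DONE` is the configuration to look for in a lab: the private endpoint was created, but the account is still reachable from all networks because public access was never turned off.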
3. Workload and data security
This domain is broad. Avoid memorizing one-off feature names until you can map each workload to its control surface.
- VMs: Bastion, JIT access, disk encryption, update/security recommendations
- AKS: network isolation, authentication, image and runtime monitoring
- Containers: ACR access, Defender coverage, container monitoring
- Storage: access keys, SAS, shared key disablement, private endpoints, encryption, lifecycle and immutability concepts
- Databases: Microsoft Entra authentication, firewall/private access, auditing, Defender, vulnerability assessment, TDE and key choices
- API Management: TLS, client certificates, managed identity, private networking, policy controls
4. Defender for Cloud and Sentinel
This is the largest domain. Learn the workflow:
- Enable the right Defender plans.
- Review secure score and recommendations.
- Remediate vulnerabilities or exempt with justification.
- Investigate alerts and incidents.
- Use Sentinel analytics, KQL, workbooks, playbooks, and automation rules.
- Report regulatory compliance and security posture.
The exam expects you to understand the difference between posture management and security operations. Defender for Cloud often identifies risk and recommends remediation. Sentinel is where you collect signals, correlate incidents, investigate, and automate response.
6-Week AZ-500 Study Plan Before the Retirement Date
| Week | Focus | Hands-on output |
|---|---|---|
| 1 | Exam scope and identity | RBAC custom role, PIM workflow, Conditional Access policy, managed identity lab |
| 2 | Network security | NSG/ASG rules, Private Endpoint, Azure Firewall, Application Gateway WAF, Front Door WAF comparison |
| 3 | Compute and container security | Bastion, JIT VM access, disk encryption options, AKS authentication and network controls, ACR permissions |
| 4 | Storage, database, and API security | Storage public access lock-down, SAS comparison, SQL private access, database auditing, API Management security |
| 5 | Defender for Cloud | Defender plans, secure score, recommendations, vulnerability management, regulatory compliance |
| 6 | Sentinel and timed review | Analytics rule, incident workflow, KQL basics, workbook, playbook, full timed practice |
If you cannot complete hands-on labs, delay the exam. AZ-500 questions often hinge on portal and configuration details that are hard to learn from reading alone.
Common AZ-500 Mistakes
- Ignoring the retirement date. As of May 13, 2026, AZ-500 is still active, but Microsoft lists August 31, 2026 as the retirement date. Plan backward from that date.
- Studying Defender and Sentinel as one product. Defender for Cloud and Sentinel overlap in security operations, but they are tested as different workflows.
- Using owner permissions in labs. Practice least privilege with scoped roles and managed identities.
- Confusing Private Endpoint and Service Endpoint. Private Endpoint gives the service a private IP in your VNet; Service Endpoint extends subnet identity to a public service endpoint.
- Skipping KQL. You do not need to be a full-time detection engineer, but you must read and reason about basic Sentinel queries.
- Treating WAF placement as interchangeable. Application Gateway WAF is regional; Front Door WAF is global and edge-oriented.
Official Resources
- AZ-500 exam page on Microsoft Learn
- AZ-500 study guide and January 22, 2026 skills outline
- Microsoft exam scoring and score reports
- Microsoft certification renewal
- Microsoft Defender for Cloud documentation
- Microsoft Sentinel documentation
