AZ-500 Microsoft Azure Security Technologies

Articles covering Microsoft Azure Security Technologies (AZ-500) exam objectives. These guides focus on identity and access management, platform protection, security operations, and data and applications security.

AZ-500 Objective 1.1: Manage Security Controls for Identity and Access

Master identity and access management with Azure built-in roles (Owner, Contributor, Reader), custom Azure and Entra ID roles with JSON definitions, Privileged Identity Management for just-in-time access, multi-factor authentication implementation, and Conditional Access policies for zero trust security.

AZ-500 Objective 1.2: Manage Microsoft Entra Application Access

Learn enterprise application access with OAuth permission grants, app registrations with delegated and application permissions, permission scopes and consent (admin vs user), service principals for application identity, and managed identities eliminating credential management.

AZ-500 Objective 2.1: Plan and Implement Security for Virtual Networks

Master virtual network security with Network Security Groups (stateful filtering), Application Security Groups (workload-based rules), Virtual Network Manager (centralized management), user-defined routes (traffic control), VPN and Virtual WAN connectivity, ExpressRoute encryption, and Network Watcher monitoring.

AZ-500 Objective 2.2: Plan and Implement Security for Private Access to Azure Resources

Learn Service Endpoints (optimized routing), Private Endpoints (dedicated private IPs eliminating public exposure), Private Link services (exposing custom services), App Service VNet integration (outbound connectivity), App Service Environment (single-tenant isolation), and SQL Managed Instance network security.

AZ-500 Objective 2.3: Plan and Implement Security for Public Access to Azure Resources

Master TLS implementation for App Service and API Management, Azure Firewall with Firewall Manager and centralized policies, Application Gateway with WAF, Azure Front Door with CDN and global load balancing, Web Application Firewall protection against OWASP threats, and DDoS Protection Standard.

AZ-500 Objective 3.1: Plan and Implement Advanced Security for Compute

Learn Azure Bastion and JIT VM access, AKS network isolation with Azure CNI and network policies, AKS security monitoring with Defender and Policy, AKS authentication with Azure AD and RBAC, container security for ACI and ACA, ACR access with RBAC and content trust, disk encryption (ADE, encryption at host, confidential), and API Management security.

AZ-500 Objective 3.2: Plan and Implement Security for Storage

Master storage account access control with RBAC and data plane roles, access key management with rotation and Key Vault, Azure Files authentication (Azure AD DS, AD DS), Blob Storage access (Azure AD, SAS, anonymous), data protection (soft delete, versioning, immutable storage, backup), BYOK with customer-managed keys, and infrastructure-level double encryption.

AZ-500 Objective 3.3: Plan and Implement Security for Azure SQL Database and SQL Managed Instance

Learn Microsoft Entra ID authentication with contained users and managed identities, database auditing to Log Analytics and Storage with action groups, dynamic data masking protecting PII with masking functions, Transparent Data Encryption with service-managed or customer-managed keys, and Always Encrypted with deterministic and randomized encryption.

AZ-500 Objective 4.1: Implement and Manage Enforcement of Cloud Governance Policies

Master Azure Policy with policy definitions, effects (Deny, Audit, DeployIfNotExists), and initiatives. Configure Key Vault network settings with Private Endpoints and firewall rules, control access using Azure RBAC, manage certificates, secrets, and keys with automatic rotation, and implement backup and recovery with soft delete and purge protection.

AZ-500 Objective 4.2: Manage Security Posture by Using Microsoft Defender for Cloud

Learn Secure Score for security posture measurement with prioritized recommendations and quick fixes; Inventory for centralized asset visibility and Defender plan coverage; Regulatory Compliance assessment against Azure Security Benchmark, PCI DSS, HIPAA, and ISO 27001; custom compliance standards using Azure Policy; hybrid and multi-cloud connections (Azure Arc, AWS, GCP); and External Attack Surface Management (EASM) discovering internet-facing assets.

AZ-500 Objective 4.3: Configure and Manage Threat Protection by Using Microsoft Defender for Cloud

Master workload protection with Defender for Servers (Plan 1 vs Plan 2, Microsoft Defender for Endpoint, vulnerability assessment, file integrity monitoring, adaptive application controls, JIT access), Defender for Databases (SQL vulnerability assessment, threat detection), Defender for Storage (malware scanning, sensitive data discovery), agentless VM scanning with snapshots, Microsoft Defender Vulnerability Management with risk-based prioritization, and Defender for DevOps Security for GitHub, Azure DevOps, and GitLab.

AZ-500 Objective 4.4: Configure and Manage Security Monitoring and Automation Solutions

Learn Defender for Cloud alert management with triage, investigation, and suppression; workflow automation using Logic Apps for notifications and remediation; Data Collection Rules (DCRs) for NSG flow logs and VM network monitoring with Traffic Analytics; Microsoft Sentinel data connectors for Azure services, Microsoft 365, AWS, and third-party sources; analytics rules with scheduled queries, anomaly detection, and Fusion; and automation with playbooks and automation rules.