This cheat sheet is a fast, exam-focused review of everything on AZ-500 (Microsoft Azure Security Technologies). AZ-500 is an associate-level exam, so this is a consolidation aid for your final days — pair it with hands-on labs and practice questions. Reflects the skills measured as of January 22, 2026.
Heads up: Microsoft has scheduled AZ-500 to retire on August 31, 2026. If you're pursuing the Azure Security Engineer Associate certification, plan to sit the exam before then. The skills remain highly relevant for whatever replaces it.
Exam Snapshot
| Item | Value |
|---|---|
| Passing Score | 700 / 1000 |
| Cost | $165 USD |
| Questions | 40–60 |
| Time | ~120 minutes |

| Skills domain | Weight |
|---|---|
| Identity & Access | 15–20% |
| Secure Networking | 20–25% |
| Compute/Storage/DB | 20–25% |
| Defender & Sentinel | 30–35% |
1. Secure Identity & Access
| Capability | What it does |
|---|---|
| Azure RBAC | Assign built-in or custom roles at a scope (management group, subscription, resource group, resource). |
| Built-in roles | Owner, Contributor, Reader, User Access Administrator — least privilege first. |
| Entra roles vs Azure roles | Entra roles manage the directory/tenant; Azure roles manage resources via RBAC. |
| PIM | Just-in-time, time-bound privileged access; eligible vs active assignments, approvals, access reviews. |
| MFA | Require multiple verification methods for access to Azure resources. |
| Conditional Access | Grant/block access based on signals (user, device, location, risk). |
Applications & identities
| Capability | What it does |
|---|---|
| App registration | Defines an app's identity; configure permission scopes and consent. |
| Enterprise application | A service principal instance of an app in your tenant; manage OAuth grants. |
| Service principal | Identity an app/service uses to access resources. |
| Managed identity | Azure-managed credential for resources; system-assigned (tied to one resource) or user-assigned (reusable). |
Most-tested distinction: use a managed identity instead of storing secrets when an Azure resource needs to authenticate. Use PIM to make admin roles eligible and time-bound rather than permanently active.
2. Secure Networking
| Control | Purpose |
|---|---|
| NSG / ASG | NSG filters traffic on subnets/NICs with 5-tuple rules; ASG groups VMs logically for those rules. |
| Azure Firewall | Managed stateful firewall; network/application/NAT rules, FQDN filtering, threat intel; managed by Firewall Manager. |
| Web Application Firewall (WAF) | Protects web apps from OWASP attacks; runs on Application Gateway or Front Door. |
| DDoS Protection | Mitigates volumetric/protocol attacks against public endpoints. |
| UDR | User-defined routes force traffic through a firewall/appliance. |
| Network Watcher | Monitor and diagnose network traffic and security. |
Private & hybrid connectivity
| Service | Purpose |
|---|---|
| Service Endpoint | Extends VNet identity to a PaaS service over the backbone; service keeps its public IP. |
| Private Endpoint / Private Link | Gives a PaaS service a private IP in your VNet; traffic stays off the public internet. |
| VPN Gateway | Encrypted site-to-site and point-to-site connectivity. |
| ExpressRoute | Private dedicated connection; add MACsec/IPsec encryption. |
| Virtual WAN (secured hub) | Hub-and-spoke connectivity with integrated security. |
NSG vs Firewall: NSG is a free L3/L4 packet filter scoped to a subnet/NIC. Azure Firewall is a managed service protecting a whole network with FQDN, threat intel, and central policy. Use both — layered defense.
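The NSG/ASG/UDR pattern from this section as an added Bicep example (not code from the original page): one 5-tuple rule that allows HTTPS from the Application Gateway subnet to an ASG instead of to individual VM IPs, and a route table that forces internet-bound traffic through Azure Firewall. The firewall private IP, the subnet prefix and the resource names are constructed placeholders; the VNet, subnet and firewall are assumed to exist already.

```bicep
// Added example, not from the original page. IPs and names below are constructed placeholders.
param location string = resourceGroup().location
param firewallPrivateIp string = '10.0.1.4'     // constructed: hub Azure Firewall private IP
param appGatewaySubnet string = '10.0.2.0/24'   // constructed: Application Gateway subnet
// ASG: web-tier NICs join this group, so rules reference the group rather than individual IPs.
resource webAsg 'Microsoft.Network/applicationSecurityGroups@2023-09-01' = {
  name: 'asg-web'
  location: location
}
resource webNsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: 'nsg-web'
  location: location
  properties: {
    securityRules: [
      {
        // One 5-tuple rule: source, source port, destination (the ASG), destination port, protocol.
        // Anything not matched falls through to the built-in DenyAllInBound rule at priority 65500.
        name: 'Allow-HTTPS-AppGw-To-Web'
        properties: {
          priority: 100                          // lower number is evaluated first
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: appGatewaySubnet
          sourcePortRange: '*'
          destinationApplicationSecurityGroups: [ { id: webAsg.id } ]
          destinationPortRange: '443'
        }
      }
    ]
  }
}
// UDR: send all internet-bound traffic from the web subnet to the firewall, not straight out.
resource webRoutes 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-web'
  location: location
  properties: {
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}
```

Neither resource does anything until it is attached to the subnet (`networkSecurityGroup: { id: webNsg.id }` and `routeTable: { id: webRoutes.id }` on the subnet) and the web NICs are placed in the ASG.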
3. Compute, Storage & Database Security
Compute
| Capability | What it does |
|---|---|
| Azure Bastion | RDP/SSH to VMs over TLS in the portal — no public IP on the VM. |
| JIT VM access | Open management ports only on request, for a limited time (via Defender for Cloud). |
| Disk encryption | Azure Disk Encryption (ADE), encryption at host, and confidential disk encryption. |
| AKS / ACR security | Network isolation and auth for AKS; control access to Azure Container Registry. |
Storage
| Capability | What it does |
|---|---|
| Access control | Prefer Microsoft Entra authorization over access keys; scope with SAS where keys are needed. |
| SAS | Shared access signature grants scoped, time-limited access to storage resources. |
| Data protection | Soft delete, versioning, backups, and immutable (WORM) storage. |
| Encryption | BYOK with customer-managed keys; infrastructure-level double encryption. |
Azure SQL Database / Managed Instance
| Capability | What it does |
|---|---|
| Entra authentication | Centralized identity-based database sign-in. |
| Auditing | Track database events to a log destination. |
| Dynamic data masking | Obfuscate sensitive fields in query results for non-privileged users. |
| TDE | Transparent Data Encryption protects data at rest (files, backups). |
| Always Encrypted | Protects data in use — encrypted client-side so the engine never sees plaintext. |
Encryption distinction: TDE protects data at rest; Always Encrypted protects data in use by encrypting it client-side; dynamic data masking only hides data in results — it is not encryption.
4. Defender for Cloud, Key Vault & Sentinel
Azure Key Vault
| Capability | What it does |
|---|---|
| Stores | Keys, secrets, and certificates; supports key rotation and backup/restore. |
| Access model | Vault access policies or Azure RBAC (RBAC is recommended). |
| Protection | Soft delete and purge protection; restrict with network/firewall settings. |
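An added Bicep example (not from the original page) that ties the Key Vault table above to the section 1 point about managed identities: a user-assigned identity gets the built-in "Key Vault Secrets User" role scoped to a single vault that uses the RBAC access model, soft delete, purge protection and a default-deny network ACL. The vault and identity names are constructed placeholders.

```bicep
// Added example, not from the original page. Names below are constructed placeholders.
param location string = resourceGroup().location
param vaultName string = 'kv-app-example'   // constructed placeholder: must be globally unique
// User-assigned identity: reusable across resources and replaces secrets stored in config.
resource appIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-app'
  location: location
}
resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true      // Azure RBAC data-plane model instead of access policies
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    enablePurgeProtection: true        // cannot be switched off once enabled
    publicNetworkAccess: 'Disabled'    // reach the vault via a private endpoint only
    networkAcls: { defaultAction: 'Deny', bypass: 'AzureServices' }
  }
}
// Built-in role "Key Vault Secrets User": read secret contents, nothing else.
var secretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'
// Least privilege: the assignment is scoped to this vault, not the resource group or subscription.
resource secretsRead 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(vault.id, appIdentity.id, secretsUserRoleId)
  scope: vault
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', secretsUserRoleId)
    principalId: appIdentity.properties.principalId
    principalType: 'ServicePrincipal'   // avoids replication-delay failures for new identities
  }
}
// Attach appIdentity to the VM, App Service or Function that needs the secrets.
output identityResourceId string = appIdentity.id
```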
Governance & Defender for Cloud
| Capability | What it does |
|---|---|
| Azure Policy | Enforce rules with policies and initiatives; audit or deny non-compliant resources. |
| Secure Score | Measure and improve posture with prioritized recommendations. |
| Regulatory compliance | Assess against MCSB and standards; add custom standards. |
| CWP plans | Defender for Servers, Storage, SQL, Containers, and more. |
| Multicloud | Connect AWS and GCP; agentless scanning and vulnerability management. |
| EASM | External Attack Surface Management discovers internet-facing assets. |
Microsoft Sentinel
| Capability | What it does |
|---|---|
| What it is | Cloud-native SIEM + SOAR for detection, investigation, and automated response. |
| Data connectors | Ingest signals from Azure, M365, multicloud, and third-party sources. |
| Analytics rules | Detect threats and generate incidents from ingested data. |
| Automation / playbooks | Logic Apps that automate response (SOAR). |
| DCRs | Data collection rules in Azure Monitor control what telemetry is collected. |
Defender for Cloud vs Sentinel: Defender for Cloud is CSPM + workload protection focused on securing your Azure/hybrid/multicloud resources. Sentinel is the SIEM/SOAR that collects signals across the whole environment to detect and respond to threats.
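How a Sentinel analytics rule turns ingested signals into an incident, as an added Bicep example (not from the original page): a scheduled rule that fires when a soft-deleted Key Vault is purged, which is the one operation that purge protection exists to block. It assumes Sentinel is enabled on the named workspace (a constructed placeholder) and that Key Vault AuditEvent diagnostics are already flowing into it.

```bicep
// Added example, not from the original page. Workspace name is a constructed placeholder.
param workspaceName string = 'law-sentinel-example'
resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}
resource purgeRule 'Microsoft.SecurityInsights/alertRules@2023-02-01' = {
  name: 'keyvault-purge-detected'   // rule id; a GUID is conventional but any unique string works
  scope: workspace
  kind: 'Scheduled'
  properties: {
    displayName: 'Key Vault purge attempted'
    description: 'Purging a soft-deleted vault destroys any chance of recovery; expect this only from a documented break-glass procedure.'
    enabled: true
    severity: 'High'
    // KQL over the AzureDiagnostics table that Key Vault's AuditEvent category populates
    query: '''
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent"
| where OperationName == "VaultPurge"
| project TimeGenerated, Resource, OperationName, CallerIPAddress, ResultType
'''
    queryFrequency: 'PT15M'   // run every 15 minutes ...
    queryPeriod: 'PT15M'      // ... over the previous 15 minutes of data
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0       // any matching row creates an alert and an incident
    suppressionEnabled: false
    suppressionDuration: 'PT1H'
    tactics: [ 'Impact' ]
  }
}
```

A playbook (Logic App) can be attached to this rule through an automation rule to page the on-call engineer; the detection itself is useless if the AuditEvent diagnostic setting on the vault is missing, so deploy that alongside.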
5. Acronym Quick List
RBAC — Role-Based Access Control
PIM — Privileged Identity Management
MFA — Multi-Factor Authentication
NSG / ASG — Network / Application Security Group
WAF — Web Application Firewall
UDR — User-Defined Route
JIT — Just-In-Time (VM access)
SAS — Shared Access Signature
BYOK — Bring Your Own Key
TDE — Transparent Data Encryption
ADE — Azure Disk Encryption
MCSB — Microsoft Cloud Security Benchmark
CSPM — Cloud Security Posture Management
CWP — Cloud Workload Protection
SIEM / SOAR — Security Information & Event Management / Security Orchestration, Automation & Response
EASM — External Attack Surface Management
DCR — Data Collection Rule
AKS / ACR — Azure Kubernetes Service / Container Registry
Common Questions
Is a cheat sheet enough to pass AZ-500?
No. AZ-500 is an associate-level exam with scenario and configuration questions that require hands-on Azure experience. A cheat sheet is a fast final-review aid to consolidate service names, distinctions, and when-to-use decisions — use it alongside labs, Microsoft Learn, and practice questions, not instead of them.
What is the difference between a Network Security Group and Azure Firewall?
A Network Security Group (NSG) is a free, stateful packet filter applied to subnets or NICs using 5-tuple allow/deny rules. Azure Firewall is a managed, stateful network firewall service with FQDN filtering, threat intelligence, and centralized policy — used to protect an entire virtual network or hub, not just a single subnet.
What is the difference between a service endpoint and a private endpoint?
A service endpoint extends your virtual network identity to an Azure PaaS service over the Azure backbone, but the service keeps its public IP. A private endpoint assigns a private IP from your virtual network to the service via Azure Private Link, so traffic never traverses the public internet — the more secure and isolated option.
What is the passing score and cost for AZ-500?
700 out of 1000 (roughly 70%). The exam costs $165 USD, has around 40–60 questions, and a time limit of about 120 minutes. Note: AZ-500 is scheduled to retire on August 31, 2026.