AZ-500 Study Guide 2026: Complete Azure Security Engineer Exam Prep

• • Azure RBAC — built-in roles (Owner, Contributor, Reader), custom roles, deny assignments, management group inheritance
• • Microsoft Entra Privileged Identity Management (PIM) — eligible vs. permanent assignments, activation, approval workflows, access reviews
• • Conditional Access — named locations, device compliance requirements, sign-in risk, user risk, report-only mode, What If tool
• • Microsoft Entra Identity Protection — risk detections, user risk policies, sign-in risk policies, remediation
• • Managed identities — system-assigned vs. user-assigned, assigning to resources, RBAC for managed identities
• • App registrations — application vs. delegated permissions, admin consent, app roles, workload identity federation
• • Identity Governance — access packages, access reviews, Lifecycle Workflows
• • Continuous Access Evaluation (CAE) — requirements, supported clients, revocation events
• • B2B collaboration — guest user access, invitation restrictions, cross-tenant access settings
• • Microsoft Entra Password Protection — global and custom banned passwords, on-premises DC agent

Study tip: PIM and Conditional Access are tested deeply with multi-condition scenarios. Know every configuration option for PIM role settings and CA grant controls — the exam frequently presents a scenario and asks which specific setting achieves a security requirement.

• • Network Security Groups — rule evaluation order, service tags, ASGs, default rules, effective security rules
• • Azure Firewall — rule types (DNAT/network/application), rule collection groups, Firewall Policy hierarchy, threat intelligence
• • Azure Firewall Premium — IDPS signature-based detection, TLS inspection, URL filtering
• • Web Application Firewall (WAF) — OWASP rule sets, custom rules, exclusions, detection vs. prevention mode
• • DDoS Protection — Network Protection vs. IP Protection, adaptive tuning, diagnostic settings and alerts
• • Azure Bastion — SKUs (Basic/Standard/Premium), shareable links, native client support, session recording
• • Just-In-Time VM access — JIT policy configuration, request approval, audit in Activity Log
• • Private Endpoints — DNS integration, private DNS zones, cross-VNet and on-premises resolution
• • Service Endpoints — VNet rules on PaaS services, cross-subscription VNet rules, NSG interaction
• • Network Watcher — IP flow verify, packet capture, NSG flow logs, Connection Monitor

Study tip: Azure Firewall rule evaluation order (DNAT → Network → Application) and Private Endpoint DNS resolution are the most commonly tested networking security topics. Get these exactly right.

• • Azure Key Vault — access models (RBAC vs. access policies), soft-delete and purge protection, certificate lifecycle management, secret-level RBAC scoping
• • VM security — Trusted Launch (Secure Boot, vTPM), Microsoft Defender for Servers Plan 1 vs. Plan 2, JIT VM access
• • Disk encryption — Azure Disk Encryption (ADE with BitLocker/DM-Crypt), Server-Side Encryption with CMK, customer-managed key rotation without re-encryption
• • Storage account security — shared key access, SAS tokens, Defender for Storage, immutability policies with Lock, network access (firewall, private endpoints, service endpoints)
• • Azure SQL Database security — Transparent Data Encryption (TDE), Always Encrypted (deterministic vs. randomised), Dynamic Data Masking, SQL Auditing, Advanced Threat Protection
• • Container security — AKS network policies, workload identity, image signing with Notation/Ratify, Defender for Containers
• • App Service and Function security — managed identities for downstream service access, Key Vault references, authentication middleware

Study tip: Always Encrypted vs. Dynamic Data Masking vs. TDE is a classic exam comparison. Memorise: TDE = files at rest, DDM = masks in results (bypassed by privileged users), Always Encrypted = client-side only (even DBAs see ciphertext).

• • Microsoft Defender for Cloud — Secure Score, recommendations, security policies, Azure Security Benchmark
• • Defender for Cloud plans — Defender for Servers (Plan 1/2), Defender for Storage, Defender for SQL, Defender for Containers, Defender for Key Vault
• • Defender for Cloud workload protections — Continuous Export, automation rules, regulatory compliance dashboard
• • Microsoft Sentinel — workspace architecture, data connectors (native, CEF, Syslog, Log Analytics agent)
• • Sentinel analytics rules — scheduled queries, near-real-time (NRT) rules, anomaly rules, Fusion rules
• • Sentinel automation — playbooks (Logic Apps), automation rules, SOAR orchestration
• • Sentinel UEBA — entity behaviour profiles, anomaly detection, investigation graph
• • KQL (Kusto Query Language) — basic query structure, project, where, summarize, join, ago(), extend, parse
• • Threat hunting in Sentinel — hunting queries, bookmarks, custom entities
• • Incident management — severity, assignment, investigation, triage workflow, closing codes

Study tip: KQL is tested — not deeply, but enough that you need to read and understand Sentinel query logic. Study the most common KQL operators: project, where, summarize, join, extend, ago(). You will not write queries from scratch but you will be asked to identify what a given query does or which operator to add.

1. Microsoft Learn AZ-500 Learning Path (Free)

The official learning path is the most authoritative source and essential for Defender for Cloud and Sentinel content, which changes frequently as Microsoft releases new security features. Complete every hands-on exercise — Sentinel labs in particular build the operational intuition needed for scenario questions. The learning path is long (40+ hours) but comprehensive.

2. MSCertQuiz AZ-500 Practice Tests

500 AZ-500 practice questions across all four domains with detailed explanations. The question bank is particularly strong on PIM scenario questions, RBAC deny assignment edge cases, Conditional Access policy accumulation, encryption comparison scenarios, and Sentinel KQL interpretation — the areas where most candidates drop the most marks.

3. John Savill's AZ-500 Study Cram (YouTube)

Savill's AZ-500 content is among the best available. His coverage of identity security (PIM configuration, Conditional Access policy design) and the Defender for Cloud / Sentinel landscape is particularly strong. Watch his "Azure Security Master Class" for the full-depth treatment before moving to exam-focused review.

4. Microsoft Sentinel KQL for Beginners (Microsoft Learn)

KQL is a distinct query language — do not skip it. Microsoft Learn's "Write your first query with Kusto Query Language" module gives you the operators needed for the exam in about 3 hours. Focus on: where, project, summarize, extend, join, ago(), count, and string operations. The Log Analytics demo environment lets you practice against real Microsoft log data for free.

5. Azure Security Benchmark Documentation

The Microsoft Cloud Security Benchmark (successor to Azure Security Benchmark) maps Defender for Cloud recommendations to security controls. Reading through the controls for compute, networking, identity, and data sections gives you the security reasoning behind many exam scenarios — understanding why a recommendation exists helps you pick the right answer when multiple options look plausible.