Microsoft Certified: Azure Security Engineer Associate

I recently acquired the Microsoft Certified: Azure Security Engineer Associate on my third attempt. This was both embarrassing—since I’ve never failed the same certification exam twice before—and humbling—as the exam was very clear about what the scope was. The scope is quite broad and I found it quite challenging to study and retain the full breadth of material. I had very little experience working with cloud environments beforehand and I suspect that contributed; I had a lot to learn. It is also aimed more at a security engineer rather than a security analyst, which is my current work experience. These roles differ in focus—engineers are responsible for architecture, design, and implementation while security analysts are responsible for monitoring, investigation, and response.

The certification

The AZ-500: Azure Security Engineer Associate certification (called AZ-500: Microsoft Azure Security Technologies when looking at training) is an intermediate level certification focused on cloud security in the Azure environment. The official tagline says the certification demonstrates the skills necessary to implement security controls, maintain an organization’s security posture, and identify and remediate security vulnerabilities. I think this undersells it a bit. You need to be able to design and implement controls on all Azure resources, as well as set up monitoring for security issues in multi-cloud and hybrid environments. This includes knowing how to implement Microsoft Defender into AWS, GCP, and on-premises environments and also implement enforcement and auditing of compliance standards across resources. Architecture, administration, and development are all covered.

I think this certification is best suited for security engineers, cloud engineers, or someone who needs to understand how an Azure environment can be secured (this should include anyone who needs to monitor the compliance of an Azure environment). Practical experience administering an Azure and hybrid environment is recommended, as well as familiarity with Microsoft Entra ID and the assorted resources in Azure (compute, network, storage, and applications).

There are four skill areas covered by the exam:

  • Secure identity and access (15–20%)
    • Manage security controls for identity and access
    • Manage Microsoft Entra application access and managed identities
  • Secure networking (20–25%)
    • Plan and implement security for virtual networks
    • Plan and implement security for private access to Azure resources
    • Plan and implement security for public access to Azure resources
  • Secure compute, storage, and databases (20–25%)
    • Plan and implement advanced security for compute
    • Plan and implement security for storage
    • Plan and implement security for Azure SQL Database and Azure SQL Managed Instance
  • Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel (30–35%)
    • Implement and manage enforcement of cloud governance policies
    • Manage security posture by using Microsoft Defender for Cloud
    • Configure and manage threat protection by using Microsoft Defender for Cloud
    • Configure and manage security monitoring and automation solutions

Exam

The exam is computer-based, obviously, lasts for 100 minutes, and has between 40 and 60 questions. These are divided into three sections: the standard multiple choice (which form the bulk of the questions), a set of related multiple choice questions that cannot be reviewed, and case studies. The case studies are a nice way to ensure you aren’t regurgitating memorised answers. These questions contain architectural descriptions, details about resources, controls that are in place, a plan for changes, and a set of requirements. Keeping all of that in mind, these questions propose actions that you need to evaluate against the specific environment and standard Azure limitations to choose the one that accomplishes the most with the least permissions.

A passing grade is 700 out of 1000 possible points.

How I went

I started by attending a week of virtual training. I got this as a discounted offer through TCM Security with New Horizons, which was also the first time I heard of this certification. An instructor walked us through the official Microsoft slides, talked about the actual reasoning and theory behind it, then walked us through practice labs. I’m fairly sure I could have passed the exam in one go a week after this training. Unfortunately, the usual complexities that arise with getting exam accommodations approved resulted in several months passing.

It was not reading the exam instructions, however, that caused me to miss my first attempt at this exam. Because I hadn’t read the instructions properly I didn’t realise when the first review of answered questions came up that I had two more sections left. Naturally, I used the time left reviewing the questions I had answered and didn’t have enough afterwards to address the more complicated remaining sections. I strongly recommend reading the boring preamble before starting exams—no matter how well prepared you think you are.

After my first dismal attempt, I watched several free online video training courses (the ones with multiple videos, not the shorter cram ones) to refresh myself on the material. I also took the official Microsoft practice exam, which I found much easier than the exam itself. I flunked the second attempt by a whopping 30 points. I’d almost have preferred to miss it by a huge margin. This time I was careful with my time management and thought I did reasonably well, but I had the exam in the morning and I woke up and started the exam without reviewing any material beforehand. I also found myself a bit fuzzy throughout because I had the brilliant idea not to drink coffee beforehand so I wouldn’t need to visit the bathroom. Not my cleverest idea, honestly. The overview after the exam indicated I had fallen short on the configuring Defender for Cloud questions and so that was where I should focus.

I really knuckled down after that for my final attempt. I gave myself two weeks (the minimum period between exam attempts) and focused on the official Microsoft training material and practical labs from my original training provider. While reading and listening to lots of information helped, I found the labs better for sticking that knowledge into my head than just covering the material. My final exam attempt was in the morning again (I had to work with what times were available) but I made sure to get up earlier, eat something, have a coffee, visit the bathroom, and review some notes before signing into the exam portal. Personally, I think the coffee did it. Truly the MVP.

My Thoughts

Like many of Microsoft’s certifications, this one has a 12 month lifetime. While this is pretty short, it emerges from the constant updates and changes that Azure undergoes. Even the official training material can be slightly behind the curve on changes (it’s not usually significant but things do move and defaults change) so I believe it is important to run practice labs and see how Azure is currently working. Shorter expiration periods are also intended to force ongoing study and maintenance by certification holders. While I’m not sure this is the best way to achieve this outcome, it does demand a certain currency of knowledge.

This is probably the hardest certification exam I’ve ever taken. It combines specificity of questions with breadth of scope. It then adds unique situational context to questions that might (or not) change Azure defaults or how services work. Understanding the defaults that apply to common account types and how these are affected by licensing is worth spending time learning.

I strongly recommend reading the study guide for the exam and planning out your study as my disorganised approach to this exam clearly wasn’t ideal. I found online exam websites best for filling gaps in knowledge as most questions have commentary from other users on the topic. I cannot emphasise enough that labs and practical exercises are essential—they will help cement the ideas after you’ve studied the concepts.

I found studying for this certification quite valuable and, while I may not immediately use the knowledge, it is definitely beneficial to know how Azure environments can and should be secured.