About this practice test
The Microsoft Azure Security Engineer Associate (AZ-500) is Microsoft's flagship security credential for Azure. It validates that you can implement, manage, and monitor security across Azure identity, networking, compute, data, and operations — protecting workloads from initial threat modeling through detection, response, and post-incident hardening.
This practice test gives you 250 scenario-style multiple-choice questions with detailed, multi-sentence explanations. Questions are written at the associate-engineer level: realistic Azure environments, multiple plausible defenses, and a right choice that usually comes down to weighing two valid options against a constraint (compliance, latency, blast radius, cost) that you have to spot. The bank follows the latest AZ-500 curriculum and matches the official exam-blueprint weighting.
What the AZ-500 exam covers
- Manage identity and access (25–30%) — Microsoft Entra ID (tenant management, custom and built-in roles, Conditional Access, Identity Protection, Privileged Identity Management, Authentication Methods policy, passwordless, FIDO2, B2B and External ID, Cross-Tenant Access Settings), hybrid identity (Microsoft Entra Connect, Cloud Sync, Pass-Through Authentication, Password Hash Sync, federation), application security (Service Principals, Managed Identities, app registrations, OAuth scopes, consent framework, application proxy), Azure RBAC at scale (custom roles, scope boundaries, Just-In-Time elevation, Access Reviews), Microsoft Entra Domain Services for legacy workloads.
- Secure networking (20–25%) — Virtual Network design (subnetting, NSGs, ASGs), Azure Firewall (Standard / Premium tiers, IDPS, TLS inspection, threat intelligence), Azure Bastion for jump-host elimination, Web Application Firewall (on Application Gateway / Front Door / CDN with OWASP CRS and bot management), DDoS Protection (Standard / IP Protection), Private Endpoints vs Service Endpoints, Private DNS Zones, secure remote access (Point-to-Site VPN with Entra auth, Azure Virtual Desktop, Just-In-Time VM access), service tags, ExpressRoute encryption, hub-spoke + Azure Virtual WAN security inspection.
- Secure compute, storage, and databases (20–25%) — VM hardening (Trusted Launch, Confidential Computing, Azure Disk Encryption, ADE with Key Vault, host encryption), Azure Kubernetes Service security (managed identity, Pod Identity, Workload Identity, Microsoft Defender for Containers, OPA Gatekeeper via Azure Policy, network policies, private clusters), App Service security (TLS, authentication, networking, slot deployment), serverless security (Function Apps, managed identity), data protection (Storage Account firewalls, blob immutability, soft delete, shared key vs Entra ID auth, SAS scopes, Azure Files identity-based auth), Azure SQL security (Always Encrypted, TDE with CMK, Microsoft Defender for SQL, Vulnerability Assessment, Auditing, Dynamic Data Masking, Row-Level Security), Cosmos DB (RBAC, IP firewall, Private Endpoints), Key Vault (access policies vs RBAC, soft delete, purge protection, network restrictions, Managed HSM).
- Manage security operations (25–30%) — Microsoft Defender for Cloud (Secure Score, regulatory compliance dashboard, Defender plans per workload, Just-In-Time VM access, adaptive application controls, file integrity monitoring), Microsoft Defender XDR integration, Microsoft Sentinel (data connectors, workbooks, analytics rules, hunting queries, playbooks via Logic Apps, SOAR, UEBA, Microsoft Sentinel content hub), KQL hunting, Azure Monitor for security signals (Activity Logs, Diagnostic Settings, Log Analytics), security baselines (Azure Policy with regulatory initiatives — NIST SP 800-53, ISO 27001, PCI DSS, CIS, HIPAA, FedRAMP), incident response runbooks, security automation, vulnerability management (Defender Vulnerability Management, Qualys / TVM integration), threat hunting and intelligence.
Exam format on Microsoft Learn
The live AZ-500 has 40–60 questions over roughly 120 minutes of seat time (about 150 minutes total including instructions). It uses multiple-choice, multiple-response, drag-and-drop ordering, hot-area, and case-study questions (a long scenario followed by linked questions). The passing score is 700 / 1000 (~70%). The exam is available in English, Japanese, Simplified Chinese, Korean, German, French, Spanish, and Portuguese, at Pearson VUE test centers or online proctored. Recertification is annual via a free renewal assessment on Microsoft Learn.
Who should take this?
Working Azure security engineers, cloud security analysts, SOC engineers, platform engineers, and DevSecOps engineers with hands-on Azure experience. Microsoft recommends prior AZ-104 (Administrator) familiarity and a working knowledge of Microsoft Entra, networking, and the Azure portal. Many candidates pair AZ-500 with SC-200 (Security Operations Analyst) for blue-team depth, SC-300 (Identity and Access Administrator) for IAM depth, SC-100 (Cybersecurity Architect Expert) for architect-tier breadth, and AZ-305 (Solutions Architect Expert) for full-stack architecture. AZ-500 is also a common stepping stone toward CCSP and CISSP.
Free to attempt with a TestsWorld account. No card required.