I spent (a lot of) time preparing AZ-500 Microsoft Azure Security Technologies Certification. It is time now to share my preparation notes for those who are interested to pass this exam and get certified. This article is just one another preparation guide to Microsoft exam AZ-500 but I hope it will be useful 🙂

Even you don’t plan to take the exam, all this content is really interesting to read and understand if you want to discover and improve your knowledge on security on Azure.

Before starting studying, you must know very well what this certification is about and what are the prerequisites.

The topics included in this exam are the following :

  • Manage identity and access (20-25%)
  • Implement platform protection (35-40%)
  • Manage security operations (15-20%)
  • Secure data and applications (30-35%)

More details : 
https://www.microsoft.com/en-us/learning/exam-az-500.aspx

Manage identity and access (20-25%)

Configure Microsoft Azure Active Directory for workloads

How to: Use the portal to create an Azure AD application and service principal that can access resources
https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

Permissions and consent in the Azure Active Directory v2.0 endpoint
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent

Configure Multi-Factor Authentication settings
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings

Enterprise user management documentation – Azure Active Directory
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/

Manage Microsoft Azure AD directory groups
Create a basic group and add members using Azure Active Directory
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal

What is guest user access in Azure Active Directory B2B?
https://docs.microsoft.com/en-us/azure/active-directory/b2b/what-is-b2b

Configure Microsoft Azure AD Privileged Identity Management

Configure Microsoft Azure AD identity protection

What is Azure Active Directory Identity Protection?
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview

Vulnerabilities detected by Azure Active Directory Identity Protection
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/vulnerabilities

Configure Microsoft Azure AD Privileged Identity Management
Monitor privileged access, configure Access Reviews, activate Privileged Identity Management
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-deployment-plan

Configure Microsoft Azure tenant security

Transfer Microsoft Azure subscriptions between Microsoft Azure AD tenants, manage API access to Microsoft Azure subscriptions and resources

Transfer ownership of an Azure subscription to another account
https://docs.microsoft.com/en-us/azure/billing/billing-subscription-transfer

https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-aad
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-api-authentication
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api

Implement platform protection (35-40%)

Implement network security

What is Azure Virtual Network?
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

Security Group
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

Configure Network Security Groups (NSGs)
https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group

Understanding Application Security Groups in the Azure Portal
https://www.petri.com/understanding-application-security-groups-in-the-azure-portal

Create and configure application security groups
https://azure.microsoft.com/en-gb/blog/applicationsecuritygroups/

Services Tags
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags

What is Azure Firewall ?
https://docs.microsoft.com/en-us/azure/firewall/overview

Tutorial: Deploy and configure Azure Firewall using the Azure portal
https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal

Configure remote access management – Security management in Azure
https://docs.microsoft.com/en-us/azure/security/azure-security-management

Configure baseline – Protect your network resources in Azure Security Center
https://docs.microsoft.com/en-us/azure/security-center/security-center-network-recommendations

Configure Azure Storage firewalls and virtual networks
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security

Azure SQL Database and SQL Data Warehouse IP firewall rules
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure

Implement host security

configure VM Security – Security best practices for IaaS workloads in Azure
https://docs.microsoft.com/en-us/azure/security/azure-security-iaas

Manage endpoint protection issues with Azure Security Center
https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection

Manage virtual machine access using just-in-time
https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time

Manage Windows updates by using Azure Automation
https://docs.microsoft.com/en-us/azure/automation/automation-tutorial-update-management

Automate resources in your datacenter or cloud by using Hybrid Runbook Worker
https://docs.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker

Configure Baseline – Customize OS security configurations in Azure Security Center
https://docs.microsoft.com/en-us/azure/security-center/security-center-customize-os-security-config

Configure container security

Container Security in Azure
https://azure.microsoft.com/mediahandler/files/resourcefiles/container-security-in-microsoft-azure/Open%20Container%20Security%20in%20Microsoft%20Azure.pdf

Configure network – Enable containers to use Azure Virtual Network capabilities
https://docs.microsoft.com/en-us/azure/virtual-network/container-networking-overview

Configure authentication – Service principals with Azure Kubernetes Service (AKS)
https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal

Secure traffic between pods using network policies in Azure Kubernetes Service (AKS)
https://docs.microsoft.com/en-us/azure/aks/use-network-policies

Configure AKS security – Security concepts for applications and clusters in Azure Kubernetes Service (AKS)
https://docs.microsoft.com/en-us/azure/aks/concepts-security

Configure container registry
https://docs.microsoft.com/en-us/azure/container-registry/

Best practices for Azure Container Registry
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-best-practices

Configure container instance security
https://docs.microsoft.com/en-us/azure/container-instances/

Implement vulnerability management
https://www.aquasec.com/solutions/azure-container-security/

Implement Microsoft Azure Resource management security

Create Microsoft Azure resource locks
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources

Manage resource group security with Azure RBAC
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

Built-in roles for Azure resources
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Configure custom RBAC roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

Configure Microsoft Azure policies
https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage

Configure subscription and resource permissions
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal

Manage security operation (15-20%)

Configure Security Services

Configure Microsoft Azure Monitor
Azure Monitor overview
https://docs.microsoft.com/en-us/azure/azure-monitor/overview

Configure Azure Log Analytics for data security
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-security

Configure Azure diagnostic logs
https://docs.microsoft.com/en-us/azure/security/azure-log-audit#azure-diagnostics-logs

Configure Microsoft Azure Log Analytics
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-access

Configure diagnostic logging and log retention
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-logs-overview

Configure vulnerability scanning
https://docs.microsoft.com/en-us/azure/security-center/security-center-vulnerability-assessment-recommendations

Configure Security Policies

Working with security policies
https://docs.microsoft.com/en-us/azure/security-center/tutorial-security-policy

Azure security policies monitored by Security Center
https://docs.microsoft.com/en-us/azure/security-center/security-center-policy-definitions

Configure centralized policy management by using Microsoft Azure Security Center
https://docs.microsoft.com/en-us/azure/security-center/tutorial-security-policy

Configure Just in Time VM access by using Microsoft Azure Security Center
https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time

Managed Security Alerts

Create and customize alerts
Custom Alert Rules in Azure Security Center (Preview)
https://docs.microsoft.com/en-us/azure/security-center/security-center-custom-alert

Review and respond to alerts and recommendations
https://docs.microsoft.com/en-us/azure/security-center/security-center-managing-and-responding-alerts
https://docs.microsoft.com/en-us/azure/security-center/security-center-recommendations

Configure a playbook for a security event by using Microsoft Azure Security Center
https://docs.microsoft.com/en-us/azure/security-center/security-center-playbooks

Investigate escalated security incidents
https://docs.microsoft.com/en-us/azure/security-center/security-center-investigation

Secure Data and Applications (30-35%)

Configure security policies to manage data

Achieving Compliant Data Residency and Security with Azure
https://azure.microsoft.com/mediahandler/files/resourcefiles/achieving-compliant-data-residency-and-security-with-azure/Achieving_Compliant_Data_Residency_and_Security_with_Azure.pdf

Configure data sovereignty using Azure Policy
https://docs.microsoft.com/en-us/azure/governance/policy/samples/allowed-locations

Configure Data Retention
https://www.microsoft.com/en-us/trustcenter/privacy/data-management

Configure data retention (Storage Analytics)
https://docs.microsoft.com/en-us/rest/api/storageservices/setting-a-storage-analytics-data-retention-policy

Azure Data Explorer (Retention)
https://docs.microsoft.com/en-us/azure/kusto/management/retention-policy
https://docs.microsoft.com/en-us/azure/kusto/concepts/retentionpolicy

Configure data classification
https://docs.microsoft.com/en-us/azure/information-protection/infoprotect-settings-tutorial

Configure security for data infrastructure

Enable database authentication
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication

Configure and manage Azure Active Directory authentication with SQL
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure

Get started with SQL database auditing
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing

Azure SQL Database threat detection for single or pooled databases
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-threat-detection

Azure Storage security guide
https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide

Configure key management for storage accounts
https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption-customer-managed-keys

Create and manage Shared Access Signatures (SAS)
https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1

An introduction to Apache Hadoop security with Enterprise Security Package
https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-introduction

Configure security for HDInsights
https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-configure-using-azure-adds

Security in Azure Cosmos DB – overview
https://docs.microsoft.com/en-us/azure/cosmos-db/database-security

Secure access to data in Azure Cosmos DB
https://docs.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data

Data encryption in Azure Cosmos DB
https://docs.microsoft.com/en-us/azure/cosmos-db/database-encryption-at-rest

High availability with Azure Cosmos DB
https://docs.microsoft.com/en-us/azure/cosmos-db/high-availability

Online backup and on-demand data restore in Azure Cosmos DB
https://docs.microsoft.com/en-us/azure/cosmos-db/online-backup-and-restore

Configure security for Microsoft Azure Data Lake
https://docs.microsoft.com/en-us/azure/data-lake-store/data-lake-store-network-security
https://docs.microsoft.com/en-us/azure/storage/common/storage-data-lake-storage-security-guide

Configure encryption for data at rest —-

Implement Microsoft Azure SQL Database Always Encrypted
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-always-encrypted
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-always-encrypted-azure-key-vault

Implement database encryption
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-2017

Transparent data encryption for SQL Database and Data Warehouse
https://docs.microsoft.com/en-us/azure/sql-database/transparent-data-encryption-azure-sql?view=sql-server-2017

Azure SQL Transparent Data Encryption with customer-managed keys in Azure Key Vault: Bring Your Own Key support
https://docs.microsoft.com/en-us/azure/sql-database/transparent-data-encryption-byok-azure-sql?view=sql-server-2017

How to use Key Vault soft-delete with PowerShell
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-powershell

Azure Storage Service Encryption for data at rest
https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption

Storage Service Encryption using customer-managed keys in Azure Key Vault
https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption-customer-managed-keys

Azure Disk Encryption for IaaS VMs
https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview

Implement backup encryption
https://docs.microsoft.com/en-us/azure/backup/backup-azure-backup-faq#encryption

Implement security for application delivery

Securing PaaS deployments
https://docs.microsoft.com/en-us/azure/security/security-paas-deployments

Monitor availability and responsiveness of any web site
https://docs.microsoft.com/en-us/azure/azure-monitor/app/monitor-web-app-availability

—- Configure application security

App Service and Functions hosted apps can now update TLS versions!
https://blogs.msdn.microsoft.com/appserviceteam/2018/04/17/app-service-and-functions-hosted-apps-can-now-update-tls-versions/

Configure SSL/TLS certs
https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl

Tutorial: Bind an existing custom SSL certificate to Azure App Service
https://docs.microsoft.com/fr-fr/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-1112

Configure Microsoft Azure services to protect web apps
https://docs.microsoft.com/en-us/azure/application-gateway/create-web-app

Create an application security baseline
https://docs.microsoft.com/en-us/azure/security/security-paas-deployments

Configure and manage Key Vault

About keys, secrets, and certificates
https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates

Secure access to a key vault
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault

Manage certificates, manage secrets, configure key rotation
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-key-rotation-log-monitoring

Azure Storage account key management
https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates#azure-storage-account-key-management

Azure Key Vault managed storage account – CLI
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-storage-keys

Azure Storage Account Keys Automatic Rotation
http://www.wahidsaleemi.com/2017/08/azure-storage-account-keys-automatic-rotation/

Hope this preparation guide will be useful for you. Don’t hesitate to post a comment or send me a message on Twitter @squastana or on LinkedIn
https://www.linkedin.com/in/stanislasquastana/

Last but not least, don’t forget to spend time on http://microsoft.com/learn where you can find additional materials to prepare your certification.

— Stanislas Quastana —

  1. Man this is a very good job right here. You made my preparations easier with this. I’ve got the exam scheduled less than 48 and I’m sure this will help me brush up.

    • Hi James, How your exam went? I’m also preparing to appear for this exam if you could help with guiding me.

      Below are my contact details, it would be really helpful if you can share your experience.

      Email – ankit1767@gmail.com
      WhatsApp Contact – +91-9643895235

Leave a Reply