Aspired to become a Microsoft Certified Azure Security Engineer? Here’s the
definitive guide for your AZ-500 exam preparation, follow this and start your
preparation for the Azure AZ-500 certification exam.
Microsoft is one of the strongest names in the world of cloud computing. The
cloud service platform of Microsoft, Azure, is one of the market leaders in
cloud computing along with AWS and Google Cloud. Therefore, the demand for Azure
certifications is always high. One of the most recently launched Azure exams is
Microsoft Azure AZ 500 that is ideal for the role of Microsoft Azure Security
Engineer.
Many sources on the internet help candidates in the AZ-500 exam preparation.
However, the following discussion would aim at illustrating every detail of the
exam to support your preparation. The discussion can serve as a guiding path for
you to start preparation immediately for the Azure Security certification. So,
let us get started!
Use this quick start guide to collect all the information about Microsoft Azure
Security Technologies (AZ-500) Certification exam. This study guide provides a
list of objectives and resources that will help you prepare for items on the
AZ-500 Microsoft Azure Security Technologies exam. The Sample Questions will
help you identify the type and difficulty level of the questions and the
Practice Exams will make you familiar with the format and environment of an
exam. You should refer this guide carefully before attempting your actual
Microsoft MCA Azure Security Engineer certification exam.
The Microsoft Azure Security Technologies certification is mainly targeted to
those candidates who want to build their career in Microsoft Azure domain. The
Microsoft Certified - Azure Security Engineer Associate exam verifies that the
candidate possesses the fundamental knowledge and proven skills in the area of
Microsoft MCA Azure Security Engineer.
Skills measured
The content of this exam will be updated on August 2, 2021. Please download the
exam skills outline below to see what will be changing.
Manage identity and access (30-35%)
Implement platform protection (15-20%)
Manage security operations (25-30%)
Secure data and applications (20-25%)
Manage identity and access (30-35%)
Manage Azure Active Directory identities
configure security for service principals
manage Azure AD directory groups
manage Azure AD users
manage administrative units
configure password writeback
configure authentication methods including password hash and Pass Through
Authentication (PTA), OAuth, and passwordless
transfer Azure subscriptions between Azure AD tenants
Configure secure access by using Azure AD
monitor privileged access for Azure AD Privileged Identity Management
(PIM)
configure Access Reviews
configure PIM
implement Conditional Access policies including Multi-Factor Authentication
(MFA)
configure Azure AD identity protection
Manage application access
create App Registration
configure App Registration permission scopes
manage App Registration permission consent
manage API access to Azure subscriptions and resources
Manage access control
configure subscription and resource permissions
configure resource group permissions
configure custom RBAC roles
identify the appropriate role
o apply principle of least privilege
interpret permissions
o check access
Implement platform protection (15-20%)
Implement advanced network security
secure the connectivity of virtual networks (VPN authentication, Express
Route encryption)
configure Network Security Groups (NSGs) and Application Security Groups (ASGs)
create and configure Azure Firewall
implement Azure Firewall Manager
configure Azure Front Door service as an Application Gateway
configure a Web Application Firewall (WAF) on Azure Application Gateway
configure Azure Bastion
configure a firewall on a storage account, Azure SQL, Key Vault, or App
Service
implement Service Endpoints
implement DDoS protection
Configure advanced security for compute
configure endpoint protection
configure and monitor system updates for VMs
configure authentication for Azure Container Registry
configure security for different types of containers
o implement vulnerability management
o configure isolation for AKS
o configure security for container registry
implement Azure Disk Encryption
configure authentication and security for Azure App Service
o configure SSL/TLS certs
o configure authentication for Azure Kubernetes Service
o configure automatic updates
Manage security operations (25-30%)
Monitor security by using Azure Monitor
create and customize alerts
monitor security logs by using Azure Monitor
configure diagnostic logging and log retention
Monitor security by using Azure Security Center
evaluate vulnerability scans from Azure Security Center
configure Just in Time VM access by using Azure Security Center
configure centralized policy management by using Azure Security Center
configure compliance policies and evaluate for compliance by using Azure
Security Center
configure workflow automation by using Azure Security Center
Monitor security by using Azure Sentinel
create and customize alerts
configure data sources to Azure Sentinel
evaluate results from Azure Sentinel
configure a playbook by using Azure Sentinel
Configure security policies
configure security settings by using Azure Policy
configure security settings by using Azure Blueprint
Secure data and applications (20-25%)
Configure security for storage
configure access control for storage accounts
configure key management for storage accounts
configure Azure AD authentication for Azure Storage
configure Azure AD Domain Services authentication for Azure Files
create and manage Shared Access Signatures (SAS)
o create a shared access policy for a blob or blob container
configure Storage Service Encryption
configure Azure Defender for Storage
Configure security for databases
enable database authentication
enable database auditing
configure Azure Defender for SQL
o configure Azure SQL Database
Advanced Threat Protection
implement database encryption
o implement Azure SQL Database Always Encrypted
Configure and manage Key Vault
manage access to Key Vault
manage permissions to secrets, certificates, and keys
o configure RBAC usage in Azure Key Vault
manage certificates
manage secrets
configure key rotation
backup and restore of Key Vault items
configure Azure Defender for Key Vault
The exam guide below shows the changes that will be
implemented on August 2, 2021.
Audience Profile
Candidates for this exam should have subject matter expertise implementing
security controls and threat protection, managing identity and access, and
protecting data, applications, and networks.
Responsibilities for an Azure Security Engineer include maintaining the security
posture, identifying and remediating vulnerabilities by using a variety of
security tools, implementing threat protection, and responding to security
incident escalations.
Azure Security Engineers often serve as part of a larger team dedicated to
cloud-based management and security and may also secure hybrid environments as
part of an end-to-end infrastructure.
A candidate for this exam should be familiar with scripting and automation, and
should have a deep understanding of networking and virtualization. A candidate
should also have a strong familiarity with cloud capabilities, Azure products
and services, and other Microsoft products and services.
Skills Measured
NOTE: The bullets that follow each of the skills measured are intended to
illustrate how we are assessing that skill. This list is NOT definitive or
exhaustive.
NOTE: Most questions cover features that are General Availability (GA). The exam
may contain questions on Preview features if those features are commonly used.
Manage identity and access (30-35%)
Manage Azure Active Directory identities
configure security for service principals
manage Azure AD directory groups
manage Azure AD users
manage administrative units
configure password writeback
configure authentication methods including password hash and Pass Through
Authentication (PTA), OAuth, and passwordless
transfer Azure subscriptions between Azure AD tenants
Configure secure access by using Azure AD
monitor privileged access for Azure AD Privileged Identity Management
(PIM)
configure Access Reviews
configure PIM
implement Conditional Access policies including Multi-Factor Authentication
(MFA)
configure Azure AD identity protection
Manage application access
create App Registration
configure App Registration permission scopes
manage App Registration permission consent
manage API access to Azure subscriptions and resources
Manage access control
configure subscription and resource permissions
configure resource group permissions
configure custom RBAC roles
identify the appropriate role
o apply principle of least privilege
interpret permissions
o check access
Implement platform protection (15-20%)
Implement advanced network security
secure the connectivity of virtual networks (VPN authentication, Express
Route encryption)
configure Network Security Groups (NSGs) and Application Security Groups (ASGs)
create and configure Azure Firewall
implement Azure Firewall Manager
configure Azure Front Door service as an Application Gateway
configure a Web Application Firewall (WAF) on Azure Application Gateway
configure Azure Bastion
configure a firewall on a storage account, Azure SQL, Key Vault, or App
Service
implement Service Endpoints
implement DDoS protection
Configure advanced security for compute
configure endpoint protection
configure and monitor system updates for VMs
configure authentication for Azure Container Registry
configure security for different types of containers
o implement vulnerability management
o configure isolation for AKS
o configure security for container registry
implement Azure Disk Encryption
configure authentication and security for Azure App Service
o configure SSL/TLS certs
o configure authentication for Azure Kubernetes Service
o configure automatic updates
Manage security operations (25-30%)
Monitor security by using Azure Monitor
create and customize alerts
monitor security logs by using Azure Monitor
configure diagnostic logging and log retention
Monitor security by using Azure Security Center
evaluate vulnerability scans from Azure Security Center
configure Just in Time VM access by using Azure Security Center
configure centralized policy management by using Azure Security Center
configure compliance policies and evaluate for compliance by using Azure
Security Center
configure workflow automation by using Azure Security Center
Monitor security by using Azure Sentinel
create and customize alerts
configure data sources to Azure Sentinel
evaluate results from Azure Sentinel
configure a playbook by using Azure Sentinel
Configure security policies
configure security settings by using Azure Policy
configure security settings by using Azure Blueprint
Secure data and applications (20-25%)
Configure security for storage
configure access control for storage accounts
configure key management for storage accounts
configure Azure AD authentication for Azure Storage
configure Azure AD Domain Services authentication for Azure Files
create and manage Shared Access Signatures (SAS)
o create a shared access policy for a blob or blob container
configure Storage Service Encryption
configure Azure Defender for Storage
Configure security for databases
enable database authentication
enable database auditing
configure Azure Defender for SQL
o configure Azure SQL Database Advanced Threat Protection
implement database encryption
o implement Azure SQL Database Always Encrypted
Configure and manage Key Vault
manage access to Key Vault
manage permissions to secrets, certificates, and keys
o configure RBAC usage in Azure Key Vault
manage certificates
manage secrets
configure key rotation
backup and restore of Key Vault items
configure Azure Defender for Key Vault
QUESTION 1
You need to meet the identity and access requirements for Group1.
What should you do?
A. Add a membership rule to Group1.
B. Delete Group1. Create a new group named Group1 that has a group type of
Microsoft 365. Add users and devices to the group.
C. Modify the membership rule of Group1.
D. Change the membership type of Group1 to Assigned. Create two groups that have
dynamic memberships. Add the new groups to Group1.
Correct Answer: B
Explanation/Reference:
Incorrect Answers:
A, C: You can create a dynamic group for devices or for users, but you can't
create a rule that contains both users and devices.
D: For assigned group you can only add individual members.
QUESTION 2
You need to ensure that User2 can implement PIM.
What should you do first?
A. Assign User2 the Global administrator role.
B. Configure authentication methods for contoso.com.
C. Configure the identity secure score for contoso.com.
D. Enable multi-factor authentication (MFA) for User2.
Correct Answer: A
Explanation/Reference:
Explanation:
To start using PIM in your directory, you must first enable PIM.
1. Sign in to the Azure portal as a Global Administrator of your directory.
You must be a Global Administrator with an organizational account (for example,
@yourdomain.com), not a Microsoft account (for example, @outlook.com), to enable
PIM for a directory.
Scenario: Technical requirements include: Enable Azure AD Privileged Identity
Management (PIM) for contoso.com
QUESTION 3
You need to ensure that you can meet the security operations requirements.
What should you do first?
A. Turn on Auto Provisioning in Security Center.
B. Integrate Security Center and Microsoft Cloud App Security.
C. Upgrade the pricing tier of Security Center to Standard.
D. Modify the Security Center workspace configuration.
Correct Answer: C
Explanation/Reference:
Explanation:
The Standard tier extends the capabilities of the Free tier to workloads running
in private and other public clouds, providing unified security management and
threat protection across your hybrid cloud workloads.
The Standard tier also adds advanced threat detection capabilities, which uses
built-in behavioral analytics and machine learning to identify attacks and
zero-days exploits, access and application controls to reduce exposure to
network attacks and malware, and more.
Scenario: Security Operations Requirements
Litware must be able to customize the operating system security configurations
in Azure Security Center.
QUESTION 4
You need to configure WebApp1 to meet the data and application requirements.
Which two actions should you perform? Each correct answer presents part of the
solution.
NOTE: Each correct selection is worth one point.
A. Upload a public certificate.
B. Turn on the HTTPS Only protocol setting.
C. Set the Minimum TLS Version protocol setting to 1.2.
D. Change the pricing tier of the App Service plan.
E. Turn on the Incoming client certificates protocol setting.
Correct Answer: AC
Explanation/Reference:
Explanation:
A: To configure Certificates for use in Azure Websites Applications you need to
upload a public Certificate.
C: Over time, multiple versions of TLS have been released to mitigate different
vulnerabilities. TLS 1.2 is the most current version available for apps running
on Azure App Service.
Incorrect Answers:
B: We need support the http url as well.
QUESTION 5
SIMULATION
You need to ensure that when administrators deploy resources by using an Azure
Resource Manager template, the deployment can access secrets in an Azure key
vault named KV11597200.
To complete this task, sign in to the Azure portal.
Correct Answer: See the explanation below.
Section: (none)
Explanation/Reference:
Explanation:
You need to configure an option in the Advanced Access Policy of the key vault.
1. In the Azure portal, type Azure Key Vault in the search box, select Azure Key
Vault from the search results then select the key vault named KV11597200.
Alternatively, browse to Azure Key Vault in the left navigation pane.
2. In the properties of the key vault, click on Advanced Access Policies.
3. Tick the checkbox labelled Enable access to Azure Resource Manager for
template deployment.
4. Click Save to save the changes.
Actualkey Microsoft Azure AZ-500 exam pdf, Certkingdom Microsoft Azure AZ-500 PDF
Best Microsoft Azure AZ-500 Certification, Microsoft Azure AZ-500 Training at certkingdom.com
