Level: Advanced | Exam: AZ-500 | Prep time: 8–10 weeks | 8 min read

AZ-500: Azure Security Engineer Associate — Study Guide

Complete study guide for the AZ-500 Azure Security Engineer Associate exam. Covers Entra ID security, networking, compute, data protection, and Security Operations — for security-focused roles.

Tags: azure, az-500, security, key-vault, defender, entra-id, pim, sentinel, advanced

Domains: 8 | Key concepts: 12 | Study time: 8–10 weeks

Exam Overview

| Detail | Info |
|---|---|
| Exam code | AZ-500 |
| Duration | 120 minutes |
| Questions | 40–60 |
| Passing score | 700 / 1000 |
| Cost | ~$165 USD |
| Validity | Renew annually |
| Prerequisite | AZ-104 strongly recommended |

Domain Weightings

| Domain | Weight |
|---|---|
| Manage Identity and Access | 25–30% |
| Secure Networking | 20–25% |
| Secure Compute, Storage, and Databases | 20–25% |
| Manage Security Operations | 25–30% |

Domain 1: Manage Identity and Access (25–30%)

Microsoft Entra ID security

  • Conditional Access — grant access only when conditions are met: user role, device compliance, location, risk level.
  • Named Locations — define trusted IP ranges; exclude from MFA requirements.
  • Sign-in risk / user risk — Identity Protection calculates risk scores; policy blocks or forces MFA on risky sign-ins.
  • MFA — enforce via Conditional Access (preferred) or per-user MFA. Methods: Authenticator app, FIDO2, SMS.
  • SSPR (Self-Service Password Reset) — reduce helpdesk calls; configure authentication methods.

Privileged Identity Management (PIM)

  • Eligible assignments — user can activate the role JIT; not permanently active.
  • Active assignments — role is always active.
  • Activation settings — max duration, require MFA, require justification, require approval.
  • Access reviews — periodic review to certify who still needs privileged roles.
  • PIM for Groups — manage group membership with JIT just like roles.

Managed Identities and Service Principals

  • Managed Identity — Azure-managed credential for services; no secrets to manage.
  • Service Principal — programmatic identity for apps/scripts; use managed identity instead when possible.
  • App registration — defines the app identity; service principal is its instance in a tenant.

External identities

  • B2B Collaboration — invite external users; they use their own IdP.
  • B2C — customer-facing identity; custom sign-up/sign-in experiences.
  • Cross-tenant access policies — control what B2B guests can do in your tenant.

Domain 2: Secure Networking (20–25%)

Network segmentation and filtering

  • NSG — Layer 4 stateful filter at subnet/NIC level; allow + deny rules by IP/port.
  • Application Security Groups (ASG) — group VMs logically in NSG rules; easier than IP management.
  • Azure Firewall — managed Layer 3–7 stateful firewall; FQDN rules, TLS inspection, IDPS.
  • Azure Firewall Premium — adds TLS inspection, IDPS (Intrusion Detection/Prevention), URL filtering.
  • Forced tunnelling — route all internet traffic through on-premises or NVA for inspection.

DDoS protection

| Plan | Cost | Coverage |
|---|---|---|
| DDoS Network Protection | ~$2,944/month per VNet | Layer 3/4; SLA; cost protection; DRR team |
| DDoS IP Protection | Per public IP | Basic DDoS mitigation |
| Default infrastructure protection | Free | Basic volumetric protection |

Private connectivity

  • Private Endpoints — inject Azure service (Storage, SQL, Key Vault) into VNet with private IP.
  • Service Endpoints — route traffic to Azure services over Azure backbone; resource stays public but accessible from VNet only.
  • VNet Service Endpoint Policies — restrict service endpoints to specific storage accounts.

Web Application Firewall (WAF)

  • Deploy on Application Gateway (regional) or Azure Front Door (global).
  • Detection mode — log without blocking (use for initial deployment to tune rules).
  • Prevention mode — actively block matching requests.
  • Custom rules: IP-based, rate limiting, geolocation blocking.

Domain 3: Secure Compute, Storage, and Databases (20–25%)

VM security

  • JIT (Just-in-Time) VM access — Defender for Cloud; temporarily open management ports on demand; locked by default.
  • Azure Bastion — RDP/SSH via browser; no public IP on VM.
  • Disk encryption — Azure Disk Encryption (BitLocker/DM-Crypt + Key Vault CMK); mandatory for compliance.
  • Endpoint protection — Microsoft Defender for Endpoint (MDE) integrated with Defender for Cloud.

Storage security

  • Storage account keys — rotate regularly; prefer SAS tokens or managed identities.
  • Shared Access Signatures (SAS) — delegate limited access; always set expiry and allowed IP.
  • Immutable storage — WORM (Write Once Read Many) with Object Lock; compliance or legal hold.
  • Microsoft Defender for Storage — detect anomalous access patterns, malware uploads, data exfiltration.
  • Private Endpoint for storage — disable public access; use private endpoint for all access.
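As an added example (not code from the original guide), a small Python audit that checks a SAS URL against the hygiene rules listed above: expiry set and short, allowed IP range set, HTTPS only, least-privilege permissions. It assumes an 8-hour policy lifetime (`MAX_LIFETIME`), a fixed clock (`DEMO_NOW`), and constructed sample URLs with a fake host and a placeholder signature.

```python
"""Audit a SAS URL against the hygiene rules from the Storage security section
(expiry set and short, allowed IP range set, HTTPS only, least-privilege
permissions). Added example, not from the original guide; MAX_LIFETIME is an
assumed policy value and the sample URLs are constructed with a fake host and
signature (sig=PLACEHOLDER), not real credentials."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(hours=8)   # assumed policy: no SAS may live longer than 8h
READ_ONLY = {"r", "l"}              # read and list; every other permission can modify data
DEMO_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the demo


def _parse_expiry(value: str) -> datetime:
    """Parse the SAS 'se' field (ISO 8601 with 'Z', or date-only) as UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def audit_sas(url: str, now: datetime) -> list:
    """Return findings for the SAS carried by `url`; an empty list means it passes."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q or "sv" not in q:
        return ["not a SAS URL (missing sig or sv)"]
    findings = []
    if "se" not in q:
        findings.append("no expiry (se) set")
    else:
        expiry = _parse_expiry(q["se"])
        if expiry <= now:
            findings.append("token already expired")
        elif expiry - now > MAX_LIFETIME:
            findings.append("expiry exceeds policy lifetime of %s" % MAX_LIFETIME)
    if "sip" not in q:
        findings.append("no allowed IP range (sip) set")
    if q.get("spr", "https,http") != "https":   # absent spr = both protocols allowed
        findings.append("plain HTTP allowed (spr should be https)")
    extra = set(q.get("sp", "")) - READ_ONLY
    if extra:
        findings.append("write-capable permissions: " + "".join(sorted(extra)))
    if "ss" in q and "srt" in q:                # account SAS rather than service SAS
        findings.append("account SAS (prefer a service SAS scoped to one resource)")
    return findings


# Constructed sample URLs (fake host, placeholder signature) for the demo.
GOOD_SAS = ("https://examplestorage.blob.core.windows.net/reports/q1.pdf"
            "?sv=2022-11-02&sr=b&sp=r&se=2024-01-01T14:00:00Z"
            "&sip=203.0.113.10-203.0.113.20&spr=https&sig=PLACEHOLDER")
BAD_SAS = ("https://examplestorage.blob.core.windows.net/reports"
           "?sv=2022-11-02&sr=c&sp=racwdl&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER")
```

Running `audit_sas(BAD_SAS, DEMO_NOW)` reports the four weaknesses (long expiry, no IP range, HTTP allowed, write-capable permissions) while the restricted token passes cleanly.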

Azure Key Vault

  • Secrets — database passwords, API keys, connection strings.
  • Keys — CMKs for encryption (EK, Key Vault Managed HSM for FIPS 140-2 Level 3).
  • Certificates — SSL/TLS certificate lifecycle management.
  • Access policies vs RBAC — use RBAC for Key Vault (granular; integrates with PIM).
  • Soft delete + Purge protection — prevent accidental deletion; recovery window (7–90 days).
  • Firewall and virtual network rules — restrict Key Vault to specific VNets and IPs.

Database security

  • Azure SQL Transparent Data Encryption (TDE) — default; uses service-managed or CMK.
  • Always Encrypted — encrypt data at rest + in transit; even DBAs can't see plaintext.
  • Row-Level Security — filter rows based on user identity.
  • Dynamic Data Masking — mask sensitive columns for non-privileged users.
  • Microsoft Defender for SQL — detect SQL injection, anomalous access, brute force.
  • Azure SQL Auditing → Log Analytics / Storage for compliance.

Domain 4: Manage Security Operations (25–30%)

Microsoft Defender for Cloud

  • Secure Score — percentage of security recommendations fulfilled; higher = more secure.
  • Security recommendations — actionable steps to improve posture.
  • Workload protections — Defender for Servers, Storage, SQL, Key Vault, Containers, App Service.
  • Regulatory compliance — map posture against CIS, NIST, PCI-DSS, ISO 27001.
  • Multicloud — connect AWS (via Defender CSPM) and GCP for unified view.

Microsoft Sentinel (SIEM + SOAR)

  • Data connectors — ingest logs from Azure, Microsoft 365, AWS, 3rd party (Palo Alto, Cisco).
  • Workbooks — pre-built dashboards for each data connector.
  • Analytics rules — KQL-based detection rules; create incidents from alerts.
    • Scheduled, Near-real-time, Microsoft Security, Anomaly, Threat Intelligence.
  • Incidents — aggregated alerts with automated investigation.
  • Automation — Playbooks (Logic Apps) triggered by alerts; auto-triage, notify, remediate.
  • Hunting — proactive KQL queries to search for threats not yet detected by rules.
  • UEBA — User and Entity Behavior Analytics; baseline and detect abnormal behaviour.
  • Threat Intelligence — import IOCs (Indicators of Compromise); match against log data.

Azure Monitor security use cases

```kql
// Detect mass resource deletions: more than 10 successful deletes by one caller in an hour
AzureActivity
| where OperationNameValue contains "DELETE"
| where ActivityStatusValue == "Succeeded"
| summarize count() by Caller, bin(TimeGenerated, 1h)
| where count_ > 10
```

```kql
// Failed login attempts: accounts with more than 10 failed sign-ins
SigninLogs
| where ResultType != "0"  // non-zero = failure
| summarize failures = count() by UserPrincipalName
| where failures > 10
| order by failures desc
```

Study Plan (8–10 Weeks)

| Weeks | Focus |
|---|---|
| 1–2 | Entra ID security — Conditional Access, PIM, Identity Protection |
| 3 | Network security — NSG, Azure Firewall, WAF, Private Endpoints |
| 4 | Compute security — JIT, Bastion, Disk Encryption, Defender for Servers |
| 5 | Storage + database security — Key Vault, SAS, Defender for SQL |
| 6 | Defender for Cloud — Secure Score, workload protections, recommendations |
| 7 | Microsoft Sentinel — data connectors, analytics rules, playbooks, hunting |
| 8 | KQL for security queries + monitor/audit labs |
| 9–10 | Full practice exams + weak area review |

Key Resources

| Resource | Notes |
|---|---|
| Microsoft Learn AZ-500 | Free official learning path |
| Thomas Maurer / John Savill | Free YouTube study guides |
| Pluralsight AZ-500 | Structured video course |
| Tutorials Dojo AZ-500 | Practice exams |
| Microsoft Security Documentation | Deep dives on each service |

Common Exam Traps

  • Conditional Access vs MFA per-user — always prefer Conditional Access (policy-based, flexible). Per-user MFA is legacy.
  • PIM eligible vs active — eligible = JIT (not always on). Active = permanent. Exam asks which reduces attack surface.
  • Azure Firewall vs NSG — NSG is subnet/NIC level, Layer 4 only. Azure Firewall is centralized, Layer 3–7, with FQDN rules.
  • Private Endpoint vs Service Endpoint — Private Endpoint gives the service a private IP in your VNet. Service Endpoint routes traffic over Azure backbone but the service keeps its public endpoint.
  • Defender for Cloud vs Sentinel — Defender = posture management + workload protection. Sentinel = SIEM for threat detection, investigation, and response.