You Can Pass This Exam For Free
Choose Your Study Path
If you have limited Azure or cloud security experience, build foundational knowledge in Azure services, identity, and networking before tackling AI security.
Exam Overview
Format
40-60 questions, 120 minutes. Multiple choice, drag-and-drop, and case study questions.
Scoring
Scaled score 100-1000. Passing: 700. No penalty for wrong answers -- always guess if unsure.
Domains & Weights
- Manage Identity, Access, and Governance: 22%
- Secure Storage, Databases, and Networking: 28%
- Secure Compute: 25%
- Manage and Monitor Security Posture: 25%
Registration
$165 USD, payable at registration. Available at Pearson VUE testing centers or online proctored from home. The beta exam was released May 2026.
Topic Priority Table
Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.
Manage Identity, Access, and Governance
This domain covers securing access using Microsoft Entra ID (conditional access, PIM, MFA, managed identities), managing secrets with Azure Key Vault, and enforcing governance through Azure Policy, RBAC, and compliance controls. Identity is the foundation of Zero Trust architecture and underpins all other security domains.
Key Topics
Must-Know Concepts
- PIM: eligible vs active role assignments, activation workflows, approval requirements, access reviews, and time-bound assignments
- Conditional access: policy components (assignments, conditions, grant controls, session controls), named locations, device compliance, and risk-based policies
- Authentication methods: MFA configuration, passwordless options (FIDO2, Windows Hello, Microsoft Authenticator), and authentication strength policies
- Application identity: enterprise app registration, OAuth permission grants, consent settings (user vs admin consent), and API permissions
- Managed identities: system-assigned vs user-assigned, when to use each, and how they authenticate to Azure services without credentials
- Key Vault: deployment, access policies vs RBAC, firewall and VNet rules, key/secret/certificate lifecycle management, and Defender for Key Vault alerts
- Azure Policy: built-in vs custom policy definitions, policy initiatives, effects (deny, audit, append, deployIfNotExists), remediation tasks, and exemptions
- RBAC: built-in roles vs custom roles (Azure and Entra), role assignment scope (management group, subscription, resource group, resource), and least privilege
- Resource locks: CanNotDelete vs ReadOnly, inheritance, and how they interact with RBAC permissions
- Infrastructure as code security: securing ARM templates, Bicep, and Terraform deployments with policy and RBAC
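Azure Policy effects in practice, as an added example (not code from this page or from Microsoft): a small evaluator for the policyRule language (allOf/anyOf/not, equals/notEquals/exists/in) run against three constructed definitions in the shape of the built-in ones, showing that a matching deny rejects the request while a matching audit lets it through and only records a finding. The alias-to-property lookup and the missing-field behaviour are simplifications of the real engine; policy names, the location list and the resource documents are made up.

```python
"""Mini evaluator for the Azure Policy rule language, as an added example.

This is not Azure's policy engine. It implements the logical operators
(allOf / anyOf / not) and a subset of field conditions (equals, notEquals,
exists, in) over a simplified resource document, so the difference between
the deny effect (request rejected) and the audit effect (request allowed,
non-compliance recorded) is visible end to end.
"""


def resolve_field(resource, field):
    """Resolve a policy 'field' against a resource document.

    Handles type/name/location, tags[<name>], and aliases written as
    '<resourceType>/<property>' by reading properties.<property>.
    Assumption: real aliases also address nested paths and arrays; this
    helper covers the flat case only, and a missing property yields None.
    """
    if field in ("type", "name", "location"):
        return resource.get(field)
    if field.startswith("tags[") and field.endswith("]"):
        return resource.get("tags", {}).get(field[5:-1])
    rtype = resource.get("type", "")
    if rtype and field.lower().startswith(rtype.lower() + "/"):
        return resource.get("properties", {}).get(field[len(rtype) + 1:])
    return None


def _norm(value):
    """Policy string comparisons are case-insensitive; booleans are compared
    through their string form so 'false' and False agree."""
    if isinstance(value, bool):
        return str(value).lower()
    return value.lower() if isinstance(value, str) else value


def eval_condition(cond, resource):
    if "allOf" in cond:
        return all(eval_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(eval_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not eval_condition(cond["not"], resource)
    value = resolve_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (_norm(cond["exists"]) == "true")
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(value) != _norm(cond["notEquals"])
    if "in" in cond:
        return _norm(value) in [_norm(v) for v in cond["in"]]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policies, resource):
    """Return (allowed, findings) for a create/update request.

    deny blocks the request; audit lets it through but records a finding.
    Other effects (append, modify, deployIfNotExists, ...) are not modelled
    here and are rejected loudly rather than silently ignored.
    """
    allowed, findings = True, []
    for policy in policies:
        rule = policy["policyRule"]
        if not eval_condition(rule["if"], resource):
            continue
        effect = rule["then"]["effect"].lower()
        if effect not in ("deny", "audit"):
            raise ValueError(f"{policy['name']}: effect {effect} not modelled")
        findings.append((policy["name"], effect))
        if effect == "deny":
            allowed = False
    return allowed, findings


# Three constructed definitions in the shape of the built-in ones.
POLICIES = [
    {"name": "deny-public-blob-access",
     "policyRule": {"if": {"allOf": [
         {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
         {"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
          "notEquals": "false"}]},
         "then": {"effect": "deny"}}},
    {"name": "allowed-locations",
     "policyRule": {"if": {"not": {"field": "location",
                                   "in": ["westeurope", "northeurope"]}},
                    "then": {"effect": "deny"}}},
    {"name": "audit-missing-owner-tag",
     "policyRule": {"if": {"field": "tags[owner]", "exists": "false"},
                    "then": {"effect": "audit"}}},
]


def check(resource):
    """Evaluate one resource document against the constructed policy set."""
    return evaluate(POLICIES, resource)


if __name__ == "__main__":
    print(check({"type": "Microsoft.Storage/storageAccounts", "name": "stpub",
                 "location": "westeurope", "tags": {"owner": "sec"},
                 "properties": {"allowBlobPublicAccess": True}}))
```

The exam point this makes concrete: a deny effect is evaluated before the resource is written, so the request fails; an audit effect never stops anything and shows up only as a non-compliant resource in the compliance view.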
Common Exam Traps
Secure Storage, Databases, and Networking
The heaviest domain at 28%. Covers securing Azure Storage accounts, Azure SQL databases, and the full range of Azure networking security services including NSGs, Azure Firewall, Private Link, VPN, Virtual WAN, and Entra Private Access. Master network security fundamentals and database protection or you will struggle on nearly a third of the exam.
Key Topics
Must-Know Concepts
- Storage account security: shared access signatures (SAS), stored access policies, storage firewalls, service endpoints, private endpoints, and Microsoft Entra authorization
- Defender for Storage: threat protection configurations including malware scanning, sensitive data detection, and anomalous access alerts
- Azure SQL platform-level security: server-level firewall rules, VNet service endpoints, private endpoints, Microsoft Entra authentication, and transparent data encryption (TDE)
- Database auditing for Azure SQL Database and Azure SQL Managed Instance: configuring audit logs to storage, Log Analytics, or Event Hubs
- Defender for Databases: protection across Azure SQL, Cosmos DB, PostgreSQL, MySQL, and MariaDB with vulnerability assessment and threat detection
- NSG and ASG: inbound/outbound rules, priority-based evaluation, ASG for logical grouping, and effective security rules analysis using Network Watcher
- Azure Virtual Network Manager: centralized network access policies, connectivity configurations, and security admin rules across multiple VNets
- Azure Virtual WAN: secure hub configuration, routing, integrated firewall, and branch connectivity security
- VPN connections: site-to-site, point-to-site, and VNet-to-VNet configurations with IPsec/IKE security policies
- Microsoft Entra Private Access: ZTNA replacement for VPN using identity-based policies for private resource access
- Private endpoints and Private Link: securing PaaS resources with private network connectivity and Private Link services for custom services
- Azure Firewall: deployment modes, rule types (application, network, DNAT), threat intelligence, and DNS proxy configuration
- Network Watcher: NSG flow logs, connection troubleshoot, effective security rules, and IP flow verify diagnostics
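Shared access signatures and stored access policies, as an added example (not Microsoft SDK code and not from this page): it computes a blob service SAS signature from the string-to-sign layout documented for SAS version 2020-12-06, then plays the storage service's side to show the point the exam leans on. An ad hoc SAS signed directly with the account key stays valid until its expiry and can only be killed by rotating the key; a SAS bound to a stored access policy is revoked the moment the policy is deleted. The account name, container, key bytes and policy table are constructed, and the string-to-sign layout is an assumption to check against the current REST reference before reuse.

```python
"""Blob service SAS signing and verification, as an added example.

Not Microsoft SDK code. The string-to-sign follows the layout documented for
service SAS version 2020-12-06 (assumption: verify against the current REST
reference before reuse). The verifier plays the storage service's side so
the revocation behaviour of ad hoc vs policy-bound tokens is visible.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2020-12-06"
TS = "%Y-%m-%dT%H:%M:%SZ"


def _signature(key_b64, canonical, f):
    """HMAC-SHA256 over the 16-field string-to-sign, keyed with the raw account key."""
    string_to_sign = "\n".join([
        f.get("sp", ""), f.get("st", ""), f.get("se", ""), canonical,
        f.get("si", ""), f.get("sip", ""), f.get("spr", ""),
        f.get("sv", ""), f.get("sr", ""),
        "", "",                  # signedSnapshotTime, signedEncryptionScope
        "", "", "", "", "",      # rscc, rscd, rsce, rscl, rsct (response header overrides)
    ])
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def sign_service_sas(key_b64, account, container, blob, permissions="",
                     expiry=None, identifier=""):
    """Return the SAS query string for one blob.

    With identifier set (a stored access policy name) permissions and expiry
    are omitted and come from the policy at request time, which is what makes
    that token revocable without touching the key.
    """
    f = {"sp": permissions, "st": "", "se": expiry.strftime(TS) if expiry else "",
         "si": identifier, "sip": "", "spr": "https", "sv": SAS_VERSION, "sr": "b"}
    f["sig"] = _signature(key_b64, f"/blob/{account}/{container}/{blob}", f)
    return urlencode({k: v for k, v in f.items() if v})


def verify_service_sas(token, key_b64, account, container, blob, policies, now):
    """Service-side check: signature first, then policy lookup, then the window."""
    q = {k: v[0] for k, v in parse_qs(token).items()}
    canonical = f"/blob/{account}/{container}/{blob}"
    if not hmac.compare_digest(q.get("sig", ""), _signature(key_b64, canonical, q)):
        return False, "signature mismatch (token altered or account key rotated)"
    perms, expiry = q.get("sp", ""), q.get("se", "")
    if q.get("si"):
        policy = policies.get(q["si"])
        if policy is None:
            return False, "stored access policy deleted: token revoked"
        perms, expiry = policy["permissions"], policy["expiry"].strftime(TS)
    if not expiry or now > datetime.strptime(expiry, TS).replace(tzinfo=timezone.utc):
        return False, "expired"
    return True, f"granted permissions={perms}"


def demo():
    """Walk through revocation of both token kinds; every value is constructed."""
    acct, ctr, blob = "contosodata", "reports", "q2.pdf"
    key = base64.b64encode(b"\x11" * 64).decode()        # toy 512-bit account key
    now = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)
    policies = {"readers-q2": {"permissions": "r", "expiry": now + timedelta(days=30)}}

    adhoc = sign_service_sas(key, acct, ctr, blob, "r", expiry=now + timedelta(days=365))
    bound = sign_service_sas(key, acct, ctr, blob, identifier="readers-q2")

    def chk(tok, k):
        return verify_service_sas(tok, k, acct, ctr, blob, policies, now)[0]

    out = {"adhoc": chk(adhoc, key), "bound": chk(bound, key),
           "tampered": chk(adhoc.replace("sp=r&", "sp=rw&"), key)}
    del policies["readers-q2"]                            # revoke by deleting the policy
    out["bound_after_policy_delete"] = chk(bound, key)
    out["adhoc_after_policy_delete"] = chk(adhoc, key)    # still valid
    new_key = base64.b64encode(b"\x22" * 64).decode()     # rotate key1
    out["adhoc_after_key_rotation"] = chk(adhoc, new_key)
    return out
```

The design choice worth remembering: a SAS carries no server-side state, so the only things the service can check are the signature and whatever the token or its stored access policy says. That is why long-lived ad hoc SAS tokens are an exam trap, and why a SAS minted from a stored access policy is the revocable option.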
Common Exam Traps
Secure Compute
This domain covers three major areas: AI security (the SC-500 differentiator), server and VM protection, and application platform security. AI security is the primary new content area compared to AZ-500 and includes Entra Agent ID, Purview DSPM for AI, Copilot Studio protection, Defender for AI, and Foundry guardrails. Expect significant AI security coverage despite the modest domain weight.
Key Topics
Must-Know Concepts
- AI security: identify data overexposure in SharePoint used by Copilot, identify risks from Copilot and AI apps using Purview DSPM, and configure data protection policies
- Copilot Studio: enable and configure real-time protection for Copilot Studio agents to detect and prevent security threats during agent operation
- Entra Agent ID: implement conditional access policies for AI agents, analyze blast radius for agent security risks using Defender XDR, and manage agent access
- AI Gateway: configure and deploy AI Gateway in Azure API Management for Microsoft Foundry with token limits, rate limiting, and cost controls
- Defender for AI Service: enable in Cloud Workload Protection, monitor AI security using the Data and AI security dashboard in Defender for Cloud
- Foundry guardrails: configure guardrails for agent security in Microsoft Foundry to constrain agent behavior and outputs
- Agent management: manage agents in Microsoft 365 admin center for enterprise governance
- Disk encryption: Azure Disk Encryption (ADE) using BitLocker on Windows or dm-crypt on Linux, server-side encryption (SSE) with platform-managed or customer-managed keys
- Azure Bastion: secure RDP/SSH without public IPs, deployment in VNet, and SKU selection
- JIT VM access: time-limited NSG rule creation, approval workflows, and Defender for Servers requirement
- Azure Arc: onboarding hybrid and multi-cloud servers, extending security controls, and Defender for Servers integration
- Defender for Servers: onboarding, vulnerability scanning, EDR integration, agentless scanning, and security configuration with Machine Configuration
- VM security features: secure boot, virtual TPM (vTPM), integrity monitoring, and trusted launch security type
- Defender for Containers: runtime risk detection, image vulnerability scanning, and Kubernetes policy enforcement
- AKS security: network policies, pod security, Microsoft Entra ID integration, and secrets management
- Container security: Azure Container Registry scanning, Container Instances isolation, Container Apps security
- App Service and Functions: authentication, network access restrictions, managed identity integration
- Azure Logic Apps: security controls for workflow automation including managed identity auth, network isolation, and access control
- WAF: deployment with Application Gateway, Front Door, or CDN for web application protection
- API Management: security policies for backend API protection, rate limiting, and authentication
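NSG priority evaluation and JIT VM access together, as an added example (not Azure code and not from this page). It serves both the NSG and Network Watcher items in the networking domain above and the JIT VM access item in this domain: inbound rules are sorted by priority (lowest number wins, first match decides, default rules at 65000/65001/65500), and a JIT request is modelled as a time-limited allow rule for one requester IP and port inserted above the standing deny and skipped once it expires. The service-tag ranges, the JIT rule name, the IPs and the times are constructed.

```python
"""NSG inbound evaluation plus a JIT-style temporary rule, as an added example.

Not Azure code. It models what Network Watcher's IP flow verify reports for an
inbound flow and what Defender for Cloud JIT VM access does to the NSG: add a
time-limited allow rule for one requester IP and port at a higher priority
than the standing deny, then remove it at expiry.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    priority: int                        # 100-4096 for custom rules, 65000+ for defaults
    access: str                          # "Allow" or "Deny"
    protocol: str                        # "Tcp", "Udp" or "*"
    source: str                          # CIDR, "*" or a service tag from TAG_PREFIXES
    dest_ports: str                      # "3389", "22-23" or "*"
    expires: Optional[datetime] = None   # set only on JIT rules


# Assumed stand-ins for service tags (real tags resolve to Microsoft-published ranges).
TAG_PREFIXES = {
    "VirtualNetwork": ["10.0.0.0/8"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}

DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def _source_matches(spec, ip):
    if spec == "*":
        return True
    if spec == "Internet":               # assumption: everything outside the VNet space
        return not _source_matches("VirtualNetwork", ip)
    return any(ip_address(ip) in ip_network(p, strict=False)
               for p in TAG_PREFIXES.get(spec, [spec]))


def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate_inbound(rules, src_ip, protocol, dst_port, now):
    """Return (access, rule_name), as IP flow verify would.
    Expired JIT rules are skipped, standing in for Defender deleting them."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.expires is not None and now >= r.expires:
            continue
        if r.protocol not in ("*", protocol):
            continue
        if _source_matches(r.source, src_ip) and _port_matches(r.dest_ports, dst_port):
            return r.access, r.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


def jit_rule(requester_ip, port, now, hours=3, priority=100):
    """The temporary allow rule a JIT request produces (rule name is hypothetical)."""
    return Rule(f"JIT-Allow-{port}-{requester_ip}", priority, "Allow", "Tcp",
                f"{requester_ip}/32", str(port), expires=now + timedelta(hours=hours))


def demo():
    """Same RDP flow before, during and after a 3-hour JIT window; values constructed."""
    now = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)
    admin_ip = "203.0.113.10"                               # TEST-NET-3, constructed
    nsg = [Rule("DenyRdpFromInternet", 4000, "Deny", "Tcp", "Internet", "3389")]
    out = {"before_request": evaluate_inbound(nsg, admin_ip, "Tcp", 3389, now)}
    nsg.append(jit_rule(admin_ip, 3389, now))               # request approved for 3 hours
    later = now + timedelta(hours=1)
    out["during_window"] = evaluate_inbound(nsg, admin_ip, "Tcp", 3389, later)
    out["other_ip_during_window"] = evaluate_inbound(nsg, "198.51.100.7", "Tcp", 3389, later)
    out["after_expiry"] = evaluate_inbound(nsg, admin_ip, "Tcp", 3389, now + timedelta(hours=3))
    out["from_vnet"] = evaluate_inbound(nsg, "10.0.1.4", "Tcp", 3389, later)
    return out
```

Two things the walkthrough makes visible: the JIT rule only helps the IP that requested it, because its source is a /32 rather than the Internet tag, and a flow from inside the VNet is never touched by the Internet deny and falls through to AllowVnetInBound, which is why "all inbound is blocked" is a frequent wrong answer about default NSG behaviour.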
Common Exam Traps
Manage and Monitor Security Posture
This domain covers proactive security posture management with Defender for Cloud, threat detection and response with Microsoft Sentinel, and AI-powered investigation with Security Copilot. Includes multi-cloud integration (AWS and GCP), external attack surface management, and the full Sentinel data pipeline from ingestion through automation.
Key Topics
Must-Know Concepts
- Defender CSPM: identify security risks, attack path analysis, cloud security graph, compliance evaluation against security frameworks, and security recommendations
- Defender for Cloud workload protection plans: enabling and configuring plans for Servers, Containers, Storage, Databases, Key Vault, AI, and App Services
- Multi-cloud integration: connecting AWS and GCP environments to Defender for Cloud using connectors, extending CSPM and threat protection to non-Azure clouds
- Defender Vulnerability Management: configuring vulnerability scanning for Azure VMs, prioritizing vulnerabilities by severity and exploitability
- Defender EASM: discovering unprotected external-facing assets, mapping the attack surface, and identifying shadow IT resources
- Microsoft Sentinel workspace: creation, role assignments (Sentinel Reader, Responder, Contributor), and workspace architecture decisions
- Sentinel content hub: installing and using packaged solutions for specific data sources and threat scenarios
- Data connectors: configuring Microsoft data connectors for Azure resources, syslog and CEF event collection, and Windows Security event collection using data collection rules (DCR)
- Custom log tables: creating custom tables in the Log Analytics workspace for ingesting non-standard data sources
- Sentinel automation: automation rules for incident handling and playbooks (Logic Apps) for response orchestration
- Data retention: configuring retention policies for different data tables in Sentinel
- Purview Audit: querying Microsoft Purview Audit logs in Defender XDR for compliance and investigation
- Security Copilot: configuring workspaces, managing permissions and roles, enabling and configuring plugins, and deploying Microsoft agents and Security Store agents
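CEF event collection, as an added example (not Microsoft's connector code and not from this page): a parser for the CEF lines the syslog/CEF data connector ingests, handling the seven pipe-delimited header fields with backslash escaping, the key=value extension where values may contain spaces and escaped '=' and newlines, and a mapping of the common extension keys onto CommonSecurityLog column names. The two log lines are constructed, and the column mapping is a subset of what the connector applies.

```python
"""CEF parser in the shape of the Sentinel CommonSecurityLog table, as an added example.

Not Microsoft code. It parses the seven pipe-delimited header fields (CEF
escapes a literal pipe and a literal backslash with a backslash), then the
key=value extension (values may contain spaces; an equals sign and newlines
inside values are backslash-escaped), and maps the most common extension keys
onto CommonSecurityLog column names.
"""
import re

HEADER = ["CEFVersion", "DeviceVendor", "DeviceProduct", "DeviceVersion",
          "DeviceEventClassID", "Activity", "LogSeverity"]

# Subset of the CEF key -> CommonSecurityLog column mapping the connector applies.
COLUMN_MAP = {"src": "SourceIP", "spt": "SourcePort", "dst": "DestinationIP",
              "dpt": "DestinationPort", "proto": "Protocol", "act": "DeviceAction",
              "suser": "SourceUserName", "request": "RequestURL", "msg": "Message"}

_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_header(body):
    """Split the text after 'CEF:' on unescaped '|' into 7 fields + extension."""
    fields, cur, i = [], [], 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):          # escaped '|' or backslash
            cur.append(body[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
            if len(fields) == len(HEADER):
                return fields, body[i + 1:]
            i += 1
            continue
        cur.append(c)
        i += 1
    raise ValueError("CEF header is missing fields")


def _unescape(value):
    """Undo extension escaping: \\= \\\\ \\n \\r."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext):
    """Keys start at the beginning or after whitespace; a value runs to the next key."""
    keys = list(_KEY.finditer(ext))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_cef(line):
    """Parse one syslog-wrapped or bare CEF line into a CommonSecurityLog-style dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    fields, ext = _split_header(line[start + 4:])
    record = dict(zip(HEADER, fields))
    for key, value in _parse_extension(ext).items():
        record[COLUMN_MAP.get(key, key)] = value     # unmapped keys keep their CEF name
    return record


SAMPLE_LINES = [   # constructed, not captured traffic
    r"<134>Jun  1 09:00:01 fw01 CEF:0|Palo Alto Networks|PAN-OS|10.2|TRAFFIC|deny|5|"
    r"src=203.0.113.10 dst=10.0.1.4 spt=51522 dpt=3389 proto=TCP act=deny "
    r"msg=RDP from internet blocked by rule\=DenyRdp",
    r"<134>Jun  1 09:00:02 proxy01 CEF:0|Contoso|Edge Proxy|1.0|100|URL block \| quarantined|7|"
    r"src=198.51.100.7 dst=10.0.2.9 dpt=443 suser=j.doe request=https://example.test/path?a\=1 "
    r"msg=Line1\nLine2",
]


def parse_samples():
    """Parse the constructed lines; the result is what a DCR transform would receive."""
    return [parse_cef(line) for line in SAMPLE_LINES]
```

The escaping rules are where home-grown parsers usually break: splitting the header on every '|' mangles the second sample's Activity field, and splitting the extension on spaces splits the Message value. Both cases are in the constructed lines so the parser can be checked against them.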
Common Exam Traps
Services and Concepts You Must Not Confuse
These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.
Top Mistakes to Avoid
Exam-Ready Checklist
Recommended Resources
Free & Official Resources
Paid Courses & Practice Exams
These are recommended if you prefer a structured learning path. They can save time but are not required to pass.