AZ-500 Study Guide

I recently passed the AZ-500: Azure Security Engineer Associate certification, and thought that now that most of the world is under some level of COVID-19 related quarantine, what better way to spend one's time than study for a certification test?This study guide aims to help with that process.

In this guide you will find the current (as of 24.5.2020) learning objectives of the exam, with at least a single link to a relevant piece of the Azure Documentation or other related resource to learn about the specific objective.

What is AZ-500? Who should take it?

According to Microsoft themselves:

The candidates for this exam are Microsoft Azure security engineers who implement security controls, maintain the security posture, manage identity and access, and protect data, applications, and networks. Candidates identify and remediate vulnerabilities by using a variety of security tools, implement threat protection, and respond to security incident escalations. As a Microsoft Azure security engineer, candidates often serve as part of a larger team dedicated to cloud-based management and security and may also secure hybrid environments as part of an end-to-end infrastructure.

If you identify with that description at all, perhaps take a look at the official site for Microsoft about the exam below.

Exam AZ-500: Microsoft Azure Security Technologies - Learn

Exam AZ-500: Microsoft Azure Security Technologies

Microsoft Docskrsanty

Skills measured

NOTE: The exams do NOT cover any services that are in preview at the time you are taking it.

Manage identity and access (20-25%)

Configure Azure Active Directory for workloads

Good set of labs

• create App Registration
• configure App Registration permission scopes (theory)
• manage App Registration permission consent (theory)
• configure Multi-Factor Authentication settings
• manage Azure AD directory groups
• manage Azure AD users
• install and configure Azure AD Connect
• configure authentication methods
• implement Conditional Access policies
• configure Azure AD identity protection (and this)

Configure Azure AD Privileged Identity Management

• monitor privileged access
• configure Access Reviews
• activate Privileged Identity Management

Configure Azure tenant security

• transfer Azure subscriptions between Azure AD tenants (also this)
• manage API access to Azure subscriptions and resources (RBAC in general)

Implement platform protection (35-40%)

Implement network security

Good set of labs

• configure virtual network connectivity
• configure Network Security Groups (NSGs)
• create and configure Azure Firewall
• create and configure Azure Front Door service
• create and configure application security groups (good blog)
• configure remote access management
• configure baseline (also security center)
• configure resource firewall

Implement host security

• configure endpoint security within the VM
• configure VM security
• harden VMs in Azure (also CIS)
• configure system updates for VMs in Azure
• configure baseline (also security center)

Configure container security

Good set of labs

• configure network
• configure authentication
• configure container isolation
• configure AKS security (the whole security and auth section is good)
• configure container registry
• implement vulnerability management (also this)

Implement Azure Resource management security

• create Azure resource locks
• manage resource group security
• configure Azure policies (Lab module)
• configure custom RBAC roles (tutorial)
• configure subscription and resource permissions

Manage security operations (15-20%)

Configure security services

Good set of labs

• configure Azure Monitor
• configure diagnostic logging and log retention
• configure vulnerability scanning

Configure security policies

• configure centralized policy management by using Azure Security Center
• configure Just in Time VM access by using Azure Security Center

Manage security alerts

• create and customize alerts
• review and respond to alerts and recommendations
• configure a playbook for a security event by using Azure Sentinel
• investigate escalated security incidents

Secure data and applications (25-30%)

Decent overall labs

Configure security policies to manage data

Relevant pluralsight course

• configure data classification
• configure data retention
• configure data sovereignty

Configure security for data infrastructure

• enable database authentication
• enable database auditing
• configure Azure SQL Database Advanced Threat Protection
• configure access control for storage accounts
• configure key management for storage accounts
• configure Azure AD authentication for Azure Storage
• configure Azure AD Domain Services authentication for Azure Files
• create and manage Shared Access Signatures (SAS)
• configure security for HDInsight
• configure security for Cosmos DB
• configure security for Azure Data Lake

Configure encryption for data at rest

Good set of labs / intro

• implement Azure SQL Database Always Encrypted
• implement database encryption
• implement Storage Service Encryption (Great best practice guide)
• implement disk encryption

Configure application security

• configure SSL/TLS certs
• configure Azure services to protect web apps
• create an application security baseline

Configure and manage Key Vault

• manage access to Key Vault
• manage permissions to secrets, certificates, and keys
• configure RBAC usage in Azure Key Vault
• manage certificates
• manage secrets
• configure key rotation (also this)

And that's it!

Hopefully you will find this guide useful. If you notice any broken links etc. contact me on either the comments below or via twitter.