Microsoft · AZ-500
Validates expertise in implementing, managing, and monitoring security for Azure, multi-cloud, and hybrid environments, including identity and access, networking, compute, storage, and data security.
Questions
469
Duration
100 minutes
Passing Score
700/1000
Difficulty
AssociateLast Updated
Jan 2025
Use this AZ-500 practice exam to prepare for Microsoft Certified: Azure Security Engineer Associate (AZ-500) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 469 questions for Microsoft AZ-500, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to recurring topics such as Identity and Access, Network Security, Compute and Storage Security, Microsoft Defender for Cloud, and Microsoft Sentinel. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The Microsoft Certified: Azure Security Engineer Associate (AZ-500) validates expertise in implementing, managing, and monitoring security for resources across Azure, multi-cloud, and hybrid environments. Holders of this credential demonstrate the ability to maintain an organization's security posture, implement threat protection, and identify and remediate security vulnerabilities across the full Azure infrastructure stack—including identity and access, networking, compute, storage, data, applications, asset management, backup and recovery, and DevOps security.
The exam was last updated on January 22, 2026, and reflects current Azure security capabilities including Microsoft Defender for Cloud, Microsoft Sentinel, Microsoft Entra ID (formerly Azure AD), Azure Key Vault, Azure Firewall, and a broad range of network security services. Candidates are expected to ensure infrastructure aligns with standards and best practices such as the Microsoft Cloud Security Benchmark (MCSB), and to connect multi-cloud environments—including AWS and GCP—to Defender for Cloud. This is an intermediate-level, role-based Microsoft certification requiring annual renewal through a free online assessment on Microsoft Learn.
This certification is designed for security engineers and cloud security professionals who implement security controls as part of an end-to-end infrastructure. Relevant job titles include Azure Security Engineer, Cloud Security Engineer, Information Security Analyst, Security Operations Engineer, and Security Architect. Candidates typically work alongside cloud architects, administrators, and developers to plan and implement solutions that meet security and compliance requirements, and may also collaborate with security operations teams in responding to Azure security incidents.
The ideal candidate has hands-on experience administering Microsoft Azure and hybrid environments, and strong familiarity with Microsoft Entra ID as well as Azure compute, networking, and storage services. This certification is well-suited to professionals who already hold the AZ-104 (Azure Administrator Associate) or have equivalent practical experience and are looking to specialize in cloud security.
Microsoft does not impose formal prerequisites for AZ-500, but the exam assumes substantial practical experience. Candidates should have working knowledge of Microsoft Azure administration, including experience managing virtual machines, virtual networks, storage accounts, and identity services. Strong familiarity with Microsoft Entra ID—including role assignments, Conditional Access, and app registrations—is essential.
Recommended preparation includes experience with or knowledge of network security concepts (NSGs, firewalls, VPNs), identity and access management (IAM), and security monitoring tools. Holding or having studied for AZ-104: Microsoft Azure Administrator Associate is a commonly recommended stepping stone. Familiarity with regulatory compliance frameworks and the Microsoft Cloud Security Benchmark (MCSB) will also be beneficial, as these concepts appear throughout the exam domains.
AZ-500 is a proctored exam administered through Pearson VUE, available at authorized testing centers or via online proctoring. Candidates have 100 minutes to complete the assessment. The exam may include interactive lab components in addition to traditional question types such as multiple choice, case studies, drag-and-drop, and scenario-based items. Microsoft does not publish the exact number of questions, as this varies between exam versions.
A passing score of 700 out of 1000 is required. Scoring is scaled and not a simple percentage. The exam is available in English, Japanese, Chinese (Simplified and Traditional), Korean, German, French, Spanish, Portuguese (Brazil), and Italian. Candidates who fail may retake after 24 hours; subsequent retakes require a 14-day waiting period, with a maximum of five attempts within a 12-month period. The certification is valid for one year and can be renewed at no cost via a free online renewal assessment on Microsoft Learn.
The AZ-500 certification positions professionals for dedicated cloud security roles in organizations running Azure or hybrid infrastructures. Common job titles held by AZ-500 certified professionals include Azure Security Engineer, Cloud Security Engineer, Security Architect, and Information Security Manager. According to ZipRecruiter (February 2026), Azure Security Engineers in the United States earn average annual salaries of approximately $146,000–$165,000, with top earners in the 90th percentile exceeding $210,000. Salaries are highest in high-demand markets such as Washington D.C., California, Massachusetts, and Washington State.
The credential is well-positioned in the job market as organizations accelerate cloud adoption and face increasing regulatory pressure around data security and compliance. The AZ-500 is a natural complement to the AZ-104 (Azure Administrator Associate) and serves as a foundation for pursuing higher-level credentials such as the SC-100 (Microsoft Cybersecurity Architect Expert). Compared to vendor-neutral security certifications, the AZ-500 provides deep, platform-specific expertise that is directly applicable to Azure-heavy enterprise environments, making it particularly valuable for professionals targeting Microsoft ecosystem organizations.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 469 questions.
Preview — answers shown1. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. You are designing a critical application that must remain available even if a single data center within an Azure region fails. You plan to deploy multiple virtual machine instances. Solution: You deploy two or more virtual machines across two or more Availability Zones in the same Azure region. Does this meet the goal?
Explanation
Yes, this solution meets the goal. Availability Zones are physically separate locations within an Azure region. Deploying VMs across multiple zones is the recommended strategy to protect against data center-level failures and ensures high availability with a 99.99% SLA.
2. An architect is designing a network using a hub-and-spoke topology with Azure Firewall in the hub VNet. They want to protect all the workloads in the spoke VNets from DDoS attacks. What is the recommended best practice for deploying DDoS Network Protection?
Explanation
In a hub-and-spoke model where all traffic is forced through a central Azure Firewall, the best practice is to attach a single DDoS Network Protection plan to the hub VNet. This protects the public IP of the firewall, which is the single entry point for all traffic, thereby protecting all the downstream spoke resources in a centralized and cost-effective manner. While Azure Firewall is highly secure, DDoS Network Protection is a separate, specialized service that provides protection against large-scale volumetric attacks.
3. A web app needs to access a database server located in your company's on-premises data center. The connection must be secure and must not require opening up your corporate firewall to public IP addresses. Which App Service connectivity feature establishes a secure point-to-point TCP tunnel to the on-premises resource?
Explanation
A hybrid connection is designed for this scenario. It creates a secure TCP tunnel from the App Service to a specific endpoint in an on-premises network via a relay agent. This allows the web app to access the on-premises resource without exposing the on-premises network to the internet.
4. An Azure Policy has been assigned to a subscription. This policy uses the 'deployIfNotExists' effect to automatically deploy a specific VM extension to any non-compliant virtual machines. A compliance administrator, 'Admin1', needs the ability to trigger the remediation tasks for this policy assignment. To follow the principle of least privilege, which Azure RBAC role should be assigned to Admin1?
Explanation
The Resource Policy Contributor role includes the specific permissions required to manage resource policies and trigger remediation tasks, making it the perfect choice for this scenario under the principle of least privilege. The Owner and Contributor roles would also work, but they grant far too many permissions beyond policy management, such as the ability to create and delete any resource. The Compliance Administrator is a Microsoft Entra role, not an Azure RBAC role, and it is used for managing compliance within Microsoft 365 services, not for Azure Policy remediation.
5. A small startup, 'Appify', is deploying a new mobile app backend. They want to protect it against the most common web vulnerabilities listed in the OWASP Top 10. Which Azure WAF feature provides the quickest and most comprehensive way to get this protection?
Explanation
Enabling the managed Core Rule Set (CRS) is the most efficient solution. This rule set is based on the OWASP Top 10 and is managed and updated by Microsoft. By simply enabling it, Appify gets immediate, broad protection against a wide range of common vulnerabilities without having to become security experts and write complex rules themselves. Creating custom rules from scratch is time-consuming and requires deep security knowledge. A custom response page determines what blocked users see, it does not provide protection. Logging records events but does not prevent attacks.
Microsoft Dynamics 365 Supply Chain Management Functional Consultant Expert (MB-335)
MB-335 · 2039 questions
Microsoft Dynamics 365 Business Central Functional Consultant (MB-800)
MB-800 · 1899 questions
Microsoft Certified: Azure AI Engineer Associate (AI-102)
AI-102 · 1392 questions
Microsoft Certified: Windows Server Hybrid Administrator Associate (AZ-801)
AZ-801 · 1376 questions
Microsoft Dynamics 365 Finance Functional Consultant (MB-310)
MB-310 · 1299 questions
Microsoft 365 Certified: Fundamentals (MS-900)
MS-900 · 1201 questions
$17.99
One-time access to this exam