AZ-500 logo
Focused certification exam prep
Start practice

AZ-500 Certification

TL;DR
  • AZ-500 costs USD 165 with regionalized pricing shown at checkout, no member tiers.
  • Passing requires 700/1000 across 40-60 items in 100 minutes, proctored.
  • Domain 4 (Defender for Cloud and Sentinel) is the largest area at 30-35%.
  • The exam and certification retire August 31, 2026 - after that, it cannot be earned or renewed.

What the AZ-500 Certification Actually Covers

The Microsoft Certified: Azure Security Engineer Associate credential - earned by passing exam AZ-500 - validates that a candidate can implement security controls, maintain an organization's security posture, and identify and remediate vulnerabilities across an Azure environment. It's governed directly by Microsoft Corporation and delivered through Pearson VUE, either at a physical test center or via online proctoring. If you're still mapping out exactly what this credential signals to employers, the deeper explainer at What Is AZ-500 Certification? is worth a companion read, and the naming conventions are unpacked in AZ-500 Meaning.

Unlike entry-level Azure exams, AZ-500 assumes you already operate comfortably inside Azure and hybrid administration. Microsoft doesn't require a formal prerequisite exam, but the skills outline (current version dated January 22, 2026) expects strong familiarity with Microsoft Entra ID, compute resources, networking constructs, and storage services before you sit down at the keyboard.

Positioning Note: AZ-500 sits above the foundational AZ-104 administrator track and is the security-focused counterpart to role-based exams like AZ-104 or AZ-700. It is not a generic "cybersecurity" cert - every question ties back to Azure-native tooling.

Exam Format, Fee, and Registration Mechanics

Microsoft doesn't publish a fixed scored/unscored question split, but candidates typically see 40-60 items across 100 minutes. The format mixes standard multiple-choice with case studies and interactive, lab-style tasks that ask you to configure a setting or drag components into the correct order. A passing score is 700 out of 1000.

One detail that surprises first-time takers: during the exam you get split-pane access to official Microsoft Learn documentation. This isn't a loophole - it mirrors real-world work where engineers reference docs while configuring policies - but it rewards candidates who know exactly where to look rather than those who try to memorize every parameter name. That distinction matters more here than on exams without doc access, and it's a big reason generic test-prep advice falls short for AZ-500 specifically.

The standard fee is USD 165 in the US, with regionalized pricing applied automatically and displayed at checkout - there's no member versus non-member discount structure like some other certification bodies use. For a full breakdown of what you're actually paying for (and any retake cost implications), see AZ-500 Certification Cost 2026: Complete Pricing Breakdown.

AttributeDetail
Governing bodyMicrosoft Corporation
Testing providerPearson VUE (test center or online proctored)
Standard fee (US)USD 165, regionalized at checkout
Question countTypically 40-60 items (not officially fixed)
Time allowed100 minutes
Passing score700 / 1000
Validity12 months, free renewal via Microsoft Learn
Retirement dateAugust 31, 2026

Domain-by-Domain Breakdown

AZ-500 is organized into four domains, and their weighting tells you exactly where to spend study hours. If you want the complete topic-by-topic map, AZ-500 Exam Domains 2026: Complete Guide to All 4 Content Areas goes deeper than any single-page summary can.

Domain 1: Secure identity and access (15-20%)

This domain centers on Microsoft Entra ID - the identity backbone of every other domain. Expect scenario questions on conditional access, privileged identity management, and hybrid identity synchronization.

  • Configure and manage Microsoft Entra ID roles and administrative units
  • Implement Conditional Access policies and Identity Protection risk policies
  • Secure hybrid identity with Entra Connect and pass-through authentication

Domain 2: Secure networking (20-25%)

This is where NSGs, Azure Firewall, and private endpoints collide. Candidates need to reason through layered network security rather than memorize single-service configs.

  • Design and implement network security groups and Azure Firewall rules
  • Secure connectivity with VPN gateways, ExpressRoute, and private endpoints
  • Configure DDoS protection and Web Application Firewall policies

Domain 3: Secure compute, storage, and databases (20-25%)

This domain tests platform-specific hardening - VMs, containers, storage accounts, and database services each have distinct security controls that must be configured correctly, not just recognized.

  • Harden VM configurations and manage endpoint protection
  • Secure storage account access keys, SAS tokens, and encryption at rest
  • Configure database auditing, dynamic data masking, and Always Encrypted

Domain 4: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel (30-35%)

The largest domain by far, and the one most candidates underestimate. It covers cloud security posture management, workload protections, and SIEM/SOAR operations inside Sentinel.

  • Implement and respond to Microsoft Defender for Cloud recommendations
  • Configure Sentinel analytics rules, workbooks, and automation playbooks
  • Investigate incidents and hunt threats using Kusto Query Language

Each domain also has its own dedicated deep-dive if you want to study one area at a time: Domain 1, Domain 2, Domain 3, and Domain 4.

Key Takeaway

Because Domain 4 accounts for nearly a third of the exam, treat Defender for Cloud and Sentinel as first-class study material - not a wrap-up topic you skim the week before test day.

Who Earns the AZ-500 and Why

AZ-500 attracts a specific slice of the IT workforce: cloud administrators moving into security, security analysts adding Azure depth, and dedicated cloud security engineers responsible for governance across subscriptions. Organizations running production workloads in Azure - especially regulated industries like finance, healthcare, and government contracting - use this certification as a hiring filter for roles that touch identity governance, network segmentation, and incident response tooling.

If you're evaluating whether this credential fits your career direction, AZ-500 Jobs outlines the roles that most frequently list it as required or preferred, and AZ-500 Salary Guide 2026: Complete Earnings Analysis discusses how the credential factors into compensation conversations. For a broader cost-versus-benefit view, Is the AZ-500 Certification Worth It? Complete ROI Analysis 2026 weighs the exam fee and study time against career outcomes.

The August 2026 Retirement Timeline

This is the single most time-sensitive fact about AZ-500 right now: the exam and its associated certification retire on August 31, 2026. After that date, it will no longer be possible to earn the credential by passing the exam, and it will also no longer be possible to renew it. This isn't a routine content refresh - it's a hard end date for the credential itself.

What This Means for Planning: If you intend to hold this specific certification, you need to both pass the exam and complete any renewal cycle before the retirement date. Anyone starting preparation now should build a realistic timeline backward from August 31, 2026, factoring in registration lead time and at least one potential retake.

Microsoft typically replaces retiring associate-level exams with updated versions or consolidated role-based credentials, so candidates close to their exam date should move with intention rather than delaying indefinitely.

Renewal and Validity Rules

Once earned, the AZ-500 certification is valid for 12 months. Renewal is free and doesn't require retaking the full proctored exam - instead, Microsoft opens an online, unproctored renewal assessment on Microsoft Learn during the six-month window before your certification expires. This assessment checks that your knowledge has kept pace with any skills-outline updates issued since you last certified.

Given the retirement date above, anyone certifying in the final months before August 31, 2026 should pay close attention to whether a renewal window will even be available, since renewals are also cut off once the certification retires.

Building an AZ-500-Specific Prep Plan

A generic study calendar won't account for AZ-500's lopsided domain weighting or its doc-access exam format. Instead, sequence your preparation around the four domains, weighting time roughly in proportion to their exam share, and finish with domain-specific practice rather than a single generic review pass.

Weeks 1-2

Identity and Access Foundations

  • Build and test Conditional Access policies in a sandbox tenant
  • Practice configuring Privileged Identity Management role activation
Weeks 3-4

Networking and Platform Hardening

  • Configure NSGs, Azure Firewall rules, and private endpoints end-to-end
  • Harden a VM, a storage account, and a SQL database in the same lab
Weeks 5-6

Defender for Cloud and Sentinel

  • Walk through Defender for Cloud recommendations and remediate several
  • Build a Sentinel analytics rule and a basic automation playbook
Week 7

Timed Practice and Doc-Access Rehearsal

  • Run full-length timed practice sessions under the 100-minute limit
  • Rehearse locating answers quickly inside Microsoft Learn's docs

For a more complete walkthrough of how to sequence resources, labs, and review cycles, AZ-500 Study Guide 2026: How to Pass on Your First Attempt expands on this structure in detail. And if you're still calibrating how much effort this exam actually demands compared to other Azure certifications, How Hard Is the AZ-500 Exam? Complete Difficulty Guide 2026 and AZ-500 Pass Rate 2026: What the Data Shows both offer useful context before you lock in a test date.

Practice Under Real Conditions: Because AZ-500 mixes case studies with interactive lab-style items, timed practice tests on our practice test platform are far more useful than flashcards alone - they train you to manage the 100-minute clock across mixed question formats.

Formal training resources can also accelerate the process, particularly for candidates without daily hands-on Azure security work. AZ-500 Training covers structured course options if self-directed study alone feels insufficient for Domain 4's breadth.

Frequently Asked Questions

Is there a prerequisite exam required before taking AZ-500?

No. There's no formal prerequisite exam, but Microsoft recommends practical Azure and hybrid administration experience plus strong familiarity with Microsoft Entra ID, compute, networking, and storage before attempting AZ-500.

Can I still register for AZ-500 after its retirement date?

No. The exam and certification retire on August 31, 2026. After that date it cannot be earned through the exam or renewed, so registration should happen well before then.

How many questions are on the AZ-500 exam?

Microsoft does not publish a fixed scored/unscored count, but candidates typically encounter 40-60 items across multiple-choice, case study, and interactive lab-style formats within the 100-minute time limit.

Do I get access to documentation during the exam?

Yes. AZ-500 is delivered with split-pane access to Microsoft Learn documentation during the test, whether taken online proctored or at a Pearson VUE test center.

What happens when my AZ-500 certification expires?

The certification is valid for 12 months. During the six-month window before expiry, Microsoft opens a free, unproctored online renewal assessment on Microsoft Learn - assuming the renewal window remains available before the exam's August 31, 2026 retirement.

Ready to pass your AZ-500 exam?

Put this into practice with free AZ-500 questions across every exam domain.