- AZ-500 costs USD 165 with regionalized pricing shown at checkout, no member tiers.
- Passing requires 700/1000 across 40-60 items in 100 minutes, proctored.
- Domain 4 (Defender for Cloud and Sentinel) is the largest area at 30-35%.
- The exam and certification retire August 31, 2026 - after that, it cannot be earned or renewed.
What the AZ-500 Certification Actually Covers
The Microsoft Certified: Azure Security Engineer Associate credential - earned by passing exam AZ-500 - validates that a candidate can implement security controls, maintain an organization's security posture, and identify and remediate vulnerabilities across an Azure environment. It's governed directly by Microsoft Corporation and delivered through Pearson VUE, either at a physical test center or via online proctoring. If you're still mapping out exactly what this credential signals to employers, the deeper explainer at What Is AZ-500 Certification? is worth a companion read, and the naming conventions are unpacked in AZ-500 Meaning.
Unlike entry-level Azure exams, AZ-500 assumes you already operate comfortably inside Azure and hybrid administration. Microsoft doesn't require a formal prerequisite exam, but the skills outline (current version dated January 22, 2026) expects strong familiarity with Microsoft Entra ID, compute resources, networking constructs, and storage services before you sit down at the keyboard.
Exam Format, Fee, and Registration Mechanics
Microsoft doesn't publish a fixed scored/unscored question split, but candidates typically see 40-60 items across 100 minutes. The format mixes standard multiple-choice with case studies and interactive, lab-style tasks that ask you to configure a setting or drag components into the correct order. A passing score is 700 out of 1000.
One detail that surprises first-time takers: during the exam you get split-pane access to official Microsoft Learn documentation. This isn't a loophole - it mirrors real-world work where engineers reference docs while configuring policies - but it rewards candidates who know exactly where to look rather than those who try to memorize every parameter name. That distinction matters more here than on exams without doc access, and it's a big reason generic test-prep advice falls short for AZ-500 specifically.
The standard fee is USD 165 in the US, with regionalized pricing applied automatically and displayed at checkout - there's no member versus non-member discount structure like some other certification bodies use. For a full breakdown of what you're actually paying for (and any retake cost implications), see AZ-500 Certification Cost 2026: Complete Pricing Breakdown.
| Attribute | Detail |
|---|---|
| Governing body | Microsoft Corporation |
| Testing provider | Pearson VUE (test center or online proctored) |
| Standard fee (US) | USD 165, regionalized at checkout |
| Question count | Typically 40-60 items (not officially fixed) |
| Time allowed | 100 minutes |
| Passing score | 700 / 1000 |
| Validity | 12 months, free renewal via Microsoft Learn |
| Retirement date | August 31, 2026 |
Domain-by-Domain Breakdown
AZ-500 is organized into four domains, and their weighting tells you exactly where to spend study hours. If you want the complete topic-by-topic map, AZ-500 Exam Domains 2026: Complete Guide to All 4 Content Areas goes deeper than any single-page summary can.
Domain 1: Secure identity and access (15-20%)
This domain centers on Microsoft Entra ID - the identity backbone of every other domain. Expect scenario questions on conditional access, privileged identity management, and hybrid identity synchronization.
- Configure and manage Microsoft Entra ID roles and administrative units
- Implement Conditional Access policies and Identity Protection risk policies
- Secure hybrid identity with Entra Connect and pass-through authentication
Domain 2: Secure networking (20-25%)
This is where NSGs, Azure Firewall, and private endpoints collide. Candidates need to reason through layered network security rather than memorize single-service configs.
- Design and implement network security groups and Azure Firewall rules
- Secure connectivity with VPN gateways, ExpressRoute, and private endpoints
- Configure DDoS protection and Web Application Firewall policies
Domain 3: Secure compute, storage, and databases (20-25%)
This domain tests platform-specific hardening - VMs, containers, storage accounts, and database services each have distinct security controls that must be configured correctly, not just recognized.
- Harden VM configurations and manage endpoint protection
- Secure storage account access keys, SAS tokens, and encryption at rest
- Configure database auditing, dynamic data masking, and Always Encrypted
Domain 4: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel (30-35%)
The largest domain by far, and the one most candidates underestimate. It covers cloud security posture management, workload protections, and SIEM/SOAR operations inside Sentinel.
- Implement and respond to Microsoft Defender for Cloud recommendations
- Configure Sentinel analytics rules, workbooks, and automation playbooks
- Investigate incidents and hunt threats using Kusto Query Language
Each domain also has its own dedicated deep-dive if you want to study one area at a time: Domain 1, Domain 2, Domain 3, and Domain 4.
Key Takeaway
Because Domain 4 accounts for nearly a third of the exam, treat Defender for Cloud and Sentinel as first-class study material - not a wrap-up topic you skim the week before test day.
Who Earns the AZ-500 and Why
AZ-500 attracts a specific slice of the IT workforce: cloud administrators moving into security, security analysts adding Azure depth, and dedicated cloud security engineers responsible for governance across subscriptions. Organizations running production workloads in Azure - especially regulated industries like finance, healthcare, and government contracting - use this certification as a hiring filter for roles that touch identity governance, network segmentation, and incident response tooling.
If you're evaluating whether this credential fits your career direction, AZ-500 Jobs outlines the roles that most frequently list it as required or preferred, and AZ-500 Salary Guide 2026: Complete Earnings Analysis discusses how the credential factors into compensation conversations. For a broader cost-versus-benefit view, Is the AZ-500 Certification Worth It? Complete ROI Analysis 2026 weighs the exam fee and study time against career outcomes.
The August 2026 Retirement Timeline
This is the single most time-sensitive fact about AZ-500 right now: the exam and its associated certification retire on August 31, 2026. After that date, it will no longer be possible to earn the credential by passing the exam, and it will also no longer be possible to renew it. This isn't a routine content refresh - it's a hard end date for the credential itself.
Microsoft typically replaces retiring associate-level exams with updated versions or consolidated role-based credentials, so candidates close to their exam date should move with intention rather than delaying indefinitely.
Renewal and Validity Rules
Once earned, the AZ-500 certification is valid for 12 months. Renewal is free and doesn't require retaking the full proctored exam - instead, Microsoft opens an online, unproctored renewal assessment on Microsoft Learn during the six-month window before your certification expires. This assessment checks that your knowledge has kept pace with any skills-outline updates issued since you last certified.
Given the retirement date above, anyone certifying in the final months before August 31, 2026 should pay close attention to whether a renewal window will even be available, since renewals are also cut off once the certification retires.
Building an AZ-500-Specific Prep Plan
A generic study calendar won't account for AZ-500's lopsided domain weighting or its doc-access exam format. Instead, sequence your preparation around the four domains, weighting time roughly in proportion to their exam share, and finish with domain-specific practice rather than a single generic review pass.
Identity and Access Foundations
- Build and test Conditional Access policies in a sandbox tenant
- Practice configuring Privileged Identity Management role activation
Networking and Platform Hardening
- Configure NSGs, Azure Firewall rules, and private endpoints end-to-end
- Harden a VM, a storage account, and a SQL database in the same lab
Defender for Cloud and Sentinel
- Walk through Defender for Cloud recommendations and remediate several
- Build a Sentinel analytics rule and a basic automation playbook
Timed Practice and Doc-Access Rehearsal
- Run full-length timed practice sessions under the 100-minute limit
- Rehearse locating answers quickly inside Microsoft Learn's docs
For a more complete walkthrough of how to sequence resources, labs, and review cycles, AZ-500 Study Guide 2026: How to Pass on Your First Attempt expands on this structure in detail. And if you're still calibrating how much effort this exam actually demands compared to other Azure certifications, How Hard Is the AZ-500 Exam? Complete Difficulty Guide 2026 and AZ-500 Pass Rate 2026: What the Data Shows both offer useful context before you lock in a test date.
Formal training resources can also accelerate the process, particularly for candidates without daily hands-on Azure security work. AZ-500 Training covers structured course options if self-directed study alone feels insufficient for Domain 4's breadth.
Frequently Asked Questions
No. There's no formal prerequisite exam, but Microsoft recommends practical Azure and hybrid administration experience plus strong familiarity with Microsoft Entra ID, compute, networking, and storage before attempting AZ-500.
No. The exam and certification retire on August 31, 2026. After that date it cannot be earned through the exam or renewed, so registration should happen well before then.
Microsoft does not publish a fixed scored/unscored count, but candidates typically encounter 40-60 items across multiple-choice, case study, and interactive lab-style formats within the 100-minute time limit.
Yes. AZ-500 is delivered with split-pane access to Microsoft Learn documentation during the test, whether taken online proctored or at a Pearson VUE test center.
The certification is valid for 12 months. During the six-month window before expiry, Microsoft opens a free, unproctored online renewal assessment on Microsoft Learn - assuming the renewal window remains available before the exam's August 31, 2026 retirement.