- Domain 3 Overview: Why This Slice of AZ-500 Matters
- Securing Compute: VMs, Containers, and Serverless
- Securing Storage Accounts and Data at Rest
- Securing Azure SQL, Cosmos DB, and Managed Databases
- How Domain 3 Questions Are Actually Written
- Scheduling Domain 3 Inside Your AZ-500 Study Plan
- Who Hires for These Skills
- Common Mistakes Candidates Make on This Domain
- FAQ
- Domain 3 (compute, storage, databases) accounts for 20-25% of the AZ-500 exam.
- Expect scenario questions on VM disk encryption, storage account access keys, and Azure SQL auditing together.
- The AZ-500 exam allows split-pane access to Microsoft Learn docs - practice looking things up efficiently.
- Passing requires 700/1000 across roughly 40-60 items in 100 minutes, so pacing across four domains matters.
Domain 3 Overview: Why This Slice of AZ-500 Matters
Domain 3, officially titled "Secure compute, storage, and databases," represents 20-25% of the AZ-500 exam - tied with Domain 2 (secure networking) as the second-largest content area behind Domain 4's 30-35% weighting on Microsoft Defender for Cloud and Microsoft Sentinel. If you're mapping out your prep across all four areas, this domain sits right in the middle of the workload: not as identity-heavy as Domain 1, not as sprawling as Domain 4, but dense with hands-on configuration knowledge that examiners love to test through scenario-based questions.
Unlike Domain 1's focus on Microsoft Entra ID or Domain 2's focus on network security groups and firewalls, Domain 3 asks you to secure the actual workloads and data stores running inside Azure - virtual machines, containers, storage accounts, and both relational and NoSQL databases. If you haven't yet reviewed how this domain fits alongside the others, the AZ-500 Exam Domains 2026 guide breaks down all four content areas side by side.
Securing Compute: VMs, Containers, and Serverless
Compute security questions on AZ-500 typically revolve around three workload types: Azure Virtual Machines, container platforms (Azure Kubernetes Service and Azure Container Instances), and serverless/PaaS compute like App Service and Azure Functions. Each has distinct security controls you need to know cold.
Virtual Machine Security
Candidates must understand disk encryption options and when to use each, plus how VM identity and access control interact with the rest of the platform.
- Azure Disk Encryption vs. server-side encryption with platform-managed or customer-managed keys
- Configuring managed identities on VMs to eliminate stored credentials
- Just-in-time VM access and endpoint protection extensions
- VM security baselines and guest configuration policies
Container and Kubernetes Security
AKS security questions often test the intersection of identity, network policy, and image security - expect multi-part scenarios rather than single-fact recall.
- Azure Container Registry vulnerability scanning and image signing
- AKS network policies and pod-level security contexts
- Integrating AKS with Microsoft Entra ID for RBAC
- Secrets management for containerized workloads using Azure Key Vault CSI driver
Serverless compute security is smaller in weight but still shows up - expect at least one item on App Service authentication (easy auth), managed identities for Functions, and restricting access via private endpoints or access restrictions rather than public inbound rules.
Key Takeaway
Memorize which encryption option requires a Key Vault (customer-managed keys) versus which is automatic (platform-managed keys) - this distinction appears repeatedly across VM, storage, and database sub-topics.
Securing Storage Accounts and Data at Rest
Storage account security is one of the most testable areas in Domain 3 because Azure Storage has so many overlapping controls: shared access signatures, access keys, network rules, encryption scopes, and immutability policies. AZ-500 questions frequently present a scenario where multiple controls could technically work, and you must pick the most secure or most appropriate one given stated constraints.
- Shared Access Signatures (SAS): Know the difference between account SAS, service SAS, and user delegation SAS, and why user delegation SAS (backed by Microsoft Entra ID) is generally preferred over account-key-based SAS.
- Storage firewalls and private endpoints: Restricting storage account access to specific virtual networks or private endpoints instead of relying on public endpoint allow-lists.
- Encryption at rest: Microsoft-managed keys by default, with customer-managed keys in Key Vault for stricter compliance requirements.
- Access key rotation and Azure Storage RBAC: When to disable access keys entirely and enforce Microsoft Entra ID-based authorization instead.
- Immutable blob storage and soft delete: Protecting data from accidental or malicious deletion, a topic that overlaps with Domain 4's data protection concerns.
Securing Azure SQL, Cosmos DB, and Managed Databases
Database security in Domain 3 spans Azure SQL Database, Azure SQL Managed Instance, and Azure Cosmos DB, with occasional coverage of Azure Database for PostgreSQL/MySQL. This is where identity, network, and data protection concepts you learned in earlier domains converge.
| Database Service | Primary Security Controls to Know |
|---|---|
| Azure SQL Database | Microsoft Entra ID authentication, Transparent Data Encryption (TDE), Always Encrypted, dynamic data masking, SQL auditing |
| Azure SQL Managed Instance | Virtual network integration, private endpoints, TDE with customer-managed keys, Advanced Threat Protection |
| Azure Cosmos DB | Resource tokens, Microsoft Entra ID RBAC, IP firewall rules, encryption at rest and in transit by default |
| Azure Database for PostgreSQL/MySQL | SSL enforcement, Microsoft Entra ID admin accounts, private access via VNet integration |
Expect at least one question combining database auditing configuration with Microsoft Defender for Cloud alerting - this is a deliberate overlap point since Domain 4 covers the detection side while Domain 3 covers the configuration side. Understanding this handoff between domains is exactly why reviewing the Domain 4 study guide alongside this one pays off, since Defender for Cloud recommendations frequently reference the same database and storage settings tested here.
Data Discovery and Classification
A recurring but easy-to-overlook topic is using the built-in data discovery and classification features in Azure SQL and Microsoft Purview to identify sensitive data before applying protective controls such as dynamic data masking or Always Encrypted.
- Classifying columns by sensitivity label
- Applying dynamic data masking rules for non-privileged users
- Using Always Encrypted for column-level encryption where the database engine never sees plaintext
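The Azure SQL Database row of the table above, expressed as the Azure CLI calls a practitioner would actually run, as an added example that is not part of the original guide. All resource names and the admin object id are constructed placeholders; with DRY_RUN=1 (the default) the script prints each command instead of executing it, so the dependency order (Entra admin before Entra-only authentication, auditing target before auditing state) can be reviewed without a subscription. Column classification and dynamic data masking are configured inside the database with T-SQL and are not covered here.

```shell
#!/bin/sh
# Added example (not from the page): Azure SQL Database controls as Azure CLI
# calls. Every name below is a constructed placeholder. DRY_RUN=1 (default)
# prints the commands; DRY_RUN=0 executes them against a real subscription.

DRY_RUN="${DRY_RUN:-1}"
RG="${RG:-rg-example}"                      # placeholder resource group
SQL_SERVER="${SQL_SERVER:-sql-example}"     # placeholder logical server name
SQL_DB="${SQL_DB:-appdb}"                   # placeholder database name
AUDIT_SA="${AUDIT_SA:-stexampleaudit}"      # placeholder storage account for audit logs
ADMIN_NAME="${ADMIN_NAME:-sql-admins}"      # Entra group that becomes the server admin
ADMIN_OID="${ADMIN_OID:-00000000-0000-0000-0000-000000000000}"  # placeholder object id

# Print the command in dry-run mode, otherwise hand it to the az CLI.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "az $*"; else az "$@"; fi
}

# Identity: register an Entra group as the server admin, then switch the server
# to Entra-only authentication so SQL logins (name + password) stop working.
# The admin must be set before ad-only-auth can be enabled.
enable_entra_auth() {
  run sql server ad-admin create --resource-group "$RG" --server-name "$SQL_SERVER" \
    --display-name "$ADMIN_NAME" --object-id "$ADMIN_OID"
  run sql server ad-only-auth enable --resource-group "$RG" --name "$SQL_SERVER"
}

# Transport and exposure: TLS 1.2 minimum and no public endpoint, so clients
# reach the server through a private endpoint in their VNet.
harden_network() {
  run sql server update --resource-group "$RG" --name "$SQL_SERVER" \
    --minimal-tls-version 1.2 --enable-public-network false
}

# Data at rest: TDE is on by default for new databases, but setting it
# explicitly guards against a restored or migrated database arriving with it off.
enable_tde() {
  run sql db tde set --resource-group "$RG" --server "$SQL_SERVER" \
    --database "$SQL_DB" --status Enabled
}

# Auditing: database-level audit log to blob storage with 90-day retention.
# This is the configuration side that the page contrasts with Domain 4's
# detection side in Defender for Cloud.
enable_auditing() {
  run sql db audit-policy update --resource-group "$RG" --server "$SQL_SERVER" \
    --name "$SQL_DB" --state Enabled --blob-storage-target-state Enabled \
    --storage-account "$AUDIT_SA" --retention-days 90
}

# All four controls, in an order that respects the dependencies noted above.
harden_sql() {
  enable_entra_auth
  harden_network
  enable_tde
  enable_auditing
}

case "${1:-}" in
  run) harden_sql ;;   # sh harden-sql.sh run   (DRY_RUN=0 to apply)
esac
```

Run it as `sh harden-sql.sh run` to see the command sequence, and `DRY_RUN=0 sh harden-sql.sh run` to apply it after signing in with `az login`. The audit storage account is a separate resource from the one holding application data, so its own access lock-down (covered in the storage section) still applies.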
How Domain 3 Questions Are Actually Written
Microsoft doesn't publish an exact scored question count for AZ-500, but candidates typically see 40-60 items across all domains within the 100-minute exam window, mixing standard multiple-choice with case studies and interactive lab-style tasks. Domain 3 questions tend to follow a few recognizable patterns:
- Scenario-first, requirement-buried: A paragraph describes an organization's compute or storage setup, then buries a specific compliance or performance constraint that determines the correct answer.
- "Choose the minimal change" framing: Given an existing configuration, which single change satisfies a new requirement without breaking existing functionality - testing whether you understand dependencies between services.
- Drag-and-drop or ordered steps: Some interactive items ask you to sequence configuration steps, such as setting up customer-managed key encryption for a storage account (create Key Vault, assign managed identity, grant key permissions, then configure the storage account).
- Case studies: Longer scenarios spanning multiple questions where earlier answers about compute or networking constrain later database or storage decisions.
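The ordered-steps item described above (Key Vault, managed identity, key permissions, then the storage account) and the storage lock-down controls from the storage section, carried out as Azure CLI calls. This is an added example, not code from the original guide; every resource name is a constructed placeholder and the principal id and vault id used in dry-run mode are placeholders too. With DRY_RUN=1 (the default) each command is printed rather than executed, so the order dependencies can be checked offline; DRY_RUN=0 runs it for real.

```shell
#!/bin/sh
# Added example (not from the page): customer-managed key (CMK) setup for a
# storage account as Azure CLI calls, followed by the access lock-down controls.
# All names are constructed placeholders. DRY_RUN=1 (default) prints commands;
# DRY_RUN=0 executes them against a real subscription.

DRY_RUN="${DRY_RUN:-1}"
RG="${RG:-rg-example}"            # placeholder resource group
LOC="${LOC:-eastus}"
KV="${KV:-kv-example-cmk}"        # placeholder Key Vault name (must be globally unique)
KEY_NAME="${KEY_NAME:-storage-cmk}"
SA="${SA:-stexamplecmk}"          # placeholder storage account name

# Print the command in dry-run mode, otherwise hand it to the az CLI.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "az $*"; else az "$@"; fi
}

# Step 1: the Key Vault comes first. Soft delete (on by default) and purge
# protection are required before a storage account will accept a key from it;
# RBAC authorization means key permissions are role assignments, not access policies.
create_key_vault() {
  run keyvault create --name "$KV" --resource-group "$RG" --location "$LOC" \
    --enable-purge-protection true --enable-rbac-authorization true
  run keyvault key create --vault-name "$KV" --name "$KEY_NAME" --protection software
}

# Step 2: give the storage account a system-assigned managed identity. Its
# principal id is what receives the Key Vault role in step 3.
assign_identity() {
  run storage account update --name "$SA" --resource-group "$RG" --assign-identity
  if [ "$DRY_RUN" = 1 ]; then
    PRINCIPAL_ID="00000000-0000-0000-0000-000000000000"   # placeholder
    KV_ID="/subscriptions/<sub>/resourceGroups/$RG/providers/Microsoft.KeyVault/vaults/$KV"
    KV_URI="https://$KV.vault.azure.net/"
  else
    PRINCIPAL_ID=$(az storage account show --name "$SA" --resource-group "$RG" \
      --query identity.principalId -o tsv)
    KV_ID=$(az keyvault show --name "$KV" --query id -o tsv)
    KV_URI=$(az keyvault show --name "$KV" --query properties.vaultUri -o tsv)
  fi
}

# Step 3: least privilege on the vault. This built-in role grants only the
# get/wrapKey/unwrapKey operations the storage service needs; with access
# policies the equivalent is "az keyvault set-policy --key-permissions get unwrapKey wrapKey".
grant_key_permissions() {
  run role assignment create --assignee-object-id "$PRINCIPAL_ID" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Crypto Service Encryption User" --scope "$KV_ID"
}

# Step 4: only now can the account be pointed at the key. Omitting
# --encryption-key-version lets the account adopt new key versions automatically.
configure_storage_cmk() {
  run storage account update --name "$SA" --resource-group "$RG" \
    --encryption-key-source Microsoft.Keyvault \
    --encryption-key-vault "$KV_URI" --encryption-key-name "$KEY_NAME"
}

# Lock-down from the storage section: no shared-key (account key / account SAS)
# authorization, no anonymous blob access, TLS 1.2 minimum, and a default-deny
# network rule so only allow-listed VNets or private endpoints reach the account.
lock_down_access() {
  run storage account update --name "$SA" --resource-group "$RG" \
    --allow-shared-key-access false --allow-blob-public-access false \
    --min-tls-version TLS1_2 --default-action Deny
}

# The four CMK steps in the order the exam item describes, then the lock-down.
harden_storage() {
  create_key_vault
  assign_identity
  grant_key_permissions
  configure_storage_cmk
  lock_down_access
}

case "${1:-}" in
  run) harden_storage ;;   # sh harden-storage.sh run   (DRY_RUN=0 to apply)
esac
```

Run `sh harden-storage.sh run` to print the sequence and `DRY_RUN=0 sh harden-storage.sh run` to apply it after `az login`. Once shared-key access is disabled, account and service SAS tokens stop working and clients must use Microsoft Entra ID authorization or user delegation SAS, which is the trade-off the storage section's SAS bullet is pointing at.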
Because the exam is proctored with split-pane access to Microsoft Learn documentation, you're not expected to memorize every CLI flag or portal menu path. What you do need is enough conceptual fluency to know which doc to search and to evaluate answer choices quickly; spending too long searching docs mid-exam eats into your 100 minutes fast. For a broader breakdown of exam mechanics and difficulty expectations, see How Hard Is the AZ-500 Exam?
Key Takeaway
Practice reading Domain 3 scenarios for the hidden constraint sentence - it's usually one clause (a compliance mandate, a budget limit, or a "without downtime" phrase) that eliminates 2-3 of the 4 answer choices immediately.
Scheduling Domain 3 Inside Your AZ-500 Study Plan
Domain 3 carries roughly the same weight as Domain 2 (20-25% each), and compute and storage security constantly reference networking controls like private endpoints and VNet integration, so many candidates study the two back-to-back. A simple way to sequence a multi-week plan:
Compute Security Deep Dive
- VM disk encryption options and managed identity configuration
- AKS and container registry security controls
- App Service and Functions authentication patterns
Storage and Database Security
- SAS types, storage firewalls, and encryption scopes
- Azure SQL auditing, TDE, and Always Encrypted
- Cosmos DB RBAC and Defender for Cloud database alerts (preview of Domain 4 overlap)
If you're building your full study calendar from scratch, the AZ-500 Study Guide 2026 lays out a complete week-by-week template covering all four domains, not just this one. And if you haven't reviewed Domain 1's identity and access content yet, doing so before Domain 3 helps because managed identity concepts introduced there reappear constantly in VM, storage, and database security discussions here.
Who Hires for These Skills
Domain 3 competencies map directly to day-to-day responsibilities for cloud security engineers, cloud infrastructure administrators, and DevSecOps roles working in Azure-heavy environments. Organizations running production workloads on Azure VMs, AKS clusters, or Azure SQL databases need someone who can configure encryption, access controls, and network isolation correctly the first time - not after an audit finding. Employers posting roles that reference AZ-500 typically expect candidates to already be comfortable with the compute, storage, and database controls this domain covers, alongside the identity and networking material in Domains 1 and 2.
If you're evaluating whether this credential fits your career goals, the AZ-500 Jobs overview and AZ-500 Salary Guide 2026 both discuss how this specific skill set gets used in real hiring contexts, and Is the AZ-500 Certification Worth It? weighs the broader ROI question given the exam's August 31, 2026 retirement date.
Common Mistakes Candidates Make on This Domain
- Treating storage and database encryption as one topic: They share concepts (customer-managed keys, Key Vault) but have distinct configuration paths - conflating them causes wrong answers on detail-heavy questions.
- Ignoring container security until the last week: AKS and container registry topics are smaller in volume but still tested; skipping them entirely risks losing easy points.
- Forgetting the Microsoft Entra ID connection: Nearly every compute, storage, and database control in Domain 3 has an identity-based alternative to key-based access - the exam rewards knowing when to prefer identity over keys/secrets.
- Not practicing under time pressure: With roughly 40-60 items in 100 minutes across all four domains, spending too long parsing dense Domain 3 case studies can crowd out time for Domain 4, which carries the highest weight.
Running full-length timed practice sessions on our AZ-500 practice test platform is one of the more reliable ways to catch these habits before exam day, since it forces the same pacing discipline the real 100-minute window demands. If you're also curious how your prep timeline compares to typical outcomes, AZ-500 Pass Rate 2026: What the Data Shows and AZ-500 Certification Cost 2026 round out the practical planning picture, alongside registration through Pearson VUE at the standard USD 165 fee (regionalized pricing is shown at checkout).
FAQ
Domain 3, "Secure compute, storage, and databases," represents 20-25% of the exam - the same weighting as Domain 2 (secure networking) and second only to Domain 4's 30-35% on Defender for Cloud and Sentinel.
It covers virtual machines, Azure Kubernetes Service, Azure Container Registry, App Service, Azure Functions, Azure Storage accounts, Azure SQL Database, Azure SQL Managed Instance, and Azure Cosmos DB, focused on encryption, access control, and network isolation for each.
Yes. Domain 3 covers configuring security controls on compute, storage, and databases, while Domain 4 covers detecting misconfigurations and threats against those same resources using Microsoft Defender for Cloud and Microsoft Sentinel. Studying them close together reinforces both.
Yes, the AZ-500 exam provides split-pane access to Microsoft Learn docs during the proctored session, whether taken online or at a test center, so you don't need to memorize every configuration detail - just know what to search for quickly.
If your role involves securing Azure VMs, storage, or databases, the content remains professionally relevant regardless of the certification's August 31, 2026 retirement date. For exam planning specifically, prioritize based on your target test date and remaining prep time.
- AZ-500 Domain 1: Secure identity and access (15-20%) - Complete Study Guide 2026
- AZ-500 Domain 2: Secure networking (20-25%) - Complete Study Guide 2026
- AZ-500 Domain 4: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel (30-35%) - Complete Study Guide 2026
- AZ-500 Exam Domains 2026: Complete Guide to All 4 Content Areas