- Why Domain 4 Carries the Most Exam Weight
- Microsoft Defender for Cloud: Core Skills
- Defender Plans for Workloads
- Microsoft Sentinel Fundamentals
- KQL, Analytics Rules, and Automation
- How Domain 4 Questions Are Actually Asked
- Scheduling Domain 4 Inside Your Study Plan
- Registration, Fee, and Retirement Timeline
- Who Hires for This Skill Set
- Frequently Asked Questions
- Domain 4 is worth 30-35% of the AZ-500 exam - more than any other domain.
- Master Defender for Cloud's Secure Score, recommendations, and workload plans first.
- Microsoft Sentinel questions focus on data connectors, analytics rules, and KQL basics, not deep SOC analyst skills.
- The exam allows split-pane access to Microsoft Learn docs, but you still need working KQL fluency.
Why Domain 4 Carries the Most Exam Weight
If you've already reviewed the AZ-500 exam domains guide, you know the exam is built from four content areas: identity and access (15-20%), networking (20-25%), compute, storage, and databases (20-25%), and this one - Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel, at 30-35%. That weighting alone tells you where to put your heaviest study hours.
Domain 4 is different in flavor from the other three. Domains 1-3 are largely about configuring controls correctly on individual resources. Domain 4 asks whether you can operate the security posture management and detection layer that sits on top of everything else - Defender for Cloud for continuous assessment and hardening, and Microsoft Sentinel for log-based detection, investigation, and response. If you're still mapping out your overall approach, the AZ-500 study guide is a good companion to this domain-specific breakdown.
Microsoft Defender for Cloud: Core Skills
Microsoft Defender for Cloud is the cloud security posture management (CSPM) and cloud workload protection platform (CWPP) tested throughout this domain. You need to be comfortable operating it, not just describing it.
Secure Score and Recommendations
Candidates must understand how Secure Score is calculated, how recommendations map to specific security controls, and how to prioritize remediation across a subscription or management group.
- Reading and interpreting Secure Score improvements and their weighting
- Applying quick fixes versus manual remediation for recommendations
- Exempting resources or recommendations with documented justification
Regulatory Compliance and Initiatives
Defender for Cloud maps controls to standards like Azure Security Benchmark, and the exam expects you to know how to assign and interpret these initiatives.
- Assigning built-in and custom regulatory compliance standards
- Reading compliance dashboards to identify failing controls
- Using Azure Policy definitions underneath Defender for Cloud initiatives
Onboarding and Multicloud Coverage
Defender for Cloud extends beyond Azure, and the exam tests awareness of connecting AWS and GCP accounts alongside Azure subscriptions.
- Configuring auto-provisioning of monitoring agents and extensions
- Connecting non-Azure and on-premises machines via Azure Arc
- Understanding the free tier versus paid Defender plans
Defender Plans for Workloads
A large share of Domain 4 questions test knowledge of individual Defender plans - the paid, workload-specific protections layered under Defender for Cloud. Expect scenario questions that ask which plan applies to a given resource type.
| Defender Plan | Primarily Protects | Exam Focus Area |
|---|---|---|
| Defender for Servers | Azure VMs, on-premises/Arc-enabled servers | Vulnerability assessment, just-in-time VM access |
| Defender for Storage | Storage accounts | Malware scanning, anomaly detection on blob activity |
| Defender for SQL | Azure SQL, SQL on VMs | Vulnerability assessment, advanced threat protection alerts |
| Defender for Containers | AKS, container registries | Runtime threat detection, image scanning |
| Defender for Key Vault | Key Vault access patterns | Anomalous access alerts, suspicious operations |
| Defender for App Service | Web apps, App Service plans | Detecting exploitation attempts against web workloads |
You don't need to memorize every alert name each plan generates, but you must know which plan is relevant to a given resource, what it costs to enable at a high level, and what type of finding it surfaces. This overlaps with the resource hardening covered in Domain 3's compute, storage, and database content, so review both together.
Key Takeaway
When a scenario names a specific resource type (SQL Managed Instance, AKS cluster, storage account), immediately map it to its Defender plan before reading the answer choices - this shortcut resolves many Domain 4 questions quickly.
Microsoft Sentinel Fundamentals
Microsoft Sentinel is Azure's cloud-native SIEM and SOAR platform, built on top of a Log Analytics workspace. AZ-500 does not test you as a full-time SOC analyst, but it does expect operational fluency with how Sentinel is deployed and configured.
Workspace and Connector Setup
Sentinel ingests data through data connectors, and the exam tests your understanding of what each connector type provides.
- Connecting Azure Activity Logs, Entra ID sign-in and audit logs, and Microsoft Defender for Cloud alerts
- Configuring Diagnostic settings to route resource logs into the workspace
- Understanding ingestion cost implications of workspace design decisions
Workbooks and Watchlists
Beyond raw detection, Sentinel provides visualization and enrichment tools that appear on the exam as configuration tasks.
- Building or customizing workbooks for visibility into specific data sources
- Creating watchlists to enrich alerts with business context (e.g., high-value asset lists)
- Using entity behavior analytics to baseline normal activity
KQL, Analytics Rules, and Automation
This is the section that most surprises candidates coming from a pure administration background. Kusto Query Language (KQL) underpins Sentinel's detection logic, and you need enough fluency to read and reason about queries - not necessarily write complex ones from scratch.
Analytics Rules
Analytics rules are the core detection mechanism in Sentinel, and the exam tests your ability to configure and tune them.
- Scheduled query rules versus the other rule types (Microsoft security incident creation, Fusion, near-real-time)
- Setting rule logic, entity mapping, and alert grouping to reduce noise
- Suppressing or tuning rules to cut down false positives
Incidents and Automation
Once an analytics rule fires, the resulting alert is grouped into an incident, and the exam covers how incidents are triaged and automated.
- Assigning, tagging, and closing incidents with appropriate classification
- Building automation rules to trigger playbooks on incident creation
- Using Logic Apps-based playbooks for automated response actions
You will not be asked to write elaborate KQL from memory, but you should be able to read a basic query - `SecurityEvent | where EventID == 4625 | summarize count() by Account` style logic - and understand what it detects. Because the proctored exam gives split-pane access to Microsoft Learn documentation, you can look up exact syntax during the test, but you still need the conceptual fluency to know what to search for and recognize a correct configuration when you see it.
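To show what the one-liner above looks like once it is shaped into a scheduled analytics rule, here is an added example (not from the original page or from Microsoft's rule templates) that counts failed Windows logons per account and host over the rule's lookback window, applies a noise threshold, and splits the account into the columns an entity mapping would reference. It assumes the Windows Security Events connector is populating the `SecurityEvent` table; the threshold and lookback values are placeholders to tune per environment.

```kql
// Added example: scheduled-rule query for repeated failed logons.
// Assumption: SecurityEvent is populated by the Windows Security Events connector.
let lookback = 1h;       // match this to the rule's "run query every" / "lookup data" settings
let threshold = 20;      // constructed starting value; raise it if it fires on normal mistyped passwords
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625                       // 4625 = an account failed to log on
| where AccountType == "User"                 // skip machine and service accounts
| summarize
    FailedCount   = count(),
    FirstFailure  = min(TimeGenerated),
    LastFailure   = max(TimeGenerated),
    SourceIPs     = make_set(IpAddress, 10)   // keep up to 10 distinct source addresses
    by Account, Computer
| where FailedCount >= threshold              // tuning step that cuts false positives
// Account arrives as DOMAIN\user; split it so the rule's entity mapping can use
// Account -> Name = AccountName, NTDomain = AccountDomain, and Host -> HostName = Computer.
| extend AccountDomain = tostring(split(Account, "\\")[0]),
         AccountName   = tostring(split(Account, "\\")[1])
| project-reorder Account, AccountName, AccountDomain, Computer, FailedCount,
                  FirstFailure, LastFailure, SourceIPs
```

Reading it top to bottom is the skill the exam checks: the table being queried, the `where` filters that narrow it, the `summarize` that produces per-entity counts, and the final `where` that acts as the tunable threshold.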
How Domain 4 Questions Are Actually Asked
Domain 4 questions tend to follow a few recognizable patterns rather than testing pure recall:
- Scenario-to-plan mapping: A description of a workload (a container registry, a SQL Managed Instance, a set of storage accounts) followed by "which Defender plan should you enable" or "which recommendation resolves this finding."
- Configuration sequencing: Multi-step tasks such as "connect this data source, then configure an analytics rule, then automate the response" presented as ordered or drag-and-drop steps.
- Case studies: A longer scenario describing an organization's Azure environment, with several questions referencing the same background - common across Defender for Cloud onboarding and Sentinel deployment scenarios.
- Interactive/lab-style items: Simulated portal screens where you select the correct setting (e.g., enabling auto-provisioning, assigning a compliance initiative) rather than choosing from static text answers.
If you're unsure how this format compares to other Microsoft exams you've taken, the AZ-500 difficulty guide covers the exam experience in more depth, and AZ-500 pass rate data gives useful context on how candidates generally perform.
Scheduling Domain 4 Inside Your Study Plan
Given its 30-35% weight, Domain 4 deserves the largest block of dedicated study time in any realistic plan. A simple way to allocate a multi-week prep schedule proportionally:
Identity and Networking (Domains 1-2)
- Build baseline Entra ID and networking knowledge before layering security tooling on top
Compute, Storage, Databases (Domain 3)
- Harden the workloads you'll later monitor with Defender plans
Defender for Cloud Deep Dive
- Secure Score, recommendations, compliance initiatives, and all workload-specific Defender plans
Microsoft Sentinel and KQL Basics
- Data connectors, analytics rules, automation rules, and reading (not memorizing) KQL
Integrated Practice and Review
- Mixed practice questions spanning all four domains, weighted toward Domain 4
This sequencing works because Domain 4 concepts (Secure Score recommendations, Defender plan alerts, Sentinel data connectors) constantly reference identity, network, and compute controls from the earlier domains. Studying Domain 4 last lets those references click instead of feeling abstract.
Registration, Fee, and Retirement Timeline
A few logistics matter specifically for how you schedule your Domain 4 study relative to your exam date:
- The exam is delivered through Pearson VUE, proctored online or at a test center, with a standard fee of USD 165 (regional pricing shown at checkout, no membership tiers).
- You get 100 minutes to complete roughly 40-60 items across multiple-choice, case studies, and interactive lab-style questions - with Domain 4 typically contributing the largest single chunk of those items.
- A passing score is 700 out of 1000.
- The certification is valid for 12 months, renewable free through an unproctored online assessment on Microsoft Learn during the six months before expiry.
- Critical deadline: AZ-500 and its certification retire on August 31, 2026. After that date, it can no longer be earned or renewed - factor this into your exam booking timeline now.
For a full cost breakdown including regional variations, see the AZ-500 certification cost guide. If you're still deciding whether to pursue it before retirement, the ROI analysis on AZ-500 and the general AZ-500 certification overview are worth reading alongside this domain guide.
Who Hires for This Skill Set
Domain 4 skills map directly to real operational roles: cloud security engineers who tune Defender for Cloud recommendations across dozens of subscriptions, and SOC/security operations staff who build and maintain Sentinel analytics rules and playbooks. Organizations running hybrid or multicloud environments particularly value candidates who can speak to both CSPM (Defender for Cloud) and SIEM/SOAR (Sentinel) in the same conversation.
If you're evaluating career fit, the AZ-500 jobs overview and AZ-500 salary guide break down where this certification tends to open doors. And if terminology is still new to you, foundational pieces like what AZ-500 is and what AZ-500 means can fill in context before you go deeper into domain-level study.
Whatever your starting point, running scenario-style practice questions specific to Defender for Cloud and Sentinel configuration is the fastest way to convert reading into exam-ready recall - you can start that practice on the main practice test site anytime.
Frequently Asked Questions
Hands-on practice is strongly recommended. Domain 4 tests configuration sequences and scenario recognition that are much easier to internalize after actually deploying a Sentinel workspace and connecting a data source or two, even in a trial environment.
Enough to read and interpret basic queries used in analytics rules - table names, where clauses, and summarize statements. You are not expected to write advanced KQL from memory, and split-pane Microsoft Learn access is available during the exam for syntax lookups.
No. Defender for Cloud is Azure's CSPM/CWPP platform covering Secure Score, recommendations, and workload protection plans. Defender for Endpoint is a separate Microsoft 365 Defender product for endpoint threat detection; AZ-500 focuses on the Azure-centric Defender for Cloud.
Microsoft publishes ranges rather than fixed percentages for all domains, and Domain 4's range reflects that it spans two substantial products - Defender for Cloud and Microsoft Sentinel - each contributing a variable number of items per exam version.
Yes - the skills (posture management, SIEM/SOAR operation) remain relevant regardless of certification lifecycle, and anyone planning to sit the exam before retirement needs Domain 4 mastery given its 30-35% weight.