- Overview: What the AZ-500 Domains Actually Cover
- Domain 1: Secure Identity and Access (15-20%)
- Domain 2: Secure Networking (20-25%)
- Domain 3: Secure Compute, Storage, and Databases (20-25%)
- Domain 4: Secure Azure Using Defender for Cloud and Sentinel (30-35%)
- How Domains Show Up in Actual Exam Questions
- Allocating Study Time Across the Four Domains
- Registration, Fee, and Retirement Timeline
- Who Hires for This Domain Mix
- FAQ
- Domain 4 (Defender for Cloud and Sentinel) is worth 30-35% - the single largest content area.
- Domains 2 and 3 each carry 20-25%, together outweighing identity by a wide margin.
- Domain 1 (identity) is the smallest domain at 15-20%, despite being the most-studied topic by beginners.
- The exam retires August 31, 2026 - after that date it cannot be earned or renewed.
Overview: What the AZ-500 Domains Actually Cover
The AZ-500 skills outline, currently dated January 22, 2026, breaks the exam into four content areas. Unlike some certifications where domains carry near-equal weight, AZ-500 is deliberately lopsided: two networking-and-workload domains and one massive detection-and-response domain dwarf the identity section that most candidates assume is the "core" of the exam. If you've read the AZ-500 Study Guide 2026: How to Pass on Your First Attempt, you already know the exam blends multiple-choice questions with case studies and interactive lab-style items. This article goes deeper into what each domain actually tests, so you can allocate study hours by weight rather than by comfort level.
Each domain corresponds to a dedicated deep-dive on this site: Domain 1: Secure identity and access, Domain 2: Secure networking, Domain 3: Secure compute, storage, and databases, and Domain 4: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel. Use this guide as the map, then use those pages for topic-level checklists.
Domain 1: Secure Identity and Access (15-20%)
This is the smallest of the four domains, but it's foundational - networking and workload security controls in Domains 2 and 3 assume you already understand identity plumbing. Expect questions on Microsoft Entra ID configuration, conditional access policy logic, and role-based access control scoping.
Domain 1: Secure Identity and Access
Candidates must understand how identity governs every other Azure security control, not just authentication.
- Conditional access: sign-in risk, device compliance, and session controls
- Privileged Identity Management (PIM) activation workflows and approval chains
- Custom RBAC role definitions vs. built-in roles, and scope inheritance
- Hybrid identity: Entra Connect sync, password hash sync vs. federation
Because this domain sits at only 15-20%, don't let it consume half your study calendar. A common mistake documented across candidate feedback in the AZ-500 Pass Rate 2026: What the Data Shows analysis is spending disproportionate hours on identity because it's conceptually approachable, then arriving underprepared for the heavier domains.
Domain 2: Secure Networking (20-25%)
Networking jumps to 20-25% and tests whether you can actually design defense-in-depth for Azure infrastructure - not just recite service names. Expect scenario questions requiring you to pick between NSGs, Azure Firewall, and Application Gateway WAF based on traffic direction and layer.
Domain 2: Secure Networking
This domain rewards candidates who can trace packet flow through a layered Azure network topology.
- Network Security Groups and Application Security Groups: rule precedence and evaluation order
- Azure Firewall vs. third-party NVAs in hub-and-spoke topologies
- Private Link and Private Endpoint configuration to eliminate public exposure
- DDoS Protection Standard tiers and Web Application Firewall rule sets
Key Takeaway
Practice diagramming hub-and-spoke networks by hand. Networking questions on AZ-500 are almost always scenario-based, and visualizing traffic flow beats memorizing service definitions.
Domain 3: Secure Compute, Storage, and Databases (20-25%)
Also weighted 20-25%, this domain covers securing the workloads themselves - VMs, containers, storage accounts, and PaaS databases. It's broad by design, so candidates need working familiarity across multiple Azure services rather than deep expertise in just one.
Domain 3: Secure Compute, Storage, and Databases
Expect questions that span from VM disk encryption to container image scanning to database auditing - often within the same case study.
- Azure Disk Encryption, Azure Key Vault integration, and managed identities for compute
- Container security: Microsoft Defender for Containers, AKS network policies, image vulnerability scanning
- Storage account access: SAS tokens, storage firewalls, and encryption scope
- Database security: transparent data encryption, dynamic data masking, and auditing for SQL and Cosmos DB
If you're unsure how demanding this breadth is compared to other Microsoft security exams, the How Hard Is the AZ-500 Exam? Complete Difficulty Guide 2026 article breaks down why Domain 3's service sprawl is a frequent difficulty complaint among candidates.
Domain 4: Secure Azure Using Defender for Cloud and Sentinel (30-35%)
This is the domain that decides most outcomes. At 30-35%, it's larger than any other single domain and roughly double the weight of identity. It tests your ability to configure, interpret, and act on security posture and threat detection tooling across an entire Azure estate.
Domain 4: Secure Azure Using Microsoft Defender for Cloud and Microsoft Sentinel
This domain blends configuration knowledge with analytical reasoning - you need to interpret alerts and recommendations, not just enable services.
- Microsoft Defender for Cloud: secure score, regulatory compliance dashboards, and workload protection plans
- Just-in-time VM access and adaptive application controls
- Microsoft Sentinel: data connectors, analytics rules, and Kusto Query Language (KQL) basics for hunting
- Automation: playbooks, workbooks, and incident response orchestration
How Domains Show Up in Actual Exam Questions
Microsoft doesn't publish a fixed scored/unscored question count for AZ-500, but candidates typically report 40-60 items across a 100-minute session. The format mixes standalone multiple-choice questions with case studies - multi-part scenarios describing an organization's environment, followed by several questions tied to that same scenario - plus interactive, lab-style items where you configure a setting or drag components into place.
Domain weighting doesn't mean each domain gets an equal number of isolated questions. A single case study can pull from two or three domains at once - for example, a scenario might ask you to secure a VM's network access (Domain 2), then ask about the managed identity it uses to reach Key Vault (Domain 3), then ask how Defender for Cloud would flag a misconfiguration in that same VM (Domain 4). This is why understanding domain boundaries matters less than understanding how the domains interconnect.
Allocating Study Time Across the Four Domains
Generic weekly templates don't work well for AZ-500 because the domain weights are so uneven. Instead, size your study blocks to match exam weight, with extra buffer time on Domain 4 given its analytical complexity.
Domain 1 - Identity Foundations
- Configure conditional access policies and test PIM activation flows
- Build custom RBAC roles and verify scope inheritance behavior
Domain 2 - Networking Layers
- Deploy a hub-and-spoke topology with Azure Firewall and NSGs
- Configure Private Endpoints and compare WAF rule sets
Domain 3 - Workload Security
- Encrypt VM disks and integrate managed identities with Key Vault
- Scan container images and enable database auditing features
Domain 4 - Defender for Cloud and Sentinel
- Walk through secure score recommendations end to end
- Write basic KQL queries and build a Sentinel analytics rule
- Practice full-length case studies that span all four domains
For a fuller breakdown of pacing, review habits, and common first-attempt mistakes, see the AZ-500 Study Guide 2026: How to Pass on Your First Attempt. Reinforce weak domains using timed practice sets on our AZ-500 practice test platform, then re-test the specific domain rather than retaking a full exam every time.
Registration, Fee, and Retirement Timeline
AZ-500 is administered by Microsoft and delivered through Pearson VUE, either at a test center or proctored online. The standard US registration fee is USD 165, with regionalized pricing shown at checkout since November 2024 - there are no member or non-member discount tiers. A passing score is 700 out of 1000.
There's no formal prerequisite exam, but Microsoft recommends practical Azure and hybrid administration experience along with strong familiarity with Entra ID, compute, networking, and storage before attempting it. Full pricing mechanics, including what's and isn't included in the fee, are covered in the AZ-500 Certification Cost 2026: Complete Pricing Breakdown article.
Key Takeaway
AZ-500 and its certification retire on August 31, 2026. After that date, it cannot be earned or renewed - candidates planning to sit the exam should register well before that deadline.
Once earned, the certification is valid for 12 months and can be renewed free through an unproctored online assessment on Microsoft Learn, available during the six-month window before expiry - assuming renewal is still possible before the August 2026 retirement cutoff.
Who Hires for This Domain Mix
The domain weighting reflects real job responsibilities. Security engineers who spend most of their time in Defender for Cloud and Sentinel dashboards - triaging alerts, tuning analytics rules, reviewing secure score - mirror Domain 4's 30-35% weight almost exactly. Roles blending network security architecture with workload hardening map to Domains 2 and 3. Pure identity specialists are a smaller subset, consistent with Domain 1's lighter weight.
If you're evaluating whether the credential is worth pursuing given your target role, the Is the AZ-500 Certification Worth It? Complete ROI Analysis 2026 guide and the AZ-500 Salary Guide 2026: Complete Earnings Analysis both dig into how the certification maps to hiring demand. For current openings that reference this credential directly, browse AZ-500 Jobs.
New to the credential itself? Background pieces like What Is AZ-500?, AZ-500 Meaning, and AZ-500 Certification cover the basics before you dive into domain-level prep. You can also run a free diagnostic practice test to see which domain needs the most work before committing to a study schedule.
Frequently Asked Questions
Start with Domain 1 (identity) since it's foundational to the other three, but don't linger - its 15-20% weight means it should occupy the smallest share of your total study time.
Yes. Domain 4 (Defender for Cloud and Sentinel) sits at 30-35%, compared to Domain 1's 15-20%, making it the largest content area by a significant margin.
Case studies frequently span multiple domains within one scenario - for example, a networking control, a compute security setting, and a Defender for Cloud recommendation might all reference the same environment.
Yes, until the exam and certification retire on August 31, 2026. After that date it can no longer be earned or renewed, so plan your test date accordingly.
Microsoft doesn't publish exact per-domain counts. With roughly 40-60 total items, expect the distribution to roughly track the published percentage weights, with Domain 4 appearing most frequently.
- AZ-500 Domain 1: Secure identity and access (15-20%) - Complete Study Guide 2026
- AZ-500 Domain 2: Secure networking (20-25%) - Complete Study Guide 2026
- AZ-500 Domain 3: Secure compute, storage, and databases (20-25%) - Complete Study Guide 2026
- AZ-500 Domain 4: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel (30-35%) - Complete Study Guide 2026