AZ-500 logo
Focused certification exam prep
Start practice

AZ-500 Study Guide 2026: How to Pass on Your First Attempt

TL;DR
  • Domain 4 (Defender for Cloud and Sentinel) carries 30-35% of the exam - study it first.
  • Networking and compute/storage/database domains are tied at 20-25% each - don't neglect either.
  • The exam retires August 31, 2026 - after that date it cannot be earned or renewed.
  • You get split-pane access to Microsoft Learn docs during the exam, so know how to search them fast.

AZ-500 Exam Snapshot: Format, Fee, and Timing

Before building a study plan, it helps to know exactly what you're walking into. The AZ-500 exam is delivered through Pearson VUE, either at a physical test center or via online proctoring, and costs USD 165 in the United States (pricing is regionalized since November 2024 and shown at checkout - there's no member or non-member discount tier). Microsoft doesn't publish an exact scored question count, but candidates typically see 40 to 60 items across 100 minutes. That works out to roughly two minutes per question on average, though case studies and lab-style tasks will eat more time than a straightforward multiple-choice item.

A passing score is 700 out of 1000. One detail that surprises first-time Microsoft exam-takers: you get split-pane access to official Microsoft Learn documentation during the exam itself. This isn't a substitute for knowing the material, but it does mean you should practice navigating Learn docs quickly rather than memorizing every CLI flag by rote.

Format Reality Check: Expect a mix of multiple-choice questions, scenario-based case studies, and interactive or lab-style items that simulate configuring Azure resources. This isn't a pure recall test - it rewards hands-on familiarity with the Azure portal, CLI, and PowerShell.

For a full breakdown of every fee component and what you're actually paying for, see our dedicated AZ-500 Certification Cost 2026: Complete Pricing Breakdown.

Why the August 2026 Retirement Date Changes Your Plan

This is the single most important scheduling fact in this guide: the AZ-500 exam and its associated certification retire on August 31, 2026. After that date, it will no longer be possible to earn the credential or renew it. If you're reading this in 2026, that means your study timeline isn't just about personal readiness - it's about a hard external deadline.

If Microsoft replaces AZ-500 with a successor exam (as it has done with other role-based certifications), early movers who pass before retirement lock in the credential under the current skills outline, dated January 22, 2026. Waiting too long risks having to start over under a new exam code, new domains, and a new question bank.

Key Takeaway

Treat August 31, 2026 as a firm backstop, not a soft target. Book your test date early enough to leave room for a retake if needed - Pearson VUE scheduling can fill up as the deadline approaches.

The Four Domains and Where Points Actually Live

AZ-500 is organized into four domains, and the weighting tells you exactly where to spend your study hours. Understanding this distribution is more useful than any generic study hack - it's the actual blueprint Microsoft uses to build the exam.

DomainWeightCore Focus
Secure identity and access15-20%Microsoft Entra ID, conditional access, RBAC, PIM
Secure networking20-25%NSGs, Azure Firewall, private endpoints, DDoS protection
Secure compute, storage, and databases20-25%VM security, container/AKS hardening, storage encryption, SQL/database security
Secure Azure using Defender for Cloud and Sentinel30-35%Security posture management, threat protection, SIEM/SOAR workflows

Domain 1: Secure Identity and Access (15-20%)

This domain tests whether you can design and enforce identity controls in Entra ID, not just click through the portal once.

  • Conditional access policy design and troubleshooting
  • Privileged Identity Management (PIM) role activation and approval workflows
  • Custom RBAC role definitions versus built-in roles
  • Managed identities for workload authentication

Domain 2: Secure Networking (20-25%)

Expect scenario questions where you must pick the right network security control for a specific traffic pattern.

  • Network Security Groups vs. Application Security Groups vs. Azure Firewall rules
  • Private endpoints and service endpoints - knowing when each applies
  • Azure Bastion and just-in-time VM access
  • Web Application Firewall policies on Azure Front Door and Application Gateway

Domains 1 and 2 together account for roughly a third to nearly half of the exam depending on how weighting lands within each range, which is why our Domain 1 study guide and Domain 2 study guide go deeper into configuration specifics than a single blog section can cover.

Why Domain 4 Deserves Extra Attention

Domain 4 - Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel - is the largest single domain at 30-35%. That's not a rounding error; it means one out of every three questions you see is likely tied to cloud security posture management, threat protection plans, or SIEM/SOAR operations.

Domain 4: Secure Azure Using Defender for Cloud and Sentinel (30-35%)

Candidates need working knowledge of both the posture management side (Defender for Cloud) and the detection/response side (Sentinel), plus how the two integrate.

  • Secure score improvement actions and regulatory compliance dashboards
  • Defender plans for servers, storage, containers, and databases
  • Sentinel data connectors, analytics rules, and workbooks
  • Automation rules and playbooks for incident response

Because this domain also touches compute, storage, and networking concepts from the other three domains, mastering it reinforces everything else you've studied. If you only have time to deep-dive one area before your test date, our Domain 4 study guide is the highest-leverage place to start.

A Domain-Weighted Study Timeline

Generic study techniques like spaced repetition or timed practice blocks only help if you're applying them to the right material at the right time. Here's a timeline built specifically around AZ-500's domain weights rather than a generic four-week template.

Week 1-2

Domain 4 first - it's the biggest slice

  • Configure Defender for Cloud plans in a sandbox subscription
  • Build and test Sentinel analytics rules and automation playbooks
  • Review regulatory compliance dashboard mechanics
Week 3

Domain 2: Secure networking

  • Practice NSG vs. Firewall rule scenarios
  • Set up private endpoints and Bastion in a test environment
Week 4

Domain 3: Compute, storage, and databases

  • Harden a VM and an AKS cluster
  • Configure storage account encryption and SQL auditing
Week 5

Domain 1: Identity and access

  • Build conditional access policies and test PIM activation flows
  • Compare custom RBAC roles against built-ins
Week 6

Integration and practice exams

  • Run full-length timed practice tests to simulate the 100-minute limit
  • Review weak domains identified from practice scores

Notice this schedule front-loads Domain 4 because it's worth the most points, then works down the weighting scale. For the complete methodology behind this approach, our flagship AZ-500 Study Guide 2026: How to Pass on Your First Attempt walks through resource selection and lab environments in more detail, and the AZ-500 Exam Domains 2026 guide maps every subtopic to its domain.

What the Questions Actually Look Like

AZ-500 mixes several question formats rather than relying on one style throughout:

  • Standard multiple-choice: Single or multi-select questions on discrete facts, like which Defender plan covers a specific resource type.
  • Case studies: A multi-paragraph scenario describing an organization's Azure environment, followed by several questions that reference the same background material.
  • Interactive/lab-style items: Tasks that simulate configuring a resource - for example, ordering NSG rules correctly or selecting the right sequence of PIM approval steps.

Because you have split-pane access to Microsoft Learn during the test, questions are less about memorizing exact syntax and more about understanding architecture and trade-offs - knowing why you'd choose a private endpoint over a service endpoint, not just the command to create one. If you're wondering how this format compares to other associate-level exams, our How Hard Is the AZ-500 Exam? Complete Difficulty Guide 2026 breaks down the difficulty curve, and AZ-500 Pass Rate 2026: What the Data Shows covers what's publicly known about outcomes.

Practice Strategy: Don't just drill flashcards. Spend time in an actual Azure subscription (a free trial or sandbox works) configuring the exact services named in each domain - Defender for Cloud, Sentinel, Entra ID conditional access, NSGs - so the lab-style questions feel familiar rather than foreign.

Who Hires for AZ-500 Skills

The AZ-500 credential targets Azure security engineers who implement security controls, manage identity and access, protect data and networks, and respond to incidents. In practice, this maps to roles like cloud security analyst, security operations center (SOC) engineer, Azure administrator with a security specialization, and cloud infrastructure security consultant. Organizations running production workloads in Azure - especially those in regulated industries needing Defender for Cloud's compliance dashboards or Sentinel's SIEM capabilities - are the most common hirers.

Because the certification doesn't require a formal prerequisite exam, candidates typically arrive with hands-on Azure or hybrid administration experience and strong familiarity with Entra ID, compute, networking, and storage rather than a prior credential. If you're evaluating whether this cert fits your career path, see AZ-500 Jobs for role examples and AZ-500 Salary Guide 2026: Complete Earnings Analysis for how the credential factors into compensation conversations. For a broader cost-benefit view, Is the AZ-500 Certification Worth It? Complete ROI Analysis 2026 weighs the retirement timeline against the investment.

Registration, Renewal, and Keeping It Valid

Registration happens through Pearson VUE at the USD 165 fee level (regionalized pricing applies outside the US, shown at checkout). There are no membership tiers or discount codes built into the standard pricing structure. Once earned, the certification is valid for 12 months and can be renewed free of charge through an online, unproctored assessment on Microsoft Learn, available during the six-month window before expiration.

Given the retirement date, renewal mechanics matter less for anyone earning the cert in the final months before August 31, 2026 - but if you pass earlier and need to renew before that cutoff, plan to complete the Microsoft Learn renewal assessment inside your eligibility window rather than waiting until the last week.

If any of the terminology in this guide is new to you - the exam code itself, what the certification represents, or how it fits into Microsoft's broader role-based framework - our foundational pieces cover that ground: What Is AZ-500?, AZ-500 Meaning, What Does AZ-500 Stand For?, and What Is AZ-500 Certification? all address the basics before you dive into domain-level study.

For structured coursework alongside self-study, review options in AZ-500 Training, and when you're ready to test your readiness under realistic timing conditions, run through practice questions on our AZ-500 practice test platform - it's built to mirror the 100-minute format and domain weighting described above. Consistent scoring above your target on full-length practice runs is one of the more reliable signals that you're ready to book the real exam.

Frequently Asked Questions

How many questions are on the AZ-500 exam?

Microsoft doesn't publish an exact number, but candidates typically encounter 40 to 60 scored and unscored items across the 100-minute session.

What is the passing score for AZ-500?

You need 700 out of 1000 points to pass.

Can I still take the AZ-500 exam after August 2026?

No. The exam and certification retire on August 31, 2026, after which it cannot be earned or renewed.

Which domain should I study first?

Domain 4, Secure Azure Using Defender for Cloud and Microsoft Sentinel, carries the largest weight at 30-35%, so it offers the highest return on study time.

Do I get access to documentation during the exam?

Yes. AZ-500 provides split-pane access to Microsoft Learn documentation during the test, whether taken online or at a Pearson VUE test center.

Ready to pass your AZ-500 exam?

Put this into practice with free AZ-500 questions across every exam domain.