- AZ-500 is Microsoft's Azure Security Engineer Associate exam, priced at USD 165 through Pearson VUE.
- The exam has 4 domains; Defender for Cloud and Sentinel alone make up 30-35% of questions.
- You get 100 minutes, roughly 40-60 items, and need 700 out of 1000 to pass.
- The certification and exam retire August 31, 2026 - no new attempts or renewals after that.
What Exactly Is the AZ-500?
AZ-500 is the exam code behind Microsoft's Azure Security Engineer Associate certification. It's a Microsoft Corporation credential, delivered through Pearson VUE, that validates your ability to implement security controls, manage identity and access, protect data and applications, and respond to threats across an Azure environment. If you've searched "what is AZ-500" and landed here expecting a marketing pitch, here's the practical answer instead: it's a scenario-heavy, 100-minute proctored exam that tests whether you can actually secure Azure workloads, not just recite terminology.
Unlike foundational exams that check surface-level awareness, AZ-500 assumes you've already worked hands-on with Azure. Microsoft doesn't publish a fixed scored/unscored question count - expect somewhere between 40 and 60 items, mixing standard multiple-choice with case studies and interactive, lab-style tasks. During the exam you also get split-pane access to Microsoft Learn documentation, which tells you a lot about the exam's philosophy: Microsoft isn't testing memorization, it's testing whether you know where to look and how fast you can apply what you find.
For a broader breakdown of naming, scope, and how this credential fits into the wider Azure certification family, see our companion piece on what AZ-500 actually stands for and the related explainer, "What does AZ-500 stand for?"
Who the AZ-500 Is Built For
Microsoft designed this exam for people who are already doing Azure administration or security work, not for total beginners entering cloud computing. There's no formal prerequisite exam, but the recommended background is explicit: practical experience administering Azure and hybrid environments, plus strong familiarity with Microsoft Entra ID, compute, networking, and storage. If you've never provisioned a virtual network or configured a conditional access policy, this exam will feel abstract fast.
In practice, the people who pursue AZ-500 tend to fall into a few buckets:
- Cloud/Azure administrators moving into a security-focused role or wanting to formalize security skills they've picked up on the job.
- Security analysts transitioning from on-prem or generalist security work into cloud-native tooling like Defender for Cloud and Sentinel.
- DevSecOps and platform engineers responsible for securing CI/CD pipelines, storage accounts, and managed databases in Azure.
- Consultants and MSP staff who need a vendor-recognized credential to bid on Azure security engagements.
If you're weighing whether this fits your career path, our detailed ROI analysis of the AZ-500 certification and the AZ-500 jobs overview both go deeper into hiring patterns and typical role titles than a definitional article like this one can.
Exam Format, Registration, and Fees
Here's what actually happens when you register and sit the exam, stripped of fluff:
- Cost: USD 165 as the standard US price, though pricing has been regionalized since November 2024 - your local price shows at checkout. There are no member or non-member tiers.
- Provider: Pearson VUE, either at a physical test center or via online proctoring from home.
- Length: 100 minutes of exam time.
- Question count: Not fixed by Microsoft, typically 40-60 items across multiple formats.
- Question types: Multiple-choice, multi-select, case studies with multi-part scenarios, and interactive/lab-style tasks that simulate real Azure configuration screens.
- Passing score: 700 out of 1000.
- Reference access: A split-pane window to Microsoft Learn documentation is available during the exam - a detail unique to how Microsoft structures this test.
The interactive items and documentation access are the two features that most catch people off guard if they've only taken traditional multiple-choice certification exams before. You're not just picking an answer from memory - you may need to navigate a simulated portal blade or cross-reference a Learn article mid-question. For a full walkthrough of how these mechanics affect difficulty, read how hard the AZ-500 exam really is, and if budgeting is your main concern right now, the complete AZ-500 pricing breakdown covers retake costs and regional variance in more detail.
Key Takeaway
Budget your prep time around the interactive and case-study formats specifically - reading about Azure security isn't the same as clicking through a simulated policy configuration under time pressure.
The Four Domains You're Actually Tested On
The current skills outline, dated January 22, 2026, organizes AZ-500 into four domains. Their weightings matter enormously for how you should spend your prep time - this isn't an exam where every topic deserves equal attention.
Domain 1: Secure Identity and Access (15-20%)
Covers Microsoft Entra ID configuration, role-based access control, Privileged Identity Management, and conditional access policies.
- Configuring Entra ID roles and custom RBAC definitions
- Implementing PIM for just-in-time privileged access
- Designing conditional access and identity protection policies
Domain 2: Secure Networking (20-25%)
Focuses on network security groups, Azure Firewall, DDoS protection, and securing hybrid connectivity.
- Designing NSG and application security group rules
- Configuring Azure Firewall and Web Application Firewall
- Securing VNets, private endpoints, and hybrid network paths
Domain 3: Secure Compute, Storage, and Databases (20-25%)
Tests your ability to lock down VMs, containers, storage accounts, and Azure SQL/Cosmos DB resources.
- Applying disk encryption and endpoint protection on VMs
- Configuring storage account access policies and SAS tokens
- Securing database authentication and auditing
Domain 4: Secure Azure Using Microsoft Defender for Cloud and Microsoft Sentinel (30-35%)
The largest domain by far - configuring cloud security posture management, threat protection, and SIEM/SOAR workflows.
- Enabling and interpreting Defender for Cloud recommendations
- Building Sentinel analytics rules, workbooks, and automation playbooks
- Responding to alerts and investigating incidents end-to-end
Notice that Domain 4 alone carries nearly as much weight as Domains 1 and 2 combined. That's a deliberate signal from Microsoft: cloud-native detection and response tooling is now central to the Azure security engineer role, not a bonus topic. For a domain-by-domain breakdown with study resources for each area, see our full AZ-500 exam domains guide, or drill into individual domains with the dedicated guides for Domain 1: Secure identity and access, Domain 2: Secure networking, Domain 3: Secure compute, storage, and databases, and Domain 4: Secure Azure using Defender for Cloud and Sentinel.
| Domain | Weight | Core Focus |
|---|---|---|
| Secure identity and access | 15-20% | Entra ID, RBAC, PIM, conditional access |
| Secure networking | 20-25% | NSGs, Azure Firewall, private endpoints |
| Secure compute, storage, and databases | 20-25% | VM/container hardening, storage and DB security |
| Secure Azure using Defender for Cloud and Sentinel | 30-35% | CSPM, threat protection, SIEM/SOAR |
Why the August 2026 Retirement Date Matters
This is the single most important operational fact for anyone researching AZ-500 right now: this exam and certification retire on August 31, 2026. After that date, you cannot sit the exam to earn it, and you cannot renew it. If you're currently holding the credential or planning to pursue it, that deadline should directly shape your timeline.
Two practical implications follow from this:
- If you want to earn AZ-500 as your credential of record, you need to schedule and pass it well before the August 2026 cutoff - leave buffer time for a possible retake.
- If you already hold it, remember certifications are valid for 12 months and renew free through an unproctored assessment on Microsoft Learn, available during the six-month window before expiry - but that renewal path also disappears once the exam retires.
A Domain-Aware Way to Schedule Your Prep
Generic study advice - flashcards, spaced repetition, timed drills - only helps if it's mapped to what AZ-500 actually weights. Given that Domain 4 (Defender for Cloud and Sentinel) makes up nearly a third of the exam, it deserves proportionally more calendar time than a topic like identity, even though identity is foundational and should come first conceptually.
Secure Identity and Access
- Build and test Entra ID RBAC assignments in a sandbox tenant
- Configure PIM roles and conditional access policies hands-on
Secure Networking
- Practice NSG and ASG rule design against real traffic scenarios
- Deploy Azure Firewall and WAF policies in a test VNet
Secure Compute, Storage, and Databases
- Encrypt disks, configure storage SAS tokens, and lock down SQL auth
- Review container and Kubernetes security baselines
Defender for Cloud and Sentinel (heaviest weight)
- Enable Defender plans and work through secure score recommendations
- Build Sentinel analytics rules, playbooks, and run mock investigations
- Practice case-study style questions combining multiple domains
Notice the last block gets three weeks instead of two - that's a direct reflection of the 30-35% weighting, not an arbitrary study template. For a more complete week-by-week plan with resource recommendations and practice exam strategy, see our full AZ-500 study guide for 2026.
What Happens After You Pass
Passing gets you the Microsoft Certified: Azure Security Engineer Associate badge, valid for 12 months. Renewal is free and happens through an unproctored assessment on Microsoft Learn, but only within the six-month window before your certification expires - mark that window on a calendar so you don't let it lapse.
Beyond the credential itself, most candidates use AZ-500 as a signal in job applications, internal promotion conversations, or client-facing consulting proposals. It's worth reviewing what the certification typically opens up before you invest the study hours - our AZ-500 salary guide and AZ-500 pass rate breakdown both use only verified, publicly available data rather than invented figures, which is a good habit to carry into your own research on this exam too.
If you're still deciding whether to commit, working through timed AZ-500 practice tests before you register is one of the fastest ways to gauge your baseline against the real exam's case-study and interactive question formats. Many candidates also use practice exams as a diagnostic tool to figure out which of the four domains needs the most attention before locking in a Pearson VUE date. Once you've mapped your weak spots, a second pass through full-length practice tests closer to your exam date helps confirm you're consistently clearing the 700/1000 threshold under realistic time pressure.
Frequently Asked Questions
No. It's an Associate-level exam that assumes practical Azure and hybrid administration experience along with familiarity with Entra ID, compute, networking, and storage. There's no required prerequisite exam, but jumping in without hands-on Azure experience is not recommended.
Microsoft does not publish a fixed scored/unscored count. Expect roughly 40 to 60 items across multiple-choice, case studies, and interactive lab-style formats within the 100-minute time limit.
No. The exam and certification retire on August 31, 2026. After that date it cannot be earned or renewed, so any registration or renewal plans need to happen before then.
Securing Azure using Microsoft Defender for Cloud and Microsoft Sentinel, weighted at 30-35% of the exam - larger than any other single domain.
The standard US price is USD 165 through Pearson VUE. Pricing has been regionalized since November 2024, so your exact fee is shown at checkout based on your location.