AZ-500 logo
Focused certification exam prep
Start practice

What Is AZ-500?

TL;DR
  • AZ-500 is Microsoft's Azure Security Engineer Associate exam, priced at USD 165 with regionalized pricing at checkout.
  • The exam runs 100 minutes with roughly 40-60 questions, including case studies and lab-style items.
  • Domain 4 (Defender for Cloud and Sentinel) carries the heaviest weight at 30-35% of the exam.
  • Passing requires a score of 700 out of 1000; certification lasts 12 months with free renewal.

AZ-500 Overview: What This Certification Actually Tests

AZ-500 is the exam code behind Microsoft Certified: Azure Security Engineer Associate, a role-based credential from Microsoft Corporation that validates hands-on ability to implement security controls, manage identity and access, and protect data, applications, and networks inside Microsoft Azure. Unlike foundational certifications that test broad awareness, AZ-500 assumes you already work with Azure and hybrid environments regularly and can execute specific security tasks under time pressure.

The credential is built around four scored domains, each mapping to a distinct slice of an Azure security engineer's daily responsibilities: identity and access, networking, compute/storage/databases, and the security operations layer built on Microsoft Defender for Cloud and Microsoft Sentinel. If you want a full breakdown of what each of these domains covers in practice, the AZ-500 Exam Domains 2026: Complete Guide to All 4 Content Areas walks through every subtopic in detail.

For readers who landed here after searching variations of the same question, related explainers like AZ-500 Meaning, What Does AZ-500 Stand For?, and What Is A AZ-500? cover the naming and background from slightly different angles if you need more context.

Quick Definition: AZ-500 is not a general cloud certification - it's a security-specific credential. Microsoft expects candidates to already hold Azure administration experience and strong familiarity with Microsoft Entra ID, compute, networking, and storage before attempting it. There is no formal prerequisite exam, but there is a real practical bar.

Exam Format, Registration, and Fees

The exam is delivered through Pearson VUE, either at a physical test center or as an online proctored exam from home or office. You get 100 minutes to work through the exam content, and Microsoft does not publish a fixed scored/unscored question count - expect somewhere in the 40-60 item range, mixing standard multiple-choice questions with case studies and interactive, lab-style tasks that simulate configuring real Azure resources.

One detail that surprises first-time Microsoft exam takers: during the exam you get split-pane access to Microsoft Learn documentation. This isn't an open-book free-for-all - you still need to know where features live and how they interact - but it does mean the exam rewards conceptual understanding and navigation speed over rote memorization of exact syntax.

  • Standard fee: USD 165, with regionalized pricing shown at checkout since November 2024 (no member/non-member tiers)
  • Passing score: 700 out of 1000
  • Delivery: Online proctored or test center via Pearson VUE
  • Prerequisites: None formal, but strong Azure admin experience is recommended

For a line-by-line breakdown of what you're actually paying for - including retakes, training costs, and renewal - see AZ-500 Certification Cost 2026: Complete Pricing Breakdown.

Key Takeaway

Because the question count isn't fixed and case studies can consume more time per item than single multiple-choice questions, pacing matters. Budget roughly 1.5-2 minutes per item on average and flag lab-style tasks to revisit if time allows.

The Four AZ-500 Domains Explained

Microsoft organizes the current skills outline (dated January 22, 2026) into four weighted domains. Understanding the weighting is essential for allocating study time - it's the single biggest lever you control before exam day.

Domain 1: Secure Identity and Access (15-20%)

Covers Microsoft Entra ID configuration, role-based access control, conditional access policies, and identity governance.

  • Configuring Entra ID roles, groups, and hybrid identity
  • Implementing Privileged Identity Management and conditional access

Domain 2: Secure Networking (20-25%)

Focuses on network security groups, Azure Firewall, private endpoints, and securing hybrid connectivity.

  • Designing NSG and Application Security Group rules
  • Configuring Azure Firewall, Bastion, and DDoS protection

Domain 3: Secure Compute, Storage, and Databases (20-25%)

Tests securing virtual machines, containers, storage accounts, and Azure SQL/Cosmos DB resources.

  • Configuring VM endpoint protection and disk encryption
  • Managing storage account access keys, SAS tokens, and database auditing

Domain 4: Secure Azure Using Microsoft Defender for Cloud and Microsoft Sentinel (30-35%)

The largest and most heavily weighted domain, covering security posture management, threat detection, and SIEM/SOAR workflows.

  • Configuring Defender for Cloud plans and secure score recommendations
  • Building Sentinel analytics rules, workbooks, and automated playbooks

Each domain has its own dedicated deep-dive on this site if you want granular study material: Domain 1: Secure Identity and Access, Domain 2: Secure Networking, Domain 3: Secure Compute, Storage, and Databases, and Domain 4: Secure Azure Using Microsoft Defender for Cloud and Microsoft Sentinel.

DomainWeightCore Focus
Secure identity and access15-20%Entra ID, RBAC, conditional access
Secure networking20-25%NSGs, Firewall, private endpoints
Secure compute, storage, databases20-25%VM/container/storage/database security
Defender for Cloud & Sentinel30-35%Posture management, detection, SIEM

Who Hires for AZ-500 Skills

AZ-500 is aimed squarely at security engineers who work day-to-day inside Azure tenants - implementing controls, monitoring for threats, and hardening infrastructure. Organizations running production workloads on Azure, especially those in regulated industries, look for this credential when hiring or promoting into roles such as cloud security engineer, security operations analyst, Azure administrator with security responsibilities, and identity/access management specialist.

Because Domain 4 is weighted so heavily toward Defender for Cloud and Sentinel, the certification signals more than basic configuration knowledge - it signals familiarity with detection engineering and security operations workflows that map directly to SOC and cloud security team responsibilities. If you're evaluating where this fits into a career path, AZ-500 Jobs covers typical role titles and responsibilities, while AZ-500 Salary Guide 2026: Complete Earnings Analysis and Is the AZ-500 Certification Worth It? Complete ROI Analysis 2026 dig into whether the investment pays off for your specific situation.

Practical Note: Because the exam expects real Entra ID, networking, and storage experience rather than textbook knowledge alone, candidates who've spent time actually configuring these services in an Azure subscription - even a free trial tenant - tend to find the lab-style questions far more approachable.

The August 2026 Retirement Date

This is the most time-sensitive fact about AZ-500 right now: both the exam and the associated certification retire on August 31, 2026. After that date, it will no longer be possible to earn or renew this specific credential. Microsoft typically replaces retiring role-based exams with updated versions reflecting current product surfaces, but until a successor is announced, anyone planning to earn Azure Security Engineer Associate needs to sit AZ-500 before the retirement window closes.

This deadline affects study planning in a concrete way - it compresses the timeline for anyone still building the prerequisite Azure security experience the exam assumes. If you're weighing how much runway you actually have, How Hard Is the AZ-500 Exam? Complete Difficulty Guide 2026 and AZ-500 Pass Rate 2026: What the Data Shows are useful companion reads for setting realistic expectations before you register.

Key Takeaway

Don't wait until mid-2026 to start. Registration slots and study time both get tighter as the retirement date approaches, and there's no guarantee a direct replacement exam will be available immediately after August 31, 2026.

A Domain-Aware Approach to Preparation

Generic study advice - spaced repetition, timed practice blocks, active recall - works fine as a mechanism, but it only pays off when it's pointed at the right material in the right order. For AZ-500, that means weighting your study calendar to match domain weighting rather than splitting time evenly across all four areas.

Week 1

Identity and Networking Foundations

  • Configure Entra ID roles, conditional access, and PIM in a test tenant
  • Build out NSGs, Azure Firewall rules, and private endpoints
Week 2

Compute, Storage, and Database Controls

  • Practice VM disk encryption and endpoint protection settings
  • Work through storage account access controls and SQL auditing
Week 3-4

Defender for Cloud and Sentinel (Highest Weight)

  • Configure Defender plans and review secure score recommendations
  • Build Sentinel analytics rules, hunting queries, and playbooks

Notice that the heaviest block of time lands on Domain 4, matching its 30-35% weighting - the single largest domain on the exam. For a more complete week-by-week plan, including practice exam scheduling and review cycles, see the AZ-500 Study Guide 2026: How to Pass on Your First Attempt. Running full-length timed simulations on our practice test platform before exam day is also one of the fastest ways to identify which domain still needs work, since the interactive and case-study question formats used on our AZ-500 practice tests mirror the real exam's structure.

Maintaining the Certification

Once earned, Microsoft Certified: Azure Security Engineer Associate is valid for 12 months. Renewal is free and happens through an online, unproctored assessment on Microsoft Learn, available during the six-month window before your certification expires. This keeps the credential current without requiring a full retake of the proctored exam - but remember, this renewal path only exists as long as the certification itself is active, which per Microsoft's schedule ends August 31, 2026.

If you're comparing this credential against the broader certification landscape or just want the plain-language basics again, AZ-500 Certification and What Is AZ-500 Certification? both offer additional framing, and What Does AZ-500 Mean? covers the naming convention Microsoft uses across its Azure exam codes.

Training Resources: Beyond hands-on Azure practice, structured resources matter. The AZ-500 Training guide outlines official Microsoft Learn paths alongside third-party options worth considering before you schedule your exam.

Frequently Asked Questions

What does AZ-500 stand for?

AZ-500 is Microsoft's exam code for Microsoft Certified: Azure Security Engineer Associate. "AZ" denotes the Azure exam series, and "500" is the specific numeric identifier within that series.

How much does the AZ-500 exam cost?

The standard fee is USD 165, though pricing has been regionalized since November 2024 and the exact amount is shown at checkout based on your location. There are no member or non-member pricing tiers.

How long is the AZ-500 exam and how many questions does it have?

You get 100 minutes to complete the exam. Microsoft does not publish an exact question count, but candidates typically see 40-60 items, including multiple-choice questions, case studies, and interactive lab-style tasks.

Is AZ-500 being retired?

Yes. Both the AZ-500 exam and the associated certification retire on August 31, 2026. After that date it can no longer be earned or renewed, so candidates need to plan their attempt before the deadline.

What is the largest domain on the AZ-500 exam?

Securing Azure using Microsoft Defender for Cloud and Microsoft Sentinel is the largest domain, weighted at 30-35% of the exam, covering security posture management and SIEM/SOAR-style detection workflows.

AZ-500 remains one of the more practical, hands-on-focused certifications Microsoft offers, and its heavy weighting toward Defender for Cloud and Sentinel reflects where real-world Azure security work is heading. With the August 31, 2026 retirement date on the horizon, the practical next step is deciding your timeline and starting domain-by-domain preparation now rather than later.

Ready to pass your AZ-500 exam?

Put this into practice with free AZ-500 questions across every exam domain.