Considering becoming a Microsoft Security Specialist, then Az-500 is the certification for you. But if azure cloud security is not your fulltime job, then the exam can be a little challenging (and even if it is, it is probably still challenging as it covers a wide range of disciplines).
I have taken many Microsoft certifications over the years and was asked (October 2021) to take the Az-500 security exam as part of maintaining our Microsoft partner status. I have a pretty deep understanding of Azure in general and normally don’t have any issues passing developer focused exams, but this one was a bit tricky. The main thing that threw me of if how many of the questions that are of the type read and comprehend a scenario and answer multiple questions about the scenario – this type of questions is not limited to the case sections of the exams there is also many of them in the section for the normal questions. When a large percentage of the questions are of this type, you end up having to answer what I would guess is closer to 150 questions, which makes it a quite draining exam and one that takes quite a while to complete. It doesn’t help that many of the questions is what I would consider pay attention to detail questions, e.g., a question contains information about multiple VMs and their IP addresses their NIC assignments and their relation to Network Security Groups and their rules and then you get four questions of whether machine X can talk to machine Y over protocol Z. If you e.g., misread an IP or NSG rule list, then you will not get full points for this type of question.
But enough rambling about the format lets run through the topics that you need to nail to have an easier time passing:
Virtual Networks and Subnets
A lot of question involves virtual network and virtual machines so you really need to understand networking in azure. How the default routing works and understand CIDR notation. I have passed both Az104 and Az303 before, if you have done the same then this part of the exam is basically a rerun of the same questions.
Network security groups and Application Security Groups
You need to know how NSGs work, but also Application security group, so that you can determine if two machines can communicate.
The Azure firewall comes up quite a few times in the exam, you need to know what it can do and what it can’t and when you have to use e.g. Application Gateway or Frontdoor instead. Getting a good grasp of the feature difference between those products and you will be good.
Azure AD Applications
If you are a cloud developer, you have probably made many Azure AD applications, if not, I urge you to spend time on practicing how that works, because it will make many of the questions in that area quite easy. Also understand what features you get from enterprise applications will secure you some easy points.
Many questions revolve around managed identity – if you are not familiar with how to use those in relation to VMs or App service and KeyVault, then I would practice that before the exam.
Azure Security Policies
You should study Azure Security policies especially how to deploy them and their json definition language.
Azure Security Center / Azure Defender
These are Microsoft offerings that you are probably very familiar with if you are working with security – if you like me are developer oriented it is good idea to read up on (this was one area where I could have scored more points).
I was quite surprised with the number of questions about Key Vault, but I guess it makes sense to promote it, since it is a cornerstone of Azure cloud security. Beside many questions around day to day use of key vault (e.g. what permissions you can grant using RBAC and which you can only grant using Key vault policies) there was also a big focus on backup and restore of keyvault.
Multi factor authentication and conditional access
One of Microsoft key features for cloud security is MFA and conditional access, so no surprise that they test your knowledge in that area. You should know how to configure it and what consequences different configurations have for the end users.
Azure AD groups and permissions and AD Connect
Luckily the exam is very focused on cloud only security there are very few questions about hybrid scenarios, the ones that are, are about SSO and how AD connect works, but if this area isn’t interesting to you, you can easily pass the exam without studying that in-depth. However, you should have a good understanding of Azure AD Security Groups Microsoft 365 Groups what they offer in terms of features and how dynamic group membership works.
Privileged identity management and Just in time access
Another feature Microsoft likes to promote, so of course there’s questions about how it works, but since the features are pretty simple, the questions never really get too difficult.
That’s it, if you study the above topics or maybe just 8 out of 10 of them then you should be in for a good experience when you take the exam. Good luck!