The Azure Certified Security Engineer Certification Logo

After much procrastination and delay, I finally got around to sitting (and passing!) my AZ-500 exam this last week. Having posted previously on my experiences with the MS equivalent (MS-500), I thought I’d repeat the process for AZ-500. To anyone preparing for, or considering taking AZ-500, I hope you find this brief overview useful…

For those unfamiliar, AZ-500 is the exam focussed on the security aspects of the Azure platform. This goes beyond the Microsoft 365 elements covered in MS-500, looking instead at the infrastructure and platform aligned tools that can help you to improve your security posture when leveraging Azure. A full summary of the skills measured can be found on the exam page. By way of an overview though, the following key areas are measured:

  • Managing Identity & Access (20%-25%)
  • Implementing Platform Protection (35%-40%)
  • Managing Security Operations (15%-20%)
  • Securing Data & Applications (30%-35%)

I’d been considering this exam for some time, it’s a logical follow-on from MS-500. For various reasons though I’d put it off, and put it off… until finally I figured I’d just get on and book it to give me a deadline to work to 🙂 The impetus to finally get on with it was two-fold. One, having exam passes in both AZ-500 and MS-500 is a pre-requisite to the new(ish) Microsoft Security competency. Two, I plan to spend some considerable time over the coming few months working on some security-centric activity. These things, coupled with some time over the Christmas period ended up being the catalyst I needed. With hindsight, I wonder what took me so long!

So how was it, and what are the key things you need to know to help you prepare for the AZ-500 Exam?

Some initial repetition here with my MS-500 post: If you’re here for the inside scoop / gossip in the form of exam content, you’ve come to the wrong place. That’s not my style, and I’d suggest you have a read of this link 😉

What follows are some pointers based on my experience, and some useful content that will help you on your way…

Know your content. Some more needless repetition, but every bit as valid. You absolutely need to have real world experience on the topics covered in this exam. Know your way around the Azure portal, have a sense of the various services that are available, and understand how they interact with one another. This exam in particular goes well beyond the “how does this work” style of some others. You need to be familiar with concepts and principles as much as the mechanics of how things are configured.

Be prepared for Labs. This exam isn’t all about Q&A, there’s a lab based element too (sorry, “Performance Testing” element 🙂). You will need to put into practice the things you are expected to know. I only had a single lab, but it was wide-ranging - covering Storage, Key Vault, IAM, Monitor, Azure Security Center, and a number of other elements.

Read the Microsoft Azure Cloud Adoption Framework (CAF), notably the strategy, plan, and govern sections. This document lays out the recommendations Microsoft want you to be aware of when it comes to Azure planning and adoption. You’ll also discover best practice references which will help you to narrow down your responses to some of the questions.

Don’t rely on your own understanding, read / learn more widely. Microsoft Docs is a resource which has come on leaps and bounds since the days of TechNet. Detailed how-to guides, in addition to deep-dives on specific features and services are available in abundance. Focus in on the areas you feel weak on, and take advantage of some of the guides others have put together which collate useful links for learning. I found the following particularly useful in my preparation:

Have the right learning foundations in place. If you haven’t already, I’d suggest you take AZ-103 before you sit this exam. Much of the AZ-300 / AZ-301 content is also relevant, specifically design principles around governance which extend naturally into the security considerations AZ-500 focuses on.

Performance Testing Gripes…

It wasn’t all plain sailing for me, and whilst I typically refrain from negativity in these posts, this feels worthy of a mention. When it came to my lab section (I had just one, with ~12 tasks from memory), I encountered a couple of issues that totally threw me for 5-10 minutes. In the grand scheme of things it made no difference, but had I been tight for time or close to passing I’d have been more than a bit annoyed. I know I’m not alone on this - colleagues have experienced similar - but to anyone at Microsoft reading this, the labs have to be solid and reliable if they are to continue to increase in their importance within exams.

For the record, I think Performance Testing is a good thing. It minimises the use of cheat-sheets / dumps (which have become so prevalent). It also better assesses candidates understanding of the things they should know… That said, every experience I’ve had has been poor. Labs crashing, poorly worded tasks, or insufficient access to complete tasks.

I won’t give specifics away, but there were two activities I had to skip. One due to a lack of permissions within the environment. The other down to a badly worded question which didn’t match the lab environment I had access to. Neither was a disaster in my case, but annoying none the less to know I could have scored better than I did…

In Summary…

As is typically the case with these more focussed exams, much of the content is niche in nature. A significant portion of the content is probably only relevant to a subset of customers I deal with. Notwithstanding, it never ceases to amaze me just how vast and comprehensive the Azure portfolio is. Would I recommend you take it? If Infrastructure Security is your thing, or an area of interest - absolutely.

For those interested, I secured a fairly respectable score of 823. Not a scrape, but by no means an ace. I couldn’t possibly admit to forgetting about having booked it for the day I did… fortunately I didn’t need the excuse! I enjoyed this exam. It gave me an opportunity to cement my understanding of some specific services. It also opened my eyes to some new services I’d previously glossed over.

To those who have stumbled here looking to take AZ-500, good luck! I hope at least some of this has proven useful in your search for information! ?