AzureCalc.uk uses Google AdSense for ads. No tracking cookies are used by AzureCalc.uk itself. Your saved estimates are stored anonymously.

Privacy Policy

Prices from Azure Retail Prices API · UK South · GBP · Not affiliated with Microsoft

arrow_backBack to calculators

AZ-500 Study Guide UK 2026 — Microsoft Azure Security Engineer

Complete AZ-500 study guide for UK engineers. Exam structure, all topic domains, free and paid resources. Note: AZ-500 retires August 2026 — consider SC-200 as the successor. Updated March 2026.

Prices last verified: March 2026

workspace_premium

Exam Details

AZ-500

Exam nameMicrosoft Azure Security Engineer
Passing score700 / 1000
Exam cost£165
Retires31 August 2026

Skills measured

  • Manage identity and access (20–25%)
  • Secure networking (25–30%)
  • Secure compute, storage, and databases (15–20%)
  • Manage security operations (30–35%)
school

Recommended study resources

ADPluralsightMost Comprehensive

AZ-500 Microsoft Azure Security Technologies

From £29/month

View courseopen_in_new

AD: We earn a commission on qualifying purchases at no extra cost to you.

warning

AZ-500 retires on 31 August 2026

Microsoft has announced this exam will be retired. If you are planning to sit AZ-500, book your exam before August 2026. Certifications earned before retirement remain valid for two years from the date you pass.

After retirement, consider SC-200 (Security Operations Analyst) as the nearest successor for security roles — it has no announced retirement date and covers Microsoft Sentinel and Defender XDR in depth.

What is AZ-500?

The AZ-500 — Microsoft Azure Security Engineer Associate — validates your ability to implement and manage security controls across Azure infrastructure. This includes securing identities with Microsoft Entra ID, hardening Azure networks with firewalls and private endpoints, encrypting compute and storage resources, and operating security tooling like Microsoft Defender for Cloud and Azure Sentinel. It is a role-based certification aimed at cloud security engineers, security architects, and Azure administrators moving into security-focused roles.

The key distinction between AZ-500 and SC-200 is the direction of the work. AZ-500 is about building the secure environment — implementing Conditional Access, configuring Key Vault, deploying Azure Firewall, designing RBAC. SC-200 is about operating within that environment — detecting threats, investigating incidents, responding to alerts in Microsoft Sentinel. Most mature security teams need both skill sets; many engineers hold both certifications. If you are choosing between them, your current day-to-day role is the best guide.

AZ-104 (Azure Administrator) is strongly recommended as a prerequisite — AZ-500 assumes familiarity with Azure resource management, networking fundamentals, and identity concepts at an administrator level. The exam contains 40–60 questions across multiple formats, including multiple choice, case studies, and performance-based lab tasks in a live Azure environment. Passing score is 700 out of 1000, and the exam costs £165 via Pearson VUE.

Exam Topic Breakdown

AZ-500 covers four domains. Weightings are from Microsoft's official study guide and are approximate — your exam may vary within these ranges.

Domain 1: Manage identity and access

20–25%
  • Microsoft Entra ID (formerly Azure AD) — users, groups, roles
  • Managed identities and service principals for Azure resources
  • Conditional Access policies — MFA, device compliance, named locations
  • Privileged Identity Management (PIM) — just-in-time access, approval workflows
  • External identities and B2B collaboration settings

Domain 2: Secure networking

25–30%
  • Azure Firewall and Firewall Manager — DNAT, application, and network rules
  • Network Security Groups (NSGs) and Application Security Groups (ASGs)
  • Azure DDoS Protection — Standard plan, mitigation policies
  • Private endpoints and service endpoints — locking down PaaS services
  • VPN Gateway and ExpressRoute security configurations
  • Azure Bastion — secure RDP/SSH without public IP exposure

Domain 3: Secure compute, storage, and databases

15–20%
  • VM security — just-in-time VM access, endpoint protection, disk encryption
  • Container and AKS security — pod identity, network policies, image scanning
  • Azure Key Vault — secrets, certificates, key management, access policies
  • Storage account security — SAS tokens, access keys, customer-managed keys
  • Database security — SQL auditing, Always Encrypted, row-level security

Domain 4: Manage security operations

30–35%
  • Microsoft Defender for Cloud — CSPM, Secure Score, workload protection
  • Log Analytics and Azure Monitor — workspace configuration, diagnostics
  • Microsoft Sentinel basics — workspace setup, data connectors, simple analytics rules
  • Security policies and initiatives — Azure Policy, regulatory compliance
  • Vulnerability assessment — Defender for Servers integration, recommendations
info

Domain 4 overlaps significantly with SC-200 content. Engineers preparing for both certifications will find substantial shared material here.

UK Context

AZ-500 is well-regarded in the UK job market for senior cloud security roles. Typical salary ranges for UK engineers holding AZ-500 are £55,000–£85,000, with security architects and lead engineers in London-based financial services firms regularly exceeding £90,000. The certification has strong recognition in UK financial services, defence, and central government — sectors that have adopted Azure heavily and face significant regulatory pressure to demonstrate cloud security competence.

In UK government and defence, the Defence Cyber Protection Partnership (DCPP) requires suppliers to demonstrate appropriate cyber security standards, and holding recognised cloud security certifications strengthens this case. Many UK organisations pursuing Cyber Essentials Plus or ISO 27001 certification also require their cloud security staff to hold formal credentials — AZ-500 is commonly listed alongside CISSP and CISM in UK job specifications for these roles.

Practical information for UK candidates

Book via Pearson VUE at pearsonvue.com/microsoft — online proctored or in-person
Test centres in London, Manchester, Birmingham, Edinburgh, and Bristol
Exam is English-only — no Welsh language option currently available
Most UK employers will fund AZ-500 as continuing professional development (CPD)
Microsoft Exam Replay offers a discounted retake voucher purchasable at booking time
Reschedule free up to 6 business days before — cancellation within 6 days forfeits the fee

AZ-500 vs SC-200 — Which First?

These two certifications cover adjacent but distinct skill sets, and the right choice depends on your current role and career direction.

Choose AZ-500 if

  • You build and secure Azure infrastructure (security engineer role)
  • You already hold AZ-104 or work as an Azure administrator
  • You work in cloud architecture or DevSecOps
  • Your organisation needs someone to design and implement security controls
  • You need this cert before the August 2026 retirement date

Choose SC-200 if

  • You work in a SOC or threat hunting role
  • You use Microsoft Sentinel or Defender XDR daily
  • You are a security analyst rather than a security engineer
  • You want a certification with no announced retirement date
  • You are starting from scratch in Azure security
schedule

Retirement consideration

AZ-500 retires August 2026. SC-200 has no announced retirement date. For a long-term career investment, SC-200 is currently the stronger standalone choice. Many security engineers hold both — AZ-500 for the architecture and implementation depth, SC-200 for the operational and detection coverage.

Free Study Resources

Microsoft provides strong free coverage for AZ-500 through Microsoft Learn. The main gap — as with all Microsoft certification free resources — is the lack of realistic practice exam questions and structured feedback on weak areas.

Official AZ-500 learning path on Microsoft Learnopen_in_new

Covers all four exam domains with modules, knowledge checks, and sandbox labs. Start here.

AZ-500 study guide (official PDF from Microsoft)open_in_new

Official list of every exam objective with links to corresponding Learn modules. Use as a revision checklist.

Azure security documentationopen_in_new

Deep reference documentation for Azure security features — Key Vault, Defender for Cloud, network security.

Azure security baseline documentationopen_in_new

Microsoft Cloud Security Benchmark — covers security controls across all Azure services. Directly relevant to Domain 4.

John Savill's AZ-500 YouTube seriesopen_in_new

Widely regarded as the best free Azure certification resource. John Savill's AZ-500 coverage is comprehensive and explains the reasoning behind each security control.

Recommended Study Plan

The following 8-week plan assumes part-time study of 1–2 hours per day. AZ-500 requires more hands-on lab time than most Azure certifications — factor in time to work in a live Azure environment, not just watch videos.

Weeks 1–2

Identity and Access (Domain 1)

  • Complete Microsoft Entra ID modules on Microsoft Learn
  • Practice PIM configuration — create eligible assignments, configure approval workflows
  • Build Conditional Access policies in a trial tenant — block legacy auth, require MFA
  • Understand the difference between RBAC, Azure AD roles, and PIM-managed roles
Weeks 3–4

Secure Networking (Domain 2)

  • Deploy Azure Firewall in a hub-spoke topology in your lab subscription
  • Configure NSG flow logs and review traffic in Network Watcher
  • Create private endpoints for a Storage Account and SQL Database
  • Understand the difference between service endpoints and private endpoints — commonly tested
  • Deploy Azure Bastion and test RDP access without a public IP
Week 5

Compute, Storage, and Databases (Domain 3)

  • Create an Azure Key Vault, add secrets and certificates, configure access policies
  • Practice storage SAS token types — account SAS vs service SAS vs stored access policy
  • Enable disk encryption with customer-managed keys (CMK) on a VM
  • Configure just-in-time VM access in Defender for Cloud
Weeks 6–7

Security Operations (Domain 4)

  • Work through Defender for Cloud CSPM — review Secure Score and recommendations
  • Configure a Log Analytics workspace and connect Azure diagnostics
  • Set up a basic Sentinel workspace — add data connectors, create a scheduled analytics rule
  • This domain overlaps with SC-200 — if you plan to sit both, this is your shared study area
  • Review Azure Policy — create a custom policy definition and assign at subscription scope
Week 8

Practice exams and lab tasks

  • Take a full MeasureUp practice test under timed conditions
  • Identify and review every incorrect answer before re-testing
  • Practice specific lab task types: configure PIM, deploy Key Vault, create custom RBAC roles
  • Review Microsoft Learn modules for your two lowest-scoring domains
  • Book the exam when consistently scoring 75%+ on practice tests

Exam Labs Warning

science

AZ-500 includes performance-based lab tasks

Unlike AZ-900 and SC-200, AZ-500 includes hands-on performance-based tasks in a live Azure environment. You cannot prepare for these with multiple-choice practice tests alone — you must have real hands-on experience in Azure before exam day.

Lab tasks in AZ-500 exams typically involve completing a real Azure configuration in a sandboxed subscription. Common tasks include: configuring Privileged Identity Management role assignments, deploying an Azure Key Vault and assigning access policies, setting up a Conditional Access policy, creating a custom RBAC role definition, and enabling Defender for Cloud on a subscription. You are given a set of instructions and must complete the tasks in the live portal — there are no multiple- choice options.

How to prepare for the labs

Set up a free Azure trial subscription (30-day trial, or Visual Studio subscription if you have one)
Complete all Microsoft Learn sandbox exercises — do not just read the instructions
Practice each common lab task type until you can complete it from memory without documentation
Time yourself — lab tasks have a shared time budget with the rest of the exam
Know both the Azure portal interface and Azure CLI/PowerShell approaches — the lab may not specify which
Common lab task list: PIM role assignment, Key Vault creation, Conditional Access policy, custom RBAC role, DDoS protection plan, storage account network rules
ADMeasureUpOfficial Microsoft Partner

AZ-500 Official Practice Test

From £99

View courseopen_in_new

AD: We earn a commission on qualifying purchases at no extra cost to you.

Related calculators

calculateLog Analytics & Sentinel Calculator