AZ-500 includes identity and access security topics such as configuring Azure AD PIM, configuring and managing Azure Key Vault, and configuring Azure AD for Azure workloads. It also references security considerations for an Azure subscription.
Identity and access is covered as a dedicated module in AZ-500, reflecting how access control is central to cloud security. The module is framed around modern security posture principles, including the idea of assuming breach and using a Zero Trust model, where access must be managed consistently regardless of where requests originate.The program topics listed include configuring Azure AD Privileged Identity Management (PIM). PIM is commonly used to manage privileged roles and reduce standing administrative access by enabling controlled, time-bound elevation. Understanding this capability helps security engineers reduce risk associated with long-lived permissions.The module also includes configuring and managing Azure Key Vault. Key Vault is used for managing secrets, keys, and related sensitive material, which is closely tied to both identity and application security controls. Managing Key Vault correctly is a practical requirement in many environments where credentials and encryption keys must be protected and audited.Another topic listed is configuring Azure AD for Azure workloads. This points to workload identity considerations, where applications and services need secure identity integration for access to resources. Security engineers often need to ensure that workloads follow least privilege and that identity configuration supports secure access patterns.Finally, the module references security for an Azure subscription. Subscription-level security includes governance and access boundaries that define how resources are controlled, and it influences what identity and access configurations are possible and enforceable.In combination, these identity and access topics aim to equip you with the controls needed to manage privileged access, protect secrets and keys, and ensure that both users and workloads authenticate and authorize safely in Azure.
Identity is the control plane for cloud security. If you get privileged access and workload identity wrong, no amount of network segmentation will compensate. AZ-500’s identity module is useful because it includes both human privilege controls and the tooling used to protect secrets and keys.Approach the topics with an audit mindset. Ask what can grant access, how that access is approved, and how you can verify it later. PIM matters because it changes how privilege is held over time. Key Vault matters because many breaches start with exposed secrets, not exposed ports.Also remember that subscription security is a boundary. Permissions and policies at that level shape how identities can interact with resources, and they often determine whether least-privilege designs are enforceable.
“Configure Azure AD PIM and configure and manage Azure Key Vault.”
SC-200 is a four-day course for security professionals responsible for threat detection, investigation, and response. It focuses on using Microsoft Sentinel, Microsoft Defender for Cloud, Microsoft Defender for Endpoint, and Microsoft 365 Defender.
View courseThis training prepares experienced security professionals to design, operate, and govern a cloud security program aligned with ISO/IEC 27017 and ISO/IEC 27018. It addresses the realities of hybrid and multi cloud environments where accountability, data protection, and shared responsibility models.
View courseAZ-104 is a four-day, instructor-led course for IT professionals who operate Microsoft Azure environments. You learn how to manage subscriptions, secure identities with Azure Active Directory, and administer core infrastructure.
View courseSC-300 develops skills in Azure AD identity management, authentication controls, application access, and identity governance.
byGerhard ROTTER
SC-300 covers identity governance through entitlements, access reviews, and privileged access management.
byGerhard ROTTER
AZ-500 covers identifying Azure data protection mechanisms and implementing Azure data encryption methods. The program also includes configuring encryption for data at rest and configuring security for data infrastructure.
AZ-500 includes configuring security services, applying security policies using Azure Security Center, managing security alerts, responding to remediation needs, and creating security baselines. It frames operations as monitoring, logging, auditing, and controlled response.
AZ-500 is for Azure Security Engineers who perform security tasks in Azure environments or plan to take the AZ-500 certification exam. It is also relevant for engineers specializing in securing Azure-based platforms and organizational data.
AZ-500 teaches how to implement Azure security controls, maintain security posture, and identify and remediate vulnerabilities. The scope spans identity and access, platform protection, data and applications, and security operations.
Browse all FAQs →
Full knowledge base
Necessary cookies are always active. You can accept, reject non-essential cookies, or customize your preferences.