Passing the Microsoft Azure Security Technologies (AZ-500) Exam

Azure Security Engineer

Last month I wrote and passed the Microsoft Azure Security Technologies exam, which makes me an Azure Security Engineer Associate. I’d been meaning to do this for a while now, so it feels great to check it off the list. I figured I’d write up a few notes for those thinking of taking the exam, or those already studying for it. I’ll tell you what I did, followed by some general points and recommendations around the exam experience and how to prepare.


I came to the exam as an architect and strategist and not an administrator, which put me at a disadvantage even though I had a good level of Azure knowledge. Several posts I read about the exam suggested doing the Azure fundamentals or administrator exam first because AZ-500 is very broad but also tests many hands-on aspects (even down to specific PowerShell commands and JSON file contents). You don’t have to do these beforehand (and I didn’t), but you will be in a better position if you have. You might consider doing one of these fundamental exams if you are completely new to Azure.

What I Did

This may or may not work for you, but I always find it helpful to see hear about others’ experiences. If you have a background similar to mine and are doing this in your spare time, then this could be a good starting point.

  1. Read some posts and study guides about the exam, including:
  2. Went through the Microsoft AZ-500 Certification: Azure Security Technologies course on Udemy. I found I could watch most of it on 1.5 or 2x speed. I probably spent 2-3 hours a week on this over 1-2 months. The course has good structure and coverage but I’d say it does not always go into enough detail, so in certain areas I delved into the official Microsoft Azure documentation.
  3. Wrote 2/3 practice exams a week for the next month.

Some Pointers

A few general points about the exam and how to prepare:

  • Do a practice exam, especially if you aren’t familiar with Microsoft exams. There is a lot to be gained by just understanding the exam format and conventions, and how questions are structured and worded.
  • Use Anki (or similar tool) for spaced repetition of key facts. If I found a tough topic or question I would add it to a “deck”, which made review easy and efficient.
  • The exam is a bit of a blur, but I found the coverage was quite broad and couldn’t say there were a ton of questions on X, or absolutely none on Y. No big surprises and it seemed to follow the published list of exam topics.
  • Be prepared for a live lab. I had one in my exam, although I wasn’t sure I would get one since I had read posts talking about having and not having a live lab.
  • Save a good amount of time (perhaps an hour) for the live lab. You have 210 minutes to write the exam (which is pretty generous, given it is 40-60 questions) but I was surprised by how long it took me to do the 10 live lab questions.
  • Clarify if/how you can take notes during the exam. I wrote my exam in a test centre and they gave me dry-erase markers and a laminated sheet. You cannot bring anything to the exam.
  • Do some hands-on setup as you study. Set up your own Azure tenant and subscription and make use of free trials if you have to. Know how to navigate the Azure portal but also know how to do some command-line work (e.g., PowerShell or Azure CLI for disk encryption and Kubernetes setup).

Here are a few points on certain question types or themes that might help you get an extra point or two:

  • Look for answers you can exclude because they are embedded in other answers. E.g., in a multi-select question one of the correct answers might be “compute”. If you see “VM” as an option, it is likely not correct because VMs are part of the compute area.
  • In networking questions, note whether rules use IP addresses or FQNs. NSGs can operate only on IP addresses, while firewalls and application gateways are able to work with FQDNs.
  • Key vaults have to be in the same region as the resources they support. All other relationships can span different regions.
  • When you see SQL Server in a question, make sure you’re clear on if they are looking to secure the SQL Server database or an application that is using a SQL server database.


The exam was challenging but is a great way to solidify your knowledge of Azure security. As with most exams like this, there is knowing the topic and there is knowing how to write the exam. The latter aspect is in some ways a necessary evil that comes with having a standardized test that can scale and be consistent across the world. I hope you found this post helpful and if you end up writing the exam – best of luck!