My 4-Week AZ-500 Study Sprint: What Worked, What Didn't, and How I Passed

I came into AZ-500 with about two years of Azure admin work under my belt — enough to feel comfortable with the portal, not enough to walk into a security exam cold. I gave myself four weeks, no bootcamp, no $2,000 training course. Here's exactly how I structured it.


What AZ-500 Actually Tests (And the Weightings That Matter)

Before you plan a single study hour, understand what Microsoft actually cares about. The exam currently breaks into four domains:

  • Manage identity and access — ~25-30% — Entra ID (formerly Azure AD), conditional access policies, managed identities, privileged identity management (PIM), external identities
  • Secure networking — ~20-25% — NSGs, Azure Firewall, Azure DDoS Protection, Private Link, VPN gateways, Web Application Firewall (WAF)
  • Secure compute, storage, and databases — ~20-25% — VM security baselines, disk encryption, Storage account access keys vs. SAS tokens vs. Entra auth, SQL auditing, Key Vault
  • Manage security operations — ~25-30% — Microsoft Defender for Cloud (secure score, recommendations, alerts), Microsoft Sentinel (workspaces, analytics rules, playbooks), Azure Monitor, Log Analytics

Two domains sit at roughly equal weight: identity and security operations. Don't let the networking section fool you into under-studying it either — WAF and Private Link questions show up more than you'd expect.

Exam format facts: Roughly 40-60 questions. Expect a mix of multiple choice, drag-and-drop, and case studies. Sometimes Microsoft includes hands-on lab tasks at the end (not always, but be ready). You have 100-120 minutes. Passing score is 700/1000. Exam fee is $165 USD. Microsoft updates these domains periodically, so check the official skills outline the week before you schedule.

If you want to get a feel for the question style before committing to a date, the free AZ-500 practice test on ExamCert is a solid starting point — no account wall, no upsell to a $300 course.


Who This Exam Is For

AZ-500 targets security engineers and Azure administrators who are moving into a dedicated security role. Microsoft recommends familiarity with Azure fundamentals (AZ-104 experience helps a lot) and at least some hands-on time with Entra ID and Azure networking. If you've never spun up a VNet or assigned an RBAC role, spend a week on AZ-104 material first.

Career-wise, the cert signals Azure security competency to employers. Security-focused Azure roles — cloud security engineer, security operations analyst, Azure platform engineer with a security specialization — routinely list it as preferred or required. Salary data varies widely by region, but US-based roles listing AZ-500 as preferred tend to land in the $110K-$145K range for mid-level positions.

The certification renews annually through a free online assessment (no re-exam, no additional cost). Microsoft emails you when it's time.


My 4-Week Plan, Week by Week

I treated each week as a single domain focus, with overlap built in at the end. Four weeks is tight but doable if you can put in 1.5-2 hours on weekdays and 3-4 hours on weekends.

Week 1 — Identity and Access (Entra ID Deep Dive)

This is where I spent the most deliberate time because it's both the heaviest-weighted domain and the one where real-world habits can mislead you. Things I covered:

  • Entra ID tenant structure, user types, guest access
  • Conditional Access policies — named locations, sign-in risk, device compliance conditions
  • Privileged Identity Management (PIM): eligible vs. active assignments, just-in-time access, access reviews
  • Managed identities (system-assigned vs. user-assigned) — how apps authenticate to Azure services without storing credentials
  • Azure AD Connect sync scenarios (hybrid environments still appear on the exam)

Hands-on: I created a free-tier Entra ID tenant and built a conditional access policy from scratch. Then I set up PIM for a test account. Actually clicking through the portal is worth two hours of reading.

CLI reference I kept open:

# Assign a role via Azure CLI
az role assignment create \
  --assignee <object-id> \
  --role "Security Reader" \
  --scope /subscriptions/<sub-id>

Week 2 — Secure Networking

I underestimated this domain initially. WAF policy modes (Detection vs. Prevention), Azure Firewall SKUs, and the relationship between NSG rules and Azure Firewall DNAT rules are all testable.

Key topics:

  • NSG flow logs, Application Security Groups (ASGs) for grouping VMs
  • Azure Firewall: DNAT rules, Network rules, Application rules — order of processing matters
  • Azure DDoS Protection: Basic vs. Network tier, telemetry and alerts
  • Private Link vs. Service Endpoints — this distinction comes up constantly
  • VPN Gateway vs. ExpressRoute security considerations

Hands-on: Deployed a basic hub-spoke VNet topology, added an Azure Firewall, and ran through forcing traffic through it. The Bicep/ARM template for this is freely available in the Azure quickstart templates repo.

# Check NSG flow logs are enabled
az network watcher flow-log show \
  --resource-group <rg> \
  --nsg <nsg-name>

Week 3 — Compute, Storage, and Key Vault

Key Vault is its own world. I spent two full evenings just on Key Vault: access policies vs. RBAC authorization model, soft-delete and purge protection, certificate lifecycle, rotating secrets. The exam tests the difference in meaningful ways.

Storage security topics that appear frequently:

  • Shared Access Signatures (SAS): account SAS vs. service SAS vs. user delegation SAS
  • Storage account network rules, private endpoints
  • Azure Defender for Storage — malware scanning, anomalous activity alerts

Compute:

  • VM disk encryption: Azure Disk Encryption (BitLocker/dm-crypt) vs. server-side encryption with customer-managed keys
  • JIT VM access through Defender for Cloud
  • Security baselines and Azure Policy for VMs

# Enable soft-delete on a Key Vault
az keyvault update \
  --name <vault-name> \
  --resource-group <rg> \
  --enable-soft-delete true \
  --retention-days 90

Week 4 — Security Operations + Full Review

Defender for Cloud and Sentinel together own the "manage security operations" domain. They're distinct products with overlapping telemetry, and the exam tests both.

Defender for Cloud focus areas:

  • Secure Score: what moves it, how recommendations map to controls
  • Defender plans per resource type (servers, storage, SQL, containers)
  • Security alerts vs. incidents, alert suppression rules

Sentinel focus areas:

  • Log Analytics workspace architecture for Sentinel
  • Data connectors: enabling Azure Activity, Entra ID Sign-in logs, Microsoft 365 Defender
  • Analytics rules: Scheduled vs. NRT (Near Real-Time) vs. Fusion
  • Playbooks (Logic Apps) triggered on incidents

The last three days were pure practice questions. I used ExamCert for this — $4.99 lifetime access, 30,000+ questions, and a 100% money-back guarantee. That's not a typo: $4.99 one-time, not a monthly sub. Most platforms charge $30-$50/month or $300+ for a "bundle." I ran through question banks each morning and reviewed every wrong answer before moving on.


What I'd Do Differently

If I started over, I'd create a dedicated lab subscription from day one instead of trying to clean up shared resources. The $50-$80 in Azure credits you'll spend on lab work is worth it. The CLI and portal muscle memory matters more than I expected for the hands-on lab sections.

I'd also start Sentinel earlier. It felt unfamiliar compared to the other domains because I didn't use it day-to-day, and I probably under-prepared for it going into week 3.


Scheduling and What to Expect on Test Day

Book through Pearson VUE (in-person or online proctored). Pick a date that gives you a two-day buffer after your planned prep end date — that's your slack for the inevitable week where work derails your schedule.

Get your AZ-500 practice questions dialed in before you walk in. On exam day, flag anything you're uncertain about and come back. Case studies at the end are sequential — read the scenario carefully before answering; the details are specific and they matter.

Four weeks is enough. Build the hands-on time in from the start, not as an afterthought, and you'll be fine.
