SC-500: Cloud and AI Security Engineer Associate

Associate Security Beta
Beta (since 2026-05) — typically offered at 80% discount. Replaces: AZ-500
28 modules · ~5h 31m study time

Interactive Study Guide

Each module covers one exam topic with plain-English explanations, real-world scenarios, and built-in practice. Everything you need to understand and retain the material — no tab-switching required.

📖 ELI5 explanations
🔄 Flashcards
✅ Knowledge checks
📊 Compare tables
💡 Exam tips
📍 Progress tracking
Domain 1: Manage identity, access, and governance
Application Identity: Enterprise Apps, App Registrations, OAuth Consent 13m
Azure Key Vault: Deploy, Access, Firewall, Defender for Key Vault 14m
Microsoft Entra ID: PIM, Conditional Access, MFA, Passwordless 14m
Governance: Azure Policy, RBAC, Custom Roles, Locks, IaC, Backup Security 14m
Managed Identities: Why You Should Never See a Connection String Again 12m
SC-500: Securing Cloud and AI on Azure 10m
Domain 2: Secure storage, databases, and networking
Azure Firewall + Network Watcher 11m
Azure SQL Security + Defender for Databases 11m
Azure Virtual WAN: Secured Hubs and Branch Connectivity 9m
Choosing the Right Network Boundary: A Decision Tree 9m
Network Security: NSGs, ASGs, Azure Virtual Network Manager 11m
Private Endpoints + Private Link: Locking Down PaaS 11m
Storage Account Security: Firewall, Access Policies, Defender for Storage 12m
VPN Connections + Microsoft Entra Private Access 10m
Domain 3: Secure compute
Securing AI on Azure: SharePoint Overexposure + Purview DSPM for Copilot 13m
App Service, Functions, Logic Apps + WAF + APIM API Protection 12m
Copilot Studio Runtime Protection + Agent Management in the M365 Admin Center 12m
Defender for Containers: AKS, ACR, ACI, Container Apps Security 13m
Defender for Servers + Azure Arc: Hybrid + Multicloud Onboarding 12m
Microsoft Entra Agent ID: Conditional Access + Defender XDR Blast Radius 13m
Foundry AI Gateway + Defender for AI Service + Foundry Guardrails 14m
VM Security: Disk Encryption, Bastion, JIT, Secure Boot, vTPM, Machine Config 13m
Domain 4: Manage and monitor security posture
Defender for Cloud: CSPM, Compliance, Workload Protection Plans 12m
Defender Multicloud (AWS + GCP) + EASM + Vulnerability Management 11m
Microsoft Security Copilot: Workspaces, RBAC, Plugins, Agents 12m
Sentinel Automation: Rules, Playbooks, Retention, Purview Audit in Defender XDR 11m
Sentinel Event Collection: Syslog, CEF, Windows Security, Custom Log Tables 11m
Microsoft Sentinel: Workspaces, Roles, Data Connectors, Content Hub 11m

Exam Resources

Official learning paths, exam details, skills measured, and community resources to supplement your study.

About the SC-500 Exam

Secure Azure infrastructure, workloads, identities, and the AI systems that ride on top of them.

SC-500 is the new Microsoft Certified: Cloud and AI Security Engineer Associate exam — released in beta in May 2026 and built to replace AZ-500 (which retires 31 August 2026). It is the first Microsoft security exam that formally tests AI security as its own discipline — Microsoft Copilot risk, Entra Agent ID, Defender for AI Service, Foundry AI Gateway, and Defender XDR blast-radius analysis for agents — alongside the traditional Azure infrastructure security content that AZ-500 has always covered.

⚠️ SC-500 replaces AZ-500 (retiring 31 August 2026). If you’re starting Azure security prep today, study SC-500 — your AZ-500 runway is short, and the AI security content on SC-500 is genuinely new.

Who Should Take This Exam?

The SC-500 is designed for security engineers who protect organisational systems and data across cloud and hybrid environments. The audience profile is explicit: implementing comprehensive security controls that proactively prevent unauthorised access and mitigate risk across identity, network, application, data, and compute — and ensuring that platforms, data, identities, and infrastructure used by AI workloads are securely implemented and monitored.

You should be comfortable with:

  • Administering Azure and hybrid environments (compute, network, storage)
  • Microsoft Entra ID — directory, conditional access, PIM, identities
  • Microsoft 365 administration at a working level (the AI security objectives lean on M365 + Purview + Copilot)
  • Security operations fundamentals — alerts, incidents, posture management
  • Defender for Cloud and Microsoft Sentinel basics

You’ll work closely with architects, administrators, engineers, analysts, and developers responsible for Azure, Microsoft 365, identity and access, information protection, security operations, DevOps, application development, database platforms, and networks.

Typical study time: 6–10 weeks of part-time study if you’ve done AZ-500. 10–14 weeks if you’re new to Azure security and need the AI security crash course.

Exam Quick Facts

Exam Code: SC-500
Title: Cloud and AI Security Engineer Associate
Level: Associate
Pass Score: 700 / 1000
Duration: 100 minutes
Questions: ~40–60
Cost: $165 USD (varies by region — beta is typically 80% off)
Provider: Pearson VUE
Validity: Renew annually (free via Microsoft Learn)
Question Types: Multiple choice, Multiple response, Drag-and-drop, Case study
Replaces: AZ-500 (retiring 31 August 2026)
Official Page: Microsoft Learn — SC-500
Study Guide: Official Microsoft study guide

Skills Measured

The official Microsoft SC-500 study guide (published May 2026) lists 4 domains. Plan your study time using the weights below — the AI security sub-domain in Domain 3 is the single biggest difference vs. AZ-500.

1. Manage identity, access, and governance (20–25%)

Secure access to resources by using Microsoft Entra ID

  • Implement and configure Privileged Identity Management (PIM)
  • Implement conditional access policies
  • Implement and configure authentication methods, including MFA and passwordless
  • Implement and configure identity for applications — enterprise applications and app registrations
  • Manage OAuth permission grants and consent settings
  • Implement and configure managed identities for Azure resources

Secure secrets and keys by using Azure Key Vault

  • Deploy and configure Key Vault (settings, access, firewall)
  • Manage keys, secrets, and certificates
  • Scan for secrets using Defender Cloud Security Posture Management (Defender CSPM)
  • Implement Defender for Key Vault

Implement governance to enforce security and regulatory compliance

  • Implement security controls via Azure Policy (built-in + custom definitions)
  • Evaluate regulatory compliance by using Microsoft Defender for Cloud
  • Implement and configure security controls in Defender for Cloud — security standards and recommendations
  • Implement resource locks
  • Manage Azure built-in role assignments and custom roles (Azure + Microsoft Entra roles)
  • Evaluate and remediate overprivileged access assignments using Azure RBAC
  • Configure security controls for backup protection by using Azure Backup security features
  • Implement security controls via infrastructure as code

2. Secure storage, databases, and networking (25–30%)

Implement security for storage accounts

  • Configure security for storage accounts and Azure Storage firewall rules
  • Implement Defender for Storage threat protection configurations
  • Manage access to storage, including access policies

Implement security for databases

  • Implement platform-level security configurations in Azure SQL
  • Configure database auditing for Azure SQL Database and SQL Managed Instance
  • Configure Defender for Databases protection across Azure database services

Implement security for Azure network services

  • Implement and manage NSGs and ASGs
  • Implement network access policies via Azure Virtual Network Manager
  • Configure security for Azure Virtual WAN
  • Implement and configure security for VPN connections
  • Implement and configure Microsoft Entra Private Access
  • Configure Azure private endpoints and Private Link services
  • Implement and configure Azure Firewall
  • Evaluate effective security rules using Azure Network Watcher diagnostics

3. Secure compute (20–25%)

🔥 This is the AI security section — and the single biggest differentiator from AZ-500. Microsoft has folded a full sub-domain of AI workload security into the compute domain. Expect this section to drive a meaningful share of your study time even though the weight reads modest.

Implement security for AI

  • Identify overexposure of data in SharePoint
  • Identify risks related to Microsoft Copilot and AI apps by using Microsoft Purview DSPM (Data Security Posture Management)
  • Enable and configure real-time protection for Microsoft Copilot Studio agents
  • Implement conditional access for Microsoft Entra Agent ID
  • Analyse blast radius for security risks related to Entra Agent ID by using Defender XDR
  • Manage Entra Agent ID access
  • Configure and deploy AI Gateway in Azure API Management for Microsoft Foundry
  • Enable Defender for AI Service in Cloud Workload Protection in Defender for Cloud
  • Configure guardrails for agent security in Foundry
  • Monitor AI security using the Data and AI security dashboard in Defender for Cloud
  • Manage agents in Microsoft 365 admin center

Implement security for servers and virtual machines (VMs)

  • Implement and configure disk encryption
  • Plan and implement Azure Bastion
  • Enable and enforce just-in-time (JIT) VM access
  • Extend security controls to hybrid and multicloud servers by using Azure Arc
  • Onboard servers to Defender for Servers (hybrid + multicloud scenarios)
  • Configure Defender for Servers — vulnerability scanning and endpoint detection and response (EDR)
  • Implement and manage agentless scanning for VMs
  • Configure VM security features — secure boot, virtual TPM (vTPM), integrity monitoring, security type
  • Enforce security configuration via Azure Machine Configuration

Implement security for application platform services

  • Detect misconfigurations and runtime risks in container workloads using Defender for Containers
  • Implement security controls for AKS, Azure Container Registry, Azure Container Instances, and Azure Container Apps
  • Implement security controls for Azure Functions (auth + network access)
  • Implement security controls for Azure Logic Apps
  • Implement security controls for Azure App Service
  • Implement and configure Azure Web Application Firewall
  • Implement security policies for back-end API protection using API Management

4. Manage and monitor security posture (20–25%)

Manage security posture by using Defender for Cloud

  • Identify security risks using Defender CSPM
  • Evaluate compliance against security frameworks
  • Enable and configure Defender for Cloud workload protection plans
  • Connect hybrid + multicloud environments (AWS, GCP) to Defender for Cloud
  • Configure Microsoft Defender Vulnerability Management for Azure VMs
  • Discover unprotected assets via Defender External Attack Surface Management (EASM)

Implement activity and event collection in Microsoft Sentinel

  • Create and connect Sentinel workspaces and assign roles
  • Implement and use content hub solutions
  • Configure Microsoft data connectors for Azure resources
  • Implement syslog and CEF event collections
  • Implement Windows Security event collection via DCRs and Windows Event Forwarding (WEF)
  • Create custom log tables for ingested data
  • Implement automation rules and playbooks
  • Implement data retention in Sentinel data stores
  • Query Microsoft Purview Audit in Defender XDR

Implement Microsoft Security Copilot

  • Configure workspaces for Security Copilot
  • Manage permissions and roles
  • Enable and configure plugins
  • Enable and configure Microsoft agents and Security Store agents

Our Free Study Guide — In Production

A free, interactive ~28-module study guide for SC-500 is in production on the Guided platform — same approach we’ve used for AZ-900, AI-900, SC-900, AI-200, and the rest of our cert library. Each module includes ELI5 toggle, brand-scenario stories, exam tips, real-world examples, flashcards, and end-of-module quizzes.

The AI security sub-domain in Domain 3 is getting 3 dedicated modules — Copilot/Purview DSPM, Entra Agent ID + Defender XDR, and Foundry/AI Gateway/Defender for AI — because that’s where every existing AZ-500 course on the internet has nothing to teach you.

Bookmark this page or follow @aguidetocloud — we’ll announce the launch the moment modules ship. In the meantime, the official Microsoft study guide above is the authoritative source.

Microsoft Certification Path

Microsoft security certifications run Fundamentals → Associate → Expert. SC-500 sits at the Associate level alongside SC-200 (security ops), SC-300 (identity & access), and SC-401 (information protection). At the Expert level, SC-100 (Cybersecurity Architect) is the natural follow-on.

If you’re studying for SC-500, these are the closest companions:

Study Tips

  1. Don’t underestimate the AI security section. It carries the same weight as servers/VMs, but the surface area is unique — Entra Agent ID, Defender for AI Service, Foundry AI Gateway, Purview DSPM for Copilot — none of which exist on AZ-500. Spend at least 25–30% of your study time here even though the weight reads ~7%.
  2. If you’re coming from AZ-500, focus on what’s new. Microsoft Entra Private Access, Defender for AI, real-time protection for Copilot Studio agents, blast radius analysis in Defender XDR for agents — these are the deltas.
  3. Practice managed identity patterns until they’re muscle memory. Almost every “right answer” question that mentions a connection string is a wrong answer. Practice the Entra + managed identity flow against Key Vault, Storage, SQL, Service Bus, and Container Registry.
  4. Get hands-on in Defender for Cloud. CSPM, workload protection plans, multicloud connectors (AWS + GCP), and EASM all show up in Domain 4. Pick a test subscription and walk through enabling each plan.
  5. Use the official study guide as your spine. Microsoft’s outline is the source of truth for exactly what’s tested — anything outside the bulleted skills is unlikely to appear.
  6. Beta exam, beta caveat: Microsoft beta exams take ~10 weeks to score after the beta window closes. If you take it in beta to grab the 80% discount, plan accordingly — you won’t know if you passed for a while.