SC-500: Securing Cloud and AI on Azure
What SC-500 covers, why AI security joined the security engineer's job description in 2026, and the four characters whose stories run through every module.
What SC-500 is, and why now
SC-500 is Microsoft’s new exam for the security engineer who has to protect cloud apps AND the AI that now rides on top of them. It replaces AZ-500 (the old Azure security exam), but it’s not a rename — it adds a whole new chunk of AI security on top.
If you’ve ever done AZ-500, about 70% of SC-500 will feel familiar: Microsoft Entra ID, Key Vault, network security groups, Azure Firewall, Defender for Cloud, Microsoft Sentinel. That all stays.
What’s new is the other 30%: securing Microsoft Copilot, securing Copilot Studio agents, locking down Microsoft Entra Agent ID, defending the AI Gateway in Azure API Management, configuring Defender for AI Service. None of that existed when AZ-500 was last updated.
The bet Microsoft is making — and that this exam codifies — is that AI workloads need a dedicated security practice. Not “the AI team handles it” and not “the platform team handles it” — a real security engineer who understands both Azure infrastructure security AND the new AI-shaped attack surface.
What changed from AZ-500
If you studied AZ-500, the table below is the cheat sheet for “what do I actually need to relearn?”
| Feature | Carries over (~70%) | New on SC-500 (~30%) |
|---|---|---|
| Identity | Entra ID, PIM, Conditional Access, MFA, managed identities, app registrations, OAuth consent | Microsoft Entra Agent ID conditional access + access management + blast radius via Defender XDR |
| Secrets + data | Azure Key Vault deploy/access/firewall, Defender for Storage / Databases / Key Vault, SQL auditing | Purview Data Security Posture Management (DSPM) for Copilot and AI apps, SharePoint overexposure scanning |
| Network | NSGs, ASGs, Azure Firewall, Private Link, Private Endpoints, vWAN, VPN, Network Watcher | Microsoft Entra Private Access (Zero Trust network access), Azure Virtual Network Manager network access policies |
| Compute | Disk encryption, Bastion, JIT, secure boot, vTPM, Defender for Servers, Arc, agentless scanning | Defender for Containers stays. Most VM/container content unchanged. |
| AI surface | — Did not exist on AZ-500 — | Defender for AI Service, Foundry AI Gateway in APIM, Foundry agent guardrails, Copilot Studio real-time protection, Data and AI security dashboard, agent admin in M365 |
| Posture + SOC | Defender for Cloud, multicloud (AWS + GCP), EASM, Sentinel workspaces/connectors/automation | Microsoft Security Copilot (workspaces, plugins, MS agents, Security Store agents) — Sentinel Purview Audit query in Defender XDR |
The single biggest gap to close, if you’re coming from AZ-500, is the AI security sub-domain in Domain 3. There is no equivalent on AZ-500, and a meaningful share of the new exam’s questions will live here.
Meet the four characters
This course follows four security engineers across all 28 modules. Their stories repeat in the practice questions too — the more you sit with the cast, the more “which Azure service?” answers itself.
| Character | Who they are | What you’ll see them do |
|---|---|---|
| 🏦 Esme at Northwind Bank | Senior security engineer at a mid-sized retail bank under prudential regulation | The bread-and-butter security engineer: PIM for privileged admins, Key Vault for HSM-backed keys, Conditional Access for the workforce, NSGs and Azure Firewall around the core banking workloads. Compliance audits are her permanent backdrop. |
| 🧬 Ravi at Maple Genomics | Solo security lead at a Series B health-genomics AI startup | The “AI-first” engineer: Defender for AI Service on every Foundry workload, AI Gateway in APIM to control model access, Copilot Studio guardrails for the customer-support bot, Entra Agent ID conditional access on every agent identity. Ships fast, can’t ship insecure. |
| 🏥 Asha at Aurora Health Service | Security architect for a public-sector health system, multicloud (Azure + AWS + GCP) | The platform-scale engineer: Azure Arc to extend governance to on-prem and AWS EC2, Microsoft Defender for Cloud multicloud connectors, EASM for shadow IT discovery, Zero Trust across hybrid identity. Sleeps poorly during Sentinel deployments. |
| 🔍 Dom at Kestrel Cyber Co-op | SOC analyst at a managed security service provider (MSSP) covering 30+ client tenants | The defender: Microsoft Sentinel content hub solutions per client, automation rules and playbooks to triage the alert volume, Microsoft Security Copilot for incident scoping, Defender XDR threat hunting. Lives in incident view. |
Why four characters and not one?
Real exam scenarios swing wildly between very different contexts — a 30-person startup deploying Copilot Studio agents, a regulated bank rotating HSM-backed keys, a public-sector multicloud environment, an MSSP automating Sentinel playbooks. One generic “Contoso” character can’t carry all of those.
Four characters give us four organisational postures — and once you spot which character a question’s scenario maps to, the right answer falls out faster. “Esme at Northwind Bank” cues regulation, audit, conservative defaults. “Ravi at Maple Genomics” cues AI workloads, fast iteration, single-pizza team. The exam questions you’ll see use the same cue system — read the scenario, identify the posture, then pick the answer that fits the posture.
How this course is organised
The four exam domains map to four parts of this course:
- Domain 1 — Identity, access, governance (you are here): Entra ID, PIM, Conditional Access, managed identities, Key Vault, Azure Policy, RBAC, IaC controls. 6 modules.
- Domain 2 — Storage, databases, networking: storage account security, Azure SQL, Defender for Storage and Databases, NSGs, vWAN, VPN, Entra Private Access, Private Endpoints, Azure Firewall, Network Watcher. 8 modules.
- Domain 3 — Secure compute: AI security (Purview DSPM, Copilot Studio, Entra Agent ID, Defender for AI, Foundry), VM and server security (disk encryption, Bastion, Defender for Servers, Arc), and application platform security (Defender for Containers, App Service, Functions, Logic Apps, WAF, APIM). 8 modules.
- Domain 4 — Posture and monitoring: Defender for Cloud (CSPM, workload plans, multicloud, EASM), Microsoft Sentinel (workspaces, ingestion, automation), Microsoft Security Copilot. 6 modules.
Every module follows the same shape: ELI5 explanation first, then the technical detail, then comparison tables for “X vs Y” decisions, then exam tips, then flashcards and a knowledge-check quiz. The same four characters appear in every quiz scenario.
Exam tip: read the question for 'whose problem is this?'
SC-500 question scenarios are dense — 4–8 sentences, multiple services, business context. A reliable shortcut is to identify the role embedded in the scenario before reading the answer choices.
- If the scenario mentions “agents”, “Foundry”, “Copilot Studio”, or “AI-powered” — it’s a Ravi-shaped question. The right answer almost always involves Defender for AI Service, AI Gateway, or Entra Agent ID.
- If it mentions “regulator”, “audit”, “compliance framework”, “HSM”, or “production banking” — it’s an Esme-shaped question. The right answer leans on Key Vault HSM, PIM with approvals, conservative Conditional Access, and Defender CSPM regulatory standards.
- If it mentions “multicloud”, “on-prem servers”, “AWS”, “GCP”, or “Azure Arc” — it’s an Asha-shaped question. The right answer involves Defender for Cloud multicloud connectors or Arc-enabled servers.
- If it mentions “alerts”, “incident”, “playbook”, “threat hunting”, “SOC”, or “MSSP” — it’s a Dom-shaped question. The right answer involves Sentinel automation rules, Defender XDR, or Microsoft Security Copilot.
Read for the cue word, then commit.
Why AI security gets its own sub-domain
The biggest reason this exam exists — and the reason it’s not just “AZ-500 with a new code” — is the rise of three new identity and data shapes that Microsoft now ships at scale:
- Microsoft Copilot (M365) — reads org data through Microsoft Graph. Without controls, it surfaces over-shared SharePoint content to the wrong people.
- Copilot Studio agents — low-code AI agents that ground on your org data and can take actions. Each agent has identity, data scope, and risk surface.
- Microsoft Entra Agent ID — a new identity type for autonomous agents (Copilot, Copilot Studio, custom Foundry agents). It can be governed with Conditional Access and analysed for blast radius — but only if you configure it.
For each of these, the SC-500 exam expects you to know which Microsoft service mitigates which risk — Purview Data Security Posture Management (DSPM) for AI to scan Copilot/AI app exposure, Defender XDR for blast-radius analysis on Entra Agent ID, Defender for AI Service for Foundry workload threats, AI Gateway in APIM for Foundry usage controls. We’ll spend four focused modules on this in Domain 3.
Knowledge check
Ravi at Maple Genomics is launching a Copilot Studio agent that helps genomics researchers query lab results. He needs to ensure the agent can only access patient data when signed-in researchers are on a managed device and on the corporate network. Which SC-500 control area is he configuring?
Esme at Northwind Bank is mapping which AZ-500 study material still applies to her SC-500 prep. Which of these topics is genuinely new on SC-500 (and not just a renamed AZ-500 topic)?
Dom at Kestrel Cyber Co-op runs the SOC across 30+ client tenants. He spends most of his day in alerts, playbooks, and threat hunting. Which SC-500 domain will carry most of his daily-job content?
What’s next
The next module zooms in on Microsoft Entra ID itself — Privileged Identity Management, Conditional Access, multifactor authentication, and passwordless. It’s the foundation everything else in the exam builds on, and the place Esme spends most of her week.