Disclaimer: ExamOS is an independent platform, not affiliated with any certification provider, and does not use or distribute exam dumps.

Azure Security Engineer: Zero to Hero

This roadmap reflects the 2026 Microsoft security certification landscape. AZ-500 retires on August 31, 2026 and is replaced by SC-500 (Cloud and AI Security Engineer Associate), which launched in beta in May 2026 and reaches general availability in July 2026. SC-300 (Identity and Access Administrator) is added as a dedicated specialization step given how heavily identity is tested across all Microsoft security exams. SC-100 (Cybersecurity Architect Expert) is included as the senior follow-on for professionals targeting architecture-level roles. Use ExamOS practice quizzes at every step to make progress measurable before each exam attempt.

10 steps | 6 certifications | ~6-8 months | 01-Jun-2026 | 14 views

Step 0 - Security and networking foundations

Build the foundational security and networking knowledge that every Azure security concept depends on. These fundamentals appear directly in exam scenarios and in real security work.

2-3 weeks
  • Networking fundamentals — TCP/IP, DNS, HTTP/S, ports, TLS, subnets, routing, firewalls
  • Security fundamentals — authentication versus authorization, CIA triad, least privilege, defense in depth
  • Identity concepts — directory services, federation, single sign-on, MFA, tokens (JWT, SAML, OAuth)
  • Cryptography basics — symmetric versus asymmetric encryption, hashing, certificates, PKI
  • Threat concepts — attack vectors, MITRE ATT&CK framework at a conceptual level, the kill chain
  • Compliance fundamentals — what GDPR, ISO 27001, SOC 2, and NIST mean in cloud contexts

Certifications

Microsoft Security, Compliance, and Identity Fundamentals (SC-900)

💡 Microsoft Security, Compliance, and Identity Fundamentals (SC-900) validates this foundation and is a practical first credential for candidates new to Microsoft security. 45 questions, 45 minutes, 700 passing score.

💡 Candidates with existing security experience (CompTIA Security+, CISSP, or equivalent) can skip SC-900 and proceed directly to Step 1.

💡 Use ExamOS quizzes to verify that security fundamentals are solid before applying them in Azure-specific contexts.

Step 1 - Azure administration fundamentals (AZ-104)

Build operational Azure knowledge across compute, networking, storage, and identity. AZ-104 is the recommended prerequisite for both AZ-500 and SC-500 and is non-negotiable for effective security work in Azure environments.

6-8 weeks
  • Azure resource hierarchy — Management Groups, Subscriptions, Resource Groups, Resources
  • Virtual Machines, App Services, and compute fundamentals
  • Azure Networking — VNets, NSGs, load balancers, VNet peering, Private Endpoints, Azure Firewall
  • Storage Accounts — types, access tiers, access control, encryption options
  • Microsoft Entra ID fundamentals — users, groups, service principals, managed identities
  • Azure RBAC — built-in roles, custom roles, role assignment scopes and inheritance
  • Azure Monitor and Log Analytics — diagnostic settings, log queries, metric alerts
  • Azure Policy — policy definitions, initiatives, assignment scopes, compliance reporting

Certifications

Azure Administrator Associate (AZ-104)

💡 AZ-104 is the recommended prerequisite for AZ-500 and SC-500. Both Microsoft and the community consistently flag that candidates without AZ-104-level Azure administration knowledge struggle with the platform protection and networking security domains.

💡 Use ExamOS daily scenario practice to identify weak areas in networking and RBAC — the two areas most consistently tested on security exams.

💡 AZ-900 (Azure Fundamentals) is optional here. Candidates with no Azure experience may benefit from it first. Candidates with general IT or cloud backgrounds should go directly to AZ-104.

Step 2 - Identity and access management deep dive (SC-300)

Build the deep identity knowledge that Microsoft security exams consistently test. Identity is the primary security perimeter in Microsoft cloud environments and SC-300 covers it with the operational depth that AZ-104 does not.

6-8 weeks
  • Microsoft Entra ID architecture — tenants, directories, hybrid identity with Entra Connect sync
  • Authentication methods — passwordless (FIDO2, Windows Hello), certificate-based, legacy protocols
  • Multi-factor authentication — registration policies, authentication strengths, SSPR
  • Conditional Access — policy design, named locations, sign-in risk, device compliance, session controls
  • Privileged Identity Management (PIM) — eligible versus active assignments, approval workflows, access reviews
  • Microsoft Entra ID Governance — entitlement management, access packages, lifecycle workflows
  • Workload identities — service principals, managed identities, workload identity federation
  • Application registrations — delegated versus application permissions, admin consent, app proxy
  • External identities — B2B collaboration, cross-tenant access settings, B2C at a conceptual level

Certifications

Microsoft Identity and Access Administrator (SC-300)

💡 SC-300 is not formally required before AZ-500 or SC-500, but identity is tested at SC-300 depth across both of those exams. Candidates who have done SC-300 preparation find the identity sections of AZ-500 and SC-500 significantly more approachable.

💡 PIM is one of the most consistently tested identity topics across all Microsoft security exams. Invest real time in understanding PIM role settings, activation workflows, and access review configuration.

💡 Conditional Access policy design is heavily tested. Know how conditions, controls, and session management combine and what happens when policies conflict.

💡 Use ExamOS to practice identity scenario questions that test PIM activation decisions, Conditional Access policy conflicts, and permission boundary designs.

Step 3 - Azure platform protection and network security

Secure compute, storage, networking, and application workloads on Azure. This maps to the platform protection domain that accounts for a significant portion of AZ-500 and SC-500.

4-5 weeks
  • Azure Firewall — standard versus premium tiers, IDPS, TLS inspection, policy management
  • Network Security Groups — rule evaluation order, application security groups, flow logs
  • Azure DDoS Protection — standard tier, adaptive tuning, mitigation telemetry
  • Azure Web Application Firewall (WAF) — policy modes, rule sets (OWASP), custom rules, exclusions
  • Private Endpoints and Private Link — securing PaaS services, DNS configuration for private resolution
  • Just-in-Time (JIT) VM access — reducing attack surface on management ports
  • Azure Bastion — secure RDP/SSH without public IP exposure, Bastion subnet requirements
  • Disk encryption — Azure Disk Encryption, server-side encryption, customer-managed keys
  • Container security — Defender for Containers, image scanning in ACR, AKS security controls
  • App Service security — managed identity, HTTPS enforcement, access restrictions, TLS configuration

Certifications

Azure Security Engineer Associate (AZ-500)
Microsoft Cloud and AI Security Engineer Associate (SC-500)

💡 The platform protection content is largely consistent between AZ-500 and SC-500. The difference is that SC-500 adds AI workload security on top of the existing infrastructure security content.

💡 Use ExamOS for scenario-based platform protection questions that test NSG rule interactions, Private Endpoint DNS configuration, and network security control selection for specific workload requirements.

Step 4 - Security operations, Defender, and Microsoft Sentinel

Detect, investigate, and respond to threats across Azure and hybrid environments using Microsoft's security operations stack. Security operations content is heavily weighted across AZ-500, SC-500, and SC-200.

4-5 weeks
  • Microsoft Defender for Cloud — security posture management, Secure Score, regulatory compliance, workload protections
  • Defender for Cloud Plans — Defender for Servers, Defender for Containers, Defender for Databases, Defender for Storage
  • Microsoft Defender XDR — unified security operations, incident correlation across Defender products
  • Microsoft Sentinel — workspace architecture, data connectors, analytics rules, workbooks, playbooks
  • KQL (Kusto Query Language) — query fundamentals for Sentinel log analysis and threat hunting
  • SIEM and SOAR patterns — how Sentinel analytics rules trigger automated playbooks via Logic Apps
  • Threat intelligence integration — TAXII feeds, Microsoft threat intelligence in Sentinel
  • Security incident response — investigation workflow, entity behavior analytics, UEBA

Certifications

Azure Security Engineer Associate (AZ-500)
Microsoft Cloud and AI Security Engineer Associate (SC-500)

💡 Microsoft Sentinel is one of the most heavily tested topics on AZ-500 and is expected to carry similar weight on SC-500. Candidates who treat it as a secondary topic consistently struggle with security operations scenarios.

💡 KQL query understanding appears in exam scenarios at a recognition level. You do not need to write complex queries from memory, but you need to understand what a given query does and whether it would detect the described threat pattern.

💡 Defender for Cloud's integration with regulatory compliance frameworks (CIS, NIST, PCI-DSS) appears in governance scenarios across both AZ-500 and SC-500.

💡 Use ExamOS for scenario-based security operations questions that test Sentinel rule configuration decisions, Defender for Cloud recommendation prioritization, and incident response sequencing.

Step 5 - Data security, key management, and secrets

Protect sensitive data, manage cryptographic keys, and secure application secrets across Azure workloads.

3-4 weeks
  • Azure Key Vault — keys, secrets, certificates, access policies versus RBAC, soft delete, purge protection
  • Key Vault integration patterns — managed identities for application access, Key Vault references in App Service and AKS
  • Customer-managed keys (CMK) — storage encryption, database TDE with CMK, disk encryption with CMK
  • Microsoft Purview — data catalog, data classification, sensitivity labels, data loss prevention policies
  • Azure Information Protection — sensitivity label policies, document protection, unified labeling
  • SQL security — Always Encrypted, Dynamic Data Masking, row-level security, Azure Defender for SQL
  • Storage security — shared access signatures, stored access policies, immutable storage, Defender for Storage
  • Envelope encryption — how Azure services use Key Vault for envelope encryption and what the key hierarchy means

Certifications

Azure Security Engineer Associate (AZ-500)
Microsoft Cloud and AI Security Engineer Associate (SC-500)

💡 Key Vault architecture and access control design is heavily tested on both AZ-500 and SC-500. Know the difference between Key Vault access policies and RBAC for Key Vault, when each is appropriate, and what the implications of each are.

💡 Microsoft Purview data security posture management (DSPM) is new in SC-500 and was not covered in AZ-500. If you are preparing for SC-500, invest specific time in Purview DSPM and sensitivity label policies.

💡 Use ExamOS for scenario-based data security questions involving Key Vault integration patterns, CMK configuration, and data classification decisions.

Step 6 - AI security and securing AI workloads (SC-500 specific)

Understand the new class of security challenges introduced by AI systems, models, and agentic architectures. This is the primary new domain that SC-500 adds over AZ-500.

3-4 weeks
  • Prompt injection attacks — direct and indirect, detection patterns, and architectural mitigations
  • Securing Azure OpenAI deployments — network isolation, managed identity access, content filtering
  • Microsoft Copilot security — data oversharing risks, sensitivity label enforcement, Copilot readiness assessment
  • Entra Agent ID — identity management for AI agents and non-human workloads in agentic architectures
  • Defender for AI Service — threat detection for Azure AI workloads, alert types, integration with Defender XDR
  • Azure AI Foundry Gateway — API security, rate limiting, credential management for AI inference endpoints
  • DSPM for AI (Microsoft Purview) — discovering AI-related sensitive data exposure, remediating AI data risks
  • AI supply chain security — model provenance, dependency risks in AI pipelines, artifact integrity

Certifications

Microsoft Cloud and AI Security Engineer Associate (SC-500)

💡 This step covers content that only exists in SC-500 and does not appear in AZ-500. If you are sitting AZ-500 before its retirement, this step can be treated as future context. If you are preparing for SC-500, this step is a primary domain.

💡 Entra Agent ID is a new concept specific to agentic AI architectures. It extends the workload identity model you learned in SC-300 to cover AI agents that operate autonomously. The security principles are familiar but the context is new.

💡 Prompt injection is to LLMs what SQL injection is to databases. Understand the attack pattern, why it is architecturally difficult to fully prevent, and what compensating controls are available at the application and infrastructure layer.

💡 Use ExamOS for AI security scenario questions that test Defender for AI alert types, Copilot data exposure risks, and Azure OpenAI network isolation configurations.

Step 7 - Governance, compliance, and security policy at scale

Enforce security standards consistently across Azure environments using policy automation, compliance frameworks, and governance structures.

2-3 weeks
  • Azure Policy — policy definitions, initiatives, assignment scopes, effect types (Deny, Audit, DeployIfNotExists, Modify)
  • Policy-as-code — managing Azure Policy through GitHub Actions or Azure DevOps pipelines
  • Azure Blueprints versus Landing Zones — understanding the shift toward Landing Zone patterns in enterprise deployments
  • Microsoft Defender for Cloud regulatory compliance — mapping controls to CIS, NIST SP 800-53, PCI-DSS, ISO 27001
  • Microsoft Secure Score — interpreting recommendations, prioritizing remediation, tracking improvement over time
  • Subscription and management group security governance — inheritance, exemptions, and override patterns
  • Azure Resource Locks — ReadOnly versus Delete locks and their interaction with policy and RBAC
  • Security baseline automation — deploying and maintaining CIS Azure Foundations Benchmark compliance

Certifications

Azure Security Engineer Associate (AZ-500)
Microsoft Cloud and AI Security Engineer Associate (SC-500)

💡 Azure Policy effect types are tested at an operational level on both exams. Know what each effect does, when it executes in the policy evaluation pipeline, and what the difference between Audit and Deny means for existing resources versus new ones.

💡 DeployIfNotExists and Modify effects are the most commonly misunderstood policy effects and appear regularly in exam scenarios describing automated remediation requirements.

💡 Use ExamOS for governance scenario questions that test policy effect selection, scope assignment decisions, and compliance framework mapping.

Step 8 - Zero Trust architecture and advanced security design

Move from implementing individual security controls to designing security architectures that apply Zero Trust principles across the full Microsoft cloud stack. This is the domain that SC-100 (Cybersecurity Architect Expert) validates.

Ongoing
  • Zero Trust principles — verify explicitly, use least privilege, assume breach — and how they apply in Azure
  • Zero Trust network access (ZTNA) — replacing VPN with identity-aware access controls
  • Microsoft Entra Internet Access and Private Access — ZTNA implementation in the Microsoft ecosystem
  • Security architecture design patterns — defense in depth, microsegmentation, identity perimeter
  • Secure access service edge (SASE) — how Microsoft's Global Secure Access fits the model
  • Threat modeling for cloud and AI architectures — STRIDE methodology applied to Azure workloads
  • SC-100 domains — security operations, identity, compliance, infrastructure, and application security design

Certifications

Microsoft Certified Cybersecurity Architect Expert (SC-100)

💡 SC-100 (Microsoft Cybersecurity Architect Expert) is the natural senior follow-on credential for professionals who have completed AZ-500 or SC-500 alongside SC-300. It was updated April 27, 2026 with new domain weightings. It tests security architecture design across Zero Trust, GRC, SecOps, and application security simultaneously.

💡 SC-100 is an Expert-level exam. Microsoft recommends holding at least one Associate-level security credential (AZ-500, SC-500, SC-200, or SC-300) before attempting it. The combined credential profile of SC-300 + SC-500 + SC-100 is the most comprehensive Microsoft security credential stack available in 2026.

💡 Microsoft Entra Internet Access and Private Access (the Global Secure Access products) are relatively new and not yet deeply covered in most SC-100 preparation materials. Review the current skills outline carefully.

Final step - Certification readiness, validation, and the 2026 transition

The most important decision for candidates in 2026 is whether to sit AZ-500 before its August 31, 2026 retirement or prepare for SC-500 from the start. If you are at least 8 weeks from readiness, prepare for SC-500 directly — it is the forward-looking credential and the AI security content it adds will only grow in market relevance. If you are already mid-preparation for AZ-500 and close to ready, sit it before the deadline — the credential is valid and the SC-500 content can be added later. Before booking any exam, run timed ExamOS practice sessions consistently above 80% on Legend mode across multiple sessions. One strong session is not sufficient. Pay particular attention to Microsoft Sentinel, PIM, and Conditional Access — these are the topics that most consistently separate strong from average performance on Microsoft security exams.

Certifications

Azure Administrator Associate (AZ-104)
Microsoft Security, Compliance, and Identity Fundamentals (SC-900)
Microsoft Identity and Access Administrator (SC-300)
Azure Security Engineer Associate (AZ-500)
Microsoft Cloud and AI Security Engineer Associate (SC-500)
Microsoft Certified Cybersecurity Architect Expert (SC-100)

Realistic timeline

  • 2 hours per day: approximately 6-8 months for the complete path including AZ-104 and SC-300
  • 3-4 hours per day: approximately 4-5 months
  • Candidates who already hold AZ-104: remove 6-8 weeks from the timeline
  • Candidates who already hold SC-300 or equivalent identity experience: remove 4-6 weeks from the timeline
  • AZ-500 versus SC-500 decision: sit AZ-500 before August 31, 2026 if you are close to ready; target SC-500 if you are more than 8 weeks from readiness
  • SC-100 should be planned as a 3-6 month follow-on after achieving SC-500 and SC-300
  • Consistency across daily sessions produces better security exam outcomes than marathon sessions — security reasoning develops through repeated exposure, not single intensive bursts
