Cloud Certifications: Azure Security Engineer Associate

Cloud-based solutions have been high in demand in the last several years, and this is not likely to change in the future. With an increased frequency of large and well-established corporations, academic institutions, and even cities being affected by insufficient security practices and attacks, knowing how to properly and efficiently secure Azure cloud infrastructure is essential to organizations. In this guide you will learn about the Microsoft Azure Security Engineer Associate certification and what exam you can take to achieve it.

The Azure Security Engineer Associate certification follows Microsoft's departure from more broad certifications like the Microsoft Certified Systems Administrator (MCSA) or its older sibling, the Microsoft Certified Systems Engineer (MCSE). Nowadays the focus is on specific roles.

As the name suggests, this certification has "security" written all over it, specifically Azure security offerings and features. Since it is an Associate-level certification the required exam covers a wide range of security topics and technologies.

As a candidate for the Azure Security Engineer certification you should have subject matter expertise implementing security controls and threat protection, managing identity and access, and protecting data, apps, and networks in cloud and hybrid environments as part of an end-to-end infrastructure.

Responsibilities for this role include maintaining the security posture, identifying and remediating vulnerabilities by using a variety of security tools, implementing threat protection, and responding to security incident escalations.

As an Azure Security Engineer you will often serve as part of a larger team dedicated to cloud-based management and security or hybrid environments as part of an end-to-end infrastructure.

You should have strong skills in scripting and automation, a deep understanding of networking, virtualization, and cloud N-tier architecture, and a strong familiarity with cloud capabilities and products and services for Azure, plus other Microsoft products and services.

Having a strong IT security background is an absolute must-have to fully comprehend and understand these topics.

A single exam, AZ-500, is required to gain the Azure Security Engineer Associate certification. It is important to understand that Microsoft has taken up the practice of retiring and replacing exams at a much faster pace than in the past. Since the cloud is ever changing, Microsoft updates live exams frequently. The AZ-500 exam has received at least three updates since May 2019 and another one is incoming end of June 2020.

The price for the exam is US$165/€165. Microsoft offers a student discount if you verify your academic status when booking the exam by using one of the following: a school email account, a school account, an International Student Identity Card, a verification code. Alternatively you can also supply documentation proving your eligibility for the student discount.

While there are no specific prerequisites to achieving this certification beyond passing the AZ-500 exam, it is worth noting that experience with the required skills is key to a successful experience. Having passed the AZ-900 exam and achieved the corresponding Azure Fundamentals certification, while not mandatory, will help you prepare for this level since they introduce a number of technologies covered in the AZ-500 exam.

Ensure that you possess sufficient experience and invest the time to go through the relevant Pluralsight courses and other resources.

Your skills will be measured in the following four categories:

• Manage identity and access (20-25%)
• Implement platform protection (35-40%)
• Manage security operations (15-20%)
• Secure data and applications (30-35%)

These categories are broken down into details as follows:

Configure Azure Active Directory for workloads

• Create App Registration
• Configure App Registration permission scopes
• Manage App Registration permission consent
• Configure Multi-Factor Authentication settings
• Manage Azure AD directory groups
• Manage Azure AD users
• Install and configure Azure AD Connect
• Configure authentication methods
• Implement Conditional Access policies
• Configure Azure AD identity protection

Configure Azure AD Privileged Identity Management

• Monitor privileged access
• Configure Access Reviews
• Activate Privileged Identity Management

Configure Azure tenant security

• Transfer Azure subscriptions between Azure AD tenants
• Manage API access to Azure subscriptions and resources

Implement network security

• Configure virtual network connectivity
• Configure Network Security Groups (NSGs)
• Create and configure Azure Firewall
• Create and configure Azure Front Door service
• Create and configure app security groups
• Configure remote access management
• Configure baseline
• Configure resource firewall

Implement host security

• Configure endpoint security within the VM
• Configure VM security
• Harden VMs in Azure
• Configure system updates for VMs in Azure
• Configure baseline

Configure container security

• Configure network
• Configure authentication
• Configure container isolation
• Configure AKS security
• Configure container registry
• Implement vulnerability management

Implement Azure Resource management security

• Create Azure resource locks
• Manage resource group security
• Configure Azure policies
• Configure custom RBAC roles
• Configure subscription and resource permissions

Configure security services

• Configure Azure Monitor
• Configure diagnostic logging and log retention
• Configure vulnerability scanning

Configure security policies

• Configure centralized policy management by using Azure Security Center
• Configure Just in Time VM access by using Azure Security Center

Manage security alerts

• Create and customize alerts
• Review and respond to alerts and recommendations
• Configure a playbook for a security event by using Azure Sentinel
• Investigate escalated security incidents

Configure security policies to manage data

• Configure data classification
• Configure data retention
• Configure data sovereignty

Configure security for data infrastructure

• Enable database authentication
• Enable database auditing
• Configure Azure SQL Database Advanced Threat Protection
• Configure access control for storage accounts
• Configure key management for storage accounts
• Configure Azure AD authentication for Azure Storage
• Configure Azure AD Domain Services authentication for Azure Files
• Create and manage Shared Access Signatures (SAS)
• Configure security for HDInsight
• Configure security for Cosmos DB
• Configure security for Azure Data Lake

Configure encryption for data at rest

• Implement Azure SQL Database Always Encrypted
• Implement database encryption
• Implement Storage Service Encryption
• Implement disk encryption

Configure app security

• Configure SSL/TLS certs
• Configure Azure services to protect web apps
• Create an app security baseline

Configure and manage Key Vault

• Manage access to Key Vault
• Manage permissions to secrets, certificates, and keys
• Configure RBAC usage in Azure Key Vault
• Manage certificates
• Manage secrets
• Configure key rotation

Make sure you check out Pluralsight's Microsoft Azure Security Engineer (AZ-500) learning path, which currently contains 21 different courses split into beginners, intermediate, and advanced sections.

As always, the newer the course the more relevant the material will be to your learning journey.

Microsoft Learn provides several training resources free of charge. Take a look at the following learning paths:

• Secure your cloud applications in Azure

• Implement resource management security in Azure

• Implement network security in Azure

• Implement virtual machine host security in Azure

• Manage identity and access in Azure Active Directory

• Manage security operations in Azure

Utilizing Microsoft Docs and navigating to the relevant topics will also help you prepare for this exam.

The cloud business has been booming in the last several years. Microsoft has closed the gap with its main competitor and keeps growing. While COVID-19 has affected everyone in some way, it certainly doesn't seem to have had a negative impact on Microsoft's cloud growth.

Gaining an up-to-date certification like the Azure Security Engineer Associate certification from a household name like Microsoft should make you much more attractive to both your current and future employers, especially since the cloud security field is booming. Your current employer might not raise your salary, but the next time you go looking for a job make sure you check trusted Internet sources for up-to-date information on salaries in your region.

It's difficult to provide absolute figures because they will depend on numerous factors like your experience, company type and size, industry, and region. Expect salaries for experienced Azure Security Engineers to range from US$120,000 to US$225,000 in the United States.

As an Associate-level certification, gaining the Azure Security Engineer Associate credentials, while challenging, will earn you the recognition to prove that you are a subject matter expert in this field. All it takes is a single exam, and you have dozens of excellent courses available to gain the required knowledge and earn that badge. Sign up to Microsoft Azure, utilize the free cloud credits and services and book the exam, which you can take right in your home or in one of many testing centers.

I hope that this guide is useful and wish you good luck with gaining your certification.