Four domains, with weights set by Microsoft's May 2026 update. Every domain summary below is paraphrased from the official skills outline; bullet-level objectives in Azure Mastery are tagged so you always know which domain you're being tested on and where your weak spots cluster.
Manage identity, access, and governance20–25%
Secure access and lock down the control plane. Microsoft Entra ID — authentication (passwordless, MFA), Conditional Access, Privileged Identity Management, identity for enterprise apps and app registrations, OAuth consent, and managed identities. Azure Key Vault — deploy, configure access and firewall, manage keys/secrets/certificates, and Defender for Key Vault. Governance — Azure Policy (built-in and custom), regulatory compliance in Defender for Cloud, resource locks, built-in and custom RBAC roles, remediating overprivileged access, Azure Backup security, and security controls via infrastructure as code. Around 10–14 questions per sitting.
Secure storage, databases, and networking25–30%
The largest domain by weight. Storage: account security, Azure Storage firewall rules, Defender for Storage threat protection, and access policies. Databases: platform-level security in Azure SQL, auditing for SQL Database and Managed Instance, and Defender for Databases. Networking: NSGs and application security groups, Azure Virtual Network Manager, Virtual WAN security, VPN, Microsoft Entra Private Access, Private Endpoints and Private Link, Azure Firewall, and effective-rules analysis with Network Watcher. Around 12–16 questions.
Secure compute and AI workloads20–25%
The headline addition over AZ-500. Security for AI: identify data overexposure with Purview DSPM for Microsoft Copilot and AI apps, real-time protection for Copilot Studio agents, Conditional Access and blast-radius analysis for Microsoft Entra Agent ID via Defender XDR, deploy AI Gateway in API Management for Microsoft Foundry, enable Defender for AI, and configure Foundry agent guardrails. Plus servers and VMs (disk encryption, Azure Bastion, JIT access, Azure Arc, Defender for Servers, secure boot and vTPM) and the app platform (Defender for Containers, AKS, ACR, Container Apps, Functions, Logic Apps, App Service, Web Application Firewall, API Management). Around 10–14 questions.
Manage and monitor security posture20–25%
The operational core. Microsoft Defender for Cloud: Defender CSPM, compliance against security frameworks, workload protection plans, connecting AWS and GCP, Defender Vulnerability Management, and External Attack Surface Management (EASM). Microsoft Sentinel: workspaces and roles, content hub, data connectors, syslog/CEF and Windows event collection via data collection rules, custom log tables, automation rules and playbooks, retention, and querying Purview Audit in Defender XDR. Plus Microsoft Security Copilot — workspaces, roles, plugins, and agents. Around 10–14 questions.