Azure Mastery

Microsoft Certification SC-500

Predict your score. Pass with proof.

On-device AI scores your readiness, builds an adaptive study plan, and flags topics fading from memory — before they cost you the exam.

361 practice questions AI score prediction 100% offline
Download free iPhone & iPad · Free to start

SC-500 Study App for iOS — Microsoft Cloud and AI Security Engineer

Get exam-ready for SC-500 (Microsoft Cloud and AI Security Engineer) — the new exam succeeding AZ-500 — on iPhone or iPad. Azure Mastery uses on-device AI to predict your readiness score across all four SC-500 domains, build a personalised study plan from your weak spots, and surface topics you're forgetting — all without sending a single byte off your device.

The exam

What is the SC-500 exam?

SC-500 is the Microsoft Certified: Cloud and AI Security Engineer Associate exam — the credential hiring managers expect when posting "Cloud Security Engineer", "Azure Security Specialist", or "Cloud and AI Security" roles. It's the direct successor to AZ-500 (Microsoft Azure Security Engineer), which retires on 31 August 2026. SC-500 keeps the core Azure security-engineering content and broadens the role to cover securing cloud and AI workloads. It's the natural next step after AZ-104 for anyone administering Azure who's now responsible for security posture, and it pairs with SC-900 on the way up to the SC-100 Cybersecurity Architect Expert credential.

SC-500 is hands-on and operational. It validates that you can manage identity, access, and governance (Microsoft Entra ID, Conditional Access, PIM, managed identities, Azure Key Vault, Azure Policy and RBAC); secure storage, databases, and networking (Defender for Storage, Azure SQL security, NSGs, Azure Firewall, Private Link); secure compute and AI workloads (disk encryption, Defender for Servers and Containers, plus securing AI — Microsoft Entra Agent ID, Defender for AI, AI Gateway in API Management for Foundry, and Purview DSPM for Copilot); and manage and monitor security posture with Microsoft Defender for Cloud, Microsoft Sentinel, and Microsoft Security Copilot. Expect scenario questions that show you a config snippet or attack signal and ask what you'd do next.

Microsoft published the SC-500 skills outline for the May 2026 beta, with full training and exam expected from July 2026. Every question in Azure Mastery's SC-500 bank is mapped to that outline — including the new AI-security objectives, not just the AZ-500 carry-over. Read the official outline at learn.microsoft.com.

Skills measured · May 2026

SC-500 exam objectives

Four domains, with weights set by Microsoft's May 2026 update. Every domain summary below is paraphrased from the official skills outline; bullet-level objectives in Azure Mastery are tagged so you always know which domain you're being tested on and where your weak spots cluster.

Manage identity, access, and governance20–25%

Secure access and lock down the control plane. Microsoft Entra ID — authentication (passwordless, MFA), Conditional Access, Privileged Identity Management, identity for enterprise apps and app registrations, OAuth consent, and managed identities. Azure Key Vault — deploy, configure access and firewall, manage keys/secrets/certificates, and Defender for Key Vault. Governance — Azure Policy (built-in and custom), regulatory compliance in Defender for Cloud, resource locks, built-in and custom RBAC roles, remediating overprivileged access, Azure Backup security, and security controls via infrastructure as code. Around 10–14 questions per sitting.

Secure storage, databases, and networking25–30%

The largest domain by weight. Storage: account security, Azure Storage firewall rules, Defender for Storage threat protection, and access policies. Databases: platform-level security in Azure SQL, auditing for SQL Database and Managed Instance, and Defender for Databases. Networking: NSGs and application security groups, Azure Virtual Network Manager, Virtual WAN security, VPN, Microsoft Entra Private Access, Private Endpoints and Private Link, Azure Firewall, and effective-rules analysis with Network Watcher. Around 12–16 questions.

Secure compute and AI workloads20–25%

The headline addition over AZ-500. Security for AI: identify data overexposure with Purview DSPM for Microsoft Copilot and AI apps, real-time protection for Copilot Studio agents, Conditional Access and blast-radius analysis for Microsoft Entra Agent ID via Defender XDR, deploy AI Gateway in API Management for Microsoft Foundry, enable Defender for AI, and configure Foundry agent guardrails. Plus servers and VMs (disk encryption, Azure Bastion, JIT access, Azure Arc, Defender for Servers, secure boot and vTPM) and the app platform (Defender for Containers, AKS, ACR, Container Apps, Functions, Logic Apps, App Service, Web Application Firewall, API Management). Around 10–14 questions.

Manage and monitor security posture20–25%

The operational core. Microsoft Defender for Cloud: Defender CSPM, compliance against security frameworks, workload protection plans, connecting AWS and GCP, Defender Vulnerability Management, and External Attack Surface Management (EASM). Microsoft Sentinel: workspaces and roles, content hub, data connectors, syslog/CEF and Windows event collection via data collection rules, custom log tables, automation rules and playbooks, retention, and querying Purview Audit in Defender XDR. Plus Microsoft Security Copilot — workspaces, roles, plugins, and agents. Around 10–14 questions.

Designed for SC-500

How Azure Mastery helps you pass SC-500

Azure Mastery ships with 361 SC-500 practice questions, every one written specifically against the current (May 2026) skills outline — not generic security trivia. Each question carries a domain tag mapped to the official four domains (identity/access/governance, storage/databases/networking, compute and AI workloads, security posture), so you always know which area you're being tested on and where your weak spots are clustered. KQL snippets, Conditional Access JSON, Defender plan scenarios, and the new AI-security objectives (Entra Agent ID, Defender for AI, Foundry guardrails) appear throughout — matching the format of the live exam.

The on-device Exam IQ engine predicts your SC-500 score before you sit the exam. After roughly 30 questions it has enough signal to give a confidence-scored prediction (e.g. "786 ±37, 68% confidence") — and tells you the specific topics that are dragging your readiness down. No vague "study more" advice; just a ranked list of objectives where improvement would move your score the furthest.

The adaptive study plan rebuilds itself from your answer history. Get a Conditional Access scenario wrong? You'll see another Entra access-management question in the next session. Master "Defender for SQL vs Defender for Storage" three sessions running and the engine backs off, surfacing fresh Sentinel KQL or Key Vault scenarios. The plan optimises for the gap between where you are and the 700 pass score, not for blind volume.

Knowledge decay tracking matters more for SC-500 than for foundational exams — four security domains span a lot of surface area, and the topic you mastered three weeks into your study window is the topic you'll forget by exam day if you stop revising. Azure Mastery tracks every topic's decay curve and flags topics approaching expiry. The padlock icon on the Today screen is your "revisit before you forget" cue, and weak-spot drills automatically pull from decayed topics first.

Real exam simulation mode runs at SC-500's actual length and time pressure: a randomised 40–60-question set drawn from the full 310-question bank, weighted by domain percentages from the May 2026 outline, with the 100-minute timer running and no jumping back to flag-and-review. It's the closest you can get to the live Pearson VUE / online-proctored experience without sitting the exam.

Everything runs on-device. Your answer history, your readiness gauge, your decay alerts — none of it leaves your iPhone or iPad. No account required to start, no tracking, no sync server. Privacy-first by design.

6-week study plan

Suggested SC-500 study plan

Most candidates pass SC-500 after four to eight weeks of focused study, depending on prior Azure security experience. The six-week plan below maps onto the four SC-500 domains, Azure Mastery's adaptive sessions, and the in-app exam simulator. Adjust pace to taste — the readiness gauge tells you when you're done, not the calendar.

  1. Identity, access, and governance

    • Days 1–3: Microsoft Entra ID — authentication methods, MFA, passwordless. Conditional Access — named locations, sign-in risk, session controls. Privileged Identity Management (eligibility, activation, access reviews).
    • Days 4–6: Identity for applications (enterprise apps, app registrations, OAuth consent), managed identities for Azure resources. Azure Key Vault — access and firewall config, keys/secrets/certificates, Defender for Key Vault.
    • Days 7–10: Governance — Azure Policy (built-in and custom), built-in and custom RBAC roles, remediating overprivileged access, resource locks.
    • Days 11–14: Regulatory compliance in Defender for Cloud, Azure Backup security features, and security controls via infrastructure as code.
  2. Storage, databases, networking, and AI workloads

    • Days 15–17: Storage — account security, Azure Storage firewall rules, Defender for Storage, access policies. Databases — Azure SQL platform security, auditing, Defender for Databases.
    • Days 18–21: Networking — NSGs and ASGs, Virtual Network Manager, Virtual WAN, VPN, Microsoft Entra Private Access, Private Endpoints and Private Link, Azure Firewall, Network Watcher.
    • Days 22–24: Compute — disk encryption, Azure Bastion, JIT VM access, Azure Arc, Defender for Servers, secure boot and vTPM. App platform — Defender for Containers, AKS, ACR, Container Apps, Functions, Logic Apps, App Service, WAF, API Management.
    • Days 25–28: Security for AI — Purview DSPM for Copilot, Entra Agent ID Conditional Access and blast-radius analysis via Defender XDR, AI Gateway in API Management for Foundry, Defender for AI, Foundry agent guardrails.
  3. Security posture, then simulate

    • Days 29–32: Microsoft Defender for Cloud — Defender CSPM, compliance frameworks, workload protection plans, connecting AWS and GCP, Defender Vulnerability Management, EASM.
    • Days 33–37: Microsoft Sentinel — workspaces and roles, content hub, data connectors, syslog/CEF and Windows event collection, data collection rules, automation rules and playbooks. Plus Microsoft Security Copilot — plugins and agents.
    • Days 38–40: Run Focus Weak Spots every morning — the app surfaces the highest-leverage questions for your weakest domains. Weight time toward storage/databases/networking, the largest domain.
    • Days 41–42: Two end-to-end Exam Simulator runs at full 100-minute length. Review carefully after each. If readiness gauge is 750+ with reasonable confidence, schedule the exam.

Inside the app

Every Microsoft question type, on iPhone

SC-500's question bank uses the same formats Microsoft puts on the live exam — not just multiple choice. Each visualisation below is a faithful mock of how the type renders inside Azure Mastery on iPhone and iPad. Exam-simulator mode runs all of them at full 100-minute length with no flag-and-review jumps, mirroring Pearson VUE.

Multiple choice

One correct answer from four to six options. The most common type on every Azure exam — practical recall of services, settings, and limits.

~50% of questions

Multi-select

Pick two or more correct answers from a list. Microsoft tells you exactly how many to choose. Partial credit not awarded — you need every selection right.

All-or-nothing

Drag-and-drop

Arrange items into the correct sequence — deployment steps, the order operations occur in a pipeline, troubleshooting flows. Long-press to drag on touch.

Order matters

Hotspot

Tap the correct area of an image — the right setting in a portal screenshot, the right resource in a topology diagram. Practical visual recall under time pressure.

Tap target

Case studies

A multi-paragraph scenario followed by 4–6 linked questions. Common on SC-500 in the storage and identity domains; dominant on AZ-305 and AZ-400.

Multi-question

Why Wrong AI

An Azure Mastery exclusive. When you answer incorrectly, an on-device Apple Foundation Model writes a targeted explanation grounded in the correct rationale. Never leaves your device.

App exclusive

Frequently asked

SC-500 FAQs

Is SC-500 replacing AZ-500?

Yes. SC-500 (Cloud and AI Security Engineer) is the direct successor to AZ-500 (Azure Security Engineer), which retires on 31 August 2026. The SC-500 beta opened in May 2026, with full training and exam expected from July 2026. SC-500 keeps the core Azure security-engineering content of AZ-500 and expands the role to cover securing cloud and AI workloads — including Microsoft Copilot, Microsoft Entra Agent ID, Microsoft Foundry, and Defender for AI. If you haven't yet started AZ-500, most candidates should now prepare for SC-500 instead.

How much does the SC-500 exam cost?

The SC-500 voucher is USD $165 in the United States. Pricing varies by region — in the UK it's typically around £128. Microsoft sometimes runs free-voucher promotions during events such as Microsoft Build or Microsoft Ignite, so check your Microsoft Learn profile for any active offers before booking. SC-500 is an Associate certification and requires annual renewal (free, online), so factor that into long-term cost planning.

Does the SC-500 certification expire?

Yes. Microsoft Associate certifications including SC-500 expire annually. Renewal is free — a short online assessment on Microsoft Learn within the six-month window before your expiration date. The renewal targets recent skills outline updates, so staying current is straightforward if you remain broadly active in the role. (Fundamentals certifications such as SC-900 are different — those don't expire.)

What is the SC-500 retake policy if I fail?

The first retake is allowed after 24 hours. Second and third retakes each require a 14-day wait. Microsoft caps retakes at five attempts per 12-month rolling period. Each attempt requires a new voucher purchase.

How long should I study for SC-500?

Most candidates pass SC-500 after four to eight weeks of focused study, assuming some prior Azure and Microsoft Entra experience. If cloud security is genuinely new to you, plan for two to three months — the exam expects hands-on knowledge of Defender for Cloud, Microsoft Sentinel, Entra ID, and Key Vault, not just concepts. Azure Mastery's readiness gauge tells you when you're at exam-ready; don't book until it shows roughly 720 or higher with reasonable confidence.

SC-500 vs SC-200 — which next on the security track?

Different roles. SC-500 is the Cloud and AI Security Engineer cert — it's about implementing security controls across identity, storage, networking, compute, and AI workloads. SC-200 is the Security Operations Analyst cert — it's about running Microsoft Defender XDR and Sentinel as a SOC analyst, with heavier focus on detection, investigation, and incident response across the Microsoft 365 estate. If your day job is securing cloud and AI workloads, SC-500. If it's running detection-and-response, SC-200. Many Cybersecurity Architect (SC-100) candidates hold both, with SC-900 as the connective fundamentals.

Where SC-500 fits

Certification paths that include SC-500

SC-500 is the cloud-and-AI security Associate cert — the successor to AZ-500. It pairs with SC-900 on the way into security work, and feeds into the SC-100 Cybersecurity Architect Expert credential alongside SC-200 / SC-300. Tap any linked exam below to see its dedicated study app page.

Cybersecurity Architect Expert path

Expert tier
  1. SC-900 Fundamentals (optional)
  2. SC-500 prereq option
  3. or SC-200 prereq option
  4. SC-100 Cybersecurity Architect exam
  5. Cybersecurity Architect Expert credential

Ready to pass SC-500?

Download Azure Mastery free. 361 SC-500 practice questions across all four domains, AI score prediction, full-length exam simulator, adaptive study plan. iPhone & iPad.

Download Azure Mastery — free iPhone & iPad · Free to start · No account required