This checklist mirrors every skill measured in the AZ‑500 Study Guide (rev Jan 2025). Mark each item with [x] once you are comfortable with it, or leave it blank [ ] to track what still needs work.
- Manage Azure built‑in role assignments
- Manage custom roles (Azure & Microsoft Entra)
- Implement / manage Microsoft Entra Permissions Management
- Plan & manage resources in Privileged Identity Management (PIM)
- Enable MFA for access to Azure resources
- Create and tune Conditional Access policies
- Manage access to enterprise apps (OAuth permission grants)
- Create & maintain app registrations
- Configure app‑registration permission scopes
- Manage consent for app‑registration permissions
- Create & use service principals
- Manage managed identities
- Manage Microsoft Entra application access
- Plan & implement NSGs / ASGs
- Manage VNets with Azure Virtual Network Manager
- Plan & implement user‑defined routes (UDRs)
- Configure VNet peering or a VPN gateway
- Deploy Virtual WAN & secured virtual hub
- Secure VPN connectivity (P2S & S2S)
- Encrypt ExpressRoute traffic
- Configure firewall settings on Azure resources
- Monitor with Network Watcher
- Plan & implement Service Endpoints
- Plan & implement Private Endpoints
- Plan & implement Private Link services
- Integrate networking for App Service / Functions
- Secure an App Service Environment (ASE)
- Secure networking for Azure SQL Managed Instance
- Enforce TLS for apps (App Service & API Management)
- Deploy & manage Azure Firewall (+ Firewall Manager / policies)
- Deploy Azure Application Gateway
- Deploy Azure Front Door (+ CDN)
- Deploy & tune a Web Application Firewall (WAF)
- Decide when to use Azure DDoS Protection Standard
- Secure private access to Azure resources
- Secure public access to Azure resources
- Plan & implement advanced compute security
- Configure JIT / Azure Bastion VM access
- Isolate networks for AKS
- Secure & monitor AKS
- Configure AKS authentication
- Monitor security for Azure Container Instances
- Monitor security for Azure Container Apps
- Manage access to Azure Container Registry (ACR)
- Configure disk encryption (ADE / host / confidential)
- Recommend secure configs for API Management
- Configure storage‑account access control
- Rotate / manage storage‑account keys
- Secure access to Azure Files
- Secure access to Blob Storage
- Protect data (soft delete, backup, versioning, immutable)
- Configure BYOK encryption
- Enable double encryption for Azure Storage
- Plan & implement storage security
- Secure Azure SQL DB / SQL MI
- Enable Microsoft Entra DB authentication
- Enable database auditing
- Implement dynamic data masking
- Enable Transparent Data Encryption (TDE)
- Decide when to use Always Encrypted
- Create / assign / interpret Azure Policy initiatives
- Configure Key Vault network settings
- Set vault access policies / RBAC
- Manage certificates, secrets, keys
- Configure key rotation
- Back up / recover certificates, secrets, keys
- Protect backups
- Implement security controls for asset management
- Remediate risks via Defender for Cloud Secure Score / Inventory
- Enforce cloud‑governance policies
- Manage security posture in Defender for Cloud
- Assess compliance with security frameworks
- Manage compliance standards in Defender
- Add custom standards in Defender
- Connect AWS / GCP / hybrid workloads
- Use Defender EASM (External ASM)
- Enable workload‑protection services
- Configure Defender for Servers / Databases / Storage
- Enable agentless VM scanning
- Enable Defender Vulnerability Management
- Secure CI/CD via Defender for Cloud DevOps Security
- Manage / respond to Defender alerts
- Build workflow automation in Defender
- Collect network data with Azure Monitor DCRs
- Configure data connectors in Sentinel
- Configure / manage threat protection in Defender
- Configure security monitoring & automation solutions
- Enable analytics rules in Sentinel
- Configure automation in Sentinel