SC-500 — Microsoft Certified: Cloud and AI Security Engineer Associate Exam Blueprint
Practical SC-500 exam blueprint for Microsoft Certified: Cloud and AI Security Engineer Associate candidates reviewing cloud, AI, identity, data, and security operations topics.
How to Use This Exam Blueprint
Use this checklist as a practical study map for the Microsoft Certified: Cloud and AI Security Engineer Associate (SC-500) exam from Microsoft. It is designed to help you decide what to review, what skills to practice, and what “ready” looks like before exam day.
This page does not assign official weights or claim to reproduce the Microsoft exam outline. Instead, it organizes the major readiness areas a cloud and AI security engineer should be able to reason through: identity, access, posture management, workload protection, data security, AI security, monitoring, incident response, and governance.
For each area, ask:
- Can I choose the right Microsoft security control for a scenario?
- Can I explain why a tempting alternative is weaker?
- Can I secure both traditional Azure workloads and AI-enabled solutions?
- Can I troubleshoot misconfigurations without over-permissioning?
- Can I connect prevention, detection, and response controls into one design?
SC-500 readiness map
| Readiness area | What to review | You are ready when you can… |
|---|---|---|
| Identity and access security | Microsoft Entra ID, Azure RBAC, managed identities, workload identities, Conditional Access, privileged access | Choose the correct identity and access control for users, apps, services, pipelines, and AI workloads |
| Privileged access and governance | Least privilege, role assignment scope, just-in-time access, access reviews, separation of duties | Reduce standing privilege without blocking operational tasks |
| Cloud security posture | Microsoft Defender for Cloud, secure score-style recommendations, regulatory/compliance mappings, attack path thinking | Prioritize posture findings and explain which control reduces which risk |
| Network and perimeter security | Private endpoints, service endpoints, firewall rules, NSGs, application-layer controls, segmentation | Decide when to isolate services, restrict public access, and control east-west traffic |
| Compute and workload protection | VMs, containers, AKS, serverless, app services, registries, runtime protection | Secure workloads across deployment, configuration, vulnerability, and runtime stages |
| Data protection | Encryption, keys, secrets, Key Vault, storage access, database security, Microsoft Purview concepts | Protect sensitive data at rest, in transit, in use, and in logs |
| AI platform security | Azure AI services, Azure OpenAI Service, Azure AI Foundry, Azure Machine Learning, model endpoints, vector stores | Secure AI access paths, data flows, prompts, tools, outputs, and monitoring |
| AI application risk | Prompt injection, data leakage, tool misuse, grounding data exposure, unsafe output, abuse monitoring | Add layered controls beyond a system prompt or model setting |
| DevSecOps | Secure CI/CD, GitHub or Azure DevOps security, secret scanning, IaC scanning, dependency risk, deployment approvals | Shift security checks left while preserving traceability and least privilege |
| Monitoring and detection | Azure Monitor, Log Analytics, Microsoft Sentinel, Defender alerts, KQL, diagnostic settings | Identify which logs matter and write or interpret simple detections |
| Incident response | Alert triage, investigation, containment, automation, evidence preservation, post-incident hardening | Move from alert to scope, impact, containment, and control improvement |
| Policy and compliance | Azure Policy, initiatives, exemptions, tagging, audit versus deny, Microsoft Purview governance | Enforce standards without confusing policy enforcement with threat detection |
Core SC-500 mental model
Security scenarios on SC-500 are rarely about a single feature in isolation. They usually test whether you can connect the control to the risk.
| Security question | Strong answer pattern |
|---|---|
| Who is allowed? | Microsoft Entra identity, group-based assignment, Azure RBAC, least privilege, scoped permissions |
| Under what conditions? | Conditional Access, device/session risk controls, privileged access workflows |
| From where? | Network isolation, private endpoints, firewall rules, trusted service access where appropriate |
| To what data? | Classification, data-plane permissions, encryption, key control, access logging |
| By which workload? | Managed identity, workload identity federation, service principal hardening |
| How is it deployed? | Secure pipeline, IaC review, policy guardrails, approvals |
| How is it monitored? | Diagnostic settings, central logs, alerts, analytics rules, incident workflow |
| What changes with AI? | Prompt and grounding data risks, tool-calling permissions, model endpoint access, output controls, sensitive log handling |
Identity and access checklist
Identity is the control plane for most Microsoft cloud security scenarios. Be ready to distinguish between human access, workload access, application access, and data-plane access.
Can you do this?
- Explain the difference between Microsoft Entra roles, Azure RBAC roles, and application permissions.
- Choose the correct RBAC scope: management group, subscription, resource group, or resource.
- Identify when a user needs a built-in role versus a custom role.
- Reduce excessive permissions without breaking the required task.
- Use groups for role assignment instead of assigning many individual users directly.
- Recognize when Privileged Identity Management-style controls are appropriate for elevated access.
- Choose managed identity for Azure-hosted workloads that need to call Azure services.
- Choose workload identity federation for external automation when avoiding long-lived secrets is the goal.
- Know when a client secret or certificate is a fallback, not the preferred design.
- Distinguish authentication failure, authorization failure, network denial, and policy denial during troubleshooting.
Identity decision path
flowchart TD
A[Caller needs access to a cloud or AI resource] --> B{Is the caller human?}
B -->|Yes| C[Use Microsoft Entra identity, group assignment, least-privilege role, and conditional controls]
B -->|No| D{Is the workload running in Azure?}
D -->|Yes| E[Use managed identity with scoped Azure RBAC or data-plane permissions]
D -->|No| F{Is it a CI/CD or external workload?}
F -->|Yes| G[Prefer workload identity federation and scoped permissions]
F -->|No| H[Use service principal with strong secret/certificate handling and rotation]
C --> I[Monitor access and review privilege]
E --> I
G --> I
H --> I
Common identity traps
| Trap | What to watch for |
|---|---|
| Confusing Azure RBAC with data-plane permissions | A user may manage a resource but still lack permission to read data inside it, or the reverse |
| Granting Contributor too broadly | Contributor is often more privilege than the scenario requires |
| Treating network access as authorization | Private access limits paths, but identity still controls allowed operations |
| Storing app secrets in code or pipeline variables | Prefer managed identity or federation; otherwise use Key Vault and rotation |
| Ignoring inherited permissions | A role assigned at a higher scope may explain unexpected access |
Cloud security posture and governance
SC-500 candidates should be able to move from “a finding exists” to “this is the right remediation path.”
| Topic | Review focus | Ready check |
|---|---|---|
| Microsoft Defender for Cloud | Recommendations, workload protections, attack paths, posture prioritization | Can you decide which recommendation should be remediated first and why? |
| Azure Policy | Audit, deny, modify, deploy-if-not-exists concepts, initiatives, exemptions | Can you enforce a security baseline without confusing policy with detection? |
| Management hierarchy | Management groups, subscriptions, resource groups, inheritance | Can you place a control at the right scope? |
| Security baselines | Standardized configurations for networking, identity, logging, encryption, and tagging | Can you identify drift from the baseline? |
| Exceptions | Temporary or justified deviations with review | Can you explain when an exemption is safer than disabling the policy globally? |
| Compliance evidence | Control mapping, logs, configuration state, access records | Can you identify what evidence supports a control? |
Governance prompts
For each scenario, ask:
- What is the asset being protected?
- Is the risk caused by identity, configuration, data exposure, network exposure, or missing monitoring?
- Should the control prevent, detect, audit, or remediate?
- Where should the control be applied so it covers future resources?
- What exception process prevents permanent policy bypass?
Network, workload, and application security
Be ready to secure workloads without assuming every answer is “block public access.” Some services need controlled public access, while others should be private-only.
| Scenario cue | Strong response |
|---|---|
| Azure service should not be reachable from the internet | Use private endpoint/private access patterns where supported, restrict public network access, configure DNS correctly |
| App tier talks to data tier | Use segmentation, least privilege identity, encrypted transport, and minimal inbound rules |
| Web app receives internet traffic | Use appropriate edge protection, application-layer controls, TLS, identity integration, and logging |
| AKS workload pulls container images | Secure registry access, scan images, restrict credentials, and monitor runtime risk |
| VM has broad inbound management ports | Replace broad exposure with controlled management access and just-in-time or bastion-style approaches |
| Serverless function calls storage or AI service | Use managed identity and scoped permissions instead of embedded secrets |
Workload protection checklist
- Identify management-plane versus runtime risk.
- Secure inbound and outbound network paths.
- Require encrypted transport where applicable.
- Use managed identities for service-to-service calls.
- Apply vulnerability management to VMs, containers, dependencies, and images.
- Centralize logs from workloads and platform resources.
- Understand when Defender for Cloud recommendations relate to workload hardening.
- Know how container registry, image scanning, admission controls, and runtime monitoring fit together.
- Avoid solving every workload problem with a network rule when identity or data permissions are the real issue.
Data protection, secrets, and key management
Data security scenarios often combine identity, encryption, storage configuration, and monitoring.
| Topic | What to know | Ready check |
|---|---|---|
| Azure Key Vault | Secrets, keys, certificates, access control, logging, rotation planning | Can you decide what belongs in Key Vault and who or what can retrieve it? |
| Managed identities | Passwordless access from workloads | Can you replace embedded secrets with managed identity? |
| Encryption | Platform-managed keys, customer-managed keys, key access, rotation considerations | Can you explain the operational impact of controlling keys? |
| Storage access | Microsoft Entra auth, shared keys, SAS, firewall rules, private access, immutability concepts | Can you reduce data exposure without breaking the access pattern? |
| Database security | Identity-based access, encryption, auditing, threat detection, network restrictions | Can you secure both administration and application access? |
| Microsoft Purview | Classification, labeling, data governance, DLP-related concepts | Can you distinguish governance/classification from encryption or threat protection? |
Data security “can you do this?” checklist
- Decide when to use Key Vault for a secret versus managed identity to avoid a secret.
- Explain why a SAS token can be risky if it is long-lived or over-scoped.
- Identify where logs may leak sensitive data, including AI prompts and responses.
- Apply least privilege to data-plane operations, not just resource management.
- Separate key administration from data access when the scenario requires separation of duties.
- Recognize the difference between encryption, masking, classification, and access control.
- Protect backup, export, and replication paths, not only the primary service.
AI security readiness
For SC-500, AI security is not just “use an AI service securely.” You should be able to reason about data flow, identity, model access, grounding data, prompt handling, tools, output, and monitoring.
AI workload threat model
| AI component | Security questions to ask |
|---|---|
| User interface | Who can submit prompts? Are sessions authenticated? Are abusive inputs monitored? |
| Application layer | Does the app validate input, enforce authorization, and avoid leaking system instructions? |
| Model endpoint | Who can call the model? Is access scoped? Is the endpoint exposed publicly or privately? |
| Grounding data / RAG source | Is retrieval authorization-trimmed? Can one user retrieve another user’s data? |
| Vector index | Does the index contain sensitive data? Is access isolated by tenant, role, or workload? |
| Tools / function calls | Can the model trigger actions? Are tools allowlisted and least-privileged? |
| Output layer | Is content filtered, reviewed, logged safely, or blocked when risky? |
| Logs and telemetry | Are prompts, completions, documents, and embeddings protected as sensitive data? |
| Evaluation and red teaming | Are prompt injection, jailbreaks, data exfiltration, and tool misuse tested? |
AI security controls checklist
- Secure Azure AI service access with Microsoft Entra identity and scoped permissions where applicable.
- Use managed identity for apps that call Azure AI services from Azure workloads.
- Restrict AI service network access when the architecture requires private connectivity.
- Protect API keys when key-based access is unavoidable.
- Treat prompts and responses as potentially sensitive data.
- Add content safety controls for harmful or policy-violating output.
- Defend against prompt injection with layered controls, not only stronger prompt wording.
- Limit tool/function permissions so the AI app cannot perform actions beyond the user’s authorization.
- Apply authorization checks before retrieval from grounding data sources.
- Monitor unusual AI usage patterns, errors, denials, and possible abuse.
- Prevent sensitive data from being copied into training, evaluation, logs, or analytics without controls.
- Document trust boundaries between users, app services, model endpoints, tools, and data stores.
AI scenario decision checks
| Scenario | Better answer direction |
|---|---|
| App calls Azure OpenAI Service using a stored key in source code | Move secret out of code; prefer managed identity or secure secret storage depending on supported pattern |
| AI assistant can search internal documents | Enforce user authorization before retrieval; avoid returning documents the user cannot access |
| Model can trigger business actions | Use allowlisted tools, scoped permissions, validation, audit logging, and human approval for high-risk actions |
| Users attempt prompt injection | Combine content safety, instruction hierarchy, input validation, output checks, retrieval controls, and monitoring |
| Prompts include customer data | Classify and protect logs, retention, access, and downstream analytics |
| AI endpoint is exposed publicly but only internal apps should use it | Restrict network path, authenticate callers, and monitor access |
| Fine-tuning or evaluation uses production data | Minimize, classify, approve, protect, and track lineage of the data |
AI traps
| Trap | Why it is risky |
|---|---|
| “A system prompt is enough security” | Prompts guide behavior but do not replace authorization, network control, or data protection |
| “Content safety equals data security” | Content filters reduce harmful output but do not enforce data access permissions |
| “The model decides what the user may see” | Authorization must be enforced by the application and data layer |
| “Vector data is harmless” | Embeddings and indexes can represent sensitive source data |
| “Tool calls are just output” | Tool calls can change systems, send data, or trigger transactions |
| “AI logs are ordinary telemetry” | Prompts and completions may contain confidential, regulated, or customer-sensitive content |
DevSecOps and deployment security
A cloud and AI security engineer should understand how insecure code and pipeline choices become runtime risk.
| Area | Review focus | Ready check |
|---|---|---|
| Source control | Secret scanning, branch controls, code review, dependency visibility | Can you detect and respond to leaked secrets? |
| CI/CD identity | Federated credentials, service principals, managed identities, scoped permissions | Can you deploy without giving the pipeline broad permanent access? |
| Infrastructure as Code | Policy validation, template scanning, secure defaults, drift detection | Can you catch insecure configuration before deployment? |
| Container supply chain | Image scanning, signed/trusted images, registry access, base image updates | Can you explain how build-time and runtime controls differ? |
| Deployment approvals | Separation of duties, environment promotion, change records | Can you protect production while keeping deployments repeatable? |
| AI app release | Prompt/config review, safety evaluation, data-source approval, tool permission review | Can you treat prompt and agent changes as security-relevant changes? |
Pipeline security checklist
- Avoid long-lived deployment credentials when federation is available.
- Scope pipeline permissions to the target environment.
- Store secrets in approved secret stores, not repository files.
- Scan IaC for public exposure, missing encryption, missing diagnostics, and overly broad roles.
- Require review for changes to model configuration, retrieval sources, safety filters, and tool permissions.
- Ensure deployment logs do not expose secrets, prompts, keys, or sensitive outputs.
- Monitor changes to RBAC assignments, policy exemptions, network rules, and AI endpoints.
Monitoring, detection, and incident response
SC-500 readiness includes knowing which telemetry supports investigation and response. You do not need to memorize every KQL function, but you should recognize useful queries and detection logic.
| Need | Microsoft-aligned service or concept | Ready check |
|---|---|---|
| Collect platform logs | Azure Monitor, diagnostic settings, Log Analytics | Can you identify which resource logs must be enabled? |
| Correlate alerts and incidents | Microsoft Sentinel, Microsoft Defender signals | Can you move from alert to affected identity, resource, and timeline? |
| Investigate identity events | Microsoft Entra logs, sign-in events, audit events | Can you distinguish risky sign-in, failed auth, and role changes? |
| Investigate resource changes | Azure Activity logs, policy events, Defender findings | Can you identify who changed a security setting? |
| Detect data access anomalies | Storage/database logs, Purview-related signals where applicable | Can you tell normal access from suspicious bulk or unusual access? |
| Respond consistently | Automation, playbooks, containment steps, documentation | Can you propose containment without destroying evidence? |
KQL readiness examples
Be able to interpret and adapt simple queries like these.
SigninLogs
| where ResultType != 0
| summarize FailedSignIns = count() by UserPrincipalName, AppDisplayName, bin(TimeGenerated, 1h)
| order by FailedSignIns desc
AzureActivity
| where OperationNameValue has "roleAssignments"
| project TimeGenerated, Caller, OperationNameValue, ActivityStatusValue, ResourceGroup, ResourceProviderValue
| order by TimeGenerated desc
SecurityAlert
| summarize AlertCount = count() by ProviderName, AlertSeverity
| order by AlertCount desc
Command and artifact checks
You should be comfortable recognizing the purpose of common administrative checks, even if the exam does not ask you to type exact commands.
az role assignment list --assignee <principal-id> --scope <scope>
az monitor diagnostic-settings list --resource <resource-id>
az keyvault secret list --vault-name <vault-name>
Know what each command helps answer:
| Command pattern | Security question |
|---|---|
az role assignment list | Who or what has access at this scope? |
az monitor diagnostic-settings list | Are logs being sent to the expected destination? |
az keyvault secret list | What secrets exist in the vault, and should access be reviewed? |
Scenario and decision-point practice
Use these prompts to test readiness across multiple topic areas.
| Scenario cue | What to decide |
|---|---|
| A developer needs temporary production access | Use least privilege, time-bound elevation, approval, logging, and review |
| A workload needs to call storage and Azure AI services | Use managed identity, scoped permissions, network restrictions, and diagnostics |
| A storage account contains sensitive documents for RAG | Apply classification, access controls, private access, logging, and authorization-trimmed retrieval |
| Defender for Cloud reports multiple recommendations | Prioritize exposed, high-impact, easily exploitable paths before low-impact hygiene items |
| A policy blocks deployment | Determine whether the deployment is insecure, needs remediation, or qualifies for a controlled exemption |
| An AI app starts returning confidential snippets | Investigate grounding data permissions, prompt injection, retrieval logic, logs, and output controls |
| A pipeline has Contributor at subscription scope | Replace with scoped permissions and safer workload identity patterns |
| Users report access denied after private endpoint deployment | Check DNS, network path, identity permissions, firewall settings, and service configuration |
| A key is rotated and an app fails | Check whether the app uses the correct identity, secret reference, versioning, and refresh pattern |
| An alert shows unusual role assignments | Identify caller, scope, time, affected identities, persistence risk, and containment action |
Common weak areas to fix before exam day
| Weak area | How to strengthen it |
|---|---|
| Overusing one control for every scenario | Practice mapping risk to control: identity, network, data, policy, detection, or response |
| Mixing up Microsoft Entra roles and Azure RBAC | Make a two-column comparison and add examples for each |
| Ignoring data-plane authorization | Review storage, Key Vault, database, and AI data-source access separately from resource management |
| Assuming private endpoint solves all access risk | Pair network isolation with identity, DNS, logging, and data permissions |
| Treating AI security as only content filtering | Add controls for retrieval, tools, prompts, logs, identity, and endpoints |
| Forgetting logs must be enabled | Review diagnostic settings and where logs are routed |
| Choosing broad admin roles for convenience | Practice least-privilege alternatives and scoped role assignments |
| Confusing posture management with SIEM | Defender for Cloud helps with posture and workload protection; Sentinel focuses on detection, correlation, and response |
| Missing pipeline identity risk | Review federated credentials, secret avoidance, and scoped deployment permissions |
| Memorizing product names without scenarios | For every service, know when to choose it and when not to |
Final-week checklist
| Final review task | Done when… |
|---|---|
| Cross-check current Microsoft SC-500 objectives | Your notes align to the current public exam areas |
| Build one end-to-end architecture | You can secure an AI app with identity, network, data, keys, logging, policy, and incident response |
| Review identity scenarios | You can choose between user access, managed identity, service principal, and federation |
| Review AI threat scenarios | You can explain prompt injection, grounding data exposure, tool misuse, and sensitive logging risks |
| Practice KQL interpretation | You can read a query and explain what investigation question it answers |
| Drill RBAC scope questions | You can identify least-privilege scope and avoid unnecessary subscription-wide access |
| Revisit wrong answers | You can explain why each wrong option is wrong, not just why the correct option is correct |
| Review posture versus detection | You can separate preventive configuration, policy enforcement, alerting, and incident response |
| Summarize service selection | You can map Microsoft Entra, Defender for Cloud, Sentinel, Purview, Key Vault, Azure Policy, and Azure AI services to use cases |
| Rest and simplify | You have a concise list of weak areas, not a pile of unfocused notes |
Practical next step
Pick three weak rows from this checklist and turn each into a scenario: the asset, the risk, the Microsoft control, the reason it fits, and the reason two alternatives are weaker. Then test yourself with original SC-500 practice questions that force service selection, troubleshooting, and security design decisions.