Microsoft Azure Security Engineer Associate Quick Facts (2025)

Prepare for the Microsoft Certified: Azure Security Engineer Associate (AZ-500) exam with this concise, domain-weighted overview that covers identity and access, secure networking, compute/storage/database protections, Microsoft Defender for Cloud and Sentinel, exam logistics, and study resources.


The Microsoft Azure Security Engineer Associate certification empowers you to build confidence in protecting cloud environments while growing your expertise. This overview provides the clarity and focus you need to navigate the exam with ease, breaking down each domain into simple, actionable insights.

Why pursue the Microsoft Azure Security Engineer Associate certification?

The Microsoft Azure Security Engineer Associate certification validates your ability to implement security controls, manage identities, protect workloads, and safeguard network and hybrid infrastructures across Azure and multi-cloud platforms. It’s a valuable credential for IT professionals who specialize in security engineering, giving them the skills and recognition to design and manage resilient cloud environments. By demonstrating proficiency in using Microsoft Defender for Cloud, Microsoft Sentinel, and other key Azure security tools, this certification helps you stand out as a trusted professional ready to protect enterprise data and systems.

Exam Domain Breakdown

Domain 1: Secure identity and access (18.75% of the exam)

Manage security controls for identity and access

  • Manage Azure built-in role assignments
  • Manage custom roles, including Azure roles and Microsoft Entra roles
  • Implement and manage Microsoft Entra Permissions Management
  • Plan and manage Azure resources in Microsoft Entra Privileged Identity Management, including settings and assignments
  • Implement multi-factor authentication (MFA) for access to Azure resources
  • Implement Conditional Access policies for cloud resources in Azure

Summary: This section covers how to create and manage identity and role-based access controls across an Azure environment. You will explore the use of built-in roles, design and customize role assignments, and implement Microsoft Entra Permissions Management for achieving fine-grained access governance. The emphasis is on ensuring appropriate access with just-in-time privileges while balancing productivity requirements.

You will also work extensively with security-focused configurations including MFA enrollment, privilege assignments through Privileged Identity Management, and Conditional Access policy settings. By the end of this domain area, you will understand how to protect Azure identities in line with best practices while enabling secure access to corporate applications and resources.

Manage Microsoft Entra application access

  • Manage access to enterprise applications in Microsoft Entra ID, including OAuth permission grants
  • Manage Microsoft Entra app registrations
  • Configure app registration permission scopes
  • Manage app registration permission consent
  • Manage and use service principals
  • Manage managed identities

Summary: This section focuses on managing how applications integrate and authenticate with Microsoft Entra ID. You will gain experience managing app registrations and configuring permission scopes that control how applications securely interact with Azure services. Understanding OAuth permission grants, service principals, and managed identities is central to achieving reliable application identity management.

Additionally, you will learn to configure consent processes for applications, enabling administrators and developers to securely define what applications can access. These capabilities ensure enterprise applications are onboarded securely and that application identities are effectively governed to prevent unauthorized access to sensitive Azure resources.

Domain 2: Secure networking (23.75% of the exam)

Plan and implement security for virtual networks

  • Plan and implement Network Security Groups (NSGs) and Application Security Groups (ASGs)
  • Manage virtual networks by using Azure Virtual Network Manager
  • Plan and implement user-defined routes (UDRs)
  • Plan and implement Virtual Network peering or VPN gateway
  • Plan and implement Virtual WAN, including secured virtual hub
  • Secure VPN connectivity, including point-to-site and site-to-site
  • Implement encryption over ExpressRoute
  • Configure firewall settings on Azure resources
  • Monitor network security by using Network Watcher

Summary: This section focuses on designing and configuring secure communication within virtual networks. Essential skills include implementing NSGs and ASGs to segment and protect workloads, as well as configuring user-defined routes and virtual network peering to enable secure traffic control. VPN gateways, Virtual WANs, and secured hubs help support hybrid and global connectivity requirements.

The section also covers applying encryption for ExpressRoute circuits, securing VPN connections, and maintaining observability through monitoring tools like Azure Network Watcher. These practices ensure resilient and secure interconnectivity across networked environments.

Plan and implement security for private access to Azure resources

  • Plan and implement virtual network Service Endpoints
  • Plan and implement Private Endpoints
  • Plan and implement Private Link services
  • Plan and implement network integration for Azure App Service and Azure Functions
  • Plan and implement network security configurations for an App Service Environment (ASE)
  • Plan and implement network security configurations for an Azure SQL Managed Instance

Summary: This section explores service-specific private networking strategies to secure sensitive architectures. You will examine how to use Private Endpoints, Service Endpoints, and Private Link services to restrict access to trusted virtual networks. These patterns allow direct connectivity without exposing workloads to the public internet.

You will also work with securing service integrations such as App Service, Functions, ASEs, and SQL Managed Instances. By the end of this domain section, you will be skilled at configuring highly trusted, isolated connections for applications and databases while enforcing least exposure principles.

Plan and implement security for public access to Azure resources

  • Plan and implement Transport Layer Security (TLS) to applications, including Azure App Service and API Management
  • Plan, implement, and manage an Azure Firewall, including Azure Firewall Manager and firewall policies
  • Plan and implement an Azure Application Gateway
  • Plan and implement an Azure Front Door, including Content Delivery Network (CDN)
  • Plan and implement a Web Application Firewall (WAF)
  • Recommend when to use Azure DDoS Protection Standard

Summary: This section addresses how to secure applications and workloads exposed publicly. You will evaluate tools such as Azure Firewall, Application Gateway, Azure Front Door, and WAF policies to enforce defense-in-depth strategies. Public workloads benefit from encrypted connections with TLS to maintain data privacy.

You will also learn to recommend Azure DDoS Protection Standard where scenarios demand additional mitigation capabilities. These practices ensure that internet-facing workloads enjoy high availability while safeguarding against traffic-based threats and vulnerabilities.

Domain 3: Secure compute, storage, and databases (23.75% of the exam)

Plan and implement advanced security for compute

  • Plan and implement remote access to virtual machines, including Azure Bastion and just-in-time (JIT)
  • Configure network isolation for Azure Kubernetes Service (AKS)
  • Secure and monitor AKS
  • Configure authentication for AKS
  • Configure security monitoring for Azure Container Instances (ACIs)
  • Configure security monitoring for Azure Container Apps (ACAs)
  • Manage access to Azure Container Registry (ACR)
  • Configure disk encryption, including Azure Disk Encryption (ADE), encryption at host, and confidential disk encryption
  • Recommend security configurations for Azure API Management

Summary: This section covers implementing secure practices for compute and containerized workloads. Key topics include configuring remote VM access using Azure Bastion and just-in-time access, as well as applying monitoring and isolation to Kubernetes clusters, container instances, and container apps.

Security controls also extend to encrypting disks, managing identities for ACR, and protecting APIs through service configurations. These practices reinforce workload resilience and help maintain security postures across compute services.

Plan and implement security for storage

  • Configure access control for storage accounts
  • Manage storage account access keys
  • Select and configure an appropriate method for access to Azure Files
  • Select and configure an appropriate method for access to Azure Blob Storage
  • Select and configure appropriate methods for protecting against data security threats, including soft delete, backups, versioning, and immutable storage
  • Configure Bring your own key (BYOK)
  • Enable double encryption at the Azure Storage infrastructure level

Summary: This section focuses on hardening Azure storage with comprehensive data protection controls. You will apply access rules to secure files and blobs, configure storage account keys, and select appropriate access mechanisms for different workloads.

In addition, you will implement features like soft delete, versioning, immutable storage, BYOK, and double encryption. These measures help reduce risks and ensure strong compliance with data protection and privacy requirements.

Plan and implement security for Azure SQL Database and Azure SQL Managed Instance

  • Enable Microsoft Entra database authentication
  • Enable database auditing
  • Plan and implement dynamic masking
  • Implement Transparent Data Encryption (TDE)
  • Recommend when to use Azure SQL Database Always Encrypted

Summary: This section is dedicated to securing relational data in Azure-managed databases. Capabilities include enabling Entra authentication, applying auditing solutions, and enforcing configurable dynamic masking on sensitive datasets.

The use of Transparent Data Encryption ensures data is kept safe at rest, while Always Encrypted scenarios deliver client-side protection against unauthorized access. These controls ensure that database services align with both organizational security policies and compliance mandates.

Domain 4: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel (33.75% of the exam)

Implement and manage enforcement of cloud governance policies

  • Create, assign, and interpret policies and initiatives in Azure Policy
  • Configure Azure Key Vault network settings
  • Configure access to Key Vault, including vault access policies and Azure Role Based Access Control
  • Manage certificates, secrets, and keys
  • Configure key rotation
  • Perform backup and recovery of certificates, secrets, and keys
  • Implement security controls to protect backups
  • Implement security controls for asset management

Summary: This section promotes governance by leveraging Azure Policy to enforce secure workloads across subscriptions. You will also learn how to secure sensitive material by configuring and managing Azure Key Vaults effectively.

In addition, this portion examines certificate and secret lifecycle practices, including rotation, recovery, and asset security. The skills gained provide a strong foundation in both compliance assurance and the proactive management of organizational policies.

Manage security posture by using Microsoft Defender for Cloud

  • Identify and remediate security risks by using the Microsoft Defender for Cloud Secure Score and Inventory
  • Assess compliance against security frameworks by using Microsoft Defender for Cloud
  • Manage compliance standards in Microsoft Defender for Cloud
  • Add custom standards to Microsoft Defender for Cloud
  • Connect hybrid cloud and multi-cloud environments to Microsoft Defender for Cloud, including Amazon Web Services (AWS) and Google Cloud Platform (GCP)
  • Implement and use Microsoft Defender External Attack Surface Management (EASM)

Summary: This section covers evaluating and improving an organization’s security readiness using Microsoft Defender for Cloud. By measuring Secure Score and reviewing compliance posture, you can identify risk areas and remediate weaknesses to strengthen defenses.

Through multi-cloud integrations, including AWS and GCP, you will also apply controls to unify security posture management across environments. The addition of External Attack Surface Management tools provides extended visibility into potential exposures.

Configure and manage threat protection by using Microsoft Defender for Cloud

  • Enable workload protection services in Microsoft Defender for Cloud
  • Configure Microsoft Defender for Servers, Microsoft Defender for Databases, and Microsoft Defender for Storage
  • Implement and manage agentless scanning for virtual machines in Microsoft Defender for Servers
  • Implement and manage Microsoft Defender Vulnerability Management for Azure virtual machines
  • Connect to and configure settings in Microsoft Defender for Cloud DevOps Security, including GitHub, Azure DevOps, and GitLab

Summary: This section emphasizes active threat protection and defense solutions within Defender for Cloud. You will configure defenders for servers, databases, and storage while enabling advanced features such as agentless scanning and vulnerability management.

Integration with development toolchains further strengthens security in CI/CD processes and DevOps workflows. This ensures that organizational protection extends across the development lifecycle to operational workloads.

Configure and manage security monitoring and automation solutions

  • Manage and respond to security alerts in Microsoft Defender for Cloud
  • Configure workflow automation by using Microsoft Defender for Cloud
  • Monitor network security events and performance data by configuring data collection rules (DCRs) in Azure Monitor
  • Configure data connectors in Microsoft Sentinel
  • Enable analytics rules in Microsoft Sentinel
  • Configure automation in Microsoft Sentinel

Summary: This section builds on monitoring and automated response capabilities. You will be introduced to alert management and automated workflows that streamline remediation efforts within Defender for Cloud.

Additionally, you will work extensively in Microsoft Sentinel for configuring data connectors, creating analytics rules, and applying automation capabilities. These operations elevate cloud security from reactive measures to orchestrated, proactive defense strategies.

Who Should Pursue the Microsoft Azure Security Engineer Associate Certification?

The Microsoft Azure Security Engineer Associate certification is designed for IT professionals who want to become experts in securing cloud and hybrid environments. It is especially valuable for:

  • IT Administrators and Support Engineers working with Microsoft Azure
  • Security professionals focused on identity, networking, and data protection
  • Cloud Engineers or Architects responsible for protecting cloud solutions
  • DevOps Engineers looking to implement compliance and security controls
  • Professionals working in regulated industries who must manage compliance frameworks

This credential validates your ability to manage security posture, threat protection, and vulnerability remediation in real-world environments. Whether you’re already in a security role or transitioning into one, this certification is a strong signal of your skills to employers.

What Career Opportunities Can This Certification Open Up?

By earning the Azure Security Engineer Associate certification, you position yourself for some of the most in-demand cloud and cybersecurity roles. Holders of this certification are often recruited for positions such as:

  • Azure Security Engineer
  • Cloud Security Specialist
  • Identity and Access Management Engineer
  • Security Operations Analyst
  • Cloud Infrastructure Engineer
  • Information Security Consultant

In addition, this certification can boost progression into more senior roles like Cloud Solutions Architect or Cybersecurity Lead, especially when paired with higher-level Microsoft certifications.

What Is the Current Exam Code for the Azure Security Engineer Certification?

The current exam code for this credential is AZ-500. Whenever you see "Exam AZ-500," it refers to the assessment required to become certified as a Microsoft Certified: Azure Security Engineer Associate.

This is the latest version of the exam, and it evaluates your ability to secure environments across identity, networking, computing, storage, and monitoring workloads using Azure-native tools and services.

How Many Questions Are On the AZ-500 Exam?

The AZ-500 exam consists of approximately 60 questions. These questions can take several formats, including:

  • Multiple-choice
  • Multiple-select
  • Scenario-based case studies

The exam is designed to reflect real-world decision-making scenarios, allowing you to demonstrate how you would secure Azure systems and infrastructure in practice.

How Long Do Candidates Have to Complete the AZ-500 Exam?

You will be given 100 minutes to complete the Microsoft Azure Security Engineer Associate exam. This generous timeframe allows you to carefully analyze scenario-based questions while managing your time effectively across simpler multiple-choice items. Good time management is encouraged, especially in the case study sections that may require more thoughtful responses.

What Is the Required Passing Score for AZ-500?

To earn the certification, you need a score of 700 out of 1000. Microsoft exams use a scaled scoring system, which means your performance across all domains is combined rather than requiring you to pass each individual section. This approach gives candidates the flexibility to do well overall, even if one domain presents more difficulty.

How Much Does the Microsoft Azure Security Engineer Associate Exam Cost?

The cost of sitting for the AZ-500 exam is $165 USD. Keep in mind that local taxes or currency conversion rates may adjust the total price depending on your region. Considering the career advancement opportunities this exam unlocks, it’s a cost-effective way to demonstrate your skills and commitment to cloud security.

In What Languages Is the AZ-500 Exam Offered?

To ensure global accessibility, the Microsoft Azure Security Engineer Associate exam is available in English, Japanese, Chinese (Simplified), Korean, German, French, Spanish, Portuguese (Brazil), Chinese (Traditional), and Italian. This multilingual availability ensures professionals worldwide can earn the credential in their preferred language.

How Often Does the Certification Need to Be Renewed?

This certification is valid for 12 months. Renewal is straightforward and free — you can extend your certification by taking a short online assessment via Microsoft Learn. This renewal process ensures that certified professionals remain aligned with Microsoft’s evolving cloud technologies and security practices.

What Skills Are Evaluated in the AZ-500 Exam?

The certification covers a wide range of critical cloud security concepts and hands-on abilities, such as:

  • Managing identity and access controls using Microsoft Entra ID
  • Securing networking through NSGs, ASGs, VPNs, and Azure Firewall
  • Protecting compute, storage, and databases with encryption and access control
  • Implementing threat detection and monitoring using Microsoft Defender for Cloud and Microsoft Sentinel
  • Applying compliance and governance policies to Azure resources

These skill areas mirror real-world responsibilities and ensure that candidates come out of the exam with practical knowledge directly applicable to cloud security roles.

What Are the Exam Domains and Their Weightings?

The AZ-500 exam blueprint is divided into four primary domains:

  1. Secure identity and access (15–20%)
    • Role assignments, custom roles, multi-factor authentication (MFA), and Conditional Access

  2. Secure networking (20–25%)
    • Virtual networks, endpoints, firewall configurations, VPNs, and TLS security

  3. Secure compute, storage, and databases (20–25%)
    • VM security, Kubernetes security, storage encryption, and Azure SQL Database protections

  4. Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel (30–35%)
    • Governance policies, compliance, workload protections, and monitoring automation

The heaviest weight is on Defender for Cloud and Microsoft Sentinel at 30–35%, making it a top priority in your preparation.

What Types of Questions Appear on the AZ-500 Exam?

Expect a mix of question formats, including:

  • Multiple-choice questions
  • Multiple-select questions where more than one answer is correct
  • Case study questions that require applying knowledge to real-world scenarios

This mixture ensures you demonstrate both recall of core facts and the ability to apply them in practical security situations.

Is Hands-On Experience Required Before Taking the Exam?

While there are no strict prerequisites, Microsoft recommends that candidates have practical experience in managing Azure and hybrid environments. Familiarity with Microsoft Entra ID, networking, compute, and storage is a strong advantage. Hands-on practice not only helps you answer scenario-based questions confidently but also prepares you to apply your knowledge immediately in the workplace.

How Difficult Is the Microsoft Azure Security Engineer Associate Exam?

The Azure Security Engineer Associate exam is designed for intermediate-level IT professionals, meaning you should have a working familiarity with Azure services, identity protection, and compliance concepts. With solid preparation and practice, the exam is very attainable. Many candidates find that combining hands-on labs with structured study materials gives them the confidence needed to succeed.

What Is the Best Way to Prepare for the AZ-500 Exam?

Preparation should combine both hands-on labs and study resources. Effective methods include:

  • Completing structured Microsoft Learn modules or instructor-led courses
  • Practicing with Microsoft documentation on Azure services, policies, and Defender for Cloud
  • Gaining real-world practice in a sandbox environment
  • Reviewing videos, community forums, and Microsoft Q&A discussions

To sharpen your readiness, using top-rated Azure Security Engineer Associate practice exams is an excellent choice. These resources mirror the actual test environment and provide detailed explanations that reinforce learning.

How Do I Register for the Microsoft Azure Security Engineer Associate Exam?

To register, simply:

  1. Visit the Microsoft certification dashboard
  2. Schedule your exam either online via remote proctoring or in person at a Pearson VUE testing center
  3. Choose your preferred language, exam time, and date
  4. Complete the registration and payment securely

Online proctoring offers the convenience of taking the exam at home, provided you meet webcam and environment requirements.

Can This Certification Help Me Move into Cloud Security Leadership Roles?

Absolutely. Since it is highly specialized in Azure security technologies, this certification is a respected step toward becoming a Senior Security Engineer, Cloud Architect, or Security Team Lead. Employers increasingly seek individuals with proven cloud security expertise, and this certification builds your credibility for leadership-level positions.

Does the Certification Provide Value for Multi-Cloud Professionals?

Yes. While the exam emphasizes Azure security, it also validates knowledge across multi-cloud and hybrid environments. With features like connecting AWS and GCP into Microsoft Defender for Cloud, certified professionals are well-prepared to secure environments that extend beyond Azure alone.

What Learning Resources Does Microsoft Provide?

Microsoft offers official study resources, including:

  • Microsoft Learn paths dedicated to security technologies
  • Azure documentation covering all major services in the exam
  • The Exam Readiness Zone, which provides recorded prep sessions
  • Access to an Exam Sandbox, allowing you to experience the test interface before exam day

These official resources, combined with community support and forums, give you ample materials to succeed.

How Long Does It Take to Prepare for the AZ-500 Exam?

The preparation timeline varies depending on your familiarity with Azure. On average, most candidates dedicate 6–8 weeks of study while balancing work responsibilities. If you already have Azure security experience, you may need less time, while newcomers may benefit from extending their preparation process.

How Do I Maintain My Certified Status Once I Pass?

After passing, you’ll need to renew your certification annually via a free online assessment in Microsoft Learn. The renewal process ensures professionals stay current with evolving cloud security trends while keeping credentials active.

Where Can I Learn More About the Microsoft Azure Security Engineer Associate Certification?

For official details, check the Microsoft Azure Security Engineer Associate certification page. This page provides updated information, learning paths, registration details, and FAQs directly from Microsoft.


The Microsoft Certified: Azure Security Engineer Associate credential is an excellent investment in your cloud security career. It validates your expertise, increases your employability, and positions you as a trusted professional in one of the most in-demand fields today. With thorough preparation and proven study strategies, you’ll be ready to earn this respected certification and unlock new opportunities in cloud security.
