AZ-500 Retiring: What Microsoft Announced
The AZ-500 Azure Security Engineer certification is officially retiring on August 31, 2026, at 11:59 PM Central Standard Time. Microsoft confirmed the retirement directly on the official Azure Security Engineer certification page, updated on January 22, 2026. After that deadline, no one can earn or renew this certification. For IT professionals currently studying for the AZ-500, this creates a narrow window to finish — or a signal to pivot toward alternative credentials that will remain active beyond 2026.
The retirement affects not only the exam itself but also all renewal assessments tied to the certification. Anyone who holds AZ-500 and whose renewal date falls after August 31 will not be able to extend it. Microsoft has not yet announced a direct replacement certification under the same name, but the company’s broader security certification portfolio offers several paths forward for Azure-focused security practitioners.
This is not the first time Microsoft has retired a security certification. The company regularly updates and retires certifications to align with evolving technology stacks, as discussed in Windows Forum’s analysis of Microsoft’s 2026 certification strategy. What makes this retirement significant is that AZ-500 was the primary intermediate-level certification for Azure security engineers — a role that has grown in demand as organizations accelerate cloud adoption. The retirement leaves a gap that candidates must fill with more specialized credentials.
What AZ-500 Tests Today
The AZ-500 exam, as updated on January 22, 2026, covers four major domains. Understanding these domains matters because the skills themselves remain valuable regardless of the certification retiring. According to the official AZ-500 study guide on Microsoft Learn, the breakdown is:
| Domain | Weight |
|---|---|
| Secure identity and access | 15–20% |
| Secure networking | 20–25% |
| Secure compute, storage, and databases | 20–25% |
| Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel | 30–35% |
The largest domain — Defender for Cloud and Sentinel — reflects Microsoft’s push toward unified security operations. Candidates must configure workload protection plans, implement agentless scanning for VMs, manage vulnerability assessments, set up Microsoft Defender for DevOps, and build automation with Microsoft Sentinel analytics rules. The exam tests practical implementation skills, not theory alone.
The identity and access domain covers Microsoft Entra ID, Conditional Access, Privileged Identity Management, managed identities, and app registrations. Networking dives into NSGs, Azure Firewall, Application Gateway, Front Door, WAF, Private Link, VPN Gateway, Virtual WAN, and DDoS Protection. The compute and storage domain tests AKS security, Azure Disk Encryption, Azure Bastion, JIT VM access, storage access controls, and Azure SQL security including TDE and Always Encrypted.
Should You Still Take AZ-500?
This depends entirely on your timeline and career situation. If you can schedule and pass the exam before the AZ-500 retirement date of August 31, 2026, the certification remains valid for one full year from your pass date, meaning it could stay on your resume through August 2027. For professionals who need an Azure security credential for a job application, a promotion, or a compliance requirement right now, that window is still open and worth pursuing.
However, if you are just starting your study plan and cannot realistically prepare in time, investing dozens of hours into a retiring certification may not be the best use of your energy. The knowledge itself transfers directly to other Microsoft security exams (SC-200, SC-300) and to real-world Azure security work. But the credential will not be renewable, and its value on your resume will diminish after 2027. As CertStud’s certification preparation platform notes in its 2026 guidance, candidates should prioritize certifications with active development cycles over those approaching retirement.
A practical rule of thumb: if you have already started studying and are scoring 75% or higher on practice tests, finish what you started. If you are at square one, redirect your effort toward a certification with a longer lifespan.
Consider also the cost factor. The AZ-500 exam is priced at $165 USD in the United States, with regional pricing variations. If you fail and need to retake, Microsoft’s retake policy requires a 24-hour wait for the first retake and progressively longer waits after that. Given the tight deadline, budget for only one attempt — and make it count. For general exam preparation strategies that apply across certifications, see our ranking of the best IT certification practice tests for 2026.
SC-200: Security Operations Analyst
The Microsoft Certified: Security Operations Analyst Associate (SC-200) is the most direct alternative for professionals focused on Azure threat detection and response. This certification remains active and was last updated on April 16, 2026. It validates skills in Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Defender for Cloud — all tools that overlap heavily with the AZ-500’s largest domain.
The SC-200 exam covers three domains: managing a security operations environment, responding to security incidents, and performing threat hunting. Candidates work with Kusto Query Language (KQL), Sentinel Graph, Microsoft 365 Defender, and Microsoft Entra ID. The role focuses on triage, incident response, and detection engineering rather than infrastructure hardening — which is where AZ-500 leaned. This makes SC-200 a natural next step for security professionals transitioning from infrastructure-focused roles into SecOps.
For Azure security engineers whose day-to-day work involves SIEM operations, this certification is a strong strategic move. The study path is shorter than AZ-500 if you already have Defender for Cloud experience, and the credential has no announced retirement date. The exam is 100 minutes long and follows the same scoring model (700 or higher to pass).
SC-300: Identity and Access Admin
The Microsoft Certified: Identity and Access Administrator Associate (SC-300) targets the identity and access management slice of Azure security — the domain that accounted for 15–20% of the AZ-500 exam. This certification remains active, last updated on April 27, 2026, and carries no retirement announcement.
SC-300 covers four domains: implementing and managing user identities, implementing authentication and access management, planning and implementing workload identities, and planning and implementing identity governance. The exam dives deep into Microsoft Entra ID, Conditional Access, Privileged Identity Management, and identity governance — all skills that are in high demand as organizations adopt Zero Trust architectures.
If your work focuses heavily on identity security, hybrid identity, or Entra ID governance, SC-300 is arguably more targeted and valuable than AZ-500 ever was. Pair it with SC-200 and you cover both the identity and the operations sides of Azure security, replacing AZ-500’s breadth with two deeper, more specialized credentials.
The SC-300 exam assumes familiarity with Azure, Microsoft 365 services, Active Directory Domain Services (AD DS), PowerShell, and KQL. It does not require another certification as a prerequisite, but practical experience with Entra ID deployments is strongly recommended before sitting the exam. If you need a foundational Azure credential first, our Azure AZ-104 exam guide covers the administrator associate certification that pairs well with any security specialization.
CompTIA Security+ as Alternative
For professionals who want a vendor-neutral security certification that never retires (only updates versions), CompTIA Security+ remains the industry standard. The current version, SY0-801, covers threats, attacks, and vulnerabilities; architecture and design; implementation; operations and incident response; and governance, risk, and compliance. It is DoD 8570 compliant and recognized across both government and private sectors. According to CertLand’s certification analysis, Security+ consistently ranks among the most-requested entry-level security certifications by employers worldwide.
Security+ does not test Azure-specific skills, but it validates foundational security knowledge that applies to any cloud environment. For professionals building a long-term certification roadmap, starting with Security+ and then adding a Microsoft-specific security credential (SC-200 or SC-300) creates a strong, defensible portfolio that covers both breadth and depth.
The exam costs approximately $404 USD and requires no prerequisites, though CompTIA recommends two years of IT administration experience with a security focus. It is a smart alternative if AZ-500 was going to be your first security certification and you want a credential with long-term staying power. For another vendor-neutral security certification to consider alongside Security+, see our CompTIA CySA+ V4 guide covering the updated cybersecurity analyst certification.
8-Week Study Plan Before Deadline
If you decide to take AZ-500 before it retires, here is a concrete 8-week study plan designed for a working IT professional who can dedicate 10–15 hours per week. This plan follows the blueprint-first approach recommended by PrepForCerts’ certification preparation methodology, which emphasizes starting with official exam objectives and building labs around each domain.
Weeks 1–2: Identity and Access (15–20% of exam) — Focus on Microsoft Entra ID, role-based access control (RBAC), Conditional Access, MFA, Privileged Identity Management, managed identities, and app registrations. Complete the Microsoft Learn learning path for “Secure identity and access.” Practice creating Conditional Access policies in a free Azure trial tenant. Create custom RBAC roles and assign them to test users. Configure app registrations with delegated and application permissions.
Weeks 3–4: Networking (20–25% of exam) — Cover NSGs, ASGs, Azure Firewall, Application Gateway, Front Door, WAF, Private Link, Private Endpoints, VPN Gateway, Virtual WAN, and DDoS Protection. Build a lab with a virtual network, deploy Azure Firewall, configure NSG rules, and set up a Private Endpoint for Azure Storage. Test connectivity with and without Private Link to understand the traffic flow. Configure a site-to-site VPN in your lab environment.
Weeks 5–6: Compute, Storage, and Databases (20–25% of exam) — Study Azure Disk Encryption, AKS security, Azure Bastion, JIT VM access, container security, storage access controls, BYOK, Azure SQL security (TDE, dynamic masking, Always Encrypted). Deploy a VM with disk encryption, configure a storage account with private access, and enable auditing on an Azure SQL database. Practice configuring Azure Key Vault for key rotation and secret management.
Weeks 7–8: Defender for Cloud and Sentinel (30–35% of exam) — This is the heaviest domain. Cover Microsoft Defender for Cloud Secure Score, workload protection plans, agentless scanning, Defender for DevOps, Microsoft Defender EASM, compliance standards, Azure Key Vault, and Microsoft Sentinel (data connectors, analytics rules, automation). Complete the full Sentinel learning path. Take the official Microsoft Practice Assessment to gauge readiness. Review your weak areas and retake the practice test until you consistently score above 80%.
What Happens After August 2026
After AZ-500 is retired, the credential will not be available for new candidates or renewals. Existing holders keep their certification until its natural expiration date (one year from when they last passed or renewed). After that, the certification simply expires with no option to renew.
Microsoft has not announced a direct successor to the Azure Security Engineer Associate title. The company’s current security certification portfolio includes SC-200 (Security Operations Analyst), SC-300 (Identity and Access Administrator), and several specialty certifications. The absence of a broad “Azure security engineer” credential suggests Microsoft may be moving toward more specialized security roles rather than a single generalist certification. As noted in LiveCertification’s analysis of vendor certification trends, the industry-wide shift is toward role-specific credentials tied to specific products and workflows.
For career planning, this means the smart play is to diversify. Combine SC-200 or SC-300 with a vendor-neutral credential like CISSP or CompTIA Security+. Build hands-on experience through the Azure security labs available on Microsoft Learn. The skills AZ-500 tested — identity management, network security, compute hardening, and Defender for Cloud — are not going away. Only the exam is.
Watch Microsoft’s certification announcement blog for any new security certifications that may launch in late 2026. Microsoft typically previews new certifications 3–6 months before they become available, and a replacement for the Azure Security Engineer role may emerge as the company consolidates its security certification strategy around Defender and Sentinel.
References
- Microsoft Certified: Azure Security Engineer Associate — Microsoft Learn
- Study Guide for Exam AZ-500: Microsoft Azure Security Technologies — Microsoft Learn
- Passing IT Certifications in 2026: Blueprint-First Prep — Windows Forum
- Free IT Certification Practice Tests — CertStud
- IT Certification Study Guides and Exam Tips — CertLand Blog
- Certification Exam Preparation Platform — PrepForCerts
- LiveCertifications — IT Certification Guides