AZ 500 Blueprint

The document outlines various Microsoft security and management tools, including Microsoft Defender, Azure Monitor, and Microsoft Sentinel, emphasizing their roles in data protection and compliance. It details components such as identity management, access control, and network security within Azure environments. Additionally, it highlights integration with services like Azure DevOps and data governance through Microsoft Purview.

Uploaded by Max Clinton

AZ-500

[Diagram: AZ-500 blueprint, a single-page map of Azure security components. Labels recoverable from the diagram include Microsoft Purview, Microsoft Defender, Microsoft Sentinel, Azure Monitor, Log Analytics Workspace, Entra ID, RBAC, Azure Policy, Network Watcher, Network Security Groups, Azure Firewall, Application Gateway with WAF, Front Door, Storage Account, Azure SQL, App Services, AKS, Container Registries, Bastion, Key Vault, Dedicated HSM, Virtual Network Gateway, Express Route, and Azure DevOps.]