AZ-500 vs SC-200 vs SC-300: Which Azure Security Cert Should You Get in 2026?
A senior engineer spent eight months studying for AZ-500 while his daily job was writing KQL detection rules and triaging Defender XDR incidents in Microsoft Sentinel. He passed — and forgot most of it within six months because the content never touched his actual work. This guide maps what each exam genuinely tests, who each certification is designed for, and provides a decision framework so you study the cert that reinforces the work you actually do.
The Wrong Cert Is Eight Months of Wasted Study Time
A senior engineer at a financial firm spent eight months studying for AZ-500 while his daily job was running incident response in Microsoft Sentinel. He passed with a 760. Six months later, he had forgotten most of the Bicep deployment security and Key Vault RBAC content because he never used it. His actual job was writing KQL detection rules, triaging Defender XDR incidents, and tuning Sentinel analytics rules. SC-200 would have directly reinforced what he did every day.
This is the failure mode for Azure security certifications: picking based on prestige, manager suggestion, or "it sounds broader" rather than job function alignment. AZ-500, SC-200, and SC-300 cover legitimately different domains. Choosing wrong does not mean you learn nothing — it means you spend 200 hours studying 30% of your actual job deeply and 70% of it not at all.
---
What Each Exam Actually Measures
AZ-500: Microsoft Azure Security Technologies
AZ-500 is the broadest of the three. The exam blueprint as of early 2026 covers four domains:
| Domain | Approximate Weight |
|---|---|
| Manage identity and access | 25-30% |
| Secure networking | 20-25% |
| Secure compute, storage, and databases | 20-25% |
| Manage security operations | 25-30% |
The networking domain covers NSGs, Azure Firewall, Application Gateway WAF, DDoS Protection Standard, Private Link, and Service Endpoints. This content appears in no other Microsoft security certification.
Compute, storage, and databases covers VM hardening (disk encryption, JIT VM access, Defender for Servers), AKS security configurations (pod security standards, Defender for Containers), Storage Account access controls (SAS tokens, RBAC, firewall rules, private endpoints), Key Vault access policies and RBAC model, and SQL Database TDE.
Security operations covers Defender for Cloud (posture management, workload protection plans, regulatory compliance), Microsoft Sentinel (workspace setup, data connectors, analytics rules, playbooks), and Defender XDR (incident management fundamentals). This section is shallower than what SC-200 covers for the same tools.
Who passes AZ-500 easily: Engineers who have deployed Azure infrastructure security controls hands-on. Architects who design security baselines across subscriptions. Platform teams managing posture across multiple Azure environments.
Who struggles with AZ-500: Pure SOC analysts who have never configured an NSG or Key Vault access policy. IAM engineers who have never touched Azure Firewall configuration.
---
SC-200: Microsoft Security Operations Analyst
SC-200's exam blueprint shifted significantly in mid-2024. As of early 2026:
| Domain | Approximate Weight |
|---|---|
| Mitigate threats using Microsoft Defender XDR | 25-35% |
| Mitigate threats using Microsoft Defender for Cloud | 15-20% |
| Mitigate threats using Microsoft Sentinel | 50-55% |
The KQL component is serious. You need to write queries across multiple tables — SecurityEvent, AzureActivity, SigninLogs, OfficeActivity, CommonSecurityLog — and understand the schema well enough to diagnose queries returning zero results due to column name mismatches or unconfigured data connectors. The exam presents log excerpts in scenario questions and asks you to write or fix the query.
Defender XDR coverage includes Defender for Endpoint (advanced hunting, device isolation, onboarding methodologies), Defender for Office 365 (anti-phishing policies, safe links, DKIM validation), Defender for Identity (LDAP monitoring, lateral movement detection alerts), and incident management in the unified XDR portal.
Defender for Cloud coverage in SC-200 focuses on alert response, not policy configuration — that belongs to AZ-500.
Who passes SC-200 easily: SOC analysts who use Sentinel daily. Threat hunters who write KQL regularly. Incident responders working in the unified Defender XDR portal.
Who struggles with SC-200: Engineers who configure security controls but rarely respond to incidents or write detection logic.
---
SC-300: Microsoft Identity and Access Administrator
SC-300 is the narrowest in scope but the deepest in its domain. The current exam blueprint:
| Domain | Approximate Weight |
|---|---|
| Implement and manage user identities | 20-25% |
| Implement authentication and access management | 25-30% |
| Implement access management for applications | 15-20% |
| Plan and implement identity governance | 20-25% |
| Implement and manage workload identities | 10-15% |
Identity governance covers Entitlement Management (access packages, connected organizations, multi-stage approval workflows), Access Reviews (programmatic creation via Microsoft Graph API, multi-stage reviews with auto-remediation), Lifecycle Workflows (new hire provisioning triggered by HR attribute changes, leaver automation), and PIM for groups.
Workload identities covers service principal security hardening, managed identity selection tradeoffs at scale, app registration security (certificate credentials over secrets, token lifetime policies), and federated identity credentials for GitHub Actions and Kubernetes workload identities. This last topic is now significant enough to carry dedicated exam questions. See the Entra ID workload identity federation guide for the implementation depth the exam tests at.
Who passes SC-300 easily: IAM engineers who manage Entra ID configurations daily. Identity architects who design Conditional Access policies, governance workflows, and zero trust access models.
Who struggles with SC-300: Engineers who understand identity concepts but have not operated Entitlement Management or Lifecycle Workflows hands-on in a real tenant.
---
Overlap Map
| Topic | AZ-500 | SC-200 | SC-300 |
|---|---|---|---|
| Conditional Access (configure) | Yes | No | Yes — deep |
| PIM (configure and operate) | Yes | No | Yes — deep |
| Managed Identities | Yes | No | Yes |
| Entra SSPR and MFA registration | Basic | No | Yes |
| Defender for Cloud alert response | Basic | Yes | No |
| Microsoft Sentinel analytics rules | Basic | Yes — deep | No |
| KQL queries | Basic | Yes — deep | No |
| NSG and Azure Firewall | Yes | No | No |
| Key Vault RBAC and access policies | Yes | No | No |
| Application Proxy and SAML SSO | No | No | Yes |
| Entitlement Management | No | No | Yes |
| Access Reviews | No | No | Yes |
| Lifecycle Workflows | No | No | Yes |
| Federated identity credentials | No | No | Yes |
| AKS security | Basic | No | No |
| Storage account security | Yes | No | No |
The Decision Framework
Take AZ-500 if your job involves deploying or reviewing Azure security controls across multiple service types — networking, compute, storage, and identity. You are responsible for security baseline implementation, not just policy writing or incident triage. AZ-500 is the natural certification for a cloud security engineer or Azure security architect.
Take SC-200 if you spend most of your day in Microsoft Sentinel, Defender XDR, or incident response workflows. You write KQL. You triage alerts and build detection rules. You own detection and response for a SOC or a security engineering team. SC-200 validates that you can operate these platforms effectively, not just understand them conceptually.
Take SC-300 if Entra ID is your primary domain. You design Conditional Access policies, manage application registrations, configure Entitlement Management, operate Lifecycle Workflows, or implement zero trust access for SaaS and enterprise applications. SC-300 is the IAM specialist certification — it goes deeper on identity governance than any other Microsoft certification.
Take AZ-500 first if you are undecided. Its breadth makes it the strongest foundation for a Microsoft security career. SC-200 and SC-300 specialize from there.
Combinations that make practical sense:
- AZ-500 plus SC-200: Cloud security engineer who also owns detection and response (common in mid-size teams where one person covers both security engineering and SOC functions)
- AZ-500 plus SC-300: Cloud security engineer who owns the identity platform alongside infrastructure security
- SC-200 plus SC-300: SOC analyst who also manages Entra ID governance and IAM workflows
- All three: Security team lead, MSSP engineer, or consultant covering the full Microsoft security stack
---
Preparation Strategies
For AZ-500
Hands-on lab work outperforms any study guide for this exam. The Azure portal evolves quickly enough that memorizing navigation paths is counterproductive — understanding the capability is what the exam tests. Build these scenarios in a test subscription:
```bash
# Enable JIT VM access via Azure CLI
az security jit-policy create \
  --resource-group security-lab-rg \
  --location eastus \
  --kind Basic \
  --virtual-machines '[{"id":"/subscriptions/<sub-id>/resourceGroups/security-lab-rg/providers/Microsoft.Compute/virtualMachines/test-vm","ports":[{"number":22,"protocol":"TCP","allowedSourceAddressPrefix":"*","maxRequestAccessDuration":"PT3H"}]}]'

# Review Defender for Cloud unhealthy assessments for a resource group
az security assessment list \
  --resource-group security-lab-rg \
  --query "[?properties.status.code=='Unhealthy'].{Name:displayName, Status:properties.status.code}" \
  --output table

# List Key Vault role assignments for audit
az role assignment list \
  --scope /subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault-name> \
  --query "[].{Principal:principalName, Role:roleDefinitionName}" \
  --output table
```
The exam frequently presents scenario questions about Defender for Cloud recommendation priorities, Conditional Access policy conflict resolution, and NSG rule evaluation order. Practice explaining why a given policy produces a specific outcome, not just where to find the setting.
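The NSG rule evaluation order mentioned above is worth internalizing as an algorithm rather than a portal screenshot: rules in a direction are walked in ascending priority number and the first full match (protocol, source, destination port) decides the packet, with the platform's DenyAllInBound/DenyAllOutBound defaults at 65500 catching everything else. The following Python model is an added example for this article, not Azure code or an Azure SDK call; the rule set, addresses and rule names are constructed, service tags such as VirtualNetwork are deliberately not modelled, and the `find_shadowed` helper goes slightly beyond the text by flagging a rule that can never fire because an earlier, broader rule with the opposite action already matches everything it would match.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int    # lower number is evaluated first; custom rules use 100-4096
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp", "Icmp" or "*"
    source: str      # CIDR prefix, single IP or "*" (service tags are not modelled here)
    dest_port: str   # "22", "1000-2000" or "*"


# Simplification (assumption): only the catch-all platform defaults are modelled.
# The real AllowVNetInBound / AllowAzureLoadBalancerInBound defaults need service-tag expansion.
DEFAULT_RULES = [
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
    NsgRule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*"),
]


def _port_range(spec):
    """Turn "22", "1000-2000" or "*" into an inclusive (low, high) tuple."""
    if spec == "*":
        return 0, 65535
    if "-" in spec:
        low, high = spec.split("-")
        return int(low), int(high)
    return int(spec), int(spec)


def _addr_matches(spec, addr):
    return spec == "*" or ip_address(addr) in ip_network(spec, strict=False)


def _covers_addr(outer, inner):
    """True when every address allowed by `inner` is also allowed by `outer`."""
    if outer == "*":
        return True
    if inner == "*":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def evaluate(rules, direction, protocol, source_ip, dest_port):
    """First matching rule in ascending priority order decides; returns (access, rule name)."""
    ordered = sorted((r for r in list(rules) + DEFAULT_RULES if r.direction == direction),
                     key=lambda r: r.priority)
    for rule in ordered:
        low, high = _port_range(rule.dest_port)
        if (rule.protocol in ("*", protocol)
                and _addr_matches(rule.source, source_ip)
                and low <= dest_port <= high):
            return rule.access, rule.name
    return "Deny", "(no rule)"  # unreachable while DEFAULT_RULES is present


def find_shadowed(rules, direction):
    """Rules that can never fire: an earlier rule with the opposite action already
    covers their protocol, source range and port range. Returns (rule, shadowed_by) pairs."""
    ordered = sorted((r for r in rules if r.direction == direction), key=lambda r: r.priority)
    shadowed = []
    for index, rule in enumerate(ordered):
        r_low, r_high = _port_range(rule.dest_port)
        for earlier in ordered[:index]:
            e_low, e_high = _port_range(earlier.dest_port)
            if (earlier.access != rule.access
                    and earlier.protocol in ("*", rule.protocol)
                    and _covers_addr(earlier.source, rule.source)
                    and e_low <= r_low and r_high <= e_high):
                shadowed.append((rule.name, earlier.name))
                break
    return shadowed


# Constructed lab rule set for illustration (not from any real subscription).
LAB_RULES = [
    NsgRule("AllowSshFromBastion", 100, "Inbound", "Allow", "Tcp", "10.0.1.0/24", "22"),
    NsgRule("DenySshFromAnywhere", 200, "Inbound", "Deny", "Tcp", "*", "22"),
    NsgRule("DenyRdpFromAnywhere", 210, "Inbound", "Deny", "Tcp", "*", "3389"),
    NsgRule("AllowHttps", 300, "Inbound", "Allow", "Tcp", "*", "443"),
    # Intended to let the VPN range in over RDP, but it sits after the deny and is never reached.
    NsgRule("AllowRdpFromVpn", 310, "Inbound", "Allow", "Tcp", "10.8.0.0/16", "3389"),
]

if __name__ == "__main__":
    print(evaluate(LAB_RULES, "Inbound", "Tcp", "10.8.1.5", 3389))   # ('Deny', 'DenyRdpFromAnywhere')
    print(find_shadowed(LAB_RULES, "Inbound"))                       # [('AllowRdpFromVpn', 'DenyRdpFromAnywhere')]
```

The RDP case is the scenario-question shape the exam favours: the engineer's intent (allow the VPN range) is present in the rule set, but the outcome is Deny because priority 210 is evaluated before 310. Explaining that ordering, rather than locating the rule in the portal, is what gets the question right.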
For SC-200
KQL is the gating skill. If you cannot write a query joining SigninLogs with AuditLogs to correlate a risky sign-in with a subsequent privileged role assignment change, you will fail. Practice these queries daily against a real or trial Sentinel workspace:
```kql
// Correlate high-risk sign-in with subsequent privileged role assignment
let riskySignins = SigninLogs
    | where RiskLevelDuringSignIn in ("high", "medium")
    | where TimeGenerated > ago(24h)
    | project TimeGenerated, UserId, UserPrincipalName, IPAddress, RiskState;
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName == "Add member to role"
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
| join kind=inner riskySignins on $left.TargetUser == $right.UserPrincipalName
| project TimeGenerated, TargetUser, IPAddress, RiskState, OperationName
| order by TimeGenerated desc
```
Build Sentinel analytics rules from scratch in the KQL editor — not by cloning community templates. The exam tests whether you understand what a query detects and what data it requires, not whether you can find a working template and adapt it.
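To check that you understand what the query above detects and what data it requires, it helps to re-implement the same logic outside Kusto and run it over a handful of rows you constructed yourself. The Python below is an added example written for this article, not Sentinel code or anything from the KQL above's author; the SigninLogs and AuditLogs rows are constructed, and the column names mirror the real tables only as far as the query uses them. It serves two passages: the correlation query (inner join of risky sign-ins with "Add member to role" events on the UPN, inside a 24-hour window) and the earlier point about diagnosing a query that returns zero rows because a column name does not exist. It also goes one step beyond the KQL: with `require_ordering=True` the sign-in must precede the role change, which the plain join does not enforce.

```python
from datetime import datetime, timedelta

RISKY_LEVELS = {"high", "medium"}
ROLE_ADD_OPERATION = "Add member to role"


def missing_columns(rows, required):
    """Columns that no row carries. A filter on a misspelled column (RiskLevel instead of
    RiskLevelDuringSignIn) returns zero rows without an error, so check this first."""
    present = set()
    for row in rows:
        present.update(row)
    return [column for column in required if column not in present]


def correlate(signins, audits, now, window=timedelta(hours=24), require_ordering=True):
    """Inner-join risky sign-ins with role-membership additions on the user principal name.

    Mirrors the KQL: both sides are limited to `window` before `now`, sign-ins are kept only
    when RiskLevelDuringSignIn is high or medium, audit events only when OperationName is
    "Add member to role". require_ordering additionally demands sign-in before role change.
    """
    since = now - window
    risky_by_upn = {}
    for signin in signins:
        if signin["TimeGenerated"] > since and signin["RiskLevelDuringSignIn"] in RISKY_LEVELS:
            risky_by_upn.setdefault(signin["UserPrincipalName"], []).append(signin)

    hits = []
    for event in audits:
        if event["TimeGenerated"] <= since or event["OperationName"] != ROLE_ADD_OPERATION:
            continue
        target_user = event["TargetResources"][0]["userPrincipalName"]
        for signin in risky_by_upn.get(target_user, []):
            if require_ordering and signin["TimeGenerated"] > event["TimeGenerated"]:
                continue
            hits.append({
                "TimeGenerated": event["TimeGenerated"],
                "TargetUser": target_user,
                "IPAddress": signin["IPAddress"],
                "RiskState": signin["RiskState"],
                "OperationName": event["OperationName"],
            })
    hits.sort(key=lambda hit: hit["TimeGenerated"], reverse=True)  # order by TimeGenerated desc
    return hits


# Constructed sample rows (not real tenant data). NOW stands in for the query's execution time.
NOW = datetime(2026, 1, 10, 13, 0)
SIGNINS = [
    {"TimeGenerated": datetime(2026, 1, 7, 8, 0), "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "198.51.100.20", "RiskLevelDuringSignIn": "high", "RiskState": "atRisk"},   # outside ago(24h)
    {"TimeGenerated": datetime(2026, 1, 10, 8, 0), "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "203.0.113.5", "RiskLevelDuringSignIn": "high", "RiskState": "atRisk"},
    {"TimeGenerated": datetime(2026, 1, 10, 9, 0), "UserPrincipalName": "bob@contoso.example",
     "IPAddress": "10.0.0.12", "RiskLevelDuringSignIn": "none", "RiskState": "none"},
    {"TimeGenerated": datetime(2026, 1, 10, 12, 0), "UserPrincipalName": "carol@contoso.example",
     "IPAddress": "203.0.113.77", "RiskLevelDuringSignIn": "medium", "RiskState": "atRisk"},
]
AUDITS = [
    {"TimeGenerated": datetime(2026, 1, 10, 8, 30), "OperationName": "Add member to role",
     "TargetResources": [{"userPrincipalName": "alice@contoso.example"}]},   # 30 min after risky sign-in
    {"TimeGenerated": datetime(2026, 1, 10, 9, 30), "OperationName": "Add member to role",
     "TargetResources": [{"userPrincipalName": "bob@contoso.example"}]},     # not a risky user
    {"TimeGenerated": datetime(2026, 1, 10, 11, 0), "OperationName": "Add member to role",
     "TargetResources": [{"userPrincipalName": "carol@contoso.example"}]},   # role add BEFORE her risky sign-in
    {"TimeGenerated": datetime(2026, 1, 10, 11, 30), "OperationName": "Remove member from role",
     "TargetResources": [{"userPrincipalName": "alice@contoso.example"}]},   # wrong operation
]

if __name__ == "__main__":
    print(missing_columns(SIGNINS, ["RiskLevel"]))        # ['RiskLevel'] -> the KQL would return nothing
    for hit in correlate(SIGNINS, AUDITS, NOW):
        print(hit["TimeGenerated"], hit["TargetUser"], hit["IPAddress"], hit["RiskState"])
```

Carol is the instructive row: the plain KQL join flags her because the join key matches, even though her role was granted an hour before the risky sign-in. Whether that is noise or a signal you want is exactly the kind of decision you should be able to defend when you write the analytics rule from scratch.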
For SC-300
The exam emphasizes scenario-based questions on Entitlement Management and Lifecycle Workflows — features that are undersupported in third-party study guides relative to their actual exam weight. Spend at least 20 hours in the Entra ID portal configuring access packages with multi-stage approval, access reviews with auto-remediation, and Lifecycle Workflow triggers based on HR attribute changes.
Federated identity credentials is now a full topic. Make sure you can configure a federated credential for a GitHub Actions workflow and for an AKS workload identity, and explain the trust relationship between the issuer URL, subject, and audience claim.
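The trust relationship is simpler to explain once you see the comparison Entra performs: the external token's `iss`, `sub` and `aud` claims are matched against the federated credential's issuer, subject and audience list, with `iss` and `sub` compared as exact strings and `aud` required to be one of the configured audiences (by default `api://AzureADTokenExchange`). The Python below is an added example for this article, not Entra or Microsoft Graph code; it models that comparison for a GitHub Actions credential and an AKS workload identity credential. The organization, repository, namespace and service account names are constructed, and the AKS OIDC issuer URL is a placeholder in the shape of the real cluster issuer URL, not a real one. The `evaluate_token` helper goes beyond the text by reporting which claim failed, which is the first thing to look at when a pipeline's `azure/login` step is rejected.

```python
from dataclasses import dataclass

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
DEFAULT_AUDIENCE = "api://AzureADTokenExchange"


@dataclass(frozen=True)
class FederatedCredential:
    """The three values Entra compares against an external OIDC token."""
    name: str
    issuer: str
    subject: str
    audiences: tuple = (DEFAULT_AUDIENCE,)


# Subject formats GitHub puts in its workflow tokens (no wildcards: one credential per pattern).
def github_branch_subject(org, repo, branch):
    return f"repo:{org}/{repo}:ref:refs/heads/{branch}"


def github_environment_subject(org, repo, environment):
    return f"repo:{org}/{repo}:environment:{environment}"


def github_pull_request_subject(org, repo):
    return f"repo:{org}/{repo}:pull_request"


# Subject format of a Kubernetes service-account token used by AKS workload identity.
def aks_subject(namespace, service_account):
    return f"system:serviceaccount:{namespace}:{service_account}"


def evaluate_token(credentials, claims):
    """Return (credential_name, None) when a credential trusts the token, else (None, reasons).

    Exact match on iss and sub, and aud must be one of the credential's audiences.
    """
    reasons = []
    for cred in credentials:
        if claims.get("iss") != cred.issuer:
            reasons.append(f"{cred.name}: issuer mismatch")
            continue
        if claims.get("sub") != cred.subject:
            reasons.append(f"{cred.name}: subject mismatch ({claims.get('sub')!r} != {cred.subject!r})")
            continue
        if claims.get("aud") not in cred.audiences:
            reasons.append(f"{cred.name}: audience mismatch ({claims.get('aud')!r})")
            continue
        return cred.name, None
    return None, "; ".join(reasons)


# Constructed configuration (placeholder names, not a real tenant).
AKS_ISSUER = "https://eastus.oic.prod-aks.azure.com/<tenant-id>/<issuer-id>/"   # placeholder shape only
CREDENTIALS = [
    FederatedCredential("github-main-branch", GITHUB_ISSUER,
                        github_branch_subject("contoso-example", "payments-api", "main")),
    FederatedCredential("github-prod-environment", GITHUB_ISSUER,
                        github_environment_subject("contoso-example", "payments-api", "production")),
    FederatedCredential("aks-payments-api", AKS_ISSUER, aks_subject("payments", "api-sa")),
]

if __name__ == "__main__":
    token = {"iss": GITHUB_ISSUER, "sub": "repo:contoso-example/payments-api:ref:refs/heads/feature-x",
             "aud": DEFAULT_AUDIENCE}
    print(evaluate_token(CREDENTIALS, token))   # (None, '... subject mismatch ...')
```

The feature-branch case is the one most engineers hit first: the issuer and audience are right, but a credential scoped to `refs/heads/main` does not trust a token minted for another branch, so the exchange fails until a credential whose subject matches exactly is added. Read the rejection as a scoping decision working as designed, not as a configuration error to widen.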
---
Difficulty and Pass Rates
Microsoft does not publish pass rates, but community data from Reddit, TechExams.net, and LinkedIn consistently shows:
| Exam | First-attempt pass rate (community estimate) | Typical study time (no prior certs) |
|---|---|---|
| AZ-500 | 55-65% | 100-140 hours |
| SC-200 | 60-70% | 80-120 hours |
| SC-300 | 65-75% | 80-110 hours |
SC-200 is technically demanding due to KQL but has clearer scope: if you use Sentinel daily, the exam content maps closely to real work. SC-300 is the narrowest; engineers who own the Entra ID platform consistently find it the most manageable of the three.
---
Renewal Requirements
All three certifications require annual renewal. Microsoft replaced periodic re-takes with free online renewal assessments:
- Renewal assessments are approximately 30-40 questions, taken via Microsoft Learn
- Available starting 180 days before your certification expires
- Must be completed before the expiration date or the certification lapses
- No proctored exam, no payment, no scheduling required
The renewal assessment reflects current exam blueprint updates. When Microsoft revised SC-200 in mid-2024 to increase the Sentinel domain weight to 50-55%, the renewal assessment included the new content immediately. Engineers who had not kept pace with Sentinel feature releases found renewal harder than they expected.
---
Study Readiness Checklist
- [ ] Mapped your primary daily job function to the correct exam: security operations (SC-200), IAM administration (SC-300), or broad Azure security controls (AZ-500)
- [ ] Reviewed the current exam blueprint at learn.microsoft.com/certifications — blueprints update every 6-12 months; verify the version posted at registration time
- [ ] Set up an Azure trial or MSDN subscription for hands-on practice in a real environment, not just a simulator
- [ ] Completed at least one full Microsoft Learn path for your chosen certification
- [ ] Written 20-plus KQL queries from scratch against live Sentinel data — required for SC-200, highly useful for AZ-500
- [ ] Configured a Conditional Access policy with named locations, authentication strength, and compliant network enforcement (AZ-500 and SC-300)
- [ ] Configured an access package in Entitlement Management with multi-stage approval and a connected organization (SC-300)
- [ ] Built a Sentinel analytics rule from scratch with correct MITRE ATT&CK tactic and technique tags and a corresponding playbook (SC-200)
- [ ] Completed at least one MeasureUp or Whizlabs practice exam set for timed, scenario-format question practice
- [ ] Scheduled your exam within 14 days of completing preparation — knowledge decay on this breadth of material is significant if you delay
- [ ] Reviewed the renewal requirement: plan to complete the renewal assessment annually, available 180 days before certification expiration
Microsoft Cloud Solution Architect
Cloud Solution Architect with deep expertise in Microsoft Azure and a strong background in systems and IT infrastructure. Passionate about cloud technologies, security best practices, and helping organizations modernize their infrastructure.