Home > Training > SC-500T00: Implement End to End Security Controls for Cloud and AI Workloads
PDF Version

SC-500: Implement End to End Security Controls for Cloud and AI Workloads

MOC: SC-500T00

MS Subscription MS Subscription
Interface Gold Interface Gold

This course prepares you to design, implement, and manage end-to-end security controls across Microsoft Azure and Microsoft 365 environments — including the emerging landscape of AI workloads and autonomous agents. Through a combination of instructor-led sessions and hands-on labs, you build practical skills in identity security, cloud infrastructure protection, threat detection, and posture management. This course is intended for security engineers who are responsible for planning and implementing security controls across cloud, hybrid, and multi-cloud environments using Microsoft security technologies.


What you will learn

With a focus on practical applications, the course covers:

  • Cloud Security
  • Generative AI
  • Identity and Access
  • Azure Network
  • Azure Security
  • Azure Storage
  • Azure Virtual machine
  • Compliance
  • DevOps


What products and services will you use and learn about in this course

  • Azure
  • Microsoft Defender XDR
  • Microsoft Defender
  • Microsoft Defender for Cloud
  • Azure Policy
  • Microsoft Entra ID
  • Azure Backup
  • Azure Storage
  • Azure Key Vault
  • Azure Virtual Network
  • Azure Firewall
  • Azure VP Gateway
  • Azure Private Link

 

Prepare for the Microsoft Certified: Cloud and AI Security Engineer Associate (beta

This course is designed to help students confidently prepare for the SC-500: Microsoft Certified: Cloud and AI Security Engineer Associate (beta) exam. The study areas for the certification exam related to this course are based on the Job Task Analysis (JTA) that was conducted in February 2026.

Note: To pass the certification test, studying outside the course may be required to ensure all the concepts are fully understood.

 

Course Logo
  • $2,795
  • 4 Days, Labs, Live Q&A
  • Replay™ Class Recordings Included
  • Included in “all-you-can-eat” Microsoft Live Training Subscription

Microsoft Cloud Solutions
Course Outline

Learning Path: Secure access to resources by using Microsoft Entra

In this learning path, you build the skills to close those gaps. You start by designing and deploying secure authentication in Microsoft Entra ID, including configuring multifactor authentication. Next, you configure Conditional Access policies, passwordless options, and self-service password reset for hybrid environments. You then move into privileged access, where you implement Just-in-Time access for Microsoft Entra roles and Azure resources using Privileged Identity Management (PIM). Just-in-Time access eliminates standing permissions that create unnecessary risk. Finally, you apply these identity and access principles to a modern challenge: securing AI-powered applications and declarative agents that use API plugins to act on behalf of users.

Lessons:

  • Manage and implement authentication methods in Microsoft Entra ID
  • Implement and configure Privileged Identity Management (PIM)
  • Authenticate your API plugin for declarative agents with secured APIs

Exercise:

  • Coming soon

 

Learning Path: Secure Azure Key Vault with defense in depth for the cloud and AI workloads

Implement a defense-in-depth security strategy for Azure Key Vault. In this learning path, you apply security-hardened vault configuration, enforce least-privilege access with just-in-time activation, manage the full lifecycle of keys, secrets, and certificates, and use Microsoft Defender for Cloud to detect exposed credentials and malicious access patterns targeting your vaults.

Lessons:

  • Configure and secure Azure Key Vault
  • Manage keys and secrets in Azure Key Vault
  • Manage certificates and monitor Azure Key Vault
  • Protect Azure Key Vault with Microsoft Defender for Cloud

Exercise:

  • Coming soon

 

Learning Path: Enforce security governance and regulatory compliance

Enforce security governance and regulatory compliance across Azure environments. Configure Azure Policy and resource locks to block noncompliant deployments. Then manage security standards and remediate recommendations in Defender for Cloud, evaluate regulatory compliance posture, govern RBAC role assignments at scale, protect backup data against ransomware and deletion, and embed security controls into Bicep pipelines before resources reach production.

Lessons:

  • Enforce governance with Azure Policy and resource locks
  • Configure security controls and remediate recommendations in Defender for Cloud
  • Evaluate regulatory compliance in Defender for Cloud
  • Manage and right-size RBAC role assignments for least privilege
  • Protect backup data with Azure Backup security features
  • Implement security controls in infrastructure as code

Exercise:

  • Coming soon

 

Learning Path: Implement security for Azure Storage for the cloud and AI security engineer

Implement a defense-in-depth security strategy for Azure Storage. In this learning path, you harden storage accounts against common attack vectors and govern access with Microsoft Entra ID managed identities and stored access policies. Next you configure network perimeter controls using firewall rules and private endpoints and enable Microsoft Defender for Storage to detect threats including malicious file uploads and compromised AI agent credentials.

Lessons:

  • Describe Azure storage services
  • Implement security and manage access for Azure Storage
  • Configure network security for Azure Storage
  • Implement Microsoft Defender for Storage

Exercise:

  • Coming soon

 

Learning Path: Implement security for Azure SQL databases

Implement end-to-end security for Azure SQL Database and SQL Managed Instance. Configure Entra ID authentication with managed identity access, deploy private endpoints, and apply encryption and access controls to protect sensitive financial data. Establish compliant audit trails and enable Microsoft Defender for Databases to detect SQL injection, anomalous access, and vulnerability exposures.

Lessons:

  • Configure platform-level security for Azure SQL
  • Configure auditing for Azure SQL Database and SQL Managed Instance
  • Implement Microsoft Defender for Databases

Exercise:

  • Coming soon

 

Learning Path: Implement network security controls in Azure

Implement defense-in-depth network security controls in Azure. Segment workloads and enforce least-privilege access using NSGs, ASGs, and Azure Virtual Network Manager. Inspect and control traffic centrally with Azure Firewall. Harden remote and hybrid connectivity and replace broad VPN access with Zero Trust application-level access using Microsoft Entra Private Access. Eliminate public exposure of PaaS and AI services using private endpoints and Azure Private Link.

Lessons:

  • Segment and isolate Azure workloads using network security controls
  • Centralize and enforce traffic inspection using Azure Firewall
  • Secure remote and hybrid connectivity using VPN gateways and Microsoft Entra Private Access
  • Eliminate public network exposure of Azure PaaS services

Exercise:

  • Coming soon

 

Learning Path: Implement security for AI

You start by discovering and assessing AI data risks using Microsoft Purview Data Security Posture Management (DSPM). Next you secure agent identities using Microsoft Entra Agent ID and Conditional Access, and analyze AI identity blast radius and attack paths in Microsoft Defender XDR. From there, you configure real-time runtime protection for Copilot Studio agents using Microsoft Defender for Cloud Apps, and secure AI model traffic using AI Gateway in Microsoft Foundry. Finally, you configure guardrails in Microsoft Foundry, protect AI workloads using Microsoft Defender for Cloud, and govern deployed agents using Microsoft Agent 365.

Lessons:

  • Secure access for Microsoft Entra Agent Identity
  • Analyze AI identity risks using Microsoft Defender XDR
  • Enable real-time protection for Copilot Studio agents
  • Configure AI Gateway security in Microsoft Foundry
  • Configure and manage guardrails in Microsoft Foundry
  • Protect AI workloads with Microsoft Defender for Cloud
  • Enable Defender for AI Services workload protection in Microsoft Defender for Cloud
  • Manage agents using Microsoft Agent 365
  • Identify AI data risks using Microsoft Purview Data Security Posture Management

Exercise:

  • Coming soon

 

Learning Path: Implement security for servers and virtual machines

Implement layered security controls across Azure virtual machines and Arc-enabled hybrid servers. Configure disk encryption options including encryption at host with customer-managed keys and confidential disk encryption. Enable Trusted Launch security features—Secure Boot, vTPM, and integrity monitoring—to protect against boot-level threats. Eliminate public RDP and SSH exposure with Azure Bastion. Extend Azure security governance to on-premises and multicloud servers using Azure Arc. Deploy Microsoft Defender for Servers for vulnerability scanning, endpoint detection, agentless machine scanning, and File Integrity Monitoring. Enforce just-in-time VM access to eliminate permanently open management ports. Apply Azure Machine Configuration to audit and enforce OS security baselines across your entire server estate.

Lessons:

  • Implement disk encryption for Azure virtual machines
  • Configure trusted launch security features for Azure virtual machines
  • Plan and implement Azure Bastion
  • Manage security for Arc-enabled hybrid servers
  • Implement Microsoft Defender for Servers
  • Enable and enforce just-in-time VM access
  • Enforce VM security configuration with Azure Machine Configuration

Exercise:

  • Coming soon

 

Learning Path: Secure Azure application platform services for the cloud and AI security engineer 

Implement security controls across Azure application platform services—from container workloads to the API layer. Configure Microsoft Defender for Containers to detect risks in AKS and ACR, enforce AKS security baselines, harden container registries and runtime environments. Then apply authentication, network access, and policy controls across Azure Function apps, Logic apps, App Services, Web Application Firewall, and Azure API Management.

Lessons:

  • Detect container risks using Microsoft Defender for Containers
  • Implement security controls for Azure Kubernetes Service
  • Implement security controls for Azure Container Registry, Container Instances, and Container Apps
  • Implement security controls for Azure Function apps and Logic apps
  • Implement security controls for Azure App Services and Web Application Firewall
  • Implement API backend security using Azure API Management

Exercise:

  • Coming soon

 

Learning Path: Manage security posture by using Microsoft Defender for Cloud 

Learn to build and maintain a strong security posture across your hybrid and multicloud estate using Microsoft Defender for Cloud. You start by connecting on-premises, AWS, and GCP environments to establish unified visibility. You then identify and prioritize security risks using Cloud Security Posture Management (CSPM)—including Secure Score, attack path analysis, and Cloud Security Explorer. You extend that posture view outside-in with Microsoft Defender External Attack Surface Management (EASM) to discover unknown internet-facing assets and surface exploitable exposure. You assess your organization's compliance posture against regulatory frameworks and generate audit-ready reports. Finally, you enable Cloud Workload Protection Platform (CWPP) plans to defend servers, storage, databases, and AI workloads against active threats. Then configure Microsoft Defender Vulnerability Management to scan and remediate vulnerabilities on Azure VMs.

Lessons:

  • Connect hybrid and multicloud environments to Microsoft Defender for Cloud
  • Identify security risks by using Cloud Security Posture Management
  • Discover unprotected assets and vulnerabilities by using Microsoft Defender External Attack Surface Management
  • Evaluate regulatory compliance in Defender for Cloud
  • Enable and configure workload protection plans in Microsoft Defender for Cloud
  • Configure Microsoft Defender Vulnerability Management settings for Azure VMs

Exercise:

  • Coming soon

 

Learning Path: Implement activity and event collection in Microsoft Sentinel

Build a complete event collection and response architecture in Microsoft Sentinel. In this learning path, you set up and secure a Microsoft Sentinel workspace, deploy Content Hub solutions, and connect Azure resource data. Then you collect Linux and Windows security events with data collection rules, and implement automated response workflows with Logic Apps playbooks. The final stage is to manage data retention and audit log access to meet compliance requirements.

Lessons:

  • Create and manage Microsoft Sentinel workspaces
  • Manage content in Microsoft Sentinel
  • Connect Microsoft services to Microsoft Sentinel
  • Connect syslog data sources to Microsoft Sentinel
  • Connect Common Event Format logs to Microsoft Sentinel
  • Connect Windows hosts to Microsoft Sentinel
  • Implement automation rules and playbooks in Microsoft Sentinel
  • Manage data storage and query audit logs in Microsoft Sentinel

Exercise:

  • Coming soon

 

Learning Path: Deploy and operate Microsoft Security Copilot 

In this learning path, you build a working foundation with Microsoft Security Copilot and advance to enterprise-grade deployment and day-to-day operations. You start by exploring core concepts, how Security Copilot processes natural language prompts, the elements of an effective prompt, and the steps to enable the solution for your organization. You then plan and configure workspaces with the right Security Compute Units, data residency settings, and role assignments to support enterprise segmentation requirements. Finally, you govern plugin access and manage the full lifecycle of both Microsoft-built and partner-built agents to keep your deployment running smoothly and securely.

Lessons:

  • Describe Microsoft Security Copilot
  • Configure workspaces for Microsoft Security Copilot
  • Manage plugins and agents in Microsoft Security Copilot

Exercise:

  • Coming soon
 
Audience

As a candidate for this course, you’re a security engineer who protects organizational systems and data across cloud and hybrid environments by implementing comprehensive security controls that prevent unauthorized access and mitigate risks proactively. This role spans multiple security domains including identity, network, application, data, and compute. This role also ensures that platforms, data, identities, and infrastructure used by AI workloads are securely implemented and monitored. You work closely with architects, administrators, engineers, analysts, and developers responsible for Azure, Microsoft 365, identity and access, information protection, security operations, devops, application development, database platforms, and networks.

 
Prerequisites

Before attending this course, students must have:

  • Strong familiarity with Microsoft Entra ID and familiarity with Microsoft 365 administration
  • Securing access to resources by using Microsoft Entra ID and Azure Key Vault
  • Enforcing security and regulatory compliance
  • Securing storage, databases, and networking
  • Securing compute
  • Securing AI solutions
  • Managing and monitoring security posture
 
x
Course:
  • This field is for validation purposes and should be left unchanged.