
Azure security cert retires in August: take AZ-500 now or wait for SC-500?
What is actually changing
AZ-500, the Azure Security Engineer Associate, retires on 31 August 2026. After that date you cannot sit the exam or earn the certification. Its replacement is SC-500, the Cloud and AI Security Engineer Associate, and it is not just a rename. SC-500 widens the scope to cover securing AI workloads and copilots alongside the traditional identity, platform, and data-protection material AZ-500 tested, and by most accounts it sits a notch harder.
This is not happening in isolation. AZ-500 is one of around a dozen role-based certifications Microsoft is retiring between June and September 2026, the biggest overhaul of its certification program since the move to role-based credentials in 2019. The through-line is AI: Microsoft is rebuilding the whole catalogue on the assumption that security, development, and operations roles all now need AI skills baked in. SC-500 is the security corner of that rebuild.
The catch nobody mentions (this is the bit that decides it)
A CompTIA certification is good for three years no matter what happens to the exam, which is why "sit it before it retires" is sound advice there. Microsoft works nothing like that. A Microsoft certification is valid for one year, and you keep it alive by passing a free online renewal assessment every year. Cheap, quick, no re-sit. The problem is what happens to that renewal when a certification retires.
Once a certification retires, it can no longer be renewed. You keep it on your transcript and it stays in your Active Certifications for the remainder of your current year, but when that year lapses it drops into Historical, and there is no path to bring it back. There is also no free upgrade: a retired AZ-500 does not convert into SC-500; you would earn SC-500 by passing its own exam.
Put those two facts together and the picture is clear. Passing AZ-500 in August 2026 buys you a credential with a roughly one-year clock on it and no renew button at the end of it. That, not the exam content, is what should drive your decision.
When sitting AZ-500 now still makes sense
If you are basically there already, booked, prepped, and confident you will pass in the next few weeks, then go and pass it. You earn a genuine certification, it stays on your transcript permanently as evidence you had the skills at that level, and you get roughly a year of it showing as current on your profile. For someone who needs "Azure Security Engineer" on their CV for a role or a promotion that is live right now, that is a perfectly fair trade.
The only thing I would ask is that you go in clear-eyed. You are buying a credential with a known expiry, not a renewable one, and in about a year it will quietly become a historical line on your transcript. If that still serves the immediate goal, finishing what you started is the right call. Walking away from an exam you are a fortnight from passing would be the waste, not the deadline.
When to go straight to SC-500 (most people)
If you are more than a few weeks out, do not start a fresh AZ-500 study plan now. You would be pouring weeks into either an exam that retires before you are ready, or a credential that goes non-renewable almost the moment you earn it. Both are bad uses of your evenings.
SC-500 is the version with a future. It is renewable, it is the one Microsoft will be pointing employers and hiring managers at from September onward, and it covers the AI-security material the field is genuinely moving toward rather than the 2023-era scope. Just as importantly, the effort compounds instead of expiring: every hour you spend on SC-500 builds toward a credential you can keep current for years, not one with a built-in use-by date.
There is no overlap trap to fear here either. You are not racing a clock on SC-500, so you can study it properly, at a sane pace, and sit it when you are actually ready instead of when a deadline forces you.
How to study whichever one you land on
ReadRoost has both an AZ-500 pack and an SC-500 pack, so once the decision above lands you on one, you can point your prep straight at it without changing tools. If you are in the finish-AZ-500 camp, the AZ-500 questions are tuned to the live objectives while they are still live. If you are in the SC-500 camp, those questions already cover the AI-workload security content that is new to the exam, so you are not stuck waiting for the rest of the internet to catch up.
Whichever camp you are in, the deciding factor is simple: how close are you to passing today? Close enough to beat August, finish AZ-500. Not close enough, switch to SC-500 now and let the work count toward something that lasts.
Test Your Knowledge
10 questions pulled from the live ReadRoost AZ-500 pack. Answer each one to see where you stand before the exam.
Knowledge Check (10 questions)
Question 1 · Manage identity and access
What is Microsoft Entra ID (formerly Azure Active Directory)?
- A physical server that stores Active Directory domain controllers in Azure
- A cloud-based identity and access management service for Microsoft cloud services
- A networking service that connects on-premises AD to Azure
- A backup solution for on-premises Active Directory
Correct answer: A cloud-based identity and access management service for Microsoft cloud services
Microsoft Entra ID is Microsoft's cloud-based identity and access management service that helps employees sign in and access resources including Microsoft 365, the Azure portal, and thousands of other SaaS applications. It is not a physical server or backup solution.
Question 2 · Secure networking
A VM in subnet A cannot communicate with a VM in subnet B despite both having NSGs allowing the required traffic. What is the most likely cause?
- The VMs are in different regions
- NSGs are stateful and don't require return rules
- Traffic must be explicitly allowed in both subnet NSGs (egress from A, ingress to B)
- VMs in different subnets cannot communicate
Correct answer: Traffic must be explicitly allowed in both subnet NSGs (egress from A, ingress to B)
NSG rules apply at both subnet and NIC level, and traffic must be explicitly allowed in both directions. Outbound traffic from subnet A must be allowed by A's NSG, and inbound to subnet B must be allowed by B's NSG. NSGs are stateful, but rules must exist for both directions at their respective scopes.
Question 3 · Secure compute, storage, and databases
Which encryption technologies does Azure Disk Encryption use for Windows and Linux VMs?
- BitLocker for Windows and dm-crypt for Linux
- FileVault for Windows and LUKS for Linux
- VeraCrypt for both Windows and Linux
- TPM for Windows and Secure Boot for Linux
Correct answer: BitLocker for Windows and dm-crypt for Linux
Azure Disk Encryption uses BitLocker for Windows VMs and dm-crypt for Linux VMs to encrypt OS and data disks. These are industry-standard encryption technologies integrated with Azure Key Vault for key management.
Question 4 · Manage security operations
What are the two main capabilities of Microsoft Defender for Cloud?
- CSPM (Cloud Security Posture Management) and CWPP (Cloud Workload Protection Platform)
- Email security and web filtering
- Identity management and VPN
- Backup and disaster recovery
Correct answer: CSPM (Cloud Security Posture Management) and CWPP (Cloud Workload Protection Platform)
Microsoft Defender for Cloud provides CSPM (security assessments, secure score, compliance) and CWPP (threat detection, vulnerability scanning, file integrity monitoring, just-in-time access). It also includes DevOps security capabilities.
Question 5 · Manage identity and access
Which three elements comprise an Azure role assignment?
- User, Group, and Application
- Owner, Contributor, and Reader
- Security principal, Role definition, and Scope
- Subscription, Resource Group, and Resource
Correct answer: Security principal, Role definition, and Scope
An Azure role assignment consists of: 1) Security principal (user, group, service principal, or managed identity), 2) Role definition (collection of permissions like Owner or Contributor), and 3) Scope (subscription, resource group, or resource where access applies).
Question 6 · Manage identity and access
Which authentication method satisfies MFA requirements in a single step?
- Password + SMS verification
- Windows Hello for Business or FIDO2 security key
- Password + Email verification
- Password + Security question
Correct answer: Windows Hello for Business or FIDO2 security key
Passwordless authentication methods like Windows Hello for Business and FIDO2 security keys satisfy MFA requirements in a single step because they combine something you have (device/key) with something you are (biometric) or know (PIN).
Question 7 · Manage identity and access
Your company requires that users accessing sensitive financial applications from outside the corporate network must complete MFA and use a compliant device. Which Conditional Access configuration should you implement?
- Block all access from outside the corporate network
- Require MFA for all users accessing any cloud app
- Create a policy targeting the financial app, excluding the corporate network IP range, requiring MFA AND compliant device
- Enable Security Defaults for all users
Correct answer: Create a policy targeting the financial app, excluding the corporate network IP range, requiring MFA AND compliant device
The correct approach is to create a Conditional Access policy that targets only the financial application, excludes trusted locations (corporate network), and requires both MFA and device compliance (AND logic) for access to be granted.
Question 8 · Manage identity and access
What is the primary purpose of Microsoft Entra ID Privileged Identity Management (PIM)?
- To permanently assign administrative roles to users
- To provide time-based and approval-based role activation to reduce standing access
- To replace Azure RBAC with a different permission system
- To audit all user sign-ins to Microsoft 365
Correct answer: To provide time-based and approval-based role activation to reduce standing access
PIM enables just-in-time privileged access management by requiring eligible users to activate roles when needed. Activation can require approval and MFA, and it has a time limit, reducing the risk of excessive or misused permissions.
Question 9 · Manage identity and access
What is the key difference between system-assigned and user-assigned managed identities?
- System-assigned uses passwords while user-assigned uses certificates
- System-assigned is tied to a specific resource's lifecycle, while user-assigned exists independently
- System-assigned works only with VMs, user-assigned works with all services
- System-assigned is free while user-assigned has a cost
Correct answer: System-assigned is tied to a specific resource's lifecycle, while user-assigned exists independently
System-assigned managed identities are tied to the lifecycle of a specific Azure resource and are automatically deleted when the resource is deleted. User-assigned managed identities are standalone resources that can be assigned to multiple resources and exist independently.
Question 10 · Manage identity and access
What are the two types of risk detected by Microsoft Entra ID Identity Protection?
- Internal risk and External risk
- User risk and Sign-in risk
- High risk and Low risk
- Current risk and Historical risk
Correct answer: User risk and Sign-in risk
Identity Protection detects two risk types: User risk (probability that a user identity is compromised) and Sign-in risk (probability that a specific authentication request is unauthorized by the identity owner).
Frequently Asked Questions
Does my AZ-500 certification still count after the exam retires?
Yes. It stays on your transcript as proof you earned it, but once your current year lapses it moves to Historical and cannot be renewed.
Will AZ-500 automatically become SC-500?
No. There is no free conversion. SC-500 is a separate exam you sit on its own.
I renewed AZ-500 recently, am I safe?
You are current until your next renewal date. After retirement that renewal will not be available, so plan your next move (usually SC-500) before then.
Is SC-500 harder than AZ-500?
Broader and generally a bit harder, mainly because it adds securing AI workloads on top of the existing AZ-500 scope.
