SC-500T00: Implement end-to-end security controls for cloud and AI workloads

SC-500T00 training

Instructor-led Microsoft Cloud and AI Security Engineer training for security engineers, Azure administrators, cloud engineers, identity administrators, security architects, AI platform teams, and cybersecurity professionals responsible for securing Azure, hybrid, multicloud, and AI-enabled workloads.

This course teaches students how to implement end-to-end security controls for identity, access, governance, storage, databases, networking, compute, AI workloads, Microsoft Defender for Cloud, Microsoft Sentinel, and Microsoft Security Copilot.

Certification URL: https://learn.microsoft.com/en-us/credentials/certifications/cloud-and-ai-security-engineer-associate/

Study guide URL: https://learn.microsoft.com/en-us/credentials/certifications/resources/study-guides/sc-500

Why choose Dynamics Edge for SC-500T00 training?

Dynamics Edge delivers SC-500 training with a practical cloud, AI, identity, and security operations focus. Students learn how to secure Azure and AI workloads with Microsoft Entra ID, Azure Key Vault, Microsoft Defender for Cloud, Microsoft Sentinel, Microsoft Security Copilot, Azure Policy, network security, compute security, and governance controls.

• Learn how to secure Azure, hybrid, multicloud, and AI-enabled workloads.
• Prepare for the Microsoft Certified: Cloud and AI Security Engineer Associate certification.
• Practice identity security, Key Vault, governance, storage security, database security, network security, compute security, and AI security scenarios.
• Build skills with Microsoft Defender for Cloud, Defender CSPM, Microsoft Sentinel, and Microsoft Security Copilot.
• Customize the class for enterprise cloud security, government cloud, DevSecOps, Zero Trust, or AI security teams.

What will you learn in SC-500T00 training?

This course teaches students how to protect organizational systems and data across cloud and hybrid environments by implementing comprehensive security controls. Students learn how to secure access, enforce governance, protect storage and databases, secure networks, harden compute workloads, protect AI solutions, and monitor security posture.

• Secure access to resources with Microsoft Entra ID, Conditional Access, PIM, managed identities, and Azure Key Vault.
• Enforce security and regulatory compliance with Azure Policy, Defender for Cloud, RBAC, and infrastructure as code.
• Secure storage accounts, databases, Azure network services, private access, and perimeter controls.
• Secure servers, virtual machines, containers, Azure App Service, Azure Functions, Logic Apps, APIs, and AI workloads.
• Manage and monitor security posture with Defender CSPM, Defender for Cloud, Microsoft Sentinel, and Microsoft Security Copilot.

SC-500T00 Course Outline

Module 1: Manage identity, access, and governance

Students begin by learning how identity, access, and governance controls reduce risk across Azure, hybrid, and AI-enabled environments. This module focuses on Microsoft Entra ID, privileged access, Conditional Access, application identity, Azure Key Vault, Azure Policy, RBAC, and regulatory compliance.

Topics include:

• Secure resource access with Microsoft Entra ID, MFA, passwordless authentication, and Conditional Access.
• Implement and configure Privileged Identity Management for privileged roles.
• Configure enterprise applications, app registrations, managed identities, OAuth consent, and permission grants.
• Secure secrets, keys, and certificates with Azure Key Vault and Defender for Key Vault.
• Enforce governance with Azure Policy, RBAC, resource locks, Defender for Cloud recommendations, and infrastructure as code.

Module 2: Secure storage, databases, and networking

Students learn how to protect Azure data services and network access paths. This module covers storage account security, database protection, Microsoft Defender protections, network security controls, Private Link, private endpoints, firewalls, VPN, and network diagnostics.

Topics include:

• Implement security controls for Azure Storage accounts, access policies, firewall rules, and Defender for Storage.
• Configure Azure SQL platform security, auditing, and Defender for Databases.
• Implement NSGs, ASGs, Azure Virtual Network Manager, and effective security rule diagnostics.
• Secure connectivity with VPN, Azure Virtual WAN, Microsoft Entra Private Access, private endpoints, and Private Link.
• Configure Azure Firewall and network security controls for protected cloud access.

Module 3: Secure AI workloads

Students learn how to secure AI platforms, copilots, agents, data exposure, and AI application access. This module focuses on Microsoft Purview DSPM for AI, Microsoft Copilot and AI app risks, Microsoft Entra Agent ID, Defender XDR, Azure API Management AI Gateway, Microsoft Foundry guardrails, and Defender for AI Service.

Topics include:

• Identify overexposed data in SharePoint and AI-accessible repositories.
• Identify Microsoft Copilot and AI app risks with Microsoft Purview Data Security Posture Management for AI.
• Configure real-time protection for Microsoft Copilot Studio agents.
• Implement Conditional Access, access management, and blast-radius analysis for Microsoft Entra Agent ID.
• Configure Azure API Management AI Gateway, Microsoft Foundry guardrails, Defender for AI Service, and AI security monitoring.

Module 4: Secure servers, virtual machines, and hybrid compute

Students learn how to harden Azure virtual machines, servers, and hybrid compute resources. This module covers encryption, Bastion, just-in-time VM access, Azure Arc, Defender for Servers, vulnerability scanning, endpoint detection and response, agentless scanning, secure boot, vTPM, integrity monitoring, and Azure Machine Configuration.

Topics include:

• Implement disk encryption and VM security configuration.
• Plan and deploy Azure Bastion for secure administrative access.
• Enable just-in-time VM access and reduce exposed management ports.
• Extend security controls to hybrid and multicloud servers with Azure Arc.
• Configure Defender for Servers, vulnerability scanning, EDR, agentless scanning, secure boot, vTPM, and integrity monitoring.

Module 5: Secure application platform services

Students learn how to secure modern Azure application hosting and container platforms. This module focuses on Azure Kubernetes Service, container registries, container apps, Azure Functions, Logic Apps, App Service, Web Application Firewall, API Management, and Defender for Containers.

Topics include:

• Detect container misconfigurations and runtime risks with Defender for Containers.
• Implement security controls for Azure Kubernetes Service and Azure Container Registry.
• Secure Azure Container Instances, Azure Container Apps, Azure Functions, and Logic Apps.
• Secure Azure App Service with authentication, network access, and platform configuration.
• Implement Azure Web Application Firewall and API Management policies for protected application and API access.

Module 6: Manage security posture with Microsoft Defender for Cloud

Students learn how to use Microsoft Defender for Cloud to assess, improve, and monitor security posture across Azure, hybrid, and multicloud environments. This module covers Defender CSPM, regulatory compliance, workload protection plans, vulnerability management, and external attack surface management.

Topics include:

• Identify security risks with Defender Cloud Security Posture Management.
• Evaluate compliance against security frameworks in Microsoft Defender for Cloud.
• Enable and configure Defender for Cloud workload protection plans.
• Connect Azure, hybrid, AWS, and Google Cloud environments to Defender for Cloud.
• Discover unprotected assets and vulnerabilities with Defender Vulnerability Management and Defender External Attack Surface Management.

Module 7: Implement monitoring, event collection, and automation with Microsoft Sentinel

Students learn how to collect, retain, query, and automate security data with Microsoft Sentinel. This module focuses on Sentinel workspaces, roles, content hub solutions, data connectors, syslog, CEF, Windows Security events, data collection rules, custom log tables, automation rules, playbooks, retention, and Purview Audit queries in Defender XDR.

Topics include:

• Create and connect Microsoft Sentinel workspaces.
• Assign Microsoft Sentinel roles and deploy content hub solutions.
• Configure Microsoft data connectors for Azure resources, syslog, CEF, and Windows Security events.
• Create custom log tables and configure Sentinel data retention.
• Implement automation rules, playbooks, and Microsoft Purview Audit queries in Defender XDR.

Module 8: Implement Microsoft Security Copilot

Students learn how Microsoft Security Copilot supports cloud and AI security operations. This module focuses on workspace configuration, permission management, plugins, Microsoft agents, Security Store agents, and AI-assisted security workflows.

Topics include:

• Configure workspaces for Microsoft Security Copilot.
• Manage Security Copilot permissions and roles.
• Enable and configure Security Copilot plugins.
• Enable and configure Microsoft agents and Security Store agents.
• Use Security Copilot to support cloud security investigation, posture management, and response workflows.

Hands-on Labs

Hands-on activities may vary by delivery environment, tenant configuration, licensing, and Microsoft lab availability. Dynamics Edge can align labs to the official SC-500 exam objectives and customize them for Azure, Microsoft 365, government cloud, DevSecOps, Zero Trust, or AI security teams.

• Configure Microsoft Entra ID authentication, Conditional Access, PIM, and managed identities.
• Secure Azure Key Vault, secrets, keys, certificates, RBAC, and Azure Policy.
• Configure storage, database, and network security controls.
• Secure AI workloads with Purview DSPM for AI, Entra Agent ID, Foundry guardrails, API Management AI Gateway, and Defender for AI Service.
• Configure VM, server, container, application platform, and API security controls.
• Enable Defender for Cloud workload protection and Defender CSPM.
• Configure Microsoft Sentinel connectors, automation, playbooks, and retention.
• Configure Microsoft Security Copilot workspaces, plugins, permissions, and agents.

Certification Alignment

This course aligns to Microsoft Certified: Cloud and AI Security Engineer Associate and Exam SC-500: Implementing End-to-End Security Controls for Cloud and AI Workloads.

Microsoft’s SC-500 study guide lists the current skills measured as:

• Manage identity, access, and governance: 20–25%.
• Secure storage, databases, and networking: 25–30%.
• Secure compute: 20–25%.
• Manage and monitor security posture: 20–25%.

Course Review

By the end of this course, students should be able to implement identity and access controls, secure secrets and keys, enforce governance and compliance, secure storage and database services, configure network security, secure AI workloads, harden compute services, manage Defender for Cloud posture, collect security events with Microsoft Sentinel, and configure Microsoft Security Copilot.

Certification Exam Review

This course supports preparation for Exam SC-500 by covering the core responsibilities of a Cloud and AI Security Engineer: managing identity, access, and governance; securing storage, databases, and networking; securing compute and AI workloads; and managing and monitoring security posture. Students should review the Microsoft study guide, practice hands-on Azure and Microsoft Defender tasks, review the exam sandbox, and prepare for the beta exam experience before scheduling the exam.