Secure cloud and AI workloads with the Microsoft Certified: Cloud and AI Security Engineer Associate credential.

Learn how to design, implement, and manage security controls across Microsoft Azure, Microsoft 365, hybrid environments, and AI workloads. Develop practical skills in identity protection, cloud infrastructure security, threat detection, security posture management, and AI security using Microsoft’s security technologies.

  • Why get trained: Gain hands-on expertise securing identities, networks, applications, data, infrastructure, and AI workloads across cloud and hybrid environments.
  • Why it matters: Organizations need security professionals who can protect cloud platforms, AI solutions, and business-critical data while maintaining compliance and reducing cyber risk.
  • Who should attend: Security engineers, cloud security professionals, Azure administrators, security operations specialists, infrastructure engineers, and IT professionals responsible for securing cloud and AI environments.

Build the skills to secure modern cloud and AI environments with Microsoft security technologies. HRD Corp Claimable.

Overview

This course prepares you to design, implement, and manage end-to-end security controls across Microsoft Azure and Microsoft 365 environments, including the emerging landscape of AI workloads and autonomous agents.

Through a combination of instructor-led sessions and hands-on labs, you build practical skills in identity security, cloud infrastructure protection, threat detection, and posture management.

This course is intended for security engineers who are responsible for planning and implementing security controls across cloud, hybrid, and multi-cloud environments using Microsoft security technologies.

Skills Covered

  • Secure access to resources by using Microsoft Entra
  • Secure Azure Key Vault with defense in depth for the cloud and AI workloads
  • Enforce security governance and regulatory compliance
  • Implement security for Azure Storage for the cloud and AI security engineer
  • Implement security for Azure SQL databases

Prerequisites

  • Familiarity with Microsoft Entra ID concepts, including users, groups, and directory roles
  • Familiarity with Azure Storage accounts including Blob Storage and Azure Files
  • Working knowledge of Azure Key Vault, including deploying and using a vault
  • Familiarity with Microsoft Defender for Cloud at a foundational level
  • Working knowledge of Azure administration at the AZ-104 level, including resource management, role assignments, and virtual network concepts
  • Understanding of Azure role-based access control (RBAC), including role assignments and the Azure scope hierarchy (management group, subscription, resource group, resource)
  • Basic experience navigating the Azure portal and the Microsoft Entra admin center
  • Familiarity with Zero Trust security principles, including least privilege and assume breach
  • Awareness of Microsoft Entra ID P2 or Microsoft Entra ID Governance licensing requirements

Target Audience

As a candidate for this course, you’re a security engineer who protects organizational systems and data across cloud and hybrid environments by implementing comprehensive security controls that prevent unauthorized access and mitigate risks proactively.

This role spans multiple security domains including identity, network, application, data, and compute. This role also ensures that platforms, data, identities, and infrastructure used by AI workloads are securely implemented and monitored.

Course Curriculum

Module 1: Manage and implement authentication methods in Microsoft Entra ID

Learn to plan, deploy, and manage secure authentication in Microsoft Entra ID. This module covers authentication methods, MFA with Conditional Access, passwordless options, and self-service password reset.

Module 2: Implement and configure Privileged Identity Management (PIM)

Implement Just-in-Time privileged access using Privileged Identity Management (PIM) to reduce standing privilege across Microsoft Entra roles, Azure resources, and group-based access for cloud and AI environments.

Module 3: Authenticate your API plugin for declarative agents with secured APIs

When building apps for work, you typically integrate with secured APIs. Learn about the two common ways APIs are secured (API key and OAuth2) and how to integrate with them when building an API plugin for declarative agents that run in Microsoft 365 Copilot.

Module 4: Configure and secure Azure Key Vault

Configure a security-hardened Azure Key Vault for enterprise workloads. Apply soft delete and purge protection, enforce least-privilege RBAC access with just-in-time activation, and secure the network perimeter using firewall rules and private endpoints.

Module 5: Manage keys and secrets in Azure Key Vault

Manage the security lifecycle of cryptographic keys and secrets in Azure Key Vault. Configure HSM-backed keys, implement Bring Your Own Key (BYOK) for regulatory scenarios, set up automated key rotation, and build zero-downtime secret rotation using dual-credential patterns.

Module 6: Manage certificates and monitor Azure Key Vault

Manage certificate lifecycle in Azure Key Vault through integrated certificate authority issuance and autorenewal. Enable diagnostic logging to create an investigation-ready audit trail, configure log-based alert rules, and integrate Event Grid for real-time lifecycle automation.

Module 7: Protect Azure Key Vault with Microsoft Defender for Cloud

Protect Azure Key Vault with Microsoft Defender for Cloud. Use Defender CSPM agentless secret scanning to discover exposed credentials across virtual machines (VMs) and cloud deployments, enable Microsoft Defender for Key Vault to detect malicious access patterns, and respond effectively to Key Vault security alerts.

Module 8: Enforce governance with Azure Policy and resource locks

Enforce security standards before resources reach production using Azure Policy. Assign built-in policy definitions and initiatives at management group scope, author custom definitions with automated remediation tasks, and protect critical resources from deletion using Azure resource locks.

Module 9: Configure security controls and remediate recommendations in Defender for Cloud

Configure Defender for Cloud security standards at management group scope and systematically deploy security controls to remediate recommendations. Manage custom security standards, assign recommendation ownership using governance rules, and remediate at scale using Fix, Azure Policy remediation tasks, and structured exemptions.

Module 10: Evaluate regulatory compliance in Defender for Cloud

In this module, you use Microsoft Defender for Cloud to assess your organization’s compliance posture against security frameworks. You explore the regulatory compliance dashboard, investigate control gaps, assign regulatory standards, and generate audit-ready reports that communicate compliance status to stakeholders.

Module 11: Manage and right-size RBAC role assignments for least privilege

Implement least-privilege access governance across Azure and Microsoft Entra ID. Assign built-in roles at appropriate scope and create custom roles for Azure resources and Microsoft Entra directory operations. Then identify and remediate overprivileged access using Microsoft Entra access reviews and Defender for Cloud Security Posture Management (CSPM) identity insights.

Module 12: Describe Azure storage services

This module introduces you to storage in Azure, including the different types of storage and how a distributed infrastructure can make your data more resilient.

Module 13: Implement security and manage access for Azure Storage

Implement account-level security controls and access governance for Azure Storage. Configure secure transfer settings, choose appropriate authorization models, apply stored access policies for SAS lifecycle management, and enforce disabling of Shared Key using Azure Policy to protect storage accounts used by AI agents and enterprise workloads.

Module 14: Configure network security for Azure Storage

Configure network-layer access controls for Azure Storage accounts. Apply firewall rules, define virtual network and IP-based access, configure resource instance rules for Azure AI services, manage trusted service exceptions, and implement private endpoints to eliminate public endpoint exposure.

Module 15: Implement Microsoft Defender for Storage

Enable and configure Microsoft Defender for Storage to detect threats against Azure Blob Storage, Azure Files, and Azure Data Lake Storage. Configure activity monitoring, malware scanning with cost controls, sensitive data threat detection, and alert routing to ensure Defender outputs reach the appropriate security team.

Module 16: Configure platform-level security for Azure SQL

Configure authentication, network isolation, encryption, and access controls for Azure SQL Database and SQL Managed Instance. Implement Microsoft Entra ID–only authentication with managed identity access for AI workloads, deploy private endpoints, and apply transparent data encryption, dynamic data masking, and row-level security to protect sensitive financial data.

Module 17: Configure auditing for Azure SQL Database and SQL Managed Instance

Configure audit logging for Azure SQL Database and SQL Managed Instance to create tamper-resistant compliance records. Set audit action groups, route logs to Azure Monitor, Event Hubs, and immutable blob storage, and configure SQL Managed Instance–specific auditing to meet financial regulatory audit requirements.

Module 18: Implement Microsoft Defender for Databases

Enable Microsoft Defender for Databases to detect SQL injection, anomalous query patterns, and vulnerability exposures across Azure SQL services. Enable protection at subscription scope using Azure Policy, configure vulnerability assessment baselines, and route security alerts to the security operations team.

Dates & Locations

Let’s make it work for you

Can’t find a date that fits? Need to train your whole team? Looking for a discount?
Speak to one of our learning experts today.

September 1, 2026 - September 4, 2026

Location: Kuala Lumpur
Mode: ILT
Availability: TBC
Exam: RM 374

September 1, 2026 - September 4, 2026

Location: Online
Mode: VILT
Availability: TBC
Exam: RM 374

December 1, 2026 - December 4, 2026

Location: Kuala Lumpur
Mode: ILT
Availability: TBC
Exam: RM 374

December 1, 2026 - December 4, 2026

Location: Online
Mode: VILT
Availability: TBC
Exam: RM 374

Exam & Certification

Microsoft Certified: Cloud and AI Security Engineer Associate.

This certification validates your ability to design, implement, and manage end‑to‑end security controls across Azure, hybrid, and AI-enabled environments to protect identities, data, applications, and infrastructure, and to maintain regulatory compliance.

  • Level: Intermediate
  • Product: Azure, Microsoft Defender XDR, Microsoft Defender
  • Role: Security Engineer
  • Subject: Cloud security, Generative AI, Identity and access, Networking, Security, Storage, Virtual machine

Training & Certification Guide

  • Duration: 120 minutes
  • Passing Score: 700 / 1000
  • Format: Proctored exam with scenario choices and interactive lab components
  • Status: Available in Beta (Launched May 2026); General Availability in July 2026
  • Retake Policy: Can be taken again 24 hours after a first failed attempt

You will have 120 minutes to complete this assessment.

Exam policy

This exam will be proctored. You may have interactive components to complete as part of this exam. To learn more about exam duration and experience, visit: Exam duration and exam experience.

If you fail a certification exam, don’t worry. You can retake it 24 hours after the first attempt. For subsequent retakes, the amount of time varies. For full details, visit: Exam retake policy.

Assessed on this exam

  • Manage identity, access, and governance
  • Secure storage, databases, and networking
  • Secure compute
  • Manage and monitor security posture

This certification is built for hands-on technical professionals managing cloud defense. It is ideal for:

  • Cloud Security Engineers: Professionals implementing protection mechanisms for networks, identities, and databases.
  • AI Security Specialists: Platform engineers tasked with protecting models, data pipelines, and intelligent apps.

Prerequisites: Candidates need practical experience in Azure administration (compute, network, storage) and strong familiarity with Microsoft Entra ID.

The SC-500 exam requires technical proficiency across multiple high-stakes protection layers:

1. Identity, Access, and Governance
    • Securing access to enterprise resources using Microsoft Entra ID and Azure Key Vault.
    • Enforcing global governance frameworks and tracking regulatory compliance.

2. Cloud Infrastructure & Platform Security
    • Configuring security features for Azure Storage and Azure SQL Databases.
    • Implementing advanced network security controls and firewalls within Azure.
    • Securing virtual machines, application platform services, and server instances.

3. AI Workload and Solution Protection
    • Securing data platforms, vector pipelines, and identities utilized by active AI models.
    • Managing autonomous agent accountability using advanced tools like Microsoft Entra Agent ID.

4. Posture Management & Threat Defense
    • Monitoring cloud assets using Microsoft Defender for Cloud to detect vulnerabilities.
    • Setting up event data collection pipelines inside Microsoft Sentinel.
    • Deploying and operating Microsoft Security Copilot to automate incident analysis.

Speak to a Training Consultant

All courses are HRD Claimable.
Get in touch with our team via the form or WhatsApp us on +6011-5119 6631
