- Domain 3 (Implement Azure security) is worth 15-20% of the AZ-204 exam, tied for second-highest weight.
- Focus areas: Microsoft identity platform, managed identities, SAS tokens, Key Vault, and user authentication/authorization.
- The exam runs 100 minutes with roughly 40-60 questions across all five domains, so security topics get real airtime.
- Passing requires a scaled score of 700+ out of 1000; there's no separate per-domain pass threshold.
Domain 3 Overview: What "Implement Azure Security" Actually Covers
Domain 3, Implement Azure security, accounts for 15-20% of the AZ-204 exam according to the official skills measured outline (last updated January 14, 2026). It sits behind only Domain 1 (Develop Azure compute solutions, 25-30%) and Domain 5 (Connect to and consume Azure services and third-party services, 20-25%) in terms of weight. That places it roughly on par with Domain 2 (Develop for Azure storage, 15-20%), and well ahead of Domain 4 (Monitor, troubleshoot, and optimize Azure solutions, 5-10%).
Unlike storage or compute topics, which are largely about provisioning and configuring resources, Domain 3 is about protecting the applications you build elsewhere on the exam. Expect questions that combine an App Service, a Function, or a container with an identity or secrets-management requirement. If you haven't yet reviewed the other content areas, the complete guide to all five AZ-204 content areas is a useful map before you drill into this one.
Core Topics You Must Master
Microsoft's skills-measured outline groups Domain 3 into a handful of practical implementation tasks rather than abstract security theory. Based on the current outline, candidates should be prepared to work hands-on with:
- The Microsoft identity platform, including app registrations, OAuth 2.0 and OpenID Connect flows, and the Microsoft Authentication Library (MSAL)
- Managed identities for Azure resources (system-assigned and user-assigned) and how they eliminate credential storage
- Shared access signatures (SAS) for Blob Storage, Queue Storage, and other storage services, including account SAS vs. service SAS
- Azure Key Vault for storing and retrieving secrets, keys, and certificates from application code
- Solution-level security recommendations, including Microsoft Entra ID (formerly Azure AD) roles, conditional access basics as they relate to app development, and role-based access control (RBAC) as applied to app resources
These topics don't exist in isolation. A question about Blob Storage access might actually be testing whether you know a managed identity is a better fit than a SAS token for a server-side app - which means Domain 3 knowledge frequently overlaps with the storage topics in Domain 2's study guide.
Microsoft Identity Platform
Candidates must understand how to register an application, request tokens, and use MSAL libraries to authenticate users and call protected APIs.
- Difference between v1.0 and v2.0 endpoints and when each applies
- Scopes, consent, and delegated vs. application permissions
- Token validation and refresh token handling in application code
Managed Identities
You need to know when to use system-assigned versus user-assigned managed identities and how they interact with Azure RBAC.
- System-assigned identities are tied to a single resource's lifecycle
- User-assigned identities can be shared across multiple resources
- Managed identities remove the need for connection strings or embedded credentials
Shared Access Signatures
SAS tokens grant delegated, time-limited access to storage resources without sharing account keys.
- Know the difference between account SAS and service SAS scope
- Understand stored access policies for revocation control
- Recognize when SAS is appropriate versus when Entra ID authentication is preferred
Identity and Access: Microsoft Identity Platform, Managed Identities, and Shared Access Signatures
This is the heart of Domain 3 and where the exam concentrates most of its scenario-based questions. You'll be asked to reason through situations like: an Azure Function needs to read a secret from Key Vault without storing a client secret in application settings - which authentication approach fits? The expected answer path usually leads to a managed identity granted an appropriate Key Vault access policy or RBAC role, not a service principal with a hardcoded secret.
Similarly, expect questions where a mobile client needs temporary, scoped access to upload a file directly to Blob Storage. That's a textbook SAS scenario, and the exam will test whether you know to generate a service SAS with the narrowest possible permissions and expiration rather than exposing the storage account key.
Key Takeaway
When a Domain 3 scenario involves an Azure resource calling another Azure resource, managed identity is almost always the preferred answer over stored credentials or SAS tokens.
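The mobile-upload scenario above, as an added example that is not part of the original guide: standard-library Python that builds a service SAS for one blob with only create and write permission (`cw`) and a 15-minute lifetime, then verifies a presented SAS by recomputing its signature, which is also how a token whose permissions, blob name or expiry were edited gets rejected. The account name, container, blob name, key and clock are constructed; the string-to-sign layout follows the documented blob service SAS format for signed version 2020-12-06, which you should treat as an assumption and confirm against the current REST docs. In a real app you would let the Azure SDK's SAS helper produce the token; the hand-rolled version is here to show what the signature actually binds.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote

SIGNED_VERSION = "2020-12-06"
# Constructed throwaway key (base64 of 64 bytes); a real account key is never embedded like this.
DEMO_ACCOUNT_KEY = base64.b64encode(bytes(range(64))).decode()
# Fixed clock so the example is deterministic.
FIXED_NOW = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)


def _iso(ts):
    """SAS timestamps are UTC ISO-8601 with a trailing Z."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _string_to_sign(account, container, blob, permissions, start, expiry, protocol):
    # Field order of the documented blob service-SAS string-to-sign for version 2020-12-06
    # (assumption: confirm against the current REST docs). Unused fields stay blank.
    canonical = f"/blob/{account}/{container}/{blob}"
    fields = [
        permissions, start, expiry, canonical,
        "",                  # signedIdentifier: no stored access policy in this example
        "",                  # signedIP
        protocol,
        SIGNED_VERSION,
        "b",                 # signedResource: a single blob
        "",                  # signedSnapshotTime
        "",                  # signedEncryptionScope
        "", "", "", "", "",  # rscc, rscd, rsce, rscl, rsct response-header overrides
    ]
    return "\n".join(fields)


def _sign(account_key_b64, string_to_sign):
    key = base64.b64decode(account_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def make_blob_service_sas(account, container, blob, permissions, ttl_minutes, account_key_b64, now=None):
    """Build the SAS query string for one blob, scoped to the given permissions and lifetime."""
    now = now or datetime.now(timezone.utc)
    start = _iso(now - timedelta(minutes=5))             # small allowance for clock skew
    expiry = _iso(now + timedelta(minutes=ttl_minutes))
    protocol = "https"                                   # refuse plain HTTP
    sig = _sign(account_key_b64, _string_to_sign(account, container, blob, permissions, start, expiry, protocol))
    params = {"sv": SIGNED_VERSION, "sr": "b", "sp": permissions, "st": start, "se": expiry, "spr": protocol, "sig": sig}
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())


def verify_blob_service_sas(account, container, blob, sas_query, account_key_b64, now=None):
    """Recompute the signature from the presented parameters: any edit to sp, se or the blob name invalidates it."""
    q = {k: v[0] for k, v in parse_qs(sas_query).items()}
    if any(k not in q for k in ("sv", "sr", "sp", "st", "se", "spr", "sig")):
        return False
    if q["sv"] != SIGNED_VERSION or q["sr"] != "b":
        return False
    now = now or datetime.now(timezone.utc)
    if not (q["st"] <= _iso(now) <= q["se"]):           # fixed-width Z timestamps sort chronologically
        return False
    expected = _sign(account_key_b64, _string_to_sign(account, container, blob, q["sp"], q["st"], q["se"], q["spr"]))
    return hmac.compare_digest(expected, q["sig"])


def demo():
    """Issue a narrow upload SAS and show what the verifier accepts and rejects."""
    sas = make_blob_service_sas("demoacct", "uploads", "photo.jpg", "cw", 15, DEMO_ACCOUNT_KEY, now=FIXED_NOW)
    check = lambda blob, query, now: verify_blob_service_sas("demoacct", "uploads", blob, query, DEMO_ACCOUNT_KEY, now=now)
    return {
        "sas": sas,
        "valid": check("photo.jpg", sas, FIXED_NOW),
        "escalated_permissions": check("photo.jpg", sas.replace("sp=cw", "sp=rwd"), FIXED_NOW),
        "other_blob": check("other.jpg", sas, FIXED_NOW),
        "after_expiry": check("photo.jpg", sas, FIXED_NOW + timedelta(hours=1)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The token carries no stored access policy (`si` is blank), so the only ways to revoke it early are to wait for `se` or to rotate the account key that signed it; tying the SAS to a stored access policy is what gives you the revocation control the section lists.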
Implementing User Authentication and Authorization
Beyond resource-to-resource identity, Domain 3 also covers user-facing authentication: signing users into a web or mobile app, securing APIs behind Entra ID, and using App Service's built-in authentication (Easy Auth) feature. You should be comfortable with:
- Configuring App Service authentication providers (Microsoft, Google, Facebook, etc.) without writing custom auth code
- Securing an API with Entra ID and validating bearer tokens in incoming requests
- Implementing authorization checks based on app roles or group claims returned in a token
- Understanding the difference between authentication (who you are) and authorization (what you can do) in the context of Azure resources
These topics connect directly to the compute services covered in Domain 1's study guide, since App Service, Functions, and containers are the delivery mechanisms for the identity code you write here.
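An added example that is not part of the original guide, covering the bearer-token validation and role/scope checks listed above as well as the delegated-versus-application-permission distinction from the identity platform section: a small API-side validator in standard-library Python. The issuer, audience, subject and signing key are constructed, and HS256 with a shared key stands in for the RS256 signature a real Entra ID token carries, so the checks run offline; everything else (issuer, audience, expiry, `roles` versus `scp`, and the 401/403 split) is the same logic an API behind Entra ID applies.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values. A real Entra ID access token is RS256-signed by the tenant; HS256 with a
# shared key is a stand-in here so the validator runs offline with the standard library only.
DEMO_ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
DEMO_AUDIENCE = "api://demo-orders-api"
DEMO_SIGNING_KEY = b"demo-only-shared-key"
FIXED_NOW = 1_800_000_000  # fixed clock (Unix seconds) for deterministic results


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims):
    """Mint a compact JWT (HS256 stand-in) so the checks below have something to validate."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class AuthError(Exception):
    """Authentication failed: who the caller is could not be established (HTTP 401)."""


class AuthzError(Exception):
    """Authorization failed: the caller is known but may not do this (HTTP 403)."""


def authenticate(authorization_header, now=None):
    """Validate the bearer token (signature, issuer, audience, expiry) and return its claims."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        raise AuthError("missing or malformed bearer token")
    header_b64, payload_b64, sig_b64 = token.split(".")
    try:
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":        # never accept 'none' or an unexpected algorithm
            raise AuthError("unexpected alg")
        expected = hmac.new(DEMO_SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise AuthError("bad signature")
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:                   # covers bad base64 and bad JSON
        raise AuthError(f"undecodable token: {exc}")
    now = time.time() if now is None else now
    if claims.get("iss") != DEMO_ISSUER:
        raise AuthError("wrong issuer")
    if claims.get("aud") != DEMO_AUDIENCE:      # a valid token for another API is still rejected
        raise AuthError("token issued for a different API")
    if now >= claims.get("exp", 0):
        raise AuthError("token expired")
    return claims


def authorize(claims, required_role=None, required_scope=None):
    """App roles (including application permissions) arrive in 'roles'; delegated permissions arrive space-separated in 'scp'."""
    roles = set(claims.get("roles", []))
    scopes = set(claims.get("scp", "").split())
    if required_role and required_role not in roles:
        raise AuthzError(f"app role {required_role} required")
    if required_scope and required_scope not in scopes:
        raise AuthzError(f"delegated scope {required_scope} required")


def handle_request(authorization_header, required_role=None, required_scope=None, now=None):
    """Map the two failure classes to the HTTP statuses an API should return."""
    try:
        claims = authenticate(authorization_header, now=now)
        authorize(claims, required_role, required_scope)
    except AuthError as exc:
        return 401, str(exc)
    except AuthzError as exc:
        return 403, str(exc)
    return 200, claims.get("sub", "")


def demo():
    base = {"iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE, "sub": "user-1", "exp": FIXED_NOW + 600}
    good = issue_token({**base, "roles": ["Orders.Read"], "scp": "Orders.Read"})
    wrong_aud = issue_token({**base, "aud": "api://some-other-api", "roles": ["Orders.Read"]})
    # Splice a payload claiming a higher role onto the original signature: signature check fails.
    header_b64, _, sig_b64 = good.split(".")
    forged_payload = _b64url(json.dumps({**base, "roles": ["Orders.Write"]}).encode())
    tampered = f"{header_b64}.{forged_payload}.{sig_b64}"
    return {
        "ok": handle_request("Bearer " + good, required_role="Orders.Read", now=FIXED_NOW),
        "forbidden": handle_request("Bearer " + good, required_role="Orders.Write", now=FIXED_NOW),
        "expired": handle_request("Bearer " + good, required_role="Orders.Read", now=FIXED_NOW + 3600),
        "wrong_audience": handle_request("Bearer " + wrong_aud, now=FIXED_NOW),
        "tampered": handle_request("Bearer " + tampered, required_role="Orders.Write", now=FIXED_NOW),
        "no_token": handle_request("", now=FIXED_NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The status split is the exam's authentication-versus-authorization distinction made concrete: a bad, expired or mis-addressed token is a 401 because the caller's identity was never established, while a genuine token lacking the role or scope is a 403. With App Service's built-in authentication enabled, the platform performs the 401 half before your code runs; the `roles`/`scp` check remains yours.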
Securing App Configuration and Secrets
Key Vault appears throughout Domain 3, not just as a standalone service but as a dependency woven into compute and storage scenarios elsewhere on the exam. Candidates should know how to:
- Create and configure a Key Vault, including access policies versus Azure RBAC-based permission models
- Retrieve secrets, keys, and certificates from application code using the appropriate SDK
- Reference Key Vault secrets directly in App Service configuration using Key Vault references
- Rotate secrets and understand versioning behavior for keys and secrets
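An added example (not from the original guide) for the Key Vault reference and versioning bullets: a standard-library Python audit of an App Service settings map that parses both documented reference forms, `@Microsoft.KeyVault(SecretUri=...)` and `@Microsoft.KeyVault(VaultName=...;SecretName=...;SecretVersion=...)`, reports whether each reference pins a version or floats to the latest (the documented behaviour when no version is given), and flags settings that still carry a pasted-in key or connection string. The settings, vault name and secret names are constructed; the plaintext markers are a heuristic, not an exhaustive secret scanner.

```python
import re

# App Service resolves settings of this shape from Key Vault using the app's managed identity;
# both documented reference forms are handled below.
KV_REF = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.+)\)$")
SECRET_URI = re.compile(
    r"^https://(?P<vault>[^./]+)\.vault\.azure\.net/secrets/(?P<name>[^/]+)(?:/(?P<version>[0-9a-f]+))?/?$"
)
# Substrings that indicate a credential pasted straight into configuration (heuristic, constructed list).
PLAINTEXT_MARKERS = ("accountkey=", "sharedaccesssignature=", "password=", "sig=")


def parse_key_vault_reference(value):
    """Return {'vault', 'name', 'version'} for a Key Vault reference, or None if the value is not one."""
    m = KV_REF.match(value.strip())
    if not m:
        return None
    body = m.group("body")
    if body.startswith("SecretUri="):
        u = SECRET_URI.match(body[len("SecretUri="):])
        if not u:
            return None
        return {"vault": u.group("vault"), "name": u.group("name"), "version": u.group("version")}
    parts = dict(p.split("=", 1) for p in body.split(";") if "=" in p)
    if "VaultName" not in parts or "SecretName" not in parts:
        return None
    return {"vault": parts["VaultName"], "name": parts["SecretName"], "version": parts.get("SecretVersion") or None}


def audit_app_settings(settings):
    """Classify each setting: keyvault-pinned, keyvault-latest, plaintext-secret, or other."""
    report = {}
    for name, value in settings.items():
        ref = parse_key_vault_reference(value)
        if ref:
            # Without a version the reference follows the latest secret version (rotation picks it up);
            # with a version pinned, rotating the secret requires updating the setting too.
            report[name] = "keyvault-pinned" if ref["version"] else "keyvault-latest"
        elif any(marker in value.lower() for marker in PLAINTEXT_MARKERS):
            report[name] = "plaintext-secret"
        else:
            report[name] = "other"
    return report


# Constructed sample of an App Service configuration (values are placeholders, not real credentials).
DEMO_SETTINGS = {
    "StorageConnection": "DefaultEndpointsProtocol=https;AccountName=demoacct;AccountKey=PLACEHOLDERKEY==;EndpointSuffix=core.windows.net",
    "DbPassword": "@Microsoft.KeyVault(SecretUri=https://demo-vault.vault.azure.net/secrets/DbPassword/0123456789abcdef0123456789abcdef)",
    "ApiKey": "@Microsoft.KeyVault(VaultName=demo-vault;SecretName=ApiKey)",
    "WEBSITE_NODE_DEFAULT_VERSION": "~20",
}


if __name__ == "__main__":
    for name, verdict in audit_app_settings(DEMO_SETTINGS).items():
        print(f"{name}: {verdict}")
```

A reference only resolves if the app has a managed identity with permission to read the secret, through either an access policy with `Get` on secrets or the Key Vault Secrets User RBAC role, which is where this bullet list meets the managed-identity material earlier in the guide.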
How Domain 3 Questions Are Actually Asked
AZ-204 is a proctored Microsoft exam delivered through Pearson VUE test centers or OnVUE online proctoring. Microsoft doesn't publish an exact question count for AZ-204, but most Microsoft certification exams - this one included - typically run 40-60 questions within a 100-minute time limit. Some items are unscored and used for exam calibration, though you won't know which ones during the test.
For Domain 3 specifically, expect:
- Scenario-based multiple choice questions describing an app requirement and asking which identity mechanism satisfies it
- "Choose two" or "choose all that apply" formats where partial credit isn't given - you need the complete correct set
- Possible case studies where a single business scenario spans multiple questions, some touching security and others touching compute or storage
- Code-completion or "select the missing configuration" style items involving SDK calls to Key Vault or MSAL
Passing requires a scaled score of 700 or higher out of a possible 1000 - there's no separate minimum per domain, so a weak Domain 3 showing can be offset by stronger performance elsewhere, though skipping it entirely is risky given its 15-20% weight. For a full breakdown of exam mechanics and difficulty expectations, see the complete AZ-204 difficulty guide.
Scheduling Domain 3 Inside Your Broader AZ-204 Plan
Because Domain 3 concepts (managed identities, Key Vault, SAS tokens) depend on understanding the compute and storage services they protect, it makes sense to study it after - or in parallel with - Domains 1 and 2 rather than first. Here's one way to sequence a multi-week plan that accounts for this dependency:
Compute Foundations
- Work through App Service, Functions, and container basics from Domain 1
- Build one small deployed app to use as a testbed for later security work
Storage Foundations
- Cover Blob Storage, Cosmos DB basics, and access tiers from Domain 2
- Note where SAS tokens and storage account keys come up naturally
Domain 3 Deep Dive
- Configure Key Vault and connect it to your test app
- Implement a managed identity end-to-end and compare it against a SAS-based approach
- Practice Microsoft identity platform token flows with MSAL
Integration and Practice Questions
- Run scenario-based practice questions mixing Domains 1-3
- Review Domain 5 connectivity topics since they often overlap with authentication scenarios
If you want a broader, domain-agnostic framework for pacing your overall preparation, the first-attempt study guide covers timing, resource selection, and exam-day logistics in more depth.
How Domain 3 Compares to the Other Four Domains
Seeing Domain 3's weight next to the other four helps with prioritizing study hours proportionally:
| Domain | Weight | Primary Focus |
|---|---|---|
| Domain 1: Develop Azure compute solutions | 25-30% | App Service, Functions, containers, deployment |
| Domain 2: Develop for Azure storage | 15-20% | Blob Storage, Cosmos DB, data connections |
| Domain 3: Implement Azure security | 15-20% | Identity platform, managed identities, Key Vault, SAS |
| Domain 4: Monitor, troubleshoot, optimize | 5-10% | Application Insights, caching, autoscale |
| Domain 5: Connect to and consume services | 20-25% | API Management, Event Grid, Service Bus, third-party integration |
Notice that Domains 2 and 3 carry identical weight ranges, and together with Domain 1 they represent well over half the exam. That means security implementation isn't a side topic - it's core exam content deserving proportional study time. For the complete picture of all five areas together, revisit the exam domains overview.
Common Mistakes Candidates Make on Security Questions
- Confusing authentication with authorization in scenario wording - the exam is precise about this distinction, and your answer choices should be too.
- Defaulting to storage account keys when a scenario clearly calls for scoped, time-limited access via SAS or Entra ID.
- Overlooking Key Vault access policy vs. RBAC permission models - these are configured differently and the exam may test which one applies to a given setup.
- Treating managed identities as optional rather than the default recommended approach for resource-to-resource authentication.
- Not practicing MSAL code patterns hands-on, which makes code-completion style questions much harder under time pressure.
Once you're comfortable with the identity and secrets-management concepts here, reinforce them with realistic scenario questions on our AZ-204 practice test platform, then cycle back through weaker domains. Repeated exposure to Domain 3-style scenarios - especially ones mixing managed identities with Key Vault and App Service - is one of the most efficient ways to convert conceptual knowledge into exam-day speed. You can also run full-length simulated exams on the practice test site to see how Domain 3 questions blend with the other four areas under real time pressure.
FAQ
Microsoft doesn't publish an exact number, but since Domain 3 is weighted at 15-20% of the exam and most Microsoft certification exams contain roughly 40-60 questions, you can expect a meaningful cluster of security-focused items, though the precise count varies by exam version.
Microsoft doesn't require prerequisites, but it recommends proficiency with Azure SDKs, CLI, and app authentication/authorization concepts. Hands-on practice with Key Vault, managed identities, and MSAL will make scenario questions far easier to answer correctly.
Difficulty is subjective, but Domain 3 requires precise distinctions between similar-sounding mechanisms (SAS vs. managed identity vs. service principal), which some candidates find more conceptually demanding than the broader compute topics in Domain 1. See the difficulty guide for a fuller comparison.
No. Microsoft reports a single scaled score from 1-1000, and you need 700 or higher overall to pass. There's no published per-domain minimum, though ignoring any domain entirely is risky given the overall weighting.
The current skills-measured outline was last updated January 14, 2026, and the certification along with its exam and renewal assessments retire July 31, 2026. Always check the official skills outline close to your test date for any last updates.