
AZ-204 Domain 3: Implement Azure security (15-20%) - Complete Study Guide 2026

TL;DR
  • Domain 3 (Implement Azure security) is worth 15-20% of the AZ-204 exam, the same range as Domain 2 and behind only Domains 1 and 5.
  • Focus areas: Microsoft identity platform, managed identities, SAS tokens, Key Vault, and user authentication/authorization.
  • The exam runs 100 minutes with roughly 40-60 questions across all five domains, so security topics get real airtime.
  • Passing requires a scaled score of 700+ out of 1000; there's no separate per-domain pass threshold.

Domain 3 Overview: What "Implement Azure Security" Actually Covers

Domain 3, Implement Azure security, accounts for 15-20% of the AZ-204 exam according to the official skills measured outline (last updated January 14, 2026). It sits behind only Domain 1 (Develop Azure compute solutions, 25-30%) and Domain 5 (Connect to and consume Azure services and third-party services, 20-25%) in terms of weight. That places it roughly on par with Domain 2 (Develop for Azure storage, 15-20%), and well ahead of Domain 4 (Monitor, troubleshoot, and optimize Azure solutions, 5-10%).

Unlike storage or compute topics, which are largely about provisioning and configuring resources, Domain 3 is about protecting the applications you build elsewhere on the exam. Expect questions that combine an App Service, a Function, or a container with an identity or secrets-management requirement. If you haven't yet reviewed the other content areas, the complete guide to all five AZ-204 content areas is a useful map before you drill into this one.

Why This Domain Trips People Up: Security scenarios on AZ-204 rarely test memorized definitions. They test whether you know which Azure identity mechanism fits a specific scenario - managed identity versus service principal versus SAS token - and that distinction is where most point losses happen.

Core Topics You Must Master

Microsoft's skills-measured outline groups Domain 3 into a handful of practical implementation tasks rather than abstract security theory. Based on the current outline, candidates should be prepared to work hands-on with:

  • The Microsoft identity platform, including app registrations, OAuth 2.0 and OpenID Connect flows, and the Microsoft Authentication Library (MSAL)
  • Managed identities for Azure resources (system-assigned and user-assigned) and how they eliminate credential storage
  • Shared access signatures (SAS) for Blob Storage, Queue Storage, and other storage services, including account SAS vs. service SAS
  • Azure Key Vault for storing and retrieving secrets, keys, and certificates from application code
  • Solution-level security recommendations, including Microsoft Entra ID (formerly Azure AD) roles, conditional access basics as they relate to app development, and role-based access control (RBAC) as applied to app resources

These topics don't exist in isolation. A question about Blob Storage access might actually be testing whether you know a managed identity is a better fit than a SAS token for a server-side app - which means Domain 3 knowledge frequently overlaps with the storage topics in Domain 2's study guide.

Microsoft Identity Platform

Candidates must understand how to register an application, request tokens, and use MSAL libraries to authenticate users and call protected APIs.

  • Difference between v1.0 and v2.0 endpoints and when each applies
  • Scopes, consent, and delegated vs. application permissions
  • Token validation and refresh token handling in application code

Managed Identities

You need to know when to use system-assigned versus user-assigned managed identities and how they interact with Azure RBAC.

  • System-assigned identities are tied to a single resource's lifecycle
  • User-assigned identities can be shared across multiple resources
  • Managed identities remove the need for connection strings or embedded credentials

Shared Access Signatures

SAS tokens grant delegated, time-limited access to storage resources without sharing account keys.

  • Know the difference between account SAS and service SAS scope
  • Understand stored access policies for revocation control
  • Recognize when SAS is appropriate versus when Entra ID authentication is preferred

Identity and Access: Microsoft Identity Platform, Managed Identities, and Shared Access Signatures

This is the heart of Domain 3 and where the exam concentrates most of its scenario-based questions. You'll be asked to reason through situations like: an Azure Function needs to read a secret from Key Vault without storing a client secret in application settings - which authentication approach fits? The expected answer path usually leads to a managed identity that is granted access through a Key Vault access policy or an Azure RBAC role, not a service principal with a hardcoded secret.

Similarly, expect questions where a mobile client needs temporary, scoped access to upload a file directly to Blob Storage. That's a textbook SAS scenario, and the exam will test whether you know to generate a service SAS with the narrowest possible permissions and expiration rather than exposing the storage account key.
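The mobile-upload SAS just described, together with the account versus service SAS and stored access policy points from the Shared Access Signatures list, as a review helper that is an added example here and not code from this guide or the Azure Storage SDK: it reads the SAS query parameters off a blob URL and flags an account SAS, permissions beyond what the client needs, a lifetime longer than policy allows, missing HTTPS enforcement, and the absence of a stored access policy (without one, a service SAS can only be revoked by regenerating the account key). The URLs, the `PLACEHOLDER` signature and the clock are constructed.

```python
# Added example for this guide, not Microsoft's or the Azure Storage SDK's code.
# sv, sr, sp, se, spr, si, ss, srt and sig are the documented SAS query
# parameters; the URLs, clock and policy values below are constructed.
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse


def parse_sas(url: str) -> dict:
    """Flatten the SAS query parameters of a blob URL into a dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def review_sas(url: str, needed: str, max_lifetime: timedelta, now: datetime) -> list:
    """Return finding codes; an empty list means the SAS fits the policy."""
    p = parse_sas(url)
    findings = []
    # ss/srt exist only on an account SAS; a service SAS carries sr instead.
    if "ss" in p or "srt" in p:
        findings.append("account-sas")
    elif p.get("sr") != "b":
        findings.append("scope:" + p.get("sr", "missing"))
    # Permission letters beyond what the client needs (e.g. r, d, l for an upload).
    extra = "".join(sorted(set(p.get("sp", "")) - set(needed)))
    if extra:
        findings.append("excess-permissions:" + extra)
    # se is an ISO 8601 UTC timestamp; enforce a short lifetime from now.
    try:
        expiry = datetime.strptime(p["se"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        findings.append("expiry:missing")
    else:
        if expiry <= now:
            findings.append("expired")
        elif expiry - now > max_lifetime:
            findings.append("lifetime-too-long")
    # spr=https rejects use over plain HTTP; leaving it out allows both.
    if p.get("spr") != "https":
        findings.append("http-allowed")
    # Without a stored access policy (si), revocation means regenerating the account key.
    if "si" not in p:
        findings.append("no-stored-policy")
    return findings


# Constructed: a mobile-upload SAS done well (service SAS, cw only, short expiry, HTTPS only).
GOOD_SAS = ("https://examplestorage.blob.core.windows.net/uploads/photo.jpg"
            "?sv=2022-11-02&sr=b&sp=cw&se=2026-03-01T12:00:00Z&spr=https&sig=PLACEHOLDER")
# Constructed: an account SAS with rwdl on every resource type until midnight, any protocol.
BAD_SAS = ("https://examplestorage.blob.core.windows.net/uploads/photo.jpg"
           "?sv=2022-11-02&ss=b&srt=sco&sp=rwdl&se=2026-03-02T00:00:00Z&sig=PLACEHOLDER")
NOW = datetime(2026, 3, 1, 11, 30, tzinfo=timezone.utc)  # constructed clock
ONE_HOUR = timedelta(hours=1)  # the longest lifetime the policy tolerates
```

Run `review_sas(GOOD_SAS, "cw", ONE_HOUR, NOW)` and the only finding is the advisory `no-stored-policy`; the account SAS trips every other check.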

Key Takeaway

When a Domain 3 scenario involves an Azure resource calling another Azure resource, managed identity is almost always the preferred answer over stored credentials or SAS tokens.

Implementing User Authentication and Authorization

Beyond resource-to-resource identity, Domain 3 also covers user-facing authentication: signing users into a web or mobile app, securing APIs behind Entra ID, and using App Service's built-in authentication (Easy Auth) feature. You should be comfortable with:

  • Configuring App Service authentication providers (Microsoft, Google, Facebook, etc.) without writing custom auth code
  • Securing an API with Entra ID and validating bearer tokens in incoming requests
  • Implementing authorization checks based on app roles or group claims returned in a token
  • Understanding the difference between authentication (who you are) and authorization (what you can do) in the context of Azure resources
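The bearer-token handling behind the second and third bullets, as an added example that is not MSAL's code and not from this guide: once the middleware has verified the token signature against the tenant's signing keys, the API still has to check `aud`, `iss`, `exp` and `nbf`, and then authorize a delegated call from the `scp` claim or an app-only (client credentials) call from the `roles` claim. The tenant id, client id, clock and the three claim sets are constructed.

```python
# Added example for this guide, not from MSAL or Microsoft. Signature and
# signing-key checks are assumed to have run already (MSAL/middleware do that);
# this is the claim validation and scope/role authorization that follows.
# Tenant id, client id, clock and claim sets below are constructed.
import time

TENANT_ID = "00000000-0000-0000-0000-000000000001"
API_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
# v2.0 tokens carry the tenant id and a /v2.0 suffix in the issuer claim.
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
CLOCK_SKEW = 60  # seconds of tolerance on exp/nbf


def validate_claims(claims: dict, now: float = None) -> list:
    """Return the claims that fail; an empty list means the token is acceptable."""
    now = time.time() if now is None else now
    failed = []
    # aud must be this API's client id (or App ID URI); a token for another app is not ours.
    if claims.get("aud") != API_CLIENT_ID:
        failed.append("aud")
    # iss pins the token to our tenant's v2.0 endpoint.
    if claims.get("iss") != EXPECTED_ISSUER:
        failed.append("iss")
    # exp/nbf are epoch seconds; nbf is optional, exp is not.
    if claims.get("exp", 0) + CLOCK_SKEW < now:
        failed.append("exp")
    if claims.get("nbf", 0) - CLOCK_SKEW > now:
        failed.append("nbf")
    return failed


def is_authorized(claims: dict, scope: str = None, role: str = None) -> bool:
    """Delegated tokens list user-consented scopes in scp (space separated);
    app-only tokens list assigned app roles in roles (an array)."""
    scopes = set(claims.get("scp", "").split())
    roles = set(claims.get("roles", []))
    return bool((scope and scope in scopes) or (role and role in roles))


NOW = 1_770_000_000  # constructed epoch time
# Constructed: delegated (user) token where the user consented to Files.Read.
USER_TOKEN = {"aud": API_CLIENT_ID, "iss": EXPECTED_ISSUER, "tid": TENANT_ID,
              "exp": NOW + 3600, "nbf": NOW - 60, "scp": "Files.Read"}
# Constructed: app-only (client credentials) token with an assigned app role.
DAEMON_TOKEN = {"aud": API_CLIENT_ID, "iss": EXPECTED_ISSUER, "tid": TENANT_ID,
                "exp": NOW + 3600, "roles": ["Files.ReadWrite.All"]}
# Constructed: token minted for a different app and already expired.
STRAY_TOKEN = {"aud": "22222222-2222-2222-2222-222222222222", "iss": EXPECTED_ISSUER,
               "exp": NOW - 7200, "scp": "Files.Read"}
```

Note that the user token authorizes through a scope and the daemon token through an app role, never the other way round; that is the delegated versus application permission distinction the exam asks about.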

These topics connect directly to the compute services covered in Domain 1's study guide, since App Service, Functions, and containers are the delivery mechanisms for the identity code you write here.

Securing App Configuration and Secrets

Key Vault appears throughout Domain 3, not just as a standalone service but as a dependency woven into compute and storage scenarios elsewhere on the exam. Candidates should know how to:

  • Create and configure a Key Vault, including access policies versus Azure RBAC-based permission models
  • Retrieve secrets, keys, and certificates from application code using the appropriate SDK
  • Reference Key Vault secrets directly in App Service configuration using Key Vault references
  • Rotate secrets and understand versioning behavior for keys and secrets

Practical Tip: Spin up a free or pay-as-you-go Azure subscription and actually configure a Key Vault reference in an App Service application setting. Reading about it is not the same as watching the resolved value appear at runtime.

How Domain 3 Questions Are Actually Asked

AZ-204 is a proctored Microsoft exam delivered through Pearson VUE test centers or OnVUE online proctoring. Microsoft doesn't publish an exact question count for AZ-204, but most Microsoft certification exams - this one included - typically run 40-60 questions within a 100-minute time limit. Some items are unscored and used for exam calibration, though you won't know which ones during the test.

For Domain 3 specifically, expect:

  • Scenario-based multiple choice questions describing an app requirement and asking which identity mechanism satisfies it
  • "Choose two" or "choose all that apply" formats where partial credit isn't given - you need the complete correct set
  • Possible case studies where a single business scenario spans multiple questions, some touching security and others touching compute or storage
  • Code-completion or "select the missing configuration" style items involving SDK calls to Key Vault or MSAL

Passing requires a scaled score of 700 or higher out of a possible 1000 - there's no separate minimum per domain, so a weak Domain 3 showing can be offset by stronger performance elsewhere, though skipping it entirely is risky given its 15-20% weight. For a full breakdown of exam mechanics and difficulty expectations, see the complete AZ-204 difficulty guide.

Scheduling Domain 3 Inside Your Broader AZ-204 Plan

Because Domain 3 concepts (managed identities, Key Vault, SAS tokens) depend on understanding the compute and storage services they protect, it makes sense to study it after - or in parallel with - Domains 1 and 2 rather than first. Here's one way to sequence a multi-week plan that accounts for this dependency:

Week 1-2: Compute Foundations

  • Work through App Service, Functions, and container basics from Domain 1
  • Build one small deployed app to use as a testbed for later security work

Week 3: Storage Foundations

  • Cover Blob Storage, Cosmos DB basics, and access tiers from Domain 2
  • Note where SAS tokens and storage account keys come up naturally

Week 4: Domain 3 Deep Dive

  • Configure Key Vault and connect it to your test app
  • Implement a managed identity end-to-end and compare it against a SAS-based approach
  • Practice Microsoft identity platform token flows with MSAL

Week 5: Integration and Practice Questions

  • Run scenario-based practice questions mixing Domains 1-3
  • Review Domain 5 connectivity topics since they often overlap with authentication scenarios

If you want a broader, domain-agnostic framework for pacing your overall preparation, the first-attempt study guide covers timing, resource selection, and exam-day logistics in more depth.

How Domain 3 Compares to the Other Four Domains

Seeing Domain 3's weight next to the other four helps with prioritizing study hours proportionally:

| Domain | Weight | Primary Focus |
| --- | --- | --- |
| Domain 1: Develop Azure compute solutions | 25-30% | App Service, Functions, containers, deployment |
| Domain 2: Develop for Azure storage | 15-20% | Blob Storage, Cosmos DB, data connections |
| Domain 3: Implement Azure security | 15-20% | Identity platform, managed identities, Key Vault, SAS |
| Domain 4: Monitor, troubleshoot, optimize | 5-10% | Application Insights, caching, autoscale |
| Domain 5: Connect to and consume services | 20-25% | API Management, Event Grid, Service Bus, third-party integration |

Notice that Domains 2 and 3 carry identical weight ranges, and together with Domain 1 they represent well over half the exam. That means security implementation isn't a side topic - it's core exam content deserving proportional study time. For the complete picture of all five areas together, revisit the exam domains overview.

Common Mistakes Candidates Make on Security Questions

  • Confusing authentication with authorization in scenario wording - the exam is precise about this distinction, and your answer choices should be too.
  • Defaulting to storage account keys when a scenario clearly calls for scoped, time-limited access via SAS or Entra ID.
  • Overlooking Key Vault access policy vs. RBAC permission models - these are configured differently and the exam may test which one applies to a given setup.
  • Treating managed identities as optional rather than the default recommended approach for resource-to-resource authentication.
  • Not practicing MSAL code patterns hands-on, which makes code-completion style questions much harder under time pressure.

Registration Reminder: AZ-204 costs a standard exam fee, and Microsoft states most Associate and Expert-level exams run US$165 (subject to regional variation), booked through Pearson VUE. If you haven't finalized budget and timing, review the complete pricing breakdown before scheduling, especially since this certification and its exam retire on July 31, 2026.

Once you're comfortable with the identity and secrets-management concepts here, reinforce them with realistic scenario questions on our AZ-204 practice test platform, then cycle back through weaker domains. Repeated exposure to Domain 3-style scenarios - especially ones mixing managed identities with Key Vault and App Service - is one of the most efficient ways to convert conceptual knowledge into exam-day speed. You can also run full-length simulated exams on the practice test site to see how Domain 3 questions blend with the other four areas under real time pressure.

FAQ

How many questions on AZ-204 come from Domain 3?

Microsoft doesn't publish an exact number, but since Domain 3 is weighted at 15-20% of the exam and most Microsoft certification exams contain roughly 40-60 questions, you can expect a meaningful cluster of security-focused items, though the precise count varies by exam version.

Do I need hands-on Azure experience to pass Domain 3 questions?

Microsoft doesn't require prerequisites, but it recommends proficiency with Azure SDKs, CLI, and app authentication/authorization concepts. Hands-on practice with Key Vault, managed identities, and MSAL will make scenario questions far easier to answer correctly.

Is Domain 3 harder than Domain 1 or Domain 5?

Difficulty is subjective, but Domain 3 requires precise distinctions between similar-sounding mechanisms (SAS vs. managed identity vs. service principal), which some candidates find more conceptually demanding than the broader compute topics in Domain 1. See the difficulty guide for a fuller comparison.

Does passing AZ-204 require a minimum score on each domain?

No. Microsoft reports a single scaled score from 1-1000, and you need 700 or higher overall to pass. There's no published per-domain minimum, though ignoring any domain entirely is risky given the overall weighting.

Will Domain 3 content change before the exam retires?

The current skills-measured outline was last updated January 14, 2026, and the certification along with its exam and renewal assessments retire July 31, 2026. Always check the official skills outline close to your test date for any last updates.
