Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

7. Comprehensive Glossary

This glossary provides concise definitions for the technical terms and Azure services covered throughout this guide. It serves as a quick reference for clarifying concepts and ensuring you understand the specific terminology used in the AZ-500 exam. Reviewing these terms regularly will strengthen your technical vocabulary and improve your performance on terminology-heavy questions.

A

ADX (Azure Data Explorer): The underlying technology for the Microsoft Sentinel long-term data lake.

Agentless Scanning: A vulnerability assessment methodology that uses disk snapshots to analyze VMs, Azure Functions, and Web Apps without installing agents or impacting performance.

AI Guardrails: Safety controls in Azure AI that detect and block malicious prompts and responses.

Always Encrypted: SQL encryption where keys never leave the client—protects against DBA access.

Application Security Group (ASG): A logical grouping of VM network interfaces that can be referenced as a source or destination in NSG rules, so rules do not need to list individual IP addresses.

ASIM (Advanced Security Information Model): The standardization layer in Microsoft Sentinel used for normalizing logs across different sources.

Azure Bastion: A managed service that provides RDP/SSH access to VMs over TLS from the Azure portal or a native client, so the VMs need no public IP.

Azure RBAC: Role-Based Access Control for Azure resource authorization.

C

CIEM (Cloud Infrastructure Entitlement Management): A security solution that manages identity permissions across multi-cloud environments (Azure, AWS, GCP) to enforce least privilege.

Code-to-Cloud: A security approach that provides visibility and protection from the initial source code and dependencies through to the running cloud resources.

Conditional Access: Policy-based access control using signals like location, device, and risk.

Custom Role: User-defined Azure RBAC role with specific permissions.

D

Data Collection Rules (DCR): Azure Monitor configuration defining data sources and destinations.

DDoS Protection Standard: Advanced protection against volumetric and protocol attacks.

Defender EASM: External Attack Surface Management—discovers internet-facing assets.

Defender for DevOps: A service that provides unified security posture management for DevOps platforms like GitHub, GitLab, and Azure DevOps.

Drift Detection: The process of identifying differences between a resource's desired state (defined in IaC) and its actual state in the cloud environment.

Dynamic Data Masking (DDM): Obscures sensitive data in query results without modifying stored data.

E

ExpressRoute Direct: High-bandwidth (up to 100 Gbps) private connection supporting MACSec encryption.

F

FIDO2: Passwordless authentication using hardware security keys.

I

IaC Scanning: The automated analysis of Infrastructure-as-Code templates (Terraform, Bicep, ARM) to detect security misconfigurations before deployment.

J

Just-in-Time (JIT) Access: Time-limited access to VM management ports.

K

Key Vault Crypto Officer: RBAC role for full key management in Key Vault.

M

MACSec: Layer 2 encryption for ExpressRoute Direct connections.

Managed Identity: An Azure-managed service principal that a resource uses to authenticate to Azure services; there are no credentials to store or rotate.

MCP (Model Context Protocol): A protocol used by Microsoft Sentinel to exchange context between security logs and AI reasoning engines.

Microsoft Entra ID: Azure's identity and access management service.

Microsoft Sentinel: A cloud-native SIEM and SOAR platform for unified security operations.

N

Network Security Group (NSG): Stateful firewall for filtering traffic to Azure resources.

O

OATH Tokens: One-time password tokens for MFA.

P

Permissions Creep: The gradual accumulation of unnecessary permissions by an identity over time.

PIM: Privileged Identity Management—time-bound, approval-based privileged access.

Private Endpoint: A network interface with a private IP in your VNet that connects to an Azure PaaS service, so traffic to the service stays off the public internet.

Private Link Service: Provider-side configuration for exposing services via Private Endpoint.

Prompt Injection: An attack where users provide input designed to make an AI model ignore its instructions or output restricted data.

Purge Protection: Prevents purging (permanent deletion) of soft-deleted Key Vault items, and of the vault itself, until the retention period has expired.

R

Resource Policy Contributor: Azure RBAC role for managing Azure Policy.

S

SAS: Shared Access Signature—delegated, limited access to storage.

SBOM (Software Bill of Materials): A formal record containing the details and supply chain relationships of various components used in building software.

Secret Detection: The automated process of scanning code repositories to identify and prevent the exposure of sensitive credentials.

Service Endpoint: Extends the identity of a VNet subnet to an Azure service over the Azure backbone; the service keeps its public endpoint but can restrict access to that subnet, and no private IP is allocated.

Service SAS: SAS scoped to a single storage service (blob, queue, table, file).

Snapshot-Based Assessment: The process used by agentless scanning to analyze a VM's disk by creating and mounting a point-in-time snapshot in an isolated environment.

SOAR (Security Orchestration, Automation, and Response): A technology that allows organizations to automate security response tasks via playbooks.

Soft Delete: Recoverable deletion for Key Vault items and storage data.

Standardized Account Entities: A consistent naming and mapping logic in Microsoft Sentinel that enables cross-entity correlation and investigation.

T

TDE: Transparent Data Encryption—encrypts entire database at rest.

U

UDR: User-Defined Route—custom routing to override Azure default routes.

UEBA (User and Entity Behavior Analytics): A feature that uses machine learning to detect anomalous behavior by users and entities.

UNMASK: SQL permission that lets a principal see the original, unmasked values in query results despite Dynamic Data Masking.

V

Virtual Network Manager: Centralized network management at scale.

W

WAF: Web Application Firewall—protects web applications against common attacks such as those in the OWASP Top 10 (SQL injection, cross-site scripting).

Written by Alvin Varughese, Founder, 15 professional certifications.