SC-900 Microsoft Security Fundamentals Exam

Complete guide to the SC-900 Microsoft Security, Compliance, and Identity Fundamentals exam covering Entra ID, Defender products, Purview, and Sentinel concepts.


The Microsoft Certified: Security, Compliance, and Identity Fundamentals credential, earned by passing the SC-900 exam, occupies a unique position in Microsoft's certification ecosystem. While most fundamentals exams (like AZ-900 and MS-900) focus on a technology stack, the SC-900 cuts across the entire Microsoft cloud portfolio to address a single theme: security, compliance, and identity. These topics appear everywhere in enterprise Microsoft environments, which makes the SC-900 broadly relevant to a wider audience than most fundamentals certifications.

The context for this exam matters. Cybersecurity incidents cost organizations globally an average of $4.45 million per data breach in 2023, according to IBM Security's Cost of a Data Breach Report. Microsoft's security portfolio -- spanning identity management through Entra ID, threat protection through Microsoft Defender, compliance through Microsoft Purview, and governance through Microsoft Sentinel -- has grown into one of the most comprehensive commercial security ecosystems available. Understanding this portfolio at a conceptual level is valuable for anyone making or influencing security purchasing and policy decisions.


SC-900 Exam Overview

The SC-900 exam contains 40-60 questions with 60 minutes allowed. The passing score is 700 out of 1000. All questions are knowledge-based -- there are no performance-based lab simulations. Question formats include multiple choice, multiple select, drag-and-drop, and yes/no scenario questions.

Domain                                                   Approximate Weight
Describe security, compliance, and identity concepts     10-15%
Describe Microsoft Entra capabilities                    25-30%
Describe Microsoft security solutions                    35-40%
Describe Microsoft compliance solutions                  20-25%

Objectives current as of 2024. Verify at learn.microsoft.com/certifications/security-compliance-and-identity-fundamentals.

The SC-900 exam was updated in 2023 to reflect Microsoft's product rebranding -- Azure Active Directory became Microsoft Entra ID, Azure Defender became part of Microsoft Defender for Cloud, and Azure Purview became Microsoft Purview. Candidates must use current product names. Exam questions use the new names exclusively.


Domain 1: Security, Compliance, and Identity Concepts (10-15%)

Zero Trust and Shared Responsibility

Zero Trust -- a security model that assumes no user, device, or network should be inherently trusted, requiring explicit verification for every access request regardless of origin, guided by three principles: verify explicitly, use least-privilege access, and assume breach.

The Zero Trust model is central to Microsoft's security strategy and appears prominently in SC-900 questions. The three guiding principles translate to specific Microsoft capabilities:

  • Verify explicitly: Multi-factor authentication, conditional access policies, identity risk signals
  • Use least-privilege access: Privileged Identity Management, just-in-time access, access reviews
  • Assume breach: Continuous monitoring through Microsoft Sentinel, threat detection through Microsoft Defender, network segmentation through Azure Firewall

The shared responsibility model for cloud security divides security obligations between Microsoft and the customer. Microsoft is always responsible for physical security of datacenters, network infrastructure, and the hypervisor layer. Customers are always responsible for their data and for user access management. Who owns the operating system, network controls, and application security depends on whether the service is IaaS, PaaS, or SaaS.

"The shared responsibility model is not just contractual -- it is operational. Organizations that assume Microsoft handles security end up with unprotected data. Organizations that understand exactly where their responsibility begins configure effective defenses." -- Ann Johnson, Corporate Vice President of Security, Compliance, and Identity Business Development at Microsoft, from the CyberSecurity Unplugged podcast

Defense in Depth

Defense in depth -- a security strategy that employs multiple layers of security controls so that if one layer is breached, additional layers continue to provide protection. Microsoft's conceptual model for defense in depth uses concentric layers:

  1. Physical security: Datacenter access controls (Microsoft's responsibility in cloud deployments)
  2. Identity and access: Authentication, authorization, and access management
  3. Perimeter: DDoS protection, firewalls
  4. Network: Network segmentation, VNet controls, NSGs
  5. Compute: Patch management, endpoint protection, secure baselines
  6. Application: Input validation, output encoding, secrets management
  7. Data: Encryption at rest and in transit, data classification, access controls

Encryption Fundamentals

Encryption at rest: Data stored in Azure is encrypted by default using service-managed encryption keys. Customers can optionally use customer-managed keys stored in Azure Key Vault for additional control.

Encryption in transit: Data moving between Azure services and from Azure to end users is encrypted using TLS (Transport Layer Security). Azure enforces minimum TLS 1.2 for most services.

Azure Key Vault: A managed service for storing and controlling access to secrets (connection strings, API keys), keys (used for data encryption), and certificates. SC-900 tests basic understanding of Key Vault's purpose and the distinction between keys, secrets, and certificates.


Domain 2: Microsoft Entra Capabilities (25-30%)

This is the second-largest domain and tests understanding of Microsoft's identity platform.

Authentication and Authorization

Authentication -- the process of verifying that a user, device, or application is who or what it claims to be. Microsoft Entra ID supports multiple authentication methods:

  • Passwords (weakest, primary target for attacks)
  • Windows Hello for Business (biometric or PIN, tied to a device)
  • Microsoft Authenticator app (push notifications, passwordless phone sign-in)
  • FIDO2 security keys (hardware tokens, strongest phishing-resistant authentication)
  • Temporary Access Pass (time-limited passcode for onboarding and recovery scenarios)

Multi-factor authentication (MFA) requires two or more verification factors from different categories (something you know, something you have, something you are). The SC-900 tests understanding of why MFA is the single most effective defense against account compromise -- Microsoft reports that MFA blocks 99.9% of automated account attacks.

Passwordless authentication eliminates passwords entirely, using Windows Hello, Microsoft Authenticator, or FIDO2 keys. Microsoft's security research shows that passwordless users experience 1/3 the account compromise rate of password-dependent users.

Conditional Access

Conditional Access (CA) policies evaluate signals before granting access: user identity, device compliance state, location (IP address), application being accessed, and sign-in risk score from Entra ID Identity Protection.

Common CA policy patterns tested on SC-900:

  • Require MFA for all users accessing a specific application
  • Block access from countries with no business operations
  • Require Intune-compliant device for accessing corporate email
  • Block legacy authentication protocols (which do not support MFA)
  • Require password change for users with high-risk sign-ins
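To make the evaluation behind these patterns concrete, here is an added example (not Microsoft's engine or any Entra API; the control names, application names and the country code ZZ are placeholders) that encodes the five policies above and evaluates a sign-in's signals against them, reporting a block, a grant, or the grant controls still unmet:

```python
from dataclasses import dataclass, field
# Controls a policy can impose (constructed names, not Entra's own API values).
BLOCK, REQUIRE_MFA = "block", "require_mfa"
REQUIRE_COMPLIANT_DEVICE, REQUIRE_PASSWORD_CHANGE = "require_compliant_device", "require_password_change"
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}  # Identity Protection sign-in risk levels

@dataclass
class SignIn:
    user: str
    app: str
    country: str            # resolved from the client IP by the platform
    device_compliant: bool  # Intune compliance state reported for the device
    legacy_auth: bool       # client uses a protocol that cannot perform MFA
    risk: str               # "none", "low", "medium" or "high"
    mfa_completed: bool = False

@dataclass
class Policy:
    name: str
    control: str
    apps: set = field(default_factory=set)               # empty = every application
    blocked_countries: set = field(default_factory=set)  # empty = any location
    min_risk: str = ""                                   # "" = any risk level
    legacy_auth_only: bool = False

def applies(p: Policy, s: SignIn) -> bool:
    """A policy is in scope only when every assignment condition it sets matches the sign-in."""
    return ((not p.apps or s.app in p.apps)
            and (not p.blocked_countries or s.country in p.blocked_countries)
            and (not p.min_risk or RISK_ORDER[s.risk] >= RISK_ORDER[p.min_risk])
            and (not p.legacy_auth_only or s.legacy_auth))

def evaluate(policies, s: SignIn):
    """Block from any matching policy wins; otherwise every grant control of every matching policy must be met."""
    matched = [p for p in policies if applies(p, s)]
    if any(p.control == BLOCK for p in matched):
        return "blocked", [BLOCK]
    unmet = []
    for p in matched:
        if p.control == REQUIRE_MFA and not s.mfa_completed:
            unmet.append(REQUIRE_MFA)
        elif p.control == REQUIRE_COMPLIANT_DEVICE and not s.device_compliant:
            unmet.append(REQUIRE_COMPLIANT_DEVICE)
        elif p.control == REQUIRE_PASSWORD_CHANGE:  # must be satisfied by the user before access
            unmet.append(REQUIRE_PASSWORD_CHANGE)
    return ("granted" if not unmet else "controls_required"), unmet

POLICIES = [  # the five patterns listed above; app names and country code ZZ are placeholders
    Policy("Require MFA for FinanceApp", REQUIRE_MFA, apps={"FinanceApp"}),
    Policy("Block non-business countries", BLOCK, blocked_countries={"ZZ"}),
    Policy("Require compliant device for Exchange Online", REQUIRE_COMPLIANT_DEVICE, apps={"Exchange Online"}),
    Policy("Block legacy authentication", BLOCK, legacy_auth_only=True),
    Policy("Require password change on high-risk sign-in", REQUIRE_PASSWORD_CHANGE, min_risk="high"),
]
```

Note that a block from any one policy overrides every grant control, which is why the legacy-authentication block still fires on a fully compliant device.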

External Identities

Azure AD B2B (Business-to-Business) -- enables organizations to share resources with external partners and guests using their own identity providers. Guests receive access to specific resources without requiring a separate account in the host organization's directory.

Azure AD B2C (Business-to-Consumer) -- customer identity and access management for consumer-facing applications. Organizations use B2C to manage user accounts, sign-up/sign-in experiences, and social identity provider integration (Google, Facebook, Apple) for their applications.

Feature          B2B                              B2C
Primary Use      Partner/guest collaboration      Consumer app user management
Identity Source  External organization identity   Social or local accounts
User Volume      Hundreds to thousands            Thousands to millions
Customization    Limited                          Extensive (custom policies)

Privileged Identity Management

Privileged Identity Management (PIM) -- a Microsoft Entra ID P2 service that provides just-in-time access to privileged roles in Azure and Microsoft 365, reducing the risk of permanent privileged access.

With PIM, users are made eligible for roles rather than assigned them. When they need to perform privileged tasks, they activate the role for a limited time period (typically 1-8 hours), with optional MFA requirement and approval workflow. All activations are logged for audit purposes.

"Privileged Identity Management changed how we think about admin access. When we moved from permanent Global Admin assignments to PIM-managed eligibility, the attack surface for our most sensitive accounts shrank dramatically overnight." -- Nasrin Rezai, Chief Information Security Officer, Verizon, from the Microsoft Security Customer Stories series


Domain 3: Microsoft Security Solutions (35-40%)

This largest domain covers Microsoft Defender products, Microsoft Sentinel, and Azure security services.

Microsoft Defender Products

Microsoft Defender has evolved from a Windows endpoint tool into a family of security products spanning identity, endpoints, applications, cloud workloads, and data.

Product                                        Protects
Microsoft Defender for Endpoint                Windows, macOS, Linux, iOS, Android endpoints
Microsoft Defender for Identity                Active Directory and Entra ID identities
Microsoft Defender for Office 365              Exchange Online, SharePoint, Teams
Microsoft Defender for Cloud Apps              SaaS applications (shadow IT discovery, app governance)
Microsoft Defender for Cloud                   Azure, multi-cloud, and hybrid workloads
Microsoft Defender Vulnerability Management    Asset inventory, vulnerability scanning

Microsoft Defender XDR (Extended Detection and Response) integrates signals from all Defender products into a unified detection and response platform, correlating alerts across domains to surface multi-stage attack chains that would appear as isolated incidents in individual product consoles.

Microsoft Sentinel

Microsoft Sentinel -- a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platform built on Azure Log Analytics. It collects security data from across an organization, applies machine learning to detect anomalies and threats, and enables automated response through playbooks.

The SC-900 tests conceptual understanding:

  • Data connectors bring security signals from Microsoft products, third-party tools, and on-premises systems into Sentinel
  • Analytics rules apply logic (KQL queries, machine learning models, Microsoft Security alerts) to detect threats
  • Incidents aggregate correlated alerts into actionable cases for investigation
  • Workbooks visualize security data and trends
  • Playbooks (Azure Logic Apps) automate response actions like blocking IPs, sending notifications, or opening ITSM tickets
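The connector-to-rule-to-incident flow described above, as an added example in plain Python (not Sentinel code; the sign-in records and the known-IP baseline are constructed). Two analytics rules, written as the logic a KQL scheduled rule would express, raise alerts over the records, and alerts that share an account or IP entity are merged into one incident:

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SigninLogs-like records (made up for this example; times are UTC).
SIGNIN_LOGS = [json.loads(line) for line in """
{"time": "2024-05-01T08:00:05+00:00", "user": "alice@example.test", "ip": "203.0.113.7", "result": "failure"}
{"time": "2024-05-01T08:00:09+00:00", "user": "bob@example.test", "ip": "203.0.113.7", "result": "failure"}
{"time": "2024-05-01T08:00:14+00:00", "user": "carol@example.test", "ip": "203.0.113.7", "result": "failure"}
{"time": "2024-05-01T08:00:20+00:00", "user": "dave@example.test", "ip": "203.0.113.7", "result": "failure"}
{"time": "2024-05-01T08:00:31+00:00", "user": "erin@example.test", "ip": "203.0.113.7", "result": "failure"}
{"time": "2024-05-01T08:02:40+00:00", "user": "erin@example.test", "ip": "203.0.113.7", "result": "success"}
{"time": "2024-05-01T08:05:00+00:00", "user": "alice@example.test", "ip": "198.51.100.9", "result": "success"}
""".strip().splitlines()]
# IPs each account has signed in from before (constructed baseline).
KNOWN_IPS = {"alice@example.test": {"198.51.100.9"}, "erin@example.test": {"192.0.2.44"}}

def _ts(rec):
    return datetime.fromisoformat(rec["time"])

def rule_failures_then_success(logs, threshold=5, window=timedelta(minutes=10)):
    """Scheduled rule: one source IP fails against >= threshold distinct accounts inside the window, then succeeds."""
    by_ip = defaultdict(list)
    for rec in sorted(logs, key=_ts):
        by_ip[rec["ip"]].append(rec)
    alerts = []
    for ip, events in by_ip.items():
        for i, ev in enumerate(events):
            if ev["result"] != "success":
                continue
            failed_users = {e["user"] for e in events[:i]
                            if e["result"] == "failure" and _ts(ev) - _ts(e) <= window}
            if len(failed_users) >= threshold:
                alerts.append({"rule": "FailuresThenSuccess", "user": ev["user"], "ip": ip})
    return alerts

def rule_success_from_unknown_ip(logs, known_ips):
    """Rule: a successful sign-in from an IP never seen before for that account."""
    return [{"rule": "UnknownIpSuccess", "user": r["user"], "ip": r["ip"]} for r in logs
            if r["result"] == "success" and r["ip"] not in known_ips.get(r["user"], set())]

def build_incidents(alerts):
    """Incident creation: alerts sharing an entity (account or IP) are merged into one case."""
    incidents = []
    for alert in alerts:
        merged = {"entities": {alert["user"], alert["ip"]}, "alerts": [alert]}
        for inc in [i for i in incidents if i["entities"] & merged["entities"]]:
            merged["entities"] |= inc["entities"]   # transitive merge through shared entities
            merged["alerts"] = inc["alerts"] + merged["alerts"]
            incidents.remove(inc)
        incidents.append(merged)
    return incidents
```

Running both rules over the sample records and feeding the alerts to build_incidents yields one incident holding two alerts for the same account, which is the correlation an analyst would otherwise have to do by hand across separate alert lists.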

Azure Network Security

Azure DDoS Protection defends Azure-hosted resources against Distributed Denial of Service attacks. The Basic tier is included free for all Azure customers. The Standard tier adds adaptive tuning, attack analytics, and access to the DDoS rapid response team.

Azure Firewall -- a managed, stateful network security service providing both Layer 4 and Layer 7 traffic inspection, application FQDN filtering, and centralized policy management across multiple VNets.

Microsoft Defender for Cloud (formerly Azure Security Center + Azure Defender) provides:

  • Secure Score: A numerical assessment of security posture that rises as more of the active security recommendations are implemented
  • Security recommendations: Specific, prioritized actions to improve security posture
  • Workload protection: Threat detection and protection for VMs, containers, databases, storage, and other workloads

Domain 4: Microsoft Compliance Solutions (20-25%)

Microsoft Purview

Microsoft Purview -- the unified data governance and compliance platform that replaced Azure Purview and the Microsoft 365 compliance center. It provides:

Data Loss Prevention (DLP) -- policies that identify and protect sensitive information (credit card numbers, social security numbers, health records) by monitoring and controlling how it flows through Microsoft 365 services, Teams, and endpoint devices.

Information Protection -- classifies and labels data using sensitivity labels. Labels can apply encryption, visual markings (headers, footers, watermarks), and usage restrictions. The classification and labeling can be automatic (based on content inspection) or manual (user-applied).

Retention policies and retention labels control how long content is kept and when it is deleted. They support regulatory requirements such as GDPR (right to erasure), SEC Rule 17a-4 (immutable records for financial firms), and HIPAA (medical record retention).

eDiscovery -- tools for identifying, preserving, reviewing, and exporting content in response to legal proceedings, regulatory investigations, or internal reviews. Microsoft Purview eDiscovery Premium uses machine learning to reduce review volume through near-duplicate detection and email thread analysis.

Communication compliance monitors Teams, Exchange, and Yammer communications for policy violations including workplace harassment, regulatory language requirements for financial services, and insider risk indicators.

Microsoft Compliance Manager

Compliance Manager -- a risk assessment tool in Microsoft Purview that provides pre-built assessment templates for over 300 regulatory frameworks, measures compliance posture through an overall compliance score, and provides improvement actions mapped to specific regulatory controls.

Compliance Manager differentiates between:

  • Microsoft-managed controls: Security and compliance responsibilities that Microsoft owns and has already implemented in Azure and Microsoft 365 (tested through third-party audits)
  • Customer-managed controls: Compliance requirements that organizations must implement themselves
  • Shared controls: Requirements with both Microsoft and customer responsibilities

Preparation for SC-900

Study Timeline

The SC-900 requires 15-30 hours of preparation for candidates with basic IT familiarity. Candidates from compliance, legal, or risk management backgrounds with no IT experience may need 30-45 hours to develop comfort with technical security concepts.

Best Resources

Resource                                        Type                          Cost
Microsoft Learn SC-900 path                     Structured online course      Free
Microsoft Security documentation                Reference                     Free
SC-900 practice assessments (Microsoft Learn)   Official practice questions   Free
John Savill SC-900 YouTube guide                Video overview                Free

The free Microsoft Learn practice assessment for SC-900 (available on the certification page) provides representative sample questions that accurately reflect the exam format and difficulty level. This is the single most valuable free resource beyond the official learning path.


Frequently Asked Questions

Who should take the SC-900 exam?

The SC-900 is designed for business stakeholders, new IT professionals, and students who want foundational knowledge of Microsoft's security, compliance, and identity services. It is ideal for professionals in compliance, legal, risk management, and procurement roles who interact with Microsoft security products but do not administer them. It is also a useful starting credential for IT professionals entering the security field.

What is the difference between SC-900 and AZ-900?

The AZ-900 covers Azure cloud services broadly, with security as one of four topic areas. The SC-900 focuses exclusively on security, compliance, and identity across all Microsoft cloud services (Azure, Microsoft 365, and Dynamics 365). Candidates who need depth on Microsoft security topics should choose SC-900. Candidates entering Azure cloud infrastructure roles should choose AZ-900.

Does the SC-900 qualify for Microsoft Security Certifications?

The SC-900 is a fundamentals credential and does not fulfill prerequisites for any higher-level security certification. The security associate and expert certifications -- including SC-200 (Security Operations Analyst), SC-300 (Identity and Access Administrator), and SC-400 (Information Protection Administrator) -- have no formal prerequisites but assume significant hands-on security experience.


References

  1. Microsoft. "Exam SC-900: Microsoft Security, Compliance, and Identity Fundamentals." Microsoft Learn, 2024.
  2. IBM Security. "Cost of a Data Breach Report 2023." IBM Security, 2023.
  3. Microsoft. "Zero Trust security model." Microsoft Security documentation, 2024.
  4. Microsoft. "Microsoft Purview documentation." Microsoft Learn, 2024.
  5. Microsoft. "Microsoft Defender XDR overview." Microsoft Security documentation, 2024.
  6. Johnson, Ann. "CyberSecurity Unplugged podcast." Microsoft Security, 2023.
  7. Microsoft. "Microsoft Digital Defense Report 2023." Microsoft Security, 2023.