
The SC-900: Microsoft Security, Compliance, and Identity Fundamentals exam is designed for individuals seeking a foundational understanding of Microsoft’s security, compliance, and identity (SCI) capabilities, particularly within cloud-based environments and Microsoft services. This certification is ideal for anyone interested in exploring Microsoft’s SCI solutions, including:
- Business stakeholders seeking insight into organizational security and compliance strategies
- IT professionals, whether new to the field or expanding their expertise
- Students preparing for a career in cloud and security technologies
Recommended Background
While no advanced technical knowledge is required, a basic familiarity with Microsoft Azure and Microsoft 365 is beneficial. Candidates should be interested in learning how Microsoft’s SCI offerings integrate across these platforms to deliver comprehensive, end-to-end security and compliance solutions.
Exam Details
The SC-900: Microsoft Security, Compliance, and Identity Fundamentals exam is an entry-level certification designed for individuals starting their journey in cybersecurity, particularly those aspiring to roles such as Security Engineer. The assessment is 45 minutes in duration and is proctored, meaning it must be taken under supervision, and open-book resources are not permitted. In addition to traditional question formats, the exam may include interactive tasks to assess practical understanding of key concepts.
To successfully pass the exam, candidates must achieve a minimum score of 700. Microsoft also provides accommodations for individuals who use assistive technology, require extended time, or need specific modifications to the exam experience—such accommodations can be requested during the registration process.
Course Outline
The exam covers the following topics:
1. Understand the Concepts of Security, Compliance, and Identity (10–15%)
Describe security and compliance concepts
- Describe the shared responsibility model (Microsoft Documentation: shared responsibility model, Shared responsibility in the cloud)
- Define defense in depth (Microsoft Documentation: What is defense in depth?)
- Describe the Zero-Trust model (Microsoft Documentation: zero-trust methodology)
- Describe encryption and hashing (Microsoft Documentation: Describe security and compliance concepts)
- Describe Governance, Risk, and Compliance (GRC) concepts
Define identity concepts
- Define identity as the primary security perimeter (Microsoft Documentation: Identity as the primary security perimeter)
- Define authentication (Microsoft Documentation: Authentication vs. authorization)
- Define authorization (Microsoft Documentation: Authentication vs. authorization)
- Describe identity providers (Microsoft Documentation: Identity Providers for External Identities)
- Describe the concept of directory services and Active Directory
- Describe the concept of Federation (Microsoft Documentation: federation with Azure AD)
2. Understand the capabilities of Microsoft Entra (25–30%)
Describe the basic identity services and identity types of Microsoft Entra ID
- Describe Microsoft Entra ID
- Describe types of identities
- Describe hybrid identity (Microsoft Documentation: concept of hybrid identities)
Describe the authentication capabilities of Microsoft Entra ID
- Describe the authentication methods (Microsoft Documentation: authentication and verification methods)
- Describe Multi-factor Authentication (MFA) (Microsoft Documentation: Azure AD Multi-Factor Authentication, Configure Azure AD Multi-Factor Authentication settings)
- Describe password protection and management capabilities (Microsoft Documentation: password protection and management capabilities of Azure AD, Eliminate bad passwords using Azure Active Directory Password Protection, Enforce on-premises Azure AD Password Protection for Active Directory Domain Services)
Describe access management capabilities of Microsoft Entra ID
- Describe Conditional Access (Microsoft Documentation: Define Conditional Access)
- Describe Microsoft Entra roles and role-based access control (RBAC)
Describe the identity protection and governance capabilities of Microsoft Entra
- Describe Microsoft Entra ID Governance
- Describe access reviews (Microsoft Documentation: Azure AD entitlement management, Azure AD access reviews)
- Describe the capabilities of Microsoft Entra Privileged Identity Management (PIM) (Microsoft Documentation: capabilities of Privileged Identity Management)
- Describe Entra ID Protection
- Describe Microsoft Entra Permissions Management
3. Explore the capabilities of Microsoft Security Solutions (35–40%)
Describe core infrastructure security services in Azure
- Describe Azure distributed denial-of-service (DDoS) Protection (Microsoft Documentation: Azure DDoS Protection Standard)
- Describe Azure Firewall (Microsoft Documentation: Azure Firewall)
- Describe Web Application Firewall (WAF) (Microsoft Documentation: Azure Web Application Firewall)
- Describe Network Segmentation with Azure Virtual Networks
- Describe Network Security Groups (NSGs) (Microsoft Documentation: Network security groups)
- Describe Azure Bastion (Microsoft Documentation: Azure Bastion)
- Describe Azure Key Vault
Describe security management capabilities of Azure
- Describe Microsoft Defender for Cloud (Microsoft Documentation: Microsoft Defender for Cloud)
- Describe Cloud security posture management (CSPM) (Microsoft Documentation: Manage cloud platform security)
- Describe how security policies and initiatives improve the cloud security posture
- Describe the enhanced security features provided by cloud workload protection
Describe security capabilities of Microsoft Sentinel
- Define the concepts of security information and event management (SIEM) and security orchestration automated response (SOAR) (Microsoft Documentation: concepts of SIEM, SOAR)
- Describe threat detection and mitigation capabilities in Microsoft Sentinel
Describe threat protection with Microsoft Defender XDR
- Describe Microsoft Defender XDR services
- Describe Microsoft Defender for Office 365 (Microsoft Documentation: Office 365 Security, Microsoft Defender for Office 365)
- Describe Microsoft Defender for Endpoint (Microsoft Documentation: Microsoft Defender for Endpoint)
- Describe Microsoft Defender for Cloud Apps (Microsoft Documentation: Microsoft Defender for Cloud Apps overview)
- Describe Microsoft Defender for Identity (Microsoft Documentation: Microsoft Defender for Identity)
- Describe Microsoft Defender Vulnerability Management
- Describe Microsoft Defender Threat Intelligence (Defender TI)
- Describe the Microsoft Defender portal (Microsoft Documentation: Visit the Microsoft 365 Defender portal)
4. Understand the Capabilities of Microsoft Compliance Solutions (20–25%)
Describe Microsoft’s Service Trust Portal and privacy principles
- Describe the Service Trust Portal offerings (Microsoft Documentation: Get started with Microsoft Service Trust Portal)
- Describe the privacy principles of Microsoft (Microsoft Documentation: Privacy overview)
- Describe Microsoft Priva
Describe the compliance management capabilities of Microsoft Purview
- Describe the Microsoft Purview compliance portal (Microsoft Documentation: Microsoft Purview compliance portal)
- Describe Compliance Manager (Microsoft Documentation: Microsoft Compliance Manager)
- Describe the use and benefits of compliance score (Microsoft Documentation: Understanding your compliance score)
Describe information protection, data lifecycle management, and data governance capabilities of Microsoft Purview
- Describe data classification capabilities (Microsoft Documentation: Know your data – data classification, data classification capabilities in the Microsoft 365 Compliance Center)
- Describe the benefits of content explorer and activity explorer (Microsoft Documentation: activity explorer, content explorer)
- Describe sensitivity labels and sensitivity label policies (Microsoft Documentation: sensitivity labels)
- Describe Data Loss Prevention (DLP) (Microsoft Documentation: Overview of data loss prevention, Data loss prevention)
- Describe Records Management (Microsoft Documentation: records management in Microsoft 365)
- Describe retention policies, retention labels, and retention label policies (Microsoft Documentation: retention policies and retention labels)
- Describe unified data governance solutions in Microsoft Purview
Describe insider risk, eDiscovery, and audit capabilities in Microsoft Purview
- Describe insider risk management (Microsoft Documentation: insider risk management in Microsoft 365)
- Describe eDiscovery solutions in Microsoft Purview
- Describe audit solutions in Microsoft Purview
Microsoft Certification Exam Policies
Microsoft has implemented a robust set of certification exam policies to uphold the integrity, fairness, and global credibility of its certification program. These guidelines are designed to provide a consistent, secure, and equitable testing experience for all candidates, whether they are taking exams remotely or at authorized testing centers. By adhering to these policies, candidates help maintain the high standards and professional value associated with Microsoft certifications.
Exam Retake Policy
If a candidate does not pass a Microsoft certification exam on their first try, a 24-hour waiting period is required before retaking it. For subsequent attempts (from the second to the fifth), a 14-day waiting period must be observed between each try. To ensure the integrity of the certification process, Microsoft limits candidates to five exam attempts within a 12-month period, starting from the date of the first attempt.
Rescheduling and Cancellation Policy
Microsoft offers flexibility for candidates needing to reschedule or cancel their exams. Changes made at least six business days prior to the scheduled exam date can be processed without incurring any fees. However, any modifications made within five business days of the exam may result in additional charges. Failing to appear for the exam or canceling with less than 24 hours’ notice will lead to the forfeiture of the entire exam fee. Candidates facing documented emergencies or requiring special accommodations due to accessibility needs may request exceptions, which Microsoft will consider upon submission of appropriate documentation.
Microsoft SC-900 Exam Study Guide
Step 1: Understand the Exam Objectives
Start your preparation by carefully reviewing the official exam skills outline available on Microsoft Learn or the certification exam page. The SC-900 exam evaluates your foundational knowledge across major domains. Understanding these objectives helps you grasp the scope of the exam and ensures your preparation covers all required topics. Take note of subtopics within each domain and familiarize yourself with key technologies and services such as Microsoft Entra, Defender, Purview, and compliance manager.
Step 2: Assess Your Current Knowledge
Before jumping into study materials, take time to assess where you currently stand. Ask yourself how familiar you are with Microsoft Azure, Microsoft 365, and identity and security concepts. You might want to use informal quizzes or diagnostic tools to test your baseline knowledge. This will help you identify areas where you’re already strong and areas that require deeper study. Having this clarity allows you to focus your time and energy more efficiently throughout your preparation.
Step 3: Follow Microsoft Learning Paths
Microsoft provides official, free learning paths tailored specifically for the SC-900 exam through the Microsoft Learn platform. These interactive, self-paced modules are designed to align directly with the exam objectives. Each module includes explanations, real-world scenarios, and hands-on labs where applicable. These learning paths help reinforce your understanding through both theoretical knowledge and practical application, making them an essential resource in your study plan. The modules are:
- Concepts of security, compliance, and identity
- Understand the capabilities of Microsoft Entra
- Learn about Microsoft security solutions
- Understand the capabilities of Microsoft Priva and Microsoft Purview
Step 4: Join Study Groups and Online Communities
Connecting with others who are also preparing for the SC-900 exam can enhance your learning experience. Look for study groups, forums, or communities on platforms like LinkedIn, Reddit, or Tech Community. Engaging in discussions, asking questions, and sharing resources can give you new perspectives, clarify doubts, and keep you motivated. Many learners also share exam tips, preparation strategies, and common areas of difficulty that can guide your approach.
Step 5: Take SC-900 Practice Tests
Practice tests are a critical part of exam preparation. They help you get familiar with the exam format, question style, and time constraints. Use practice exams from reputable sources to simulate the real test environment. After completing each practice test, review your answers carefully—especially the ones you got wrong—to understand the reasoning behind the correct options. This not only reinforces your learning but also helps reduce anxiety on exam day.