SC-900 Security Fundamentals Study Guide for 2026
The Microsoft Security, Compliance, and Identity Fundamentals (SC-900) certification has become increasingly important for IT professionals entering the security field. Whether you're transitioning into cybersecurity or seeking to validate foundational knowledge, this SC-900 study guide provides the comprehensive coverage you need to pass the exam on your first attempt.
Understanding the SC-900 Certification
The SC-900 is Microsoft's entry-level security certification designed to establish foundational knowledge across security, compliance, and identity concepts. Unlike advanced certifications that require hands-on experience, the SC-900 focuses on conceptual understanding and awareness of Microsoft's security and compliance solutions.
Who Should Take SC-900
This certification suits multiple professional profiles:
- IT professionals beginning their security journey
- Help desk and support staff moving toward security roles
- Compliance and risk management professionals
- Non-technical managers overseeing security initiatives
- Project managers working on security implementations
- Anyone preparing for advanced Azure security certifications like AZ-500
The SC-900 serves as a natural stepping stone. Many professionals use it to build confidence before pursuing more demanding certifications. It's also valuable for those in non-technical roles who need security awareness without deep technical implementation skills.
Exam Format and Scoring
The SC-900 exam follows these specifications:
- Duration: 45-60 minutes
- Question count: 40-60 questions
- Passing score: 700 out of 1000
- Question types: Multiple choice, drag-and-drop, and case studies
- Languages: Available in multiple languages
- Delivery: Online proctored or testing center
The exam measures your ability to understand security principles, identify appropriate Microsoft solutions, and apply compliance concepts to real-world scenarios. Questions often present situations requiring you to select the best solution from multiple options.
SC-900 Exam Domains Breakdown
The SC-900 exam covers four distinct domains, each with specific weightings. Understanding this breakdown helps you allocate study time effectively.
| Domain | Topics | Exam Weight |
|---|---|---|
| Security, Compliance, and Identity Concepts | Zero Trust, defense in depth, shared responsibility, identity types, authentication | 10-15% |
| Microsoft Entra ID Capabilities | Authentication methods, SSO, MFA, Conditional Access, identity governance | 25-30% |
| Microsoft Security Solutions | Defender suite, cloud security, threat protection, vulnerability management | 35-40% |
| Microsoft Compliance Solutions | Purview, Data Loss Prevention, information protection, compliance manager | 20-25% |
Domain 1: Security, Compliance, and Identity Concepts (10-15%)
This foundational domain establishes the terminology and principles underlying all Microsoft security solutions.
Zero Trust Architecture
Zero Trust represents a fundamental shift from perimeter-based security to verification-based security. The core principle is "never trust, always verify" - every access request requires authentication and authorization, regardless of source.
Zero Trust operates on these principles:
- Verify explicitly using available data points (user identity, device, service, location, data classification)
- Use least privilege access with just-in-time and just-enough-access (JIT/JEA)
- Assume breach and minimize blast radius through segmentation and microsegmentation
- Encrypt data in transit and at rest
- Monitor and analyze all traffic and log data
- Automate remediation when possible
Unlike traditional security models that trust everything inside the network perimeter, Zero Trust requires continuous verification.
Defense in Depth
Defense in depth (also called layered defense) uses multiple security layers. If one layer is compromised, others provide protection. Microsoft implements this through:
- Physical security (data center access controls)
- Network security (firewalls, DDoS protection, network segmentation)
- Application security (input validation, secure coding)
- Data security (encryption, classification, access controls)
- Identity and access management (MFA, Conditional Access)
Shared Responsibility Model
Cloud computing distributes security responsibilities between Microsoft and the customer based on service type:
For Software as a Service (SaaS) like Microsoft 365:
- Microsoft secures the infrastructure, platform, and application
- Customers secure user access, data, accounts, and devices
For Platform as a Service (PaaS) like Azure App Service:
- Microsoft secures infrastructure and platform
- Customers secure application code, data, and access
For Infrastructure as a Service (IaaS) like Virtual Machines:
- Microsoft secures physical hardware and networking
- Customers secure operating systems, applications, data, and access
Understanding this model prevents assuming Microsoft handles security that remains your responsibility.
Domain 2: Microsoft Entra ID Capabilities (25-30%)
Microsoft Entra ID (formerly Azure Active Directory) is central to modern identity management. This domain carries one of the heaviest weightings on the exam, making it critical for exam success.
Authentication vs. Authorization
Authentication verifies who someone is. Authorization determines what they can access.
- Authentication: "Are you really John Smith?" (Username/password verification)
- Authorization: "Can John Smith access the payroll system?" (Permission verification)
Authentication Methods
Modern authentication goes far beyond passwords:
- Password authentication (basic but vulnerable)
- Multi-factor authentication (MFA) requiring multiple proof types
- Passwordless sign-in using Windows Hello, FIDO2 keys, or Microsoft Authenticator app
- Certificate-based authentication for devices and services
Single Sign-On (SSO)
SSO allows users to authenticate once and access multiple applications without re-authenticating. When you sign into Microsoft 365, you automatically access OneDrive, Teams, and other applications without entering credentials again.
Entra ID acts as the identity provider for SSO, particularly for cloud applications and services integrated with Microsoft 365.
Multi-Factor Authentication (MFA)
MFA requires at least two verification methods before granting access. Common combinations include:
- Something you know (password or PIN)
- Something you have (phone or hardware token)
- Something you are (biometric like fingerprint or facial recognition)
MFA dramatically reduces account compromise risk even if passwords are stolen.
Conditional Access
Conditional Access policies enforce access requirements based on conditions. Examples include:
- Require MFA for users accessing resources from outside the corporate network
- Block access from high-risk locations
- Require compliant devices for sensitive applications
- Require password change for risky sign-ins
Conditional Access enables dynamic security postures that adapt to risk factors.
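To make the policy model concrete, here is a small simulation of how Conditional Access combines sign-in signals with policy assignments and grant controls. This is an added illustration, not Microsoft's code: the real evaluation happens inside Microsoft Entra ID at sign-in time, and the field names (`SignInSignals`, `Policy`, `evaluate`, the `grant` values) are assumptions chosen for this example. The four policies correspond to the examples listed above, with "high-risk" modelled as a sign-in risk level rather than a named location.

```python
"""Simplified model of Conditional Access policy evaluation.

Added illustration, not Microsoft code. Real Conditional Access is a cloud
service evaluated by Microsoft Entra ID at sign-in; the data model below is
an assumption chosen to show how signals, assignments and grant controls fit
together.
"""
from dataclasses import dataclass, field


@dataclass
class SignInSignals:
    """Signals available for one sign-in attempt (constructed for the example)."""
    user_group: str          # e.g. "finance", "engineering"
    app: str                 # target cloud application
    device_compliant: bool   # compliance state reported by device management
    trusted_location: bool   # request comes from a trusted network location
    sign_in_risk: str        # "none" | "low" | "medium" | "high"
    mfa_satisfied: bool      # strong authentication already completed


@dataclass
class Policy:
    """One policy: assignments (when it applies) plus one grant control."""
    name: str
    apps: set = field(default_factory=set)          # empty set = all apps
    user_groups: set = field(default_factory=set)   # empty set = all users
    only_outside_trusted: bool = False              # apply only off-network
    min_risk: str = "none"                          # apply at this risk or above
    grant: str = "allow"   # "allow" | "block" | "require_mfa" | "require_compliant_device"


RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


def policy_applies(p: Policy, s: SignInSignals) -> bool:
    """Assignment check: does this policy target the sign-in at all?"""
    if p.apps and s.app not in p.apps:
        return False
    if p.user_groups and s.user_group not in p.user_groups:
        return False
    if p.only_outside_trusted and s.trusted_location:
        return False
    return RISK_ORDER[s.sign_in_risk] >= RISK_ORDER[p.min_risk]


def evaluate(policies, s: SignInSignals):
    """Return (decision, names of the policies that applied).

    All matching policies are enforced together: a block always wins,
    otherwise every required control must be satisfied before access is
    granted. Decisions: "granted", "mfa_required" or "blocked".
    """
    applied = [p for p in policies if policy_applies(p, s)]
    names = [p.name for p in applied]
    grants = {p.grant for p in applied}
    if "block" in grants:
        return "blocked", names
    if "require_compliant_device" in grants and not s.device_compliant:
        return "blocked", names          # unmanaged/non-compliant device
    if "require_mfa" in grants and not s.mfa_satisfied:
        return "mfa_required", names     # user is prompted for a second factor
    return "granted", names


# Policies modelled on the examples in the text (constructed).
POLICIES = [
    Policy("MFA outside corporate network", only_outside_trusted=True, grant="require_mfa"),
    Policy("Block high-risk sign-ins", min_risk="high", grant="block"),
    Policy("Compliant device for payroll", apps={"payroll"}, grant="require_compliant_device"),
    Policy("MFA for finance staff", user_groups={"finance"}, grant="require_mfa"),
]

if __name__ == "__main__":
    # A remote worker on a personal (non-compliant) laptop opening payroll.
    remote_personal = SignInSignals("engineering", "payroll", False, False, "none", True)
    print(evaluate(POLICIES, remote_personal))   # ('blocked', [...])
```

The point worth noticing is that the remote worker is blocked by the device requirement even though MFA was satisfied: grant controls are additive, which is why "require managed devices and MFA" is the Zero Trust answer to the personal-device scenario rather than MFA alone.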
Identity Governance
Identity governance ensures users have appropriate access levels throughout their lifecycle:
- Onboarding: Granting necessary access when joining
- Ongoing: Ensuring access remains appropriate as roles change
- Offboarding: Removing access when departing
Entra ID Governance provides access reviews, entitlement management, and lifecycle workflows.
Domain 3: Microsoft Security Solutions (35-40%)
This largest domain covers Microsoft's comprehensive security solutions spanning endpoints, cloud infrastructure, and threat intelligence.
Microsoft Defender Suite Overview
Microsoft Defender represents an integrated security ecosystem:
Defender for Cloud
Defender for Cloud protects cloud workloads across Azure, on-premises, and multicloud environments. It provides:
- Continuous vulnerability assessment for VMs and container registries
- Security posture management showing compliance gaps
- Cloud security posture management (CSPM) analyzing misconfigurations
- Threat protection detecting suspicious activities
- Regulatory compliance tracking against standards like PCI-DSS and HIPAA
Defender for Endpoint
Defender for Endpoint protects devices (Windows, Mac, Linux) through:
- Behavioral threat detection identifying suspicious actions
- Automated investigation and remediation reducing response time
- Threat and vulnerability management identifying weaknesses
- Attack surface reduction blocking attack vectors before exploitation
- Device discovery finding and inventorying all devices on the network
Defender for Office 365
Defender for Office 365 protects Microsoft 365 against threats:
- Safe Attachments detects malware in email attachments before they reach inboxes
- Safe Links protects against malicious URLs in emails and documents
- Anti-phishing policies identify spoofed senders and suspicious messages
- Anti-spam filtering reduces unwanted email volume
Defender for Cloud Apps
Defender for Cloud Apps provides visibility and control over cloud applications:
- Cloud Discovery identifies shadow IT applications users access
- Information protection preventing data leakage
- Threat detection identifying suspicious behavior
- Risk-based access controls adjusting permissions based on risk
Defender for Identity
Defender for Identity uses on-premises signals to detect identity-based attacks:
- Lateral movement detection identifying suspicious movement between systems
- Compromise assessment identifying exposed credentials and weak protocols
- Domain dominance detection preventing complete network compromise
Security Information and Event Management (SIEM) and Extended Detection and Response (XDR)
Microsoft Sentinel serves as Microsoft's SIEM solution, collecting security data from across the environment. Microsoft's XDR approach (extended detection and response) correlates signals from Defender products to provide comprehensive threat visibility.
Threat Intelligence and Attack Simulation
Microsoft provides threat intelligence integrated into security solutions. Attack simulation tools help organizations test security controls and user awareness without real attacks.
Domain 4: Microsoft Compliance Solutions (20-25%)
Organizations must meet regulatory requirements and industry standards. Microsoft Purview provides comprehensive compliance solutions.
Microsoft Purview Overview
Purview combines compliance management, information protection, and governance solutions:
Compliance Manager
Compliance Manager tracks regulatory requirements and compliance status:
- Shows compliance gaps against standards (GDPR, HIPAA, PCI-DSS, ISO 27001, etc.)
- Provides detailed improvement actions with guidance
- Tracks control implementation progress
- Generates compliance reports for auditors and regulators
- Calculates compliance score showing overall posture
Information Protection and Data Lifecycle Management
Organizations must protect sensitive data and manage its lifecycle:
- Sensitive information types identify data patterns (credit card numbers, social security numbers, medical records)
- Sensitivity labels classify information (Public, Internal, Confidential, Highly Confidential)
- Automatic labeling applies labels based on content patterns
- Content retention policies maintain data according to legal holds and regulations
- Records management declares data as records preventing deletion until retention expires
Data Loss Prevention (DLP)
DLP prevents accidental or intentional data exposure:
- Policy rules identify sensitive data in emails and documents
- Automatic enforcement blocks transmission or alerts users
- Endpoint DLP extends protection to devices
- Reports show policy violations helping identify problematic behaviors
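The two sections above (sensitive information types and DLP enforcement) can be tied together with a toy scanner. This is an added example, not Purview code: Purview's built-in sensitive information types combine a pattern, a checksum and supporting evidence to reach a confidence level, and this snippet reproduces that shape for payment card numbers only. The function names (`find_card_numbers`, `scan_message`), the keyword list and the sample email are assumptions constructed for the example.

```python
"""Toy DLP scan: detect a sensitive information type, then apply a policy rule.

Added illustration, not Microsoft Purview code. The detection logic mirrors
the general shape of a built-in sensitive information type (pattern +
checksum + supporting keywords); the enforcement rule is a constructed
example of "block transmission or alert the user".
"""
import re
from dataclasses import dataclass

# 13-16 digits, optionally separated by spaces or hyphens.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# Supporting evidence that raises confidence from medium to high.
KEYWORDS = ("card", "visa", "mastercard", "cvv", "expiry")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects most random digit strings matching the pattern."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return normalized digit strings that match the pattern and pass Luhn."""
    found = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class DlpVerdict:
    matches: int
    confidence: str   # "none" | "medium" | "high"
    action: str       # "allow" | "notify_user" | "block"


def scan_message(text: str, external_recipient: bool) -> DlpVerdict:
    """Apply a constructed DLP rule to one outbound message."""
    cards = find_card_numbers(text)
    if not cards:
        return DlpVerdict(0, "none", "allow")
    has_keyword = any(k in text.lower() for k in KEYWORDS)
    confidence = "high" if has_keyword else "medium"
    # Rule: block high-confidence matches leaving the organization; otherwise
    # show a policy tip so the user can reconsider (the "alert users" path).
    action = "block" if external_recipient and confidence == "high" else "notify_user"
    return DlpVerdict(len(cards), confidence, action)


# Constructed sample content. 4111 1111 1111 1111 is a well-known Luhn-valid
# test number, not a real account; the second string fails the checksum.
SAMPLE_EMAIL = "Hi, please charge my Visa card 4111 1111 1111 1111, expiry 12/27. Thanks"
SAMPLE_ORDER = "Order reference 1234 5678 9012 3456 has shipped."

if __name__ == "__main__":
    print(scan_message(SAMPLE_EMAIL, external_recipient=True))
    print(scan_message(SAMPLE_ORDER, external_recipient=True))
```

The checksum step is what keeps the order-reference line from triggering a false positive, and the keyword step is what separates "notify the user" from "block": the same shape of pattern, corroborating evidence and confidence-based action that the exam expects you to associate with sensitive information types and DLP policy rules.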
Data Governance with Purview Data Map
Purview Data Map catalogs data across the organization:
- Automated scanning discovers data sources
- Classification automatically applies sensitivity labels
- Lineage tracking shows data flow from source to consumption
- Asset ownership assignment ensures accountability
- Access management controls who can view and modify data
eDiscovery Solutions
For legal proceedings and investigations, eDiscovery tools:
- Search for potentially relevant data across email, SharePoint, OneDrive
- Collect and preserve findings while maintaining legal hold
- Review content with advanced filtering
- Generate compliance reports for legal teams
Key Concepts Mastery for SC-900
Certain concepts frequently appear on the SC-900 exam. Understanding these deeply improves your performance.
Zero Trust Principles in Practice
Zero Trust questions often present scenarios requiring you to identify Zero Trust solutions. Consider this example: "An organization wants to ensure remote workers cannot access sensitive data from personal devices."
Zero Trust response: Implement Conditional Access requiring managed devices and MFA. This aligns with "never trust, always verify" by requiring device compliance verification.
Shared Responsibility in Different Service Models
Expect questions distinguishing responsibility across service types. When Microsoft provides a SaaS solution like Microsoft 365, Microsoft handles more security responsibilities than with IaaS. Misunderstanding this causes common exam mistakes.
Authentication Scenarios
The exam tests your ability to recommend authentication solutions for specific situations:
- Scenario: "Users frequently forget passwords." Solution: Implement passwordless sign-in using Windows Hello or Authenticator app.
- Scenario: "Competitors are in the same building." Solution: Implement location-based Conditional Access policies.
- Scenario: "Finance staff access from various locations." Solution: Implement MFA for sensitive application access.
Defender Product Distinctions
The Defender suite includes many products with overlapping names. Master which product addresses specific threats:
- Detecting malware in email attachments? Defender for Office 365 Safe Attachments
- Protecting virtual machines? Defender for Cloud or Defender for Endpoint
- Detecting lateral movement attacks? Defender for Identity
- Protecting cloud applications? Defender for Cloud Apps
Compliance Standards and Regulations
Understand compliance concepts without memorizing regulations:
- GDPR (General Data Protection Regulation): Protects personal data of EU residents
- HIPAA (Health Insurance Portability and Accountability Act): Protects health information
- PCI-DSS (Payment Card Industry Data Security Standard): Protects payment card data
- SOX (Sarbanes-Oxley): Ensures financial record accuracy
Know which Purview features address specific compliance needs.
Study Resources and Preparation Strategy
Microsoft Learn SC-900 Path
Microsoft provides a free official SC-900 learning path covering all exam domains. This self-paced learning includes:
- Video explanations of security concepts
- Interactive knowledge checks validating understanding
- Hands-on labs (limited in SC-900) exploring Azure services
- Downloadable study guides for offline review
Access the path at Microsoft Learn's official site under "Security, Compliance, and Identity Fundamentals."
AzurePrep Practice Tests
Beyond official resources, practice tests are essential. AzurePrep offers 15,000+ free Azure practice questions across 35 certifications, including comprehensive SC-900 coverage. Using AzurePrep's SC-900 practice tests provides:
- Questions reflecting actual exam format and difficulty
- Detailed explanations for correct and incorrect answers
- Performance analytics identifying weak areas
- Multiple practice sets preventing memorization of specific questions
AzurePrep practice tests simulate real exam conditions, building confidence and identifying gaps before the actual exam. Many users find that combining Microsoft Learn with AzurePrep practice questions is the most effective study approach.
Recommended Study Schedule
For someone with basic IT knowledge:
- Week 1: Complete Microsoft Learn SC-900 path (15-20 hours)
- Week 2: Review complex domains (Entra ID and Defender products)
- Week 3: Complete 2-3 full-length AzurePrep practice tests
- Week 4: Review weak areas and take final practice tests
- Exam day: Take the official SC-900 exam
For someone with security background:
- Week 1: Skim Microsoft Learn for unfamiliar Microsoft-specific concepts
- Week 2: Complete AzurePrep practice tests identifying gaps
- Week 3: Deep-dive on weak areas using Microsoft Learn
- Exam day: Take the official SC-900 exam
Total preparation typically requires 20-30 hours for most candidates.
Supplementary Resources
Beyond Microsoft Learn and AzurePrep:
- YouTube channels covering SC-900 concepts with visual explanations
- Microsoft security documentation for deeper dives on specific topics
- Official exam guide from Microsoft describing domains and objectives
- Study groups and forums discussing difficult concepts
Common Exam Gotchas and Mistakes
Zero Trust Misunderstandings
Many candidates misunderstand Zero Trust, thinking it means denying all access. Actually, Zero Trust requires:
- Verification (not denial) of every request
- Least privilege (minimum necessary access, not no access)
- Continuous monitoring (not just initial verification)
Questions testing Zero Trust often present scenarios where the correct answer involves verification and monitoring, not access denial.
Shared Responsibility Confusion
Candidates frequently overestimate Microsoft's security responsibilities in SaaS scenarios. Remember:
- In Microsoft 365 (SaaS), customers still control user access, data, and devices
- Microsoft handles underlying infrastructure and platform security
- Customers bear responsibility for enabling security features like MFA
Product Feature Attribution
Confusing which Defender product has specific capabilities causes mistakes:
- Safe Attachments (Office 365) not Endpoint
- Attack surface reduction (Endpoint) not Cloud
- Behavioral threat detection (Endpoint) not Identity
Review product-specific capabilities before your exam.
Compliance Solutions Confusion
Mixing up Purview features causes errors:
- Compliance Manager shows compliance status and gaps
- DLP prevents data loss
- Information protection labels and protects data
- eDiscovery finds and preserves data for legal matters
Each tool addresses specific compliance needs.
Conditional Access Limitations
Candidates sometimes overestimate Conditional Access scope. It applies to cloud applications but has limitations:
- Cannot enforce policies on legacy on-premises applications
- Requires properly configured Entra ID tenant
- Device compliance checks require Intune enrollment for personal devices
Understand Conditional Access boundaries in your answer selection.
Final Preparation Tips
Practice Under Exam Conditions
Use AzurePrep practice tests in exam mode: timed, with no review until completion. This builds stamina and decision-making speed.
Focus on Scenario Questions
SC-900 questions often present business scenarios requiring solution selection. Practice identifying the best solution among similar options.
Understand the "Why"
Don't memorize facts. Understand why specific solutions address particular challenges. This reasoning helps with unfamiliar question variations.
Review Weak Areas Early
Identify topics causing difficulties through practice tests. Address these gaps well before the exam rather than last-minute cramming.
Take Care of Basics
- Get adequate sleep the week before
- Eat well the day of the exam
- Arrive early to reduce stress
- Read questions carefully before answering
The SC-900 certification validates foundational security knowledge valuable across IT careers.