How to pass Microsoft Cybersecurity Architect (SC-100)
The Microsoft Cybersecurity Architect (SC-100) tests one capability above product recall: designing an end-to-end security strategy that holds up across Microsoft, hybrid, and multicloud estates. Microsoft hands you a business scenario with constraints on resilience, identity, compliance, infrastructure, or data, then asks which design meets every stated requirement. The difficulty is rarely knowing what a product does. It is choosing the design that satisfies all the constraints at the architectural level when two or three options look plausible and only one is the Microsoft-recommended fit.
It suits experienced security professionals who already operate in the Microsoft ecosystem: security engineers, identity specialists, and cloud architects moving up into a strategy role. The exam draws across four weighted domains, with security operations, identity, and compliance carrying the most marks, infrastructure security close behind, and best practices and application and data security sharing the rest. SC-100 is an expert-level exam and Microsoft expects prior hands-on depth, typically demonstrated by holding an associate certification such as SC-200, SC-300, or AZ-500 before attempting it.
The exam rewards design judgement, not feature memorisation. Most questions are scenarios where several Microsoft capabilities are technically capable and only one is the best architectural fit once you weigh what was actually asked: ransomware resilience that survives a compromised admin, near-real-time revocation, preventive separation of duties, or agentless onboarding of a whole site. Case studies stack several of these decisions on one organisation. The skill being tested is reasoning to the right design under that pressure, which is why practising on scenario questions with a worked explanation, and a reason every wrong option is wrong, beats reading service overviews.
SC-100 is a design-the-strategy exam: almost every question is a scenario with resilience, identity, compliance, infrastructure, or data constraints, and the right answer is the Microsoft capability or reference-architecture pattern that satisfies all of them at the architectural level with the least standing risk.
Difficulty: Advanced
Best for: Experienced Microsoft security practitioners stepping into a strategy role: security engineers, identity and access specialists, SOC and compliance leads, and cloud and infrastructure architects who must design Zero Trust strategy, security operations, and protection for identity, infrastructure, applications, and data across hybrid and multicloud environments.
Prerequisites: None enforced, but this is an expert-level exam and Microsoft assumes advanced experience across identity, access, platform protection, security operations, and data and application security. Most candidates hold an associate certification first, such as SC-200, SC-300, or AZ-500, and bring real design exposure to Microsoft Entra, Microsoft Defender, Microsoft Purview, and Azure security controls.
Questions: typically 40 to 60
Time allowed: 120 min
Pass mark: 700 / 1000
Exam cost (USD): $165
Practice questions in this bank: 306
How this exam thinks
One habit decides this exam: read the scenario for its constraint, then choose the design that meets it the way Microsoft would. Almost every question is a business situation with a stated requirement on resilience, identity, compliance, infrastructure, or data, and the answer is the capability or reference pattern that fits that requirement. Several options usually work in isolation. Only one is the best architectural fit once you weigh what the scenario actually demands.
The default tie-breaker is the design that removes standing risk and enforces controls at the platform level, aligned to the Microsoft reference architectures. SC-100 frames everything through Zero Trust: assume breach, verify explicitly, and grant least privilege. So when two answers both work, the one that holds even after a privileged identity is compromised usually wins. Immutable backups beat a second region copy. Continuous access evaluation beats a shorter token lifetime. A preventive separation-of-duties rule beats a manual approver who might notice. Group managed service accounts beat a manually rotated shared password. The pattern is the same each time: choose the control that the attacker cannot defeat with the access they already hold.
The rest is a set of discriminations the exam leans on, each driven by the constraint. For best practices, map the requirement to the right framework: MCRA and MCSB for reference patterns, the Cloud Adoption Framework and Well-Architected Framework for operating-model and pillar decisions, and the Rapid Modernization Plan when the scenario asks where to start. For operations and identity, distinguish posture from runtime, prevention from detection, and grant-time enforcement from after-the-fact review. For infrastructure, match the protection to the surface: posture management versus workload protection, the right Defender plan for endpoints, servers, IoT, or shipped embedded devices, and Security Service Edge for agentless network onboarding. For applications and data, place the control at the correct layer and lifecycle stage: threat modelling at design, presentation-layer masking versus encryption at rest, least-privilege scoping over rotation, and app protection without enrolment. Name the constraint, then choose the design Microsoft built for it.
What each domain tests and how to study it
The SC-100 blueprint is split across 4 domains. Weights are the official share of the exam; see the official exam guide for the authoritative breakdown.
Domain 1: Design solutions that align with security best practices and priorities
What you must be able to do. Given a scenario about resilience, framework alignment, or where to begin, choose the design that matches the Microsoft reference architecture, benchmark, or adoption framework the requirement points to, and that survives a fully compromised privileged identity.
In one sentence: the strategy domain covers aligning designs to MCRA, MCSB, CAF, and WAF, sequencing work with the Rapid Modernization Plan, and building ransomware resilience that holds even when an admin is compromised.
Recall check: answer these from memory first
A ransomware operator already holds Global Administrator and intends to delete every backup before detonating. Which single backup design property defeats this, and why does cross-region replication not?
Which Microsoft framework answers each: reference architecture diagrams and capability mapping, a prescriptive control baseline, the cloud operating model and landing zones, and the security pillar with its trade-offs?
The Rapid Modernization Plan sequences which workstream first, and why does Microsoft place it ahead of network segmentation and endpoint onboarding?
What it tests. Designing a security strategy from Microsoft's own best-practice guidance rather than ad hoc preference. Building a resiliency strategy for ransomware and other attacks, where backups and the identity foundation must survive an attacker who already holds privileged rights; aligning designs to the Microsoft Cybersecurity Reference Architectures (MCRA) and the Microsoft cloud security benchmark (MCSB) for reference patterns and control baselines; aligning to the Cloud Adoption Framework for Azure (CAF) for landing zones, governance, and DevSecOps, and to the Azure Well-Architected Framework (WAF) for the security pillar and trade-offs; and sequencing the highest-leverage work with the Rapid Modernization Plan, which leads with privileged access and identity.
How to study it. Make assume-breach your reflex, because the resilience questions are decided by it. When a scenario names a compromised Global Administrator or a ransomware operator targeting backups, the answer is the control the attacker cannot defeat with the access they hold: immutable, time-locked backup storage, and a dedicated isolated recovery path for the directory itself. Learn what each framework is for so you map the requirement to the right one: MCRA for reference architecture diagrams and capability mapping, MCSB for prescriptive control baselines, CAF for the operating model, landing zones, and shift-left DevSecOps such as policy-as-code in the pipeline, and WAF for the security pillar and its trade-offs against cost and operations. Fix the Rapid Modernization Plan ordering: it sequences privileged access and identity first as the highest-leverage early risk reduction, ahead of network segmentation, data protection, or endpoint onboarding.
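The immutability point above is easiest to see in configuration. The following is an added example, not code from the page or from Microsoft's own guidance, showing the weak design (geo-redundant replication) beside the corrected one (a locked time-based retention policy on a storage container used for backup copies). Resource names, the region and the 30-day period are assumed placeholders; Azure Backup offers the same property as the Immutable vault setting on a Recovery Services vault, and the commented-out cmdlet parameter for that is from memory and should be checked against the Az.RecoveryServices reference before use.

```powershell
# Added example (not from the page): geo-redundancy versus locked immutability.
# Assumed names: resource group rg-backup, account stbackupcontoso, container vm-backups.
$rg        = 'rg-backup'
$account   = 'stbackupcontoso'
$container = 'vm-backups'

# WEAK: Standard_GRS copies every write to the paired region, but an attacker who
# holds Owner/Contributor can still delete the container and both copies go with it.
New-AzStorageAccount -ResourceGroupName $rg -Name $account -Location 'westeurope' `
    -SkuName Standard_GRS -Kind StorageV2 -AllowBlobPublicAccess $false
$ctx = (Get-AzStorageAccount -ResourceGroupName $rg -Name $account).Context
New-AzStorageContainer -Name $container -Context $ctx -Permission Off

# CORRECTED: time-based retention (WORM). Set the policy, then LOCK it.
# Once locked, no role can remove the policy or shorten the period; it can only be
# extended, so restore points inside the window cannot be deleted by a compromised admin.
$policy = Set-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container -ImmutabilityPeriod 30
Lock-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container -Etag $policy.Etag -Force

# Verify: State should read 'Locked'.
(Get-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container).State

# Recovery Services vault equivalent (Immutable vault). Parameter name from memory,
# verify against the Az.RecoveryServices docs before relying on it:
# Update-AzRecoveryServicesVault -ResourceGroupName $rg -Name 'rsv-backup' -ImmutabilityState Locked
```

Note the ordering: an unlocked policy is still editable by anyone with the right RBAC, so it is the Lock step that delivers the property the exam is asking for, and it is irreversible by design.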
Easy to confuse
Immutable time-locked backups versus cross-region replication. Immutability with a retention lock makes restore points undeletable by any role, including a compromised Global Administrator, which is the ransomware threat; cross-region replication only survives a regional outage and still lets a privileged attacker delete both copies. Resilience against a compromised admin needs immutability, not geographic redundancy.
MCRA versus MCSB. The Microsoft Cybersecurity Reference Architectures are diagram-led reference patterns that map capabilities across the estate; the Microsoft cloud security benchmark is a prescriptive set of control recommendations measured in Defender for Cloud. Reach for MCRA when the scenario asks how the pieces fit together, MCSB when it asks which controls to enforce and measure.
Cloud Adoption Framework versus Well-Architected Framework. CAF guides the cloud operating model, landing zones, governance, and adoption lifecycle including DevSecOps; WAF evaluates a workload against five pillars and the security-versus-cost-and-operations trade-offs within it. CAF for how the organisation adopts and governs the cloud, WAF for how a specific workload is engineered.
Worked example from the SC-100 bank
Free sample. Domain: Design Solutions that Align with Security Best Practices and Priorities. Difficulty: hard.
A government agency wants its ransomware recovery design to guarantee that, after an attack, it can restore not just files but a trustworthy version of its core identity foundation, so it can re-establish authentication and authorisation before applications come back. A review finds the agency backs up application data and virtual machines but has no separate, validated recovery path for the directory that everything else depends on. Which design addition most directly closes this gap?
A. Establish a dedicated, isolated recovery path for the identity foundation with secured backups of directory state, so a trustworthy directory can be rebuilt before applications are restored. (Correct)
B. Add application-consistent snapshots of every virtual machine more frequently so that the servers hosting the directory can be rolled back quickly alongside the rest of the estate.
C. Replicate the directory to a warm standby in a second region so that if the primary is encrypted the agency can fail authentication over to the continuously synchronised copy.
D. Tighten Conditional Access on all directory administrator accounts so that a compromised admin cannot make the changes that would damage the directory during an attack.
Applications cannot return until authentication and authorisation are trustworthy, so the identity foundation needs its own validated recovery path rather than ordinary machine backups or live replication that may carry the compromise forward. A dedicated, isolated recovery path with secured directory-state backups lets the agency rebuild a clean directory first, which frequent snapshots, warm standbys, or tighter admin access cannot guarantee.
Why A is correct: A dedicated isolated recovery path with secured backups of the directory lets the agency rebuild a trustworthy identity foundation first, which is the prerequisite for restoring authentication and authorisation before applications, exactly as the requirement states.
Why B is wrong: More frequent machine snapshots speed server rollback and seem to cover the directory hosts, but restoring infected or tampered directory state from ordinary snapshots can reintroduce the compromise, so it does not provide the validated trustworthy directory recovery required.
Why C is wrong: A synchronised standby aids availability and is tempting for fast failover, but live replication faithfully copies a compromised or encrypted directory to the standby, so the agency fails over into the same tainted state rather than a trustworthy one.
Why D is wrong: Hardening admin access reduces the chance of directory damage and is worthwhile, but it is a preventive control that provides no recovery path, so once the directory is destroyed the agency still has no validated way to rebuild it.
Domain 2: Design security operations, identity, and compliance capabilities
What you must be able to do. Given a scenario about detection and response, identity and access, privileged access, or regulatory compliance, choose the design that enforces the requirement at grant time or in near real time and produces auditable accountability, using the right Microsoft operations, identity, and Purview capability.
In one sentence: the largest domain covers designing security operations, identity and access governance, privileged access, and compliance so enforcement is preventive and near real time rather than detective and after the fact.
Recall check: answer these from memory first
A revoked or risky user must lose access mid-session within minutes on Exchange and SharePoint Online. Which capability enforces this, and why do shorter token lifetimes and sign-in frequency fall short?
Which design prevents a user from ever holding two incompatible privileged roles at once, and why is recurring access review or manager approval not preventive?
An auditor needs control implementation, named owners, and stored evidence for a standard with no built-in template. Which Microsoft tool manages this, and why not Azure Policy or Defender for Cloud?
What it tests. Designing the operations, identity, and compliance backbone. Security operations across detection, response, logging, SOAR, and threat-detection coverage with Microsoft Sentinel and the Microsoft Defender XDR suite; identity and access management across SaaS, PaaS, IaaS, hybrid, and multicloud with Microsoft Entra ID, including near-real-time enforcement such as continuous access evaluation and risk-based Conditional Access; privileged access using the enterprise access model, with Privileged Identity Management for just-in-time activation and entitlement management for access packages and separation of duties; service-account hardening such as group managed service accounts in Active Directory Domain Services; and translating regulatory requirements into security controls with Microsoft Purview Compliance Manager assessments, ownership, and evidence.
How to study it. Drill three distinctions the domain returns to again and again. First, near-real-time enforcement versus fixed timers: continuous access evaluation pushes revocation and critical events to supporting services in minutes, which a shorter token lifetime or tighter sign-in frequency cannot match because they only act at the next interval. Second, preventive versus detective governance: an entitlement management separation-of-duties rule blocks a request for an incompatible access package at grant time, whereas manager approval, recurring access reviews, or just-in-time activation only catch or limit the toxic combination after the fact. Third, the right home for control management: a custom Microsoft Purview Compliance Manager assessment decomposes an arbitrary standard into improvement actions with owners and evidence, which resource-scoped tools like Azure Policy or Defender for Cloud cannot. For service accounts, fix group managed service accounts as the design that lets Active Directory generate, rotate, and scope passwords so no administrator ever knows them.
Easy to confuse
Continuous access evaluation versus shorter token lifetime or sign-in frequency. Continuous access evaluation has Microsoft Entra ID push critical events such as account disablement, password change, and elevated risk to supporting services, which reject an already issued token within minutes; a shorter token lifetime or sign-in frequency only re-checks at the next fixed interval, leaving a window open. Near-real-time revocation needs CAE, not a tighter timer.
Entitlement management separation of duties versus access reviews. An entitlement management separation-of-duties rule blocks the request for an incompatible access package at grant time, so the toxic combination never forms; recurring access reviews only detect and remove an accumulated conflict later, after the risk has existed. Preventive enforcement needs the grant-time rule, detective cleanup is too late.
Group managed service accounts versus manual password rotation or Local System. Group managed service accounts let Active Directory generate, rotate, and scope a long random password to authorised hosts so no administrator ever knows or stores it; manual rotation still leaves an admin-known shared secret, and moving to Local System changes the security context rather than solving credential management. Eliminating the admin-known shared password needs gMSAs.
Compliance Manager assessment versus Azure Policy or Defender for Cloud. A Microsoft Purview Compliance Manager assessment tracks control implementation, assigns improvement actions to owners, and stores audit evidence for any standard, including custom ones; Azure Policy and Defender for Cloud measure resource configuration against technical baselines but do not manage ownership and evidence for an arbitrary regulatory standard. Auditable control accountability lives in Compliance Manager.
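The group managed service account point from the study notes and the gMSA comparison above, as an added example that is not from the page or from Microsoft's documentation. It shows the weak state (a classic account whose password a human chose) next to the gMSA replacement, and it assumes a domain-joined admin host with RSAT, the domain corp.contoso.com, a host group named AppServers, member servers APP01 and APP02, and a Windows service named AppService; all of those names are placeholders.

```powershell
# Added example (not from the page): admin-known service password versus a gMSA.
# Assumed names: domain corp.contoso.com, group AppServers, gMSA svc-app, service AppService.

# WEAK: a classic service account. The same secret is typed into every host's service
# configuration, must be rotated by hand, and stays recoverable by everyone who knew it.
$weakPassword = Read-Host -AsSecureString 'Password for svc-app-old'
New-ADUser -Name 'svc-app-old' -SamAccountName 'svc-app-old' -AccountPassword $weakPassword `
    -PasswordNeverExpires $true -Enabled $true

# CORRECTED: gMSA. The KDS root key is a one-time forest prerequisite
# (-EffectiveImmediately still needs roughly 10 hours of replication in a multi-DC forest).
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Only members of this group may retrieve the managed password: that is the scoping.
New-ADGroup -Name 'AppServers' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'AppServers' -Members 'APP01$', 'APP02$'

# AD generates a 240-byte random password that no human ever sees and rotates it on
# the interval below (30 days is the default).
New-ADServiceAccount -Name 'svc-app' -DNSHostName 'svc-app.corp.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'AppServers' `
    -ManagedPasswordIntervalInDays 30 -KerberosEncryptionType AES256

# On each host, after a reboot so its new group membership is in its token:
Install-ADServiceAccount -Identity 'svc-app'
Test-ADServiceAccount -Identity 'svc-app'   # True once the host can retrieve the password

# Point the service at the gMSA. The password is blank on purpose: the host fetches it
# from Active Directory itself, so no operator ever types or stores it.
sc.exe config 'AppService' obj= 'CORP\svc-app$' password= ''
```

The exam discriminator lives in the PrincipalsAllowedToRetrieveManagedPassword parameter: it is what turns "a password Active Directory rotates" into "a password only the authorised hosts can read", which is the property neither manual rotation nor Local System provides.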
Worked example from the SC-100 bank
Free sample. Domain: Design Security Operations, Identity, and Compliance Capabilities. Difficulty: hard.
A bank's separation-of-duties policy states that no single person may simultaneously hold both the role that approves payment batches and the role that releases funds, because together they enable undetected fraud. The architect is designing how staff request these privileged roles and must ensure the access governance design itself blocks anyone from obtaining the second role while they hold the first. Which design best enforces this incompatible-access rule?
A. Require manager approval on each role request so an approver can manually notice when a requester already holds the conflicting role and decline the request.
B. Place both roles under Privileged Identity Management so each must be activated just in time, limiting how long either role is held at once.
C. Run recurring access reviews across both roles so reviewers can detect and remove anyone who has accumulated the conflicting combination over time.
D. Define both roles as Microsoft Entra entitlement management access packages with a separation-of-duties rule that prevents requesting one package while assigned the incompatible package. (Correct)
Use entitlement management separation-of-duties rules between access packages to prevent a user from obtaining incompatible privileged roles. Separation of duties is enforced preventively when the access governance layer encodes which entitlements are mutually exclusive; entitlement management separation-of-duties rules block a request for one access package while the requester holds the incompatible package, stopping the toxic combination at grant time.
Why A is wrong: It is tempting because approval adds a human gate, but it is wrong because it depends on an approver remembering and checking conflicts, which is error-prone and does not systematically enforce the incompatible-access rule.
Why B is wrong: It is tempting because PIM limits standing time, but it is wrong because a user could still activate both eligible roles simultaneously, since PIM does not encode mutual exclusivity between incompatible roles.
Why C is wrong: It is tempting because reviews catch accumulated access, but it is wrong because detection happens only at review intervals after the conflict exists, rather than preventing the incompatible combination from being granted in the first place.
Why D is correct: It is correct because entitlement management supports separation-of-duties constraints between access packages, automatically blocking a request for one package while the requester holds the incompatible one, enforcing the rule at request time.
Domain 3: Design security solutions for infrastructure
What you must be able to do. Given a scenario about posture, endpoints, workloads, or network edge across hybrid and multicloud, choose the design that matches protection to the exact surface, distinguishing configuration posture from runtime detection and selecting the right Defender plan or Security Service Edge pattern.
In one sentence: the infrastructure domain covers posture management across hybrid and multicloud, the correct Defender workload plan for each surface from endpoints to shipped IoT, and Security Service Edge for agentless network onboarding.
Recall check: answer these from memory first
Defender for Cloud already gives posture recommendations, but crypto-mining and a suspicious shell ran undetected on the servers. Which addition gives runtime detection, and why does raising Secure Score not?
Match the Defender design to the surface: a managed laptop, an Arc-enabled server, a network of devices you only monitor, and a wearable you manufacture and ship into the field.
A branch with agentless point-of-sale terminals must route its traffic through the cloud secure web gateway by egress. Which Global Secure Access design fits, and why not a per-device VPN or agent?
What it tests. Matching infrastructure protection to the surface it must defend. Posture management across hybrid and multicloud with Microsoft Defender for Cloud, Secure Score, the Microsoft cloud security benchmark, and multicloud connectors; securing server and client endpoints across platforms, mobile, IoT, and operational technology, including Windows LAPS for local administrator password rotation and Microsoft Defender for Endpoint; securing SaaS, PaaS, and IaaS including containers and workloads, with the Defender for Cloud workload protection plans such as Defender for Servers for runtime threat detection; protecting devices an organisation builds and ships with the Defender for IoT device builder micro-agent; and evaluating network security and Security Service Edge with Global Secure Access, Microsoft Entra Internet Access, and Microsoft Entra Private Access.
How to study it. Lock two splits that decide most of this domain. First, posture versus runtime: posture management scores how resources are configured, but it cannot see malicious behaviour executing, so when a scenario names crypto-mining or a suspicious shell running on servers, the answer is the Defender for Servers workload protection plan, not a higher Secure Score target. Second, match the Defender plan to the surface: Defender for Endpoint for managed endpoints, Defender for Servers for server workloads, passive Defender for IoT network sensors for monitoring a network you control, and the Defender for IoT device builder micro-agent for embedded firmware on devices you manufacture and ship. For endpoint hardening, fix Windows LAPS as the answer to identical shared local administrator passwords. For network edge, learn that Global Secure Access remote networks build an IPsec tunnel from a site router to the Microsoft Entra Internet Access edge, onboarding a whole site by its egress so agentless devices are covered without per-device software.
Easy to confuse
Cloud security posture management versus Defender for Servers workload protection. Posture management and Secure Score assess how resources are configured and recommend hardening, but they cannot detect behaviour at runtime; the Defender for Servers plan adds behavioural threat detection that alerts on activity such as crypto-mining and suspicious shells executing on the machine. Detecting active threats needs the workload plan, not a stronger configuration baseline.
Defender for IoT device builder micro-agent versus Defender for Endpoint or network sensors. The Defender for IoT device builder micro-agent is compiled into constrained embedded firmware so a shipped device reports tampering and anomalies from itself wherever it operates; Defender for Endpoint needs a full endpoint sensor the device cannot run, and passive network sensors only watch a segment you control. Protecting devices you build and ship needs the micro-agent.
Global Secure Access remote networks versus per-device VPN or agent. Global Secure Access remote networks onboard a whole site by building an IPsec tunnel from the branch router to the Microsoft Entra Internet Access edge and applying traffic forwarding profiles, covering agentless devices by egress; a per-device VPN profile or Global Secure Access client requires software on each device the point-of-sale terminals and printers cannot run. Agentless whole-site onboarding needs remote networks.
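The Windows LAPS answer to identical shared local administrator passwords, from the study notes above, as an added example that is not from the page or from Microsoft's documentation. It assumes a Domain Admin session on a host with the LAPS PowerShell module (Windows Server 2022 or Windows 11 with the April 2023 update or later), a workstation OU and a helpdesk group whose names are placeholders, and that client policy is normally delivered by Group Policy or Intune; the registry values written here are the ones that policy sets, so the example can be read against either delivery method.

```powershell
# Added example (not from the page): Windows LAPS in place of one shared local admin password.
# Assumed names: OU=Workstations,DC=corp,DC=contoso,DC=com, group CORP\Helpdesk, machine WS01.
$ou = 'OU=Workstations,DC=corp,DC=contoso,DC=com'

# One-time: add the msLAPS-* attributes to the schema.
Update-LapsADSchema

# Each computer in the OU may write ONLY its own password and expiry attributes.
Set-LapsADComputerSelfPermission -Identity $ou

# Only the helpdesk gets the extended right to read passwords for this OU.
Set-LapsADReadPasswordPermission -Identity $ou -AllowedPrincipals 'CORP\Helpdesk'

# Client policy. BackupDirectory 2 = store in Active Directory; rotate every 30 days;
# 20-character password; reset it 24 hours after anyone authenticates with it and
# log that session off (PostAuthenticationActions 3 = reset password and log off).
$lapsPolicy = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
New-Item -Path $lapsPolicy -Force | Out-Null
Set-ItemProperty -Path $lapsPolicy -Name BackupDirectory -Value 2 -Type DWord
Set-ItemProperty -Path $lapsPolicy -Name PasswordAgeDays -Value 30 -Type DWord
Set-ItemProperty -Path $lapsPolicy -Name PasswordLength -Value 20 -Type DWord
Set-ItemProperty -Path $lapsPolicy -Name PostAuthenticationResetDelay -Value 24 -Type DWord
Set-ItemProperty -Path $lapsPolicy -Name PostAuthenticationActions -Value 3 -Type DWord
Invoke-LapsPolicyProcessing   # apply now rather than waiting for the next policy cycle

# When a technician needs WS01's password: read it (the read is auditable in AD),
# then expire it so the machine rotates it after use.
Get-LapsADPassword -Identity 'WS01' -AsPlainText
Set-LapsADPasswordExpirationTime -Identity 'WS01'
```

The two permission cmdlets are the design decision: self-write for computers and read for a named group means that compromising one workstation's local administrator yields one password, not the fleet's, which is exactly why the exam prefers LAPS over any scheme that still shares a secret.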
Worked example from the SC-100 bank
Free sample. Domain: Design Security Solutions for Infrastructure. Difficulty: hard.
A retailer is bringing several branch sites under its Security Service Edge. The branches host point-of-sale terminals and printers that cannot run a client agent, and the design must still route those sites' internet and software-as-a-service traffic through the organisation's cloud edge so the same secure web gateway and tenant controls apply. The architect wants to onboard each site by its egress rather than by installing software on every device. Which design approach meets this requirement?
A. Deploy the Global Secure Access client to a single gateway server at each branch and configure the branch network to route all device traffic through that one machine so the agent forwards it to the edge.
B. Provision an ExpressRoute circuit from each branch to an Azure hub virtual network and route the branches' internet-bound traffic through an Azure Firewall in the hub for inspection and filtering.
C. Set up a point-to-site VPN profile pushed to each terminal so that the devices dial into a VPN gateway, after which their internet traffic is forced through the corporate egress for filtering.
D. Configure remote networks in Global Secure Access and establish an IPsec tunnel from each branch's edge router to the Microsoft Entra Internet Access edge, applying traffic forwarding profiles to the whole site. (Correct)
Onboard whole sites to Microsoft Entra Internet Access with Global Secure Access remote networks over IPsec, covering agentless devices. Global Secure Access supports remote networks, where a branch router builds an IPsec tunnel to the Microsoft Entra Internet Access edge and traffic forwarding profiles govern the site's flows. This covers devices that cannot run the client, applying the secure web gateway and tenant controls by egress rather than per device, which agent-on-a-server, ExpressRoute and point-to-site VPN designs cannot do.
Why A is wrong: Funnelling a branch through one client-hosting server seems to avoid per-device installs, but the Global Secure Access client is a per-user endpoint agent and is not designed to act as a site router for unattended terminals, so this is an unsupported and fragile way to onboard the site.
Why B is wrong: ExpressRoute with hub Azure Firewall inspects branch traffic and is a valid network design, but it is private connectivity into Azure rather than onboarding to the identity-aware Security Service Edge, so it does not bring the sites under the same secure web gateway and tenant-restriction policy plane the requirement names.
Why C is wrong: Point-to-site VPN forces traffic through a corporate egress and appears to centralise filtering, but it requires a VPN client and profile on every terminal, which the requirement explicitly rules out, and it does not deliver the cloud-edge secure web gateway model.
Why D is correct: Remote networks in Global Secure Access connect a site to the Microsoft Entra Internet Access edge over an IPsec tunnel from the branch router, so every device behind it is covered by the secure web gateway and tenant controls without any agent on the terminals, which is exactly the egress-based onboarding required.
Domain 4: Design security solutions for applications and data
What you must be able to do. Given a scenario about Microsoft 365 collaboration, the application lifecycle and workload identities, or data classification and protection, choose the design that places the control at the correct layer and lifecycle stage, scoping least privilege and protecting data without breaking the stated business need.
In one sentence: the application and data domain covers securing Microsoft 365 workloads, applying lifecycle practices such as design-phase threat modelling and least-privilege workload identities, and protecting data with the right layer of masking, encryption, and app-level controls.
Recall check: answer these from memory first
Design-level flaws such as missing authorisation boundaries must be found before any code is written. Which practice surfaces them, and why can static testing, dynamic testing, or a penetration test not?
Analysts must see obscured salary and account values in query results without changing stored data or app logic. Which data control fits, and why not Transparent Data Encryption or row-level security?
A pipeline service principal holds Owner over the whole subscription but only deploys to one resource group. Which change most directly shrinks the blast radius, and why not Key Vault or secret rotation?
What it tests. Placing application and data controls at the right layer and stage. Securing Microsoft 365 productivity and collaboration workloads, including protecting corporate data on unmanaged mobile devices with Microsoft Intune app protection policies; securing applications across the full lifecycle, with threat modelling at the design phase ahead of code, secure pipeline practices, and least-privilege workload identities scoped to the resource and permissions they need; and securing data through classification, encryption, and database protection, including dynamic data masking at the presentation layer, encryption at rest and in transit, and Microsoft Purview information protection and data loss prevention.
How to study it. Train yourself to ask which layer and which lifecycle stage the requirement names, because that is what separates the right answer from the plausible ones. For the lifecycle, threat modelling is the design-phase practice that surfaces authorisation and trust-boundary flaws before code exists, unlike static or dynamic testing and penetration tests that need built or running software. For data, distinguish the layers: dynamic data masking obscures sensitive column values in query results for limited-privilege users without changing stored data or application logic, which encryption at rest and row-level security do not do; choose encryption when the stored value itself must be protected. For workload identities, least privilege is scoping the role assignment to the smallest resource scope and permissions, which shrinks the blast radius of a compromise, whereas network conditions, secret vaulting, or rotation only limit where or how long a credential works. For unmanaged mobile, Intune app protection policies enforce a work PIN, block data transfer to personal apps, and selectively wipe corporate data without enrolling the device.
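The dynamic data masking layer described above, as an added example that is not from the page or from Microsoft's documentation. It drives T-SQL through Invoke-Sqlcmd from the SqlServer PowerShell module and assumes an Azure SQL or SQL Server database you can already authenticate to, a database user named analyst that has not been granted UNMASK, and a sample table constructed here purely for illustration; the server and database names are placeholders.

```powershell
# Added example (not from the page): dynamic data masking versus encryption at rest.
# Assumed: server sql-hr.database.windows.net, database hrdb, db user 'analyst'.
$conn = @{ ServerInstance = 'sql-hr.database.windows.net'; Database = 'hrdb' }

# Sample table and row, constructed for the example.
Invoke-Sqlcmd @conn -Query @"
CREATE TABLE dbo.Employee (
    Id        INT IDENTITY PRIMARY KEY,
    Email     NVARCHAR(100),
    Salary    MONEY,
    AccountNo CHAR(12)
);
INSERT dbo.Employee (Email, Salary, AccountNo)
VALUES ('a.ng@contoso.com', 98000, 'GB1234567890');
"@

# Masks live on the column definition: the stored bytes are untouched, the application
# keeps issuing the same SELECT, and only the result set changes for unprivileged readers.
Invoke-Sqlcmd @conn -Query @"
ALTER TABLE dbo.Employee ALTER COLUMN Email     ADD MASKED WITH (FUNCTION = 'email()');
ALTER TABLE dbo.Employee ALTER COLUMN Salary    ADD MASKED WITH (FUNCTION = 'default()');
ALTER TABLE dbo.Employee ALTER COLUMN AccountNo ADD MASKED WITH (FUNCTION = 'partial(2,"XXXXXXXX",2)');
GRANT SELECT ON dbo.Employee TO analyst;   -- SELECT without UNMASK: analyst sees masked values
"@

# As the analyst the row comes back as aXXX@XXXX.com, 0.00 and GBXXXXXXXX90.
# A db_owner member, or anyone granted UNMASK, gets the real values from the same query.
Invoke-Sqlcmd @conn -Query @"
EXECUTE AS USER = 'analyst';
SELECT Email, Salary, AccountNo FROM dbo.Employee;
REVERT;
"@

# Which columns are masked, as proof that this is metadata, not a rewrite of the data.
Invoke-Sqlcmd @conn -Query "SELECT name, masking_function FROM sys.masked_columns WHERE is_masked = 1;"
```

One caveat the exam does not always spell out: masking is a presentation control, not a security boundary. A user with SELECT can still infer a masked value with predicates such as WHERE Salary > 90000, so when the stored value itself must be protected from that user, the answer moves to Always Encrypted or to not granting SELECT on the column at all.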
Easy to confuse
Threat modelling versus static or dynamic application security testing. Threat modelling reasons about data flows and trust boundaries during the design phase to find architectural and authorisation flaws before code exists; static testing needs committed source and dynamic testing needs a running build, so both act after implementation. Catching design-level flaws before code needs threat modelling.
Dynamic data masking versus encryption at rest. Dynamic data masking obscures sensitive column values in query results for non-privileged users at the presentation layer while leaving the stored data and application unchanged; Transparent Data Encryption protects the stored value at rest and Always Encrypted keeps it encrypted even from the database engine, but neither selectively obscures results for some readers. Showing masked values to limited-privilege analysts needs dynamic data masking. One caveat to carry into the design: masking is a presentation control, not an access control, so a user with ad hoc query rights can still confirm a masked value by filtering on it; where the stored value itself must be protected, that still needs encryption and scoped permissions.
Scoping a workload identity versus vaulting or rotating its secret. Scoping the role assignment to the single resource group and the least permissions confines what a compromised identity can do, shrinking the blast radius; storing the secret in Key Vault or rotating it only changes where the credential lives or how long it lasts while leaving its subscription-wide authority intact. Reducing blast radius needs least-privilege scoping.
Intune app protection policies versus device enrolment with MDM. Intune app protection policies apply a work PIN, block data transfer to personal apps, and selectively wipe only corporate data at the managed-app level on unenrolled personal phones; full mobile device management enrolment manages the whole device, which the scenario's bring-your-own users refuse. Protecting corporate data on unmanaged phones needs app protection policies, not enrolment.
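The masking distinction above (presentation layer, stored data untouched), as an added example that is not part of this guide or of Microsoft's documentation: it creates a small constructed table, masks two columns, and shows what a SELECT-only analyst sees before and after UNMASK, plus the inference caveat. It is written as PowerShell sending T-SQL through Invoke-Sqlcmd from the SqlServer module; the server, database, table, column and user names are assumptions, and the access-token lines assume the Az.Accounts module.

```powershell
# Added example: dynamic data masking at the presentation layer, run from PowerShell.
# Requires the SqlServer module (Invoke-Sqlcmd with -AccessToken, v21.1+) and Az.Accounts.
# Server, database, table, column and user names below are hypothetical.

$server   = 'sql-payments.database.windows.net'   # assumed logical server
$database = 'payments'                             # assumed database

# Token for Azure SQL. Newer Az.Accounts versions return a SecureString token; handle both.
$tok   = Get-AzAccessToken -ResourceUrl 'https://database.windows.net/'
$token = if ($tok.Token -is [securestring]) {
    [System.Net.NetworkCredential]::new('', $tok.Token).Password
} else { $tok.Token }

$tsql = @'
-- Constructed sample data: one identifier column and one e-mail column.
CREATE TABLE dbo.Customer (
    CustomerId int           NOT NULL PRIMARY KEY,
    FullName   nvarchar(100) NOT NULL,
    NationalId char(11)      NOT NULL,
    Email      nvarchar(256) NOT NULL
);
INSERT INTO dbo.Customer VALUES
    (1, N'Ada Lovelace',    '123-45-6789', N'ada@example.com'),
    (2, N'Charles Babbage', '987-65-4321', N'charles@example.com');

-- Masking is a column property applied to results; the stored bytes are unchanged.
ALTER TABLE dbo.Customer ALTER COLUMN NationalId
    ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)');
ALTER TABLE dbo.Customer ALTER COLUMN Email
    ADD MASKED WITH (FUNCTION = 'email()');

-- Limited-privilege analyst: SELECT only, no UNMASK permission.
CREATE USER analyst WITHOUT LOGIN;
GRANT SELECT ON dbo.Customer TO analyst;

-- Result set 1: the analyst sees XXX-XX-6789 and aXXX@XXXX.com, not the stored values.
EXECUTE AS USER = 'analyst';
SELECT 'analyst' AS ReadAs, CustomerId, NationalId, Email FROM dbo.Customer;

-- Result set 2, the caveat: a predicate still compares against the real stored value,
-- so a masked reader with ad hoc query rights can confirm a guess row by row.
SELECT 'analyst-inference' AS ReadAs, CustomerId
FROM dbo.Customer WHERE NationalId = '123-45-6789';
REVERT;

-- Result set 3: the same SELECT by a principal holding UNMASK returns clear values.
GRANT UNMASK TO analyst;
EXECUTE AS USER = 'analyst';
SELECT 'analyst-unmask' AS ReadAs, CustomerId, NationalId, Email FROM dbo.Customer;
REVERT;
'@

$rows = Invoke-Sqlcmd -ServerInstance $server -Database $database -AccessToken $token -Query $tsql
$rows | Format-Table -AutoSize
```

Result set 2 is the part to remember for the exam and for real designs: masking changes what a reader is shown, not what the engine compares, so it answers the "limited-privilege analysts" requirement and nothing stronger. If the scenario says the stored value itself must be protected, the answer moves to encryption (Transparent Data Encryption or Always Encrypted) and to tighter permissions, not to a different masking function.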
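The workload-identity scoping point above, as an added example that is not the guide's own material: the weak and the corrected role assignment for a hypothetical payments API's service principal, followed by the check a reviewer would run to find any subscription- or management-group-scoped assignment the identity still holds. It uses the Az.Resources cmdlets (Get-AzADServicePrincipal, New-AzRoleAssignment, Get-AzRoleAssignment, Remove-AzRoleAssignment); the subscription ID, resource group, storage account and service principal names are assumptions, and the role chosen is one data-plane role on one resource, which is tighter than the resource-group scope the text describes.

```powershell
# Added example: least-privilege scoping of a workload identity with Azure RBAC.
# Requires Az.Resources and an authenticated session (Connect-AzAccount).
# Subscription, resource group, storage account and service principal names are hypothetical.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # assumed
$rgName         = 'rg-payments'                              # assumed
$storageAccount = 'stpaymentsprod'                           # assumed
$appObjectId    = (Get-AzADServicePrincipal -DisplayName 'sp-payments-api').Id   # assumed name

# Weak setting (shown commented out): Contributor at the subscription root.
# A stolen credential for this identity can change every resource in the subscription,
# and vaulting or rotating that credential does nothing about that authority.
# New-AzRoleAssignment -ObjectId $appObjectId -RoleDefinitionName 'Contributor' `
#     -Scope "/subscriptions/$subscriptionId"

# Corrected setting: one data-plane role on the single resource the service needs.
$resourceScope = "/subscriptions/$subscriptionId/resourceGroups/$rgName" +
                 "/providers/Microsoft.Storage/storageAccounts/$storageAccount"
New-AzRoleAssignment -ObjectId $appObjectId `
    -RoleDefinitionName 'Storage Blob Data Contributor' `
    -Scope $resourceScope

# Check: every assignment the identity holds at subscription or management-group scope.
# Anything returned is blast radius the scoped assignment has not yet replaced.
$broad = Get-AzRoleAssignment -ObjectId $appObjectId | Where-Object {
    $_.Scope -match '^/subscriptions/[^/]+$' -or
    $_.Scope -like '/providers/Microsoft.Management/managementGroups/*'
}
$broad | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize

# Remove the broad assignments only after the scoped one is confirmed to cover the workload.
foreach ($a in $broad) {
    Remove-AzRoleAssignment -ObjectId $appObjectId `
        -RoleDefinitionName $a.RoleDefinitionName -Scope $a.Scope
}
```

The order matters in practice: add the scoped assignment, verify the service still works, then remove the broad one. Run the check across all service principals periodically; a subscription-scoped Contributor on a workload identity is exactly the finding the exam's blast-radius scenarios are built around.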
Worked example from the SC-100 bank
Free sample. Domain: Design Security Solutions for Applications and Data. Difficulty: hard.
A product team is about to begin building a new customer-facing payments service and asks a security architect when, in the application lifecycle, design-level security flaws such as missing authorisation boundaries and unsafe trust assumptions should be identified. The architect wants the practice that surfaces these flaws before code is written, by reasoning about the system's data flows and trust boundaries. Which practice best meets this requirement?
A. Perform threat modeling during the design phase, enumerating data flows and trust boundaries to identify and rank design weaknesses before any code exists. (Correct)
B. Run dynamic application security testing against a deployed staging build so that exploitable runtime weaknesses are discovered before the service reaches production traffic.
C. Add static application security testing to the build pipeline so that insecure coding patterns are flagged automatically every time a developer commits source.
D. Schedule an external penetration test ahead of launch so that an independent team validates the service's defences against realistic attacker techniques first.
Threat modeling is the design-phase practice that reveals architectural and trust-boundary flaws before code exists, unlike testing that runs against built software. Threat modeling reasons about a system's data flows, trust boundaries, and assets to enumerate how it could be attacked while the design is still on paper. Because it precedes implementation, it catches authorisation, trust, and exposure flaws when they are cheapest to fix, which testing techniques that need running or committed code cannot do.
Why A is correct: Threat modeling is the design-phase activity that maps data flows and trust boundaries to expose architectural weaknesses such as missing authorisation, so it identifies and ranks design flaws exactly when the requirement demands, before implementation begins.
Why B is wrong: Dynamic testing is valuable and tempting because it finds real exploitable issues, but it runs against built, deployed code and so cannot surface the design-level trust-boundary flaws the requirement targets before code is written.
Why C is wrong: Static analysis catches insecure code patterns and feels like the earliest control, but it operates on committed source rather than the architecture, so it misses design flaws that exist before code and that no scanner reads from a diagram.
Why D is wrong: A penetration test gives independent assurance and is appealing as a gate, but it happens against a near-complete system late in the lifecycle, so it finds design flaws only after they are expensively built rather than before code is written.
A study plan that works
Map the blueprint and book a date
Day 1
Read the official Microsoft exam guide and the four domains with their weights. Book a provisional date now, because a fixed date turns open-ended study into a plan and is the strongest predictor of actually sitting. The Security Operations, Identity, and Compliance domain and the Infrastructure Security domain together carry the most marks, so plan the heaviest study there, and confirm you have the assumed associate-level depth before committing.
Internalise the Zero Trust assume-breach lens
Week 1
Before drilling any domain, fix the decision rule the whole exam rests on: assume breach, verify explicitly, least privilege. Practise choosing the control that holds after a privileged identity is compromised, with the canonical cases of immutable backups, a dedicated directory recovery path, continuous access evaluation, and preventive separation of duties. Learn the framework map too: MCRA, MCSB, CAF, and WAF, and the Rapid Modernization Plan ordering that leads with privileged access and identity.
Go deep on operations, identity, and compliance (Domain 2)
Weeks 1 to 2
This is the largest domain, so it gets the most time. Drill the three distinctions until they are automatic: near-real-time enforcement versus fixed timers, preventive grant-time governance versus detective review, and the right home for control management in Microsoft Purview Compliance Manager. Add the enterprise access model, Privileged Identity Management, entitlement management, and group managed service accounts. Read the worked explanation on every practice question, including the ones you got right.
Lock infrastructure protection by surface (Domain 3)
Weeks 2 to 3
Infrastructure security is reliable marks if you drill it as posture-versus-runtime and surface-to-Defender-plan mappings. Fix Defender for Cloud posture management against the Defender for Servers, Endpoint, and IoT workload plans, the device builder micro-agent for shipped embedded hardware, Windows LAPS for local administrator passwords, and Global Secure Access remote networks for agentless whole-site onboarding. Do each surface-to-plan call by hand until the constraint alone decides it.
Cover application and data design (Domains 1 and 4)
Weeks 3 to 4
Tie the best-practices resilience and framework questions together with the application and data layer decisions. Drill threat modelling as the design-phase practice, least-privilege scoping of workload identities for blast radius, the data control layers from dynamic data masking to encryption at rest, and Intune app protection policies for unmanaged mobile. Keep checking that the control sits at the layer and lifecycle stage the scenario names, not just one that is technically capable.
Drill weak domains and rehearse case studies
Weeks 4 to 5
Use your per-domain accuracy to attack the two domains dragging you down, not to re-read what you already know. Then rehearse the case-study format, where one organisation stacks several design decisions, so you practise reading a long scenario, holding multiple constraints, and answering each linked question on its own merits. Space the review: revisit each domain's recall prompts after a few days and again a week later.
Sit a timed mock and calibrate
Weeks 5 to 6
Take at least one full timed mock under exam conditions to rehearse pacing, the flag-and-return habit, and the case-study sections that consume time fast. Treat the score as a per-domain readiness signal, not a single number, and review every missed question, naming the constraint you misread and why the Microsoft-preferred design wins, before you book or sit.
Know when you're ready
Readiness for the Microsoft Cybersecurity Architect is a score on scenario questions you have not seen before, not a feeling that the products are familiar. Those are different things, and the gap between them is where people fail at expert level. Re-reading the documentation builds fluency, and fluency feels like knowledge, so confidence rises while real recall does not. The fix is to test yourself: if you can read a fresh scenario, name the constraint, and choose the right design while explaining why each other option is wrong, you know it; if you can only nod along to an explanation, you do not yet.
Be especially wary of early confidence on the product map. Knowing what Microsoft Sentinel, Defender for Cloud, Microsoft Entra, and Purview each do is the easy half; choosing the design that survives a compromised admin, enforces a control at grant time, or matches protection to the exact surface, when two options would work, is the half the exam actually tests. The case studies raise the bar further by stacking several of these decisions on one organisation. Trust your measured per-domain accuracy over your gut, and set the bar at clearing every domain comfortably on unseen questions across more than one session, including a full case study, not scraping a single pass on the marked pass score.
This guide gives you the map. The practice bank is where you find out whether you can navigate it, with a worked explanation and a reason every distractor is wrong on every question. Readiness scoring tells you when you are there. Not before.
Read the scenario for its constraint first. The resilience, identity, compliance, infrastructure, or data requirement named in the question is what picks the design, so find it before you judge the options.
Apply assume-breach to every resilience and identity question. When the scenario names a compromised admin or privileged identity, choose the control the attacker cannot defeat with the access they hold, such as immutable backups or continuous access evaluation, not one that relies on the access they already have.
Prefer preventive enforcement over detection. A grant-time separation-of-duties rule, a scoped role assignment, or platform-enforced immutability beats an option that only notices, reviews, or limits the problem after it has formed.
Match the framework to the requirement. MCRA for reference patterns, MCSB for control baselines, CAF for the operating model and DevSecOps, WAF for the security pillar and trade-offs, and the Rapid Modernization Plan when the scenario asks where to start.
Separate posture from runtime and match protection to the surface. Configuration posture management does not detect active threats; pick the Defender workload plan built for the exact surface, from endpoints and servers to passive IoT sensors and the device builder micro-agent for shipped hardware.
Place data and application controls at the right layer and lifecycle stage. Threat modelling at design, presentation-layer masking versus encryption at rest, least-privilege scoping over rotation, and app protection without enrolment each win only when the requirement names that layer.
Budget time for the case studies. They stack several linked decisions on one organisation, so read the whole scenario once, then answer each question on its own constraint, and flag and return rather than stalling on one item.
Frequently asked questions
Is the Microsoft Cybersecurity Architect (SC-100) hard?
It is an expert-level exam and the difficulty is design judgement rather than recall. Most questions are scenarios where several Microsoft capabilities could work and only one is the best architectural fit once you weigh the stated resilience, identity, compliance, infrastructure, or data constraint. Case studies stack several such decisions on one organisation, so scenario practice with worked explanations matters far more than memorising what each product does.
Do I need an associate certification before SC-100?
None is enforced, but this is expert level and Microsoft assumes advanced experience across identity, security operations, and platform protection. Most candidates hold an associate certification first, such as SC-200, SC-300, or AZ-500, and bring real design exposure to Microsoft Entra, Microsoft Defender, and Microsoft Purview. Without that depth, plan more time.
How long should I study for the SC-100?
Most candidates who already hold an associate certification and have hands-on Microsoft security experience are ready in five to seven weeks of steady study. The heaviest time goes to the two largest domains (Security Operations, Identity, and Compliance; and Infrastructure Security) and to rehearsing the case-study format.
Which domains should I focus on?
Security Operations, Identity, and Compliance carries the most marks, with Infrastructure Security close behind, so together they deserve the most time. Best Practices and Priorities and Applications and Data Security share the rest and reward clean framework and layer-selection decisions, so do not leave them short.
How does Zero Trust actually shape the answers?
SC-100 frames everything through assume breach, verify explicitly, and least privilege. In practice that means choosing the design that still holds after a privileged identity is compromised: immutable backups over a second region copy, continuous access evaluation over a shorter token lifetime, a preventive separation-of-duties rule over a manual approver, and a scoped workload identity over a vaulted or rotated secret.
What is the difference between posture management and workload protection on this exam?
Posture management, with Defender for Cloud and Secure Score, assesses how resources are configured and recommends hardening, but it cannot see malicious behaviour executing. Workload protection plans such as Defender for Servers add runtime threat detection that alerts on activity such as crypto-mining and suspicious shells. When the scenario names active threats running on a machine, the answer is the workload plan, not a stronger configuration baseline.
How should I approach the case-study questions?
Read the whole organisation scenario once to hold its constraints, then answer each linked question on its own requirement rather than carrying an assumption across. They consume time fast, so flag and return, collect the clear marks first, and watch for questions where the right design is the one that enforces a control at the platform or grant-time level rather than relying on access the attacker may already hold.
Is SC-100 mostly about Azure, or does it cover hybrid and multicloud?
It explicitly spans Microsoft, hybrid, and multicloud estates. Expect Active Directory Domain Services alongside Microsoft Entra ID, Arc-enabled and multicloud servers in Defender for Cloud, agentless network onboarding through Security Service Edge, and shipped IoT and operational-technology devices, not just native Azure resources.
Is the Microsoft Cybersecurity Architect certification worth it?
SC-100 is worth it for security architects and senior security engineers who design security posture across Microsoft and hybrid environments, particularly those whose work involves translating regulatory or organisational requirements into Zero Trust controls. It is an expert-level credential that requires strong prior knowledge, typically from the associate-level security certifications, so the preparation itself reinforces architectural thinking rather than just adding new facts. Those already working in a hands-on security architecture role will find it validates skills they exercise daily.
Examworthy is not affiliated with or endorsed by Microsoft. This guide is original study material based on the public exam blueprint. We never reproduce live exam items. SC-100 and related marks belong to their respective owners.