
Microsoft Security, Compliance, and Identity Fundamentals (SC-900) cheat sheet

Microsoft

Exam version 2026. Reviewed 2026-06-06.

Free to share. Examworthy is not affiliated with or endorsed by Microsoft; SC-900 and related marks belong to their respective owners.

At a glance

Questions: typically 40 to 60
Time allowed: 45 min
Pass mark: 700 / 1000
Cost (USD): $99

Format: Multiple choice and multiple response, at a Pearson VUE testing center or online proctored

Domain weight map

Heaviest first - spend your time here
Microsoft Security Solutions: 38% · 99 Q
Microsoft Entra Capabilities: 27% · 73 Q
Microsoft Compliance Solutions: 22% · 60 Q
Security, Compliance, and Identity Concepts: 13% · 35 Q

How this exam thinks

SC-900 is a describe-and-identify exam: nearly every question maps a short scenario or definition onto the one Microsoft service, capability, or security principle that fits it, and the traps are built from features that sound almost right.

Spot the trap

Tempting wrong answers, and why they fail

Tempting but wrong

Defender CSPM is the posture plan that comes switched on for free on onboarded subscriptions.

Why it fails

Defender CSPM is the paid plan that adds advanced features such as attack path analysis and risk prioritisation, so it is not the free option enabled by default that a no-cost scenario requires.

Microsoft Security Solutions

Tempting but wrong

Microsoft Entra ID is a managed domain service that provides group policy, LDAP, and Kerberos for legacy applications.

Why it fails

Group policy, LDAP, and Kerberos for legacy apps describe Microsoft Entra Domain Services, a separate product in the family, not Microsoft Entra ID itself.

Microsoft Entra Capabilities

Tempting but wrong

A sensitive information type learns to recognise a content category by being shown example documents.

Why it fails

A sensitive information type matches known patterns of data, such as bank account numbers, and is an automated pattern-matching method. It is not trained from samples the way a trainable classifier is, so it cannot learn a fuzzy content category from examples.

Microsoft Compliance Solutions

Tempting but wrong

The customer is responsible for maintaining the physical hosts in every deployment type.

Why it fails

Physical hosts are a Microsoft responsibility in IaaS, PaaS, and SaaS; only an on-premises deployment leaves them with the customer, so the customer does not retain them in every deployment type.

Security, Compliance, and Identity Concepts

Tempting but wrong

Defender for Servers is the free CSPM plan that handles posture management by default.

Why it fails

Defender for Servers is a workload protection plan that provides threat detection for Windows and Linux machines, not a CSPM plan, and it is paid rather than the free posture option.

Microsoft Security Solutions

Tempting but wrong

Microsoft Entra ID is the service that issues decentralised verifiable credentials to users.

Why it fails

Issuing decentralised verifiable credentials describes Microsoft Entra Verified ID, a different product, not the foundational identity and access management service.

Microsoft Entra Capabilities

Tempting but wrong

The Classifiers page is where you go to review DLP activity events like label changes and rule matches.

Why it fails

The Classifiers page is where you build and manage trainable classifiers. It does not present the per-event DLP activity, such as label changes and rule matches, which is shown in Activity explorer.

Microsoft Compliance Solutions

Tempting but wrong

Transparent Data Encryption is what protects data while it travels between a client and a service.

Why it fails

Transparent Data Encryption protects database files at rest in real time, not data travelling between a client and a service, so it does not cover the transit case.

Security, Compliance, and Identity Concepts

Key terms

Azure DDoS Protection, Azure Firewall, web application firewall, network security groups, Azure Bastion, Azure Key Vault, Microsoft Defender for Cloud, cloud security posture management, security policies and recommendations, cloud workload protection, SIEM, SOAR, threat detection and mitigation, Defender XDR, Defender for Office 365, Defender for Endpoint

Exam-day rules

  • Name the service family first. Decide whether the stem is about identity (Entra), threat protection and posture (Defender or Sentinel), or compliance and data (Purview) before you read the options; that narrows four products to one.
  • Re-read the requirement for the deciding word. When two options are real Microsoft features that both sound plausible, the discriminator is a single detail in the stem, such as no public IP, no extra cost, or learns from samples, that only one option satisfies.
  • Separate authentication from authorisation every time. Proving who you are is authentication; deciding what you can do is authorisation. Many traps swap these, so label the stem before you answer.
  • Watch the free-versus-paid distinction in Defender for Cloud. If a question stresses no additional cost or enabled by default, it points to Foundational CSPM, not a paid Defender plan.
  • Match the classification tool to how it is described. Predefined patterns mean a sensitive information type; shown sample documents to learn a category means a trainable classifier.

Revision schedule

  1. Day 1
    Read the blueprint and book a date
  2. Week 1
    Lock the concepts vocabulary
  3. Week 1 to 2
    Map the Microsoft Entra capabilities
  4. Week 2 to 3
    Go deep on Microsoft security solutions
  5. Week 3
    Cover Microsoft compliance solutions

Practise SC-900 free

Every question has a worked explanation and a per-distractor rationale. No sign-up.

750 audited flashcards in this deck.
