Microsoft study guide

How to pass Microsoft Security, Compliance, and Identity Fundamentals (SC-900)


Microsoft Security, Compliance, and Identity Fundamentals (SC-900) tests whether you can describe the concepts behind security, compliance, and identity, and recognise which Microsoft service delivers each capability across Microsoft Entra, the Microsoft security stack, and Microsoft Purview. It is a fundamentals exam, so the questions ask you to identify and describe rather than to configure or design. The hard part is not difficulty of concept but breadth: you have to keep four large product families straight and know which tool owns which job.

It suits people early in a security or cloud career, business and sales staff who need fluency in the Microsoft security portfolio, and anyone using SC-900 as the on-ramp to role-based certifications such as SC-200, SC-300, or AZ-500. No technical background is required, but you do need to have read about each service rather than just heard its name, because the traps are built from services that sound similar.

The exam is pass-or-fail on recognition under pressure. Most questions hand you a short scenario or a definition and ask which capability, service, or principle matches. Two or three options are usually real Microsoft features that almost fit, and only one matches the exact wording of the requirement. The skill being tested is mapping a described need to the single correct service or term, which is why drilling the discriminators between similar tools beats memorising long feature lists.

SC-900 is a describe-and-identify exam: nearly every question maps a short scenario or definition onto the one Microsoft service, capability, or security principle that fits it, and the traps are built from features that sound almost right.

Difficulty

Foundational

Best for

People new to security, compliance, and identity: business stakeholders, sales and support staff, and aspiring IT professionals who need fluency in Microsoft Entra, Microsoft security solutions, and Microsoft Purview, often as the first step toward role-based SC and AZ certifications.

Prerequisites

None. General familiarity with networking and cloud computing concepts helps, and any exposure to Microsoft 365 or Azure makes the service names land faster, but no certification or hands-on experience is required.

  • Questions: typically 40 to 60
  • Time allowed: 45 min
  • Pass mark: 700 / 1000
  • Exam cost (USD): $99
  • Practice questions: 267

How this exam thinks

One habit decides this exam: read the requirement or definition, then pick the single Microsoft service, capability, or principle that matches it exactly. The questions are short and conceptual, so the work is recognition, not configuration. Several options will be genuine Microsoft features, but only one fits every word of the scenario, and the others are near-neighbours placed there to catch a vague memory.

The default move is to map the described job to the tool that owns it. Microsoft Entra owns identity and access; Microsoft Defender and Azure security services own threat protection and posture; Microsoft Purview owns compliance, information protection, and governance. When a stem describes finding and labelling sensitive data, think Purview; when it describes signing in or conditional access, think Entra; when it describes detecting threats across the estate, think Sentinel or Defender XDR. Naming the family first narrows four products to one, then the exact capability inside that family resolves the answer.

The rest is a set of clean distinctions the exam leans on, each driven by the wording: authentication versus authorisation, a network security group versus Azure Firewall, foundational free plans versus paid Defender plans, a sensitive information type versus a trainable classifier. When two answers both sound plausible, the discriminator is in the requirement itself, so re-read the stem for the one detail that only one option satisfies.

What each domain tests and how to study it

The SC-900 blueprint is split across 4 domains. Weights are the official share of the exam; see the official exam guide for the authoritative breakdown.

  1. Security, Compliance, and Identity Concepts

    13% of exam

    What you must be able to do. Recognise and correctly name the core security, compliance, and identity concepts when a scenario describes one in plain language.

    In one sentence. The vocabulary layer: shared responsibility, Zero Trust, defence in depth, encryption, and authentication versus authorisation, each tied to its exact definition.

    Recall check: answer these from memory first
    • Under the shared responsibility model, what does the customer always retain across on-premises, IaaS, PaaS, and SaaS?
    • State the simple idea Zero Trust is built on, and what gets verified before access is granted.
    • What is the difference between authentication and authorisation in one line each?

    What it tests. Whether you can describe the foundational vocabulary that the rest of the exam builds on. The shared responsibility model and what the customer always owns; defence in depth and the Zero Trust model with its never trust, always verify principle; common threats and encryption of data at rest and in transit; and the core identity vocabulary of authentication versus authorisation, identity providers, federation, and the four pillars of identity infrastructure.

    How to study it. Treat this as a definitions domain and drill the terms until each one is unambiguous. Learn the shared responsibility model by what stays with the customer in every deployment type: data and identities, always. Fix Zero Trust to its slogan, "never trust, always verify", and its principle of continuous verification. Separate authentication (proving who you are) from authorisation (what you are allowed to do) and practise spotting which one a stem describes. Know that encryption at rest, such as Azure Storage Service Encryption with 256-bit AES, differs from encryption in transit.

    Easy to confuse

    • Authentication versus authorisation. Authentication proves who a user is by verifying credentials; authorisation decides what that verified user is allowed to do. The stem describing identity proof is authentication; the stem describing permissions or access rights is authorisation.
    • Encryption at rest versus encryption in transit. Encryption at rest protects data sitting in persistent storage, such as Azure Storage Service Encryption using 256-bit AES; encryption in transit protects data moving over the network, such as TLS. If the data is on disk it is at rest; if it is travelling it is in transit.

    Worked example from the SC-900 bank

    Free sample: Security, Compliance, and Identity Concepts (easy)

    An instructor is explaining the cloud shared responsibility model. Which responsibility area stays with the customer across on-premises, IaaS, PaaS, and SaaS deployments alike?

    • A. Data and identities, which the customer is responsible for protecting in every deployment type. (Correct)
    • B. The physical hosts, which the customer is responsible for maintaining in every deployment type.
    • C. The physical datacenter, which the customer is responsible for securing in every deployment type.
    • D. The hypervisor layer, which the customer is responsible for managing in every deployment type.

    The customer always retains responsibility for their data and identities, no matter the cloud deployment type.

    Why A is correct: The grounding states that for all cloud deployment types you own your data and identities, and that data and accounts and access management are responsibilities you always retain regardless of the deployment type.

    Why B is wrong: Physical hosts are a Microsoft responsibility in IaaS, PaaS, and SaaS; only on-premises leaves them with the customer, so they are not always retained.

    Why C is wrong: Securing the physical datacenter shifts to Microsoft once you move to any cloud model, so it is not a responsibility the customer always retains.

    Why D is wrong: The grounding lists the hypervisor as a Microsoft responsibility for the virtualization layer, so the customer does not retain it.

  2. Microsoft Entra Capabilities

    27% of exam

    What you must be able to do. Identify the correct Microsoft Entra capability or governance principle that satisfies a described identity or access requirement.

    In one sentence. The identity layer: Entra ID, authentication methods, Conditional Access, and governance principles such as least privilege and just-in-time access.

    Recall check: answer these from memory first
    • Which authentication method is both a primary sign-in method and phishing-resistant?
    • Define the principle of least privilege and contrast it with just-in-time access.
    • What kind of service is Microsoft Entra ID, in the cloud identity vocabulary?

    What it tests. Whether you can describe what Microsoft Entra does across identity and access. The function and identity types of Microsoft Entra ID as the cloud identity and access management service; authentication methods including multifactor authentication, passwordless, and phishing-resistant options such as Windows Hello for Business; access management through Conditional Access and roles; and identity protection and governance through Privileged Identity Management, just-in-time access, least privilege, entitlement management, and access reviews.

    How to study it. Sort Entra into its four jobs and learn one or two flagship features for each. For function and identity types, know Entra ID is the cloud-based, Identity-as-a-Service evolution of directory services. For authentication, learn which methods are primary versus secondary and which are phishing-resistant, with Windows Hello for Business being both primary and phishing-resistant. For access management, anchor Conditional Access as the policy engine that grants or blocks based on signals. For protection and governance, separate the principle of least privilege (only the minimum permissions) from just-in-time access (temporary permissions granted only when needed) under Privileged Identity Management.

    Easy to confuse

    • Least privilege versus just-in-time access. Least privilege grants each user only the minimum standing permissions their role needs; just-in-time access grants temporary permissions only at the moment they are required and removes them after. One limits how much you have; the other limits how long you have it.
    • Microsoft Entra ID versus an on-premises directory. Microsoft Entra ID is a cloud-based Identity-as-a-Service that Microsoft operates for internet-scale modern authentication; an on-premises directory runs on domain controllers the organisation installs and maintains itself. If the scenario says no servers, no VPN, and SaaS sign-in, it is Entra ID.

    Worked example from the SC-900 bank

    Free sample: Microsoft Entra Capabilities (medium)

    A device administrator wants users to sign in to their Windows devices with a method that serves as primary authentication and is also phishing-resistant. Which Microsoft Entra authentication method fits both requirements?

    • A. Windows Hello for Business, which is a primary sign-in method and is phishing-resistant. (Correct)
    • B. A voice call to the user's phone, which is a secondary method and is not phishing-resistant.
    • C. An SMS sign-in code, which is a primary method but is not listed as phishing-resistant.
    • D. An email one-time passcode, which is used for self-service password reset only.

    Windows Hello for Business is a primary authentication method that is also phishing-resistant.

    Why A is correct: The grounding's methods table marks Windows Hello for Business as usable for primary authentication, and the phishing-resistant section lists Windows Hello for Business among the phishing-resistant methods available in Microsoft Entra ID.

    Why B is wrong: A voice call is a secondary MFA method, not a primary sign-in method, and the grounding does not list it as phishing-resistant.

    Why C is wrong: SMS sign-in is a primary method, but the grounding groups SMS with methods prone to remote phishing, so it does not meet the phishing-resistant requirement.

    Why D is wrong: Email one-time passcode is not a primary authentication method and is not phishing-resistant, so it fails both requirements in the scenario.

  3. Microsoft Security Solutions

    38% of exam

    What you must be able to do. Select the correct Azure security service or Microsoft Defender capability that meets a described protection, posture, or detection requirement.

    In one sentence. The security layer: Azure infrastructure controls, Defender for Cloud posture and workload protection, Sentinel as SIEM and SOAR, and Defender XDR for threat protection.

    Recall check: answer these from memory first
    • Which Azure service gives secure RDP and SSH to VMs over TLS without assigning them a public IP?
    • Which Defender for Cloud plan is free and enabled by default, and what does the paid plan add?
    • Which capability raises real-time alerts indicating the nature and severity of a threat to running workloads?

    What it tests. Whether you can describe the Azure and Microsoft Defender security portfolio. Core Azure infrastructure security such as Azure Bastion, network security groups, Azure Firewall, Web Application Firewall, DDoS Protection, and Azure Key Vault; security management with Microsoft Defender for Cloud, including secure score, cloud security posture management, and cloud workload protection; the SIEM and SOAR capabilities of Microsoft Sentinel; and threat protection across the estate with Microsoft Defender XDR.

    How to study it. This is the heaviest domain, so spend the most time mapping each Azure security service to its single job. Bastion gives secure RDP and SSH to VMs over TLS without a public IP; a network security group filters traffic by source, destination, port, and protocol; Azure Firewall is the stateful network firewall; Key Vault stores secrets and keys. In Defender for Cloud, separate the free Foundational CSPM (posture, enabled by default) from the paid Defender plans and from cloud workload protection (real-time threat alerts). Then place Sentinel as the cloud-native SIEM and SOAR for the whole estate, and Defender XDR as the integrated threat protection across endpoints, identities, email, and apps.

    Easy to confuse

    • Network security group versus Azure Firewall. A network security group is a basic allow-or-deny filter on traffic to and from Azure resources by source, destination, port, and protocol; Azure Firewall is a managed, stateful network firewall service with richer policy and threat intelligence. If the stem just describes allow or deny rules on a subnet or NIC, it is a network security group.
    • Foundational CSPM versus Defender CSPM. Foundational CSPM is the free posture-management plan enabled by default on onboarded subscriptions; Defender CSPM is the paid plan that adds capabilities such as attack path analysis and risk prioritisation. If the requirement says no extra cost, it is Foundational CSPM.

    Worked example from the SC-900 bank

    Free sample: Microsoft Security Solutions (easy)

    An administrator wants to open an RDP or SSH session to virtual machines from the Azure portal without giving those VMs a public IP address. Which Azure service is designed to provide this connectivity?

    • A. Azure Bastion, which connects to VMs over TLS using their private IP address. (Correct)
    • B. Azure Firewall, which is a stateful network firewall service for filtering network traffic.
    • C. Azure DDoS Protection, which defends virtual network resources against denial-of-service attacks.
    • D. Azure Web Application Firewall, which protects web applications from common exploits.

    Azure Bastion provides secure RDP and SSH connectivity to VMs over TLS using their private IP addresses, so the VMs need no public IP.

    Why A is correct: The grounding states Azure Bastion is a fully managed PaaS service that provides secure RDP and SSH connectivity to virtual machines directly over TLS, supports all VMs in the virtual network using private IP addresses, and that VMs do not need a public IP address when you connect through it.

    Why B is wrong: Azure Firewall filters network traffic to and from workloads, but it does not provide RDP or SSH connectivity to virtual machines, so it does not fit this scenario.

    Why C is wrong: Azure DDoS Protection mitigates denial-of-service attacks at the network layer; it does not establish RDP or SSH sessions to VMs.

    Why D is wrong: Web Application Firewall protects web apps from exploits such as SQL injection; it is not a service for connecting to VMs over RDP or SSH.

  4. Microsoft Compliance Solutions

    22% of exam

    What you must be able to do. Identify the correct Microsoft Purview solution, Compliance Manager element, or privacy principle that satisfies a described compliance requirement.

    In one sentence. The compliance layer: Purview classification and protection, Compliance Manager templates and action types, the privacy principles, and the eDiscovery and audit solutions.

    Recall check: answer these from memory first
    • Which classification tool do you train on sample content, and which one matches predefined patterns?
    • What are regulatory templates in Compliance Manager, and what do you use them for?
    • What distinguishes a mandatory action from a discretionary action in Compliance Manager scoring?

    What it tests. Whether you can describe Microsoft Purview and Microsoft's compliance offerings. The Service Trust Portal and Microsoft privacy principles, including how subprocessors are bound; compliance management in Compliance Manager with its regulatory templates, improvement actions, and mandatory versus discretionary actions; information protection, data lifecycle management, and data governance, including sensitivity labels, sensitive information types, and trainable classifiers; and insider risk management, eDiscovery, and audit.

    How to study it. Learn Purview as a set of solutions, each answering one compliance need. For classification, separate a sensitive information type (matches predefined patterns such as bank account numbers) from a trainable classifier (learns a content category from sample documents) from exact data match and document fingerprinting. In Compliance Manager, fix regulatory templates as the prebuilt starting points for assessments, and learn the action types: a mandatory action cannot be bypassed, a discretionary action relies on users to follow policy. For privacy, know that Microsoft subprocessors may perform only their hired function and are bound by Microsoft's privacy commitments. Place insider risk, eDiscovery, and audit as the investigation solutions.

    Easy to confuse

    • Sensitive information type versus trainable classifier. A sensitive information type matches predefined patterns such as credit card or bank account numbers; a trainable classifier is taught a content category by example so it can recognise material that no simple pattern reliably catches. If the stem says you show it samples to learn from, it is a trainable classifier.
    • Mandatory action versus discretionary action. A mandatory action cannot be bypassed intentionally or accidentally, such as a centrally enforced password policy; a discretionary action relies on users understanding and choosing to follow a policy. If users could ignore it, it is discretionary.
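    The two classification mechanics side by side, as an added illustration that is not code from this guide or from Microsoft Purview: a pattern-plus-checksum detector standing in for a sensitive information type, and a small naive Bayes classifier that learns a content category from labelled samples. The card-number regex, the Luhn check, the classifier and every sample document are this example's own constructions.

```python
"""Sensitive information type (predefined pattern) versus trainable
classifier (learned from samples), modelled in plain Python."""
import math
import re
from collections import Counter, defaultdict

# --- Sensitive information type: a predefined pattern ----------------------
# Constructed stand-in for a SIT: a 16-digit card-number shape plus a Luhn
# checksum so that arbitrary runs of digits do not match. Not Purview's rules.
CARD_PATTERN = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def detect_card_numbers(text: str) -> list[str]:
    """Pattern match followed by checksum: detection the SIT way."""
    hits = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


# --- Trainable classifier: a category learned from samples -----------------
class TrainableClassifier:
    """Multinomial naive Bayes over word tokens, trained from labelled samples."""

    def __init__(self) -> None:
        self.word_counts = defaultdict(Counter)   # label -> word -> count
        self.doc_counts = Counter()               # label -> number of samples
        self.vocab = set()

    @staticmethod
    def tokens(text: str) -> list[str]:
        return re.findall(r"[a-z]+", text.lower())

    def fit(self, samples: list[str], label: str) -> None:
        """Show the classifier examples of one category."""
        for text in samples:
            self.doc_counts[label] += 1
            for w in self.tokens(text):
                self.word_counts[label][w] += 1
                self.vocab.add(w)

    def predict(self, text: str) -> str:
        """Pick the label with the highest smoothed log-probability."""
        total_docs = sum(self.doc_counts.values())
        best, best_score = None, -math.inf
        for label, ndocs in self.doc_counts.items():
            counts = self.word_counts[label]
            denom = sum(counts.values()) + len(self.vocab)   # add-one smoothing
            score = math.log(ndocs / total_docs)
            for w in self.tokens(text):
                score += math.log((counts[w] + 1) / denom)
            if score > best_score:
                best, best_score = label, score
        return best


# Constructed training samples: contract language versus everyday office text.
CONTRACT_SAMPLES = [
    "This agreement is entered into between the parties. Term and termination clauses apply.",
    "The supplier shall indemnify the customer under this agreement. Governing law and termination.",
    "Master services agreement: scope of services, fees, liability, term, termination.",
]
OTHER_SAMPLES = [
    "Lunch menu for the canteen this week: soup, salad, pasta and dessert.",
    "Team meeting notes: project timeline, sprint review, and action items.",
    "Newsletter: company picnic on Friday, bring family and friends.",
]


def build_classifier() -> TrainableClassifier:
    clf = TrainableClassifier()
    clf.fit(CONTRACT_SAMPLES, "contract")
    clf.fit(OTHER_SAMPLES, "other")
    return clf


# Constructed test documents: one with no pattern at all, one with a card number.
NEW_CONTRACT = "This services agreement sets out fees, liability and termination for both parties."
CARD_MEMO = "Please charge card 4111 1111 1111 1111 for the invoice; reference 1234 5678 9012 3456."

if __name__ == "__main__":
    clf = build_classifier()
    print("SIT on contract:", detect_card_numbers(NEW_CONTRACT))    # nothing to match
    print("Classifier on contract:", clf.predict(NEW_CONTRACT))     # learned category
    print("SIT on memo:", detect_card_numbers(CARD_MEMO))           # only the Luhn-valid number
```

    The contract document contains no pattern a SIT could match, yet the classifier places it in the category it was shown examples of; the memo's second digit run fails the checksum, so only the valid card number is reported.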

    Worked example from the SC-900 bank

    Free sample: Microsoft Compliance Solutions (easy)

    An organisation wants Microsoft Purview to recognise a category of business content that simple keyword or pattern rules cannot reliably identify, by showing it examples to learn from. Which classification capability fits this need?

    • A. A sensitive information type, which matches predefined patterns such as bank account numbers.
    • B. A trainable classifier, which you train to recognise content by giving it samples. (Correct)
    • C. Document fingerprinting, which recognises an item because it is a variation on a template.
    • D. Exact data match, which detects the presence of specific exact strings.

    A trainable classifier is trained on sample content so Microsoft Purview can recognise that type of content automatically.

    Why A is wrong: A sensitive information type matches known patterns of data and is an automated pattern-matching method; it is not trained from samples the way a trainable classifier is.

    Why B is correct: The grounding defines a Microsoft Purview trainable classifier as a tool you can train to recognise various types of content by giving it samples to evaluate, after which it can identify items for use in solutions such as Office sensitivity labels and retention label policies.

    Why C is wrong: Document fingerprinting is an automated pattern-matching technique tied to a template; it does not learn a content category from sample documents.

    Why D is wrong: Exact data match looks for specific exact strings and is a pattern-matching method, not a classifier you train by evaluating samples.

A study plan that works

  1. Read the blueprint and book a date

    Day 1

    Read the four domains and their weights, then book a provisional date now, because a fixed date turns open-ended study into a plan. Note where the marks are: Microsoft Security Solutions and Microsoft Entra Capabilities together are nearly two-thirds of the exam, so they earn the most attention.

  2. Lock the concepts vocabulary

    Week 1

    Start with the concepts domain because every later question reuses its terms. Drill shared responsibility, Zero Trust, defence in depth, encryption at rest versus in transit, and authentication versus authorisation until each definition is automatic. Use this guide's recall prompts: cover the answer, name the concept from the description, then reveal.

  3. Map the Microsoft Entra capabilities

    Week 1 to 2

    Sort Entra into its four jobs: identity types, authentication, access management, and protection and governance. Memorise which authentication methods are primary and which are phishing-resistant, and separate least privilege from just-in-time access. Practise reading a sign-in or access scenario and naming the single Entra feature that fits.

  4. Go deep on Microsoft security solutions

    Week 2 to 3

    This is the largest domain, so give it the most time. Build a one-line job description for each Azure security service (Bastion, network security group, Firewall, Key Vault, DDoS, WAF) and for each Defender for Cloud plan, then place Sentinel as SIEM and SOAR and Defender XDR as cross-estate threat protection. Drill the near-neighbour pairs until the wording alone decides them.

  5. Cover Microsoft compliance solutions

    Week 3

    Learn Purview as discrete solutions: classification (sensitive information types, trainable classifiers), information protection and labels, data lifecycle, and the investigation tools of insider risk, eDiscovery, and audit. Add Compliance Manager regulatory templates and the mandatory versus discretionary action distinction, and the privacy principles around subprocessors.

  6. Drill weak domains and space the review

    Week 4

    Use your per-domain accuracy on practice questions to attack the two domains dragging you down, not to re-read what you already know. Then revisit each domain's recall prompts after a few days and again a week later, because spacing roughly doubles what sticks compared with cramming.

  7. Sit a timed mock and calibrate

    Week 4 to 5

    Take at least one full timed practice run to rehearse pacing and the flag-and-return habit. Treat the score as a per-domain readiness signal rather than a single number, and review every missed question, naming the discriminator you misread, before you book or sit.

Know when you're ready

Readiness for SC-900 is a measured score on practice questions you have not seen before, not a feeling that the service names are familiar. Those are different things, and the gap is where people slip on a fundamentals exam: re-reading descriptions builds recognition of words, but the exam tests whether you can map a fresh requirement to the one correct service while rejecting the near-neighbours placed beside it.

The honest test is this: read a new scenario, name the service family it belongs to (Entra, the security stack, or Purview), pick the exact capability inside it, and explain why each other option is the wrong tool. If you can do that across unseen questions in more than one session, you are ready. If you can only nod along when an explanation is shown to you, you are not there yet.

Set the bar at clearing every domain comfortably on unseen questions, not scraping a single pass, and trust your per-domain accuracy over your gut. The weighting means a weak run on Microsoft Security Solutions hurts most, so do not call yourself ready until that domain is solid alongside the rest.


Exam-day tips

  • Name the service family first. Decide whether the stem is about identity (Entra), threat protection and posture (Defender or Sentinel), or compliance and data (Purview) before you read the options; that narrows four products to one.
  • Re-read the requirement for the deciding word. When two options are real Microsoft features that both sound plausible, the discriminator is a single detail in the stem, such as no public IP, no extra cost, or learns from samples, that only one option satisfies.
  • Separate authentication from authorisation every time. Proving who you are is authentication; deciding what you can do is authorisation. Many traps swap these, so label the stem before you answer.
  • Watch the free-versus-paid distinction in Defender for Cloud. If a question stresses no additional cost or enabled by default, it points to Foundational CSPM, not a paid Defender plan.
  • Match the classification tool to how it is described. Predefined patterns mean a sensitive information type; shown sample documents to learn a category means a trainable classifier.
  • Flag and move on. With a short time limit, cover every question once and collect the clear marks first, then return to the few that need more thought, so an easy question late in the paper is never left unanswered.

Frequently asked questions

Is SC-900 hard?

It is a foundational exam, so the concepts are not deep, but the breadth catches people out. You have to keep Microsoft Entra, the security stack, and Microsoft Purview straight and tell apart services that sound similar. Drilling the discriminators between near-neighbour features matters far more than memorising long feature lists.

Do I need a technical background or hands-on experience?

No. SC-900 is designed for business stakeholders, sales and support staff, and people new to security, as well as aspiring IT professionals. General familiarity with networking and cloud helps, and any exposure to Microsoft 365 or Azure makes the names land faster, but no prior certification or hands-on work is required.

How long should I study for SC-900?

Most candidates are ready in three to five weeks of steady study. Spend the most time on Microsoft Security Solutions and Microsoft Entra Capabilities, since together they are nearly two-thirds of the exam, and on the discriminators between similar services that the traps are built from.

Which domains carry the most weight?

Microsoft Security Solutions is the largest single domain, with Microsoft Entra Capabilities and Microsoft Compliance Solutions close behind, and the Security, Compliance, and Identity Concepts domain the smallest. The concepts domain is still worth nailing early because every other question reuses its vocabulary.

Is SC-900 a good first Microsoft certification?

Yes. It is a common on-ramp to role-based certifications such as SC-200, SC-300, and AZ-500, giving you the shared vocabulary and the map of the Microsoft security portfolio before you go deeper into any one role.

Does the exam test how to configure these services?

No. Every objective is to describe or identify a capability, not to configure or deploy it. The questions hand you a scenario or definition and ask which service, capability, or principle matches, so recognition and clean distinctions are what you are graded on.

How many practice questions should I do before booking?

Enough that every domain clears comfortably on questions you have not seen, and a timed run feels comfortable on pacing. Quality of review beats raw volume: on each question, read the explanation and name the discriminator that picked the answer, including on the ones you got right.

Is the Microsoft Security Fundamentals certification worth it?

SC-900 is worth it for IT generalists, business stakeholders, and anyone entering a Microsoft security role who needs a credible, structured introduction to security, compliance, and identity concepts across the Microsoft portfolio. It builds the shared vocabulary that the role-based certifications such as SC-200, SC-300, and AZ-500 assume, so it pays off most for those who plan to continue rather than stop here. For experienced security professionals already comfortable with Microsoft Entra and Defender, it is likely too introductory to be worth the preparation time.

Examworthy is not affiliated with or endorsed by Microsoft. This guide is original study material based on the public exam blueprint. We never reproduce live exam items. SC-900 and related marks belong to their respective owners.