The Microsoft Certified: Security, Compliance, and Identity Fundamentals (SC-900) is Microsoft's entry-level security certification. It is built for people who need a working understanding of modern Microsoft security language before moving into hands-on administrator, identity, compliance, or security-operations roles.
This is not a configuration-heavy exam. Microsoft is testing whether you can recognize the right security, compliance, or identity concept and map it to the correct Microsoft solution family. That means your preparation should focus on definitions, service positioning, and clear distinctions such as authentication vs authorization, protection vs detection, compliance vs governance, and Microsoft Entra vs Defender vs Purview.
SC-900 also matters because it creates the security vocabulary for the wider Microsoft path. If you later move into AZ-500, SC-200, or identity-heavy Azure administration work, the ideas in this guide keep returning.
Exam At a Glance
| Attribute | Value |
|---|---|
| Certification | Microsoft Certified: Security, Compliance, and Identity Fundamentals |
| Exam code | SC-900 |
| Level | Fundamentals |
| Duration | 45 minutes |
| Cost | $99 USD |
| Prerequisites | No formal prerequisite; Microsoft recommends familiarity with Azure and Microsoft 365 concepts |
| Target candidate | Beginners, students, business stakeholders, and IT professionals building foundational Microsoft security literacy |
| Primary focus | Security, compliance, and identity concepts across Microsoft cloud services |
- Official certification page: Microsoft Certified: Security, Compliance, and Identity Fundamentals
- Official exam page: Exam SC-900: Security, Compliance, and Identity Fundamentals
- Official study guide: SC-900 study guide
- Official course: Introduction to Microsoft Security, Compliance, and Identity
Official Assessed Areas
- Describe the concepts of security, compliance, and identity
- Describe the capabilities of Microsoft Entra
- Describe the capabilities of Microsoft security solutions
- Describe the capabilities of Microsoft compliance solutions
SC-900 feels broad because Microsoft intentionally spans Azure and Microsoft 365. The exam is not about mastering one console. It is about understanding how Microsoft's identity, security, and compliance services fit together into a complete control plane.
1. Describe the Concepts of Security, Compliance, and Identity
This section gives the conceptual frame for the rest of the exam. If you do not understand core security language, the later Microsoft-solution questions feel much harder than they really are.
- Security principles and the shared responsibility mindset - Start with the official concepts learning path. Microsoft expects you to understand confidentiality, integrity, availability, layered security, defense in depth, and why cloud security is shared between provider and customer. Official resources: Introduction to security, compliance, and identity concepts, SC-900 course.
- Zero Trust, identity, and modern access control - SC-900 repeatedly returns to the idea that identity is the new security perimeter. You should be comfortable with authentication, authorization, multifactor authentication, and conditional access at a high level. Official resource: Security, compliance, and identity concepts learning path.
- Compliance, governance, and privacy terminology - Microsoft wants you to know why data classification, auditing, insider-risk controls, and regulatory alignment exist, even if you are not implementing them yet. Official resource: Introduction to Microsoft Purview and Microsoft's privacy principles.
- Identity and access as a foundational control - The exam often uses identity concepts to bridge security and compliance questions. If you know who is requesting access, how they are verified, and what they are allowed to do, many scenarios become straightforward. Official resources: Concepts path, Introduction to Microsoft Entra.
- Concept questions are about definition first - In this domain, the right answer is usually the cleanest definition or principle, not the most advanced Microsoft product name. Official resources: Concepts path, SC-900 course.
Exam tip: If a question feels vendor-neutral, answer it as a security-fundamentals question first. Only after you identify the principle should you decide which Microsoft service family supports it.
2. Describe the Capabilities of Microsoft Entra
This section covers identity, authentication, access control, and the role Microsoft Entra plays across Microsoft cloud environments.
- Microsoft Entra fundamentals - Study what Microsoft Entra is, why cloud identity matters, and how directory services, user objects, groups, and app identities fit together. Official resources: Introduction to Microsoft Entra, What is Microsoft Entra?.
- Authentication and authorization - Be clear on the difference between proving identity and granting access. Microsoft likes to test multifactor authentication, SSO, conditional access, and role-based access as separate but related controls. Official resource: Microsoft Entra learning path.
- Identity governance and lifecycle thinking - SC-900 expects you to understand the high-level purpose of identity governance, privileged access controls, and access reviews, even if you are not configuring them. Official resource: Microsoft Entra learning path.
- Identity is where many security answers start - In Microsoft's ecosystem, identity is tightly connected to risk reduction. Many exam scenarios become simpler if you ask three questions: how is the user authenticated, what policy controls access, and how is privilege constrained? Official resources: Microsoft Entra overview, Entra path.
- Do not blur Azure resource access and identity concepts - SC-900 stays high level, but Microsoft still expects you to distinguish general identity capabilities from deeper Azure administration tasks. Official resource: Microsoft Entra learning path.
Exam tip: If the question mentions sign-in, MFA, SSO, role assignment, or access policy, suspect the identity domain before you think about endpoint or data-protection tooling.
3. Describe the Capabilities of Microsoft Security Solutions
This section is about protection, threat detection, posture visibility, and Microsoft's security product families.
- Know the major Microsoft security families - Use the official security-solutions learning path to understand the positioning of Defender, Sentinel, and related security tools. Microsoft is testing high-level capability recognition, not deep deployment skill. Official resources: Introduction to Microsoft security solutions, Microsoft Defender XDR documentation.
- Threat protection versus posture and visibility - Learn the difference between tools that help protect identities, endpoints, apps, and data, and tools that help monitor or investigate security events. Official resource: Microsoft security solutions learning path.
- Microsoft Defender and Microsoft Sentinel positioning - At fundamentals level, you should recognize that Microsoft Defender products focus on protection and detection across workloads, while Microsoft Sentinel plays the SIEM and SOAR role for security operations. Official resource: Security solutions path.
- Security answers are about outcome, not console detail - SC-900 usually asks which solution family best protects, detects, investigates, or centralizes security insight. Official resources: Microsoft Defender XDR documentation, Security solutions path.
- Think in layers - Identity, endpoint, workload, email, collaboration, and monitoring controls reinforce each other. Microsoft likes answers that reflect a layered defense rather than a single product acting alone. Official resource: Microsoft security solutions learning path.
Exam tip: If a question sounds like attack detection, incident visibility, endpoint protection, or threat response, map the requirement to the Microsoft security family first and ignore distracting implementation detail.
4. Describe the Capabilities of Microsoft Compliance Solutions
This section tests whether you understand how Microsoft approaches governance, retention, privacy, data protection, and compliance workflows.
- Microsoft Purview fundamentals - Microsoft Purview is the core compliance brand you need to understand for SC-900. Study how it relates to data protection, information governance, and compliance tasks across Microsoft services. Official resources: Introduction to Microsoft Purview and Microsoft's privacy principles, Microsoft Purview documentation.
- Data lifecycle, retention, and records concepts - Be comfortable with the purpose of retention labels, data lifecycle controls, and information governance. Microsoft wants you to recognize why an organization would use these capabilities. Official resource: Compliance solutions learning path.
- Information protection and privacy controls - SC-900 covers sensitivity classification, data protection, insider risk, and privacy principles at a high level. Official resources: Compliance path, Purview overview.
- Compliance is not just security with another name - The exam expects you to distinguish governance, auditability, legal retention, and privacy responsibilities from pure threat-prevention questions. Official resource: Compliance solutions path.
- Answer for control intent - When Microsoft asks compliance questions, the best answer usually aligns with classifying, retaining, protecting, or auditing organizational data correctly. Official resources: Purview documentation, Compliance path.
Exam tip: If the question is about records, classification, privacy, retention, or governance obligations, think compliance tooling before security tooling.
Recommended 4-Week Study Plan
| Week | Focus | Primary resources |
|---|---|---|
| 1 | Core security, compliance, and identity language | SC-900 course, security/compliance/identity concepts learning path |
| 2 | Microsoft Entra, MFA, SSO, conditional access, identity governance basics | Microsoft Entra learning path, Entra overview docs |
| 3 | Microsoft security solutions, Defender family, Sentinel positioning, protection and detection concepts | Microsoft security solutions learning path, Defender docs |
| 4 | Microsoft Purview, retention, information protection, privacy, review and practice | Compliance solutions learning path, Purview docs, official study guide, practice questions |
Last-Mile Exam Strategy
- Study by distinction. SC-900 is much easier when you clearly separate identity, security, and compliance responsibilities.
- Use the four official learning paths as your checklist. If it appears in the course structure, treat it as active exam material.
- Do not over-study product configuration. SC-900 rewards service recognition and conceptual accuracy more than hands-on admin detail.
- Memorize the high-level role of Microsoft Entra, Microsoft Defender, Microsoft Sentinel, and Microsoft Purview. Those names anchor a large share of the exam.
- Read each question for intent: identity problem, protection problem, detection problem, or compliance problem. That usually narrows the answer quickly.
If you want scenario-style reinforcement after the official docs, use our SC-900 practice questions. If you also want the broader Microsoft cloud base, pair this with our Azure Fundamentals study guide.
The fastest route to passing SC-900 is to treat it as a map of Microsoft's security stack. Learn the vocabulary, understand what each solution family is for, and practice choosing the simplest Microsoft control that matches the requirement. That is the reasoning the exam is designed to test.