SC-900: Security, Compliance, and Identity Fundamentals
400 practice questions · Free 15-question demo available
The SC-900 (Microsoft Security, Compliance, and Identity Fundamentals) tests foundational knowledge of security concepts, identity management, and the Microsoft tools built around them. It covers Zero Trust principles, Microsoft Entra ID, the Defender product family, and the compliance solutions in Microsoft Purview. No hands-on security experience required: this is a conceptual exam focused on understanding what each tool does and when to use it.
Who is SC-900 for?
SC-900 suits a broad audience. Security analysts and IT administrators take it as a foundation before moving to associate-level security exams like SC-200 or SC-300. Compliance officers, risk managers, and legal professionals use it to build enough technical literacy to work alongside security teams. Developers and cloud engineers who want to understand the security layer of their Microsoft environment find it useful too.
If you have already passed AZ-900, the identity and security sections of SC-900 will feel familiar; Microsoft Entra ID and Defender for Cloud appear in both. SC-900 goes deeper into each product and adds the compliance and governance layer that AZ-900 only touches on.
Exam at a glance
| Detail | Value |
|---|---|
| Passing score | 700 / 1000 (scaled score) |
| Number of questions | 40–60 |
| Duration | 60 minutes |
| Cost | $99 USD (fundamentals-tier pricing; regional prices vary by country) |
| Exam code | SC-900 |
| Certification validity | Does not expire (fundamentals certifications have no renewal requirement) |
What does the SC-900 cover?
The exam has four domains. Microsoft security solutions is the largest, making up more than a third of the exam. The weightings below come from the official Microsoft study guide; verify the current version on Microsoft Learn before your sitting.
Security, compliance, and identity concepts (10–15%)
Zero Trust model (verify explicitly, use least privilege, assume breach), defense in depth, encryption at rest and in transit, the shared responsibility model, and governance, risk, and compliance (GRC) frameworks. Also covers why identity is the primary security perimeter in modern cloud environments.
Microsoft Entra capabilities (25–30%)
Microsoft Entra ID (formerly Azure Active Directory) as a cloud identity provider. Authentication methods including passwords, MFA, passwordless, and SSPR. Conditional Access policies, identity governance (Privileged Identity Management, access reviews, entitlement management), Entra ID Protection for risk-based sign-in detection, and external identities (B2B and B2C).
Microsoft security solutions (35–40%)
Microsoft Defender for Cloud (cloud security posture management and workload protection), Microsoft Sentinel (SIEM and SOAR for threat detection and response), and the Defender XDR suite: Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps. Also covers Azure DDoS Protection, Azure Firewall, Azure Web Application Firewall, Azure Bastion, and Microsoft Intune for endpoint management.
Microsoft compliance solutions (20–25%)
Microsoft Purview as the unified data governance and compliance platform. The Microsoft Purview compliance portal, Compliance Manager, and Compliance Score. Data classification, sensitivity labels, retention policies, eDiscovery, and audit capabilities. The Service Trust Portal and Microsoft Privacy Principles.
How difficult is the SC-900?
SC-900 is a foundational exam with no hands-on experience required, but it is terminology-heavy. The Microsoft security product portfolio is large, and many products have similar names or overlapping functions. Knowing the difference between Microsoft Sentinel (SIEM/SOAR) and Defender for Cloud (CNAPP/CSPM) matters. So does knowing that Defender for Endpoint protects devices, while Defender for Identity uses signals from on-premises Active Directory domain controllers to detect identity attacks such as credential theft and lateral movement.
The Microsoft Entra domain (25–30%) is the second-largest and catches candidates who treat identity as a minor topic. Conditional Access policies, Privileged Identity Management, and the difference between authentication and authorization come up repeatedly. Give this domain proper attention.
How to prepare for SC-900
Most candidates pass with 2–4 weeks of study at around one hour per day. Here is a study path that works:
1. Start with Microsoft Learn
Microsoft publishes a free official SC-900 learning path at learn.microsoft.com. It takes roughly 8–10 hours and covers all four domains. Start here to build vocabulary before moving to practice questions.
2. Master Zero Trust early
Zero Trust is not just a buzzword on this exam; it is the lens through which Microsoft frames every security decision. Understanding the three principles (verify explicitly, use least privilege, assume breach) makes the rest of the exam easier to reason through.
3. Build a product map
The hardest part of SC-900 is keeping the Microsoft security product portfolio straight. Make a simple reference: product name, what it protects (identity, endpoint, email, cloud workloads, data), and its category (SIEM, CSPM, EDR, DLP). Review this regularly.
4. Know Entra ID deeply
Identity is the second-largest domain (25–30%) and appears in security-solution questions too. Understand authentication vs authorisation, Conditional Access logic (what triggers it, what it can enforce), and the difference between PIM (just-in-time role activation from an eligible assignment) and standard RBAC (a standing assignment).
5. Do a full timed mock exam
Before your sitting, complete a full mock under timed conditions. Sky Cloud Prep includes 50 SC-900 mock questions. Review every wrong answer; the explanation tells you the exact distinction the exam is testing.
Common pitfalls on the SC-900
These are the distinctions candidates most often get wrong:
- Defender for Cloud vs Microsoft Sentinel: Defender for Cloud manages your cloud security posture: it assesses your Azure (and connected multicloud) resources against security benchmarks and protects workloads (VMs, databases, containers, storage). Microsoft Sentinel is a SIEM/SOAR: it collects security events from across your environment, detects threats through analytics rules and machine learning, and automates response with playbooks. Defender for Cloud alerts can be forwarded into Sentinel, which is why the two are easy to confuse. Different tools, different jobs.
- Conditional Access vs MFA: MFA is an authentication factor. Conditional Access is a policy engine that evaluates signals at sign-in (user, group, application, device state, location, sign-in risk from Entra ID Protection) and decides what to demand. Requiring MFA is one possible grant control; a policy can also require a compliant or hybrid-joined device, restrict access by location, or block the sign-in entirely. They are not the same thing.
- PIM vs RBAC: RBAC (Role-Based Access Control) assigns standing permissions; the user always has the role, whether or not they are using it. Privileged Identity Management (PIM) makes the assignment eligible rather than active: the user activates the role when needed, can be required to give a justification, complete MFA or obtain approval, and the activation expires after a set time. PIM reduces the attack surface of standing privileged access and leaves an audit trail of who held which role, when, and why.
- Microsoft Purview vs Microsoft Defender: Purview handles data governance and compliance: classifying data, applying sensitivity labels, managing retention, and running eDiscovery. Defender products handle threat protection: detecting attacks, investigating incidents, and responding to breaches. The exam distinguishes these clearly.
- Azure DDoS Protection tiers: the default, free tier (formerly Basic, now called DDoS infrastructure protection) is always on for every Azure public IP and mitigates common volumetric attacks at the platform level. The paid tiers are DDoS Network Protection (the renamed Standard tier, applied to a virtual network) and DDoS IP Protection (applied to a single public IP, with a smaller feature set). Network Protection adds adaptive tuning of traffic baselines, attack analytics and telemetry, an SLA, and cost protection for resources that scale out during an attack. Know when a paid tier is needed.
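The Conditional Access point above (a policy engine that decides when MFA, a compliant device, or a block is required) is easier to see with a worked evaluator. The block below is an added example, not part of the original page and not Microsoft's code: its policies follow the shape of the Microsoft Graph conditionalAccessPolicy resource (conditions plus grantControls) so they read like real ones, but the evaluation logic is a simplification written for this page. All user names, groups, policy names, the Staff group, the CorpNet named location and the contoso.example domain are constructed sample data.

```python
"""Toy Conditional Access evaluator: an added example, not Microsoft's code.

Policies mirror the shape of the Microsoft Graph conditionalAccessPolicy
resource (conditions + grantControls) so they read like real ones, but the
evaluation below is a simplification written for this page. Every user,
group, policy and sign-in is constructed sample data."""
from dataclasses import dataclass, field

ANY = "All"  # Graph uses the literal "All" in include lists


@dataclass
class SignIn:
    user: str
    groups: set
    app: str
    location: str  # a named location, or "untrusted" for anything else
    risk: str  # sign-in risk from Entra ID Protection: none/low/medium/high
    satisfied: set = field(default_factory=set)  # controls already met, e.g. {"mfa"}


# Conditions say WHEN a policy applies; grantControls say WHAT it demands.
# "mfa" is one grant control among several; "block" denies outright.
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": [ANY],
                              "excludeUsers": ["breakglass@contoso.example"]},
                    "applications": {"includeApplications": [ANY]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require MFA and compliant device for Office 365", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["Staff"]},
                    "applications": {"includeApplications": ["Office365"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "Block high-risk sign-ins", "state": "enabled",
     "conditions": {"users": {"includeUsers": [ANY]},
                    "applications": {"includeApplications": [ANY]},
                    "signInRiskLevels": ["high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block outside CorpNet (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": [ANY]},
                    "applications": {"includeApplications": [ANY]},
                    "locations": {"excludeLocations": ["CorpNet"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]


def user_in_scope(users: dict, s: SignIn) -> bool:
    """Exclusions win over inclusions; this is how break-glass accounts are carved out."""
    if s.user in users.get("excludeUsers", []):
        return False
    include = users.get("includeUsers", [])
    if ANY in include or s.user in include:
        return True
    return bool(s.groups & set(users.get("includeGroups", [])))


def applies(policy: dict, s: SignIn) -> bool:
    """True when every condition of the policy matches this sign-in."""
    c = policy["conditions"]
    if not user_in_scope(c.get("users", {}), s):
        return False
    apps = c.get("applications", {}).get("includeApplications", [])
    if ANY not in apps and s.app not in apps:
        return False
    if "signInRiskLevels" in c and s.risk not in c["signInRiskLevels"]:
        return False
    loc = c.get("locations", {})
    if s.location in loc.get("excludeLocations", []):
        return False
    if "includeLocations" in loc and s.location not in loc["includeLocations"]:
        return False
    return True


def controls_satisfied(grant: dict, satisfied: set) -> bool:
    controls = set(grant["builtInControls"])
    if grant.get("operator") == "AND":
        return controls <= satisfied  # every listed control must be met
    return bool(controls & satisfied)  # OR: any one of them is enough


def evaluate(policies: list, s: SignIn) -> dict:
    """Combine all applicable policies into one decision for the sign-in."""
    blocked, unmet, report_only = [], [], []
    for p in policies:
        if p["state"] == "disabled" or not applies(p, s):
            continue
        grant, name = p["grantControls"], p["displayName"]
        if p["state"] == "enabledForReportingButNotEnforced":
            report_only.append(name)  # evaluated and logged for tuning, never enforced
            continue
        if "block" in grant["builtInControls"]:
            blocked.append(name)
        elif not controls_satisfied(grant, s.satisfied):
            unmet.append((name, grant["operator"], sorted(grant["builtInControls"])))
    if blocked:
        decision = "block"  # any applicable block policy wins over grant controls
    elif unmet:
        decision = "interrupt"  # Entra would now prompt for the missing control(s)
    else:
        decision = "grant"
    return {"decision": decision, "blockedBy": blocked, "unmet": unmet, "reportOnly": report_only}


if __name__ == "__main__":
    alice = SignIn("alice@contoso.example", {"Staff"}, "Office365", "untrusted", "none", {"mfa"})
    print(evaluate(POLICIES, alice))  # MFA done, but the AND policy still wants compliantDevice
```

Three things to notice when you run it: alice has already completed MFA yet is still interrupted, because the Office 365 policy demands MFA AND a compliant device; the break-glass account sails through with no MFA because it is excluded from the MFA policy (which is exactly why such accounts need separate monitoring); and the report-only location policy shows up in the result without changing the decision, which is how you stage a new block policy before enforcing it.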
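The PIM vs RBAC distinction above (eligible vs standing assignment, activation with a justification, expiry, and the smaller privileged population that results) can also be shown in code. The block below is an added example written for this page; it is not Microsoft's code and not the Entra PIM API, only a model of the semantics. Times are plain integer minutes so the expiry arithmetic is easy to follow, and every user, role and ticket reference is constructed sample data.

```python
"""Toy model of standing RBAC versus PIM just-in-time activation.

An added example, not Microsoft's code and not the Entra PIM API: it models
eligible assignments, time-boxed activation with a justification, and the
window in which a user actually holds the role. Times are minutes as plain
integers; all users and roles are constructed sample data."""
from dataclasses import dataclass, field

GA = "Global Administrator"


@dataclass
class Activation:
    user: str
    role: str
    start: int
    end: int
    justification: str


@dataclass
class Directory:
    standing: set = field(default_factory=set)  # (user, role): classic RBAC, permanent
    eligible: set = field(default_factory=set)  # (user, role): PIM eligibility, no permission yet
    activations: list = field(default_factory=list)
    max_duration: int = 480  # PIM role setting: longest allowed activation, in minutes

    def activate(self, user: str, role: str, now: int, duration: int, justification: str) -> Activation:
        """Turn an eligible assignment into a time-boxed active one."""
        if (user, role) not in self.eligible:
            raise PermissionError(f"{user} is not eligible for {role}")
        if not justification.strip():
            raise ValueError("role setting requires a justification")
        if not 0 < duration <= self.max_duration:
            raise ValueError(f"duration must be 1..{self.max_duration} minutes")
        act = Activation(user, role, now, now + duration, justification)
        self.activations.append(act)  # kept as the audit trail: who held what, when and why
        return act

    def has_role(self, user: str, role: str, at: int) -> bool:
        if (user, role) in self.standing:
            return True  # standing RBAC: true around the clock, in use or not
        return any(a.user == user and a.role == role and a.start <= at < a.end
                   for a in self.activations)

    def holders(self, role: str, at: int) -> set:
        """Everyone who can exercise the role at `at`: the privileged attack surface at that moment."""
        users = {u for (u, r) in self.standing if r == role}
        users |= {a.user for a in self.activations if a.role == role and a.start <= at < a.end}
        return users


def demo() -> tuple:
    """Global Administrator population before, during and after one JIT activation."""
    d = Directory()
    d.standing.add(("legacy-admin@contoso.example", GA))  # standing RBAC assignment
    d.eligible.add(("alice@contoso.example", GA))          # PIM-eligible, holds nothing yet
    d.eligible.add(("bob@contoso.example", GA))
    before = d.holders(GA, at=0)
    d.activate("alice@contoso.example", GA, now=60, duration=120,
               justification="INC-1234: reset MFA for locked-out user")
    during = d.holders(GA, at=100)
    after = d.holders(GA, at=180)  # activation expired at minute 180 (60 + 120)
    return before, during, after


if __name__ == "__main__":
    print(demo())
```

The point the model makes: two eligible administrators add nothing to the privileged population until one of them activates, and even then only for the activation window; the single standing assignment is the one an attacker can use at any hour. The refusals in activate (not eligible, no justification, over the maximum duration) correspond to PIM role settings that the exam expects you to recognise.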
Frequently asked questions
What score do I need to pass the SC-900?
You need a scaled score of 700 out of 1000. Microsoft reports scaled scores rather than a raw percentage, and question weighting differs between exam forms, so the number of correct answers required is not fixed; 700/1000 is the consistent passing threshold.
How many questions are on the SC-900 exam?
Between 40 and 60 questions. Most candidates see around 40–45. Question types include multiple choice, drag-and-drop matching, and scenario-based multiple select.
How long is the SC-900 exam?
You have 60 minutes, which works out to roughly 60–90 seconds per question. Time is rarely the constraint; preparation is.
How much does the SC-900 cost?
The standard price is $99 USD, the fundamentals-exam tier, with regional prices set per country. Microsoft has offered free exam vouchers to attendees of its Virtual Training Days; check the current offer on Microsoft Learn before paying full price.
Is SC-900 harder than AZ-900?
They are roughly the same difficulty level, but SC-900 requires more precise terminology. The security domain has a large number of Microsoft-specific product names (Defender for Endpoint, Defender for Cloud, Microsoft Sentinel, Purview) and you need to know what each one does and how they differ. If you have already passed AZ-900, the concepts around identity and Azure security will feel familiar.
What jobs does SC-900 help with?
SC-900 is relevant for security analyst roles, compliance officers, IT administrators working with Microsoft 365 and Azure, and anyone involved in governance or risk management. It is also a common stepping stone to the SC-200 (Security Operations Analyst) and SC-300 (Identity and Access Administrator) associate exams.
For the full skill outline and current domain percentages, visit the official SC-900 page on Microsoft Learn. Microsoft updates the exam objectives periodically; always verify before your sitting.
Ready to start practising?
15 questions free · no account needed.