Azure

SC-100 Complete Guide: Microsoft Cybersecurity Architect Expert — Exam Scope, Study Resources, and Pass Strategy

2026-05-24
NicheeLab Editorial Team

Microsoft Certified: Cybersecurity Architect Expert (SC-100) is an Expert-tier certification for security architects who design enterprise cybersecurity strategy, Zero Trust, and GRC (Governance, Risk, Compliance). It sits at the top of Microsoft's security certification stack and represents the destination point for engineers aiming to become senior security architects under a CISO, security consultants, or GRC leaders. In the 12-18 million JPY salary band for senior security architect and consulting roles, SC-100 alone is increasingly listed as a hard requirement.

This article walks through the SC-100 exam specs, prerequisites (any one of SC-200 / SC-300 / SC-400 / SC-500), the 4-domain structure, the core of Zero Trust strategy, how to use the Microsoft Cybersecurity Reference Architecture (MCRA) and Cloud Security Benchmark (MCSB), a 3-4 month pass roadmap, and dual-cert strategies with adjacent Expert exams (AZ-305 / AZ-400). The first step toward passing is internalizing that SC-100 is a strategy / architecture exam — it asks "why this architecture?" rather than testing implementation minutiae.

SC-100 Exam Specifications

SC-100 follows the standard Expert-tier exam specifications. 120 minutes, 40-60 questions, passing score 700 / 1000, 165 USD (~21,103 JPY), valid for 12 months (renewable via a free renewal assessment). You can take it through Pearson VUE online via OnVUE or at a test center, with multi-language support including Japanese. The format includes traditional multiple-choice plus case studies (fictional company requirements → propose an architecture), sequence/ordering questions (prioritize security design steps), and multi-select questions (pick the best combination of architecture components). The vast majority of items test strategic and architectural judgment.

Earning the Expert Badge Requires One SC Associate

To earn the Expert certification through SC-100, you must hold one of the following:

  • SC-200 (Security Operations Analyst Associate) — SOC perspective
  • SC-300 (Identity and Access Administrator Associate) — identity governance perspective
  • SC-400 (Information Protection and Compliance Administrator Associate) — information protection / compliance perspective
  • SC-500 (AZ-500 successor, GA scheduled for 2026-09, Azure Security Engineer Associate) — Azure security implementation perspective

All four prerequisites lead into SC-100, but SC-300 (Identity Admin) is considered the most natural pairing because identity is the foundation of Zero Trust. You can take SC-100 standalone, but the Expert badge isn't issued until you also hold an SC Associate — earn one later and the "Cybersecurity Architect Expert" badge appears on Credly at that point.

Domain 1: Design solutions that align with security best practices and priorities (20-25%)

This domain is the backbone of SC-100. It centers on the 6 pillars of Zero Trust strategy (Identities / Endpoints / Apps / Data / Infrastructure / Network) and how to deploy them across an organization, using the Microsoft Cybersecurity Reference Architecture (MCRA) (Microsoft's published reference security architecture blueprint), the Microsoft Cloud Security Benchmark (MCSB) for compliance checks (the former Azure Security Benchmark, mapped to CIS / NIST / PCI DSS), resiliency strategy (ransomware response, data-recovery design, business continuity), and the security maturity model (CMMI Security). The classic trap in this domain is the Zero Trust 6-pillar to Microsoft product mapping — you need to recall Conditional Access (Identities), Intune (Endpoints), Defender for Cloud Apps (Apps), Purview (Data), Defender for Cloud (Infrastructure), and Entra Private Access (Network) on demand.

Domain 2: Design security operations, identity, and compliance capabilities (30-35%, the heaviest domain)

The heaviest and most central domain. It covers SOC architecture design (Microsoft Sentinel + Defender XDR integration, Logic App Playbook automation, Threat Intelligence integration), Entra ID architecture (hybrid identity design, External Identity, PIM strategy, Entitlement Management, Identity Governance), Privileged Access Workstation (PAW) design (separating dedicated devices for privileged work), strategic adoption of Microsoft Defender for Cloud (formerly Azure Security Center), and compliance frameworks (NIST CSF, ISO 27001, SOC 2, PCI DSS, HIPAA, GDPR, APPI [Japan's Act on the Protection of Personal Information]) used together with Microsoft Purview Compliance Manager.

Domain 3: Design security solutions for infrastructure (20-25%)

The multicloud and hybrid security domain. It covers integrated security design across Azure, on-prem, and multicloud (AWS / GCP), Microsoft Defender for Cloud's multicloud support (AWS Connector / GCP Connector for unified CSPM/CWPP), network security architecture (Hub-Spoke vs Virtual WAN, Zero Trust Network, Azure Firewall vs NVA, Web Application Firewall (WAF)), server security (Defender for Servers Plan 1/2, Endpoint Detection and Response, Just-in-Time VM Access), container security (Defender for Containers, AKS Pod Security, image vulnerability scanning), and serverless security (Defender for App Service, Functions security).

Domain 4: Design security solutions for applications and data (20-25%)

The application security and data protection domain. It covers DevSecOps architecture (Microsoft Defender for DevOps, GitHub Advanced Security, integrating SAST/DAST/SCA), API security (API Management, OAuth 2.0 + OIDC, OWASP API Top 10 mitigations), data protection (Microsoft Purview Information Protection, Data Loss Prevention (DLP), Sensitivity Labels, Insider Risk Management), data classification and labeling strategy, encryption strategy (Azure Key Vault, Managed HSM, Customer-Managed Key (CMK), Bring Your Own Key (BYOK), Hold Your Own Key (HYOK)), and Confidential Computing (Intel SGX, AMD SEV-SNP, Trusted Execution Environment). This domain covers the strategic layer of information protection and encryption, and overlaps heavily with SC-400 (Information Protection Administrator).

The Core of Zero Trust

Zero Trust is the backbone philosophy of SC-100 and sits at the heart of Microsoft's security strategy. Its three core principles: Verify explicitly, Use least privilege access, and Assume breach. These are decomposed into 6 pillars (Identities / Endpoints / Apps / Data / Infrastructure / Network), and SC-100's central theme is making design decisions about which Microsoft products to apply to each pillar.

For exam prep, fully digest the Microsoft Zero Trust Adoption Framework documentation (Zero Trust Guidance Center), understand each pillar's Maturity Level (Traditional / Advanced / Optimal), and be able to articulate the migration strategy from an organization's current state to the target state. The CISO Workshop video series (on Microsoft's official YouTube channel) is also extremely useful study material.

A 3-4 Month Pass Roadmap

A 3-month plan assuming you already hold SC-200 / SC-300 and have 3-5 years of security experience. Month 1: Work through the Microsoft Learn SC-100 learning path (Zero Trust / Identity sections), do a complete read of the Microsoft Cybersecurity Reference Architecture (MCRA) docs, and one pass through the Zero Trust Adoption Framework. Month 2: Cover the SOC / Infrastructure domains, understand the Microsoft Cloud Security Benchmark (MCSB) mapping to CIS / NIST, and start case-study practice problems. Month 3: Application / Data domains and final polishing. Watch the CISO Workshop video series, drill the official Practice Assessment until you reliably score 80%+, and simulate case-study attack patterns. If you don't hold a prerequisite Associate yet, add 3-4 months in front for a realistic total of 6-7 months.

What to Target After SC-100

SC-100 is the only Expert-tier security exam, so you broaden your value by expanding into adjacent Expert and Associate exams. Dual architect track: pair with AZ-305 (Solutions Architect Expert) for AZ-305 + SC-100 = full-stack architecture + security specialization, the senior-architect profile. DevSecOps: pair with AZ-400 (DevOps Engineer Expert) for SC-100 + AZ-400 = security × CI/CD, the senior DevSecOps engineer profile. Round out SC Associates: fill in any of SC-200 / SC-300 / SC-400 / SC-500 you don't already hold. Multi-vendor: the job market also rewards pairing SC-100 with CISSP, CCSP (Certified Cloud Security Professional), ISACA CISM / CISA / CRISC, or OffSec OSCP. In the 12-18 million JPY salary band for senior security architects and CISO-adjacent positions, SC-100 alone is increasingly listed as a hard requirement.

Frequently Asked Questions

What kind of exam is SC-100?

Microsoft Certified: Cybersecurity Architect Expert (SC-100) is an Expert-tier certification for security architects who design enterprise cybersecurity strategy, Zero Trust, and GRC (Governance, Risk, Compliance). It's 120 minutes, 40-60 questions, 165 USD, with a 700/1000 passing score, valid for 12 months, and offered in multiple languages including Japanese. To earn the Expert badge, you must hold one of SC-200 (SOC Analyst), SC-300 (Identity Admin), SC-400 (Information Protection), or SC-500 (the AZ-500 successor, GA scheduled for 2026-09). The exam focuses less on implementation detail and more on strategic/architectural judgment: why you pick a given architecture and how you roll Zero Trust out across an organization.

Which Associate certification is best as a prerequisite?

Pick based on your current role and direction. SOC analysts and incident responders should go SC-200 first (graduating from detection/response implementation to architecture). IT/identity admins should go SC-300 first (from identity governance implementation to Zero Trust architecture). Information protection and compliance staff should go SC-400 first (from DLP/Purview implementation to GRC). Azure security implementation engineers should go SC-500 (the AZ-500 successor, GA scheduled for 2026-09). Any prerequisite works for SC-100, and the standard path is to first earn whichever Associate is closest to your day job, then move to SC-100. SC-300 (Identity Admin) is widely considered the most natural pairing with SC-100, since identity is the foundation of Zero Trust.

What are the exam domains and weights?

There are 4 domains. Design solutions that align with security best practices and priorities (20-25%) covers Zero Trust strategy, the Microsoft Cybersecurity Reference Architecture (MCRA), and the Microsoft Cloud Security Benchmark (MCSB). Design security operations, identity, and compliance capabilities (30-35%, the heaviest domain) covers SOC architecture, Defender XDR / Sentinel integration design, Entra ID architecture, Privileged Access Workstations, and compliance (NIST / ISO 27001 / SOC 2). Design security solutions for infrastructure (20-25%) covers integrated security across Azure, on-prem, and multicloud (AWS / GCP), Defender for Cloud architecture, and network security (Hub-Spoke / Zero Trust Network). Design security solutions for applications and data (20-25%) covers application security (DevSecOps), data protection (Purview / DLP), encryption strategy (Key Vault / Managed HSM), and Confidential Computing.

What is Zero Trust, and why is it so central to SC-100?

Zero Trust is the security architecture philosophy of "never assume trust; verify every access request explicitly," and it sits at the heart of Microsoft's security strategy. Its three principles are Verify explicitly, Use least privilege access, and Assume breach. SC-100 decomposes Zero Trust into 6 pillars (Identities / Endpoints / Apps / Data / Infrastructure / Network) and tests design decisions against each. Concretely, you need to map Microsoft products onto those 6 pillars on the spot: Conditional Access for identity verification, Microsoft Intune for endpoint compliance, Microsoft Defender for Cloud Apps for SaaS app visibility, Microsoft Purview for data classification and protection, Defender for Cloud for infrastructure defense, and Microsoft Entra Private Access / Internet Access for network segmentation.

How much study time and what does the roadmap look like?

If you already hold SC-200 / SC-300 and have 3-5 years of security experience, plan on 100-150 hours. With SC-200 / SC-300 and 1-3 years of experience, plan on 150-250 hours. Beginners realistically cannot reach SC-100 without going through an SC Associate first. The proven path is the Microsoft Learn SC-100 learning path (~50 hours), the official Practice Assessment, a complete read-through of the Microsoft Cybersecurity Reference Architectures (MCRA), solid understanding of the Zero Trust Architecture Guide, and the CISO Workshop video series. 3-4 months of focused study is typical. If you don't yet hold a prerequisite Associate, add another 3-4 months in front, for a realistic total of 6-7 months.

How much implementation detail does the exam test?

SC-100 is an architect-perspective exam — design decisions matter much more than implementation minutiae. Where SC-200 asks "what does this Sentinel KQL query detect?", SC-100 asks "how should you design this company's SOC using Sentinel + Defender XDR?" or "why pick a Logic Apps Playbook here?" Step-by-step implementation (which button to click) does not appear. Instead, expect case-study formats (fictional company requirements → propose an architecture) and "pick the best design" multiple-choice questions. Think of SC-200 / SC-300 as building hands-on muscle, and SC-100 as the stage where you articulate the why.

How much does it cost, and how do you get a free voucher?

165 USD (about 21,103 JPY incl. tax), paid by credit card through Pearson VUE. Expert-tier exams don't get direct vouchers from Virtual Training Days, but you can still score a free voucher via Microsoft Build / Ignite / Secure, RSAC Conference-linked campaigns, security-focused Cloud Skills Challenges (completion vouchers), security hands-on events at Microsoft Reactor, or enterprise cert-reimbursement programs. Microsoft's security certifications (SC-100 / SC-200 / SC-300 / SC-400 / SC-500) tend to see relatively frequent campaigns, including ones designed around back-to-back SC-200 / SC-300 → SC-100 paths. Checking Microsoft Learn Cloud Skills Challenges regularly is the most repeatable route.

What should you target after SC-100?

SC-100 is the only Expert-tier security exam, so the next move is to broaden into adjacent Expert or Associate certifications. For a dual-architect track, pair with AZ-305 (Solutions Architect Expert) — AZ-305 + SC-100 = full-stack architecture + security specialization. For DevSecOps, pair with AZ-400 (DevOps Engineer Expert) — SC-100 + AZ-400 = security × CI/CD. Fill in any missing Microsoft security Associates (SC-200 / SC-300 / SC-400 / SC-500). For a multi-vendor security architect identity, the job market rewards combining SC-100 with CISSP, CCSP, ISACA CISM / CISA, or OffSec OSCP. In the 12-18 million JPY salary band for senior security architects and CISO-adjacent roles, SC-100 alone is increasingly listed as a hard requirement.

Related Articles and Exam Info

AZ-305 完全ガイド|Microsoft Azure Solutions Architect Expert 出題範囲・学習リソース・合格戦略【2026 年版】

Microsoft Certified: Azure Solutions Architect Expert (AZ-305) の完全ガイド。4 ドメインの出題範囲、ケーススタディ形式の攻略法、Well-Architected Framework 5 つの柱、AZ-104 との連携学習、3-4 ヶ月の合格ロードマップ、AZ-400 / SC-100 などの隣接 Expert へのキャリアパスを日本語で網羅。

SC-200 完全ガイド|Microsoft Security Operations Analyst Associate 出題範囲・学習リソース・合格戦略【2026 年版】

Microsoft Certified: Security Operations Analyst Associate (SC-200) の完全ガイド。4 ドメインの出題範囲、Microsoft Sentinel / Defender XDR (Endpoint / Cloud / Identity / Office 365 / Cloud Apps) の運用スキル、KQL Hunting Query、3-4 ヶ月の合格ロードマップ、SC-300 / SC-100 / SC-500 への展開ルートを日本語で網羅。

AZ-400 完全ガイド|Microsoft Azure DevOps Engineer Expert 出題範囲・学習リソース・合格戦略【2026 年版】

Microsoft Certified: DevOps Engineer Expert (AZ-400) の完全ガイド。5 ドメインの出題範囲、Azure DevOps と GitHub の両方を網羅、IaC (Bicep / ARM / Terraform)、CI/CD パイプライン設計、DevSecOps、SRE プラクティス、3-4 ヶ月の合格ロードマップ、AZ-305 / SC-100 との二刀流戦略を日本語で網羅。

SC-400 完全ガイド|Microsoft Information Protection and Compliance Administrator Associate 出題範囲・学習リソース・合格戦略【2026 年版】

Microsoft Certified: Information Protection and Compliance Administrator Associate (SC-400) の完全ガイド。4 ドメインの出題範囲、Microsoft Purview の Sensitivity Label / DLP / Insider Risk / Communication Compliance / eDiscovery / Retention の実装、3-4 ヶ月の合格ロードマップ、SC-100 / MS-102 への展開ルートを日本語で網羅。

Exam information in this article is based on the official Microsoft Learn SC-100 page and the Microsoft Zero Trust Guidance Center. This article is not an official Microsoft product and has no affiliation with or endorsement from Microsoft Corporation. Microsoft, Azure, Microsoft Sentinel, Microsoft Defender, Microsoft Entra, and Microsoft Purview are trademarks of the Microsoft group of companies. Information is current as of the official publicly available materials as of May 24, 2026. Always check the official page for the latest details.

Check what you learned with practice questions

Practice with certification-focused question sets

Visit the Azure exam prep page
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Azure

AZ-900 Azure Fundamentals: Complete Exam Guide (2026)

Pass AZ-900 — cloud concepts, Azure architecture, management...

Azure

Azure Certification Roadmap: Which Cert to Take Next (2026)

Choose your Azure certification path — Fundamentals, Associa...

Azure

AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)

Pass AI-901 — Microsoft Foundry, generative AI, responsible ...

Azure

Microsoft Entra ID Fundamentals for Azure Certs (2026)

Entra ID basics every cert candidate needs — tenants, identi...

Azure

DP-900 Azure Data Fundamentals: Complete Guide (2026)

Pass DP-900 — relational, non-relational, analytics, Power B...

Browse all Azure articles (104)
© 2026 NicheeLab All rights reserved.