Azure

SC-900 Complete Guide: Microsoft Security, Compliance, and Identity Fundamentals Exam Scope, Resources & Passing Strategy

2026-05-24
NicheeLab Editorial Team

Microsoft Certified: Security, Compliance, and Identity Fundamentals (SC-900) is a Fundamentals-tier exam that covers Microsoft's security, compliance, and identity stack end-to-end. While AZ-900 covers Azure cloud broadly and DP-900 covers data, SC-900 targets the entire security stack across Microsoft 365 / Entra / Defender / Purview / Intune, making it a certification recommended for IT admins, aspiring SOC analysts, consultants, and even sales roles. This article organizes the 4 exam domains, the three Zero Trust principles, how to distinguish the 7 Defender products, and a roadmap to passing the exam — all in one place.

The value of SC-900 isn't just the exam itself — it's getting a "map" of the Microsoft security stack into your head. Microsoft has been aggressively expanding its security product line: 10+ products in the Entra (formerly Azure AD) family alone, 7+ in the Defender family, and 8+ in the Purview family — a massive ecosystem. SC-900 is the shortest path to learning the whole landscape at the "what does each product do and what threats does it handle" level, and it directly informs IT decision-making and RFP authoring.

SC-900 Exam Basics

SC-900 has the same exam specs as AZ-900 / DP-900. 45 minutes, 40-60 questions, passing score 700 / 1000, 99 USD / 13,200 JPY, available in 13 languages including Japanese, with no expiration. You can take it online via Pearson VUE OnVUE or at a test center. No coding is required — the exam is concept-focused.

Domain 1: Concepts of Security, Compliance, and Identity (10-15%)

The lowest-weighted introductory domain, but it's the foundation for everything that follows. The core topic is Zero Trust, and Microsoft's three principles — "1) Verify explicitly, 2) Use least privilege access, 3) Assume breach" — show up frequently. These three principles aren't just memorization items: they reappear in later scenario questions that ask which Defender / Entra / Purview product implements which principle, so you need to be able to explain them in your own words.

On top of that, the domain asks about the shared responsibility model (also on AZ-900), symmetric vs. asymmetric encryption, hashing and digital signatures, and the difference between authentication and authorization. Implementation-level algorithm names (AES / RSA) aren't drilled deeply, but you do need to be able to answer the simple principle that "with asymmetric keys, you encrypt with the public key and decrypt with the private key."

Domain 2: Microsoft Entra (25-30%)

Centered on Microsoft Entra ID (formerly Azure Active Directory). Since the rebrand in July 2023, the Entra naming has been the official one used on SC-900. Expect questions on tenants and initial / custom domain names, the four core objects (users, groups, devices, applications), the three user types (cloud-only, synced, guest), and the difference between Security Group and Microsoft 365 Group.

For authentication methods, the three main families are MFA (multi-factor authentication), Passwordless (Microsoft Authenticator / Windows Hello for Business / FIDO2 security keys). In addition, the conceptual mechanics of Conditional Access (conditions → actions), time-bound role elevation via Privileged Identity Management (PIM), sign-in risk assessment by Identity Protection, External Identities (B2B / B2C integration), and SaaS integration via SSO (single sign-on) are all tested at the conceptual level.

Entra ID licensing (Free / P1 / P2 / Entra Suite) is also covered in this domain. Locking in the feature boundaries — "Conditional Access needs P1 or higher; PIM needs P2 or higher" — lets you correctly narrow down the choices in scenario questions.

Domain 3: Microsoft Security Solutions (35-40%)

The highest-weighted domain, covering the entire Microsoft Defender suite. The 7 main Defender products you need to know:

ProductCoverage
Microsoft Defender for CloudMulti-cloud CSPM + CWPP across Azure / AWS / GCP
Microsoft SentinelCloud-native SIEM / SOAR
Microsoft Defender XDRUnified XDR console (formerly Microsoft 365 Defender)
Defender for EndpointEndpoint Detection and Response (EDR)
Defender for IdentityThreat monitoring for on-prem Active Directory
Defender for Office 365Phishing protection for email / Teams / SharePoint
Defender for Cloud AppsCASB for SaaS apps (formerly Microsoft Cloud App Security)

Common scenario questions in this domain include "which Defender handles abnormal sign-in detection?" and "which tool gives a SOC analyst a single pane of glass for all alerts?" Microsoft Sentinel is a cloud-native SIEM, with the distinguishing feature that it ingests logs from Azure, Microsoft 365, on-prem, and other clouds (AWS / GCP) alike. Defender XDR is the unified dashboard for the main Defender products. You need to be able to articulate the difference vs. Sentinel (Sentinel = log aggregation and analysis, XDR = unified operations).

On top of that, expect representative features like Microsoft Defender for Cloud's Secure Score (the recommendation achievement metric), Microsoft Sentinel Playbooks (automated response), and Microsoft Defender for Cloud Apps' Shadow IT discovery.

Domain 4: Microsoft Compliance Solutions (20-25%)

The compliance domain centered on the Microsoft Purview family. Microsoft Purview (the consolidated brand formed by merging Azure Purview and the Microsoft 365 Compliance Center) has expanded rapidly, and SC-900 covers its 8 major capabilities.

The headline capabilities are Microsoft Purview Information Protection (formerly Azure Information Protection — classifies and protects data with sensitivity labels), Microsoft Purview Data Loss Prevention (DLP) (prevents leakage of sensitive information), Microsoft Purview Insider Risk Management (detects insider threats), Microsoft Purview Compliance Manager (compliance dashboard), Microsoft Purview eDiscovery (legal discovery), Microsoft Purview Audit (operation logs), Microsoft Purview Data Lifecycle Management (retention and deletion policies), and Microsoft Service Trust Portal (repository of compliance documentation).

Common scenario questions in this domain include "which feature prevents files containing sensitive information from being sent outside the organization?" (DLP), "which feature detects suspicious activity by employees about to leave?" (Insider Risk Management), and "which feature preserves internal data for litigation?" (eDiscovery). The Purview sub-brand names can be hard to remember, but if you memorize one corresponding scenario for each, you can reliably score points in this domain.

Can You Pass with Official Resources Alone?

Yes — SC-900 can also be passed with Microsoft official resources alone. Three things close the loop: the Microsoft Learn SC-900 learning path (about 10 hours), the free voucher available via Virtual Training Day: Security, Compliance, and Identity, and the official Practice Assessment. Virtual Training Day is also held regularly in Japanese, and completing both Part 1 and Part 2 gets the exam voucher (worth roughly 165 USD) issued within 5 business days — letting self-learners effectively take the exam for free.

4-Week Roadmap to Passing

Week 1: Cover Domain 1 (concepts) via Microsoft Learn and internalize the three Zero Trust principles plus the authentication / authorization distinction. Week 2: Study Domain 2 (Entra) and get hands-on practice in a free Entra ID tenant (the Microsoft 365 Developer Program sandbox). Week 3: Run Domain 3 (the Defender family) in parallel with Virtual Training Day Part 1 + 2 to earn the voucher. Week 4: Finish with Domain 4 (Purview) and drill the Practice Assessment to 80%+.

What to Aim for After SC-900

SC-900 is the entry point to the family of security certifications. For identity administrators, SC-300 (Identity and Access Administrator Associate) is the real Entra ID management certification. For SOC analysts / security operations, SC-200 (Security Operations Analyst Associate) centers on Sentinel and Defender XDR. For Azure security generalists, SC-500 (the successor to AZ-500 with strengthened Microsoft Defender for Cloud integration, GA expected August 2026) is the headline target. At the top is SC-100 (Cybersecurity Architect Expert), designed for roles that own organization-wide security strategy. SC-100 effectively requires holding one of SC-200 / SC-300 / AZ-500.

Frequently Asked Questions

What kind of exam is SC-900?

Microsoft Certified: Security, Compliance, and Identity Fundamentals (SC-900) is a Fundamentals-level exam that covers Microsoft's security, compliance, and identity stack end-to-end. 45 minutes, 40-60 questions, 99 USD, passing score 700/1000, no expiration, available in 13 languages including Japanese. Because it spans Microsoft 365 / Entra / Defender / Purview / Intune rather than Azure alone, the scope differs from AZ-900. It's an entry-level certification recommended for security teams, IT admins, consultants, and even sales roles.

Should I take AZ-900 or SC-900 first?

Pick based on your target domain. If you need cloud fundamentals first, start with AZ-900. If you want to dive straight into security and identity, starting with SC-900 is also fine. If you plan to take both, taking AZ-900 first to lock in Entra ID and Azure RBAC basics makes SC-900 study more efficient. Conversely, IT admins or aspiring SOC analysts who already have on-prem AD or security product experience can jump straight into SC-900 and leverage their existing knowledge.

What are the exam domains and their weights?

The exam has 4 domains. Concepts of security, compliance, and identity (10-15%) covers Zero Trust, the shared responsibility model, and encryption basics. Capabilities of Microsoft Entra (25-30%) covers Entra ID tenants, authentication methods, Conditional Access, and PIM. Capabilities of Microsoft security solutions (35-40%) covers Microsoft Defender for Cloud, Sentinel, Defender XDR, Defender for Office 365, Endpoint, Identity, and Cloud Apps. Capabilities of Microsoft compliance solutions (20-25%) covers Microsoft Purview, Information Protection, Insider Risk Management, Compliance Manager, and eDiscovery.

What is Zero Trust?

Zero Trust is a security design philosophy that says "don't assume anything inside the network perimeter is safe; always verify every access." Microsoft's three Zero Trust principles are: 1) Verify explicitly, 2) Use least privilege access, and 3) Assume breach. SC-900 frequently tests these three principles and the role of Microsoft products that implement Zero Trust (Entra ID Conditional Access, Defender XDR, Microsoft Purview, etc.).

How deep does the exam go on Microsoft Entra ID?

Conceptual level only. The exam asks about core objects (tenants, users, groups, devices, applications), authentication methods (MFA, Passwordless, FIDO2), how Conditional Access works, and the concepts behind SSO and External Identities. It does not ask for hands-on configuration commands or PowerShell scripts. Deep administrator-level implementation is tested by SC-300 (Identity and Access Administrator Associate). SC-900 is scoped to what decision-makers need to understand.

How many Microsoft Defender products do I need to learn?

Being able to distinguish the 7 main products is enough. Microsoft Defender for Cloud (multi-cloud protection for Azure / AWS / GCP), Microsoft Sentinel (SIEM/SOAR), Microsoft Defender XDR (unified XDR console), Defender for Endpoint (EDR), Defender for Identity (on-prem AD monitoring), Defender for Office 365 (email protection), and Defender for Cloud Apps (formerly MCAS, CASB). If you can describe each one's coverage in a single sentence (what threats it handles), you'll be able to pick the right product in scenario questions.

What's the exam fee and how much study time is needed?

99 USD / 13,200 JPY (tax included). Completing both Part 1 and Part 2 of Microsoft Azure Virtual Training Day: Security, Compliance, and Identity earns you a free exam voucher (worth roughly 165 USD). Typical study time ranges are 25-40 hours for IT beginners, 15-25 hours for those with IT experience, and 5-15 hours for security practitioners. Self-study is more than enough to pass when you center your prep on the Microsoft Learn SC-900 learning path and the official Practice Assessment.

What certification should I take after SC-900?

Three paths depending on your direction. For identity administrators, SC-300 (Identity and Access Administrator) is the serious certification for Entra ID management. For SOC analysts or security operations, SC-200 (Security Operations Analyst) centers on Sentinel and Defender XDR. For Azure security generalists, SC-500 (the successor to AZ-500, GA expected August 2026) is the headline target. At the top is SC-100 (Cybersecurity Architect Expert) for roles that own organization-wide security strategy.

Related articles and exam info

SC-300 完全ガイド|Microsoft Identity and Access Administrator Associate 出題範囲・学習リソース・合格戦略【2026 年版】

Microsoft Certified: Identity and Access Administrator Associate (SC-300) の完全ガイド。4 ドメインの出題範囲、Microsoft Entra ID の ユーザー / グループ / アプリ管理、Conditional Access / MFA / PIM / Entra ID Governance の実装、3-4 ヶ月の合格ロードマップ、SC-200 / SC-100 / SC-500 への展開ルートを日本語で網羅。

SC-200 完全ガイド|Microsoft Security Operations Analyst Associate 出題範囲・学習リソース・合格戦略【2026 年版】

Microsoft Certified: Security Operations Analyst Associate (SC-200) の完全ガイド。4 ドメインの出題範囲、Microsoft Sentinel / Defender XDR (Endpoint / Cloud / Identity / Office 365 / Cloud Apps) の運用スキル、KQL Hunting Query、3-4 ヶ月の合格ロードマップ、SC-300 / SC-100 / SC-500 への展開ルートを日本語で網羅。

MS-900 完全ガイド|Microsoft 365 Fundamentals 出題範囲・学習リソース・合格戦略【Copilot 対応版】

Microsoft Certified: Microsoft 365 Fundamentals (MS-900) の完全ガイド。4 ドメインの出題範囲、Teams / Exchange / SharePoint / Intune / Microsoft 365 Copilot、ライセンス SKU の使い分け、無料 Virtual Training Day バウチャー、4 週間合格ロードマップ、MS-102 / SC-401 / MD-102 へのキャリアパスを日本語で網羅。

DP-900 完全ガイド|Azure Data Fundamentals 出題範囲・学習リソース・合格戦略【2026 年版】

Microsoft Azure Data Fundamentals (DP-900) の完全ガイド。4 ドメインの出題範囲、SQL / NoSQL / 分析ワークロードの位置付け、Microsoft Fabric 出題対応、無料 Virtual Training Day バウチャー、4 週間合格ロードマップ、DP-203 / DP-700 / DP-300 へのキャリアパスを日本語で網羅。

The exam information in this article is based on the official Microsoft Learn SC-900 page and the official Study Guide. This article is not an official Microsoft Corporation product and has no affiliation or sponsorship relationship. Microsoft, Microsoft Entra, Microsoft Defender, Microsoft Sentinel, Microsoft Purview, and Azure are trademarks of the Microsoft group of companies. Information reflects official public materials as of May 24, 2026. Always check the official pages for the latest information.

Check what you learned with practice questions

Practice with certification-focused question sets

View Azure exam prep page
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Azure

AZ-900 Azure Fundamentals: Complete Exam Guide (2026)

Pass AZ-900 — cloud concepts, Azure architecture, management...

Azure

Azure Certification Roadmap: Which Cert to Take Next (2026)

Choose your Azure certification path — Fundamentals, Associa...

Azure

AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)

Pass AI-901 — Microsoft Foundry, generative AI, responsible ...

Azure

Microsoft Entra ID Fundamentals for Azure Certs (2026)

Entra ID basics every cert candidate needs — tenants, identi...

Azure

DP-900 Azure Data Fundamentals: Complete Guide (2026)

Pass DP-900 — relational, non-relational, analytics, Power B...

Browse all Azure articles (104)
© 2026 NicheeLab All rights reserved.