About the SC-900 Exam
The Microsoft SC-900 (Microsoft Security, Compliance, and Identity Fundamentals) is a foundational certification that validates your understanding of security, compliance, and identity concepts across cloud-based and related Microsoft services. Unlike the role-based SC-200, SC-300, or SC-401 certifications that test hands-on implementation skills, the SC-900 is a conceptual exam that tests your understanding of core principles—Zero Trust, shared responsibility, defense in depth—and how Microsoft implements those principles through services like Microsoft Entra ID, Microsoft Defender, Microsoft Sentinel, and Microsoft Purview.
The exam consists of 40-60 questions completed in 45 minutes, with a passing score of 700 out of 1000. Cost is approximately $99 USD. No formal prerequisites are required—this is designed as an entry point for anyone interested in Microsoft security, whether you're an IT professional, business stakeholder, student, or career changer. As a Fundamentals certification, the SC-900 does not expire and does not require renewal.
SC-900 Exam Domains and Weightings:
- Describe the concepts of security, compliance, and identity (10-15%) - Understanding the shared responsibility model across IaaS, PaaS, and SaaS, describing defense in depth and Zero Trust principles, understanding encryption and hashing concepts, and describing governance, risk, and compliance (GRC) concepts including data residency and data sovereignty
- Describe the capabilities of Microsoft Entra (25-30%) - Describing Microsoft Entra ID (formerly Azure AD) as an identity provider, understanding authentication methods (passwords, MFA, passwordless), describing conditional access policies, Microsoft Entra roles, and identity governance features including access reviews, entitlement management, and Privileged Identity Management (PIM)
- Describe the capabilities of Microsoft security solutions (35-40%) - Understanding Microsoft Defender for Cloud, Microsoft Defender XDR services (Defender for Endpoint, Office 365, Identity, Cloud Apps), Microsoft Sentinel as a SIEM/SOAR solution, Microsoft Secure Score, and Azure network security features including Network Security Groups, Azure Firewall, and Azure DDoS Protection
- Describe the capabilities of Microsoft compliance solutions (20-25%) - Understanding the Microsoft Purview compliance portal, Compliance Manager and compliance score, data classification capabilities, data loss prevention (DLP), retention policies, insider risk management, eDiscovery, and audit capabilities
The SC-900 serves as the recommended starting point for Microsoft's security certification path. It provides the conceptual foundation for pursuing role-based certifications like SC-200 (Security Operations Analyst), SC-300 (Identity and Access Administrator), SC-401 (Information Security Administrator), and ultimately SC-100 (Cybersecurity Architect Expert). It's also valuable for non-technical professionals who need to understand security and compliance concepts in their organizations.
Why Take This Certification?
- Ideal Entry Point for Microsoft Security Careers: The SC-900 is the recommended first step into Microsoft's security, compliance, and identity certification path. Unlike role-based exams that require hands-on implementation experience, the SC-900 focuses on conceptual understanding—making it accessible to IT professionals, career changers, students, and business stakeholders who need to understand security fundamentals before specializing. It provides the foundation for pursuing SC-200, SC-300, SC-401, and SC-100 certifications.
- Security Literacy is Essential Across All IT Roles: Security is no longer confined to dedicated security teams. Developers, project managers, IT administrators, and business analysts all need to understand security and compliance fundamentals to make informed decisions. The SC-900 validates this cross-functional security literacy—understanding Zero Trust, shared responsibility, identity concepts, and compliance requirements—making it valuable even for professionals who won't pursue specialized security roles.
- Never Expires—Lifetime Certification Value: Unlike Associate and Expert certifications that require annual renewal, Microsoft Fundamentals certifications are valid indefinitely. Once you pass the SC-900, your certification never expires. This makes it a low-risk, high-value investment—you demonstrate permanent foundational knowledge in security, compliance, and identity without ongoing renewal costs or assessments.
- Broad Coverage of the Microsoft Security Ecosystem: The SC-900 provides a comprehensive overview of Microsoft's entire security portfolio—Microsoft Entra ID for identity, Microsoft Defender for threat protection, Microsoft Sentinel for SIEM/SOAR, and Microsoft Purview for compliance. This breadth helps you understand how these services work together and where to focus your career development, whether that's security operations, identity management, or compliance administration.
What You'll Learn in the SC-900 Exam
The SC-900 exam covers foundational concepts across security, compliance, and identity in cloud-based and related Microsoft services. This is a conceptual exam: you need to understand what each service does and when to use it, not how to configure it step by step.
Security and Identity Concepts
- Core Security Principles: Understanding the shared responsibility model and how security responsibilities shift between cloud provider and customer across IaaS, PaaS, and SaaS deployment models. Describing defense in depth as a layered security strategy (physical, identity, perimeter, network, compute, application, data). Understanding Zero Trust principles—verify explicitly, use least privilege access, assume breach—and how they apply to modern cloud security architectures
- Authentication and Identity: Understanding authentication vs. authorization, describing Microsoft Entra ID as a cloud identity provider, understanding authentication methods including passwords, multi-factor authentication (MFA), and passwordless options (Windows Hello, FIDO2 keys, Microsoft Authenticator). Describing conditional access policies that enforce access decisions based on signals like user location, device state, and risk level. Understanding federation and single sign-on (SSO) concepts
- Identity Governance: Describing Microsoft Entra identity governance capabilities including access reviews (periodic review of who has access to what), entitlement management (access packages for self-service access requests), and Privileged Identity Management (PIM) for just-in-time elevation of privileged roles. Understanding Microsoft Entra ID Protection for detecting identity-based risks
Microsoft Security Solutions
- Microsoft Defender Services: Understanding the Microsoft Defender XDR family—Defender for Endpoint (device protection), Defender for Office 365 (email and collaboration security), Defender for Identity (on-premises identity monitoring), and Defender for Cloud Apps (shadow IT discovery and cloud app governance). Describing Microsoft Defender for Cloud as a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) for Azure, AWS, and GCP resources
- Microsoft Sentinel: Understanding Microsoft Sentinel as a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution. Describing how Sentinel collects data from multiple sources using connectors, uses analytics rules to detect threats, and enables automated response through playbooks
- Network and Infrastructure Security: Understanding Azure network security capabilities including Network Security Groups (NSGs), Azure Firewall, Azure DDoS Protection, and Azure Bastion. Describing Microsoft Secure Score as a measurement of an organization's security posture with recommendations for improvement
Microsoft Compliance Solutions
- Compliance Management: Understanding the Microsoft Purview compliance portal and Compliance Manager, which provides a compliance score and pre-built assessments for regulatory standards (GDPR, HIPAA, ISO 27001). Describing data classification capabilities including sensitive information types, trainable classifiers, and content explorer for understanding what sensitive data exists in the organization
- Information Protection and Governance: Understanding data loss prevention (DLP) policies that detect and prevent sharing of sensitive information, sensitivity labels for classifying and protecting documents and emails, and retention policies for managing data lifecycle. Describing insider risk management capabilities for detecting potentially risky activities by users within the organization
- eDiscovery and Audit: Understanding eDiscovery capabilities for identifying, collecting, and preserving electronic information for legal or compliance purposes. Describing audit capabilities in Microsoft Purview for tracking and logging user and admin activities across Microsoft 365 services
How to Prepare for the SC-900 Exam
The SC-900 is a conceptual exam, not a hands-on configuration exam. Focus on understanding what each service does, when you would use it, and how services relate to each other—not on step-by-step configuration procedures. Most candidates with some IT background can prepare in 2-4 weeks.
- Complete the Microsoft Learn SC-900 Learning Path (1-2 weeks): Follow the free official SC-900 learning path on Microsoft Learn. Modules cover security concepts (shared responsibility, Zero Trust, defense in depth), Microsoft Entra ID (authentication, conditional access, identity governance), Microsoft security solutions (Defender, Sentinel, Secure Score), and Microsoft compliance solutions (Purview, Compliance Manager, DLP, retention). The learning path is self-paced and includes knowledge checks after each module. This single resource covers the majority of what you need to know for the exam.
- Focus on Microsoft Security Solutions (35-40% of the Exam): The security solutions domain is the heaviest-weighted section. Understand the differences between the Microsoft Defender services—what each one protects (endpoints, email, identity, cloud apps, cloud resources) and when you would use each. Know what Microsoft Sentinel does as a SIEM/SOAR solution and how it differs from Defender services. Understand Microsoft Secure Score and its role in measuring security posture. Being able to match a scenario to the correct Microsoft service is the key skill tested in this domain.
- Understand Identity Concepts Thoroughly (25-30% of the Exam): Microsoft Entra ID is the second-heaviest domain. Know the difference between authentication and authorization, understand how conditional access policies work at a conceptual level (signals in, decisions out), describe the purpose of MFA and passwordless authentication methods, and understand identity governance features like PIM (just-in-time privileged access), access reviews, and entitlement management. You don't need to know how to configure these—just what they do and why they matter.
- Take Practice Exams to Identify Gaps (ongoing): Use practice exams to test your understanding and identify areas where you need more study. Pay attention to questions that ask you to choose the correct service for a given scenario—this is the most common question format. If you consistently confuse Defender for Cloud with Defender for Cloud Apps, or mix up DLP with sensitivity labels, those are areas to review. The SC-900 has a 45-minute time limit, which is generous for 40-60 questions if you know the material.
Review the official Microsoft SC-900 certification page for the current skills measured document and study guide. Budget 20-40 hours of preparation time. The SC-900 is one of the most accessible Microsoft certifications—focus on understanding concepts and matching services to scenarios rather than memorizing configuration steps.