Microsoft Certified: Security, Compliance, and Identity Fundamentals (SC‑900) Practice Exams
About the Microsoft SC-900 exam
Exam at a glance
Microsoft's entry-level credential for security, compliance, and identity (SCI) across Microsoft Azure and Microsoft 365 — a fundamentals-tier exam that does not expire.
Skills measured (domain weighting)
- Describe the concepts of security, compliance, and identity — 10–15%
- Describe the capabilities of Microsoft Entra — 25–30%
- Describe the capabilities of Microsoft security solutions — 35–40%
- Describe the capabilities of Microsoft compliance solutions — 20–25%
What you'll be expected to recognize
- SCI concepts — zero-trust model, shared responsibility, defense-in-depth, encryption and hashing, common threats and the CIA triad.
- Microsoft Entra ID (formerly Azure AD) — identity types, hybrid identity, authentication methods (MFA, passwordless), Conditional Access, role-based access control.
- Microsoft Entra ID Governance — Privileged Identity Management (PIM), entitlement management, access reviews.
- Microsoft Defender suite — Defender for Cloud, Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender XDR portal.
- Microsoft Sentinel — cloud-native SIEM/SOAR, data connectors, workbooks, hunting queries at a conceptual level.
- Microsoft Purview — information protection, data loss prevention (DLP), records management, eDiscovery, insider risk, communication compliance, Compliance Manager.
- Azure platform security — Azure Firewall, DDoS Protection, Network Security Groups, Azure Bastion, Key Vault, Azure security baselines.
Prerequisites
None required. Microsoft recommends general familiarity with Microsoft Azure and Microsoft 365 and an interest in how SCI solutions span the two clouds. SC-900 is explicitly designed for newcomers — business stakeholders, students, and IT professionals adding security context to their toolkit.
Why take this certification
- Strong fit for IT generalists adding security knowledge. SC-900 gives administrators, developers, and analysts the vocabulary and conceptual map to participate in security and compliance conversations without committing to a full role-based specialty path.
- Does not expire. Unlike Microsoft's role-based certifications (which require an annual free renewal assessment on Microsoft Learn), Fundamentals-tier credentials are awarded for life. Earn it once, list it forever.
- Foundation for the SC-200 / SC-300 / SC-400 / SC-100 path. SC-900 covers the entire SCI vocabulary you'll see referenced in the higher-tier security and identity exams. Many candidates use it as a low-risk warm-up before tackling SC-200 Security Operations Analyst or SC-300 Identity and Access Administrator.
- Affordable. At $99 USD (US list price; Microsoft prices Fundamentals exams by country), SC-900 is the cheapest Microsoft security credential and one of the lowest-risk ways to validate cloud security awareness for a job application or résumé refresh.
What you'll learn in the SC-900 exam
SC-900 validates conceptual understanding rather than hands-on configuration. Most questions describe a scenario — a company onboarding remote workers, an organization meeting a compliance obligation, an admin investigating a suspicious sign-in — and ask which Microsoft service or feature addresses it. The exam is broad rather than deep: you need to recognize what each tool does and when to reach for it.
Core Microsoft services you'll be tested on
- Security, compliance, identity foundations: zero-trust principles, shared responsibility model across IaaS / PaaS / SaaS, defense in depth, encryption at rest vs in transit, hashing vs encryption, common threat types (phishing, ransomware, DDoS), the CIA triad.
- Microsoft Entra ID (formerly Azure AD): identity types (cloud, hybrid, guest, workload identities), authentication methods (passwords, MFA, FIDO2, Windows Hello, Authenticator app, passwordless), Conditional Access policies, Entra ID Protection risk detection, single sign-on, external identities (B2B, B2C).
- Microsoft Entra ID Governance: Privileged Identity Management (PIM) just-in-time elevation, entitlement management for access packages, access reviews for periodic recertification, role-based access control (RBAC).
- Microsoft Defender suite: Defender for Cloud (CSPM + workload protection), Defender for Endpoint (EDR), Defender for Office 365 (email + collaboration), Defender for Identity (on-prem AD), Defender for Cloud Apps (CASB), Defender XDR portal as the unified investigation surface.
- Microsoft Sentinel: cloud-native SIEM and SOAR, data connectors, workbooks, analytics rules, playbooks at a conceptual level (no KQL deep dive on SC-900).
- Microsoft Purview compliance solutions: information protection (sensitivity labels, encryption), data loss prevention (DLP), records management, eDiscovery (standard + premium), insider risk management, communication compliance, Compliance Manager and Compliance Score, Service Trust Portal.
- Azure platform security: Azure Firewall, DDoS Protection, Network Security Groups, Azure Bastion, Azure Key Vault, Azure security baselines, Defender for Cloud recommendations and Secure Score (Azure Security Center was renamed Microsoft Defender for Cloud; older material still uses the old name).
Scenario patterns you'll need to recognize
- Choosing between Conditional Access, MFA, and PIM for a given access-control problem.
- Mapping a compliance obligation (GDPR, HIPAA, ISO 27001) to the Microsoft Purview solution that addresses it.
- Picking the correct Defender product for a specific surface — endpoint vs identity vs email vs cloud workload.
- Distinguishing between Microsoft Sentinel (SIEM/SOAR) and Microsoft Defender XDR (extended detection and response across Microsoft signal).
- Explaining shared responsibility for IaaS vs PaaS vs SaaS — which security controls Microsoft owns and which the customer must configure.
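The first scenario pattern above (Conditional Access vs MFA vs PIM) is easier to keep straight once you have seen what a Conditional Access policy actually contains. The following is an added example written for this page, not code from Microsoft's documentation or the exam; it creates one policy through the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph module is installed, an account that can consent to the Policy.ReadWrite.ConditionalAccess scope, and a break-glass account whose object ID replaces the placeholder GUID.

```powershell
# Added example (not from the page or Microsoft's docs): one Conditional Access
# policy built with the Microsoft Graph PowerShell SDK. It shows the division of
# labour the scenario questions probe: Conditional Access is the policy engine
# (which users, which apps, under which conditions), MFA is one of the grant
# controls that engine can demand, and PIM plays no part because nothing here
# elevates a directory role.
# Assumptions: Microsoft.Graph module installed; the signed-in account can consent
# to Policy.ReadWrite.ConditionalAccess; $breakGlassId is replaced with the object
# ID of your emergency-access account (the GUID below is a placeholder).

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder, see above

$policy = @{
    displayName = "Require MFA for all users (report-only)"
    # Start in report-only: sign-in logs show what the policy WOULD do without
    # enforcing it, so a mistake cannot lock the tenant out.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            # Break-glass accounts are always excluded from MFA policies so an
            # MFA outage or misconfiguration cannot lock administrators out.
            excludeUsers = @($breakGlassId)
        }
        applications = @{
            includeApplications = @("All")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # the requirement; Conditional Access enforces it
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Once the report-only sign-in logs look right, change `state` to `enabled`. The point for exam scenarios: if the question is about gating sign-in under some condition, the answer is Conditional Access (with MFA as a grant control); if it is about time-bound, approved elevation into a privileged role, the answer is PIM.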
How the practice exams help
Each free question and every premium exam mirrors the scenario-style format Microsoft uses — short stem, four to six plausible options, one correct answer (occasional multi-select). Detailed explanations cover not just why the right answer is right but why the distractors are wrong, so you learn the trade-offs between Defender products, Purview solutions, and Entra capabilities rather than memorizing names.
How to prepare for the SC-900 exam
SC-900 is conceptual, so most candidates can prepare entirely from free Microsoft Learn material plus practice exams. Recommended path:
- Microsoft Learn SC-900 learning path (1–2 weeks). Microsoft publishes a complete free training path on Microsoft Learn — search for "SC-900 learning path". It covers all four skill areas with self-paced modules, knowledge checks, and short interactive labs. Completing the full path is the single highest-leverage step.
- Read the official Skills Measured document (1–2 hours). Microsoft publishes a versioned SC-900 study guide PDF listing every line-item the exam can test. Use it as a checklist after the learning path to find weak spots.
- Explore the Microsoft 365 and Azure trial portals (optional, 2–3 hours). Microsoft offers free trial tenants for Microsoft 365 E5 and Azure. Logging in to the Entra admin center, Defender XDR portal, Purview compliance portal, and Microsoft Sentinel workspace cements the names and where things live — a big help on scenario questions even though SC-900 doesn't test hands-on configuration.
- Practice exams (3–5 days). Take timed practice tests to identify weak skill areas. Detailed explanations on every answer option help you learn the reasoning, not just memorize answers. Aim for consistent 80%+ scores on practice before scheduling the live exam.
Recommended timeline
2–4 weeks of light study (5–8 hours per week) for IT generalists with general cloud familiarity. Complete beginners with no cloud background should allow 4–6 weeks.
Official resources
Download the official SC-900 Skills Measured study guide and complete the free Microsoft Learn SC-900 learning path before booking the exam. Microsoft also publishes a free official practice assessment on Microsoft Learn that uses the real exam interface — take it once you're feeling ready, then revisit weak areas.