Domain 3 of 4

Microsoft Security Solutions

Domain · 35–40% of the SC-900 exam

Four altitudes over one estate

This is the largest domain on the exam, and the one where Microsoft's shared "Defender" brand does the most to mislead. The way through is a single idea: the four pages here are four different altitudes over the same estate, and each answers a different security question. Read them as one progression, prevent, then assess posture, then detect and respond, then correlate and automate. Azure Infrastructure Security is the prevent layer, the controls you place directly in the network path so a bad request is stopped before it reaches a resource. Azure Security Management is the posture layer, checking whether everything is configured securely before anything goes wrong. Microsoft Defender XDR (extended detection and response) is the detection-and-response layer, watching each attack surface for an attack already in progress. Microsoft Sentinel is the correlate-and-automate layer, the estate-wide system that ingests from all of the above and acts on it. The classic trap is treating these four pages, and the many services named "Defender", as one interchangeable pile; the altitude each occupies is exactly what tells them apart.

The domain unfolds in four steps

Read the four subtopics as a pipeline that a request, and then an attacker, travels through. First, Azure Infrastructure Security places preventive controls in the network path: Azure DDoS (distributed denial-of-service) Protection scrubs volumetric floods at the edge, Azure Firewall filters across your virtual networks while a network security group (NSG) filters within one, a web application firewall (WAF) catches layer-7 exploits, virtual network segmentation keeps workloads apart, Azure Bastion gives admins remote access without a public IP, and Azure Key Vault holds the secrets. Second, Azure Security Management steps back to posture: Microsoft Defender for Cloud runs cloud security posture management (CSPM), scoring how securely everything is configured and listing what to fix, with paid cloud workload protection (CWPP) plans layered on top. Third, Microsoft Defender XDR moves to live detection and response, one service per attack surface (endpoints, email and collaboration, on-premises identities, and SaaS apps), correlated into incidents in the Microsoft Defender portal. Fourth, Microsoft Sentinel sits above everything as the estate-wide SIEM (security information and event management) and SOAR (security orchestration, automation, and response), ingesting signals from every layer below plus third-party and on-premises sources and automating the response. In Zero Trust terms Sentinel is the seventh of the seven pillars, visibility, automation, and orchestration, where the signals from the other six are aggregated and acted on (Zero Trust depth). Reach for each in that order and every service on the page has one obvious home.

When the Defender name collides, ask what it protects

The instinct the exam rewards: when the "Defender" name appears and two answers both look plausible, ask what the thing protects and at what altitude, not which brand it carries. Two boundaries follow from that, and each is easy to miss because its subtopic teaches it from only one side. First, Microsoft Defender for Cloud is not part of Microsoft Defender XDR: Defender for Cloud protects Azure, hybrid, and multicloud resources and workloads (posture and workload protection for infrastructure), while Defender XDR protects endpoints, email, on-premises identities, and SaaS apps. They integrate but do not overlap, so a question about securing a subscription, a virtual machine, or overall cloud posture points to Defender for Cloud, and one about a compromised laptop or mailbox points to Defender XDR. Second, Microsoft Sentinel is not "the XDR portal", and Defender XDR is not a SIEM: Defender XDR detects and responds on specific surfaces, while Sentinel sits on top as the estate-wide SIEM and SOAR, ingesting XDR's incidents alongside everything else. The two can share one console in the Microsoft Defender portal (the unified security operations platform), but they answer different questions: XDR protects surfaces, Sentinel correlates the whole estate.

The domain's four stages, and which subtopic owns each

StageThe question it answersKey Microsoft servicesDrill into
PreventIs the request stopped before it reaches a resource?Azure DDoS Protection, Azure Firewall, WAF, virtual network and NSG segmentation, Azure Bastion, Azure Key VaultAzure Infrastructure Security
Assess postureIs this configured securely, before anything happens?Microsoft Defender for Cloud (CSPM, secure score) plus paid workload-protection plansAzure Security Management
Detect and respondIs an attack under way on this surface, and can we follow it across others?Microsoft Defender XDR: Defender for Endpoint, Office 365, Identity, Cloud AppsMicrosoft Defender XDR
Correlate and automateCan we see and act on the whole estate at once?Microsoft Sentinel (SIEM plus SOAR)Microsoft Sentinel

Subtopics in this domain