Updated – 22/04/2023 – The exam study guide below shows the changes that will be implemented starting on May 5, 2023. This article has been updated to reflect the new exam objectives added by Microsoft.
Updated – 21/04/2023 – The exam study guide below includes a new Free practice assessment for the SC-900 certification.
In this article, we will share with you how to prepare and pass the SC-900 Microsoft Security, Compliance, and Identity Fundamentals certification exam successfully.
Microsoft keeps evolving its learning programs to help you and your career keep pace with today’s demanding IT environments. The new, updated role-based certifications will help you keep pace with today’s business requirements. Microsoft Learning is constantly evolving its learning program to better offer what you need to skill up, prove your expertise to employers and peers, and get the recognition and opportunities you’ve earned.
In February 2021, Microsoft announced a new portfolio of Security, Compliance, and Identity (SCI) certification exams that focus across the Azure platform (Microsoft Defender for Cloud and Microsoft Sentinel), as well as Microsoft 365 (Microsoft 365 Defender) security solutions.
|Exam|Certification|
|---|---|
|SC-200|Microsoft Security Operations Analyst|
|SC-300|Microsoft Identity and Access Administrator|
|SC-400|Microsoft Information Protection Administrator|
|SC-900|Microsoft Security, Compliance, and Identity Fundamentals|
The Security Operations Analyst Associate certification can help demonstrate knowledge of threat mitigation using Microsoft SCI Solutions, as well as performing proactive threat-hunting activities using:
Please check the following guide to learn more on how to prepare for the SC-200: Microsoft Security Operations Analyst certification exam successfully.
For people in identity roles, Identity & Access Administrator Associate certification can help prove knowledge of core identity governance principles, as well as ensure a proper identity lifecycle.
- Azure Active Directory (AAD)
- Azure AD Connect
- Azure Multifactor Authentication (MFA)
- Privileged Identity Management (PIM)
- Conditional Access
- Identity Governance
Please check the following guide to learn more on how to prepare for the SC-300: Microsoft Identity and Access Administrator certification exam successfully.
For people in compliance administrator roles, Information Protection Administrator Associate certification can help prove knowledge of core data concepts and how they’re implemented using Azure data services.
- Information Protection
- Data Loss Prevention
- Information Governance
Please check the following guide to learn more on how to prepare for the SC-400: Microsoft Information Protection Administrator certification exam successfully.
The Security, Compliance, and Identity Fundamentals certification is for people looking to familiarize themselves with the fundamentals of SCI across cloud-based and related Microsoft services, developed for a broad audience that may include business stakeholders, students starting in IT, or existing IT pros that have an interest in Microsoft SCI Solutions.
- Security, compliance, and identity
- Microsoft identity and access management solutions
- Microsoft security solutions
- Microsoft compliance solutions
While preparing to take this exam myself, I would like to share with you how to prepare and pass the SC-900: Microsoft Security, Compliance, and Identity Fundamentals certification exam successfully.
This exam is not a prerequisite for any other exam nor is any other exam a prerequisite for this SC-900 exam. It is a standalone exam offering.
At the time of this writing, this exam is in the Beta phase. Beta exams are not scored immediately because Microsoft is gathering data on the quality of the questions and the exam. I will update this article as soon as I get the exam results from Microsoft.
I am so happy and grateful now that I received the final report for the SC-900 Microsoft Security, Compliance, and Identity Fundamentals with a high passing score!
Updated on 05/03/2021 – In this exam, I got 50 questions in total with NO case studies, and the total time for this exam is only 60 minutes (1 hour), so you have 1.2 minutes per question. The questions do pretty much match the list of skills measured below.
Exam Target Audience
The audience for this course is looking to familiarize themselves with the fundamentals of security, compliance, and identity (SCI) across cloud-based and related Microsoft services.
This exam is suitable for a broad audience that may include business stakeholders, new or existing IT professionals, or students that have an interest in Microsoft security, compliance, and identity solutions.
The person taking this exam should be familiar with Microsoft Azure and Microsoft 365 and want to understand how Microsoft security, compliance, and identity solutions can span across these solution areas to provide a holistic and end-to-end solution.
Please note that to pass the certification test, studying outside the course may be required to ensure all the concepts are fully understood.
Skills measured on this exam
This exam measures your ability to accomplish the technical topics listed below based on the latest update from Microsoft:
Describe the Concepts of Security, Compliance, and Identity (10-15%)
Describe security and compliance concepts
- Describe the shared responsibility model
- Describe defense in depth
- Describe the Zero-Trust model
- Describe encryption and hashing
- Describe compliance concepts
Define identity concepts
- Define identity as the primary security perimeter
- Define authentication
- Define authorization
- Describe identity providers
- Describe Active Directory
- Describe the concept of federation
Learning Path: Describe the concepts of security, compliance, and identity
Describe the capabilities of Microsoft Azure Active Directory (Azure AD), part of Microsoft Entra (25–30%)
Describe the basic identity services and identity types of Azure AD
- Describe Azure AD
- Describe Azure AD identities
- Describe hybrid identity
- Describe the different external identity types
Describe the authentication capabilities of Azure AD
- Describe the authentication methods available in Azure AD
- Describe Multi-factor Authentication
- Describe the self-service password reset
- Describe password protection and management capabilities available in Azure AD
Describe the access management capabilities of Azure AD
- Describe conditional access
- Describe the benefits of Azure AD roles
- Describe the benefits of Azure AD role-based access control
Describe the identity protection and governance capabilities of Azure AD
- Describe identity governance in Azure AD
- Describe entitlement management and access reviews
- Describe the capabilities of Azure AD Privileged Identity Management (PIM)
- Describe Azure AD Identity Protection
Learning Path: Describe the capabilities of Microsoft Azure Active Directory, part of Microsoft Entra
Describe the capabilities of Microsoft Security solutions (25–30%)
Describe basic security capabilities in Azure
- Describe Azure DDoS protection
- Describe Azure Firewall
- Describe the Web Application Firewall
- Describe Network Segmentation with Azure Virtual Networks
- Describe Azure Network Security groups
- Describe Azure Bastion and JIT Access
- Describe ways Azure encrypts data
Describe the security management capabilities of Azure
- Describe Cloud security posture management (CSPM)
- Describe Microsoft Defender for Cloud
- Describe the enhanced security features of Microsoft Defender for Cloud
- Describe security baselines for Azure
Describe the security capabilities of Microsoft Sentinel
- Define the concepts of SIEM and SOAR
- Describe how Microsoft Sentinel provides integrated threat management
Describe threat protection with Microsoft 365 Defender
- Describe Microsoft 365 Defender services
- Describe Microsoft Defender for Office 365
- Describe Microsoft Defender for Endpoint
- Describe Microsoft Defender for Cloud Apps
- Describe Microsoft Defender for Identity
- Describe the Microsoft 365 Defender portal
Learning Path: Describe the capabilities of Microsoft security solutions
Describe the capabilities of Microsoft compliance solutions (25–30%)
Describe Microsoft’s Service Trust Portal and privacy principles
- Describe the offerings of the Service Trust portal
- Describe Microsoft’s privacy principles
Describe the compliance management capabilities of Microsoft Purview
- Describe the Microsoft Purview compliance portal
- Describe compliance manager
- Describe the use and benefits of compliance score
Describe the information protection and data lifecycle management capabilities of Microsoft Purview
- Describe data classification capabilities
- Describe the benefits of content explorer and activity explorer
- Describe sensitivity labels and sensitivity label policies
- Describe Data Loss Prevention (DLP)
- Describe Records Management
- Describe Retention Policies, Retention Labels, and retention label policies
Describe insider risk capabilities in Microsoft Purview
- Describe Insider Risk Management
- Describe communication compliance
- Describe information barriers
Describe resource governance capabilities in Azure
- Describe Azure Policy
- Describe Azure Blueprints
- Describe the Microsoft Purview unified data governance solution
Learning Path: Describe the capabilities of Microsoft compliance solutions
MS-500 | Microsoft 365 Certified: Security Administrator Associate
I have included the MS-500 older exam here as an example of the overall skills measured in this exam. You can see that it measures your skills on a broad range of security solutions compared to the new exams which are more specific.
- Implement and manage identity and access
- Implement and manage threat protection
- Implement and manage information protection
- Manage governance and compliance features in Microsoft 365
If you are interested in taking the MS-500 exam, please check my step-by-step guide on how to prepare and pass the MS-500 exam successfully.
Read, read, and read… I cannot stress enough that reading and understanding all the security concepts in general besides Microsoft 365 Defender, Azure Defender, and Azure Active Directory will help you to pass this exam. This is a fundamental exam, so you need to understand all the security services provided by Microsoft because you will see a lot of questions.
The biggest subject areas that I saw on the SC-900 exam are the following:
- General security concepts
- Zero-Trust methodology
- The shared responsibility model
- Confidentiality, Integrity, Availability (CIA)
- Microsoft Entra ID (Azure AD)
- Conditional Access
- Self-Service Password Reset (SSPR)
- Password Protection
- Azure Active Directory Identity Protection
- Azure Security
- Network Security Groups (NSGs)
- Azure Firewall
- Azure Bastion
- Resource Group (RG) Locks
- Azure Policy
- Microsoft Sentinel (a few basic questions)
- Security information and event management (SIEM)
- Security orchestration, automation, and response (SOAR)
- Extended detection and response (XDR)
- Microsoft Defender for Cloud (a few basic questions)
- Defender for Cloud plans
- Cloud Security Posture Management (CSPM)
- Azure Secure Score
- Microsoft 365 Defender services
- Microsoft Cloud App Security (MCAS)
- Microsoft 365 security center
- Microsoft Defender for Office 365
- Microsoft Intune (a few basic questions)
- Endpoint security with Intune
- Windows Hello for Business (a few basic questions)
- Microsoft 365 Compliance Center
- Sensitivity labels
- Data Loss Prevention (DLP)
- Microsoft 365
- Insider Risk Management
- Customer Lockbox
- Advanced Auditing (long-term retention of audit logs)
You can expect a lot of questions similar to this one:
For the following statements select Yes if the statement is true. Otherwise select No.
Overall, I think Microsoft Worldwide Learning is doing a good job of gradually shaping these exams to reflect real-world Azure security best practice scenarios. The SC-900 exam is logically organized and focused solely on Microsoft 365 Defender services, Azure Sentinel, Azure Security, Identity Protection, and Azure Security Center/Azure Defender.
Check the following step-by-step hands-on labs that will help you to explore and gain fundamentals experience with Microsoft Security, Compliance, and Identity:
1) LAB 1 – Explore Azure Active Directory.
5) LAB 5 – Explore Azure Network Security Groups (NSGs).
6) LAB 6 – Explore Microsoft Defender for Cloud.
7) LAB 7 – Explore Microsoft Sentinel.
8) LAB 8 – Explore Microsoft Defender for Cloud Apps.
9) LAB 9 – Explore the Microsoft 365 Defender portal.
10) LAB 10 – Explore Microsoft Intune.
11) LAB 11 – Explore the Service Trust Portal.
13) LAB 13 – Explore sensitivity labels in Microsoft 365.
14) LAB 14 – Explore Insider Risk Management in Microsoft 365.
15) LAB 15 – Explore the Core eDiscovery workflow.
16) LAB 16 – Explore Azure Policy.
At the time of this writing, there are two books that you can use to prepare for this exam.
Microsoft Press released the Exam Reference SC-900 Book – Microsoft Security, Compliance, and Identity Fundamentals in December 2021. You can place the order here.
This book will help you to prepare for Microsoft Exam SC-900 and help demonstrate your real-world knowledge of the fundamentals of security, compliance, and identity (SCI) across cloud-based and related Microsoft services.
Designed for business stakeholders, new and existing IT professionals, functional consultants, and students, this Exam Ref focuses on the critical thinking and decision-making acumen needed for success at the Microsoft Certified: Security, Compliance, and Identity Fundamentals level.
The second book is Microsoft Security, Compliance, and Identity Fundamentals Exam Ref SC-900 by Dwayne Natwick and Sonia Cuff, released in May 2022.
Validate your skills
If you wish to validate your skills before taking the real exam, I highly encourage you to purchase the following practice tests:
SC-900: Microsoft Security, Compliance, and Identity Fundamentals Microsoft Official Practice Test (130 questions). The MeasureUp SC-900: Microsoft Security, Compliance, and Identity Fundamentals practice test from Mindhub is designed to help you prepare for and pass the Microsoft SC-900 exam.
The SC-900 exam is aimed at business stakeholders and IT professionals who want to improve their understanding of security and compliance fundamentals in cloud-based and Microsoft services.
SC-900 Free Practice Assessment
Are you preparing for the SC-900 certification exam? Microsoft just announced Practice Assessments on Microsoft Learn, the newest free exam preparation resource that allows you to assess your knowledge and fill knowledge gaps so that you are better prepared to take the SC-900 certification exam.
The following assessment provides you with an overview of the style, wording, and difficulty of the questions you’re likely to experience on the exam. Through this assessment, you’re able to assess your readiness, determine where additional preparation is needed, and fill knowledge gaps bringing you one step closer to the likelihood of passing your SC-900 exam.
Take the Exam SC-900: Microsoft Security, Compliance, and Identity Fundamentals Practice Assessment now (50 questions).
Prepare for your certification exam by assessing your knowledge through Practice Assessments, which are free and can be attempted multiple times. These assessments are created and regularly updated by the same team that develops the official certification exams.
You can access practice assessments on Microsoft Learn by signing in or creating an account. The score report for each question includes the answer, rationale, and links to additional information.
Instructor-led virtual training
Last but certainly not least, if you prefer instructor-led virtual training, Microsoft released the SC-900T00-A 1-day course. This course is for candidates who are looking to familiarize themselves with the fundamentals of security, compliance, and identity (SCI) across cloud-based and related Microsoft services. The content for this course aligns with the SC-900 exam objective domain. Candidates should be familiar with Microsoft Azure and Microsoft 365 and understand how Microsoft security, compliance, and identity solutions can span across these solution areas to provide a holistic and end-to-end solution.
Schedule SC-900 Exam
At the time of this writing, Microsoft launched the SC-900 exam in beta mode. If you would like to take the beta exam and receive the 80% discount*, use the code below when prompted for payment.
This exam is out of the Beta phase now and it’s Public. The beta code above is NOT available anymore.
Once you are ready to take the exam, click Schedule exam here and take it online from the comfort of your home/office with proctor supervision.
Other Microsoft Azure Exam Study Guides
Are you interested in another Azure certification exam? I highly encourage you to check out the following Azure exam study guides:
- Exam AZ-900: Microsoft Azure Fundamentals Exam Study Guide
- Exam AZ-104: Microsoft Azure Administrator Exam Study Guide
- Exam AZ-140: Microsoft Azure Virtual Desktop Exam Study Guide
- Exam AZ-204: Developing Solutions for Microsoft Azure Exam Study Guide
- Exam AZ-305: Designing Microsoft Azure Infrastructure Solutions Study Guide
- Exam AZ-500: Microsoft Azure Security Technologies Exam Study Guide
- Exam AZ-700: Microsoft Azure Network Engineer Associate Study Guide
- Exam SC-900: Microsoft Security, Compliance, and Identity Fundamentals Exam Study Guide
- Exam SC-200: Microsoft Security Operations Analyst Exam Study Guide
- Exam SC-300: Microsoft Identity and Access Administrator Exam Study Guide
- Exam SC-400: Microsoft Information Protection Administrator Exam Study Guide
- Exam AZ-800: Administering Windows Server Hybrid Core Infrastructure Study Guide
- Exam AZ-801: Configuring Windows Server Hybrid Advanced Services Study Guide
If you are planning to take the SC-900 exam… I wish you all the best and Happy Studying!!!