Who should take the SC-900 exam?
The SC-900 Microsoft Security, Compliance, and Identity Fundamentals exam is designed for anyone wanting to demonstrate foundational knowledge of Microsoft security services, regardless of technical background. It is appropriate for business stakeholders, compliance officers, IT professionals new to security, and students entering the security field. No prior technical experience is required and the exam costs $99 USD.
The SC-900 Microsoft Security, Compliance, and Identity Fundamentals certification provides a foundational understanding of security, compliance, and identity concepts across Microsoft's cloud platforms. It covers Microsoft Azure, Microsoft 365, and the broader Microsoft security ecosystem.
Unlike more technical security certifications like AZ-500, SC-900 is genuinely accessible to non-technical professionals. It has become a popular certification for compliance officers, legal professionals, auditors, and business analysts who need to understand the security and compliance landscape of Microsoft services. The exam costs $99 USD and requires a passing score of 700 out of 1000.
Exam Overview
| Detail | Information |
|---|---|
| Exam Code | SC-900 |
| Full Name | Microsoft Security, Compliance, and Identity Fundamentals |
| Number of Questions | 40-60 |
| Time Limit | 45 minutes |
| Passing Score | 700/1000 |
| Cost | $99 USD |
| Prerequisites | None |
| Related Advanced Exams | SC-200, SC-300, SC-400 |
The exam covers four domains:
- Describe security and compliance concepts (10-15%)
- Describe Microsoft Entra capabilities (25-30%)
- Describe Microsoft security solutions (35-40%)
- Describe Microsoft compliance solutions (20-25%)
"SC-900 is the security equivalent of AZ-900. It gives organizations a common vocabulary for discussing security, compliance, and identity with stakeholders across technical and non-technical functions. A compliance team that has passed SC-900 can have much more productive conversations with their Azure administrators about risk management." -- Microsoft Security community
Domain 1: Security and Compliance Concepts (10-15%)
Zero Trust Principles
Zero Trust is a security model based on three guiding principles:
- Verify explicitly: Always authenticate and authorize based on all available data points, including identity, location, device, service, workload, and data classification
- Use least privilege access: Limit user access with just-in-time and just-enough-access, risk-based adaptive policies, and data protection
- Assume breach: Minimize blast radius, segment access, verify end-to-end encryption, and use analytics to gain visibility
Shared Responsibility Model
The shared responsibility model divides security obligations between Microsoft and the customer based on service model:
| Security Area | IaaS | PaaS | SaaS |
|---|---|---|---|
| Data governance and rights | Customer | Customer | Customer |
| Application security | Customer | Customer | Shared |
| Identity and access management | Customer | Shared | Shared |
| Operating system security | Customer | Microsoft | Microsoft |
| Physical infrastructure | Microsoft | Microsoft | Microsoft |
Defense in Depth
Defense in depth is a layered security strategy where multiple security controls protect against threats at each layer:
- Physical security (datacenter access controls)
- Identity and access (MFA, Conditional Access)
- Perimeter (DDoS protection, firewall)
- Network (network segmentation, NSGs)
- Compute (endpoint protection, patch management)
- Application (secure development practices, WAF)
- Data (encryption, access control)
Domain 2: Microsoft Entra Capabilities (25-30%)
Microsoft Entra ID Features
Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud identity platform. SC-900 covers:
- Single Sign-On (SSO): One set of credentials providing access to multiple applications
- Multi-Factor Authentication (MFA): Requiring two or more distinct factors from something you know (password), something you have (phone or security key), and something you are (biometric)
- Self-Service Password Reset (SSPR): Allowing users to reset passwords without helpdesk involvement, reducing IT support costs
- Passwordless authentication: Windows Hello for Business, FIDO2 security keys, Microsoft Authenticator phone sign-in
Identity Protection and Governance
- Conditional Access: Policies that grant or block access based on signals (user, location, device, application, risk)
- Privileged Identity Management (PIM): Just-in-time access to privileged roles with approval workflows
- Access Reviews: Periodic reviews ensuring users retain only the access they need
- Entitlement Management: Automated access packages for managing group memberships and application assignments
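The Conditional Access bullet above describes policies that grant or block based on sign-in signals, and the Zero Trust section earlier describes the principles those policies implement (verify explicitly, least privilege). The following Python evaluator is an added example, not code from the SC-900 page or from Microsoft Entra ID; the signal names, policy fields and the "report_only" state are this example's own simplifications of the real policy model. It shows how several matching policies are enforced together: a block outranks every grant control, a grant control that cannot be satisfied (compliant device required but absent) also results in a block, and a report-only policy is recorded for review but never changes the outcome.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SignIn:
    """Signals available at sign-in time (field names are this example's own)."""
    user: str
    groups: frozenset
    app: str
    location: str           # e.g. "corporate_network" or "unknown"
    device_compliant: bool
    risk: str               # "none", "low", "medium" or "high"

@dataclass(frozen=True)
class Policy:
    """A simplified Conditional Access policy (assumed shape, not the Entra schema)."""
    name: str
    action: str                         # "block" or "require_mfa"
    state: str = "enabled"              # "enabled" or "report_only"
    groups: frozenset = frozenset()     # empty = applies to every user
    apps: frozenset = frozenset()       # empty = applies to every app
    locations: frozenset = frozenset()  # empty = applies from every location
    risk_levels: frozenset = frozenset()  # empty = applies at every risk level
    require_compliant_device: bool = False

def policy_applies(policy, s):
    """A policy is in scope only when every configured condition matches."""
    if policy.groups and not (policy.groups & s.groups):
        return False
    if policy.apps and s.app not in policy.apps:
        return False
    if policy.locations and s.location not in policy.locations:
        return False
    if policy.risk_levels and s.risk not in policy.risk_levels:
        return False
    return True

def evaluate(policies, s):
    """Return (decision, names of all policies that matched).

    Every enabled policy that matches is enforced together: a block wins over
    any grant control, an unsatisfiable grant control (compliant device
    required but the device is not compliant) also blocks, and report-only
    policies are listed for review but never change the outcome.
    """
    matched = [p for p in policies if policy_applies(p, s)]
    enforced = [p for p in matched if p.state == "enabled"]
    names = [p.name for p in matched]
    if any(p.action == "block" for p in enforced):
        return "block", names
    if any(p.require_compliant_device and not s.device_compliant for p in enforced):
        return "block", names
    if any(p.action == "require_mfa" for p in enforced):
        return "require_mfa", names
    return "grant", names

# Constructed policy set for the example.
POLICIES = (
    Policy("Block high-risk sign-ins", "block", risk_levels=frozenset({"high"})),
    Policy("Admins: MFA on a compliant device", "require_mfa",
           groups=frozenset({"GlobalAdmins"}), require_compliant_device=True),
    Policy("MFA from unknown locations", "require_mfa",
           locations=frozenset({"unknown"}), state="report_only"),
)

def demo():
    """Evaluate a few constructed sign-ins and return {label: (decision, names)}."""
    admin_ok = SignIn("ann", frozenset({"GlobalAdmins"}), "Azure portal",
                      "corporate_network", True, "none")
    admin_bad_device = SignIn("ann", frozenset({"GlobalAdmins"}), "Azure portal",
                              "corporate_network", False, "none")
    staff_unknown = SignIn("bob", frozenset({"Staff"}), "Outlook",
                           "unknown", True, "none")
    staff_high_risk = SignIn("bob", frozenset({"Staff"}), "Outlook",
                             "corporate_network", True, "high")
    return {
        "admin compliant device": evaluate(POLICIES, admin_ok),
        "admin non-compliant device": evaluate(POLICIES, admin_bad_device),
        "staff from unknown location (report-only)": evaluate(POLICIES, staff_unknown),
        "staff high risk": evaluate(POLICIES, staff_high_risk),
    }

if __name__ == "__main__":
    for label, (decision, names) in demo().items():
        print(f"{label}: {decision}  matched={names}")
```

The report-only case is the one worth noting for candidates: the third policy matches the staff sign-in and is reported, but the decision is still "grant" because only enabled policies are enforced, which is exactly why new policies are normally rolled out in report-only mode first.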
Domain 3: Microsoft Security Solutions (35-40%)
Microsoft Defender Products
Microsoft's Defender product family provides threat protection across different environments:
| Product | Protects | Key Capability |
|---|---|---|
| Microsoft Defender for Endpoint | Devices | EDR, threat and vulnerability management |
| Microsoft Defender for Office 365 | Email and collaboration | Anti-phishing, safe links, safe attachments |
| Microsoft Defender for Cloud Apps | Cloud applications | CASB, shadow IT discovery, session policies |
| Microsoft Defender for Identity | On-premises AD | Lateral movement detection, credential theft alerts |
| Microsoft Defender for Cloud | Azure resources | Security posture, threat protection, CSPM |
Microsoft Sentinel
Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution. It:
- Collects security data across the enterprise from Microsoft and non-Microsoft sources
- Detects threats using built-in and custom analytics rules
- Investigates incidents using AI-assisted investigation tools
- Responds automatically to common threats using playbooks
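The second bullet above says Sentinel detects threats with built-in and custom analytics rules. In Sentinel those rules are written as KQL queries over ingested tables; the Python below is an added example, not code from the SC-900 page or from Microsoft, that expresses the logic of one such custom rule over constructed sign-in events so the detection can be run offline. The event format and field names are assumptions for this example. The rule raises an alert when one source IP accumulates a threshold of failed sign-ins inside a sliding window and then succeeds from the same IP before the window expires, and it deliberately ignores a success that arrives after the window has closed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry); one JSON object per line.
SAMPLE_EVENTS = [
    '{"time":"2025-01-10T08:00:05Z","user":"alice@contoso.example","ip":"203.0.113.7","result":"failure"}',
    '{"time":"2025-01-10T08:01:10Z","user":"bob@contoso.example","ip":"203.0.113.7","result":"failure"}',
    '{"time":"2025-01-10T08:02:15Z","user":"carol@contoso.example","ip":"203.0.113.7","result":"failure"}',
    '{"time":"2025-01-10T08:03:20Z","user":"alice@contoso.example","ip":"203.0.113.7","result":"failure"}',
    '{"time":"2025-01-10T08:04:25Z","user":"dave@contoso.example","ip":"203.0.113.7","result":"failure"}',
    '{"time":"2025-01-10T08:05:30Z","user":"erin@contoso.example","ip":"203.0.113.7","result":"failure"}',
    '{"time":"2025-01-10T08:06:35Z","user":"alice@contoso.example","ip":"203.0.113.7","result":"success"}',
    # A normal user mistyping once and then signing in: below threshold, no alert.
    '{"time":"2025-01-10T08:10:00Z","user":"frank@contoso.example","ip":"198.51.100.4","result":"failure"}',
    '{"time":"2025-01-10T08:10:30Z","user":"frank@contoso.example","ip":"198.51.100.4","result":"success"}',
    # Five failures, then a success almost an hour later: outside the window, no alert.
    '{"time":"2025-01-10T08:00:00Z","user":"gavin@contoso.example","ip":"203.0.113.9","result":"failure"}',
    '{"time":"2025-01-10T08:01:00Z","user":"gavin@contoso.example","ip":"203.0.113.9","result":"failure"}',
    '{"time":"2025-01-10T08:02:00Z","user":"gavin@contoso.example","ip":"203.0.113.9","result":"failure"}',
    '{"time":"2025-01-10T08:03:00Z","user":"gavin@contoso.example","ip":"203.0.113.9","result":"failure"}',
    '{"time":"2025-01-10T08:04:00Z","user":"gavin@contoso.example","ip":"203.0.113.9","result":"failure"}',
    '{"time":"2025-01-10T09:00:00Z","user":"gavin@contoso.example","ip":"203.0.113.9","result":"success"}',
]

def parse_events(lines):
    """Parse JSON lines into dicts with a real datetime, sorted by time."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda e: e["time"])

def detect_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Custom analytics rule: alert when a source IP reaches `threshold` failed
    sign-ins within `window` and then succeeds from that IP inside the window.
    Returns a list of alert dicts with the entities an analyst would need."""
    alerts = []
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)   # events stay time-ordered within each IP
    for ip, evs in by_ip.items():
        recent_failures = []       # sliding window of failure events
        for e in evs:
            cutoff = e["time"] - window
            recent_failures = [f for f in recent_failures if f["time"] >= cutoff]
            if e["result"] == "failure":
                recent_failures.append(e)
            elif e["result"] == "success" and len(recent_failures) >= threshold:
                alerts.append({
                    "rule": "Failed sign-in burst followed by success",
                    "ip": ip,
                    "failed_attempts": len(recent_failures),
                    "targeted_users": sorted({f["user"] for f in recent_failures}),
                    "compromised_user": e["user"],
                    "time": e["time"].isoformat(),
                })
                recent_failures = []   # one alert per burst, not one per success
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce_then_success(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert, indent=2))
```

In Sentinel the same logic would live in a scheduled analytics rule, with the IP and account carried as entities so an incident groups the related alerts and a playbook can act on them.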
Microsoft 365 Defender
Microsoft 365 Defender unifies endpoint, email, identity, and cloud app security in a single portal, providing a correlated incident view across the entire Microsoft security ecosystem.
"The Microsoft security product portfolio is the most confusing area of SC-900 for candidates because there are many overlapping product names. The key is to associate each Defender product with the specific environment it protects and the specific threat it addresses, rather than trying to memorize every feature." -- Microsoft Learn module guidance
Domain 4: Microsoft Compliance Solutions (20-25%)
Microsoft Purview
Microsoft Purview is the compliance and data governance platform. Key capabilities:
- Compliance Manager: Risk assessment and compliance tracking dashboard with pre-built assessments for regulations like GDPR, ISO 27001, and HIPAA
- Information Protection: Sensitivity labels for classifying and protecting documents and emails
- Data Lifecycle Management: Retention policies and retention labels for governing data throughout its lifecycle
- eDiscovery: Legal hold and content search capabilities for litigation and investigations
- Audit: Comprehensive audit log of user and admin activities across Microsoft 365
Service Trust Portal
The Service Trust Portal is Microsoft's public resource center providing:
- Third-party audit reports (SOC 2, ISO 27001, FedRAMP)
- Compliance documentation
- Data protection information
- Region-specific compliance resources
Frequently Asked Questions
How long should I study for SC-900? Most candidates need 1-2 weeks of focused study for SC-900. The exam is conceptual and does not require technical hands-on experience. Microsoft Learn's free SC-900 learning path covers all exam objectives and typically takes 6-8 hours to complete. Supplement with the practice assessments in Microsoft Learn and you should be well-prepared.
Is SC-900 a good certification for non-technical professionals? Yes, SC-900 is one of the most accessible Microsoft certifications for non-technical professionals. It is particularly valuable for compliance officers, auditors, legal staff, risk managers, and business analysts who work with Microsoft cloud services. The concepts are explained at a conceptual level without requiring programming or system administration experience.
What is the difference between SC-900 and AZ-500? SC-900 is a fundamentals-level certification testing conceptual understanding of Microsoft security, compliance, and identity services -- no technical experience required. AZ-500 is a role-based certification testing hands-on ability to implement and manage Azure security configurations. They target very different audiences: SC-900 for anyone wanting security literacy, AZ-500 for technical security engineers.
References
- Microsoft. (2025). Exam SC-900: Microsoft Security, Compliance, and Identity Fundamentals. https://learn.microsoft.com/en-us/credentials/certifications/exams/sc-900/
- Microsoft. (2025). Zero Trust Guidance Center. https://learn.microsoft.com/en-us/security/zero-trust/
- Microsoft. (2025). Microsoft Purview Compliance Documentation. https://learn.microsoft.com/en-us/purview/purview
- Microsoft. (2025). Microsoft Defender Product Documentation. https://learn.microsoft.com/en-us/microsoft-365/security/
- NIST. (2020). Zero Trust Architecture. NIST Special Publication 800-207. https://doi.org/10.6028/NIST.SP.800-207
- Microsoft. (2025). Service Trust Portal. https://servicetrust.microsoft.com/
