Azure Certifications | March 16, 2026 | 20 min read

Azure SC-900 Complete Guide 2026: Security Fundamentals Certification

Everything you need to know about Microsoft's Security, Compliance, and Identity Fundamentals exam in 2026.

What Is SC-900 and Who Should Take It

Microsoft SC-900, officially titled Security, Compliance, and Identity Fundamentals, is a foundational-level certification that validates your understanding of how Microsoft handles security across its cloud ecosystem. Unlike hands-on technical certifications, SC-900 is entirely conceptual. It tests whether you understand the principles, products, and services that form Microsoft's security stack.

Launched in 2021, SC-900 was Microsoft's response to a growing gap: organizations adopting Microsoft 365 and Azure had employees who understood the platforms but lacked baseline security literacy. The certification was built to close that gap, giving non-security professionals a structured way to learn how identity, compliance, and threat protection work in the Microsoft world.

In 2026, SC-900 remains one of the most popular fundamentals certifications in the Microsoft portfolio. Its popularity stems from three factors: no prerequisites, a relatively short study window, and direct relevance to virtually anyone who works with Microsoft products daily.

Who Should Take SC-900?

  • IT professionals transitioning into security roles who need a structured introduction
  • Business stakeholders (project managers, compliance officers) who interact with security teams
  • Students and career changers exploring cybersecurity as a career direction
  • Azure/Microsoft 365 admins who want to formalize their security knowledge
  • Anyone planning SC-200, SC-300, or SC-400 as a warm-up exam

SC-900 is explicitly not designed for experienced security engineers. If you already hold certifications like CISSP, CompTIA Security+, or Azure AZ-500, the SC-900 content will feel elementary. It covers breadth, not depth, and prioritizes recognition over configuration.

That said, even seasoned professionals sometimes take SC-900 to fill Microsoft-specific knowledge gaps. Knowing general security concepts is different from understanding how Microsoft Entra ID implements conditional access or how Microsoft Purview handles data classification. SC-900 teaches the Microsoft lens on security.

SC-900 Exam Format and Details

Before diving into study strategies, you need to understand exactly what you are walking into on exam day. SC-900 has some quirks that differ from other Microsoft fundamentals exams.

Detail | SC-900 Specifics
Full Name | Microsoft Security, Compliance, and Identity Fundamentals
Exam Code | SC-900
Number of Questions | 40-60 questions
Time Limit | 65 minutes
Passing Score | 700 out of 1000
Cost | $165 USD
Prerequisites | None
Certification Level | Fundamentals
Expiration | Never (lifetime validity)
Question Types | Multiple choice, drag-and-drop, hot area, case study
Delivery | Pearson VUE (test center or online proctored)

Key Numbers at a Glance

  • Pass rate: Approximately 80% (one of the highest among Microsoft exams)
  • Average study time: 20-40 hours over 2-4 weeks
  • Exam availability: All Pearson VUE test centers worldwide + online proctoring
  • Languages: English, Japanese, Chinese, Korean, French, German, Spanish, Portuguese, and more

One thing that surprises first-time candidates: the 65-minute time limit is generous. Most people finish SC-900 in 30-45 minutes. Unlike associate-level exams where you are racing the clock, SC-900 gives you breathing room. Use it to double-check drag-and-drop answers, which are the most common source of silly mistakes.

The scoring uses Microsoft's standard 1000-point scale. You will not see raw question counts in your score report; instead, you receive a scaled score that accounts for question difficulty. A 700 does not mean answering 70% correctly. Some questions are weighted more heavily than others, particularly case study scenarios.

Domain Breakdown: Key Topics Per Domain

SC-900 covers four domains with clearly defined weight ranges. Understanding what each domain tests, and where candidates commonly struggle, is the difference between efficient studying and wasting time on low-value material.

Domain 1: Security, Compliance, and Identity Concepts (10-15%)

This is the smallest domain by weight, but it provides the conceptual foundation for everything else. Think of it as the vocabulary domain. If you do not understand these principles, the remaining three domains will not make sense.

Core concepts you must know:

  • Zero Trust model: The three principles (verify explicitly, use least privilege access, assume breach) and how they apply across Microsoft services. Expect questions that present scenarios and ask which Zero Trust principle applies.
  • Shared responsibility model: What Microsoft manages vs. what customers manage in IaaS, PaaS, and SaaS deployments. This trips up candidates who assume the cloud provider handles everything.
  • Defense-in-depth: The seven layers (physical, identity, perimeter, network, compute, application, data) and how Microsoft services map to each layer.
  • Common threats: Phishing, credential attacks, ransomware, DDoS attacks. You will not need technical mitigation details, but you should understand attack categories and their targets.
  • Encryption concepts: Symmetric vs. asymmetric encryption, hashing, digital signatures. High-level understanding only.

Study tip: Do not overthink this domain. It accounts for at most 15% of your score. Spend one focused study session covering the concepts and move on. If you can explain Zero Trust and shared responsibility to a non-technical colleague, you are ready.

Domain 2: Microsoft Entra Capabilities (25-30%)

This is the identity domain, and it is where SC-900 gets interesting. Microsoft Entra ID (formerly Azure Active Directory) is the backbone of Microsoft's security model. Nearly every other Microsoft security service depends on it.

Key topics:

  • Identity types: Users, groups, service principals, managed identities. Understand when each type is appropriate and how they differ.
  • Authentication methods: Passwords, multi-factor authentication (MFA), passwordless options (Windows Hello for Business, FIDO2 security keys, Microsoft Authenticator app). The exam loves asking about passwordless methods.
  • Conditional Access: Policies that enforce access requirements based on signals like user location, device compliance, risk level, and application sensitivity. This is the most heavily tested topic in Domain 2.
  • Entra ID Governance: Access reviews, entitlement management, Privileged Identity Management (PIM). These features control who has access to what and for how long.
  • External identities: B2B collaboration and B2C identity management. How organizations share resources with external users securely.
  • Entra ID Protection: Risk-based conditional access that detects risky sign-ins and risky users. Understand the difference between sign-in risk and user risk.

The Entra ID domain is the one most likely to appear in scenario questions. You might see something like: "A company wants to ensure that users accessing sensitive financial applications from personal devices must complete MFA. Which feature should they configure?" The answer is Conditional Access, and you need to know why other options (like just enabling MFA globally) are less appropriate.

Domain 3: Microsoft Security Solutions (25-30%)

This domain covers how Microsoft detects and responds to threats across endpoints, cloud workloads, email, and applications. It is product-heavy, which means you need to know what each service does and when to use it.

Key topics:

  • Microsoft Defender for Endpoint: Endpoint detection and response (EDR) for laptops, desktops, servers, and mobile devices. Understand attack surface reduction, automated investigation, and threat analytics.
  • Microsoft Defender for Office 365: Protection against phishing, malware, and business email compromise in Exchange Online, Teams, and SharePoint. Know the difference between Safe Attachments and Safe Links.
  • Microsoft Defender for Identity: Detects identity-based threats in on-premises Active Directory environments. Focuses on lateral movement, reconnaissance, and compromised credentials.
  • Microsoft Defender for Cloud Apps: A cloud access security broker (CASB) that provides visibility into SaaS application usage, detects shadow IT, and enforces data governance policies.
  • Microsoft Defender for Cloud: Cloud security posture management (CSPM) and cloud workload protection (CWP) for Azure, AWS, and Google Cloud. Understand Secure Score and security recommendations.
  • Microsoft Sentinel: Cloud-native SIEM and SOAR platform. Know that it collects logs from across the organization, uses analytics rules to detect threats, and can automate response through playbooks.
  • Microsoft Defender XDR: The unified security operations platform that correlates signals across all Defender products. Formerly called Microsoft 365 Defender.

Common Confusion: Defender Products

Candidates frequently mix up the Defender products. Here is a simple framework: Defender for Endpoint protects devices. Defender for Office 365 protects email and collaboration tools. Defender for Identity protects on-premises Active Directory. Defender for Cloud Apps protects SaaS applications. Defender for Cloud protects cloud infrastructure.

Domain 4: Microsoft Compliance Solutions (25-30%)

Compliance is the domain that candidates underestimate. It covers Microsoft Purview (formerly Microsoft Compliance), which provides data governance, information protection, and regulatory compliance capabilities.

Key topics:

  • Microsoft Purview Compliance Portal: The central dashboard for managing compliance posture. Understand Compliance Manager, Compliance Score, and how improvement actions work.
  • Information Protection: Sensitivity labels, label policies, and how they classify and protect documents and emails. Know that labels can encrypt content, add watermarks, and restrict access.
  • Data Loss Prevention (DLP): Policies that detect and prevent accidental sharing of sensitive data (credit card numbers, social security numbers, etc.) across email, Teams, SharePoint, and endpoints.
  • Data Lifecycle Management: Retention labels and retention policies that control how long content is kept and when it is deleted. Important for regulatory compliance.
  • Insider Risk Management: Detects potentially risky activities by employees, such as data theft, security policy violations, and confidential data leaks.
  • eDiscovery: Legal holds, content searches, and review sets used for legal proceedings and internal investigations.
  • Audit: Audit Standard and Audit Premium capabilities for tracking user and admin activities across Microsoft 365 services.

The compliance domain is the most heavily tested area that candidates skip during preparation. Many IT professionals focus on the security and identity domains because they feel familiar, then lose critical points on compliance questions. Do not make this mistake. Give Domain 4 equal study time.

SC-900 vs AZ-900: Quick Comparison

This is the most common question from people considering Microsoft fundamentals certifications: should I take AZ-900 (Azure Fundamentals) or SC-900 first? Here is how they compare.

Aspect | SC-900 | AZ-900
Full Name | Security, Compliance & Identity Fundamentals | Azure Fundamentals
Focus Area | Security, compliance, identity services | Cloud concepts, Azure services, pricing
Questions | 40-60 | 40-60
Time | 65 minutes | 65 minutes
Passing Score | 700/1000 | 700/1000
Cost | $165 USD | $165 USD
Difficulty | Easy | Easy
Expiration | Never | Never
Best For | Security-focused career path | General Azure cloud career path
Leads To | SC-200, SC-300, SC-400 | AZ-104, AZ-204, AZ-305

Take AZ-900 first if: You are new to cloud computing entirely. AZ-900 covers foundational cloud concepts (IaaS, PaaS, SaaS, regions, availability zones, pricing models) that SC-900 assumes you already know. If terms like virtual machine or resource group are unfamiliar, start with AZ-900.

Take SC-900 first if: You already understand basic cloud concepts and want to specialize in security. SC-900 dives deeper into one area rather than covering Azure broadly. It is also the better choice if your current or desired role involves compliance, identity management, or security operations.

Take both if: You have time and budget. They complement each other well. AZ-900 gives you the platform knowledge, and SC-900 gives you the security layer on top. Many hiring managers view both fundamentals certs together favorably for entry-level cloud positions.

For a deeper comparison, read our article on SC-900 vs AZ-900: Which Should You Take First.

Study Resources

The good news about SC-900 preparation: nearly all the resources you need are free. Microsoft provides comprehensive learning paths, and the community has produced excellent supplementary content.

Free Resources

  • Microsoft Learn SC-900 Learning Path: This is your primary study resource. Four modules covering all four exam domains. Takes approximately 8-10 hours to complete. Includes knowledge checks after each module.
  • Microsoft Learn Practice Assessment: Free official practice assessment available on the SC-900 certification page. Contains questions in the same format as the real exam. Take it multiple times until you consistently score above 85%.
  • ExamCert SC-900 Free Practice Test: Community-built practice questions that test your understanding of real exam scenarios. Good for identifying weak areas after completing Microsoft Learn.
  • John Savill's SC-900 Study Cram (YouTube): A condensed video walkthrough of all exam domains. Excellent for visual learners and last-day review.
  • Microsoft 365 Developer Program: Free Microsoft 365 E5 developer subscription. While SC-900 is conceptual, exploring the actual admin portals (Entra ID, Purview, Defender) helps concepts stick.

Paid Resources (Optional)

  • ExamCert SC-900 Premium Practice Questions: Extended question bank with detailed explanations and mobile app access. Useful if you want more practice beyond the free tier.
  • Udemy/Coursera courses: Several instructors offer SC-900 courses for $15-30. Look for courses updated in 2025 or later, as older courses may reference Azure AD instead of Microsoft Entra ID.
  • MeasureUp SC-900 Practice Test: Microsoft's official practice test partner. Higher quality questions but costs $99.

Resource priority: Microsoft Learn alone is sufficient to pass SC-900. If you complete all four modules, pass the official practice assessment at 85%+, and take the ExamCert free practice test, you have covered enough material. Paid resources are helpful but not necessary.

4-Week Study Plan

This plan assumes 1-2 hours of daily study time. If you can dedicate more time, you can compress this into 2 weeks. If you have no IT background, consider extending to 5-6 weeks.

Week 1: Foundations and Identity (Domains 1 & 2)

Goal: Understand security fundamentals and Microsoft Entra ID capabilities

  • Days 1-2: Complete Microsoft Learn Module 1 (Security, Compliance, Identity Concepts). Take notes on Zero Trust, shared responsibility, and defense-in-depth. These concepts will reappear across all domains.
  • Days 3-5: Complete Microsoft Learn Module 2 (Microsoft Entra). Focus on Conditional Access, authentication methods, and Entra ID Governance. These are the most frequently tested topics.
  • Days 6-7: Take 30-40 practice questions on Domains 1-2. Review incorrect answers using Microsoft documentation. Create a one-page cheat sheet of identity concepts.

Week 2: Security Solutions (Domain 3)

Goal: Learn the Microsoft Defender product family and Microsoft Sentinel

  • Days 1-3: Complete Microsoft Learn Module 3 (Security Solutions). Pay close attention to the differences between Defender products. Create a comparison chart showing what each product protects.
  • Days 4-5: Watch John Savill's SC-900 Study Cram for the security section. His visual explanations of Sentinel architecture and Defender XDR are particularly helpful.
  • Days 6-7: Take 30-40 practice questions on Domain 3. If you are scoring below 75%, re-read the Microsoft Learn module for weak areas. Explore the Microsoft Defender portal using a free trial if available.

Week 3: Compliance Solutions (Domain 4)

Goal: Master Microsoft Purview and compliance capabilities

  • Days 1-3: Complete Microsoft Learn Module 4 (Compliance Solutions). This module is the longest and most detailed. Take extra time with Information Protection, DLP, and Insider Risk Management.
  • Days 4-5: Review the Microsoft Purview Compliance Portal walkthrough. Understanding the portal layout helps answer scenario questions about where to configure specific features.
  • Days 6-7: Take 30-40 practice questions on Domain 4. This is the domain where most candidates lose unexpected points. If a compliance topic feels fuzzy, re-read the relevant Microsoft Learn section.

Week 4: Review and Exam Readiness

Goal: Consolidate knowledge and pass the exam

  • Days 1-2: Take the official Microsoft Practice Assessment. Score target: 85%+. Review every incorrect answer by reading the linked documentation.
  • Days 3-4: Take the ExamCert SC-900 free practice test. Focus on timed mode to simulate exam conditions. Identify any remaining weak areas.
  • Day 5: Review your cheat sheets and notes. Watch the John Savill SC-900 Study Cram one more time as a final refresher.
  • Day 6: Rest day. No studying. Let your brain consolidate the information.
  • Day 7: Exam day. Arrive early (or set up your online proctoring environment 30 minutes before). You are ready.

Tips from People Who Passed

We collected feedback from candidates who passed SC-900 in late 2025 and early 2026. Here are the patterns that emerged consistently.

Microsoft Learn Was Enough

The most common piece of advice: do not overcomplicate your preparation. Multiple candidates reported passing with an 820-900 score using only the free Microsoft Learn path and the official practice assessment. SC-900 is a fundamentals exam. It is designed to be accessible.

That said, candidates who used practice tests in addition to Microsoft Learn reported higher confidence on exam day. Practice questions train you to recognize how Microsoft phrases questions, which reduces anxiety during the real exam.

Learn the Product Names, Not the Details

SC-900 does not test deep configuration knowledge. You do not need to know how to create a Conditional Access policy step by step. You need to know that Conditional Access is the feature that enforces access decisions based on signals like location, device compliance, and user risk.

Several candidates recommended creating a simple mapping: Problem X is solved by Product Y. For example: Detecting risky sign-ins = Entra ID Protection. Preventing accidental data sharing = Data Loss Prevention. Monitoring SaaS application usage = Defender for Cloud Apps.

Do Not Skip Compliance

Three out of five candidates we spoke with said compliance questions were harder than expected. They studied security and identity heavily but underinvested in Domain 4. The compliance domain includes nuanced topics like the difference between retention labels and retention policies, or when to use eDiscovery vs. Content Search.

Watch Out for Entra ID Rebranding

Microsoft rebranded Azure Active Directory to Microsoft Entra ID in 2023, but many study materials still use the old terminology. The exam uses current naming (Entra ID, Entra External ID, Entra Permissions Management). One candidate reported losing points because they confused Azure AD B2C terminology with the current Entra External ID naming.

The Exam Felt Shorter Than Expected

Most candidates finished in 30-40 minutes despite having 65 minutes. If you are well-prepared, the questions are straightforward. Use the remaining time to review flagged questions, particularly drag-and-drop items where ordering matters.

Exam Day Checklist

  • Bring two forms of identification (if testing at a center)
  • Clear your desk completely (if testing online via OnVUE)
  • Close all unnecessary applications on your computer
  • Ensure stable internet connection (minimum 3 Mbps for online proctoring)
  • Use the bathroom before starting, as breaks are not permitted during the exam
  • Read each question twice before answering, especially NOT and LEAST questions

Frequently Asked Questions

How hard is the SC-900 exam?

SC-900 is one of Microsoft's easiest certifications. It tests conceptual knowledge, not hands-on skills. With 2-4 weeks of study using Microsoft Learn and practice tests, most candidates pass on their first attempt. The pass rate is approximately 80%, making it significantly more approachable than associate-level exams like AZ-900 or technical security certifications.

Should I take SC-900 or AZ-900 first?

It depends on your career goals. AZ-900 covers broad Azure fundamentals (compute, networking, storage, pricing), while SC-900 focuses specifically on security, compliance, and identity. If you want a general cloud foundation, start with AZ-900. If you are heading into security roles, SC-900 is the better starting point. For a detailed comparison, read our SC-900 vs AZ-900 guide.

Does SC-900 expire?

No. Microsoft fundamentals certifications including SC-900 do not expire and never require renewal. Once you pass, the certification is valid for life. This is different from associate and expert-level Microsoft certifications, which require annual renewal through a free online assessment.

What score do I need to pass SC-900?

You need 700 out of 1000 to pass SC-900. The exam contains 40-60 questions and you have 65 minutes to complete it. Question types include multiple choice, drag-and-drop, hot area, and scenario-based questions. The exam costs $165 USD and can be taken at Pearson VUE test centers or via online proctoring.

Can I take SC-900 with no IT experience?

Yes. SC-900 has no formal prerequisites and is designed for beginners. It is suitable for business stakeholders, students, IT professionals new to security, and anyone wanting to understand Microsoft's security ecosystem. No prior Azure or Microsoft 365 experience is required, though basic computer literacy is assumed.

What jobs can I get with SC-900?

SC-900 alone will not qualify you for dedicated security roles, but it demonstrates foundational knowledge that employers value. It is a stepping stone to associate-level certs like SC-200 (Security Operations Analyst) and SC-300 (Identity and Access Administrator), which do lead directly to security positions paying $80,000-$130,000+ USD. SC-900 on a resume signals security awareness, which is valued in IT support, cloud administration, and compliance roles.

ExamCert Team

Our team of certified professionals creates comprehensive study guides to help you pass your certification exams on the first attempt.
