SC-900 Cheat Sheet 2026
Everything you need on one page before exam day: domain weights, Zero Trust concepts, what every Microsoft Entra, Defender, Sentinel and Purview product actually does, where to manage it, and the look-alike products that trip up first-timers.

01 Domain weights
SC-900 has four domains. Microsoft security solutions and Entra together are more than half the exam — if your time is short, that is where it should go. The first domain is small but foundational: its vocabulary (Zero Trust, the CIA triad, shared responsibility) underpins how every product question is framed, so do not skip it just because it is only 10–15%.
02 Security & identity concepts
The foundational vocabulary the first domain rests on. Know these definitions cold — they reappear inside the product questions too.
Zero Trust
verify · least privilege · assume breach
Three principles: verify explicitly, use least-privilege access, and assume breach. Never trust by network location alone.
Defense in depth
layered security
Multiple independent layers (physical, identity, perimeter, network, compute, app, data) so one failure does not expose everything.
CIA triad
confidentiality · integrity · availability
The three goals of security: keep data secret, unaltered, and accessible to the right people.
Shared responsibility
cloud vs customer
The provider secures the cloud (hardware, host); you secure what you put in it (data, identities, access). The split shifts by service model (IaaS/PaaS/SaaS).
Encryption & hashing
at rest · in transit
Encryption is reversible with a key (symmetric/asymmetric); hashing is one-way and fixed-length, used for integrity and passwords.
AuthN vs AuthZ
who you are · what you can do
Authentication (AuthN) proves identity; authorization (AuthZ) grants access. AuthN always comes first.
Identity as the perimeter
the new control plane
With cloud and remote work the firewall is no longer the boundary — identity is. This is why Entra and Conditional Access matter so much.
03 Microsoft Entra ID capabilities
Entra is Microsoft's cloud identity platform (formerly Azure AD) and the single largest product area on the exam. Identity is now the primary security boundary, so know what each capability is for and which tier it needs — several of these are premium (P1/P2) features rather than free-tier.
Entra ID
tenants · identity types
The directory itself: a tenant holds users, groups, devices, and apps. Identity types include users, service principals, and managed identities.
Authentication methods
MFA · passwordless
Password, MFA, and passwordless options: Windows Hello, FIDO2 keys, and the Microsoft Authenticator app.
Conditional Access
if-then access policy
Signals (user, device, location, risk) drive a decision: allow, block, or require MFA. The engine of Zero Trust in Entra.
Self-Service Password Reset
SSPR
Lets users reset or unlock their own accounts after verifying with registered methods — cuts helpdesk load.
Identity Protection
risky users & sign-ins
Detects and flags risky sign-ins and risky users, and can feed risk into Conditional Access for automated response.
Privileged Identity Management
PIM
Just-in-time, time-bound, approval-gated activation of privileged roles, with access reviews and audit.
Entra ID Governance
access reviews · entitlement mgmt
Manages the identity lifecycle: access reviews recertify who needs access; entitlement management bundles access into requestable packages.
External identities
B2B · B2C
B2B invites partners as guests into your tenant; B2C is a customer identity platform for consumer-facing apps.
04 Microsoft security solutions
The heaviest domain. The exam rarely asks how these work internally — it asks which one solves a given problem, so anchor each to a single job and keep Sentinel and Defender from blurring together.
| Product | What it is | One-liner |
|---|---|---|
| Defender for Cloud | CSPM + CWP | Posture management and workload protection across Azure, hybrid and multicloud; tracks Secure Score. |
| Microsoft Sentinel | SIEM + SOAR | Cloud-native SIEM that collects logs at scale, hunts threats, and automates response with playbooks. |
| Defender XDR | Extended detection & response | Unifies Defender for Endpoint, Office 365, Identity, and Cloud Apps into one correlated incident view. |
| Security Copilot | Generative-AI assistant | Natural-language analyst help for investigation, summarising incidents and guiding response. |
05 Microsoft compliance solutions
Almost all of these live under Microsoft Purview, the unified compliance portal. Group them by job: classify and protect data, prevent loss, govern retention, support investigations, and measure regulatory posture.
| Capability | What it does |
|---|---|
| Microsoft Purview | The unified compliance portal — home for data governance, protection and risk solutions. |
| Sensitivity labels & Information Protection | Classify and protect data (encryption, watermarks, access) that travels with the file. |
| Data Loss Prevention (DLP) | Detects and blocks sharing of sensitive data (credit cards, IDs) across apps and endpoints. |
| Records management & retention | Retention labels and policies keep or delete content for a defined period to meet regulations. |
| eDiscovery & Audit | Find, hold and export content for legal cases; audit logs record who did what. |
| Insider Risk Management | Spots risky internal activity (data theft, leaks) using policy-driven signals. |
| Compliance Manager & Score | Maps your controls to regulations and gives a Compliance Score of your posture. |
| Service Trust Portal | Microsoft's public hub for audit reports, certifications and compliance documentation. |
06 Key portals — where things live
The exam often asks where you would manage something. Match the task to the right admin centre.
Microsoft Entra admin center
Identity and access: users, groups, Conditional Access, MFA, PIM, Identity Protection, external identities.
Microsoft Defender portal
Security operations: XDR incidents and alerts, Defender for Endpoint/Office/Identity, threat hunting, Secure Score.
Microsoft Purview portal
Compliance: sensitivity labels, DLP, retention, eDiscovery, Insider Risk, Compliance Manager.
Microsoft 365 admin center
Tenant and licence administration: users, subscriptions, service health, and the gateway to other admin centres.
Azure portal
Azure resources and security: Defender for Cloud, Microsoft Sentinel, Key Vault, and network security.
07 Must-know distinctions
- MFA vs Conditional Access: MFA is a single verification requirement; Conditional Access is the policy engine that decides when to require MFA (or block) based on signals.
- SIEM vs SOAR vs XDR: SIEM (Sentinel) aggregates and analyses logs; SOAR automates the response (playbooks); XDR (Defender) correlates detections across Microsoft workloads.
- Sensitivity labels vs retention labels: sensitivity labels protect data (encryption, access); retention labels control how long data is kept or when it is deleted.
- Secure Score vs Compliance Score: Secure Score (Defender for Cloud) measures your security posture; Compliance Score (Compliance Manager) measures your regulatory compliance posture.
- Entra roles vs Azure RBAC: Entra roles govern access to identity and Microsoft 365 resources (the directory); Azure RBAC governs access to Azure resources (subscriptions, resource groups).
08 Common traps
09 FAQ
Is SC-900 worth it?
Yes, if you are new to Microsoft security or work in a sales, support, or compliance role that touches the Microsoft cloud. SC-900 gives you a shared vocabulary for Zero Trust, Entra, Defender, Sentinel, and Purview, and it is a clean launch point before the role-based SC-200, SC-300, or AZ-500 certifications.
Is SC-900 hard?
No. SC-900 is a fundamentals exam that tests concepts and product capabilities, not hands-on configuration. Most candidates pass with a few hours of focused study using Microsoft Learn and practice questions. The main difficulty is keeping the many similarly named products straight.
Does SC-900 expire?
No. Like other Microsoft fundamentals certifications, SC-900 does not expire and never needs renewal. Once you pass, it stays on your transcript permanently, though the underlying products keep evolving.
What should I take after SC-900?
It depends on your role. For security operations take SC-200, for identity and access administration take SC-300, for Azure security engineering take AZ-500, and for security architecture take the SC-100 expert exam once you have hands-on experience.
