SC-900 Complete Guide 2026: Microsoft Security, Compliance & Identity
Your gateway to Microsoft cloud security certifications.
Table of Contents
What is SC-900?
SC-900: Microsoft Security, Compliance, and Identity Fundamentals is an entry-level certification validating foundational knowledge of security, compliance, and identity (SCI) concepts across Microsoft cloud services. It's designed for business stakeholders, IT professionals, and students seeking to understand Microsoft's approach to cloud security.
This certification covers core concepts including Zero Trust, shared responsibility model, defense-in-depth, and how Microsoft 365 and Azure implement these principles. You'll learn about Microsoft Entra ID (formerly Azure AD), Microsoft Defender suite, Microsoft Purview, and Microsoft Sentinel.
SC-900 serves as the foundation for advanced security certifications like SC-200 (Security Operations Analyst), SC-300 (Identity and Access Administrator), and SC-400 (Information Protection Administrator). Over 500,000 professionals have earned this certification since its 2020 launch.
Exam Details
| Aspect | Details |
|---|---|
| Questions | 40-60 questions |
| Duration | 45 minutes |
| Passing Score | 700/1000 |
| Cost | $99 USD |
| Format | Multiple choice, drag-drop, scenarios |
| Validity | Lifetime (no renewal) |
| Prerequisites | None |
Exam Domains
- Security, Compliance, Identity Concepts: 10-15%
- Microsoft Entra Capabilities: 25-30%
- Microsoft Security Solutions: 25-30%
- Microsoft Compliance Solutions: 25-30%
Security Concepts (10-15%)
This domain covers foundational security principles that apply across all Microsoft services.
Zero Trust Model
- Verify explicitly: Always authenticate and authorize based on all data points
- Least privilege access: Limit user access with JIT/JEA
- Assume breach: Minimize blast radius, segment access, verify end-to-end encryption
Shared Responsibility Model
- Microsoft responsible for physical security, network, hosts
- Customer responsible for data, identities, devices
- Responsibility varies by service type (IaaS, PaaS, SaaS)
Defense-in-Depth
- Physical security, identity/access, perimeter, network
- Compute, application, data layers
- Each layer provides protection if others fail
Microsoft Entra ID (25-30%)
Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service.
Core Identity Concepts
- Authentication: Verifying identity (passwords, MFA, passwordless)
- Authorization: Determining access permissions
- Federation: Trusting identities from external providers
- Single Sign-On (SSO): One credential for multiple applications
Entra ID Features
- Conditional Access: Policies controlling access based on signals
- Multi-Factor Authentication: Something you know, have, or are
- Passwordless: Windows Hello, FIDO2 keys, Microsoft Authenticator
- Identity Protection: Risk-based conditional access
- Privileged Identity Management: Just-in-time privileged access
Microsoft Security Solutions (25-30%)
Microsoft provides comprehensive security solutions across endpoints, cloud, and identity.
Microsoft Defender Suite
- Defender for Endpoint: Endpoint detection and response (EDR)
- Defender for Office 365: Email and collaboration security
- Defender for Identity: On-premises identity threat detection
- Defender for Cloud Apps: CASB for SaaS security
- Defender for Cloud: Cloud workload protection (CWPP)
Microsoft Sentinel
- Cloud-native SIEM (Security Information Event Management)
- SOAR (Security Orchestration Automated Response) capabilities
- AI-powered threat detection and investigation
- Integration with Microsoft and third-party solutions
Microsoft Compliance Solutions (25-30%)
Microsoft Purview provides unified data governance and compliance capabilities.
Microsoft Purview Features
- Compliance Manager: Assess and manage compliance posture
- Information Protection: Classify and protect sensitive data
- Data Loss Prevention: Prevent accidental data exposure
- Insider Risk Management: Detect risky user activities
- eDiscovery: Legal holds and content search
- Audit: Comprehensive activity logging
Compliance Portal
- Compliance score based on recommended actions
- Assessment templates for regulations (GDPR, HIPAA, etc.)
- Improvement actions with implementation guidance
Study Strategy
SC-900 can be passed with 1-2 weeks of focused preparation.
Week 1: Learn
- Complete Microsoft Learn SC-900 learning path (free)
- Watch official Microsoft videos on YouTube
- Take notes on key concepts and services
- Explore Azure portal and Microsoft 365 admin centers
Week 2: Practice
- Take practice exams until consistently scoring 85%+
- Review incorrect answers with documentation
- Focus on service capabilities and use cases
- Memorize key features of each Microsoft solution
Study Resources
- Essential: Microsoft Learn SC-900 path (free)
- Practice: Microsoft official practice assessment
- Video: John Savill's SC-900 Study Cram
- Hands-on: Microsoft 365 Developer Program (free tenant)
Career Path & Salaries
SC-900 is the starting point for Microsoft security careers.
Certification Path
- SC-900: Fundamentals (entry)
- SC-200: Security Operations Analyst
- SC-300: Identity and Access Administrator
- SC-400: Information Protection Administrator
- SC-100: Cybersecurity Architect Expert
Salary Expectations
- Security Analyst (entry): $65,000 - $90,000 USD
- Identity Administrator: $80,000 - $120,000 USD
- Security Engineer: $100,000 - $150,000 USD
- Security Architect: $140,000 - $200,000+ USD
Start Your Security Journey
Explore Microsoft certification resources and practice exams
View All CertificationsPlan Your Study Journey
Use our free tools to optimize your preparation
Frequently Asked Questions
What is the SC-900 certification?
SC-900: Microsoft Security, Compliance, and Identity Fundamentals validates foundational knowledge of Microsoft cloud security services. It covers Zero Trust principles, Microsoft Entra ID, Microsoft Defender suite, Microsoft Sentinel, and Microsoft Purview compliance solutions.
Is SC-900 easy to pass?
SC-900 is considered one of the easier Microsoft certifications. It tests conceptual understanding rather than hands-on skills. With 1-2 weeks of study using Microsoft Learn (free), most candidates pass on their first attempt. The 700/1000 passing score is achievable with proper preparation.
Is SC-900 worth it?
SC-900 is valuable for anyone starting in cloud security or working with Microsoft 365/Azure. At $99, it's an affordable entry point that builds foundation for advanced certifications (SC-200, SC-300, SC-400). It demonstrates understanding of Microsoft's security approach to employers.
What is the SC-900 passing score?
SC-900 requires 700/1000 points to pass, standard for all Microsoft fundamentals exams. The exam contains 40-60 questions with 45 minutes to complete. Question types include multiple choice, drag-and-drop, and scenario-based questions.
