AZURE April 29, 2026 11 min read

SC-900 Study Plan: Pass Microsoft Security Fundamentals in 3 Weeks (2026)

A 3-week SC-900 study plan with daily tasks, recommended free resources, and exam-day strategy. Built for working professionals studying 10-15 hours per week.


Why 3 Weeks is the Sweet Spot for SC-900

The Microsoft SC-900 (Security, Compliance, and Identity Fundamentals) is the gateway certification for everyone moving into the Microsoft security stack. It validates conceptual knowledge of security, compliance, and identity across Microsoft 365 and Azure. Because it's a fundamentals exam, the questions test recognition and high-level understanding, not deep configuration.

Three weeks works because the SC-900 blueprint has three natural "chunks" — concepts and Entra (week 1), security tools (week 2), compliance tools (week 3). Stretch the plan to 6 weeks and you'll forget what you learned in week 1 by the time you sit. Compress it to 1 week and you'll lack the spaced repetition needed for the trickier acronyms.

  • Questions: 40-60
  • Time limit: 60 min
  • Passing score: 700/1000
  • Exam fee: $99

Exam blueprint weights (current 2026 version): Concepts of security, compliance, and identity (10-15%); Microsoft Entra (25-30%); Microsoft security solutions (35-40%); Microsoft compliance solutions (20-25%). The biggest chunk is Defender, Sentinel, and Intune — allocate study time accordingly.

Week 1: Security/Compliance/Identity Concepts + Microsoft Entra (40%)

Week 1 builds the conceptual foundation everything else stands on. If you skip this week, the security and compliance product names won't make sense in context.

Day 1: Core Security Concepts

CIA triad (Confidentiality, Integrity, Availability), Zero Trust principles (verify explicitly, least privilege, assume breach), defense in depth, the shared responsibility model in cloud, encryption in transit vs. at rest. Read Microsoft Learn's "Describe security concepts" module. Be able to explain each concept in one sentence to a non-technical friend — that's roughly the level the SC-900 expects.

Day 2: Identity Concepts

Authentication vs. authorization, modern identity (federation, SSO, MFA, passwordless), identity providers, identity as the new security perimeter. Why identity-first security matters in cloud. Understand the difference between SAML, OAuth 2.0, OpenID Connect, and WS-Federation at a conceptual level — not the protocol details, just which one is for federated SSO (SAML / OIDC), which is for delegated authorization (OAuth), and how they compose together (OpenID Connect runs on top of OAuth 2.0).

Day 3-4: Microsoft Entra ID Basics

What Entra ID is (formerly Azure AD), tenants, users, groups (security vs. Microsoft 365), B2B and B2C, hybrid identity (Entra Connect), authentication methods (password, MFA, FIDO2, Windows Hello). Know the four Entra ID editions (Free, Office 365 apps, P1, P2) and the headline feature of each — P1 adds Conditional Access, dynamic groups, and self-service password reset for hybrid; P2 adds Identity Protection and Privileged Identity Management. Edition-to-feature mapping is one of the most-tested SC-900 topics.

Day 5: Entra ID Capabilities

Conditional Access policies, Entra Identity Protection, Privileged Identity Management (PIM), Identity Governance (entitlement management, access reviews, lifecycle workflows), External Identities, Entra Verified ID. For Conditional Access, memorize the signal-decision-control model: signals (user, group, location, device, app, real-time risk) feed a policy that decides to grant or block access, optionally requiring controls (MFA, compliant device, approved client app). Know that "report-only" mode lets you test policies without enforcing them.
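The signal-decision-control model, and the difference between an enforced and a report-only policy, is easier to hold in your head once you have seen it as a small evaluation loop. The following Python is an added illustration and not Microsoft's code: the SignIn and Policy shapes, the policy names, the group and app labels and the two sample sign-ins are all constructed here, and real Entra policies carry more conditions than this toy models.

```python
"""Toy evaluator for the Conditional Access signal -> decision -> control model.

Added illustration, not Microsoft's code: the SignIn and Policy shapes,
the policy names and the sample sign-ins below are constructed here to
make the model concrete. Real Entra policies carry more conditions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

RISK_ORDER = ["none", "low", "medium", "high"]


@dataclass
class SignIn:
    """Signals available when a sign-in is evaluated."""
    user: str
    groups: Set[str]
    app: str
    location: str            # "trusted" or "untrusted" (constructed labels)
    device_compliant: bool
    risk: str                # real-time sign-in risk, one of RISK_ORDER


@dataclass
class Policy:
    name: str
    state: str               # "on", "off" or "report-only"
    include_groups: Set[str] # {"All users"} matches everyone
    include_apps: Set[str]   # {"All"} matches every app
    decision: str = "grant"  # "grant" (with controls) or "block"
    controls: Set[str] = field(default_factory=set)   # e.g. {"mfa", "compliant_device"}
    locations: Set[str] = field(default_factory=set)  # empty = any location
    min_risk: Optional[str] = None                    # apply only at this risk or above


def policy_applies(p: Policy, s: SignIn) -> bool:
    """All assignment conditions must match for the policy to be in scope."""
    if "All users" not in p.include_groups and not (p.include_groups & s.groups):
        return False
    if "All" not in p.include_apps and s.app not in p.include_apps:
        return False
    if p.locations and s.location not in p.locations:
        return False
    if p.min_risk and RISK_ORDER.index(s.risk) < RISK_ORDER.index(p.min_risk):
        return False
    return True


def evaluate(policies: List[Policy], s: SignIn) -> Tuple[str, Set[str], List[str]]:
    """Return (outcome, outstanding_controls, report_only_findings).

    outcome is "block", "grant" or "grant_with_controls"; one block outranks
    any number of grants. Report-only policies are evaluated and logged but
    never change the outcome, which is what lets you trial a policy first.
    """
    blocked = False
    controls: Set[str] = set()
    findings: List[str] = []
    for p in policies:
        if p.state == "off" or not policy_applies(p, s):
            continue
        if p.state == "report-only":
            would = "block" if p.decision == "block" else "require " + ", ".join(sorted(p.controls))
            findings.append(f"{p.name}: would {would}")
            continue
        if p.decision == "block":
            blocked = True
        else:
            controls |= p.controls
    if blocked:
        return "block", set(), findings
    # A control the sign-in already satisfies is not prompted for again.
    satisfied = {"compliant_device"} if s.device_compliant else set()
    outstanding = controls - satisfied
    return ("grant_with_controls" if outstanding else "grant"), outstanding, findings


# Constructed sample policies, in the order an admin might roll them out.
POLICIES = [
    Policy("Require MFA for all users", "on", {"All users"}, {"All"}, controls={"mfa"}),
    Policy("Block high-risk sign-ins", "on", {"All users"}, {"All"}, decision="block", min_risk="high"),
    Policy("Require compliant device for Exchange", "report-only",
           {"All users"}, {"Exchange Online"}, controls={"compliant_device"}),
]

# Constructed sample sign-ins.
FINANCE_USER = SignIn("alice", {"Finance"}, "Exchange Online", "untrusted", False, "none")
RISKY_ADMIN = SignIn("bob", {"Admins"}, "Azure portal", "untrusted", True, "high")

if __name__ == "__main__":
    for signin in (FINANCE_USER, RISKY_ADMIN):
        outcome, needed, report = evaluate(POLICIES, signin)
        print(signin.user, outcome, sorted(needed), report)
```

Run it and the finance user is granted access subject to MFA, while the report-only policy records that it would also have demanded a compliant device without actually prompting for one; the high-risk admin sign-in is blocked outright, because a block decision beats every grant.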

Day 6-7: Hands-On + 50 Practice Questions

If you have an Azure subscription, click through Entra ID in the portal — create a test user, assign a group, set up a basic Conditional Access policy in report-only mode. Then take 50 mixed practice questions covering Week 1 topics.


Week 2: Microsoft Security Solutions (Defender, Sentinel, Intune) — 35-40%

The largest content area. Microsoft renames these products often — pay attention to the exact current names.

Day 8-9: Microsoft Defender XDR Family

Defender for Endpoint (workstations and servers), Defender for Office 365 (email, Teams, SharePoint), Defender for Identity (on-premises AD threats), Defender for Cloud Apps (formerly MCAS, the SaaS CASB), Defender for Cloud (multi-cloud posture management for Azure/AWS/GCP). Know which product solves which scenario. Cheatsheet to memorize: endpoints → Defender for Endpoint; mailbox + Teams → Defender for Office 365; on-prem AD anomalies → Defender for Identity; shadow IT in third-party SaaS → Defender for Cloud Apps; multi-cloud security posture and CSPM → Defender for Cloud; OT and IoT → Defender for IoT.

Day 10-11: Microsoft Sentinel

Cloud-native SIEM and SOAR. Data connectors, analytics rules, incidents, hunting queries (KQL), workbooks, playbooks (built on Logic Apps), UEBA, threat intelligence integration. Understand Sentinel sits ON TOP of Log Analytics workspaces. Know the difference between an "alert" and an "incident" — alerts are individual signals, incidents group related alerts into a single investigation case. Be able to articulate when you'd choose Sentinel vs. a third-party SIEM (Sentinel wins when you're already mostly Microsoft and want to avoid log-egress costs).
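The alert-versus-incident distinction becomes concrete when you watch alerts being correlated. The Python below is an added illustration, not Sentinel's code: the alert records are constructed, and the grouping rule it applies (alerts that share an entity and fall within a 5-hour window join one incident, whose severity is its highest alert severity) is a simplification of Sentinel's configurable alert grouping rather than its exact behaviour.

```python
"""Entity-based alert grouping: the step that turns alerts into incidents.

Added illustration, not Sentinel's code. The sample alerts are constructed,
and the rule (shared entity within a window -> same incident, incident
severity = highest alert severity) simplifies Sentinel's alert grouping.
"""
from datetime import datetime, timedelta
from typing import Dict, List

SEVERITY_ORDER = ["Informational", "Low", "Medium", "High"]

# Constructed sample alerts, loosely shaped like SecurityAlert rows.
ALERTS = [
    {"id": "a1", "time": "2026-04-01T09:00:00", "name": "Impossible travel",
     "severity": "Medium", "entities": {"account:alice"}},
    {"id": "a2", "time": "2026-04-01T09:20:00", "name": "Malware detected on host",
     "severity": "High", "entities": {"account:alice", "host:PC-01"}},
    {"id": "a3", "time": "2026-04-01T09:50:00", "name": "Suspicious PowerShell",
     "severity": "Low", "entities": {"host:PC-01"}},
    {"id": "a4", "time": "2026-04-01T15:00:00", "name": "Mass download",
     "severity": "Medium", "entities": {"account:bob"}},
    {"id": "a5", "time": "2026-04-01T23:00:00", "name": "Password spray target",
     "severity": "Low", "entities": {"account:alice"}},
]


def _find(parent: List[int], i: int) -> int:
    """Union-find root lookup with path halving."""
    while parent[i] != i:
        parent[i] = parent[parent[i]]
        i = parent[i]
    return i


def group_alerts(alerts: List[Dict], window_hours: float = 5.0) -> List[Dict]:
    """Union alerts that share an entity within the window; return incidents.

    Grouping is transitive: a1 and a3 share no entity, but both link to a2,
    so all three land in one incident.
    """
    alerts = sorted(alerts, key=lambda a: a["time"])
    times = [datetime.fromisoformat(a["time"]) for a in alerts]
    parent = list(range(len(alerts)))
    window = timedelta(hours=window_hours)
    for i in range(len(alerts)):
        for j in range(i + 1, len(alerts)):
            if times[j] - times[i] <= window and alerts[i]["entities"] & alerts[j]["entities"]:
                parent[_find(parent, j)] = _find(parent, i)
    groups: Dict[int, List[Dict]] = {}
    for i, a in enumerate(alerts):
        groups.setdefault(_find(parent, i), []).append(a)
    incidents = []
    for n, members in enumerate(groups.values(), start=1):
        incidents.append({
            "incident": n,
            "alert_ids": [m["id"] for m in members],
            "severity": max((m["severity"] for m in members), key=SEVERITY_ORDER.index),
            "entities": set().union(*(m["entities"] for m in members)),
            "first_seen": members[0]["time"],
        })
    return incidents


if __name__ == "__main__":
    for inc in group_alerts(ALERTS):
        print(inc["incident"], inc["severity"], inc["alert_ids"], sorted(inc["entities"]))
```

Five alerts collapse into three incidents: the morning activity on alice's account and PC-01 becomes one High-severity case, bob's download stands alone, and the late-night alert on alice opens a fresh incident because it falls outside the window. Shrink the window and the correlation falls apart into one incident per alert, which is the knob an analyst tunes when incidents are either too noisy or too fragmented.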

Day 12-13: Azure Network Security & Intune

Azure Firewall, Network Security Groups, Application Security Groups, DDoS Protection (Standard vs. IP Plans), Web Application Firewall on Application Gateway. Microsoft Intune for unified endpoint management: device enrollment, compliance policies, configuration profiles, app protection policies (MAM with or without enrollment). MDM (Mobile Device Management) controls the device, MAM (Mobile Application Management) controls the app data — SC-900 frequently asks "user has personal phone, company doesn't want to manage the device, but needs to protect Outlook data" (answer: MAM without enrollment / app protection policies).

Day 14: Mid-Plan Practice Test

Take a full-length 60-question timed practice test. Aim for 65%+. If you're below, slow down before moving to Week 3 and re-read the weakest area before continuing.

Naming pitfall: Microsoft re-brands security products almost yearly. "Microsoft Defender for Cloud" was Azure Security Center + Azure Defender. "Microsoft 365 Defender" became "Microsoft Defender XDR." Practice test sites lag by 3-6 months — trust the official Microsoft Learn pages for current names.

Week 3: Compliance Solutions (Purview, eDiscovery) + Practice Exams + Final Review

Day 15-16: Microsoft Purview Information Protection

Sensitivity labels (encrypt, watermark, restrict access), Data Loss Prevention (DLP) policies, retention policies and labels, records management, the unified Purview Compliance portal vs. Microsoft Defender portal. Sensitivity labels classify and protect content. DLP policies prevent oversharing. Retention policies decide how long content is kept. Records management adds immutable, regulatory-grade retention. Be ready for "I want to prevent users from emailing credit card numbers externally" (answer: Endpoint DLP / DLP for Exchange) and "I want emails older than 7 years deleted automatically" (answer: retention policy with delete action).
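The "prevent users from emailing credit card numbers externally" scenario is a good one to see working, because it shows why a DLP policy needs both a condition (external recipient) and a detector that checks more than a digit pattern. The Python below is an added illustration, not Purview's DLP engine: the regex, the Luhn check, the assumed internal domain and the sample messages are constructed here. Purview's built-in credit card sensitive info type likewise pairs a pattern with a checksum so that order numbers and other random 16-digit strings do not trip the policy.

```python
"""A DLP-style check: detect credit card numbers in outbound mail and block
only when a recipient is outside the tenant.

Added illustration, not Purview's DLP engine: regex, Luhn check, the
internal domain and the sample messages are all constructed here.
"""
import re
from typing import Dict, List

INTERNAL_DOMAINS = {"contoso.example"}   # assumed tenant domain
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return Luhn-valid candidates only; pattern hits that fail are ignored."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def is_external(recipient: str) -> bool:
    """A recipient is external when its domain is not one of ours."""
    return recipient.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def evaluate_dlp(message: Dict) -> Dict:
    """Policy: block mail that leaves the tenant and contains a card number."""
    matches = find_card_numbers(message["body"])
    external = any(is_external(r) for r in message["to"])
    action = "block" if matches and external else "allow"
    return {"action": action, "matches": matches, "external": external}


# Constructed sample messages. 4111 1111 1111 1111 is a widely published
# test number; 1234 5678 9012 3456 looks like a card but fails Luhn.
SAMPLE_MESSAGES = [
    {"to": ["finance@contoso.example"],
     "body": "Refund card 4111 1111 1111 1111 per ticket 42."},
    {"to": ["partner@outside.example"],
     "body": "Card on file: 4111-1111-1111-1111"},
    {"to": ["partner@outside.example"],
     "body": "Your order 1234 5678 9012 3456 shipped."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["to"], evaluate_dlp(msg))
```

The first message carries a real card number but stays inside the tenant, so the policy allows it; the second goes to an external domain with the same number and is blocked; the third goes external but its 16-digit string fails the checksum, so it is allowed rather than becoming a false positive. That is the same two-part logic (where is it going, what does it contain) you will be asked to recognise on the exam.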

Day 17: eDiscovery and Audit

eDiscovery Standard vs. Premium (case management, legal hold, custodian management, machine-learning review), Audit Standard vs. Audit Premium (longer retention, high-value events, intelligent insights), Communication Compliance. eDiscovery Premium adds custodian management, communication notices, advanced indexing, and ML-based review — usually required for large legal cases. Audit Standard retains 180 days; Audit Premium extends to 1 year (10 years with add-on) and surfaces high-value events like MailItemsAccessed.

Day 18: Insider Risk & Service Trust

Insider Risk Management policies (data theft by departing employees, sensitive data leaks), Customer Lockbox, Privacy Management (formerly Priva), the Service Trust Portal, Compliance Manager and Compliance Score. Insider Risk uses HR data + activity signals to surface risky behavior anonymously to investigators. Customer Lockbox forces explicit customer approval before a Microsoft engineer can access tenant data. The Service Trust Portal hosts audit reports (SOC, ISO, FedRAMP) downloadable for your own compliance evidence.

Day 19-20: Two Full-Length Practice Tests

One per day, timed at 60 minutes. After each test, review every question you got wrong and every question you guessed correctly on. Add anything new to your notes.

Day 21: Light Review & Exam-Day Prep

Re-read your one-page summary of acronyms (Conditional Access, PIM, MFA, RBAC, DLP, DLP-CA, CASB, SIEM, SOAR, UEBA, MAM, MDM, IRM). Confirm exam logistics. Do NOT cram.

SC-900 Exam Logistics

  • Exam fee: USD $99 globally (some country promotions reduce this; students pay $49)
  • Format: 40-60 questions, 60 minutes (plus a few minutes for NDA and survey)
  • Passing score: 700 / 1000 (Microsoft uses scaled scoring, not raw percentage)
  • Question types: Multiple choice, multi-select, drag-and-drop, hot-area, build-list. No case studies and no labs — the most candidate-friendly Microsoft format.
  • Delivery: Pearson VUE online proctored or test center
  • Reschedule: Free up to 24 hours before, fee-charged within 24 hours
  • Validity: Permanent — no recertification required for fundamentals

Common Mistakes and How to Avoid Them

  1. Memorizing without understanding scenarios. SC-900 questions often present a business problem and ask which Microsoft product solves it. If you only memorized product names, you'll guess. If you understood "What does this product do and which problem does it solve?", you'll get it right.
  2. Confusing Defender products. There are six Defender products. Make a one-page cheat sheet mapping each Defender to its target (Endpoint → workstations, Identity → on-prem AD, Cloud Apps → SaaS, Office 365 → email, Cloud → multi-cloud posture, IoT → OT/IoT).
  3. Skipping Conditional Access details. Conditional Access is the most-tested single feature on SC-900. You need to know signals (user, location, device, app, risk), controls (block, MFA, compliant device), and report-only mode.
  4. Trusting outdated practice tests. Validate every "wrong" practice answer against Microsoft Learn before assuming you got it wrong — product names and capabilities change quickly.
  5. Cramming the night before. Questions late in the exam, when fatigue sets in, are notably tricky. Sleep matters more than 3 extra hours of review.


After SC-900: AZ-900, MS-900, or SC-200?

SC-900 is a stepping stone. The next certification depends on your career direction.

AZ-900: Azure Fundamentals (cloud generalist)

If you want to build cloud infrastructure or move into a DevOps role, AZ-900 is the natural pair to SC-900. Combined, they give you a complete Microsoft cloud foundation.

MS-900: Microsoft 365 Fundamentals (M365 admin path)

If your role focuses on Microsoft 365 administration (Exchange, Teams, SharePoint, Intune), MS-900 is more relevant. There's about 25% overlap with SC-900 in the security/compliance section.

SC-200: Microsoft Security Operations Analyst (SOC analyst path)

The hands-on associate-level cert that builds directly on SC-900 concepts. Required if you want to work as a SOC analyst using Defender XDR and Sentinel. Plan 6-8 weeks of additional study.


Frequently Asked Questions

How hard is the SC-900 exam?

SC-900 is a fundamentals-level exam, considered one of the easiest Microsoft certifications. The questions test recognition and high-level concepts rather than deep technical implementation. With 3 weeks of focused study (around 30-45 hours total) most candidates with basic IT awareness pass on the first try. Pass rates are estimated above 80% for candidates who finish a structured study plan.

Are free SC-900 resources enough or should I pay for a course?

Free Microsoft Learn paths plus a single set of high-quality practice questions are usually enough to pass SC-900. Microsoft Learn covers every objective in the official blueprint. Add John Savill's free YouTube SC-900 playlist for visual reinforcement and a paid practice test for exam-style validation in the final week. Most candidates spend $0-50 total.

Should I take SC-900 online or at a test center?

Both options work and the price is the same. Online proctored exams via Pearson VUE OnVUE are convenient but require a quiet private room, a clear desk, and a webcam check that takes 15-20 minutes. Test centers eliminate technical risk and proctor friction. If you have unstable internet or noisy housemates, choose a test center.

Does SC-900 require recertification?

No, the SC-900 fundamentals certification does not expire. Once you pass, it stays on your transcript permanently. This makes SC-900 different from role-based associate-level certs (like SC-200 or AZ-104) which require an annual free renewal assessment via Microsoft Learn to remain active.


ExamCert Team

Microsoft-certified security professionals dedicated to helping you pass SC-900 and other Microsoft security certifications. Content updated as Microsoft renames products and updates blueprints.
