Exam Prep Guide SC-900: Microsoft Security, Compliance, and Identity Fundamentals Exam

from the number of DMs I got when I posted about passing the SC-900 exam on LinkedIn, there are quite a few planning to take the SC-900 exam in the near future. So I thought I’d pull together some info that may help answer some of the questions I’ve been asked.

Studying for the SC 900 exam will familiarise you with the fundamentals of Security, Compliance, and Identity (SCI) across cloud-based and Microsoft-related services. And also by passing it’ll help to validate your ability to implement, monitor, and troubleshoot Microsoft cloud security technologies. 

This article will walk through the SC-900 exam objectives, How I studied for the exam, what resources I used, who this certification is aimed at and the syllabus. 

Who should take the SC-900

This certification is aimed at a wide range of people interested in learning about the fundamentals of security and compliance from a Microsoft angle. From this Id recommend this certification (or at least learning the concepts of it)

  • Senior Managers This cert is designed for non-technical professionals, managers, and business stakeholders. Id recommend this cert if your role involves decision-making related to cloud services or requires interacting with technical teams working on Azure projects; this certification can provide valuable insights.
  • Non-Security IT professionals, I’m talking about those looking for a change in direction but aren’t sure and those responsible for implementing and managing Microsoft technologies and cloud solutions.
  • Students interested in a cybersecurity career….it is a great place to start and looks good on a CV/LinkedIn.

The SC-900 certification is a good starting point for anyone who wants to learn more about Microsoft’s security offerings. Remember, it’s a foundational certification covering only basic concepts and terminology. It will provide a good overview of Microsoft’s SCI solutions, such as Azure Active Directory (Azure AD) and Microsoft Intune.

The SC-900 certification is not technical. It does not require any prior experience with cybersecurity or IT. However, it does require a basic understanding of IT concepts.

Why take the Microsoft Security, Compliance, and Identity Fundamentals exam?

Like any certification or exam, the key is what you can learn and take away that will help you in your current or future situations, rather than the certificate or badge to plaster on LinkedIn (although that is an excellent reason to do it.

You should take this exam to prove to yourself, more than anyone else, that you know your stuff and have tested your knowledge. However, it will also be useful to have on your CV, as with any Security Certification and if, like me, you had agreed i your PDP to do a certain number of certificates in the year, it ticks a box.

What will you learn from the SC-900

SC-900 is an entry-level cybersecurity exam explicitly addressing how Microsoft Windows and its products use security, compliance and identity to protect users. 

You can become familiar with core concepts foundational to security, compliance, and identity solutions, including shared responsibility, Zero Trust, data residency, the role of identity providers, and more. And you can learn more about authentication and authorization concepts and why identity is essential in securing corporate resources.

And also you can get to know the following concepts: SCI, the capabilities of Microsoft security tools and solutions, and how compliance solutions work in the Microsoft ecosystem.

SC-900 Study Materials I Used

I’m very fortunate to have worked with the Microsoft tech stack for a few years. However, despite several people suggesting the contrary, the imposter syndrome is still ingrained here. So I went about this as I always have done and planned out what I wanted to learn, how much time I would need and what resources I thought I would need.

Microsoft Security Virtual Training Days

Ok, so I have been working with the Microsoft Tech Stack for a few years, and I feel I have some knowledge. However, to see what the exam was about, I registered for a 6-hour (online) course with Microsoft themselves. This did two things, first, it covered all the subjects, and I could listen and watch while I worked. The tutors are all from Microsoft Security Solutions and describe security management capabilities, identity concepts and security methodologies. They talk you through and demonstrate things like azure security Center, azure active directory and related Microsoft services with demos It also gave me a free exam voucher for attending.

Microsoft Virtual Training Days – Microsoft UK


While many digital resources are available for studying for exams, such as online tutorials, video courses, and interactive learning platforms, I still enjoy and use books. Just the ability to bookmark pages, write notes or highlight text I feel I get more from….of course, that just be sentimental, lol.

The two books I used where

Exam Ref SC-900 Microsoft Security, Compliance, and Identity Fundamentals Certification – Microsoft Publishing

This official exam book covers areas such as Microsoft Azure active directory, Security management capabilities, access management capabilities, resource governance capabilities, essential identity services, insider risk capabilities and more. It is structured as most of the Microsoft security concept books are and doesn’t give much context but good at this level. When writing the book, the authors both worked for Microsoft Security for several years.

This book is available on Amazon Here – https://amzn.to/45gujYt

Microsoft Security, Compliance, and Identity Fundamentals Exam Ref SC-900: Familiarize yourself with security, identity, and compliance in Microsoft 365 and Azure – Packt Publishing

This is my book of preference, as not only is the author, Dwayne Natwick, an expert in the area (worth a follow on Linkedin & Twitter/X) he also goes into more detail and gives, I feel, a better range of scenarios than the Microsoft Book above. This is probably due to Microsoft Editorial Guidelines, but either way, Id recommend this book to have close by to refer to for the forceable future.

The other benefit of this book is that it has some mock test questions and exam resources at the back, which came in handy.

This book is available on Amazon Here – https://amzn.to/3DGeq1r

Youtube Videos

In the week or so leading up to the exam itself, I watched a number of videos on youtube about some of the topics that would be covered in the exam. Out of these, id recommend

John Savills – SC-900 Microsoft Security, Compliance, and Identity Fundamentals Study Cram

Mark Grimes – SC-900 C.E.R.T (Presented by David Branscome)

FreeCodeCamp – Microsoft Security Compliance and Identity (SC-900)

Each video will describe basic security capabilities, compliance management capabilities, access management solutions, Governance capabilities, Identity Protection, threat protection and other security concepts from Microsoft technologies.

How To Prepare for the SC-900 Microsoft security compliance exam

What are the prerequisites for the SC-900 Certification?

There are no prerequisites for the SC-900 certification exam, even though before starting the SC-900 certification exam, you should have prior knowledge before appearing for this exam, including:

  • Should have a general understanding of the concepts around cloud computing and networking.
  • Should have a basic knowledge of the industry or any experience in a technology environment.
  • Should be familiar with the basics of Microsoft 365 and Microsoft Azure.

The SC-900 Exam Format

Like all Microsoft exams, they are typically comprised of 4-6 question types. These are case studies, multiple-choice, drag and drop, true/false, drop-down fill-in, and best answer scenarios as follows:

  • Case study questions provide a hypothetical company setting within the current environment, the proposed future environment, and the technical and business requirements. From this scenario, 6-8 questions may cover multiple objective areas of the exam. You could see 1-3 of these case studies in most associate-level exams.
  • Multiple-choice questions are straightforward questions. Some multiple-choice questions may have more than one answer. Microsoft is generally transparent on how many correct answers need to be chosen for the question, and you will be alerted if you do not select the correct number of selections.
  • Drag-and-drop questions are usually based on the steps of a process to test your knowledge of the order of operations to deploy a service. You are given more selections than needed and need to move the steps that apply to the question to the right-hand column in the proper sequence.
  • The next type of question is a modified type of true/false question. In these questions, you are usually provided with exhibits or screenshots from within the Microsoft portals, azure sentinel or tables that show what has been configured. There are then 3-4 statements about this information, where you need to select yes or no for each statement based on whether the statement is correct based on the information provided.
  • Drop-down fill-in questions are usually where you will find KQL, PowerShell or Azure CLI code. You will be asked to complete specific steps within a string of code where the blank sections provide drop-down selections.
  • The best answer scenario questions test your understanding of an objective area. Microsoft will warn you when you get to this section, as you will no longer have the option to navigate back to the other questions. You will be provided a specific scenario that needs to be solved, along with a proposed solution. The requirement is to determine whether that is the best solution for the scenario. After selecting yes or no, you may see the same scenario again with a different solution where you must choose yes or no again.

Exam Format Domains

Describing the concepts of security, compliance, and identity (10–15%) 

Describe security and compliance concepts 

  • Describe the shared responsibility model
  • Describe defence in depth
  • Describe the Zero-Trust model
  • Describe encryption and hashing
  • Describe compliance concepts 

Describing the capabilities of Microsoft Azure Active Directory (Azure AD), part of Microsoft Entra (25–30%) 

Describing the basic identity services and identity types of Azure AD

  • Defining Azure AD
  • Defining Azure AD identities
  • Defining hybrid identity 
  • Defining the different external identity types

Describing the authentication capabilities of Azure AD

  • Defining the authentication methods available in Azure AD
  • Defining Multi-factor Authentication
  • Defining self-service password reset 
  • Defining password protection and management capabilities available in Azure AD

Describing access management capabilities of Azure AD

  •  Defining conditional access 
  • Defining the benefits of Azure AD roles
  • Defining the benefits of Azure AD role-based access control 

Describing the identity protection and governance capabilities of Azure AD

  • Defining identity governance in Azure AD
  • Defining entitlement management and access reviews
  •  Defining the capabilities of Azure AD Privileged Identity Management (PIM) 

Describing Azure AD Identity Protection Describe the capabilities of Microsoft Security solutions (25–30%)

Defining basic security capabilities in Azure

  • Defining Azure DDoS protection
  • Defining Azure Firewall 
  • Defining Web Application Firewall
  • Defining Network Segmentation with Azure Virtual Networks 
  • Defining Azure Network Security groups 
  • Defining Azure Bastion and JIT Access 
  •  Defining ways Azure encrypts data 

Defining security management capabilities of Azure

  •  Defining Cloud security posture management (CSPM) 
  •  Defining Microsoft Defender for Cloud 
  • Defining the enhanced security features of Microsoft Defender for Cloud 
  • Defining security baselines for Azure

 Defining security capabilities of Microsoft Sentinel 

  •  Defining the concepts of SIEM and SOAR
  •  Defining how Microsoft Sentinel provides integrated threat management

 Defining threat protection with Microsoft 365 Defender 

  •  Defining Microsoft 365 Defender services  
  • Describe Microsoft Defender for Office 365  
  • Describe Microsoft Defender for Endpoint 
  •  Describe Microsoft Defender for Cloud Apps  
  • Describe Microsoft Defender for Identity 
  • Describe the Microsoft 365 Defender portal 

Describing the capabilities of Microsoft compliance solutions (25–30%) 

Describing Microsoft’s Service Trust Portal and privacy principles 

  •  Defining the offerings of the Service Trust portal 
  •  Defining Microsoft’s privacy principles 

Describing the compliance management capabilities of Microsoft Purview 

  •  Defining the Microsoft Purview compliance portal 
  • Defining compliance manager 
  • Defining the usage and benefits of compliance score

Describing information protection and data lifecycle management capabilities of Microsoft Purview 

  •  Defining data classification capabilities 
  •  Defining the uses of content explorer and activity explorer 
  •  Defining sensitivity labels 
  •  Defining Data Loss Prevention (DLP) 
  • Defining Records Management 
  • Defining Retention Policies and Retention Labels 

Describe insider risk capabilities in Microsoft Purview 

  • Defining Insider Risk Management 
  • Defining communication compliance 
  • Defining information barriers 

Describing resource governance capabilities in Azure 

  • Describe Azure Policy 
  • Describe Azure Blueprints 
  •  Describe the Microsoft Purview unified data governance solution


Q: Why should I go for SC-900:Microsoft Security, Compliance, and Identity Fundamentals Exam?

A: The top reasons to go for Azure Certifications are:

  • Flexibility and Development in Career.
  • High Salary Package.
  • Improves your technical skills on the Azure Cloud platform.
  • Top-paying info-Tech certifications in the world.
  • Adds a credential to your resume.

Q: Can I get a job with Azure 900 certification?

A: By passing the SC-900 exam, you can get jobs in the following roles as Information security, Security operations and Identity & access management sectors.

Q: What skills are measured in SC-900:Microsoft Security, Compliance, and Identity Fundamentals Exam?

A: Here are a few abilities which are measured with the SC-900 exam and certification 

  • Concepts of security, compliance, and identity
  • Capabilities of Microsoft identity and access management solutions
  • Capabilities of Microsoft security solutions
  • Capabilities of Microsoft compliance solutions

Q: Can a fresher take the SC-900:Microsoft Security, Compliance, and Identity Fundamentals Exam?

A: You should understand the fundamentals of Microsoft Azure and Microsoft 365. Also, a basic understanding of how Microsoft security, compliance, and identity solutions function across different solution areas to provide a holistic and end-to-end solution.


I think this blog provides a good overview of how to prepare for the SC-900: Microsoft Security, Compliance, and Identity Fundamentals Exam and adhering to the above preparation tips can help to ace the challenges faced in the exam.

It is essential to rely on reliable and authentic study resources while preparing for exams. 

If you have any queries, please feel free to comment us!

Don’t Stop Here

More To Explore

sc-200 Microsoft Security Operations Analyst Exam Guide

SC-200 Exam Guide

Sc-200 This article will share how I successfully prepared for and passed the SC-200: Microsoft Security Operations Analyst certification exam. It has been two years

Read More »