This article will share how I successfully prepared for and passed the SC-200: Microsoft Security Operations Analyst certification exam.


Microsoft is continually updating its role-based certifications to keep up with evolving business requirements. Microsoft's Learn platform is constantly being developed, as seen in the two changes already made, to better help you skill up and prove your knowledge and skills to your employers… or, as I do, prove to myself that I can do it.

In February 2021, Microsoft launched a new set of training paths and exams covering Security, Compliance, and Identity (SCI) solutions, focused mainly on the Microsoft Azure and Microsoft 365 cloud platforms. This is a clear indication of the importance Microsoft places on its security function.

The Security & Compliance Exams/pathways

SC-100 – Microsoft Cybersecurity Architect (Beta)

SC-200 – Microsoft Security Operations Analyst

SC-300 – Microsoft Identity and Access Administrator

SC-400 – Microsoft Information Protection Administrator

SC-900 – Microsoft Security, Compliance, and Identity Fundamentals

SC-200 Exam Overview

The Security Operations Analyst Associate certification will help you demonstrate knowledge of threat mitigation using Microsoft Security, Compliance and Identity Solutions, as well as performing proactive threat hunting activities using:

  • Microsoft 365 Defender
  • Microsoft Defender For Cloud (Azure Security Center)
  • Microsoft (Azure) Sentinel

The Microsoft Security Operations Analyst (SC-200) exam fee is $165/£113/€165. However, you can get the exam free by doing the Cloud Skills Challenge here.

For the Microsoft Security Operations Analyst exam, there will be between 40 and 60 questions, and you will have roughly 120 minutes to complete them. The exam is available in English and Spanish at present, with more in the pipeline, I am hearing.

Like most Microsoft exams, the passing mark for Microsoft Security Operations Analyst is 700 on a scale of 1-1000. This doesn’t mean it’s 70%, as some questions are weighted more than others, but in my experience, it’s not far off.

Lastly, the SC-200 exam format is multiple choice and multiple response questions.

Who is the SC-200 Target Audience

The Microsoft Security Operations Analyst is aimed at those who collaborate with organizational stakeholders to secure information technology systems for the organization. These could be SOC Analysts or Cyber Security analysts, whose goal is to help reduce an organization’s risks by remediating active attacks in their environment, advising on improvements to threat protection practices, and referring violations of administrative policies to appropriate stakeholders.

Responsibilities of a Microsoft Security Operations Analyst include threat management, monitoring, and response by using a range of security solutions and processes in their environment. A SOC Analyst's primary role is to investigate, respond to, and hunt for threats using Microsoft Azure Sentinel, Microsoft Defender for Cloud, Microsoft 365 Defender, and, if needed, other third-party security solutions. Since the security operations analyst manages the operational output of the security tools, they should also be considered a critical stakeholder in the configuration and deployment of these technologies.

My Exam Preparation

I started preparing for this as part of Microsoft's Inspire conference (which I'd highly recommend going to) back in March 2021. As part of this conference, there was a Cloud Skills Challenge. If you went through all of the free online training, you got a free exam voucher (they are running another Cloud Skills Challenge at the minute here). However, due to a combination of moving jobs, not having access to my old work email and general procrastination, I lost out on the free exam (which must be used within 90 days).

Therefore, I repeated the Cloud Skills Challenge again in November 2021. This was a great refresher and, in addition to the labs (below) and actually using the tech, helped immensely.

I found this training, which I have links to below, a handy starting point and then added in a few other things that I found helpful.


At the time of my doing the SC-200 exam, there was only 1 book directly related to this exam.

The Microsoft Security Operations Analyst Exam Ref SC-200

This was the first book about the SC-200 exam, written by Yuri Diogenes, Jake Mowrer & Sarah Young and published by Microsoft. It’s essentially a collection of how-to and re-written articles from the Docs.Microsoft repository. However, I found it (and still do) helpful as a reference book that I can quickly flick through rather than googling.

I also used, mainly as I use it every day, the

Microsoft Sentinel in Action 2nd Edition

This is an excellent book that I am continually thumbing through to find out more info or answer questions that I may have. I highly recommend this book to anyone who is using Sentinel. While I bought the paperback book from Amazon, you can also subscribe to Packt's subscription service and digitally access all of their books. The authors are highly experienced and both heavily involved in the community. I recommend giving Gary Bushey & Richard Diver a follow on LinkedIn.

Since completing the exam myself, I have received a copy of the

Microsoft SC-200 Exam Guide from Packt

This book is written by two very experienced guys from Microsoft (Trevor Stuart & Joe Anich). This book is written from their experience and is not as restrained as the official Microsoft book. The authors have used their knowledge to write about real-world situations and how to deal with them. I’ve really enjoyed reading this, and it sits on my desk at hand’s reach.

Must Learn KQL – Rod Trent

Although not a “proper” book, this GitHub repository is possibly the most important book to read on this list, at least from my own experience of the exam. A large percentage of the questions I got were at least somewhat related to KQL or relied on it to work out.

Online Platforms

While Microsoft provides a vast range of online learning materials, such as videos and labs, I like to watch people and see them work through this, and I found these videos useful.

Microsoft SC-200 CERT Exam prep – Mark Grimes

This video gives an excellent overview of the topics that need to be covered and some insights.

Microsoft Security Operations Analyst Training Day 1

Microsoft Security Operations Analyst Training Day 2

Microsoft Security Operations Analyst Training Day 3

Microsoft Security Operations Analyst Training Day 4

These appear to be official training days that have been produced by Microsoft and published on this channel.

Skills measured on this exam

As a SOC Analyst, this exam measures your knowledge of the technical topics below, based on the latest updates from Microsoft.

I have added the links to relevant reading from the official Microsoft Learn site for each skill to help you prepare:

Mitigate threats using Microsoft 365 Defender (25-30%)

Detect, investigate, respond, and remediate threats to the production environment by using Microsoft Defender for Office 365

  • Detect, investigate, respond, and remediate Microsoft Teams, SharePoint, and OneDrive for Business threats
  • Detect, investigate, respond, and remediate threats to email by using Defender for Office 365
  • Manage data loss prevention policy alerts
  • Assess and recommend sensitivity labels
  • Assess and recommend insider risk policies

Detect, investigate, respond, and remediate endpoint threats by using Microsoft Defender for Endpoint

  • Manage data retention, alert notification, and advanced features
  • Configure device attack surface reduction rules
  • Configure and manage custom detections and alerts
  • Respond to incidents and alerts
  • Manage automated investigations and remediations
  • Assess and recommend endpoint configurations to reduce and remediate vulnerabilities using Microsoft’s Threat and Vulnerability Management solution
  • Manage Microsoft Defender for Endpoint threat indicators
  • Analyze Microsoft Defender for Endpoint threat analytics

Detect, investigate, respond, and remediate identity threats

  • Identify and remediate security risks related to sign-in risk policies.
  • Identify and remediate security risks pertaining to Conditional Access events.
  • Identify and remediate security risks associated with Azure Active Directory.
  • Identify and remediate security risks using Secure Score.
  • Identify, investigate, and remediate security risks associated with privileged identities.
  • Configure detection alerts in Azure AD Identity Protection
  • Identify and remediate security risks associated with Active Directory Domain Services using Microsoft Defender for Identity.
  • Identify, investigate, and remediate security risks by using Microsoft Defender for Cloud Apps (old MCAS)
  • Configure MDCA to generate alerts and reports to detect threats

Manage cross-domain investigations in Microsoft 365 Defender Portal

  • Manage incidents across Microsoft 365 Defender products
  • Manage actions pending approval across products
  • Perform advanced threat hunting

Learning Path: Mitigate threats using Microsoft 365 Defender

Mitigate threats using Microsoft Defender for Cloud (25-30%)

Design and configure a Microsoft Defender for Cloud implementation

  • Plan and configure a Microsoft Defender for Cloud workspace
  • Configure Microsoft Defender for Cloud roles
  • Configure data retention policies
  • Assess and recommend cloud workload protection

Plan and implement the use of data connectors for ingestion of data sources in Microsoft Defender For Cloud

  • Identify data sources to be ingested for Microsoft Defender for Cloud
  • Configure Automated Onboarding for Azure resources
  • Connect non-Azure machine onboarding
  • Connect AWS cloud resources
  • Connect GCP cloud resources
  • Configure data collection

Manage Microsoft Defender For Cloud alert rules

  • Validate alert configuration
  • Setup email notifications
  • Create and manage alert suppression rules

Configure automation and remediation

  • Configure automated responses in Az
  • Design and configure playbook in Azure Defender
  • Remediate incidents by using Azure Defender recommendations
  • Create an automatic response using an Azure Resource Manager template

Investigate Azure Defender alerts and incidents

  • Describe alert types for Azure workloads
  • Manage security alerts
  • Manage security incidents
  • Analyze Azure Defender threat intelligence
  • Respond to Azure Defender for Key Vault alerts
  • Manage user data discovered during an investigation

Learning Path: Mitigate threats using Azure Defender

Mitigate threats using Azure Sentinel (40-45%)

Design and configure an Azure Sentinel workspace

  • Plan an Azure Sentinel workspace
  • Configure Azure Sentinel roles
  • Design Azure Sentinel data storage
  • Configure Azure Sentinel service security

Plan and Implement the use of Data Connectors for Ingestion of Data Sources in Azure Sentinel

  • Identify data sources to be ingested for Azure Sentinel
  • Identify the prerequisites for a data connector
  • Configure and use Azure Sentinel data connectors
  • Design Syslog and CEF collections
  • Design and Configure Windows Events collections
  • Configure custom threat intelligence connectors
  • Create custom logs in Azure Log Analytics to store custom data

Manage Azure Sentinel analytics rules

  • Design and configure analytics rules
  • Create custom analytics rules to detect threats
  • Activate Microsoft security analytical rules
  • Configure connector provided scheduled queries
  • Configure custom scheduled queries
  • Define incident creation logic

Configure Security Orchestration Automation and Remediation (SOAR) in Azure Sentinel

  • Create Azure Sentinel playbooks
  • Configure rules and incidents to trigger playbooks
  • Use playbooks to remediate threats
  • Use playbooks to manage incidents
  • Use playbooks across Microsoft Defender solutions

Manage Azure Sentinel Incidents

  • Investigate incidents in Azure Sentinel
  • Triage incidents in Azure Sentinel
  • Respond to incidents in Azure Sentinel
  • Investigate multi-workspace incidents
  • Identify advanced threats with User and Entity Behavior Analytics (UEBA)

Use Azure Sentinel workbooks to analyze and interpret data

  • Activate and customize Azure Sentinel workbook templates
  • Create custom workbooks
  • Configure advanced visualizations
  • View and analyze Azure Sentinel data using workbooks
  • Track incident metrics using the security operations efficiency workbook

Hunt for threats using the Azure Sentinel portal

  • Create custom hunting queries
  • Run hunting queries manually
  • Monitor hunting queries by using Livestream
  • Perform advanced hunting with notebooks
  • Track query results with bookmarks
  • Use hunting bookmarks for data investigations
  • Convert a hunting query to an analytical rule

Learning Path: Mitigate threats using Azure Sentinel

Training Labs

Microsoft has uploaded the following hands-on labs that will guide you step by step in various areas to gain more practical experience. They are continually being updated (so if a link is broken, let me know):

Lessons Learned

Practice, practice, and read… I don’t think I can stress enough that hands-on experience and understanding of all the security concepts in Microsoft 365 Defender, Microsoft Sentinel and Microsoft Defender for Cloud will help you pass this exam. The critical success factor in passing this exam is working with Azure Security services daily, especially Microsoft Sentinel, Microsoft 365 Defender, and KQL.

The most extensive subject areas that I saw on the SC-200 exam are the following:

  • Azure Active Directory (Azure AD)
    • Conditional Access
  • Azure Information Protection
  • Azure Sentinel (a lot of questions, a lot)
    • KQL queries
    • Logic Apps
    • Common Event Format (CEF)
    • Notebooks
    • Hunting
    • Analytics rules
  • Microsoft 365 Defender
  • Microsoft Cloud App Security (MCAS)
  • Microsoft Defender for Endpoint
    • KQL queries
  • Azure Security Center
    • Secure Score
    • Security Alerts
    • Workflow automation
    • Cloud connectors
    • Email notifications

Overall, I think Microsoft Learn is doing an excellent job of continually developing these exams to reflect real-world security scenarios that you will come across using the Microsoft Security Tech stack. The SC-200 exam, I felt, was logically organized and focused primarily on Microsoft 365 Defender, Microsoft Sentinel, and Microsoft Defender for Cloud.

Validating your skills

If you are looking to validate your skills and knowledge before taking the actual exam, I highly encourage you to do a practice test such as:

SC-200: Microsoft Security Operations Analyst Microsoft Official Practice Test. 

The Whizlabs SC-200 Practice Exam – Free 20 questions

Udemy SC-200 exam Practice Tests 

Cloud Academy Becoming a Microsoft Sentinel Expert

All of these SC-200 practice exams are designed to help you prep for and pass the Microsoft SC-200 exam.

The SC-200 exam is aimed at Security Operations Analysts who want to validate their skills, although there is nothing to stop prospective SOC analysts from doing the exam. You should know how to investigate, respond to, and hunt for threats to the organization’s information technology systems. Security Operations Analysts reduce organizational risk, advise on improving threat protection practices and refer violations of policies to the appropriate stakeholders.

Schedule SC-200 Exam

Once you are ready, click Schedule exam here and take it online from the comfort of your home/office with proctor supervision.

If you are planning to take this exam… I wish you all the best and good luck.

Thank you for reading NI Cyber Guys Blogs.

If you have any questions or feedback on this article, please get in touch

NI Cyber Guy
