# How to Pass Microsoft Security, Compliance, and Identity Fundamentals (SC-900) in 2026: Complete Study Guide
The SC-900 is Microsoft's entry-level security certification. It validates foundational knowledge of security, compliance, and identity concepts — and specifically, familiarity with Microsoft's security and compliance product portfolio. No prerequisites, no prior Azure experience required.
If you are a business analyst, IT manager, compliance officer, sales engineer, or a student entering the cybersecurity field, the SC-900 is the right starting point. It signals literacy in modern security concepts and Microsoft's approach to them.
---
## Exam Format and Registration
| Detail | Value |
|---|---|
| Exam code | SC-900 |
| Full name | Microsoft Security, Compliance, and Identity Fundamentals |
| Cost | $99 USD |
| Number of questions | 40–60 questions |
| Time limit | 45 minutes |
| Passing score | 700 / 1000 |
| Prerequisites | None — this is a fundamentals exam |
| Audience | Non-technical and semi-technical roles, students, IT beginners |
At 45 minutes, this is one of Microsoft's shortest exams. The questions are conceptual and product-recognition focused — you will not be configuring Conditional Access policies or writing PowerShell. You will be identifying which product solves which problem and understanding why security frameworks exist.
---
## Domain Breakdown
| Domain | Weight |
|---|---|
| Domain 1: Describe the concepts of security, compliance, and identity | 10–15% |
| Domain 2: Describe the capabilities of Microsoft Entra | 25–30% |
| Domain 3: Describe the capabilities of Microsoft security solutions | 35–40% |
| Domain 4: Describe the capabilities of Microsoft compliance solutions | 20–25% |
Domain 3 carries the most weight; the Defender product family and Microsoft Sentinel are the most heavily tested topics. Domain 1 is the smallest, but it supplies the vocabulary (Zero Trust, shared responsibility, defense in depth) that the other three domains assume.
---
## Domain 1: Security, Compliance, and Identity Concepts (10–15%)
### The Zero Trust Model
Zero Trust is the security philosophy that underlies every Microsoft product on this exam. The traditional security model assumed that everything inside the corporate network perimeter could be trusted. Zero Trust replaces that assumption with three principles:
**The 3 Pillars of Zero Trust:**
| Pillar | Principle | Example |
|---|---|---|
| Verify explicitly | Authenticate and authorize every request based on all available signals — identity, location, device, service, workload, data classification | Conditional Access evaluating sign-in risk, device compliance, and location before issuing a token |
| Use least privilege access | Limit user access with just-in-time and just-enough-access | PIM for admin roles; RBAC scoped to specific resource groups |
| Assume breach | Minimize blast radius, encrypt everything, use analytics to detect threats | Network micro-segmentation, Sentinel for threat detection, encryption at rest and in transit |
### Shared Responsibility Model
Cloud security is a partnership between the cloud provider (Microsoft) and the customer. The split of responsibilities depends on the service model:
| Responsibility | On-Premises | IaaS | PaaS | SaaS |
|---|---|---|---|---|
| Information and data | Customer | Customer | Customer | Customer |
| Devices (mobile and PCs) | Customer | Customer | Customer | Customer |
| Accounts and identities | Customer | Customer | Customer | Customer |
| Identity and directory infrastructure | Customer | Customer | Shared | Shared |
| Applications | Customer | Customer | Shared | Microsoft |
| Network controls | Customer | Customer | Shared | Microsoft |
| Operating system | Customer | Customer | Microsoft | Microsoft |
| Physical hosts, network, and datacenter | Customer | Microsoft | Microsoft | Microsoft |
💡 **Exam Tip:** In every model the customer keeps responsibility for three things: data, devices, and accounts and identities. Microsoft may run the directory infrastructure for you (shared in PaaS and SaaS), but it never decides who your users are, what they may access, or how your data is classified.
### Defense in Depth
Defense in depth is a layered security strategy where multiple controls protect the same asset. If one layer fails, another layer provides protection. The 7 layers (from outer to inner):
1. Physical security (data center access controls)
2. Identity and access (MFA, Conditional Access)
3. Perimeter (DDoS protection, firewalls)
4. Network (NSGs, segmentation)
5. Compute (VM hardening, endpoint protection)
6. Application (secure coding, WAF)
7. Data (encryption, classification, access controls)
---
## Domain 2: Microsoft Entra Capabilities (25–30%)
### Microsoft Entra ID — Core Concepts
**Authentication vs Authorization:**
- Authentication: Proving who you are (sign-in, MFA)
- Authorization: Determining what you are allowed to do (RBAC, app permissions)
Entra ID handles both. It authenticates users and issues tokens that carry authorization claims (roles, group memberships, app permissions).
**Single Sign-On (SSO):** Users authenticate once to Entra ID and gain access to all connected applications without signing in again. Reduces password fatigue and improves security by concentrating authentication at a single audited point.
**Multi-Factor Authentication (MFA):** Requires verification from two or more independent factor categories: something you know (password, PIN), something you have (authenticator app, hardware token, FIDO2 key), or something you are (biometric). A password plus an SMS code is MFA; a password plus a second password is not. MFA blocks the vast majority of password-based account takeover attacks, which is why Microsoft enables it by default through security defaults.
**Self-Service Password Reset (SSPR):** Allows users to reset their passwords without contacting the helpdesk, using registered authentication methods (email, authenticator app, SMS). Reduces IT support costs.
**Conditional Access:** Policy engine that evaluates conditions (user, device, location, risk) and enforces grant controls (require MFA, block access, require compliant device). The primary tool for implementing Zero Trust access policies.
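To make the "conditions in, grant controls out" model concrete, here is a toy evaluator for the logic described above. It is an added illustration, not Microsoft's code, and it simplifies the real engine: a policy applies only when every assignment it sets matches the sign-in, all applicable policies are enforced together, their grant controls accumulate, and a block from any policy overrides every grant. The policy names, group names, app names and named locations are invented for the example.

```python
"""Toy Conditional Access evaluator (added illustration, not Microsoft code).

Assumed semantics, simplified from the real policy engine:
  * a policy applies only when every assignment it sets matches the sign-in;
  * every applicable policy is enforced, and their grant controls accumulate;
  * a "block" control from any applicable policy overrides all grants;
  * excluding a trusted named location is how "skip MFA from the office" is expressed.
"""
from dataclasses import dataclass

RISK_LEVELS = ("none", "low", "medium", "high")  # Identity Protection sign-in risk, low to high


@dataclass
class SignIn:
    user: str
    groups: frozenset
    app: str
    device_compliant: bool   # as reported by Intune compliance
    location: str            # named location the source IP resolves to, or "unknown"
    sign_in_risk: str        # risk level Identity Protection assigned to this sign-in


@dataclass
class Policy:
    name: str
    include_groups: frozenset = frozenset()      # empty = all users
    include_apps: frozenset = frozenset()        # empty = all cloud apps
    exclude_locations: frozenset = frozenset()   # sign-ins from these locations skip the policy
    min_risk: str = "none"                       # applies at this sign-in risk or higher
    controls: frozenset = frozenset()            # e.g. {"mfa", "compliant_device"} or {"block"}


def policy_applies(policy: Policy, s: SignIn) -> bool:
    """Every condition the policy sets must match; unset conditions match everything."""
    if policy.include_groups and not (policy.include_groups & s.groups):
        return False
    if policy.include_apps and s.app not in policy.include_apps:
        return False
    if s.location in policy.exclude_locations:
        return False
    if RISK_LEVELS.index(s.sign_in_risk) < RISK_LEVELS.index(policy.min_risk):
        return False
    return True


def evaluate(policies, s: SignIn) -> dict:
    """Combine all applicable policies: block wins, otherwise grant controls accumulate."""
    applicable = [p for p in policies if policy_applies(p, s)]
    controls = frozenset().union(*(p.controls for p in applicable))
    if "block" in controls:
        return {"decision": "block", "controls": frozenset(), "matched": [p.name for p in applicable]}
    decision = "grant_with_controls" if controls else "grant"
    return {"decision": decision, "controls": controls, "matched": [p.name for p in applicable]}


# Hypothetical tenant policies, modelled on common Conditional Access baselines.
POLICIES = [
    Policy("All users: require MFA outside trusted locations",
           exclude_locations=frozenset({"corp-hq"}), controls=frozenset({"mfa"})),
    Policy("Block high-risk sign-ins", min_risk="high", controls=frozenset({"block"})),
    Policy("Finance app: require compliant device",
           include_apps=frozenset({"finance-erp"}), controls=frozenset({"compliant_device"})),
    Policy("Admins: always require MFA",
           include_groups=frozenset({"global-admins"}), controls=frozenset({"mfa"})),
]

if __name__ == "__main__":
    # Constructed sign-ins: office user, remote finance user, admin in the office, risky sign-in.
    for s in (
        SignIn("alice", frozenset({"staff"}), "email", True, "corp-hq", "none"),
        SignIn("bob", frozenset({"staff"}), "finance-erp", False, "unknown", "low"),
        SignIn("carol", frozenset({"global-admins"}), "email", True, "corp-hq", "none"),
        SignIn("dave", frozenset({"staff"}), "email", True, "unknown", "high"),
    ):
        print(s.user, evaluate(POLICIES, s))
```

Two points the run makes visible: the admin policy has no location exclusion, so `carol` is challenged for MFA even from the office, and `dave` is blocked even though the MFA policy also matched, because block is evaluated before any grant control.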
### The Entra ID License Tiers
| Feature | Free | P1 | P2 |
|---|---|---|---|
| SSO | Yes | Yes | Yes |
| MFA (per-user) | Yes | Yes | Yes |
| SSPR | Limited | Yes | Yes |
| Conditional Access | No | Yes | Yes |
| Identity Protection (risk policies) | No | No | Yes |
| PIM | No | No | Yes |
| Access Reviews | No | No | Yes |
| Entitlement Management | No | No | Yes |
---
## Domain 3: Microsoft Security Solutions (35–40%)
This is the most tested domain. You must know what each Defender product does and how to distinguish products with overlapping names.
### Microsoft Defender Products Overview
| Product | What It Protects | Key Capability |
|---|---|---|
| Defender for Endpoint | Windows, macOS, Linux, iOS, Android devices | EDR (endpoint detection and response), threat & vulnerability management, attack surface reduction |
| Defender for Identity | On-premises Active Directory | Detect lateral movement, pass-the-hash, DCSync, suspicious LDAP queries |
| Defender for Office 365 | Exchange Online, Teams, SharePoint, OneDrive | Anti-phishing, safe links (URL scanning), safe attachments (sandboxing), attack simulation training |
| Defender for Cloud Apps | SaaS applications (Shadow IT discovery, CASB) | Discover unsanctioned cloud apps, control data flow to cloud apps, session monitoring |
| Defender for Cloud | Azure, AWS, GCP infrastructure | Cloud Security Posture Management (CSPM), workload protection (servers, SQL, containers, Key Vault) |
| Defender XDR | Unified portal correlating all Defender signals | Cross-domain threat correlation, automatic attack disruption, unified incident queue |
💡 **Exam Tip:** Defender for Cloud and Defender for Cloud Apps are completely different products with confusingly similar names. Defender for Cloud = infrastructure security posture (Azure VMs, SQL, AKS). Defender for Cloud Apps = SaaS application governance and CASB (shadow IT, cloud app control). The exam will use both in the same scenario to see if you know the difference.
### Microsoft Sentinel
Microsoft Sentinel is a cloud-native **SIEM (Security Information and Event Management)** and **SOAR (Security Orchestration, Automation, and Response)** solution.
**SIEM function:** Collect security logs at scale from any source (Azure, on-premises, AWS, third-party devices), normalize data, detect threats using analytics rules, and correlate alerts into incidents.
**SOAR function:** Automate responses to detected threats using **playbooks** (built on Azure Logic Apps). Example: when a high-severity incident is created, automatically isolate the affected device, post to Teams, and create a ServiceNow ticket.
Key components:
- **Data connectors:** Connect log sources to Sentinel. A few Microsoft sources are ingested free of charge: Azure Activity logs, Office 365 audit logs (Exchange, SharePoint, Teams), and alerts from the Defender products. Everything else, including Microsoft Entra ID sign-in and audit logs, raw Defender for Endpoint telemetry, and third-party sources (Cisco, Palo Alto, AWS CloudTrail), is billed at the normal Log Analytics ingestion rate.
- **Analytics rules:** Define detection logic. Scheduled rules run a KQL query on a timer; near-real-time (NRT) rules run a query about once a minute; Microsoft security rules promote Defender alerts into Sentinel incidents; Fusion and anomaly rules use machine learning to correlate weak signals.
- **Incidents:** Correlated groups of related alerts representing a potential attack. Each incident has entities (users, IPs, devices) and a timeline.
- **Playbooks:** Automated response workflows triggered by incidents or alerts.
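The following is an added example, not Sentinel code, that shows what a scheduled analytics rule does at the level of the data: a detection query is run over sign-in events, a hit becomes an alert carrying entities (account, IP), and alerts sharing an entity are correlated into one incident. The sample events are constructed, the result codes follow Entra sign-in conventions (0 for success, 50126 for a bad password), and the threshold and window are assumptions you would tune per tenant.

```python
"""Scheduled-rule style detection over sample sign-in events (added illustration,
not Sentinel code). In Sentinel the equivalent would be a KQL scheduled rule on the
SigninLogs table, roughly:

    SigninLogs
    | where TimeGenerated > ago(1h)
    | summarize Failures = countif(ResultType != "0"),
                Successes = countif(ResultType == "0"),
                Accounts = make_set(UserPrincipalName) by IPAddress
    | where Failures >= 5 and Successes >= 1

The Python version below also enforces ordering: the failures must come *before*
the success and inside the time window, which the summarize above does not check.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): time, account, source IP, result code.
# ResultType 0 is a successful sign-in; 50126 is "invalid username or password".
SAMPLE_EVENTS = """\
2025-03-01T09:00:05Z,alice@contoso.example,203.0.113.10,50126
2025-03-01T09:00:41Z,bob@contoso.example,203.0.113.10,50126
2025-03-01T09:01:17Z,carol@contoso.example,203.0.113.10,50126
2025-03-01T09:02:03Z,alice@contoso.example,203.0.113.10,50126
2025-03-01T09:02:49Z,bob@contoso.example,203.0.113.10,50126
2025-03-01T09:03:30Z,alice@contoso.example,203.0.113.10,50126
2025-03-01T09:05:12Z,alice@contoso.example,203.0.113.10,0
2025-03-01T09:06:00Z,dave@contoso.example,198.51.100.7,50126
2025-03-01T09:06:20Z,dave@contoso.example,198.51.100.7,50126
2025-03-01T09:06:45Z,dave@contoso.example,198.51.100.7,0
2025-03-01T09:30:00Z,bob@contoso.example,203.0.113.10,0
"""


def parse_events(text: str) -> list:
    """Turn the CSV-style lines into dicts, sorted by time like a query result."""
    events = []
    for line in text.strip().splitlines():
        ts, account, ip, result = line.split(",")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "account": account, "ip": ip, "result": int(result)})
    return sorted(events, key=lambda e: e["time"])


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=10)) -> list:
    """Alert when one source IP produces >= threshold failures and then a success within `window`."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        for i, e in enumerate(evs):
            if e["result"] != 0:
                continue
            prior_failures = [f for f in evs[:i]
                              if f["result"] != 0 and e["time"] - f["time"] <= window]
            if len(prior_failures) >= threshold:
                alerts.append({
                    "rule": "Brute force followed by successful sign-in",
                    "severity": "High",
                    "time": e["time"],
                    "entities": {"ip": ip, "account": e["account"],
                                 "attempted_accounts": sorted({f["account"] for f in prior_failures})},
                    "failure_count": len(prior_failures),
                })
    return alerts


def group_into_incidents(alerts) -> list:
    """Correlate alerts that share the source-IP entity into one incident, as Sentinel
    does when alert grouping is enabled on a rule."""
    incidents = defaultdict(list)
    for a in alerts:
        incidents[a["entities"]["ip"]].append(a)
    return [{"title": f"Suspicious sign-in activity from {ip}",
             "alerts": grouped,
             "accounts": sorted({a["entities"]["account"] for a in grouped})}
            for ip, grouped in incidents.items()]


if __name__ == "__main__":
    alerts = brute_force_then_success(parse_events(SAMPLE_EVENTS))
    for incident in group_into_incidents(alerts):
        print(incident["title"], "->", incident["accounts"], f"({len(incident['alerts'])} alert)")
```

With the default threshold only the spray from 203.0.113.10 fires: the two typos from 198.51.100.7 stay below it, and bob's later success from the attacker IP falls outside the ten-minute window, so it does not create a second alert. Lowering the threshold to 2 would turn the typos into a false positive, which is the tuning trade-off every scheduled rule carries.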
### Microsoft Defender for Cloud
Defender for Cloud serves two functions:
1. **CSPM (Cloud Security Posture Management):** Continuously assesses your Azure (and multi-cloud) configuration against security best practices. Produces a **Secure Score** — a percentage representing your configuration health. Provides actionable recommendations to improve your score.
2. **CWP (Cloud Workload Protection):** Defender plans for specific Azure resources — Defender for Servers, Defender for SQL, Defender for Containers, Defender for Key Vault, etc. Each plan adds threat detection and advanced protections for that resource type.
---
## Domain 4: Microsoft Compliance Solutions (20–25%)
### Microsoft Purview
Microsoft Purview is the unified data governance and compliance platform. It was rebranded from Azure Purview (data governance) + Microsoft 365 Compliance Center in 2022.
**Sensitivity Labels:** Classify and protect content in Microsoft 365 (documents, emails, Teams messages). Labels can apply encryption, content marking (watermarks, headers, footers), and access restrictions. Labels persist with the content wherever it travels.
**Retention Policies and Labels:** Control the lifecycle of content: preserve it for a required period, then optionally delete it. Used to meet regulatory requirements such as HIPAA's six-year documentation retention rule or financial-records regulations. Retention labels are applied to individual items (manually or automatically); retention policies apply broadly to locations (SharePoint sites, mailboxes, Teams channels). When the two conflict, retention always wins over deletion.
**Data Loss Prevention (DLP):** Detect and prevent sharing of sensitive information (credit card numbers, Social Security Numbers, health data) outside the organization. DLP policies evaluate content in Exchange, SharePoint, OneDrive, Teams, and endpoints.
**eDiscovery:** Tools for legal hold and content search to support litigation and compliance investigations. Microsoft Purview eDiscovery (Standard) and eDiscovery (Premium) provide different levels of capability.
### Compliance Manager
Compliance Manager helps organizations assess and improve their compliance posture against regulatory frameworks.
**Compliance Score:** A percentage indicating how well your Microsoft 365 environment meets the requirements of selected regulatory frameworks (GDPR, HIPAA, ISO 27001, SOC 2, NIST). Higher score = better compliance posture.
**Improvement Actions:** Specific technical or procedural actions you can take to increase your score. Each action is mapped to one or more regulatory controls.
**Assessments:** Evaluations against a specific regulatory framework. Compliance Manager includes pre-built assessments for dozens of regulations.
💡 **Exam Tip:** Compliance Score (in Compliance Manager) measures adherence to regulatory frameworks. Secure Score measures security configuration hardening and appears in three places: Microsoft Secure Score in the Defender portal, the Secure Score in Defender for Cloud, and Identity Secure Score in Microsoft Entra. They are separate metrics with different purposes, and the exam will present scenarios where knowing which score to check is the question.
---
## 2-Week Study Plan
| Day | Focus | Activities |
|---|---|---|
| Day 1–2 | Domain 1: Concepts | Zero Trust pillars, shared responsibility model, defense in depth layers |
| Day 3–4 | Domain 2: Entra ID | SSO, MFA, SSPR, Conditional Access basics, Entra ID license tiers |
| Day 5–6 | Domain 3: Defender products | Memorize the Defender product table — what each product protects |
| Day 7 | Domain 3: Sentinel | SIEM vs SOAR, data connectors, analytics rules, incidents, playbooks |
| Day 8 | Domain 3: Defender for Cloud | CSPM vs CWP, Secure Score, regulatory compliance dashboard |
| Day 9–10 | Domain 4: Purview | Sensitivity labels vs retention labels, DLP, Compliance Manager vs Secure Score |
| Day 11–12 | Full practice exam | Take a practice exam, identify weak topics |
| Day 13 | Review weak areas | Re-read relevant sections, watch Microsoft Learn videos |
| Day 14 | Final light review | Review key tables and distinctions, rest before exam day |
---
## Essential Resources
- Microsoft Learn SC-900 learning path (free, official, maps directly to exam domains)
- Microsoft Security product documentation (Sentinel, Defender for Cloud, Purview)
- CertLand SC-900 practice exam (340 questions with full explanations)
---
## Ready to Start?
The SC-900 is achievable in two weeks of focused study. The key is understanding the product portfolio — knowing which Microsoft tool solves which security or compliance problem. Rote memorization of product names is not enough; you need to understand the purpose and positioning of each product.
Begin with the [SC-900 practice exam on CertLand](https://certland.net) to establish your baseline before diving into study materials.