Microsoft SC-900 in 30 minutes: the security/compliance fundamentals primer
SC-900 is Microsoft's easiest security cert. Who actually needs it, who should skip it for SC-200 or AZ-500, and what the $99 buys you.
SC-900 (Microsoft Certified: Security, Compliance, and Identity Fundamentals) is the easiest of Microsoft's security certs, and that's both its selling point and its limitation. It costs $99, you can prep for it in roughly 10 hours if you've worked anywhere near Microsoft 365 or Azure, and the questions are conceptual: define this, match that, identify which Microsoft product solves which problem.
If you're a technical security person, you can probably stop reading and go take SC-200 or AZ-500 instead. SC-900 is not aimed at you. It's aimed at the auditors, compliance analysts, sales engineers, project managers, and account execs who need to talk credibly about Microsoft's security stack without being the ones implementing it.
What's actually on the exam
The current SC-900 blueprint covers four domains:
- Concepts of security, compliance, and identity (~10–15%): the basics, namely defense in depth, shared responsibility, Zero Trust, encryption at rest vs in transit, common compliance frameworks (GDPR, HIPAA, ISO 27001 at a name-recognition level).
- Microsoft Entra capabilities (~25–30%): Entra ID (the rebranded Azure AD), authentication methods, MFA, Conditional Access, identity governance, External Identities, PIM at a vocabulary level.
- Microsoft security solutions (~25–30%): Defender for Cloud, Defender for Endpoint, Defender for Office 365, Defender for Identity, Sentinel (what each one does, not how to configure it). Plus Azure DDoS protection, Azure Firewall, NSGs, and Key Vault as features-level material.
- Microsoft compliance solutions (~25–30%): Purview (the umbrella name for compliance tooling since 2022), Information Protection, Data Loss Prevention, Insider Risk Management, eDiscovery, Compliance Manager, the Service Trust Portal.
The exam is 40–60 questions, 60 minutes, multiple-choice and multi-select. No case studies, no labs, no drag-drop sequencing. Pass mark is 700/1000. Online via Pearson VUE OnVUE or in-person, your choice.
$99 USD list price (regional pricing drops it to ~$50 in some markets). Validity is 1 year, with free renewal via a 25-question online assessment. Microsoft's renewal flow for fundamentals certs is genuinely painless.
Who SC-900 is for
Three audiences where the cert pays off:
Non-technical roles in security-adjacent jobs. GRC analysts, compliance officers, internal auditors, and procurement people who need to validate vendor security claims. SC-900 gives you the vocabulary to read a Microsoft 365 security review and know whether the controls described are real or marketing.
Pre-sales and account teams at Microsoft partners. This is the biggest single bucket. Microsoft Solutions Partner status requires certified employees, and SC-900 counts toward partner tier minimums. Sales engineers who can answer "what's the difference between Defender for Endpoint and Defender for Cloud Apps?" close more deals than the ones who hand-wave.
Career switchers using it as a starting point. If you're moving into IT or security from an unrelated field, SC-900 is a low-stakes way to demonstrate seriousness without spending $165 on a role-based exam you're not ready for. Pair it with AZ-900 for $198 and you have a respectable two-cert "I'm new but not a tourist" signal.
Who should skip it
If you're already a security engineer, SOC analyst, identity admin, or cloud engineer with security responsibilities, skip SC-900. The content is the first chapter of the role-based exams. You'll learn nothing, you'll spend $99, and SC-900 on a senior security résumé reads as filler.
For technical paths, the alternatives:
- SOC analyst track: SC-200 (Security Operations Analyst Associate), $165, hands-on with Sentinel and Defender.
- Cloud security engineer track: AZ-500 (Azure Security Engineer Associate), $165, configuration-heavy across Azure.
- Identity admin track: SC-300 (Identity and Access Administrator Associate), $165, deep on Entra ID.
- Security architect track: SC-100 (Cybersecurity Architect Expert), $165, requires one of the above as a prereq.
The role-based exams cover everything SC-900 covers, plus the actual implementation. Skipping fundamentals when you have the experience for role-based isn't a shortcut; it's the right call.
Prep time, realistic numbers
| Background | Hours | Calendar |
|---|---|---|
| Already work with M365 / Azure security daily | 5–8 | One weekend |
| Generalist IT, occasional Microsoft exposure | 10–15 | 1–2 weeks |
| Brand new to Microsoft cloud | 20–30 | 3–4 weeks |
| Career switcher, no IT background | 40–60 | 6–8 weeks |
Microsoft Learn's official SC-900 path is free and current; that's the only resource most candidates need. John Savill's YouTube has an SC-900 study cram that's useful for the audio-learner crowd. Skip the paid Udemy courses unless they're under $15; the official content is comprehensive enough.
The single biggest stumbling block is product naming. Microsoft renamed half their security products between 2020 and 2024. Azure AD became Entra ID. Microsoft Cloud App Security became Defender for Cloud Apps. The compliance tooling consolidated under Purview. The exam tests the current names, but a lot of older study material uses old names. If you're reading a 2022 SC-900 guide, cross-check every product name against learn.microsoft.com before the exam.
Salary impact
There isn't one. SC-900 doesn't move salaries directly. It's a vocabulary cert, not a skill cert. levels.fyi doesn't have a column for it. BLS doesn't track it. What it can do:
- Get you past an HR filter for an entry-level security or compliance role where "Microsoft cert preferred" appears in the listing.
- Strengthen a partner-side sales engineer résumé where Microsoft credentials directly affect commission tiers.
- Serve as a stepping stone toward SC-200 or AZ-500, where the salary signal is real (Information Security Analysts, BLS OEWS May 2024: median around $124k, 90th percentile around $182k, but that's for the role-based path, not SC-900).
If your goal is a paycheck bump, SC-900 alone won't deliver. If your goal is to participate intelligently in Microsoft security conversations, it absolutely will.
Should you take it?
Take SC-900 if:
- You're in a non-technical role that needs to talk about Microsoft security credibly.
- You're at a Microsoft partner and the cert affects partner tier or commission structure.
- You're brand new to IT/security and want a $99 starting credential before committing to a role-based path.
Skip SC-900 if:
- You're already technical enough for SC-200, AZ-500, or SC-300; start there.
- You don't work in or sell to Microsoft shops. The cert is vendor-specific and means nothing in an AWS or Google Cloud organization.
- You're chasing salary. SC-900 doesn't deliver one.
If SC-900 is the right fit, browse the SC-900 practice questions on CertLabPro or start a timed exam. The exam pattern is heavy on "match the product to the problem", and drilling against realistic items is the fastest way to lock in the Microsoft naming taxonomy that actually trips most people up.