Microsoft Cybersecurity Architect
225 practice questions
Last reviewed: April 2026
Microsoft Cybersecurity Architect (SC-100) is Microsoft's expert-level security credential, validating the ability to design enterprise-wide security strategies that align with Zero Trust, the Microsoft Cybersecurity Reference Architectures (MCRA), and the Cloud Adoption Framework (CAF). It is aimed at senior security architects, principal security engineers, CISO-track leads, and consultants who own end-to-end designs spanning identity, infrastructure, applications, data, and SecOps. The exam is scenario-driven and demands judgment, not recall: candidates must weigh tradeoffs across Microsoft Entra, Defender XDR, Defender for Cloud, Sentinel, Purview, and Intune, and recommend designs that satisfy regulatory, governance, and resiliency requirements alongside security controls.
Designing strategies aligned with Zero Trust principles, MCRA, MCSB (Microsoft Cloud Security Benchmark), CAF, and Well-Architected Framework. Resiliency planning, ransomware recovery strategy, and confidential-computing scenarios. About 22% of the exam; the most "architectural judgment" domain.
Largest domain (28%). Designs for SOC tooling and processes (Sentinel, Defender XDR, Security Copilot), identity and access architectures (Entra ID, conditional access, PIM, Entra Permissions Management, Verified ID), and compliance and data-governance designs in Microsoft Purview.
Equal-largest at 28%. Endpoint, server, IoT/OT, and hybrid-cloud security designs. Defender for Cloud across multi-cloud (Azure, AWS, GCP), Defender for Endpoint, Defender for Servers, network segmentation, and key/secret management with Azure Key Vault and HSMs.
Application threat modeling, secure DevOps and supply-chain controls (GitHub Advanced Security, Defender for DevOps), API security, data classification and protection across Purview Information Protection, and database/storage encryption strategies. About 22% of the exam.
Services you'll encounter on the exam and why each one matters.
Microsoft's reference framework that enforces explicit verification, least-privilege access, and assume-breach principles across identities, endpoints, apps, data, infrastructure, and networks.
Why it's on the exam: Domain 1 (Best practices and priorities) anchors every SC-100 design discussion on Zero Trust; expect questions on which pillars apply to a given scenario.
Microsoft's diagrammed reference architecture mapping security controls (Defender, Entra, Sentinel, Purview, Intune) onto Zero Trust pillars and the hybrid enterprise estate.
Why it's on the exam: Domain 1 explicitly cites MCRA as the lens for aligning solutions with Microsoft's recommended security architecture; questions reference specific MCRA layers.
Cloud identity provider with directory, B2B/B2C, federation, and risk signals, paired with PIM for just-in-time elevation, approval workflows, and time-bound role activation.
Why it's on the exam: Domain 2 (Security operations, identity, and compliance) makes Entra ID + PIM the architectural backbone for designing identity and privileged-access strategies.
Cloud-native SIEM and SOAR that aggregates signals across the estate, runs KQL hunting queries, and automates incident response via playbooks built on Logic Apps.
Why it's on the exam: Domain 2 tests SIEM/SOAR strategy at enterprise scale; Sentinel is the named platform for designing security-operations capabilities, data residency, and log-ingestion architecture.
Cross-workload extended detection and response surface that correlates Defender for Endpoint, Office 365, Identity, and Cloud Apps signals into a unified incident view.
Why it's on the exam: Domain 2 treats Defender XDR as the architectural answer for unified incident management spanning email, identity, endpoint, and cloud apps.
Cloud-native application protection platform that combines Cloud Security Posture Management with workload protection plans across Azure, AWS, and GCP resources.
Why it's on the exam: Domain 3 (Infrastructure security) hinges on Defender for Cloud; questions test multicloud posture, secure-score uplift, and which CWP plan covers which workload.
Unified data-governance and risk platform spanning information protection, data loss prevention, insider risk management, data lifecycle, and data-map lineage across Microsoft 365 and Azure.
Why it's on the exam: Domain 4 (Applications and data) frames Purview as the architectural answer for data classification, protection, and regulatory alignment across the estate.
Unified endpoint management that enrolls and configures Windows, macOS, iOS, Android, and Linux devices and emits compliance signals consumed by Conditional Access.
Why it's on the exam: Domain 3 cites Intune as the architectural source of device-compliance posture that gates Zero Trust resource access decisions.
Internet-scale discovery of an organization's external attack surface (exposed domains, certificates, IPs, and shadow assets) with prioritized remediation guidance.
Why it's on the exam: Domain 3 architecture work covers attack-surface reduction; EASM is the named tool for inventorying internet-exposed assets the org may not realize it owns.
Threat intelligence platform combining Microsoft's telemetry with RiskIQ acquisitions to surface IOCs, threat actor profiles, and infrastructure linkages.
Why it's on the exam: Domain 2 SOC-architecture scenarios reference Defender TI as the threat-context layer that enriches Sentinel and XDR incident triage.
Decentralized identity service that issues and verifies tamper-proof verifiable credentials based on W3C DID and Verifiable Credential standards.
Why it's on the exam: Domain 2 identity-architecture questions distinguish federated and decentralized identity patterns; Verified ID is the named decentralized option.
Cloud infrastructure entitlement management (CIEM) that maps and right-sizes permissions across Azure, AWS, and GCP identities to reduce permission creep.
Why it's on the exam: Domain 2 multicloud-identity scenarios cite Permissions Management as the CIEM control for designing least-privilege across cloud providers.
Managed stateful network firewall service with centralized policy via Firewall Manager; Premium tier adds TLS inspection, IDPS, and URL filtering.
Why it's on the exam: Domain 3 perimeter-design questions reference Azure Firewall + Firewall Manager as the centralized network-security plane for hub-spoke topologies and Secured Virtual Hubs.
Cloud access security broker (CASB) that discovers shadow IT, governs sanctioned SaaS through API connectors, and enforces session controls via Conditional Access App Control.
Why it's on the exam: Domain 4 SaaS-security architecture cites Defender for Cloud Apps as the CASB layer that complements DLP and Conditional Access in the application tier.
ML-driven detection of risky insider activity (exfiltration, departing-employee theft, policy violations) with pseudonymized investigation and HR-aligned workflows.
Why it's on the exam: Domain 4 explicitly tests insider-threat strategy as a separate pillar from external threat; Insider Risk Management is the named workload in compliance architecture.
Sensitivity labels with encryption, content-marking, and rights enforcement that travel with documents and emails across Microsoft 365, endpoints, and partner SaaS.
Why it's on the exam: Domain 4 data-architecture scenarios position Information Protection as the canonical control for classifying and protecting data at rest, in transit, and in use.
Policy-as-code enforcement combined with Blueprints (deprecated but tested) and Cloud Adoption Framework landing zones for enterprise-scale governance baselines.
Why it's on the exam: Domain 1 enterprise-design questions reference landing zones and Azure Policy as the foundation for governance, compliance, and security baselines at scale.
Compliance Manager scores tenant posture against frameworks like ISO 27001, NIST 800-53, and GDPR; Service Trust Portal hosts Microsoft's third-party audit reports and compliance documentation.
Why it's on the exam: Domain 2 compliance-architecture scenarios cite Compliance Manager (improvement actions, score) and Service Trust Portal (audit reports) as the evidence sources for regulatory alignment.
Signal-based policy engine that evaluates user, device, location, app, and risk inputs to enforce controls (MFA, compliant device, session restriction) before granting access.
Why it's on the exam: Domain 2 makes Conditional Access the central Zero Trust enforcement point β every identity-architecture answer routes through it.
Quantified posture score and prioritized recommendations across Azure, AWS, and GCP, mapped to regulatory compliance frameworks (Azure Security Benchmark, CIS, PCI, ISO).
Why it's on the exam: Domain 3 posture-architecture scenarios use Secure Score as the metric for tracking and reporting cloud-security improvement to stakeholders.
$150k–$200k–$280k USD annual
Range reflects US-based senior and principal security architect roles where the candidate is expected to own enterprise designs across the Microsoft security stack. Non-coastal markets and consulting-firm staff levels trend lower; FAANG/large-bank principal architect total comp regularly exceeds $300k. SC-100 by itself does not unlock these salaries; it complements years of architecture experience and typically a stack of prior certs.
Source: levels.fyi 2025–2026 security-architecture and principal-security-engineer roles, U.S. BLS OEWS May 2024 (15-1241 computer network architects, median ~$130k; 15-1212 information security analysts, median ~$120k), (ISC)² Cybersecurity Workforce Study 2024. Figures are approximate; actual compensation depends on role, region, and experience.
Demand for cybersecurity architects has stayed structurally tight through 2024–2026; (ISC)² workforce data continues to show a multi-million-role global gap, concentrated at the senior and architect end. SC-100 is one of the few credentials specifically positioned for that level and is widely listed as preferred on enterprise security-architect and Microsoft-practice-lead postings, especially at organizations whose security stack is anchored on Defender, Sentinel, Entra, and Purview. Microsoft consulting partners use it as a credential gate for senior delivery roles and architecture-track promotions. It pairs naturally with AZ-305 (Azure solutions architect) or AWS/GCP architect credentials for candidates owning multi-cloud designs, and with CISSP for candidates moving toward CISO-track roles.
SC-100 has the strongest prerequisite expectations of any Microsoft security exam. Microsoft recommends, and effectively assumes, that candidates already hold one of AZ-500 (Azure Security Engineer), SC-200 (Security Operations Analyst), SC-300 (Identity and Access Administrator), or the retired MS-500 (Microsoft 365 Security Administrator) before attempting SC-100. While the prerequisite is not enforced at registration, the exam is calibrated against candidates who arrive with that level of operator-side knowledge.
Beyond the cert prerequisite, Microsoft expects advanced experience and knowledge of identity and access, platform protection, security operations, and securing data and applications, plus experience with hybrid and cloud implementations. In practice, successful candidates are senior security engineers or architects with several years of hands-on time across Microsoft 365 and Azure, working knowledge of Zero Trust principles, and exposure to enterprise governance frameworks. Treat the recommended prereqs as a real floor, not a suggestion.
SC-100 is widely regarded as one of the harder Microsoft exams, comparable in difficulty to AZ-305 or AWS Solutions Architect Professional, and notably harder than the associate-level SC-200 or SC-300. Plan for 80–150 hours of focused study over 8–14 weeks even if you already hold the prerequisite cert, and significantly more if your hands-on architecture experience is thin. The exam runs 100–120 minutes with 40–60 questions including multiple-choice, multiple-response, drag-and-drop, build-list, and one or more case studies; passing score is 700/1000.
The defining challenge is that SC-100 questions rarely have a single objectively correct answer; they ask which design best fits a stated set of business, regulatory, and technical constraints. Candidates who study by memorizing service capabilities tend to fail; those who internalize Zero Trust, MCRA, MCSB, and CAF as decision frameworks, then practice applying them to ambiguous case studies, tend to pass. Time pressure on the case studies is real.
General availability May 2022 as Microsoft's first expert-level security credential. Objectives have since been updated to reflect the Azure AD → Entra rename, the Defender XDR consolidation, the Microsoft Cloud Security Benchmark (replacing the Azure Security Benchmark), and the addition of Microsoft Security Copilot guidance. Role-based credentials expire one year after passing; renewal is free via an unproctored online assessment on Microsoft Learn.
SC-100 (Microsoft Cybersecurity Architect) is an expert-level exam: challenging, scenario-heavy, and requiring deep hands-on experience and the ability to make architectural trade-off decisions. Most candidates need 150–300 hours of study spread over 3–6 months for professional and expert-level exams. These exams typically expect prior associate-level proficiency. Most candidates who score consistently above the passing threshold on practice exams pass on their first attempt.
Most candidates need 150–300 hours of study spread over 3–6 months for professional and expert-level exams. These exams typically expect prior associate-level proficiency. Time-to-pass varies widely by prior experience. Engineers with hands-on production experience in the underlying technology typically need less; candidates new to the platform should plan toward the upper end of that range.
SC-100 is a recognized credential in the Microsoft ecosystem and signals validated knowledge to employers, recruiters, and clients. Whether it is worth the time and fee for you depends on your role and goals; it tends to pay off most for cloud engineers, architects, and consultants who work with Microsoft day-to-day or want to move into roles that do.
The passing score for SC-100 is 700 / 1000. The exam contains 50 questions and lasts 2 hr.
The SC-100 exam fee is $165 USD. Fees are set by Microsoft and may vary by region; always confirm the current price on the official Microsoft certification page before booking.
Microsoft role-based certifications expire after 1 year but can be renewed for free via an unproctored online assessment on Microsoft Learn, starting 6 months before expiration.
Yes. You can take the exam online (proctored via the provider's secure browser, available 24/7 in most regions) or at an in-person Pearson VUE test center during business hours. Both formats use the same questions, time limit, and passing score.
CertLabPro provides 15 study modes across the practice question bank for SC-100. The exam-simulation mode mirrors the real exam: 50 questions in 2 hr, with the same passing threshold of 700 / 1000. Browse mode lets you read every Q&A statically.