Microsoft Security, Compliance, and Identity Fundamentals
175 practice questions
Last reviewed: April 2026
Microsoft Security, Compliance, and Identity Fundamentals (SC-900) is a foundational credential that validates conceptual understanding of Microsoft's security, compliance, and identity (SCI) portfolio across Microsoft 365 and Azure. It is aimed at business stakeholders, IT generalists, sales and partner staff, compliance leads, and anyone new to security who needs a shared vocabulary for Microsoft Entra, Microsoft Defender, Microsoft Sentinel, Microsoft Purview, and Intune. The exam is conceptual rather than hands-on: expect to recognize service capabilities, identify which product addresses a given scenario (Zero Trust, DLP, conditional access, insider risk), and explain core principles of identity, encryption, and shared responsibility in plain language.
Foundational vocabulary: Zero Trust, defense in depth, the shared responsibility model, encryption and hashing basics, and the four identity pillars (administration, authentication, authorization, auditing). Lowest weight (12%) but the conceptual scaffolding the rest of the exam builds on.
Microsoft Entra ID (formerly Azure AD), external identities (B2B/B2C), conditional access, multifactor authentication, passwordless, Identity Protection, Privileged Identity Management, and Entra Permissions Management / Verified ID. About 28% of the exam, the second-largest domain.
Largest domain (38%). Covers Microsoft Sentinel (cloud-native SIEM/SOAR), the Microsoft Defender XDR family (Defender for Endpoint, Office 365, Identity, Cloud Apps), Defender for Cloud, Azure network security (NSGs, Azure Firewall, DDoS Protection), and Azure Bastion. Expect scenario questions that ask which product fits which threat.
Microsoft Purview (compliance portal, information protection, DLP, insider risk management, eDiscovery, audit), Service Trust Portal, Compliance Manager, and resource governance via Azure Policy and Microsoft Purview Data Governance. About 22% of the exam.
Services you'll encounter on the exam and why each one matters.
Cloud identity and access management service that authenticates users, devices, and workloads against directory accounts, B2B/B2C external identities, and federated providers.
Why it's on the exam: Domain 2 (Capabilities of Microsoft Entra) anchors on Entra ID as the identity provider; expect questions on authentication, SSO, MFA, and tenant types.
Risk-based identity protection that detects sign-in anomalies, leaked credentials, and impossible-travel patterns, then enforces risk policies.
Why it's on the exam: Domain 2 tests risk-based conditional access; ID Protection is the named source of sign-in and user risk signals.
Decentralized identity service that issues and verifies tamper-proof digital credentials based on open standards (W3C DIDs, Verifiable Credentials).
Why it's on the exam: Domain 2 surfaces Verified ID as the decentralized-identity scenario, distinguishing claims-based verification from traditional directory lookups.
Just-in-time elevation and approval workflows for privileged roles in Entra ID, Azure resources, and Microsoft 365, with time-bound access and audit trails.
Why it's on the exam: Domain 2 tests least-privilege patterns; PIM is the named answer for "how do you grant admin access on demand without standing permissions."
Unified pre- and post-breach defense suite that correlates signals across endpoints, identities, email, cloud apps, and data into a single incident view.
Why it's on the exam: Domain 3 (Microsoft Security solutions) hinges on Defender XDR as the cross-workload incident-investigation surface.
Cloud-native application protection platform (CNAPP) that provides security posture management (CSPM) and workload protection (CWP) across Azure, AWS, and GCP.
Why it's on the exam: Domain 3 expects Defender for Cloud as the multicloud posture and workload-protection answer; secure score, regulatory compliance, and CWP plans surface in questions.
Cloud-native SIEM and SOAR built on Azure that ingests signals across the estate, hunts threats with KQL, and automates response via playbooks.
Why it's on the exam: Domain 3 names Sentinel as the SIEM/SOAR answer; questions test the SIEM vs. SOAR distinction and data-connector architecture.
Enterprise endpoint detection and response (EDR) platform with attack-surface reduction, next-gen antimalware, and automated investigation across Windows, macOS, Linux, iOS, and Android.
Why it's on the exam: Domain 3 tests endpoint protection capabilities; Defender for Endpoint is the named EDR for device-level threat scenarios.
Protection for Microsoft 365 mailboxes, Teams, SharePoint, and OneDrive against phishing, business email compromise, and malicious attachments via Safe Links and Safe Attachments.
Why it's on the exam: Domain 3 includes email/collaboration threat scenarios; Defender for Office 365 is the named control for Safe Links / Safe Attachments / anti-phishing policies.
Cloud access security broker (CASB) that discovers shadow IT, applies session controls, and protects sanctioned SaaS apps via API connectors and reverse proxy.
Why it's on the exam: Domain 3 frames CASB scenarios: shadow-IT discovery, conditional access app control, and SaaS DLP all point to Defender for Cloud Apps.
On-premises Active Directory threat detection that surfaces reconnaissance, lateral movement, domain dominance, and Golden Ticket attacks from domain-controller traffic.
Why it's on the exam: Domain 3 covers hybrid identity threats; Defender for Identity is the named AD-focused detection layer distinct from cloud-only Entra ID Protection.
Unified endpoint management (UEM) for device enrollment, configuration, app deployment, and compliance evaluation across Windows, macOS, iOS, Android, and Linux.
Why it's on the exam: Domain 3 ties device compliance to Conditional Access: Intune supplies the compliance signal that gates resource access.
Sensitivity labels, encryption, and content-aware classification that travel with documents and emails across Microsoft 365 and approved third-party apps.
Why it's on the exam: Domain 4 (Microsoft compliance solutions) tests how labels classify and protect data at rest, in transit, and in use.
Policy engine that detects, blocks, or audits sensitive data in motion across Microsoft 365 services, endpoints, and on-premises SharePoint/OneDrive.
Why it's on the exam: Domain 4 names DLP as the canonical answer to "stop sensitive content from leaving the tenant" scenarios across email, Teams, and endpoints.
ML-driven detection of malicious or inadvertent insider activity (data exfiltration, departing-employee theft, policy violations) with pseudonymized investigation workflows.
Why it's on the exam: Domain 4 covers insider threat as a distinct compliance pillar; Insider Risk Management is the named workload.
Legal-hold, search, and export capabilities across Microsoft 365 content for litigation, investigation, and regulatory response, with eDiscovery (Premium) custodian workflows.
Why it's on the exam: Domain 4 tests legal/regulatory hold workflows; eDiscovery is the named tooling for preservation, search, and export.
Policy-as-code service that audits and enforces resource configuration across Azure subscriptions, with Blueprints packaging policies, role assignments, and ARM templates as a deployable unit.
Why it's on the exam: Domain 1 and Domain 4 reference policy enforcement as the mechanism behind governance baselines; Azure Policy + Blueprints is the named control.
Centralized portal for Microsoft cloud compliance documentation paired with Compliance Manager, which scores tenant compliance against frameworks like ISO 27001, NIST, and GDPR.
Why it's on the exam: Domain 4 explicitly tests Service Trust Portal and Compliance Manager as the surfaces customers use to evidence compliance posture.
Policy engine that evaluates signals (user, location, device state, app, risk) and enforces controls like MFA, compliant device, or session restrictions before granting access.
Why it's on the exam: Domain 2 treats Conditional Access as the central enforcement point for Zero Trust signals; expect scenario questions on policy assignment and exclusions.
Managed service for keys, secrets, and certificates with HSM-backed key protection, customer-managed key (CMK) integration, and access policies via RBAC or vault access policies.
Why it's on the exam: Domain 3 covers protecting secrets and CMK encryption scenarios; Key Vault is the named store across Azure workloads.
$65k–$92k–$130k USD annual
SC-900 is foundational and rarely the deciding factor in compensation; these ranges reflect early-career security and identity-adjacent roles in the US where SC-900 is one of several signals on the resume. Senior security roles (where SC-200, SC-100, AZ-500, or CISSP are expected) trend significantly higher.
Source: U.S. BLS OEWS May 2024 (15-1212 information security analysts, median ~$120k; 15-1232 computer user support, median ~$60k), levels.fyi 2025–2026 security and IT support roles. Figures are approximate; actual compensation depends on role, region, and experience.
Microsoft's security stack (Defender XDR, Sentinel, Purview, Entra, and Intune) is the default in a large share of enterprises that already run Microsoft 365 and Azure, which makes SC-900 one of the most widely recognized entry-level security credentials. Recruiters use it as a screening signal that a candidate can speak the Microsoft security vocabulary in interviews even before they hold a hands-on role. It is especially common on resumes for help-desk, IT-generalist, compliance, and partner pre-sales staff who are pivoting toward security, and for non-technical stakeholders (project managers, account executives, GRC leads) who need credibility when discussing Zero Trust, conditional access, or DLP with security teams. By itself it does not qualify someone for analyst or engineer roles, but it pairs well with SC-200 or AZ-500 as the next step.
There are no formal prerequisites. Microsoft recommends familiarity with networking and cloud computing concepts, general IT literacy, and a basic understanding of Microsoft Azure and Microsoft 365, but candidates with no Microsoft background regularly pass after working through the official Microsoft Learn path (~10–14 hours) and one practice assessment.
If you have never used Azure or Microsoft 365, completing AZ-900 (Azure Fundamentals) or MS-900 (Microsoft 365 Fundamentals) first will make SC-900 noticeably easier: many SC-900 questions assume you recognize core Azure resources and the M365 admin surface. The three "900-level" exams overlap meaningfully and are often taken together by candidates building a Microsoft cloud foundation. Hands-on labs are not strictly required, but a free Microsoft 365 developer tenant and an Azure free account let you click through Entra, Purview, and Defender portals, which sticks far better than reading alone.
SC-900 is rated foundational and is one of the more approachable Microsoft certifications. Plan for 20–40 hours of study over 2–4 weeks if you have no prior Microsoft cloud or security background, or 8–15 hours over a week if you already know AZ-900 / MS-900 territory. The exam runs about 45 minutes with roughly 40–60 multiple-choice and multiple-response questions; passing score is 700/1000 on a scaled scoring model.
The hardest part for most candidates is service-name recognition: the Microsoft security portfolio has been renamed and reorganized repeatedly (Azure AD became Entra ID, the Defender suite consolidated into Defender XDR, Microsoft 365 Compliance became Purview), and exam questions consistently test whether you can match the current product name to the right capability. Memorizing the role of each product (Defender for Endpoint vs. Defender for Cloud vs. Defender for Identity, Purview vs. Priva, Entra ID vs. Entra Permissions Management) is most of what separates passing from failing.
General availability April 2021 as part of the Microsoft Security, Compliance, and Identity Fundamentals track. Objectives are refreshed periodically (most recently to reflect the Azure AD to Entra rename and the Microsoft 365 Compliance to Purview rebrand); as a fundamentals exam it does not retire on a 1-year cycle and the credential does not expire.
SC-900 (Microsoft Security, Compliance, and Identity Fundamentals) is considered an entry-level, foundational exam that tests breadth of conceptual understanding rather than hands-on depth. Most candidates who score consistently above the passing threshold on practice exams pass on their first attempt.
Most candidates need 30–80 hours of study spread over 3–6 weeks for foundational-level exams. Time-to-pass varies widely by prior experience. Engineers with hands-on production experience in the underlying technology typically need less; candidates new to the platform should plan toward the upper end of that range.
SC-900 is a recognized credential in the Microsoft ecosystem and signals validated knowledge to employers, recruiters, and clients. Whether it is worth the time and fee for you depends on your role and goals; it tends to pay off most for cloud engineers, architects, and consultants who work with Microsoft day-to-day or want to move into roles that do.
The passing score for SC-900 is 700 / 1000. The exam contains 40 questions and lasts 45 min.
The SC-900 exam fee is $99 USD. Fees are set by Microsoft and may vary by region; always confirm the current price on the official Microsoft certification page before booking.
Microsoft fundamentals certifications never expire (AZ-900, AI-900, DP-900, SC-900).
Yes. You can take the exam online (proctored via the provider's secure browser, available 24/7 in most regions) or at an in-person Pearson VUE test center during business hours. Both formats use the same questions, time limit, and passing score.
CertLabPro provides 15 study modes across the practice question bank for SC-900. The exam-simulation mode mirrors the real exam: 40 questions in 45 min, with the same passing threshold of 700 / 1000. Browse mode lets you read every Q&A statically.