Last reviewed: May 2026
Build the Azure services on the SC-900 exam with plain Terraform, one block at a time, each tied back to an exam domain. The same code works on OpenTofu.
By the end of this lab you'll have provisioned, with plain Terraform, the SC-900 foundational security baseline — a Microsoft Entra security group (the identity primitive), a Key Vault with RBAC authorization, Microsoft Defender for Cloud Foundational CSPM enabled at subscription scope, and a Log Analytics workspace receiving the security telemetry. Four blocks; the smallest realistic Microsoft Security-and-Identity surface.
Drop the snippets into a single main.tf, run terraform init, then terraform apply step-by-step.
Prerequisites:
- Terraform >= 1.5 or OpenTofu >= 1.6.
- An Azure CLI session (az login). Your signed-in identity must have permission to create Entra groups.
- The azuread Terraform provider (separate from azurerm). It authenticates to Microsoft Entra ID (via the Microsoft Graph) using the same az login session.
- All free at this scope.
The whole stack idles at ~$0/month. The SC-900 lab is the cheapest in this whole pass: the goal is conceptual fluency, not expensive infrastructure.
SC-900 requires working with Microsoft Entra ID, which is separate from Azure RBAC and managed by a separate Terraform provider. We pin both azurerm and azuread: the latter manages Entra users, groups, app registrations, and service principals; the former manages Azure subscriptions and resources.
```hcl
terraform {
  required_version = ">= 1.5"
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 4.0" }
    azuread = { source = "hashicorp/azuread", version = "~> 3.0" }
    random  = { source = "hashicorp/random", version = "~> 3.0" } # suffix for the globally unique Key Vault name
  }
}

provider "azurerm" {
  # azurerm 4.x requires the target subscription: set ARM_SUBSCRIPTION_ID in the
  # environment (or a subscription_id argument here) before terraform plan.
  features {
    key_vault {
      purge_soft_delete_on_destroy = true # terraform destroy also purges the soft-deleted vault
    }
  }
}

provider "azuread" {} # reuses the az login session to talk to Microsoft Graph

data "azurerm_client_config" "current" {}
data "azuread_client_config" "current" {}

locals {
  tags = {
    Project   = "certlabpro-sc-900"
    ManagedBy = "terraform"
  }
}

resource "azurerm_resource_group" "main" {
  name     = "certlabpro-sc-900-rg"
  location = "eastus"
  tags     = local.tags
}
```

Microsoft Entra ID (formerly Azure AD) is the identity-and-access service every Microsoft cloud product hooks into. SC-900's first domain, Describe the concepts of security, compliance, and identity, leans on Entra ID as the identity foundation.
A security group is the canonical container for granting RBAC roles to many users at once. The exam tests this group-based RBAC pattern as the right answer to scaling permissions across hundreds of users: assign roles to groups, not to individuals.
The security_enabled = true and mail_enabled = false combo creates a security-only group (no shared mailbox). Adding the current user as owner means you can manage membership via the Entra portal after terraform apply.
```hcl
resource "azuread_group" "security_admins" {
  display_name     = "certlabpro-sc-900-security-admins"
  description      = "Lab security admins group for the SC-900 walkthrough."
  security_enabled = true  # security group: usable as an RBAC principal
  mail_enabled     = false # no shared mailbox (that would make it a Microsoft 365 group)
  owners = [
    data.azuread_client_config.current.object_id, # signed-in user can manage membership in the portal
  ]
}
```

SC-900 tests the separation-of-concerns pattern: secrets live in Key Vault; access is granted to Entra groups (not users); group membership is managed at the identity layer. We provision a Key Vault with RBAC authorization, then assign Key Vault Secrets Officer to the security group from Step 2.
Anyone added to the security-admins group inherits the secrets-management permission automatically. Compare this to the older access policy model, where each user was named individually on the vault; the SC-900 domain Identify the basic identity services and identity types of Microsoft Entra ID calls this out as the RBAC-over-access-policy contrast.
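A post-apply check for the group-based pattern described above, added here as an example and not part of the lab's own code: it reads the JSON printed by `az role assignment list --scope <vault-resource-id> -o json` and flags any role granted directly to a user instead of a group, then summarises which principals can actually read secret values. The embedded sample output is constructed, with placeholder IDs and names; the `allowed_users` allow-list and the `SECRET_READ_ROLES` set are this example's own choices.

```python
"""Audit Key Vault role assignments for the group-based RBAC pattern.

Added example, not the lab's own code. Input is the JSON that
`az role assignment list --scope <vault-resource-id> -o json` prints.
"""
import json
import sys
from collections import defaultdict

# Key Vault data-plane roles that expose secret *values* when RBAC
# authorization is enabled (management-plane Owner/Contributor do not).
SECRET_READ_ROLES = frozenset({
    "Key Vault Administrator",
    "Key Vault Secrets Officer",
    "Key Vault Secrets User",
})

# Constructed sample of the CLI output, trimmed to the fields the audit uses.
# IDs, names and the subscription segment are placeholders, not real values.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalId": "00000000-0000-0000-0000-000000000001",
     "principalName": "certlabpro-sc-900-security-admins",
     "principalType": "Group",
     "roleDefinitionName": "Key Vault Secrets Officer",
     "scope": "/subscriptions/<sub>/resourceGroups/certlabpro-sc-900-rg/providers/Microsoft.KeyVault/vaults/kv-sc900-example"},
    {"principalId": "00000000-0000-0000-0000-000000000002",
     "principalName": "alice@example.com",
     "principalType": "User",
     "roleDefinitionName": "Key Vault Administrator",
     "scope": "/subscriptions/<sub>/resourceGroups/certlabpro-sc-900-rg/providers/Microsoft.KeyVault/vaults/kv-sc900-example"},
    {"principalId": "00000000-0000-0000-0000-000000000003",
     "principalName": "ci-pipeline",
     "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/<sub>/resourceGroups/certlabpro-sc-900-rg"},
])


def audit_assignments(assignments, allowed_users=frozenset()):
    """Return (findings, secret_readers).

    findings: one dict per assignment granted to a User principal that is not
              on the allow-list (e.g. a documented break-glass account).
    secret_readers: principalName -> sorted roles that expose secret values.
    """
    findings = []
    secret_readers = defaultdict(set)
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        name = a.get("principalName") or a.get("principalId", "?")
        if a.get("principalType") == "User" and name not in allowed_users:
            findings.append({"principal": name, "role": role, "scope": a.get("scope", "")})
        if role in SECRET_READ_ROLES:
            secret_readers[name].add(role)
    return findings, {k: sorted(v) for k, v in secret_readers.items()}


def audit_json(text, allowed_users=frozenset()):
    """Convenience wrapper: parse the CLI JSON and audit it."""
    return audit_assignments(json.loads(text), allowed_users)


def main(argv):
    raw = open(argv[1]).read() if len(argv) > 1 else SAMPLE_ASSIGNMENTS
    findings, readers = audit_json(raw)
    for name, roles in readers.items():
        print(f"secret access: {name}: {', '.join(roles)}")
    for f in findings:
        print(f"FINDING: user {f['principal']} holds {f['role']} directly; move them into a group")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to a saved `az role assignment list` JSON file, or with no argument to see it work on the constructed sample; a non-zero exit makes it usable as a CI gate. On the lab's own vault the expected output is the group holding Secrets Officer plus the deploying identity's Key Vault Administrator assignment, which is exactly the kind of direct-user grant the allow-list exists for.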
```hcl
# Short random suffix so the vault name is globally unique and stable across
# plans (uuid() would change on every run and needed ignore_changes to paper over).
resource "random_string" "kv_suffix" {
  length  = 6
  special = false
  upper   = false
}

resource "azurerm_key_vault" "main" {
  name                       = "kv-sc900-${random_string.kv_suffix.result}"
  resource_group_name        = azurerm_resource_group.main.name
  location                   = azurerm_resource_group.main.location
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  rbac_authorization_enabled = true # Azure RBAC instead of access policies (azurerm 4.x name; 3.x used enable_rbac_authorization)
  soft_delete_retention_days = 7
  tags                       = local.tags
}

# The deploying identity gets full data-plane rights so it can manage secrets
# after apply. With RBAC authorization, Owner/Contributor on the vault grant no
# data-plane access by themselves.
resource "azurerm_role_assignment" "kv_admin_self" {
  scope                = azurerm_key_vault.main.id
  role_definition_name = "Key Vault Administrator"
  principal_id         = data.azurerm_client_config.current.object_id
}

# Group-based RBAC: anyone added to the group inherits secrets management.
# principal_type lets the role-assignment API skip its directory lookup, which
# sidesteps PrincipalNotFound errors while a just-created group is still replicating.
resource "azurerm_role_assignment" "kv_secrets_group" {
  scope                = azurerm_key_vault.main.id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = azuread_group.security_admins.object_id
  principal_type       = "Group"
}
```

Defender for Cloud's Foundational CSPM tier is always free and includes the Microsoft Cloud Security Benchmark assessment: automated checks against the CIS / NIST controls Microsoft has ported into Azure. SC-900's Describe the capabilities of Microsoft security solutions domain points at this as the day-one posture-visibility primitive.
We enable it at subscription scope and provision a Log Analytics workspace where any security alerts / recommendations land for KQL querying. With the four primitives in place (Entra group, Key Vault with RBAC, Defender CSPM, Log Analytics), the SC-900 foundational stack is complete — group-based identity → secrets management → posture monitoring → audit fabric.
```hcl
resource "azurerm_log_analytics_workspace" "main" {
  name                = "log-sc900"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  sku                 = "PerGB2018"
  retention_in_days   = 30
  tags                = local.tags
}

# Foundational CSPM is the "Free" tier of the CloudPosture plan; "Standard"
# would turn on the paid Defender CSPM plan.
resource "azurerm_security_center_subscription_pricing" "cspm" {
  tier          = "Free"
  resource_type = "CloudPosture"
}
```

terraform destroy tears down everything. The Entra group destroys instantly; any RBAC assignments referencing it must already be removed (Terraform handles the dependency graph). Key Vault has 7-day soft-delete; purge_soft_delete_on_destroy = true in the provider features actually purges it, so the vault name is released for reuse.
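A pre-apply policy gate for the stack built in the four blocks above, added as an example and not part of the lab: it parses the output of `terraform show -json tfplan` and checks the properties the lab relies on (Key Vault RBAC authorization on, Log Analytics retention at the lab's 30 days, a CloudPosture pricing resource present). The embedded plan fragments are constructed to match the shape Terraform emits; the check names and thresholds are this example's own.

```python
"""Pre-apply policy gate over `terraform show -json tfplan` for the SC-900 lab.

Added example, not the lab's own code. Usage:
  terraform plan -out tfplan && terraform show -json tfplan > plan.json
  python check_plan.py plan.json
"""
import json
import sys

# Constructed sample in the shape `terraform show -json` emits, trimmed to the
# attributes the checks read. A real plan carries many more keys.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        {"address": "azurerm_key_vault.main", "type": "azurerm_key_vault",
         "values": {"rbac_authorization_enabled": True,
                    "soft_delete_retention_days": 7}},
        {"address": "azurerm_log_analytics_workspace.main",
         "type": "azurerm_log_analytics_workspace",
         "values": {"retention_in_days": 30}},
        {"address": "azurerm_security_center_subscription_pricing.cspm",
         "type": "azurerm_security_center_subscription_pricing",
         "values": {"tier": "Free", "resource_type": "CloudPosture"}},
    ]}},
})

# Constructed failing plan: vault still on the access-policy model (azurerm 3.x
# attribute name) and no CloudPosture pricing resource at all.
SAMPLE_PLAN_ACCESS_POLICY = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        {"address": "azurerm_key_vault.main", "type": "azurerm_key_vault",
         "values": {"enable_rbac_authorization": False,
                    "soft_delete_retention_days": 7}},
        {"address": "azurerm_log_analytics_workspace.main",
         "type": "azurerm_log_analytics_workspace",
         "values": {"retention_in_days": 30}},
    ]}},
})


def iter_resources(module):
    """Walk root_module and nested child_modules, yielding every planned resource."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_plan(plan):
    """Return a list of policy findings; an empty list means the plan passes."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    by_type = {}
    for r in iter_resources(root):
        by_type.setdefault(r["type"], []).append(r)

    for kv in by_type.get("azurerm_key_vault", []):
        v = kv.get("values", {})
        # azurerm 4.x attribute; the 3.x name is accepted so older plans still check.
        rbac = v.get("rbac_authorization_enabled", v.get("enable_rbac_authorization"))
        if rbac is not True:
            findings.append(f"{kv['address']}: RBAC authorization must be enabled (access-policy model in use)")

    for law in by_type.get("azurerm_log_analytics_workspace", []):
        if (law.get("values", {}).get("retention_in_days") or 0) < 30:
            findings.append(f"{law['address']}: retention_in_days must be at least 30")

    cspm = [p for p in by_type.get("azurerm_security_center_subscription_pricing", [])
            if p.get("values", {}).get("resource_type") == "CloudPosture"]
    if not cspm:
        findings.append("no azurerm_security_center_subscription_pricing for CloudPosture: Defender CSPM not enabled")
    return findings


def check_plan_json(text):
    """Parse plan JSON text and run the checks."""
    return check_plan(json.loads(text))


if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    problems = check_plan_json(raw)
    for p in problems:
        print("FAIL:", p)
    print("plan passes" if not problems else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```

Because data sources are read during plan, the vault and workspace attributes are known before anything is created, so this gate runs before apply and can block a plan that would silently fall back to the access-policy model or leave CSPM off.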
SC-900 covers many Microsoft Security surfaces this lab touches only conceptually — Conditional Access (covered in SC-100), Privileged Identity Management (PIM), Identity Protection, Multi-Factor Authentication enforcement policies, Microsoft Sentinel (covered in SC-200), Microsoft Defender XDR (the unified incident view across Defender for Identity / Endpoint / Office / Cloud Apps), Microsoft Purview (data governance + risk + compliance manager), Insider Risk Management, eDiscovery, Communication Compliance, and the entire Microsoft 365 compliance center.
We stick to the Entra group + Key Vault RBAC + Defender CSPM + Log Analytics primitives because they're the foundation every more-advanced Microsoft Security service composes on top of. Sentinel reads from Log Analytics workspaces. Conditional Access uses Entra groups for policy assignment. Defender XDR enriches Defender for Cloud alerts. PIM elevates Entra group memberships.
For service-by-service coverage, see the Browse, Playbook, and Editorial sections of this cert page.