SC-100: Microsoft Cybersecurity Architect Study Guide
Microsoft SC-100 (Cybersecurity Architect) validates your ability to design and continuously evolve an enterprise cybersecurity strategy across Zero Trust, governance/risk/compliance, security operations, identity, and protection of data, applications, endpoints, and infrastructure. It is aimed at experienced security architects who translate business and regulatory requirements into Microsoft security capabilities such as Entra, Defender XDR, Sentinel, Defender for Cloud, and Purview. Expect scenario-based questions that ask you to choose the best-fit architecture rather than to configure a single feature.
Reviewed Jul 2026.
Domain 1: Design solutions that align with security best practices and priorities
- Microsoft Zero Trust is built on three guiding principles: verify explicitly (authenticate and authorize on all available signals), use least privilege access (just-in-time and just-enough-access with risk-based adaptive policies), and assume breach (segment access, minimize blast radius, and verify end-to-end encryption).
- Zero Trust is organized into six technology pillars - Identity, Endpoints, Data, Applications, Infrastructure, and Network - coordinated by cross-cutting visibility, automation, and orchestration. Identity is treated as the primary control plane.
- Microsoft Entra Conditional Access is the Zero Trust policy decision and enforcement point that implements verify explicitly, evaluating signals such as sign-in and user risk, device compliance, location, and app to enforce MFA, block, or session controls per request.
- Continuous Access Evaluation (CAE) revokes or challenges active sessions in near real time when risk or policy changes, rather than waiting for token expiry.
- The Microsoft Cybersecurity Reference Architectures (MCRA) are diagram-based guidance showing how Microsoft security capabilities integrate with each other and third-party platforms to implement Zero Trust and modernize security operations.
- The Microsoft Cloud Security Benchmark (MCSB) provides prescriptive, prioritized control baselines for Azure and multicloud, mapped to frameworks like CIS and NIST, and is surfaced in Defender for Cloud as the default compliance and secure-score baseline.
- Cloud Adoption Framework (CAF) enterprise-scale landing zones apply governance guardrails at the management group level using Azure Policy (compliance and auto-remediation) and RBAC (least privilege), inherited down the hierarchy for consistent enforcement.
- Scalable enterprise segmentation uses management groups, per-workload subscriptions, and hub-and-spoke (or Virtual WAN) networking to align organizational boundaries with security boundaries.
- Privileged Identity Management (PIM) provides just-in-time elevation, and scoped custom RBAC roles provide just-enough-access, together implementing least privilege for administrative accounts.
- Microsoft Purview sensitivity labels classify and persistently protect data based on its sensitivity, applying encryption and access controls that travel with the content.
- Intune device compliance signals feed Conditional Access so access can be gated on device health, satisfying the Endpoints pillar of Zero Trust.
- Defender for Cloud multicloud connectors extend MCSB posture assessment and secure score across Azure, AWS, and GCP for unified cross-cloud governance.
- The Rapid Modernization Plan (RaMP) and Microsoft security top tasks prioritize high-impact, quick-win protections to accelerate Zero Trust adoption against a modernization roadmap.
- The Well-Architected Framework (WAF) Security pillar centers on Zero Trust and defense in depth, including keeping secrets in Key Vault and using managed identities instead of embedded credentials.
Domain 2: Design security operations, identity, and compliance capabilities
- Onboarding Microsoft Sentinel into the unified Microsoft Defender portal gives analysts a single synchronized incident queue that correlates Sentinel analytics-rule alerts with Defender XDR alerts across endpoints, identities, email, SaaS apps, and servers.
- A single centralized Log Analytics workspace with Sentinel enabled is the recommended design when the goal is to correlate incidents and run cross-source analytics in one place, with the Azure Monitor Agent and data collection rules routing logs from any subscription or region.
- Multiple regional workspaces satisfy data residency and sovereignty requirements because Log Analytics data stays in its workspace region; cross-workspace KQL queries still let analysts correlate across them.
- Sentinel delivers SOAR through automation rules (which define when and how automated responses trigger) and playbooks (Azure Logic Apps workflows that perform enrichment and remediation such as disabling an account or isolating a device).
- Advanced hunting uses KQL against a shared schema spanning Defender XDR tables and Sentinel workspace tables; successful hunting queries can be promoted into custom detection rules.
- A hot interactive retention tier (commonly 90 days) supports fast investigation while a lower-cost archive/long-term retention tier with search jobs or data restore satisfies multi-year compliance mandates at far lower cost.
- The Auxiliary logs plan is intended for high-volume, low-value verbose data that must be retained cheaply but is queried infrequently.
- User and Entity Behavior Analytics (UEBA) builds behavioral baselines for users and entities to surface anomalous activity that static rules miss.
- The Fusion engine correlates multiple low-fidelity alerts into high-fidelity, multistage attack incidents, reducing alert noise.
- Microsoft Defender for Identity detects on-premises Active Directory attacks such as reconnaissance, lateral movement, and domain dominance, feeding signals into the unified SecOps experience.
- Data collection rule (DCR) ingestion-time transformations filter, drop, or reshape data before storage to control cost and normalize schema, while the Entra ID connector ingests sign-in and audit logs into Sentinel.
- Mapping detections to the MITRE ATT&CK framework and using Sentinel's MITRE coverage view reveals gaps in detection across tactics and techniques.
- Threat intelligence is ingested via the TAXII connector and matched against telemetry using built-in threat-intelligence matching analytics rules to raise indicator-based detections.
- Microsoft Security Copilot is the embedded generative-AI SOC assistant that accelerates investigation, summarization, and response, and Sentinel built-in RBAC roles should be scoped to job function for least privilege.
Domain 3: Design security solutions for infrastructure
- Azure Private Link projects a PaaS resource into a VNet as a private endpoint NIC with a private IP; linking the matching privatelink Private DNS zone makes the service FQDN resolve privately, and disabling public network access removes internet exposure with no connection-string changes.
- Disabling public network access on a resource blocks all public-endpoint access, including from within the VNet, so only private endpoints and explicitly allowed networks can reach it - enforcing least-privilege connectivity at the resource itself.
- Virtual WAN with a Secured Virtual Hub provides Microsoft-managed transitive routing plus integrated Azure Firewall (or partner NVA); routing intent policies automatically steer internet and private traffic through the hub firewall with minimal per-hub configuration.
- Azure Firewall Premium uniquely adds TLS inspection and an intrusion detection and prevention system (IDPS) on top of FQDN and threat-intelligence filtering; a default route (0.0.0.0/0) in each spoke pointing to the firewall forces all egress through inspection.
- NSGs still handle granular Layer 3/4 segmentation while Azure Firewall handles FQDN filtering, threat-intel filtering, and centralized logging, so both are typically deployed together in a defense-in-depth design.
- Application Security Groups (ASGs) let NSG rules reference logical tiers as sources and destinations, so newly scaled VMs inherit policy by joining the ASG; combining ASGs with explicit inter-tier allows and a default deny delivers maintainable east-west segmentation.
- Azure Front Door is the global anycast Layer 7 entry point with edge TLS termination; its integrated WAF in Prevention mode actively blocks OWASP attacks (SQL injection, XSS) and supports custom rules including geo-match filtering.
- Front Door provides the global WAF-protected edge while Application Gateway v2 provides regional in-VNet Layer 7 load balancing with WAF to private backends, and Front Door Premium adds bot management, geo-filtering, and caching.
- Azure DDoS Network Protection (and the IP Protection SKU) delivers adaptive traffic profiling, tuned mitigation, attack telemetry and alerting, cost protection, and access to the DDoS Rapid Response team, exceeding the always-on platform baseline.
- Azure Bastion is a managed PaaS service providing browser-based RDP/SSH over TLS to VMs that have no public IP, removing the need for a self-managed jump host or public management ports.
- Private Link Service lets a provider publish a service behind a Standard internal load balancer that consumers reach through their own private endpoints, with no VNet peering or internet exposure.
- Centralizing Private DNS zones in the hub, linking them to all VNets, and using an Azure DNS Private Resolver with Azure Policy for auto-registration gives consistent, scalable private-endpoint name resolution.
- Microsoft Entra Private Access publishes internal apps through an outbound connector governed by Conditional Access, verifying identity and device with no inbound ports opened, and ExpressRoute private peering keeps cross-premises traffic off the public internet with UDRs routing it through the hub firewall.
- Non-overlapping address-space planning with right-sized per-tier subnets lets NSG/ASG segmentation policy scale independently of subnet boundaries, and adding public IPs or a public IP prefix to Azure Firewall expands the SNAT port pool while preserving centralized inspection.
Domain 4: Design security solutions for applications and data
- GitHub Advanced Security is the native shift-left toolset for GitHub repos: Dependabot flags and blocks vulnerable dependencies, CodeQL performs static analysis (SAST), and secret scanning with push protection prevents hardcoded credentials from being pushed.
- Shift-left places checks progressively earlier in the lifecycle: IDE/pre-commit, PR-time SAST and software composition analysis (SCA), build-time image scanning, staging DAST, and runtime monitoring.
- Managed identities eliminate stored credentials: a system- or user-assigned identity gets an Entra token, RBAC grants data-plane access, and a contained database user mapped to the identity lets Azure SQL authenticate it via Entra without secrets.
- User-assigned managed identities have an independent lifecycle, so they can be pre-provisioned, shared, and are revocable without being orphaned when a single app is deleted.
- OIDC workload identity federation lets a GitHub Actions or workload present a short-lived token exchanged for an Azure token at runtime; scoping the federated credential subject to specific branches or environments removes long-lived secrets and constrains who can obtain tokens.
- Azure API Management is the API gateway that centralizes concerns: validate-jwt verifies Entra tokens at the gateway, rate-limit-by-key and quota policies throttle abuse, content/size validation guards payloads, and the backend topology is abstracted from callers.
- API Management internal VNet mode exposes a private-only endpoint reachable from the VNet and connected on-premises networks, and Defender for APIs adds inventory, posture insights, and threat detection for published APIs.
- Azure Key Vault is the enterprise secret and certificate store, hardened with RBAC, private endpoints, purge protection, and managed-identity access; apps fetch secrets and certificates at runtime rather than storing them.
- For AKS, Entra Workload ID federates pod service accounts to Entra identities so pods get tokens without stored secrets, Azure Policy restricts admission to an approved registry, and image signature/attestation verification ensures only signed images run.
- The Key Vault provider for the Secrets Store CSI Driver mounts secrets into pods (authenticated by Workload ID) without app code changes or storing plaintext in etcd.
- An SBOM plus Dependabot dependency-graph alerts inventories software components and flags new CVEs against them, while dependency review on pull requests can fail builds for disallowed licenses or critical vulnerabilities.
- Always Encrypted encrypts sensitive columns client-side so database administrators never see plaintext, while the application decrypts using keys it controls, and OAuth 2.0 tokens validated by validate-jwt replace weak subscription-key auth for high-value operations.
- Managed identities issuing Entra tokens that the callee validates provide secret-free service-to-service authentication and per-service authorization for internal APIs and microservices.
- For public web apps, Front Door Premium with the managed WAF ruleset blocks OWASP-style attacks globally and logs to Log Analytics, while regional VNet integration routes egress through a firewall and access restrictions lock inbound access to the Front Door service tag.
SC-100 exam tips
- SC-100 questions are scenario-driven and ask for the best design, not just a working one - weigh requirements like least privilege, no stored secrets, data residency, and no public exposure, then pick the option that satisfies all of them.
- Anchor answers to the three Zero Trust principles (verify explicitly, least privilege, assume breach) and the six pillars; when in doubt, the option that verifies identity and device and segments to limit blast radius is usually correct.
- Know when to choose a single centralized Log Analytics/Sentinel workspace (correlation and unified analytics) versus multiple regional workspaces (data residency and sovereignty), since this is a recurring decision point.
- For infrastructure questions, distinguish the tools precisely: private endpoints plus disabling public access for resource isolation, Azure Firewall Premium for TLS inspection and IDPS, Front Door WAF for global Layer 7, and Bastion for portless admin access.
- For credentials and secrets, default to managed identities and OIDC workload identity federation over stored secrets, and to Key Vault with RBAC and private endpoints for anything that must be stored.
Study guide FAQ
How is SC-100 different from SC-200, SC-300, and AZ-500?
SC-100 is a design and strategy exam for security architects: it assumes you already understand the operations (SC-200), identity (SC-300), and Azure security (AZ-500) technologies and tests whether you can combine them into an end-to-end architecture that meets business, risk, and compliance requirements. Microsoft recommends prior experience or certification in one of those areas before attempting SC-100.
Do I need to memorize portal steps and exact policy syntax?
No. SC-100 focuses on choosing the right capability and design pattern for a scenario rather than click-by-click configuration. You should recognize what each service does (for example that Azure Firewall Premium provides TLS inspection and IDPS, or that validate-jwt enforces token validation in API Management) and when to use it, not the precise steps to configure it.
What frameworks and reference materials should I be comfortable with?
Know the Microsoft Cybersecurity Reference Architectures (MCRA), the Microsoft Cloud Security Benchmark (MCSB) as the Defender for Cloud default baseline, the Cloud Adoption Framework (CAF) landing zones with Azure Policy and RBAC guardrails, the Well-Architected Framework Security pillar, and how detections map to MITRE ATT&CK. These frame most best-practice questions.
How current is the exam, and does it cover the unified Defender and Sentinel experience?
Yes. The current SC-100 reflects the 2025 unified security operations experience where Microsoft Sentinel is onboarded into the Microsoft Defender portal for a single correlated incident queue, and it includes modern capabilities such as Security Copilot, Entra Private Access, and multicloud posture management through Defender for Cloud. Study the latest Microsoft Learn content rather than older material.