SC-900: Security, Compliance, and Identity Fundamentals Study Guide
SC-900: Security, Compliance, and Identity Fundamentals validates foundational knowledge of security, compliance, and identity (SCI) concepts and how related Microsoft services - Microsoft Entra, Microsoft Defender, Microsoft Sentinel, and Microsoft Purview - address them. It is aimed at people new to the field, including business stakeholders, students, and IT professionals who want a baseline understanding before pursuing role-based certifications. No deep technical experience is required, but familiarity with Azure and Microsoft 365 is helpful.
Domain 1: Describe Concepts of Security, Compliance, and Identity
- The CIA triad stands for Confidentiality (data is accessible only to authorized parties), Integrity (data is not altered without authorization), and Availability (data and systems are accessible to authorized users when needed).
- The shared responsibility model divides duties between cloud provider and customer: in IaaS the customer manages OS, apps, and data; in PaaS the provider manages the OS while the customer manages apps and data; in SaaS the provider manages almost everything except data classification and identities.
- Data, devices, accounts, and identities are ALWAYS the customer's responsibility across IaaS, PaaS, and SaaS - the cloud provider is never responsible for classifying or protecting your data.
- Zero Trust operates on three principles: verify explicitly, use least-privilege access, and assume breach. Network location grants no implicit trust - being inside the corporate firewall provides no automatic privileges.
- Defense in depth uses multiple independent layers of protection (physical, identity/access, perimeter, network, compute, application, data) so that if one layer is breached, others still protect the asset.
- Encryption at rest protects stored data; encryption in transit protects data moving across networks. Encryption makes data unreadable without the correct decryption key.
- Symmetric encryption uses the same key to encrypt and decrypt and is fast for large data volumes; asymmetric encryption uses a public/private key pair and is used for key exchange and digital signatures.
- Hashing converts data into a fixed-length value and is one-way (cannot be reversed); it is used for storing passwords and verifying integrity, unlike encryption which is reversible.
- Authentication (AuthN) proves who you are; authorization (AuthZ) determines what you are allowed to access. Authentication always happens before authorization.
- Non-repudiation ensures a party cannot deny having performed an action - commonly achieved through digital signatures and audit logging.
- Data sovereignty means data is subject to the laws and regulations of the country or region where it is physically stored, which influences where organizations choose to host data.
- GDPR (General Data Protection Regulation) governs the protection and privacy of personal data for individuals in the EU and applies to any organization handling EU residents' data.
- Common identity threats include phishing (impersonating a trusted entity to steal credentials), password spray (one common password tried against many accounts), brute force (many passwords against one account), and credential harvesting via network sniffing.
- Federation establishes a trust relationship between separate identity providers so users authenticated in one organization can access resources in another without a separate account.
Domain 2: Describe Capabilities of Microsoft Entra
- Microsoft Entra ID (formerly Azure Active Directory) is a cloud-based identity and access management service providing authentication, single sign-on (SSO), MFA, and identity governance.
- Identity types in Entra ID include users, service principals (an identity for an application or service), managed identities (automatically managed credentials for Azure resources), and devices.
- Single sign-on (SSO) lets users authenticate once and access multiple applications without re-entering credentials, improving experience while reducing password fatigue.
- Multi-factor authentication (MFA) requires two or more verification methods from different categories: something you know (password/PIN), something you have (authenticator app, FIDO2 key), or something you are (biometric).
- Self-Service Password Reset (SSPR) lets users reset their own passwords using registered verification methods, reducing helpdesk load. Admins can require a number of registered methods before reset is allowed.
- Passwordless authentication methods include Windows Hello for Business, FIDO2 security keys, and the Microsoft Authenticator app - all more phishing-resistant than passwords.
- Conditional Access enforces access decisions (allow, block, or require additional controls like MFA) based on signals such as user, location, device state/compliance, application, and sign-in risk.
- Microsoft Entra ID Protection uses machine learning to detect risky sign-ins (anonymous IP, atypical/impossible travel, leaked credentials) and can automatically trigger remediation such as requiring MFA or blocking access.
- Microsoft Entra Privileged Identity Management (PIM) provides just-in-time, time-bound activation of privileged roles, requiring justification and approval to reduce standing administrative access.
- Azure role-based access control (RBAC) provides fine-grained access management of Azure resources by assigning roles at management group, subscription, resource group, or resource scope.
- Microsoft Entra B2B collaboration lets external guest users access resources using their own identities; B2C is a separate solution for customer-facing consumer identity management.
- Microsoft Entra Connect (and Entra Connect cloud sync) synchronizes on-premises Active Directory identities to Entra ID, enabling hybrid identity.
- Entra ID Governance includes entitlement management and access reviews, defining who can request access, approval workflows, and when access expires to enforce least privilege over time.
- Microsoft Entra Verified ID is a decentralized, verifiable credential service that lets organizations issue portable digital identity credentials that the individual owns and presents; Permissions Management provides multicloud (Azure, AWS, GCP) visibility into permissions and helps right-size them.
Domain 3: Describe Capabilities of Microsoft Security Solutions
- A Network Security Group (NSG) filters inbound and outbound traffic to Azure virtual network resources using allow/deny rules based on source/destination IP, port, and protocol; rules are processed by priority and can apply at subnet or NIC level.
- Azure Firewall is a managed, cloud-based, stateful network security service offering centralized filtering with network and application rules, built-in high availability, and threat intelligence-based filtering.
- Azure DDoS Protection detects and mitigates distributed denial-of-service attacks against Azure Virtual Network resources, with an enhanced (Network/IP) tier offering tuned, application-specific mitigation.
- Microsoft Defender for Cloud provides cloud security posture management (CSPM) and cloud workload protection (CWP) across Azure, on-premises, AWS, and GCP environments.
- Microsoft Secure Score (in Defender for Cloud and the Defender portal) expresses an organization's security posture as a percentage; a higher score reflects more recommended controls implemented and lower risk.
- Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution that collects data enterprise-wide, detects threats with built-in analytics, and automates response with playbooks.
- Microsoft Defender for Endpoint provides endpoint detection and response (EDR), threat and vulnerability management, and automated investigation for laptops, desktops, servers, and mobile devices.
- Microsoft Defender for Office 365 protects against email and collaboration threats such as phishing, malicious links (Safe Links), and malicious attachments (Safe Attachments).
- Microsoft Defender for Identity is a cloud solution that uses on-premises Active Directory signals to detect identity-based threats, lateral movement, and compromised accounts.
- Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) providing visibility into cloud app usage (shadow IT), data control policies, and threat detection across SaaS apps.
- Microsoft Defender XDR (formerly Microsoft 365 Defender) is a unified pre- and post-breach defense suite that coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications.
- The Microsoft Defender portal is the unified management console for Defender XDR services, where analysts view incidents, alerts, hunting queries, and Secure Score.
- NSGs are stateful: if inbound traffic is allowed, the return outbound traffic is automatically permitted without an explicit matching rule.
- SIEM aggregates and correlates security log data for detection and investigation, while SOAR automates and orchestrates response actions - Microsoft Sentinel combines both capabilities in one platform.
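As an added illustration (not Azure's code and not part of the original guide), the following Python models the NSG behaviour described above: rules are walked in ascending priority, the first match decides, and an allowed inbound connection is remembered so its reply traffic is permitted without an outbound rule. The rule set, addresses and ports are constructed; the custom outbound deny rule exists only so the stateful shortcut is observable.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of NSG rule processing (illustration, not Azure's implementation):
# ascending priority, first match wins, allowed inbound flows are tracked for replies.
@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # custom rules 100-4096; platform default rules sit at 65000+
    direction: str    # "Inbound" or "Outbound"
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR prefix or "*"
    dest: str         # CIDR prefix or "*"
    dest_port: str    # "22", "1000-2000" or "*"

def _prefix_ok(spec, addr):
    return spec == "*" or ip_address(addr) in ip_network(spec)

def _port_ok(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

class Nsg:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.flows = set()  # 5-tuples of inbound connections that a rule allowed

    def evaluate(self, direction, protocol, src_ip, src_port, dst_ip, dst_port):
        # Stateful shortcut: the reply to an accepted inbound flow skips the outbound rules.
        if direction == "Outbound" and (protocol, dst_ip, dst_port, src_ip, src_port) in self.flows:
            return "stateful-return", "Allow"
        for r in self.rules:  # lowest priority number first; stop at the first match
            if (r.direction == direction and r.protocol in ("*", protocol)
                    and _prefix_ok(r.source, src_ip) and _prefix_ok(r.dest, dst_ip)
                    and _port_ok(r.dest_port, dst_port)):
                if direction == "Inbound" and r.access == "Allow":
                    self.flows.add((protocol, src_ip, src_port, dst_ip, dst_port))
                return r.name, r.access
        return None, "Deny"  # not reached while the default deny rules are present

# Constructed rule set: SSH only from a management range, HTTPS from anywhere,
# a custom outbound deny, and the platform-style default deny rules at 65500.
RULES = [
    Rule("AllowSSHFromMgmt", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "*", "22"),
    Rule("DenySSHAll", 200, "Inbound", "Deny", "Tcp", "*", "*", "22"),
    Rule("AllowHTTPS", 300, "Inbound", "Allow", "Tcp", "*", "*", "443"),
    Rule("DenyInternetOutBound", 4000, "Outbound", "Deny", "*", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]
```

SSH from outside the management range hits DenySSHAll at priority 200 before the default deny at 65500 is ever consulted, while the SSH server's reply to an allowed client is permitted even though the only matching outbound rule is a deny.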
Domain 4: Describe Capabilities of Microsoft Compliance Solutions
- The Microsoft Purview compliance portal is the central hub for data protection, compliance assessment, and governance solutions across Microsoft 365 and connected data.
- Microsoft Purview Compliance Manager calculates a compliance score reflecting progress on recommended improvement actions, mapped to regulatory standards and assessments, to help reduce compliance risk.
- Improvement actions in Compliance Manager are split into those the customer controls and those Microsoft manages; the score increases as recommended controls are implemented.
- Sensitivity labels in Microsoft Purview Information Protection classify content and enforce protection that travels with the item, including encryption, content markings (headers, footers, watermarks), and access restrictions.
- Auto-labeling can automatically apply sensitivity labels to content based on detected sensitive information, either client-side (in Office apps) or service-side (for data at rest).
- Microsoft Purview Data Loss Prevention (DLP) detects sensitive information such as credit card numbers and government IDs and can block, restrict, or warn on its sharing across email, Teams, endpoints, and SharePoint.
- Sensitive information types are built-in or custom patterns (e.g., credit card numbers, SSNs) that DLP and labeling use to identify regulated data.
- Microsoft Purview data lifecycle management uses retention policies and retention labels to keep content for a minimum period and/or delete it after a set period, supporting legal hold and data minimization.
- Microsoft Purview eDiscovery (Standard and Premium) identifies, holds, collects, reviews, and exports electronically stored information for legal investigations and litigation.
- Microsoft Purview Insider Risk Management uses machine learning to detect risky internal activities such as mass downloads, unauthorized sharing, or data exfiltration by departing employees.
- Microsoft Purview Communication Compliance detects inappropriate or non-compliant messages (harassment, sensitive data sharing, regulatory violations) across communication channels like Exchange, Teams, and Viva Engage.
- Microsoft Purview Information Barriers restrict communication and collaboration between specific groups of users to prevent conflicts of interest or maintain ethical walls.
- Microsoft Purview Audit maintains a unified audit log capturing user and admin activity across Microsoft 365, searchable for security investigations and compliance (Premium adds longer retention and high-value events).
- Microsoft Purview Data Map and Data Catalog (part of the unified data governance capabilities) automatically discover, classify, and map data assets across on-premises, multicloud, and SaaS sources.
SC-900 exam tips
- SC-900 is conceptual, not hands-on - focus on what each service does and which problem it solves, not on configuration steps or portal navigation.
- Master the shared responsibility model and be able to instantly state who owns OS patching, applications, and data in IaaS vs PaaS vs SaaS; remember data and identities are always the customer's responsibility.
- Memorize which product belongs to which family: Entra = identity, Defender = threat protection, Sentinel = SIEM/SOAR, Purview = compliance/governance. Mapping a scenario to the right family answers many questions.
- Watch for renamed products - Azure AD is now Microsoft Entra ID and Microsoft 365 Defender is now Microsoft Defender XDR; the exam may use either name.
- The exam includes true/false and 'which capability' style questions; read whether a statement is asking about a feature (e.g., sensitivity labels) versus a separate solution (e.g., DLP), since several Purview tools overlap.
Study guide FAQ
How long is the SC-900 exam and what score do I need to pass?
You have about 45 minutes of testing time, and you need a scaled score of 700 or higher (out of 1000) to pass. The exam typically contains roughly 40-60 questions in formats such as multiple choice and true/false.
Do I need hands-on Azure or Microsoft 365 experience to pass SC-900?
No. SC-900 is a fundamentals-level certification focused on concepts and the purpose of services rather than configuration. Some familiarity with Azure and Microsoft 365 helps, but the exam does not require you to perform tasks in any portal.
What is the difference between Microsoft Defender, Microsoft Sentinel, and Microsoft Purview?
Microsoft Defender products provide threat protection across endpoints, identities, email, and cloud apps. Microsoft Sentinel is a cloud-native SIEM/SOAR that collects and correlates security data enterprise-wide and automates response. Microsoft Purview delivers compliance and data governance, including sensitivity labels, DLP, eDiscovery, and Compliance Manager.
Is SC-900 a good starting point, and what can I take next?
Yes, SC-900 is an ideal entry point for security, compliance, and identity topics. After passing, common next steps include role-based certifications such as SC-300 (Identity and Access Administrator), SC-200 (Security Operations Analyst), or SC-400 (Information Protection Administrator), as well as AZ-900 for broader Azure fundamentals.