This cheat sheet is a fast, exam-focused review of everything on SC-900 (Microsoft Security, Compliance, and Identity Fundamentals). It is built for your final days of prep — skim it, test yourself, and drill anything that feels unfamiliar. It is a memory aid, not a replacement for understanding: SC-900 questions are scenario-based, so know which Microsoft tool solves a described problem.
Exam Snapshot
| Item | Value |
|---|---|
| Passing Score | 700 / 1000 |
| Cost | $99 USD |
| Questions | 40–60 |
| Time | 60 minutes |

| Domain | Weight |
|---|---|
| SCI Concepts | 10–15% |
| Microsoft Entra | 25–30% |
| Security Solutions | 25–30% |
| Compliance (Purview) | 25–30% |
1. Security, Compliance & Identity Concepts
Core security models
| Model | What it means |
|---|---|
| Zero Trust | Verify explicitly, use least privilege, assume breach. Never trust by location alone. |
| Defense in depth | Layered controls: physical, identity, perimeter, network, compute, app, data. |
| Shared responsibility | Provider secures the cloud; customer secures data, identities, and devices. |
| CIA triad | Confidentiality, Integrity, Availability — the goals of security. |
Identity terms — know the exact difference
| Term | What it means |
|---|---|
| Authentication (AuthN) | Proving who you are. |
| Authorization (AuthZ) | What you're allowed to do once authenticated. |
| Identity as the perimeter | Identity is the primary security boundary in the cloud. |
| Identity provider (IdP) | Service that creates, maintains, and verifies identities (Entra ID). |
| Federation | Trust between IdPs so users sign in across organizations. |
Encryption & hashing: Symmetric uses one shared key; asymmetric uses a public/private key pair. Encryption is reversible with a key; hashing is one-way (used for passwords/integrity). Data states: at rest, in transit, in use.
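The three mechanisms in that paragraph behave differently in code, and seeing the difference is the fastest way to remember it. This is an added example, not part of the cheat sheet and not Microsoft code. It uses only the Python standard library, so the symmetric cipher is a SHA-256 keystream construction and the asymmetric cipher is textbook RSA with tiny primes; both are teaching models chosen so the arithmetic is visible, not production cryptography.

```python
"""Hashing (one-way) vs symmetric (one shared key) vs asymmetric (key pair).
Added teaching example; the toy cipher and toy RSA primes are assumptions
made for illustration, not something to deploy."""
import hashlib
import hmac
import os


# --- Hashing: one-way and deterministic; used for integrity and passwords ---
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_password(password: str, salt: bytes = b"", iterations: int = 100_000):
    """Salted, iterated PBKDF2-HMAC-SHA256. The password cannot be recovered from the digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


# --- Symmetric: the same shared key encrypts and decrypts (reversible) ---
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream block i = SHA-256(key || nonce || i); a toy stream-cipher construction."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def symmetric_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)  # fresh per message so the keystream is never reused
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def symmetric_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:12], ciphertext[12:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


# --- Asymmetric: the public key encrypts, only the private key decrypts ---
def rsa_keypair(p: int = 61, q: int = 53, e: int = 17):
    """Textbook RSA with tiny primes (assumed values); real keys use 2048-bit+ moduli."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: modular inverse of e
    return (e, n), (d, n)  # (public key, private key)


def rsa_encrypt(public_key, m: int) -> int:
    e, n = public_key
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    d, n = private_key
    return pow(c, d, n)


if __name__ == "__main__":
    salt, digest = hash_password("correct horse")
    print("hash verifies:", verify_password("correct horse", salt, digest))
    key = os.urandom(32)
    print("symmetric round trip:", symmetric_decrypt(key, symmetric_encrypt(key, b"at rest")))
    pub, priv = rsa_keypair()
    print("asymmetric round trip:", rsa_decrypt(priv, rsa_encrypt(pub, 65)))
```

Note the asymmetry the exam cares about: `symmetric_decrypt` needs the very same key that encrypted, `rsa_decrypt` needs a different key from the one that encrypted, and nothing reverses `sha256_hex`, which is why a stored password digest is compared rather than decrypted.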
2. Microsoft Entra (Identity)
| Feature | What it does |
|---|---|
| Microsoft Entra ID | Cloud identity and access management (formerly Azure AD). |
| Identity types | Users, service principals, managed identities, devices. |
| Hybrid identity | Sync on-prem AD to Entra ID via Entra Connect. |
| External identities | B2B collaboration (guests) and B2C (customers). |
| SSO | Sign in once, access many apps. |
| MFA | Two or more verification methods (something you know/have/are). |
| Passwordless | Windows Hello, FIDO2 keys, Microsoft Authenticator. |
| SSPR | Self-service password reset. |
3. Access Management &amp; Protection
| Capability | What it does |
|---|---|
| Conditional Access | Grant/block access based on signals (user, device, location, risk). |
| RBAC | Assign permissions via roles at a defined scope. |
| PIM | Privileged Identity Management: just-in-time, time-bound admin access. |
| Identity Protection | Detect risky users and sign-ins; automate responses. |
| Access reviews | Periodically recertify who has access (governance). |
| Entitlement management | Access packages for automated request/approval/expiry. |
| Terms of use | Require users to accept policies before access. |
Most-tested distinction: Conditional Access decides access at sign-in based on conditions. RBAC grants standing permissions. PIM makes privileged roles eligible and time-bound rather than always-on.
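A small policy engine that models the three mechanisms in that distinction side by side: Conditional Access evaluates signals on every sign-in, RBAC is a standing role assignment at a scope, and PIM makes a role eligible until it is activated for a bounded window. This is an added example, not Microsoft code and not the Entra or Graph API; the signal names, role names, sample assignments and activation rules are assumptions made for illustration.

```python
"""Conditional Access vs RBAC vs PIM as a minimal policy engine.
Added example; names, roles and thresholds are assumptions, not Entra behaviour."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class SignIn:
    """Signals a Conditional Access policy can evaluate at sign-in time (assumed set)."""
    user: str
    groups: set
    device_compliant: bool
    location_trusted: bool
    risk: str  # "none" | "low" | "medium" | "high"
    mfa_completed: bool


def conditional_access(s: SignIn) -> str:
    """Decide "grant", "require_mfa" or "block" per sign-in; grants no standing rights."""
    if s.risk == "high":
        return "block"  # assume breach: risky sign-ins fail closed
    if not s.device_compliant and not s.location_trusted:
        return "block"  # neither a managed device nor a trusted location
    if s.risk in ("low", "medium") or "admins" in s.groups:
        return "grant" if s.mfa_completed else "require_mfa"
    return "grant"


# RBAC: standing role assignments at a scope (constructed sample data)
ROLE_PERMISSIONS = {
    "Reader": {"read"},
    "Contributor": {"read", "write"},
    "Owner": {"read", "write", "assign_roles"},
}
ASSIGNMENTS = {  # (principal, scope) -> role
    ("alice", "rg-finance"): "Reader",
    ("bob", "rg-finance"): "Contributor",
}


def rbac_allows(principal: str, scope: str, action: str) -> bool:
    """Always-on: the answer is the same whenever you ask, with no sign-in context."""
    role = ASSIGNMENTS.get((principal, scope))
    return role is not None and action in ROLE_PERMISSIONS[role]


# PIM: an eligible role is inactive until activated, and activation expires
@dataclass
class PimState:
    eligible: dict = field(default_factory=dict)      # (principal, role) -> True
    active_until: dict = field(default_factory=dict)  # (principal, role) -> expiry


def pim_activate(state: PimState, principal: str, role: str, now: datetime,
                 hours: int = 4, mfa: bool = False) -> bool:
    """Activation requires eligibility and MFA (assumed policy) and is time-bound."""
    if not state.eligible.get((principal, role)) or not mfa:
        return False
    state.active_until[(principal, role)] = now + timedelta(hours=hours)
    return True


def pim_is_active(state: PimState, principal: str, role: str, now: datetime) -> bool:
    expiry = state.active_until.get((principal, role))
    return expiry is not None and now < expiry


def pim_demo() -> tuple:
    """Eligibility -> activation -> expiry walk-through; returns the four checks."""
    state = PimState(eligible={("carol", "Global Administrator"): True})
    now = datetime(2026, 1, 10, 9, 0)  # constructed timestamp
    without_mfa = pim_activate(state, "carol", "Global Administrator", now, mfa=False)
    with_mfa = pim_activate(state, "carol", "Global Administrator", now, mfa=True)
    active_now = pim_is_active(state, "carol", "Global Administrator", now + timedelta(minutes=30))
    after_expiry = pim_is_active(state, "carol", "Global Administrator", now + timedelta(hours=5))
    return without_mfa, with_mfa, active_now, after_expiry


if __name__ == "__main__":
    print(conditional_access(SignIn("alice", {"admins"}, True, True, "none", False)))  # require_mfa
    print(rbac_allows("bob", "rg-finance", "write"))  # True, any time of day
    print(pim_demo())  # (False, True, True, False)
```

The exam tell: if the scenario says "only while signing in" or "based on location/device/risk", it is Conditional Access; "permanent permission on a resource or subscription" is RBAC; "admin rights only when needed, for a limited time, with approval or MFA" is PIM.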
4. Microsoft Security Solutions
| Tool | Purpose |
|---|---|
| Microsoft Defender XDR | Unified threat protection across endpoints, email, apps, identity. |
| Defender for Endpoint | Endpoint detection and response (EDR) for devices. |
| Defender for Office 365 | Protect email and collaboration from phishing/malware. |
| Defender for Identity | Detect identity threats using on-prem AD signals. |
| Defender for Cloud Apps | CASB — visibility and control over cloud app usage. |
| Defender for Cloud | Cloud security posture management (CSPM) + workload protection. |
| Microsoft Sentinel | Cloud-native SIEM/SOAR for threat detection and response. |
| Secure Score | Measure and improve your security posture. |
SIEM vs SOAR: SIEM (Sentinel) collects and analyzes signals to detect threats; SOAR automates the response (Sentinel provides both). CSPM = posture/recommendations; CWP (cloud workload protection) = threat protection for the workloads themselves. Both CSPM and CWP are Defender for Cloud.
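The SIEM/SOAR split is easier to hold onto once you have seen the two halves as separate functions: one analytic rule that turns collected sign-in events into an incident, and one playbook that turns the incident into actions. This is an added example, not Sentinel code and not KQL; the log format, the rule threshold and the playbook actions are constructed assumptions for illustration.

```python
"""SIEM detection (analytic rule over collected logs) feeding SOAR response (playbook).
Added example; the log lines below are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, as a SIEM would collect them from a source
SAMPLE_LOGS = """\
2026-01-10T09:00:01Z user=alice ip=203.0.113.5 result=failure
2026-01-10T09:00:07Z user=alice ip=203.0.113.5 result=failure
2026-01-10T09:00:12Z user=alice ip=203.0.113.5 result=failure
2026-01-10T09:00:15Z user=alice ip=203.0.113.5 result=failure
2026-01-10T09:00:20Z user=alice ip=203.0.113.5 result=failure
2026-01-10T09:00:31Z user=alice ip=203.0.113.5 result=success
2026-01-10T09:05:00Z user=bob ip=198.51.100.7 result=failure
2026-01-10T09:06:00Z user=bob ip=198.51.100.7 result=success
"""


def parse(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *kv = line.split()
    event = dict(pair.split("=", 1) for pair in kv)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_failures_then_success(lines: list, threshold: int = 5,
                                 window: timedelta = timedelta(minutes=10)) -> list:
    """SIEM-style analytic rule: >= threshold failures for one user inside the window,
    followed by a success, raises an incident (assumed threshold and window)."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    incidents = []
    for user, evs in by_user.items():
        failures = []
        for e in evs:
            # keep only failures that are still inside the sliding window
            failures = [f for f in failures if e["ts"] - f["ts"] <= window]
            if e["result"] == "failure":
                failures.append(e)
            elif e["result"] == "success" and len(failures) >= threshold:
                incidents.append({"user": user, "ip": e["ip"],
                                  "failures": len(failures), "at": e["ts"]})
                failures = []
    return incidents


def run_playbook(incident: dict) -> list:
    """SOAR-style automated response: a fixed action sequence per incident (assumed actions)."""
    return [
        f"disable_user:{incident['user']}",
        f"revoke_sessions:{incident['user']}",
        f"block_ip:{incident['ip']}",
        "notify_soc",
    ]


def triage(log_text: str) -> list:
    """Detection output becomes response input: [(incident, actions), ...]."""
    return [(i, run_playbook(i)) for i in detect_failures_then_success(log_text.splitlines())]


if __name__ == "__main__":
    for incident, actions in triage(SAMPLE_LOGS):
        print(incident["user"], incident["failures"], "failures ->", actions)
```

Bob's single failure followed by a success never reaches the threshold, so no playbook runs for him; that is the SIEM part doing its job. Everything after the incident exists, the disable, revoke and notify steps, is the SOAR part, and on the exam a scenario about "automatically responding" points there.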
5. Microsoft Purview (Compliance)
| Capability | What it does |
|---|---|
| Sensitivity labels | Classify and protect data (encryption, watermarks) that travels with the file. |
| Data Loss Prevention (DLP) | Prevent oversharing of sensitive info across apps and endpoints. |
| Records management / retention | Keep or delete content for a required period (retention labels/policies). |
| Insider Risk Management | Detect risky internal activity like data theft before departure. |
| eDiscovery | Find and export content for legal/investigation cases. |
| Audit | Log and search user/admin activity (standard vs premium). |
| Compliance Manager | Assess regulatory compliance; produces a Compliance Score. |
| Communication Compliance | Detect policy violations in messages (harassment, leaks). |
Governance portals: Microsoft Purview portal for compliance and data governance; Service Trust Portal for Microsoft's audit reports and certifications; Microsoft Priva for privacy risk and subject-rights requests.
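DLP is the Purview capability most often described as a scenario ("users keep emailing card numbers to outside partners"), so here is what a DLP rule actually does under the hood: detect the sensitive info type, count instances, and apply a policy action that depends on the count and the recipient. This is an added example, not Purview code; the credit-card pattern with a Luhn check stands in for a built-in sensitive info type, and the thresholds and actions are assumptions for illustration.

```python
"""DLP-style scan: detect a sensitive info type (card numbers with a Luhn check),
count matches, and choose a policy action. Added example; thresholds are assumptions."""
import re

# 13 to 16 digits, optionally separated by spaces or hyphens, on word boundaries
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which filters random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the digit strings that match the pattern and pass the checksum."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(digits: str) -> str:
    """Show only the last four digits in any report or alert."""
    return "*" * (len(digits) - 4) + digits[-4:]


def dlp_decision(text: str, recipient_external: bool, warn_at: int = 1, block_at: int = 3) -> dict:
    """Assumed policy: internal sharing is audited; external sharing warns at `warn_at`
    matches (policy tip) and blocks at `block_at` matches."""
    matches = find_card_numbers(text)
    count = len(matches)
    if count == 0:
        action = "allow"
    elif not recipient_external:
        action = "audit"
    elif count >= block_at:
        action = "block"
    elif count >= warn_at:
        action = "warn"
    else:
        action = "allow"
    return {"action": action, "matches": count, "masked": [mask(d) for d in matches]}


# Constructed sample message: three well-known test card numbers plus one with a typo
SAMPLE_MESSAGE = ("Cards: 4111 1111 1111 1111, 5500-0000-0000-0004, 340000000000009, "
                  "and 4111 1111 1111 1112 (typo).")

if __name__ == "__main__":
    print(dlp_decision(SAMPLE_MESSAGE, recipient_external=True))   # block, 3 matches
    print(dlp_decision(SAMPLE_MESSAGE, recipient_external=False))  # audit, 3 matches
```

Two details worth remembering for scenario questions: the rule fires on a count of instances, not just presence, and the same content can get a different action depending on where it is going, which is why DLP policies are scoped to locations (Exchange, SharePoint, Teams, endpoints) and conditions, not just to a pattern.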
6. Acronym Quick List
SCI — Security, Compliance & Identity
AuthN / AuthZ — Authentication / Authorization
MFA — Multi-Factor Authentication
SSO — Single Sign-On
SSPR — Self-Service Password Reset
RBAC — Role-Based Access Control
PIM — Privileged Identity Management
CA — Conditional Access
XDR — Extended Detection & Response
EDR — Endpoint Detection & Response
SIEM / SOAR — Security Information & Event Management / Security Orchestration, Automation & Response
CASB — Cloud Access Security Broker
CSPM — Cloud Security Posture Management
DLP — Data Loss Prevention
IdP — Identity Provider
CIA — Confidentiality, Integrity, Availability
Common Questions
Is a cheat sheet enough to pass SC-900?
A cheat sheet is a fast review and memory aid, not a substitute for understanding. SC-900 questions are scenario-based, so you need to match the right Microsoft security, identity, or compliance tool to a described need — not just recognize its name. Use it to consolidate after Microsoft Learn and practice questions.
What is the difference between authentication and authorization?
Authentication (AuthN) proves who you are. Authorization (AuthZ) determines what you're allowed to do once authenticated. Microsoft Entra ID handles authentication; RBAC and Conditional Access govern authorization.
What is the difference between Microsoft Defender for Cloud and Microsoft Sentinel?
Defender for Cloud is a cloud security posture and workload protection tool focused on securing Azure, hybrid, and multicloud resources. Microsoft Sentinel is a SIEM/SOAR that collects signals across your whole environment to detect, investigate, and automate response to threats.
What is the passing score for SC-900?
700 out of 1000 on a scaled scoring system (roughly 70%). The exam has around 40–60 questions, a 60-minute time limit, and costs $99 USD.
About MSCertQuiz
MSCertQuiz provides 500 practice questions per certification, calibrated harder than the real exam so test day feels easier. Questions are built by certified professionals and updated for 2026 exam objectives. Start with 40 free questions — no credit card required.