SC-900 Study Guide 2026: Complete Security, Compliance & Identity Fundamentals Prep
Everything you need to pass the SC-900 exam — all 4 domains, a study plan, and what actually shows up on test day.
Quick Summary
- SC-900 is a Fundamentals-level exam with 40–60 questions, 60 minutes, 700/1000 passing score
- Covers 4 domains: security/compliance/identity concepts, Entra ID, Microsoft security solutions, compliance solutions
- Most candidates need 2–4 weeks of preparation
- Exam cost: $165 USD
What is the SC-900 Exam?
SC-900 is Microsoft's Fundamentals-level certification covering security, compliance, and identity (SCI). It validates conceptual understanding of Microsoft's security products, compliance solutions, and identity platform — without requiring hands-on configuration skills.
It's a strong entry point for anyone starting a career in Microsoft security, compliance, or identity — or for IT generalists who want to understand the security ecosystem before pursuing the SC-300 Identity Administrator or SC-200 Security Operations Analyst certifications.
| Detail | Information |
|---|---|
| Exam Code | SC-900 |
| Credential Earned | Security, Compliance, and Identity Fundamentals |
| Number of Questions | 40–60 questions |
| Time Limit | 60 minutes |
| Passing Score | 700 out of 1000 |
| Exam Price | $165 USD |
| Exam Level | Fundamentals |
| Prerequisites | None |
SC-900 Exam Domains & Weightings
SC-900 is split across four domains. Microsoft security solutions (Domain 3) is the largest and most product-diverse domain.
Domain 1: Security, Compliance, and Identity Concepts
Weighting: 10–15%
- Shared responsibility model in cloud environments
- Defense-in-depth strategy — layered security approach
- Zero Trust model — verify explicitly, use least privilege, assume breach
- Encryption concepts — at rest, in transit, key management
- Governance, risk, and compliance (GRC) concepts
Study tip: Zero Trust appears across multiple domains. Understand all three principles thoroughly.
Domain 2: Microsoft Entra Capabilities
Weighting: 25–30%
- Microsoft Entra ID — users, groups, devices, authentication
- Authentication methods: password, MFA, passwordless (FIDO2, Windows Hello, Authenticator)
- Conditional Access — policy conditions and access controls
- Microsoft Entra External ID — B2B and B2C identity scenarios
- Microsoft Entra ID Governance — access reviews, entitlement management, PIM (conceptual)
- Microsoft Entra Permissions Management and Verified ID
Domain 3: Microsoft Security Solutions
Weighting: 35–40%
- Microsoft Defender for Cloud — cloud security posture management (CSPM), workload protection
- Microsoft Sentinel — cloud-native SIEM and SOAR, threat detection and response
- Microsoft Defender XDR — unified threat protection across email, endpoint, identity, cloud apps
- Microsoft Defender for Endpoint — endpoint detection and response (EDR)
- Microsoft Defender for Office 365 — email threat protection
- Microsoft Defender for Identity — Active Directory threat detection
- Microsoft Defender for Cloud Apps — cloud access security broker (CASB)
- Microsoft Security Copilot — AI-powered security operations assistance
Study tip: This is the most product-dense domain. Know what each Defender product protects: Endpoint (devices), Office 365 (email), Identity (AD), Cloud Apps (SaaS apps).
Domain 4: Microsoft Compliance Solutions
Weighting: 20–25%
- Microsoft Purview compliance portal — unified compliance management
- Information protection — sensitivity labels, data classification, DLP policies
- Data lifecycle management — retention policies, retention labels, records management
- Insider risk management and communication compliance (conceptual)
- eDiscovery and Audit in Microsoft Purview
- Compliance Manager — compliance score, assessments, regulatory templates
- Microsoft Privacy — Privacy Management, data subject requests
How Hard is SC-900?
SC-900 is one of the more accessible Microsoft certifications. It tests conceptual understanding rather than hands-on configuration skills. Most IT professionals, business analysts, and compliance officers find it manageable with 2–3 weeks of focused preparation. The main challenge is the sheer number of Microsoft product names — particularly across the Defender family — that you need to map correctly.
Why candidates fail SC-900
- Defender product confusion: Mixing up Defender for Endpoint, Office 365, Identity, and Cloud Apps is the most common source of errors
- Purview vs. Defender: Microsoft Purview is compliance/data governance; Microsoft Defender is threat protection — these get confused frequently
- Underestimating Domain 3: With 35–40% weighting, security solutions is the biggest domain and requires learning a lot of product names and capabilities
- Not knowing Zero Trust deeply: Zero Trust principles appear across multiple questions in different contexts
3-Week SC-900 Study Plan
This plan assumes 1–1.5 hours per day. Candidates with existing IT or security background can often complete this in 2 weeks.
Week 1: Concepts & Identity (Domains 1 & 2)
- Days 1–2: Security fundamentals — Zero Trust, shared responsibility, defense in depth, encryption
- Days 3–4: Microsoft Entra ID — authentication methods, MFA, Conditional Access, SSO
- Days 5–6: Identity governance — PIM concepts, access reviews, entitlement management
- Day 7: Domain 1 & 2 practice questions — review all incorrect answers
Week 2: Microsoft Security & Compliance Solutions (Domains 3 & 4)
- Days 1–2: Microsoft Defender suite — map each Defender product to what it protects
- Days 3–4: Microsoft Sentinel (SIEM/SOAR) and Defender for Cloud (CSPM/CWPP)
- Days 5–6: Microsoft Purview — sensitivity labels, DLP, retention, Compliance Manager
- Day 7: Domain 3 & 4 practice questions — review all incorrect answers
Week 3: Full Review & Mock Exams
- Days 1–2: Review notes, create a product cheat sheet (Defender family + Purview tools)
- Day 3: Full 60-minute timed mock exam
- Days 4–5: Targeted review of any domain below 70%
- Day 6: Second full timed mock exam — aim for 80%+
- Day 7: Light review. Book exam if scoring 80%+.
Best SC-900 Study Resources
1. Microsoft Learn SC-900 Learning Path (Free)
The official learning path covers all four domains with interactive modules. Well-structured and regularly updated. Estimated completion time: 5–7 hours. Complete every module — the compliance domain in particular is underrepresented in other resources.
2. MSCertQuiz Practice Tests
500 SC-900 practice questions covering all four domains with detailed explanations for every answer. Strong coverage of Defender product differentiation questions and Purview compliance scenarios — the areas where most candidates lose marks.
3. Microsoft Security Documentation
For any Defender product or Purview feature you find confusing, go straight to the official Microsoft documentation. The "What is..." overview pages for each product are concise and exam-accurate. Build a product comparison table as you read.
4. SC-900 Exam Skills Outline (Official)
Download the official exam skills outline from Microsoft. Use it as a checklist to verify you understand every bullet point. The SC-900 outline is detailed enough to use as a study guide on its own for the final week before the exam.
SC-900 Exam Day Tips
Do
- Map each Defender product to its protection scope before the exam — endpoint, email, identity, cloud apps
- For Purview questions, ask: is this about data protection (sensitivity/DLP) or data lifecycle (retention/records)?
- Flag uncertain questions and move on — 60 minutes is enough time if you don't dwell
- Remember Sentinel is SIEM+SOAR; Defender for Cloud is CSPM — they're often tested together
Don't
- Don't confuse Compliance Manager (score/assessments) with Compliance portal (policies/tools)
- Don't mix up PIM (privileged role management) with PAM (privileged access workstations)
- Don't ignore Security Copilot — it appears in recent exam versions as a new topic
- Don't rush Domain 3 — it's 35–40% of your score
Frequently Asked Questions
Should I take SC-900 before SC-300?
Not necessarily. SC-900 is a Fundamentals exam — it is not a prerequisite for SC-300. If you already have IT security experience, you can skip SC-900 and go directly to SC-300. SC-900 is valuable for beginners, non-technical professionals, or anyone who wants a quick conceptual foundation before diving into associate-level security certifications.
Is SC-900 harder than AZ-900?
They are comparable in difficulty. SC-900 has more product names to learn (Defender family, Purview tools) but AZ-900 has more Azure services to understand. Most candidates find whichever one aligns with their daily work easier. If you work in IT security, SC-900 will feel more natural.
What comes after SC-900?
The two natural next steps are SC-300 (Identity and Access Administrator) for identity/access deep-dives, or SC-200 (Security Operations Analyst) for security operations and threat hunting. SC-900 is also excellent context before pursuing MS-500 (Microsoft 365 Security Administration).
How long is SC-900 valid?
SC-900 is valid for one year. Like all Microsoft Fundamentals certifications, it can be renewed annually for free through a Microsoft Learn renewal assessment — no exam center visit required.