Microsoft Azure · security

Microsoft SC-900 Security, Compliance & Identity

Master Microsoft security fundamentals: Zero Trust, Microsoft Entra ID (MFA, Conditional Access, PIM, B2B/B2C), Microsoft Defender for Cloud, Sentinel, Defender XDR, Azure Key Vault, and Microsoft Purview compliance tools. Covers all SC-900 exam domains.

Modules: 7
Duration: 20 hours
Level: beginner
Exam code: SC-900
Exam questions: 60
Passing score: 700 / 1000
Exam duration: 65 min
Exam fee (USD): $165
Requirements: no prerequisites
Study anywhere with the CertQuests Podcast

Reinforce Zero Trust principles, Defender product differences, and Purview compliance tools while commuting or working out. Perfect supplement to this course. Available on Spotify.

Why get SC-900?

SC-900 is Microsoft's entry-level security certification — one of the fastest fundamentals certs to earn and highly valued in any cloud or IT role. It validates that you understand how Microsoft approaches security, compliance, and identity across its entire ecosystem.

  • Validates foundational knowledge of Zero Trust, MFA, Conditional Access, and identity management
  • Covers the full Microsoft security stack: Entra ID, Defender XDR, Sentinel, Azure Key Vault, Purview
  • Beginner-friendly — no technical prerequisites, no prior cloud experience required
  • Pairs perfectly with AZ-900 and is a stepping stone to AZ-500 Security Engineer
  • Relevant to IT support, compliance, sales, project management, and developer roles
  • Exam is 65 minutes, $165, and can be taken online from home
Exam strategy: SC-900 is conceptual — it tests "what does X do" and "which Microsoft service handles Y scenario". You don't need to configure anything. Focus on understanding which product solves which problem (e.g., Sentinel = SIEM, Defender for Endpoint = EDR, Purview = compliance) and the three Zero Trust principles.

SC-900 exam domains

Four domains — the largest is Microsoft security solutions (Defender products, Sentinel, Firewall, Key Vault). Memorise the product-to-function mapping for that domain and you're most of the way there.

Domain 1 — Security, Compliance & Identity Concepts 10–15%
Domain 2 — Capabilities of Microsoft Entra 25–30%
Domain 3 — Capabilities of Microsoft Security Solutions 35–40%
Domain 4 — Capabilities of Microsoft Compliance Solutions 25–30%

3 concepts that underpin everything

Before diving into products, understand these foundational models. Multiple SC-900 questions directly test these definitions.

Zero Trust — Three Principles

1. Verify explicitly — Always authenticate and authorise based on all available signals (identity, location, device, service, data). Never trust just because a request comes from inside the network.

2. Use least privilege access — Grant only the minimum permissions needed, just-in-time. Limit standing access and use Just-In-Time / Just-Enough-Access (JIT/JEA).

3. Assume breach — Design as if the attacker is already inside. Segment access, encrypt end-to-end, use analytics to detect anomalies, minimise blast radius.

Defense in Depth — Layered Security

Defense in depth uses multiple security layers so a breach of one doesn't compromise everything. Layers include: physical security → identity → perimeter → network → compute → application → data. SC-900 expects you to identify which layer a given control belongs to.

Shared Responsibility Model

In the cloud, Microsoft and the customer share security responsibilities. Microsoft always handles physical infrastructure. Customers always handle their own identities and data. The boundary shifts by service model: in IaaS customers manage OS and up; in SaaS Microsoft manages almost everything except identity and data.

Course Modules

Seven in-depth modules organised by exam domain. Each opens to a set of lessons — intro, key concepts, study notes, takeaways, and a linked mini-quiz drawn from the SC-900 question bank.

01
Security, Compliance & Identity Concepts
3 lessons · ~2h
SC-900 starts with vocabulary, not products. Before Entra ID or Defender ever appears, the exam checks that you can define the CIA triad, Zero Trust, defense in depth, and the shared responsibility model — and tell authentication apart from authorization. Domain 1 is small (10–15%) but its concepts reappear in every later question.
Lesson 1.1 — The Security & Threat Landscape

Key Concepts

  • CIA Triad: The three goals of information security. Confidentiality keeps data secret from unauthorised parties; Integrity ensures data is not altered improperly; Availability ensures authorised users can reach data when needed. Every control maps to at least one of these.
  • Defense in Depth: Layered controls — physical, identity, perimeter, network, compute, application, data — so one breached layer does not expose everything. The exam asks which layer a given control protects.
  • Common threats: Phishing (fraudulent messages to steal credentials), ransomware (encrypts data for extortion), supply-chain attacks (compromise a trusted vendor), DDoS (overwhelm a service), brute force and password spray (guessing attacks against accounts), and data breaches (unauthorised disclosure).
  • Encryption at rest vs in transit: At rest protects stored data (disks, databases, backups); in transit protects data moving across a network (TLS/HTTPS). Both are needed for end-to-end protection.
  • Encryption vs hashing: Encryption is reversible with a key (used for confidentiality); hashing is a one-way function (used for integrity and password storage). Microsoft never stores passwords in plaintext — it stores salted hashes.
Real-world frame: a hospital encrypts patient records at rest (disk encryption) and in transit (TLS to the records app), uses MFA against password spray, and keeps offline backups so a ransomware hit does not destroy availability. One scenario, all three CIA goals.
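
Hashing as a one-way, salted function, covering both uses named in Lesson 1.1 (integrity and password storage), as an added Python example that is not part of the course page: a SHA-256 checksum catches a one-character edit to a constructed patient record, and PBKDF2-HMAC-SHA256 stores a salted password hash so two users with the same password get different stored values. The record text, password and iteration count are constructed for illustration; this is generic standard-library code, not Entra ID's own password-storage scheme.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample record and password; no real patient data.
RECORD = b"patient_id=10472;diagnosis=J18.9;attending=dr_singh"
PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256


def checksum(data: bytes) -> str:
    """SHA-256 digest as an integrity check: any change to the input changes the digest."""
    return hashlib.sha256(data).hexdigest()


def integrity_intact(data: bytes, expected_hex: str) -> bool:
    """Recompute the digest and compare in constant time (the Integrity goal of the CIA triad)."""
    return hmac.compare_digest(checksum(data), expected_hex)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a salted PBKDF2-HMAC-SHA256 record: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>.

    A fresh random salt per user means identical passwords produce different stored values,
    so one cracked hash tells the attacker nothing about the others.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Hashing is one-way: verification recomputes with the stored salt instead of decrypting."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def demo() -> dict:
    """Run both uses of hashing on the constructed inputs and report each check."""
    expected = checksum(RECORD)
    tampered = RECORD.replace(b"J18.9", b"J18.0")  # one-character change to the diagnosis code
    stored_a = hash_password("Summer2024!")
    stored_b = hash_password("Summer2024!")  # same password, different random salt
    return {
        "original_intact": integrity_intact(RECORD, expected),
        "tamper_detected": not integrity_intact(tampered, expected),
        "same_password_different_hash": stored_a != stored_b,
        "correct_password_verifies": verify_password("Summer2024!", stored_a),
        "wrong_password_rejected": not verify_password("summer2024!", stored_a),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The constant-time comparison matters in both places: a plain `==` on hex strings returns early at the first differing character, which can leak how much of a guess was right.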
Lesson 1.2 — Identity & the Zero Trust Model

Key Concepts

  • Identity is the new perimeter: With cloud and remote work, the firewall is no longer the boundary. Who you are — verified by identity — decides what you can reach. This is why SC-900 weights identity so heavily.
  • Authentication (AuthN) vs Authorization (AuthZ): Authentication proves who you are (sign-in, MFA). Authorization decides what you can do (roles, permissions). AuthN always happens before AuthZ.
  • Four pillars of identity: Administration (creating and managing identities), Authentication (verifying identity), Authorization (granting access), and Auditing (logging and reviewing what happened).
  • Zero Trust principles: Verify explicitly (use all signals), use least-privilege access (JIT/JEA), and assume breach (segment, encrypt, monitor). Zero Trust replaces "trust the internal network" with "never trust, always verify".
  • Identity providers & federation: An identity provider (IdP) authenticates users and issues tokens. Single Sign-On (SSO) lets one authentication grant access to many apps. Federation establishes trust between two IdPs so users sign in once across organisations.
A common exam trap: "A user signs in successfully but cannot open a file" — that is an authorization failure, not authentication. The user proved who they are; they simply lack the permission.
Lesson 1.3 — Shared Responsibility & Compliance Concepts

Key Concepts

  • Shared responsibility model: Microsoft always secures the physical datacentre, host, and network. The customer always owns their data, accounts, and identities. The OS and application layers shift by model — customer-managed in IaaS, Microsoft-managed in SaaS.
  • Governance, Risk & Compliance (GRC): Governance sets the policies and rules; risk management identifies and mitigates threats; compliance proves you meet legal and regulatory obligations.
  • Data residency & sovereignty: Residency is the physical location where data is stored; sovereignty means data is subject to the laws of the country it sits in. Azure regions let customers control residency.
  • Privacy: The right of individuals to control how their personal data is collected and used — distinct from security, which protects data from attackers.
  • Regulatory standards: GDPR (EU data-protection law), ISO 27001 (information-security management standard), and NIST frameworks (US guidance). SC-900 expects recognition of these names, not deep detail.
Memorise the two constants of shared responsibility: the customer is always responsible for data and identities; Microsoft is always responsible for the physical infrastructure. Everything else depends on IaaS vs PaaS vs SaaS.

🛡 Scenario — mapping hospital controls to the CIA triad

Situation: A hospital stores patient records in a cloud application. The security architect needs to explain which CIA goal each control addresses to the board.

Control mapping: Disk encryption (data at rest) → Confidentiality. TLS/HTTPS (data in transit) → Confidentiality. Digital signatures on records → Integrity (proves data was not tampered with). Multi-region redundancy + auto-failover → Availability. Offline backups → Availability (ransomware cannot encrypt what it cannot reach).

Exam pattern: When the exam gives you a control ("enables HTTPS", "stores daily backups off-site") and asks which CIA goal it serves, map: encrypt / restrict access = C, checksums / audit logs / signing = I, redundancy / backups / DR = A. A single control often covers more than one.

Key takeaways
  • Every security control maps to confidentiality, integrity, or availability — and defense in depth layers them so one failure is not fatal.
  • Authentication answers "who?" and always precedes authorization, which answers "what can you do?". A successful sign-in that still blocks an action is an authZ problem.
  • In shared responsibility, the customer always owns data and identities; Microsoft always owns the physical layer — the middle shifts with IaaS / PaaS / SaaS.
⚡ Mini-quiz — Drill the CIA triad, Zero Trust principles, AuthN vs AuthZ, and the shared responsibility split.
02
Microsoft Entra ID — Authentication & Identity
3 lessons · ~3h
Microsoft Entra ID (formerly Azure Active Directory) is the identity backbone of Microsoft 365 and Azure. This module covers what Entra ID actually is, the identity types it manages, the authentication methods it supports — from passwords to passwordless — and how SSO, SSPR, and external identities extend it to partners and consumers.
Lesson 2.1 — What Entra ID Is & Identity Types

Key Concepts

  • Entra ID is a cloud identity platform — not a lift-and-shift of on-premises Active Directory. AD uses Kerberos/LDAP for a corporate LAN; Entra ID uses modern web protocols (OAuth 2.0, OpenID Connect, SAML) for cloud and SaaS apps.
  • Users: The most common identity — a person with credentials. Can be cloud-only (created in Entra) or synchronised from on-premises AD.
  • Service principals: The identity an application uses to access resources — the app equivalent of a user account.
  • Managed identities: A service principal that Azure creates and rotates automatically, so developers never handle credentials. System-assigned is tied to one resource; user-assigned can be shared across many.
  • Devices & groups: Devices can be registered or joined to Entra ID so policies target them; groups bundle users for bulk access assignment.
  • Tenant: A dedicated, isolated instance of Entra ID for one organisation. Each Microsoft 365 or Azure subscription is backed by a tenant.
Exam framing: "A web app must read a secret from Azure Key Vault without storing credentials." The answer is a managed identity — Azure issues and rotates the credential invisibly, eliminating secrets in code.
Lesson 2.2 — Authentication Methods & MFA

Key Concepts

  • Authentication factors: Something you know (password, PIN), something you have (phone, FIDO2 key), something you are (fingerprint, face). Combining two or more is multi-factor authentication.
  • Multi-Factor Authentication (MFA): Requires a second factor after the password. It is the single most effective control against stolen-credential attacks and is heavily tested.
  • Passwordless authentication: Removes the password entirely. The three Microsoft methods are Windows Hello for Business (biometric/PIN on a device), the Microsoft Authenticator app (phone sign-in approval), and FIDO2 security keys (hardware keys).
  • Authenticator app modes: It can deliver a push notification, a time-based one-time passcode (TOTP), or full passwordless phone sign-in.
  • Security defaults: A free baseline that requires every user to register for MFA, enforces MFA for administrators and for sign-ins Microsoft judges risky, and blocks legacy authentication protocols. It suits small organisations that have not configured Conditional Access.
Passwordless is "more secure and more convenient" — there is no password to phish, reuse, or spray. If a scenario asks for the most secure method, FIDO2 / Windows Hello beats password + SMS.
Lesson 2.3 — SSO, SSPR & External Identities

Key Concepts

  • Single Sign-On (SSO): One authentication grants access to many applications. It reduces password fatigue and shrinks the attack surface — fewer passwords to steal.
  • Self-Service Password Reset (SSPR): Lets users reset or unlock their own accounts after verifying with registered methods, cutting helpdesk load. Admins can require multiple verification methods.
  • Microsoft Entra B2B: Invites external partners (guest users) into your tenant using their own credentials — they never get a password in your directory.
  • Microsoft Entra External ID / B2C: A customer-facing identity solution for consumer apps, supporting sign-up with social accounts (Google, Facebook) or local accounts.
  • Hybrid identity: Microsoft Entra Connect synchronises on-premises AD accounts into Entra ID so users have one identity across both worlds.
Tell B2B from B2C cleanly: B2B = partners/guests collaborating in your tenant; B2C = customers signing in to your public-facing apps. Both extend identity outside your employees.

🛡 Scenario — MFA stops a stolen-password attack

Situation: IT receives an alert: an employee's password appeared in a dark-web dump. Within minutes, an actor in an unfamiliar country starts attempting to sign in with that credential.

What happens with MFA enabled: The attacker provides the correct password but is immediately challenged for a second factor (phone app approval or TOTP code). Without the physical device, the authentication fails. Entra ID logs the failed attempts with location and IP. The employee is notified and changes their password.

What Conditional Access adds: A policy scoped to "sign-in risk = High" or "unfamiliar country" can block the attempt entirely, even before MFA is reached. The combination of MFA + Conditional Access is the SC-900 answer for "how do you protect against credential theft".

Key takeaways
  • Entra ID is a cloud identity platform using OAuth / OIDC / SAML — it is not on-premises Active Directory moved to the cloud.
  • MFA stops almost all stolen-credential attacks; passwordless (Windows Hello, Authenticator, FIDO2) is both more secure and more convenient.
  • B2B brings partners in as guests; B2C / External ID serves consumers; managed identities let apps authenticate with zero stored secrets.
⚡ Mini-quiz — Drill identity types, MFA factors, passwordless methods, and B2B vs B2C.
03
Microsoft Entra ID — Access Management & Governance
3 lessons · ~3h
Authentication proves who you are; this module is about what you are allowed to do and how access is governed over time. Conditional Access is the if-then engine, RBAC and PIM control privileged access, and Identity Protection plus Access Reviews keep access clean as people and risk change.
Lesson 3.1 — Conditional Access

Key Concepts

  • Conditional Access is an if-then policy engine: IF a set of signals is true, THEN apply a control. It is the practical implementation of "verify explicitly".
  • Signals (the "if"): user or group, application, device state, location/IP, and real-time sign-in risk. Policies evaluate these on every sign-in.
  • Controls (the "then"): grant access, block access, require MFA, require a compliant or hybrid-joined device, or require a password change.
  • Example policy: "If a user accesses the finance app from outside the corporate network, require MFA." A trusted-network sign-in passes silently; an outside one is challenged.
  • Report-only mode: Lets admins preview a policy's impact in sign-in logs before enforcing it — avoiding accidental lockouts.
Conditional Access requires a Microsoft Entra ID P1 (or higher) licence. Security defaults are the free, all-or-nothing alternative for organisations without P1.
Lesson 3.2 — Roles, RBAC & Privileged Identity Management

Key Concepts

  • Entra ID roles vs Azure RBAC roles: Entra ID roles (e.g. Global Administrator, User Administrator) manage identity-plane objects — users, groups, apps. Azure RBAC roles (e.g. Owner, Contributor, Reader) manage Azure resources — VMs, storage, networks. They are separate systems.
  • Least privilege: Assign the narrowest role that lets a person do their job. Avoid handing out Global Administrator or Owner broadly.
  • Privileged Identity Management (PIM): Provides just-in-time privileged access — an admin is eligible for a role and must activate it for a limited time, optionally with approval and MFA.
  • PIM benefits: Reduces standing privileged access (a smaller attack surface), creates an audit trail of every activation, and supports access expiry and review.
  • Microsoft Entra ID Governance: Adds entitlement management (access packages) and lifecycle workflows for joiner-mover-leaver scenarios.
Classic exam scenario: "Admins should not hold permanent Global Administrator rights." The answer is PIM — make them eligible, require time-bound activation with approval, and standing privilege drops to near zero.
Lesson 3.3 — Identity Protection & Access Reviews

Key Concepts

  • Microsoft Entra ID Protection: Uses machine learning to detect risk. User risk reflects a possibly compromised account (e.g. leaked credentials found on the dark web); sign-in risk reflects a suspicious individual sign-in (impossible travel, anonymous IP).
  • Risk-based policies: Identity Protection feeds risk into Conditional Access — for example, "if sign-in risk is high, block" or "if user risk is medium, require a secure password change".
  • Access Reviews: Periodically ask resource owners or the users themselves to recertify who still needs access to a group, app, or role. Reviews can be configured to remove access automatically when it is not recertified.
  • Why reviews matter: They directly support least privilege and "assume breach" — access granted for a project should not survive indefinitely.
  • Audit logs & sign-in logs: Entra ID records every directory change and every sign-in, giving the "auditing" pillar of identity its evidence trail.
Keep these straight: Identity Protection reacts to risk in real time; Access Reviews clean up stale access on a schedule; PIM limits privileged access to just-in-time windows.
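
Conditional Access as an if-then engine (Lesson 3.1) fed by Identity Protection risk (Lesson 3.3), as an added Python model that is not from the course page or from Microsoft: each policy carries assignments (include/exclude, apps, location, minimum risk) and grant controls; every matching enforced policy applies at once, a block anywhere wins, and report-only policies are recorded without affecting the decision. The tenant, users, groups, policy names and the excluded emergency-access account are constructed, and the real engine evaluates many more signals; only the evaluation logic is mirrored here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RISK_LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}
BREAK_GLASS = "breakglass@contoso.example"  # constructed emergency-access account, excluded everywhere


@dataclass
class SignIn:
    """The signals evaluated on each sign-in (the 'if' side)."""
    user: str
    groups: List[str]
    app: str
    trusted_location: bool      # source IP is inside a trusted named location
    device_compliant: bool
    sign_in_risk: str = "none"  # Identity Protection real-time risk for this sign-in
    user_risk: str = "none"     # Identity Protection risk that the account itself is compromised


@dataclass
class Policy:
    """One Conditional Access policy: assignments and conditions, then grant controls."""
    name: str
    grant: List[str]                                   # "block", "mfa", "compliant_device", "password_change"
    include: List[str] = field(default_factory=list)   # users or groups; empty means all users
    exclude: List[str] = field(default_factory=list)   # always exclude the break-glass account
    apps: List[str] = field(default_factory=list)      # empty means all cloud apps
    untrusted_locations_only: bool = False
    min_sign_in_risk: Optional[str] = None
    min_user_risk: Optional[str] = None
    report_only: bool = False                          # log the outcome, do not enforce


def applies(policy: Policy, s: SignIn) -> bool:
    """True when every configured condition of the policy matches the sign-in."""
    principals = {s.user, *s.groups}
    if principals & set(policy.exclude):
        return False
    if policy.include and not principals & set(policy.include):
        return False
    if policy.apps and s.app not in policy.apps:
        return False
    if policy.untrusted_locations_only and s.trusted_location:
        return False
    if policy.min_sign_in_risk and RISK_LEVELS[s.sign_in_risk] < RISK_LEVELS[policy.min_sign_in_risk]:
        return False
    if policy.min_user_risk and RISK_LEVELS[s.user_risk] < RISK_LEVELS[policy.min_user_risk]:
        return False
    return True


def evaluate(policies: List[Policy], s: SignIn) -> Dict[str, object]:
    """All matching enforced policies apply together: a block anywhere wins, otherwise the required
    controls stack. Report-only matches are recorded the way the sign-in log would show them."""
    required, applied, report_only = set(), [], []
    for p in policies:
        if not applies(p, s):
            continue
        if p.report_only:
            report_only.append(p.name)
            continue
        applied.append(p.name)
        required.update(p.grant)
    if "block" in required:
        decision, controls = "block", []
    elif required:
        decision, controls = "grant_with_controls", sorted(required)
    else:
        decision, controls = "grant", []
    return {"decision": decision, "controls": controls, "applied": applied, "report_only": report_only}


# Constructed tenant policy set: a baseline plus one policy still being trialled in report-only mode.
POLICIES = [
    Policy("Require MFA for all users", grant=["mfa"], exclude=[BREAK_GLASS]),
    Policy("Block high sign-in risk", grant=["block"], min_sign_in_risk="high", exclude=[BREAK_GLASS]),
    Policy("Medium user risk: MFA and password change", grant=["mfa", "password_change"],
           min_user_risk="medium", exclude=[BREAK_GLASS]),
    Policy("Finance app off-network needs compliant device", grant=["compliant_device"], apps=["Finance"],
           untrusted_locations_only=True, exclude=[BREAK_GLASS], report_only=True),
]


def stolen_password_attempt() -> Dict[str, object]:
    """Module 2 scenario: correct password, unfamiliar location, high real-time sign-in risk."""
    return evaluate(POLICIES, SignIn("alex@contoso.example", ["Staff"], "Outlook",
                                     trusted_location=False, device_compliant=False, sign_in_risk="high"))


if __name__ == "__main__":
    print(stolen_password_attempt())
```

Two practitioner points the model makes visible: the report-only finance policy shows up in the result without changing it, which is how you preview lockouts before enforcing; and the excluded break-glass account is never blocked, even at high risk, so that account needs compensating controls (long random credential, alerting on every use) rather than policy.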

🛡 Scenario — just-in-time admin access with PIM

Situation: A database administrator needs Global Admin rights for 30 minutes to complete a critical migration. After that they should have no elevated rights. Using standing Global Admin is too risky.

With Privileged Identity Management (PIM): The admin is made an eligible (not permanent) Global Admin in PIM. When the migration window arrives: 1) Admin opens PIM → My Roles → Activate "Global Administrator". 2) Enters a justification: "Completing prod DB migration ticket #4821". 3) Requests 30-minute activation → manager receives an approval request. 4) After approval, admin has Global Admin for exactly 30 minutes. 5) At the end of the window, the role expires automatically. 6) PIM logs the activation, justification, and approver for the audit trail.

Why this matters: No standing privilege = no opportunity for an attacker to exploit a dormant Global Admin account. The SC-900 exam pairs PIM with "least privilege" and "just-in-time access".
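
The activation flow above, as an added Python model that is not from the course page or the PIM service: eligibility is kept separate from activation, activation needs MFA and a justification, is capped at a maximum duration, must be approved by someone other than the requester, and expires on its own, so the principal is left with no standing assignment. Account names, the ticket number and the time limits are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

GLOBAL_ADMIN = "Global Administrator"
T0 = datetime(2024, 3, 14, 9, 0, tzinfo=timezone.utc)   # constructed start of the migration window


@dataclass
class Activation:
    principal: str
    role: str
    justification: str
    duration: timedelta
    approved_by: Optional[str] = None
    active_from: Optional[datetime] = None
    expires_at: Optional[datetime] = None


class JitRoleStore:
    """Simplified model of PIM eligible vs active assignments (not the PIM API)."""

    def __init__(self, max_duration: timedelta = timedelta(hours=1)):
        self.max_duration = max_duration
        self.eligible: Dict[str, Set[str]] = {}   # principal -> roles they may activate; never permanent
        self.activations: List[Activation] = []
        self.audit: List[str] = []                # every step leaves an entry

    def make_eligible(self, principal: str, role: str) -> None:
        self.eligible.setdefault(principal, set()).add(role)
        self.audit.append(f"ELIGIBLE {principal} {role}")

    def request_activation(self, principal, role, justification, duration, mfa_verified) -> Activation:
        """Activation settings enforced here: eligibility, MFA, justification, maximum duration."""
        if role not in self.eligible.get(principal, set()):
            raise PermissionError(f"{principal} is not eligible for {role}")
        if not mfa_verified:
            raise PermissionError("MFA is required before a privileged role can be activated")
        if not justification.strip():
            raise ValueError("a justification is required")
        if duration > self.max_duration:
            raise ValueError(f"{duration} exceeds the maximum activation of {self.max_duration}")
        act = Activation(principal, role, justification, duration)
        self.activations.append(act)
        self.audit.append(f"REQUEST {principal} {role} {duration} '{justification}'")
        return act

    def approve(self, act: Activation, approver: str, now: datetime) -> None:
        """Approval starts the clock; the expiry is fixed here, nothing has to revoke it later."""
        if approver == act.principal:
            raise PermissionError("requesters cannot approve their own activation")
        if act.active_from is not None:
            raise ValueError("activation already approved")
        act.approved_by, act.active_from, act.expires_at = approver, now, now + act.duration
        self.audit.append(f"ACTIVATE {act.principal} {act.role} until {act.expires_at.isoformat()} by {approver}")

    def has_role(self, principal: str, role: str, now: datetime) -> bool:
        """Effective check: only an approved, unexpired activation grants the role."""
        return any(a.principal == principal and a.role == role and a.active_from is not None
                   and a.active_from <= now < a.expires_at for a in self.activations)


def migration_scenario() -> Dict[str, object]:
    """The 30-minute Global Admin window from the scenario, checked before, during and after."""
    pim = JitRoleStore()
    dba, manager = "dba@contoso.example", "manager@contoso.example"
    pim.make_eligible(dba, GLOBAL_ADMIN)
    before = pim.has_role(dba, GLOBAL_ADMIN, T0)
    act = pim.request_activation(dba, GLOBAL_ADMIN, "Completing prod DB migration ticket #4821",
                                 timedelta(minutes=30), mfa_verified=True)
    pending = pim.has_role(dba, GLOBAL_ADMIN, T0 + timedelta(minutes=1))   # requested, not yet approved
    pim.approve(act, manager, T0 + timedelta(minutes=2))
    during = pim.has_role(dba, GLOBAL_ADMIN, T0 + timedelta(minutes=20))
    after = pim.has_role(dba, GLOBAL_ADMIN, T0 + timedelta(minutes=32))    # expired on its own
    return {"before": before, "pending": pending, "during": during, "after": after, "audit": pim.audit}


def guardrail_checks() -> Dict[str, bool]:
    """Which refusals fire for bad requests: True means the guardrail blocked it."""
    pim = JitRoleStore()
    dba = "dba@contoso.example"
    pim.make_eligible(dba, GLOBAL_ADMIN)
    attempts = {
        "not_eligible": (PermissionError, lambda: pim.request_activation(
            "intern@contoso.example", GLOBAL_ADMIN, "curious", timedelta(minutes=5), True)),
        "no_mfa": (PermissionError, lambda: pim.request_activation(
            dba, GLOBAL_ADMIN, "ticket #4821", timedelta(minutes=30), False)),
        "empty_justification": (ValueError, lambda: pim.request_activation(
            dba, GLOBAL_ADMIN, "   ", timedelta(minutes=30), True)),
        "over_max_duration": (ValueError, lambda: pim.request_activation(
            dba, GLOBAL_ADMIN, "ticket #4821", timedelta(hours=8), True)),
        "self_approval": (PermissionError, lambda: pim.approve(pim.request_activation(
            dba, GLOBAL_ADMIN, "ticket #4821", timedelta(minutes=30), True), dba, T0)),
    }
    results = {}
    for name, (exc, attempt) in attempts.items():
        try:
            attempt()
            results[name] = False
        except exc:
            results[name] = True
    return results


if __name__ == "__main__":
    print(migration_scenario())
    print(guardrail_checks())
```

The point to take from `has_role` is that nothing grants the role between request and approval, and nothing has to be revoked at the end: the expiry is part of the assignment, which is what turns standing privilege into a time window.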

Key takeaways
  • Conditional Access is the if-then engine: signals (user, device, location, risk) in, controls (MFA, block, compliant device) out.
  • Entra ID roles govern identity objects; Azure RBAC roles govern Azure resources — never mix the two up.
  • PIM = just-in-time privileged access; Identity Protection = real-time risk detection; Access Reviews = scheduled cleanup of stale access.
⚡ Mini-quiz — Drill Conditional Access signals, Entra vs RBAC roles, PIM, and Identity Protection.
04
Microsoft Security Solutions — Defender & Azure
3 lessons · ~5h
Domain 3 is the largest slice of the exam (35–40%). It covers Microsoft's security product portfolio: Defender for Cloud for posture, the Defender XDR workload products for threats, the unified XDR portal, and Azure's built-in network defences. The exam tests "which product solves this problem" — so build the mapping table.
Lesson 4.1 — Defender for Cloud & Azure Network Security

Key Concepts

  • Microsoft Defender for Cloud: A Cloud Security Posture Management (CSPM) + Cloud Workload Protection (CWP) tool. CSPM finds misconfigurations; CWP detects threats against running workloads.
  • Secure Score: Defender for Cloud's headline metric — a percentage of how well your environment follows security recommendations, with prioritised remediation steps.
  • Just-in-Time VM access: Keeps management ports (RDP/SSH) closed until an approved request opens them briefly — shrinking the attack surface.
  • Azure Firewall: A managed, stateful network firewall filtering traffic at layers 3–7 with threat intelligence. NSGs (Network Security Groups) are simpler IP/port allow-deny rules at the subnet or NIC level.
  • WAF, DDoS Protection & Bastion: The Web Application Firewall blocks layer-7 attacks (SQL injection, XSS); DDoS Protection absorbs volumetric attacks; Azure Bastion gives browser-based RDP/SSH with no public IP on the VM.
Mapping cue: NSG = basic IP/port filter; Azure Firewall = full managed firewall with threat intel; WAF = web-app (layer 7) protection; DDoS = volumetric mitigation; Bastion = secure remote access without open ports.
Lesson 4.2 — The Defender XDR Workload Products

Key Concepts

  • Microsoft Defender for Endpoint: Endpoint Detection & Response (EDR) for devices — Windows, macOS, Linux, mobile. Detects, investigates, and responds to threats on endpoints.
  • Microsoft Defender for Office 365: Protects email and collaboration — Safe Links rewrites and checks URLs, Safe Attachments detonates files in a sandbox, plus anti-phishing and anti-malware.
  • Microsoft Defender for Identity: Detects attacks against on-premises Active Directory — pass-the-hash, pass-the-ticket, Kerberoasting, reconnaissance — using domain-controller signals.
  • Microsoft Defender for Cloud Apps: A Cloud Access Security Broker (CASB) — discovers shadow IT, gives visibility into SaaS usage, and applies controls across cloud apps.
  • Common confusion: Defender for Identity protects on-prem AD; Identity Protection (Module 3) protects cloud Entra ID sign-ins — different products, similar names.
Match the noun in the question to the product: "devices/laptops" → Defender for Endpoint; "email/phishing" → Defender for Office 365; "on-prem AD attack" → Defender for Identity; "shadow IT / SaaS visibility" → Defender for Cloud Apps.
Lesson 4.3 — Microsoft Defender XDR Portal

Key Concepts

  • Microsoft Defender XDR: The unified portal (security.microsoft.com) that correlates signals from all the Defender workload products into one view — Extended Detection & Response.
  • Incidents: XDR groups related alerts from endpoints, email, identity, and cloud apps into a single incident, so an analyst sees the whole attack story rather than scattered alerts.
  • Automated investigation & response (AIR): XDR can automatically investigate alerts and take remediation actions — isolating a device, quarantining an email — reducing analyst workload.
  • Microsoft Secure Score (Defender): A posture score across Microsoft 365 identity, devices, and apps — distinct from Defender for Cloud's Secure Score, which is for Azure resources.
  • XDR vs SIEM: Defender XDR correlates Microsoft security signals out of the box; Microsoft Sentinel (Module 5) is a SIEM that ingests any source, including third-party logs.
XDR's value is correlation: instead of an email alert, an endpoint alert, and an identity alert sitting separately, XDR stitches them into one incident — the analyst sees a single coherent attack.

🛡 Scenario — improving posture with Defender Secure Score

Situation: A new security manager wants to understand the current cloud security posture and produce a 90-day improvement plan.

Walk: 1) Open Microsoft Defender for Cloud → Secure Score. Current score: 42 / 100. 2) Click "Recommendations" → sorted by score impact. Top item: "Enable MFA for accounts with Owner permissions" (+12 pts). 3) Click the recommendation → see exactly which accounts lack MFA → go to Entra ID and enrol them. 4) Next: "Install endpoint protection on VMs" (+8 pts) → deploy Microsoft Defender for Endpoint via the portal. 5) After applying the top 5 recommendations, score rises to 67 / 100.

SC-900 pattern: "Which service shows your current security score and what to fix?" = Defender for Cloud. The score is a percentage of maximum, driven by applied vs available recommendations.

Key takeaways
  • Defender for Cloud = posture (CSPM, Secure Score) + workload protection for Azure resources; Defender XDR = unified threat portal for Microsoft 365.
  • Match the workload product to the noun: Endpoint → devices, Office 365 → email, Identity → on-prem AD, Cloud Apps → SaaS / shadow IT.
  • Azure network security stacks up: NSG (IP/port filter) → Azure Firewall (managed L3–7) → WAF (web apps) → DDoS (volumetric) → Bastion (no-open-port remote access).
⚡ Mini-quiz — Drill the Defender product map, Secure Score, and Azure network security controls.
05
Microsoft Sentinel & Azure Key Vault
3 lessons · ~3h
Microsoft Sentinel is Microsoft's cloud-native SIEM and SOAR platform — it collects security data at scale, detects threats, and automates the response. This module covers how Sentinel ingests, detects, and responds, then closes with Azure Key Vault, the managed home for secrets, keys, and certificates.
Lesson 5.1 — Sentinel as a SIEM: Ingest & Detect

Key Concepts

  • SIEM defined: Security Information and Event Management — a system that collects logs from across the estate, correlates them, and surfaces threats. Sentinel is a cloud-native SIEM with no infrastructure to manage.
  • Data connectors: Sentinel ingests data through connectors for Microsoft sources (Entra ID, Microsoft 365, Defender, Azure activity) and third-party sources (firewalls, other clouds, on-prem systems).
  • Log Analytics workspace: Sentinel stores ingested data in a Log Analytics workspace and queries it with KQL (Kusto Query Language).
  • Analytics rules: Scheduled queries that detect threats and raise alerts; related alerts are grouped into incidents for investigation.
  • Workbooks: Interactive dashboards that visualise ingested data — useful for monitoring trends and reporting to management.
Sentinel's advantage over a traditional SIEM is scale and zero infrastructure: it ingests cloud-scale data, scales automatically, and bills on consumption — no servers to size or patch.
Lesson 5.2 — Sentinel as a SOAR: Respond & Hunt

Key Concepts

  • SOAR defined: Security Orchestration, Automation and Response — automating the reaction to detected threats so analysts are not doing every step by hand.
  • Playbooks: Sentinel's automation, built on Azure Logic Apps. A playbook can be triggered by an incident to, for example, disable a user, isolate a device, or post a Teams message.
  • Automation rules: Govern how incidents are handled at scale — assigning, tagging, closing, or running playbooks based on conditions.
  • Threat hunting: Proactive, hypothesis-driven searching for threats that have not triggered an alert — using built-in hunting queries and bookmarks.
  • UEBA: User and Entity Behavior Analytics builds a baseline of normal behaviour and flags anomalies, helping detect compromised accounts and insider threats.
SIEM vs SOAR in one line: SIEM detects (collect and analyse logs), SOAR responds (automate the reaction with playbooks). Sentinel does both — that is why it is described as SIEM + SOAR.
Lesson 5.3 — Azure Key Vault

Key Concepts

  • Azure Key Vault: A managed service for safely storing and controlling access to secrets, keys, and certificates.
  • Secrets: Arbitrary sensitive values you store and retrieve — passwords, connection strings, API keys.
  • Keys: Cryptographic keys used by Key Vault to perform encryption, decryption, and signing — they are used inside the vault, not exported.
  • Certificates: TLS/SSL certificates Key Vault can store, manage, and auto-renew.
  • Access & auditing: Access is controlled with Azure RBAC (or access policies) and every operation is logged for audit. Combined with a managed identity, an application reads a secret without ever storing a credential.
Don't confuse the three: a secret is a value you retrieve; a key is a crypto object used inside the vault; a certificate is an X.509 cert. All three are protected and audited by Key Vault.

🛡 Scenario — investigating a password-spray alert in Sentinel

Situation: Microsoft Sentinel raised a high-severity incident at 3 AM: "Password spray attack detected" — 47 failed sign-in attempts against 12 accounts in 8 minutes, all from the same IP.

Investigation in Sentinel: 1) Open Sentinel → Incidents → select the incident. 2) View the investigation graph: one source IP, multiple targeted accounts, all failed except one (the IT service account). 3) That account authenticated successfully → treat it as compromised. 4) An automated playbook triggers: it revokes the account's sessions, resets its password, adds the IP to a blocked Named Location enforced by a Conditional Access block policy, and pages on-call via a Teams webhook. 5) The analyst confirms the pattern with a KQL query in Log Analytics: SigninLogs | where ResultType != "0" | summarize count() by IPAddress, bin(TimeGenerated, 5m) (ResultType is a string column, so the success code is quoted). 6) Close the incident as "True Positive — Compromised Account".

Exam shorthand: Sentinel = SIEM (collect + detect) + SOAR (automate + respond). Key Vault = store secrets. Know both by what they do, not just their names.
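
The password-spray detection from the scenario run over constructed sample rows, as an added Python example that is not from the course page or from Microsoft Sentinel: it mirrors the summarize-by-IP-and-5-minute-bin logic of the KQL query, flags (IP, window) pairs that exceed both a failure count and a distinct-account count, and then looks for a success from a spraying IP after its first failure, which is the account to contain. The IPs come from documentation ranges; accounts, timestamps, result codes in the rows and thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed rows shaped like the SigninLogs table. ResultType "0" is success; "50126" is Entra's
# "invalid username or password" code. IPs are from documentation ranges, accounts are invented.
BASE = datetime(2024, 3, 14, 3, 2, 0, tzinfo=timezone.utc)
TARGETS = [f"user{i:02d}@contoso.example" for i in range(1, 12)] + ["svc-it@contoso.example"]
SPRAY_IP, OFFICE_IP = "203.0.113.45", "198.51.100.7"


def build_sample_signins() -> List[Dict[str, object]]:
    def row(offset_s: int, upn: str, ip: str, result: str) -> Dict[str, object]:
        return {"TimeGenerated": BASE + timedelta(seconds=offset_s), "UserPrincipalName": upn,
                "IPAddress": ip, "ResultType": result}
    # 47 failures against 12 accounts in under 8 minutes: one guess every 10 seconds, round-robin.
    rows = [row(10 * i, TARGETS[i % len(TARGETS)], SPRAY_IP, "50126") for i in range(47)]
    rows.append(row(490, "svc-it@contoso.example", SPRAY_IP, "0"))   # the guess that worked
    # Benign noise: a user mistypes twice from the office network, then signs in.
    rows += [row(5, "user03@contoso.example", OFFICE_IP, "50126"),
             row(20, "user03@contoso.example", OFFICE_IP, "50126"),
             row(40, "user03@contoso.example", OFFICE_IP, "0")]
    return rows


def bin_start(ts: datetime, minutes: int) -> datetime:
    """Floor to the start of the window, like KQL's bin(TimeGenerated, 5m)."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def detect_password_spray(rows: List[Dict[str, object]], window_minutes: int = 5,
                          min_failures: int = 10, min_accounts: int = 5) -> List[Dict[str, object]]:
    """Equivalent of: SigninLogs | where ResultType != "0"
       | summarize failures=count(), accounts=dcount(UserPrincipalName) by IPAddress, bin(TimeGenerated, 5m)
    keeping only (IP, window) pairs over both thresholds. Many accounts, few tries each, is the spray signature;
    the distinct-account threshold is what separates it from one user fumbling a password."""
    buckets: Dict[Tuple[str, datetime], Dict[str, object]] = defaultdict(
        lambda: {"failures": 0, "accounts": set(), "first_failure": None})
    for r in rows:
        if r["ResultType"] == "0":
            continue
        b = buckets[(r["IPAddress"], bin_start(r["TimeGenerated"], window_minutes))]
        b["failures"] += 1
        b["accounts"].add(r["UserPrincipalName"])
        if b["first_failure"] is None or r["TimeGenerated"] < b["first_failure"]:
            b["first_failure"] = r["TimeGenerated"]
    return [
        {"ip": ip, "window": start, "failures": b["failures"], "accounts": sorted(b["accounts"]),
         "first_failure": b["first_failure"]}
        for (ip, start), b in sorted(buckets.items())
        if b["failures"] >= min_failures and len(b["accounts"]) >= min_accounts
    ]


def compromised_after_spray(rows: List[Dict[str, object]],
                            findings: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """A success from a spraying IP after its first failure marks the account to contain."""
    first_failure: Dict[str, datetime] = {}
    for f in findings:
        first_failure[f["ip"]] = min(first_failure.get(f["ip"], f["first_failure"]), f["first_failure"])
    hits = {(r["IPAddress"], r["UserPrincipalName"]) for r in rows
            if r["ResultType"] == "0" and r["IPAddress"] in first_failure
            and r["TimeGenerated"] > first_failure[r["IPAddress"]]}
    return sorted(hits)


def investigate() -> Dict[str, object]:
    """Run detection and follow-up over the constructed rows; returns what an analyst would read off."""
    rows = build_sample_signins()
    findings = detect_password_spray(rows)
    targeted = sorted(set().union(*(f["accounts"] for f in findings))) if findings else []
    return {"findings": findings, "compromised": compromised_after_spray(rows, findings),
            "total_failures": sum(f["failures"] for f in findings), "targeted_accounts": targeted}


if __name__ == "__main__":
    result = investigate()
    for f in result["findings"]:
        print(f"{f['ip']} {f['window']:%H:%M}: {f['failures']} failures across {len(f['accounts'])} accounts")
    print("compromised:", result["compromised"])
```

The office user's two typos fall well under both thresholds and are never flagged, while the 47 spray failures split across two 5-minute bins and both exceed them; a spray that paces itself just under the per-bin count is the blind spot of any fixed-window rule, which is why analytics rules are usually paired with a longer look-back or a per-account-failure ratio.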

Key takeaways
  • Microsoft Sentinel is a cloud-native SIEM + SOAR — it ingests via data connectors, detects with analytics rules, and responds with playbooks.
  • SIEM detects, SOAR responds — analytics rules raise incidents; playbooks (Logic Apps) automate the reaction; hunting is proactive search.
  • Azure Key Vault safeguards secrets, keys, and certificates; paired with a managed identity an app authenticates with zero stored credentials.
⚡ Mini-quiz — Drill SIEM vs SOAR, data connectors, playbooks, and Key Vault secrets/keys/certs.
06
Microsoft Purview — Information Protection & DLP
3 lessons · ~2h
Microsoft Purview is the compliance umbrella. This module covers the information protection half: classifying and protecting data with sensitivity labels, stopping leaks with Data Loss Prevention, governing the data lifecycle with retention, and catching risky behaviour with Insider Risk Management.
Lesson 6.1 — Data Classification & Sensitivity Labels

Key Concepts

  • Data classification: The first step of protection — knowing what data you have and how sensitive it is. Purview offers built-in sensitive-information types (credit card, passport, national ID) and trainable classifiers.
  • Sensitivity labels: Tags applied to documents and emails (e.g. Public, General, Confidential, Highly Confidential) that travel with the file wherever it goes.
  • Label actions: A label can encrypt content, add visual markings (headers, footers, watermarks), and restrict who can open or edit it.
  • Automatic vs manual labelling: Labels can be applied manually by users or automatically when content matches a sensitive-information type.
  • Content Explorer & Activity Explorer: Purview tools that show where sensitive data lives and how labelled content is being used.
The power of a sensitivity label is persistence: encryption and access restrictions stay attached to the file even after it is emailed outside the organisation or copied to a USB drive.
Lesson 6.2 — Data Loss Prevention (DLP)

Key Concepts

  • Data Loss Prevention: Policies that detect and prevent the sharing of sensitive content — credit card numbers, national IDs, health records — across email, Teams, SharePoint, OneDrive, and endpoints.
  • How DLP acts: When a policy matches, it can block the action, warn the user, allow with a business justification, or silently audit — and notify administrators.
  • Endpoint DLP: Extends DLP to actions on managed Windows and macOS devices — copying to USB, printing, or uploading to unsanctioned cloud apps.
  • Policy tips: User-facing prompts that educate people in the moment ("this email contains a credit card number") rather than only blocking silently.
  • DLP vs sensitivity labels: Labels classify and protect content; DLP watches actions and stops sensitive data from leaving — labels are an input DLP policies can use.
Scenario cue: "Stop staff from emailing customer credit-card numbers outside the company" → that is a DLP policy. DLP governs the action of sharing, not the file's classification.
Lesson 6.3 — Retention & Insider Risk Management

Key Concepts

  • Retention policies and labels: Govern the data lifecycle — keep content for a required period, delete it after a period, or both. They satisfy "keep records for 7 years" regulations and reduce stale-data risk.
  • Retention vs deletion: A retention setting can ensure data is not deleted too early (for compliance) and/or is deleted when no longer needed (to limit liability).
  • Insider Risk Management: Detects risky internal behaviour — data theft before an employee leaves, leaking confidential information, policy violations — by correlating signals across Microsoft 365.
  • Privacy by design: Insider Risk Management pseudonymises users by default and uses role-based access so investigations respect employee privacy.
  • Insider Risk vs DLP: DLP blocks a specific data transfer; Insider Risk Management spots a pattern of risky behaviour over time — different problems, complementary tools.
Retention is two-sided: it can force data to be kept (regulatory hold) and force it to be deleted (minimise liability). The exam may test either direction.

🛡 Scenario — stopping credit card numbers from leaving via email

Situation: A compliance officer is concerned that customer payment data might be accidentally emailed outside the organisation. No incidents have been confirmed yet, but a regulatory audit is coming.

With Microsoft Purview DLP: 1) Microsoft Purview → Data Loss Prevention → Create policy. 2) Choose template: "Financial — PCI DSS" (pre-built, detects credit card number patterns). 3) Scope: Exchange email + Teams messages. 4) Action: if a message matches and the recipient is external, block sending and display a policy tip to the sender ("This message appears to contain payment card data. Sending to external addresses is not permitted."). 5) First run in simulation mode (audit only, no blocking) for 7 days to tune false positives. 6) After tuning, set to enforce. Incidents appear in the compliance dashboard.
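The policy logic of steps 2 to 6 as an added Python example (not Purview's code and not from the course): a PCI-style card-number detector with a Luhn check to cut false positives, an external-recipient test, and the simulation-versus-enforce switch that decides between audit-only and block-with-policy-tip. The tenant domain, messages and tip text are constructed.

```python
import re

INTERNAL_DOMAIN = "contoso.example"   # assumed tenant domain (constructed)
POLICY_TIP = ("This message appears to contain payment card data. "
              "Sending to external addresses is not permitted.")
# 13-19 digits, optionally separated by spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum: true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return digit strings that look like card numbers AND pass Luhn,
    so order or reference numbers of the same length are not flagged."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def evaluate_dlp(message, mode="enforce"):
    """message: {'from': str, 'to': [str], 'body': str}.
    mode 'simulation' audits what would happen; 'enforce' blocks."""
    cards = find_card_numbers(message["body"])
    external = [r for r in message["to"]
                if r.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]
    if not cards or not external:          # policy condition not met
        return {"action": "allow", "matches": len(cards)}
    if mode == "simulation":               # step 5: record, do not disrupt
        return {"action": "audit", "would_block": True,
                "matches": len(cards), "external": external}
    return {"action": "block", "policy_tip": POLICY_TIP,   # step 6
            "matches": len(cards), "external": external}


# Constructed sample: one real-looking test card plus a reference number
SAMPLE = {"from": "alice@contoso.example", "to": ["bob@partner.example"],
          "body": "Card 4111 1111 1111 1111, order ref 1234 5678 9012 3456"}
```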

Exam note: Simulation mode (test mode) is the SC-900 answer for "how do you deploy a DLP policy without disrupting users while you tune it".

Key takeaways
  • Sensitivity labels classify and protect content — encryption and markings travel with the file anywhere it goes.
  • DLP watches the action of sharing and blocks sensitive data from leaving; it can use labels as a signal.
  • Retention governs the keep/delete lifecycle; Insider Risk Management spots patterns of risky behaviour — not single transfers.
⚡ Mini-quiz — Drill sensitivity labels, DLP policies, retention, and Insider Risk Management.
07
Microsoft Purview — Compliance Management & eDiscovery
3 lessons · ~2h
The second half of Purview is about proving and managing compliance: measuring posture with Compliance Manager, finding and preserving data for legal cases with Audit and eDiscovery, and applying organisational controls with Communication Compliance, Information Barriers, and Priva.
Lesson 7.1 — Compliance Manager & Compliance Score

Key Concepts

  • Microsoft Purview Compliance Manager: A tool that assesses your environment against regulations and standards — GDPR, ISO 27001, NIST, HIPAA — and recommends improvement actions.
  • Compliance score: A measurement of progress toward compliance, calculated from completed improvement actions. Microsoft-managed actions and customer-managed actions both contribute.
  • Assessments and templates: Pre-built templates for hundreds of regulations let you start an assessment without building controls from scratch.
  • Improvement actions: Each carries a points value and guidance; completing them raises the score and reduces risk.
  • Why it matters: Compliance Manager turns "are we compliant?" into a concrete, trackable score with a prioritised to-do list.
Exam trap: Compliance Manager (and its score) is about your compliance posture against regulations. It is not an activity log — that is Audit (next lesson). Mixing these two is a classic SC-900 mistake.
Lesson 7.2 — Audit & eDiscovery

Key Concepts

  • Microsoft Purview Audit: An immutable log of user and admin activity across Microsoft 365. Audit (Standard) provides basic logging; Audit (Premium) adds longer retention (up to a year or more) and high-value events.
  • eDiscovery: The process of identifying, holding, and exporting electronic content for legal cases or investigations.
  • eDiscovery tiers: Content Search finds content across M365; eDiscovery (Standard) adds case management and legal hold; eDiscovery (Premium) adds review sets, custodian management, and advanced analytics.
  • Legal hold: Preserves content so it cannot be deleted or altered while litigation is pending — even if a user tries to delete it.
  • Audit vs eDiscovery: Audit answers "what did people do?"; eDiscovery answers "find and preserve the content relevant to this case".
Keep the pair distinct: Audit is the activity log (who did what, when); eDiscovery locates and preserves the actual documents and messages for legal review.
Lesson 7.3 — Communication Compliance, Information Barriers & Priva

Key Concepts

  • Communication Compliance: Detects inappropriate or risky messages — harassment, threats, sharing of sensitive data, regulatory violations — across Teams, Exchange, and other channels.
  • Information Barriers: Policies that block communication and collaboration between defined user segments — for example, preventing an investment-banking team from chatting with a trading team to avoid conflicts of interest.
  • Microsoft Priva: A privacy-management solution. Priva Privacy Risk Management finds privacy risks in stored personal data; Priva Subject Rights Requests automates GDPR data-subject requests (access, deletion).
  • Customer Lockbox: Requires explicit customer approval before a Microsoft engineer can access customer content during a support case.
  • How they fit: These are the organisational-control tools — they govern how people communicate and how privacy obligations are met, completing the Purview picture.
Scenario cue: "GDPR data-subject access requests must be handled efficiently" → Microsoft Priva Subject Rights Requests. "Two departments must not communicate" → Information Barriers.

🛡 Scenario — legal hold and eDiscovery for litigation

Situation: Legal counsel notifies IT: the company is being sued over a contract dispute. All emails and Teams messages referencing "Project Falcon" from the past 18 months must be preserved and produced for discovery. Users involved must not be able to delete relevant messages.

With Microsoft Purview eDiscovery: 1) Purview → eDiscovery → Create case: "Falcon Contract Litigation". 2) Add custodians (the four employees named by legal) → place their mailboxes and OneDrive on Legal Hold. Hold overrides user deletes — deleted items are retained in a hidden recoverable-items folder. 3) Run a content search: keyword "Project Falcon" across Exchange + Teams + SharePoint. 4) Review the results set — 3,200 items found. 5) Export the results in PST format for the legal team's review tool. 6) Hold remains active until legal instructs removal.

SC-900 exam shorthand: Legal Hold = preserve (can't delete even if user tries). Content Search = find. eDiscovery = the full workflow (hold + search + review + export).

Key takeaways
  • Compliance Manager measures posture against regulations and produces a compliance score — it is not an activity log.
  • Audit is the immutable activity log; eDiscovery finds and preserves content (with legal hold) for legal cases.
  • Communication Compliance, Information Barriers, and Priva govern how people communicate and how privacy obligations like GDPR requests are met.
⚡ Mini-quiz — Drill Compliance Manager vs Audit, eDiscovery tiers, Information Barriers, and Priva.

Product → Function cheat sheet

SC-900 heavily tests "which product does X". Memorise this mapping before your exam.

Identity & Access: Entra ID = cloud identity platform. Conditional Access = if-then access policies. PIM = just-in-time admin access. Identity Protection = risk-based sign-in detection. SSPR = users reset their own passwords. B2B = partner access. B2C = consumer app auth.
Endpoint & Email Security: Defender for Endpoint = EDR for Windows/Mac/Linux devices. Defender for Office 365 = Safe Links, Safe Attachments, anti-phishing for email. Intune = MDM/MAM for device compliance.
Cloud & Network Security: Defender for Cloud = CSPM (posture / Secure Score) + CWP (threat detection on workloads). Azure Firewall = layer 4/7 managed firewall. NSG = network-layer IP/port filter. WAF = layer 7 OWASP protection. DDoS Protection = volumetric attack mitigation. Azure Bastion = browser-based RDP/SSH without open ports.
SIEM / SOAR / CASB: Microsoft Sentinel = SIEM (log collection + analytics) + SOAR (playbooks). Defender for Cloud Apps = CASB (shadow IT, SaaS visibility). Defender for Identity = on-prem AD attack detection (pass-the-hash, Kerberoasting).
Secrets & Crypto: Azure Key Vault = store secrets (passwords/keys/certs). Keys = used BY Key Vault for crypto operations. Secrets = arbitrary values you retrieve. Managed Identity = no-credential app auth to Azure services.
Compliance: Purview = compliance umbrella. Sensitivity labels = classify + protect documents. DLP = block sharing sensitive data. Retention = lifecycle (keep / delete). Insider Risk = detect anomalous data exfiltration. Compliance Manager = score vs GDPR/ISO/NIST. Audit = immutable activity log. eDiscovery = legal hold + content search. Information Barriers = block communication between segments. Priva = GDPR subject rights requests.

Ready to test your SC-900 knowledge?

60 scenario-based questions across all 4 exam domains. Track your progress, review explanations, and identify gaps. No signup required.


Pass SC-900 in 2 weeks

SC-900 is a beginner exam — 10–12 hours of focused study is enough for most candidates. Here's a realistic plan.

  • Days 1–2: Module 1 (Concepts) + Module 2 (Entra ID Authentication). Focus on Zero Trust principles — at least 3–5 questions directly test this.
  • Days 3–4: Module 3 (Entra ID Access Management). Master Conditional Access, PIM, and Identity Protection — these appear frequently.
  • Days 5–7: Module 4 (Defender products). Build the product-to-function mapping table. This is the largest domain — don't rush it.
  • Day 8: Module 5 (Sentinel + Key Vault). Understand SIEM vs SOAR, data connectors, playbooks. Key Vault: secrets vs keys vs certificates.
  • Days 9–10: Modules 6 & 7 (Purview). Learn the difference between sensitivity labels, DLP, and retention. Know Compliance Manager vs Compliance Score.
  • Days 11–14: Full practice test × 2. Review every incorrect answer. Listen to the CertQuests podcast for reinforcement. Book your exam.
Top 3 common mistakes on SC-900:
1. Confusing Compliance Manager (tracks your compliance posture score) with Audit (immutable activity log).
2. Mixing up Defender for Cloud (CSPM for Azure resources) with Microsoft Sentinel (SIEM for security events).
3. Forgetting that Insider Risk Management detects patterns of risky behaviour while DLP blocks specific data transfers — they solve different problems.
Study smarter, not just harder

The CertQuests podcast covers Microsoft Defender product comparisons, Zero Trust use cases, and Purview compliance scenarios — all mapped to SC-900 objectives. Perfect for revision on the go.


Continue the Microsoft path

SC-900 opens the door to Microsoft's security and cloud certification tracks.

BEGINNER
Azure AZ-900
Azure Fundamentals — perfect companion to SC-900
INTERMEDIATE
Azure AZ-104
Azure Administrator — next step for cloud ops roles
INTERMEDIATE
CompTIA Security+
Vendor-neutral security cert — great alongside SC-900
ADVANCED
CompTIA CySA+
Cybersecurity Analyst — deeper SIEM & threat analysis