SC-900 is the Microsoft security cert designed for everyone who touches security — not just engineers.
Most security certifications in 2026 are written for practitioners: analysts who triage alerts, engineers who configure firewalls, architects who design zero-trust networks. SC-900 occupies a different space. It is Microsoft's foundational credential for anyone who needs to understand what Microsoft's security, compliance, and identity products do, why they matter, and how they relate to each other — without necessarily being the person who configures them day-to-day.
That scope makes SC-900 unusually broad in its intended audience. A junior IT administrator studying toward AZ-500 or SC-200 uses SC-900 as a structured introduction to the Microsoft security ecosystem. A compliance officer managing data governance in Microsoft Purview uses SC-900 to establish the vocabulary and framework for everything their organisation's security team is building. A project manager overseeing a Microsoft 365 deployment uses SC-900 to understand what Conditional Access, Microsoft Entra ID, and Defender for Office 365 actually do when the security architect recommends them. This breadth is by design — and it is why SC-900 is a consistently high-volume exam despite being an entry-level credential.
From a certification career standpoint, SC-900 is valuable because Microsoft's security certification landscape has expanded dramatically since 2020. Where once there was a single security-focused Microsoft track, there are now five active role-based security credentials: SC-200, SC-300, SC-400, AZ-500, and the expert-level SC-100 Cybersecurity Architect. SC-900 is the shared foundation that applies to all of them. Candidates who hold SC-900 arrive at each of the role-based exams having already covered the fundamental concepts, vocabulary, and product landscape those exams assume as background knowledge. It is not required for any of them — but it measurably reduces the conceptual ramp-up time for candidates who are newer to Microsoft's security products.
What SC-900 tests: the four domains
SC-900 was updated in 2022 and again in 2023 to reflect Microsoft's rebranding of Azure Active Directory to Microsoft Entra ID and the expansion of the Microsoft Purview compliance suite. The current exam objectives as of 2026 cover four domains with the following approximate weights.
Domain 1: Security, compliance, and identity concepts — 10–15%
The foundational domain that establishes the vocabulary for everything else in the exam. The lightest-weighted domain but the one you must understand before the others make sense.
- Security concepts: The shared responsibility model defines which security responsibilities belong to the cloud provider and which belong to the customer — this boundary shifts depending on the service model. In SaaS, the provider handles physical, network, OS, and application security; the customer is responsible for identity, data, and access. In IaaS, the customer is responsible for everything above the hypervisor. Defense-in-depth layers multiple security controls (identity, network, endpoint, data, application) so a breach at one layer does not compromise the entire system. Zero trust means verify explicitly (authenticate and authorise every request regardless of network location), use least-privilege access (grant only the permissions required), and assume breach (segment access, encrypt data, detect anomalies). These three principles appear throughout the exam because they underpin Microsoft's entire security product strategy.
- Identity concepts: Identity is the new security perimeter. Authentication (AuthN) proves who you are. Authorisation (AuthZ) determines what you can do after your identity is confirmed. Federation allows identities from one identity provider to be trusted in another domain — SAML, OIDC, and WS-Federation are the protocols that enable single sign-on across organisational boundaries. Modern authentication flows (OAuth 2.0, OpenID Connect) replaced older, weaker protocols like NTLM in cloud scenarios. The distinction between authentication and authorisation appears in multiple exam questions across all four domains.
- Compliance concepts: Data residency (where data is physically stored), data sovereignty (which jurisdiction's laws apply), and data privacy (how personal data is handled) are the three compliance axes. GDPR grants EU residents rights over their personal data: access, rectification, erasure, and portability. Organisations demonstrate compliance through policies, technical controls, audits, and certifications. Microsoft provides compliance documentation through the Microsoft Service Trust Portal — know that this portal exists and what it contains.
Domain 2: Microsoft Entra capabilities — 25–30%
Microsoft Entra is the identity and access management product family. The second-largest domain tests your understanding of how Microsoft manages identity for users, devices, and applications — both inside and outside an organisation's boundary.
- Microsoft Entra ID (formerly Azure Active Directory): The cloud-based identity provider at the centre of Microsoft's security ecosystem. Every Microsoft 365, Azure, and Dynamics 365 tenant runs on Entra ID. Key concepts: tenant (a dedicated Entra ID instance for an organisation), users and groups, service principals (identities for applications and services), managed identities (Azure resources with their own identity for authenticating to other services without storing credentials in code). Entra Connect enables hybrid identity — on-premises Active Directory syncs to Entra ID so the same credentials work in both environments. Entra External Identities handles guest B2B access and customer B2C identity management.
- Authentication features: Multi-factor authentication (MFA) requires a second factor beyond the password. Microsoft Authenticator, FIDO2 security keys, Windows Hello for Business, and phone sign-in are the MFA methods Entra ID supports. Passwordless authentication eliminates the password entirely — the user authenticates with a FIDO2 key, Windows Hello biometric, or the Authenticator app's number matching prompt. Self-Service Password Reset (SSPR) allows users to reset passwords without the help desk. Entra ID Protection analyses sign-in patterns to detect risky sign-ins and compromised accounts using machine learning, and can trigger Conditional Access policies in response.
- Conditional Access: The policy engine that evaluates every authentication attempt and decides whether to allow access, require MFA, block access, or restrict the session. A Conditional Access policy has assignments (who it applies to; what apps it protects; which conditions trigger it — device platform, location, sign-in risk level) and access controls (what it does — grant with MFA requirement, require compliant device, block). Example: require MFA for all users accessing SharePoint from outside corporate network IPs. Conditional Access is an Entra ID Premium P1 feature.
- Privileged Identity Management (PIM): Enables just-in-time privileged access — instead of holding Global Administrator permanently, a user requests elevation for a limited time window (1–8 hours), which is logged, requires approval, and expires automatically. PIM is an Entra ID Premium P2 feature and a key exam topic because it implements least-privilege access at the identity layer. Entra Permissions Management provides multi-cloud permissions analytics across AWS, Azure, and GCP, identifying over-permissioned identities and unused access across all three providers.
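To make the assignments-plus-controls structure of a Conditional Access policy concrete, here is a small evaluator in Python. It is an added example, not Microsoft's code and not part of the SC-900 material: the policies, users, app names and IP ranges (TEST-NET addresses) are constructed, and the policy shape is a simplification of what the Entra portal exposes. The combination rule it models is the documented one: if any applicable policy blocks, the sign-in is blocked; otherwise every grant control from every applicable policy must be satisfied.

```python
"""Toy evaluator for Conditional Access policies (added illustration)."""
import ipaddress

# Constructed named locations: name -> list of CIDR ranges.
NAMED_LOCATIONS = {
    "Corporate network": ["203.0.113.0/24", "198.51.100.0/24"],
}

# Constructed policies. "All" mirrors the portal's "All users" / "All cloud apps".
POLICIES = [
    {
        "name": "Require MFA for SharePoint from outside the corporate network",
        "state": "enabled",
        "assignments": {
            "include_users": "All",
            "exclude_users": {"breakglass@example.com"},  # emergency-access account
            "include_apps": {"SharePoint Online"},
            "conditions": {"locations_exclude": {"Corporate network"}},
        },
        "controls": {"grant": {"mfa"}},
    },
    {
        "name": "Block high-risk sign-ins",
        "state": "enabled",
        "assignments": {
            "include_users": "All",
            "include_apps": "All",
            "conditions": {"sign_in_risk": {"high"}},
        },
        "controls": {"block": True},
    },
    {
        "name": "Require compliant device for Exchange on Windows",
        "state": "enabled",
        "assignments": {
            "include_users": "All",
            "include_apps": {"Exchange Online"},
            "conditions": {"device_platform": {"windows"}},
        },
        "controls": {"grant": {"compliant_device"}},
    },
]


def in_named_location(ip, location_names):
    """True if ip falls inside any CIDR of any of the named locations."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for name in location_names
               for cidr in NAMED_LOCATIONS.get(name, []))


def policy_applies(policy, signin):
    """Assignment check: does this sign-in fall within the policy's scope?"""
    if policy["state"] != "enabled":
        return False
    a = policy["assignments"]
    if signin["user"] in a.get("exclude_users", set()):
        return False
    if a["include_users"] != "All" and signin["user"] not in a["include_users"]:
        return False
    if a["include_apps"] != "All" and signin["app"] not in a["include_apps"]:
        return False
    cond = a.get("conditions", {})
    if "locations_exclude" in cond and in_named_location(signin["ip"], cond["locations_exclude"]):
        return False
    if "sign_in_risk" in cond and signin["sign_in_risk"] not in cond["sign_in_risk"]:
        return False
    if "device_platform" in cond and signin["platform"] not in cond["device_platform"]:
        return False
    return True


def evaluate(signin, policies=POLICIES):
    """Return the decision and the grant controls the user still has to satisfy."""
    applicable = [p for p in policies if policy_applies(p, signin)]
    names = [p["name"] for p in applicable]
    # Block from any applicable policy wins over every grant control.
    if any(p["controls"].get("block") for p in applicable):
        return {"decision": "block", "missing": set(), "policies": names}
    required = set()
    for p in applicable:
        required |= p["controls"].get("grant", set())
    satisfied = set()
    if signin.get("mfa_completed"):
        satisfied.add("mfa")
    if signin.get("device_compliant"):
        satisfied.add("compliant_device")
    missing = required - satisfied
    decision = "grant" if not missing else "require_controls"
    return {"decision": decision, "missing": missing, "policies": names}


if __name__ == "__main__":
    # Constructed sign-in: SharePoint from an off-network IP, MFA not yet done.
    print(evaluate({"user": "alice@example.com", "app": "SharePoint Online",
                    "ip": "192.0.2.44", "sign_in_risk": "low", "platform": "windows",
                    "mfa_completed": False, "device_compliant": True}))
```

The useful reading of the output is the `missing` set: a sign-in from the corporate range to SharePoint triggers nothing, the same sign-in from outside is held until MFA is completed, and a high-risk sign-in is blocked even though the MFA policy also applies. The excluded break-glass account passes the first policy entirely, which is why such exclusions need their own monitoring.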
Domain 3: Microsoft security solutions — 35–40%
The heaviest domain. It covers Microsoft's security products across cloud, endpoint, email, and network — a broad product landscape tested at conceptual depth rather than configuration depth.
- Microsoft Defender for Cloud: The unified cloud security posture management (CSPM) and cloud workload protection platform (CWPP) for Azure, AWS, and GCP. Defender for Cloud provides a Secure Score — a percentage metric reflecting how many security recommendations have been implemented. Each recommendation addresses a specific misconfiguration (public storage blob, unencrypted disk, missing MFA enforcement). Workload protection plans extend Defender to specific services: Defender for Servers, Defender for Containers, Defender for SQL, Defender for App Service, Defender for Key Vault. The exam tests the distinction between CSPM (posture: are resources configured securely?) and CWPP (protection: are running workloads under active threat?).
- Microsoft Sentinel: Microsoft's cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) platform. Sentinel ingests logs via data connectors, uses KQL-based analytics rules to detect threats, and creates incidents when rules trigger. Automation rules and playbooks (Logic Apps) automate responses: isolate a compromised VM, block a suspicious IP, send a Teams notification, open a ServiceNow ticket. Know the distinction: SIEM = collect, analyse, alert. SOAR = respond, automate. Sentinel handles both in one platform.
- Microsoft Defender XDR: The unified SOC portal integrating signals from Defender for Endpoint (device protection), Defender for Office 365 (email and collaboration), Defender for Identity (Active Directory attack detection), and Defender for Cloud Apps (SaaS shadow IT and data exfiltration). Defender XDR correlates alerts across all four products into unified incidents, reducing alert fatigue and providing end-to-end attack chain visibility. Know what each Defender product protects: Endpoint = Windows/macOS/Linux/iOS/Android devices; Office 365 = Exchange Online/Teams/SharePoint; Identity = on-premises Active Directory domain controllers; Cloud Apps = SaaS applications.
- Microsoft Intune and device compliance: Intune is Microsoft's mobile device management (MDM) and mobile application management (MAM) platform. MDM enrolls entire devices — corporate-owned devices are fully managed. MAM manages only work apps on personal devices without touching personal data. Intune integrates with Conditional Access: a policy can require that a device is Intune-enrolled and compliant (no jailbreak, required OS version, encryption enabled) before granting access to corporate resources. Entra ID + Intune + Conditional Access is the three-product combination that enforces device-based zero-trust access control.
- Azure network security: Network Security Groups (NSGs) filter traffic at the Azure Virtual Network level based on source IP, destination IP, port, and protocol. Azure Firewall is a managed stateful firewall with threat intelligence feed integration. Azure DDoS Protection defends against volumetric and protocol-level attacks — the Basic tier is built into the Azure platform at no charge; the Standard tier adds adaptive tuning and rapid response. Azure Bastion provides browser-based SSH/RDP access to VMs over TLS without exposing public IP addresses — the secure alternative to public RDP exposure and jump boxes.
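The NSG description above says rules filter on source, destination, port and protocol; what the exam also expects you to know conceptually is that rules are processed in priority order (lowest number first), the first match decides, and Azure's default DenyAllInBound rule at priority 65500 catches anything unmatched. The following Python model is an added example, not Azure's implementation: the VNet range, rules and packets are constructed, and the "Internet" and "VirtualNetwork" service tags are simplified to "outside the VNet" and "inside the VNet".

```python
"""Toy model of inbound NSG rule evaluation (added illustration)."""
import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/16")  # constructed VNet address space


def _addr_match(spec, ip):
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":          # simplified service tag
        return addr in VNET
    if spec == "Internet":                # simplified service tag
        return addr not in VNET
    return addr in ipaddress.ip_network(spec)


def _port_match(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-"))
        return low <= port <= high
    return int(spec) == port


def _proto_match(spec, proto):
    return spec == "*" or spec.lower() == proto.lower()


# Constructed inbound rules on a web-tier subnet (10.0.1.0/24). The deny at 120
# uses "*" as its source, so it also shadows the default AllowVnetInBound rule
# for SSH from other subnets; only the bastion-subnet allow at 110 wins.
INBOUND_RULES = [
    {"name": "AllowHTTPSFromInternet", "priority": 100, "access": "Allow",
     "protocol": "Tcp", "source": "Internet", "dest": "10.0.1.0/24", "dest_port": "443"},
    {"name": "AllowSSHFromBastionSubnet", "priority": 110, "access": "Allow",
     "protocol": "Tcp", "source": "10.0.255.0/26", "dest": "*", "dest_port": "22"},
    {"name": "DenySSHFromAnywhere", "priority": 120, "access": "Deny",
     "protocol": "Tcp", "source": "*", "dest": "*", "dest_port": "22"},
    # Azure default rules (the real set also has AllowAzureLoadBalancerInBound at 65001).
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow",
     "protocol": "*", "source": "VirtualNetwork", "dest": "VirtualNetwork", "dest_port": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny",
     "protocol": "*", "source": "*", "dest": "*", "dest_port": "*"},
]


def evaluate_inbound(packet, rules=INBOUND_RULES):
    """Return (access, rule_name) for the first rule, by priority, that matches."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if (_proto_match(rule["protocol"], packet["protocol"])
                and _addr_match(rule["source"], packet["src_ip"])
                and _addr_match(rule["dest"], packet["dst_ip"])
                and _port_match(rule["dest_port"], packet["dst_port"])):
            return rule["access"], rule["name"]
    return "Deny", "(no rule matched)"  # unreachable while DenyAllInBound is present


if __name__ == "__main__":
    # Constructed packet: SSH from another VNet subnet to the web tier.
    print(evaluate_inbound({"protocol": "Tcp", "src_ip": "10.0.2.9",
                            "dst_ip": "10.0.1.4", "dst_port": 22}))
```

The case worth noticing is SSH from 10.0.2.9: it is inside the VNet, so AllowVnetInBound would permit it, but the explicit deny at priority 120 is evaluated first. That is the ordering behaviour that makes Azure Bastion (or a dedicated bastion subnet allowed at a lower priority number) the path for administrative access rather than a public RDP/SSH exposure.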
Domain 4: Microsoft compliance solutions — 20–25%
The compliance domain covers Microsoft Purview — the consolidated suite that absorbed the former Microsoft 365 compliance centre and Azure Purview data governance platform. This domain is lighter on technical depth and heavier on governance concepts and product awareness.
- Microsoft Purview compliance portal and Compliance Manager: The unified dashboard for compliance management across Microsoft 365 and Azure. Compliance Manager provides a Compliance Score — analogous to Defender for Cloud's Secure Score — based on how many recommended improvement actions the organisation has implemented against frameworks like ISO 27001, SOC 2, NIST CSF, GDPR, and HIPAA. Each action is categorised as managed by Microsoft, managed by the customer, or shared responsibility. The Microsoft Service Trust Portal (STP) provides the compliance documentation, audit reports, and certifications that enterprise procurement teams request during vendor due diligence.
- Microsoft Purview information protection: Sensitivity labels classify and protect documents and emails based on content sensitivity — Public, Internal, Confidential, and Highly Confidential are common tiers. Labels can apply visual markings (header, footer, watermark), encryption, and access restrictions. Data Loss Prevention (DLP) policies detect and prevent sensitive data from leaving the organisation — detecting credit card numbers in emails and blocking the send, preventing social security numbers from being uploaded to SharePoint. The key distinction: sensitivity labels define what the data is; DLP enforces what can happen to it. Both are configured in the Microsoft Purview compliance portal and apply across Microsoft 365 services.
- Data lifecycle management and records: Retention policies automatically retain or delete content based on age, label, or criteria — a legal team might require all email retained for seven years; a regulation might mandate customer financial records deleted after five years. Retention labels can be applied manually or automatically by machine learning classifiers that detect content types (financial data, health records, legal documents). Records management locks content to prevent modification or deletion during a legally required hold — immutable storage for compliance with SEC Rule 17a-4 and similar regulations.
- eDiscovery and audit: eDiscovery supports legal holds and case management — when litigation starts, an organisation places a hold on mailboxes, Teams conversations, and SharePoint content to prevent deletion, then searches and exports for legal review. Microsoft Purview Audit Log captures user and admin activity across Microsoft 365 — who accessed a file, who changed a permission, who sent an email — providing the forensic trail required for incident response and regulatory compliance. Purview Audit Standard is included in most Microsoft 365 plans; Purview Audit Premium adds longer log retention and higher-bandwidth search for investigations. Azure Policy enforces organisational standards at the Azure resource level — requiring storage account encryption, VM cost centre tags, or restricting deployments to approved regions.
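The distinction the information-protection bullet draws (labels say what the data is; DLP decides what may happen to it) is easiest to see in code. The Python below is an added example, not Purview's implementation: it models two sensitive information types, credit card numbers (digit pattern plus the Luhn checksum, which is how a detector avoids flagging random 16-digit order numbers) and U.S. social security numbers (format check only), together with a rule that keys on a sensitivity label rather than on content. Rules, the organisation domain, labels and messages are all constructed.

```python
"""Simplified model of DLP rules over sensitive information types and labels."""
import re

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13 to 19 digits, optional separators
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
ACTION_SEVERITY = {"Block": 3, "NotifyUser": 2, "Audit": 1}
ORG_DOMAIN = "example.com"  # constructed


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive_info(text):
    """Return {sensitive-information-type: [matches]} for the types found."""
    found = {}
    cards = [m.group() for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"[ -]", "", m.group()))]
    if cards:
        found["Credit Card Number"] = cards
    ssns = SSN_RE.findall(text)
    if ssns:
        found["U.S. Social Security Number"] = ssns
    return found


# Constructed rules. "external_only" restricts a rule to messages with at least
# one recipient outside the organisation's domain.
DLP_RULES = [
    {"name": "Block credit card numbers leaving the organisation",
     "sit": "Credit Card Number", "min_count": 1, "external_only": True, "action": "Block"},
    {"name": "Warn on SSNs", "sit": "U.S. Social Security Number",
     "min_count": 1, "external_only": False, "action": "NotifyUser"},
    {"name": "Block Highly Confidential items sent externally",
     "label": "Highly Confidential", "external_only": True, "action": "Block"},
]


def evaluate_message(message, rules=DLP_RULES):
    """Apply every rule; the most severe action among the matching rules wins."""
    findings = find_sensitive_info(message["body"])
    external = any(not r.endswith("@" + ORG_DOMAIN) for r in message["recipients"])
    matched = []
    for rule in rules:
        if rule["external_only"] and not external:
            continue
        if "sit" in rule and len(findings.get(rule["sit"], [])) >= rule["min_count"]:
            matched.append(rule)
        elif "label" in rule and message.get("label") == rule["label"]:
            matched.append(rule)
    action = max((r["action"] for r in matched), key=ACTION_SEVERITY.get, default="Allow")
    return {"action": action, "rules": [r["name"] for r in matched], "findings": findings}


if __name__ == "__main__":
    # Constructed outbound email carrying a Luhn-valid test card number.
    print(evaluate_message({"body": "Please charge 4111 1111 1111 1111, exp 12/27",
                            "recipients": ["vendor@partner.example"], "label": None}))
```

Two behaviours map directly onto exam-style scenarios: the same card number sent to an internal colleague is detected but not blocked, because the rule's condition includes the external recipient, and a clean message labelled Highly Confidential is blocked externally even though no sensitive information type fires, because the label itself is the condition.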
SC-900 is conceptual rather than technical — the exam tests whether you understand what each product does and when to use it, not how to configure it. Candidates who struggle are those who try to memorise portal navigation paths or CLI syntax. The right preparation focus is product purpose, feature-to-capability mapping, and the relationships between products: Entra + Intune + Conditional Access; Defender for Cloud + Sentinel; sensitivity labels + DLP. Build that mental map and the exam questions become straightforward.
Exam format and logistics
SC-900 is a 60-minute exam delivered through Pearson VUE — at a test centre or via online proctoring. The exam contains approximately 40–60 questions, predominantly multiple-choice with some multi-select (choose two or three from a list). There are no lab tasks or simulation questions in SC-900 — it is fully multiple-choice. The passing score is 700 out of 1000. The exam costs $165 USD globally (country pricing through Pearson VUE may vary).
Microsoft certifications renew on a one-year cycle. Unlike AWS (three-year expiry with a full re-exam) or CompTIA (three-year cycle with CEs or renewal exam), Microsoft credentials expire after one year but renew free via an online assessment on Microsoft Learn. The SC-900 renewal assessment is approximately 26–35 questions, untimed, and can be taken from home without proctoring. Passing extends the credential for another year. Microsoft sends email reminders six months before expiry. This annual renewal model keeps the credential current — Microsoft regularly adds questions about new features (Entra Permissions Management, Purview updates, new Defender capabilities) to both the exam and renewal assessment.
- Cost: $165 USD
- Questions: ~45 multiple-choice
- Duration: 60 minutes
- Passing score: 700/1000
- Prerequisites: none
- Validity: 1 year (free annual renewal via Microsoft Learn)
- Delivery: Pearson VUE, test centre or online proctored
- Languages: English, Japanese, Chinese Simplified, Korean, German, French, Spanish, Portuguese, Arabic, Indonesian, Russian, Italian
Where SC-900 leads: the Microsoft security certification map
Microsoft security certification paths from SC-900
- SC-900 → SC-200 Security Operations Analyst — SC-200 tests Microsoft Sentinel, Microsoft Defender XDR, and Defender for Cloud at configuration depth. SC-900 covers these conceptually; SC-200 goes deeper into KQL query writing, playbook configuration, custom analytics rules, and incident response workflows. SC-200 holders work as SOC analysts and threat hunters in Microsoft-centric environments. Salary: $85k–$120k in security operations roles in 2026.
- SC-900 → AZ-500 Azure Security Engineer Associate — AZ-500 is the cloud security engineering cert that pairs with the AZ-104 Administrator track. SC-900 covers Defender for Cloud, NSGs, and Azure Firewall at an introductory level; AZ-500 adds Key Vault management, storage encryption, network security policy, and container security at hands-on configuration depth. The natural next step for Azure administrators moving into a dedicated security role. Salary: $120k–$145k in Azure security engineering roles in 2026.
- SC-900 → SC-300 Identity and Access Administrator Associate — SC-300 is the deep identity and access management cert for Microsoft Entra. SC-900 covers Entra ID, Conditional Access, and PIM conceptually; SC-300 tests the full identity lifecycle — user provisioning, hybrid identity configuration, application SSO integration, entitlement management, and access reviews. SC-300 holders manage identity infrastructure at Microsoft-heavy enterprises. Salary: $95k–$125k in IAM-focused roles in 2026.
- SC-900 → SC-400 Information Protection Administrator Associate — SC-400 tests Microsoft Purview information protection, data lifecycle management, and eDiscovery at configuration depth. SC-900 covers sensitivity labels, DLP, and retention policies conceptually; SC-400 adds label policy configuration, DLP tuning, custodian management, and insider risk management. SC-400 holders work in compliance and data governance teams at regulated enterprises. Salary: $90k–$120k in compliance-focused roles in 2026.
- SC-900 → SC-100 Cybersecurity Architect Expert — The expert-level credential that requires passing two exams (AZ-305 plus one of SC-200, SC-300, SC-400, or AZ-500) before attempting SC-100. SC-100 tests end-to-end security architecture across identity, networking, data, and application layers. SC-900 is the recommended first step for candidates on this long-range path because it establishes the product landscape before the role-based specialisations. Cybersecurity Architect Expert holders command $155k–$195k in architecture and advisory roles in 2026.
- SC-900 alongside MS-900 Microsoft 365 Fundamentals — MS-900 covers Microsoft 365 productivity, cloud concepts, and management at a similar foundational level. Many candidates take both as entry-level Microsoft credentials before specialising. Business analysts and project managers working on Microsoft 365 deployments sometimes hold both — MS-900 for the productivity side, SC-900 for the security and compliance side — without pursuing the deeper role-based certifications.
How to prepare for SC-900
SC-900 is a conceptual exam, not a hands-on one. You will not be asked to write Conditional Access policies, configure DLP rules, or set up Microsoft Sentinel data connectors — you will be asked which product solves which problem, what a product does, and which licensing tier a feature requires. Preparation reflects this: understanding over memorisation, product mapping over CLI syntax.
- Microsoft Learn official learning path: The free official SC-900 learning path on Microsoft Learn covers all four domains through interactive modules with knowledge checks. The complete path runs approximately 12–15 hours. Microsoft Learn is the highest-fidelity preparation resource because it is written by the same team that writes the exam objectives — the terminology, examples, and framing match the exam closely. Complete the learning path before any other preparation.
- Product naming awareness: The single biggest source of confusion in SC-900 is Microsoft's rebranding cycle. Azure Active Directory is now Microsoft Entra ID. Azure Security Center is now Microsoft Defender for Cloud. Azure Sentinel is now Microsoft Sentinel. The Microsoft 365 compliance centre is now the Microsoft Purview compliance portal. Microsoft 365 Defender is now Defender XDR. Exam questions use current names; knowing both old and new names helps when reading older blog posts or video courses.
- Build a product-purpose map: SC-900 questions frequently present a scenario and ask which product addresses it. For example: “an organisation wants to detect and respond to identity-based attacks targeting on-premises Active Directory” — the answer is Defender for Identity, not Sentinel (which aggregates signals), not Defender for Cloud (which covers Azure resources), not Entra ID Protection (which covers cloud sign-in risks). Drilling on these distinctions is more effective than reading product documentation exhaustively.
- Microsoft 365 Developer Program sandbox: Microsoft's free 90-day E5 developer sandbox (renewable) lets you navigate the Entra admin centre, Purview portal, and Defender XDR portal to build interface familiarity. This supplements conceptual study — it is not a substitute for it.
- Timeline: Two to three weeks of focused study (one to two hours per day) is sufficient for IT professionals with existing Microsoft experience. Three to five weeks for candidates with no prior Microsoft technology exposure. The Microsoft Learn path completed thoroughly is enough preparation for most candidates. SC-900 is a fundamentals exam — spending more than four weeks on it is opportunity cost better applied to SC-200 or AZ-500 study.
Practice Microsoft security and IT certification concepts with CertQuests — scenario-based quizzing for AZ-500, SC-200, AWS, CompTIA, and more.