Microsoft · 2026 Edition
A complete preparation guide written by Microsoft-certified engineers. Covers the exam format, all 9 blueprint domains, a week-by-week study plan, and proven tips for passing first time.
Prep time: 4–6 months
Difficulty: Advanced
Exam questions: 50
Pass mark: 700/1000
Exam code: SC-100
Full name: Microsoft Cybersecurity Architect
Vendor: Microsoft
Duration: 120 minutes
Questions: 50 items
Passing score: 700/1000 (scaled)
Domains covered: 9 blueprint domains
Recommended experience: SC-200 or AZ-500 or MS-500 required; 5+ years of security experience recommended
Typical prep time: 4–6 months
SC-100 earns the Cybersecurity Architect Expert designation — Microsoft's top security credential. It validates the ability to design end-to-end Zero Trust security strategies across identity, infrastructure, data, and applications at the enterprise level.
Job roles this opens
Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.
Weeks 1–3
Zero Trust Strategy: principles, access, network segmentation, application security
Tip: SC-100 is a strategy and architecture exam. Questions describe an enterprise with complex requirements and ask you to select the architectural approach that best meets them. Think at the systems level from day one — never at the individual resource configuration level.
Weeks 4–6
Governance, Risk and Compliance: NIST, ISO, CIS frameworks, Defender for Cloud regulatory compliance
Tip: Know how Microsoft Defender for Cloud maps its recommendations to compliance frameworks: NIST SP 800-53, ISO 27001, CIS Benchmarks, PCI DSS. Questions describe a compliance requirement and ask how to demonstrate or enforce it in Azure.
Weeks 7–9
Security for Infrastructure: hybrid cloud, multi-cloud, Azure Arc, Defender for Cloud plans
Tip: Azure Arc extends Azure management (Policy, Defender for Cloud, RBAC) to on-premises servers and other cloud VMs. Know when to recommend Arc vs a lift-and-shift migration vs a cloud-native rebuild.
Weeks 10–14
Security for Data, Applications and DevSecOps: data classification, SAST/DAST, secure SDLC
Tip: Data protection strategy covers data in motion (TLS), at rest (encryption with customer-managed keys in Key Vault), and in use (Azure Confidential Computing). Know when each layer of protection is required.
SC-100 requires holding at least one of: SC-200, AZ-500, MS-500, or SC-300 as a prerequisite for the expert designation.
Zero Trust network access (ZTNA) vs VPN: ZTNA grants access to specific applications based on identity and device posture without placing users on the network; VPN places users on the network and relies on perimeter security. SC-100 scenarios ask when to recommend each.
Microsoft Secure Future Initiative and design principles (assume breach, explicit verification, least privilege) frame many SC-100 answer options. When in doubt, choose the option that most reduces implicit trust or lateral movement risk.
Supply chain and software security: know what a software bill of materials (SBOM) is, why dependency scanning matters, and what Microsoft Defender for DevOps provides across GitHub and Azure DevOps pipelines.
SC-100 is one of the hardest Microsoft exams. All answer options are technically viable — the distinguishing factor is usually scale, cost-effectiveness, or architectural best practice. Read every option fully before selecting.