Microsoft · 2026 Edition
A complete preparation guide written by Microsoft-certified engineers. Covers the exam format, all 6 blueprint domains, a week-by-week study plan, and proven tips for passing first time.
Exam code: SC-200
Full name: Microsoft Security Operations Analyst
Vendor: Microsoft
Duration: 120 minutes
Questions: 50 items
Passing score: 700/1000 (scaled)
Domains covered: 6 blueprint domains
Difficulty: Intermediate
Recommended experience: Familiarity with Microsoft 365 and Azure security services; Security+ or equivalent recommended
Typical prep time: 2–3 months
SC-200 earns the Microsoft Security Operations Analyst Associate certification. It validates skills to reduce organisational risk using the Microsoft Defender suite and Microsoft Sentinel — skills in very high demand at enterprise SOC teams.
Job roles this opens
Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.
Weeks 1–3: Microsoft Defender XDR (Defender for Endpoint, Office 365, Identity, Cloud Apps)
Tip: Defender for Endpoint onboarding methods vary by OS and scale: Group Policy, Intune/MEM, Configuration Manager, and local script (testing only — not production at scale). Know which method is appropriate for which environment size.
Weeks 4–5: Microsoft Defender for Cloud (security posture, workload protection, regulatory compliance)
Tip: Know the Defender for Cloud alert types and what each indicates: brute force on SSH/RDP, unusual process execution, lateral movement, data exfiltration. Alerts are categorised by severity and by MITRE ATT&CK tactic.
Weeks 6–9: Microsoft Sentinel (data connectors, analytics rules, incidents, Kusto Query Language (KQL))
Tip: KQL is tested on SC-200. Know the core operators: where, project, extend, summarize, count, bin, join, union. Analytics rules use KQL to define when an incident is created — you need to read and interpret KQL queries in exam questions.
Weeks 10–12: Threat hunting, UEBA, watchlists, workbooks, and automation playbooks
Tip: Know the difference between a hunting query (proactive investigation using KQL) and an analytics rule (automated alert generation). Both use KQL but serve different operational purposes.
KQL is the most important skill to develop for SC-200. Practice with the Log Analytics Demo environment (available free in the Azure portal) — write queries against real security event data before your exam.
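To make the operator list and the hunting-query-versus-analytics-rule distinction concrete, here is an added example query (written for this guide, not taken from Microsoft documentation) that flags a burst of failed Windows logons followed by a successful logon from the same source. It assumes the SecurityEvent table as exposed in the Log Analytics Demo environment, and the thresholds and time windows are assumed values you would tune for your own environment.

```kql
// Added example: password-guessing style detection on Windows logon events.
// Many failed logons (EventID 4625) within a window, then a successful
// logon (EventID 4624) for the same account from the same source IP.
// Table/column names follow the SecurityEvent schema; thresholds are assumptions.
let lookback = 1h;          // how far back the rule looks each run
let window = 10m;           // bucket size for counting failures
let failThreshold = 10;     // failures per bucket before we care
let failed =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625                      // failed logon
    | where IpAddress != "-"                     // drop local/console logons
    | extend SourceIp = IpAddress
    | summarize FailedCount = count(),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated)
        by Account, SourceIp, WindowStart = bin(TimeGenerated, window)
    | where FailedCount >= failThreshold;
let success =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624                      // successful logon
    | where LogonType in (3, 10)                 // network or RDP logons
    | where IpAddress != "-"
    | extend SourceIp = IpAddress
    | project Account, SourceIp, Computer, SuccessTime = TimeGenerated;
failed
| join kind=inner success on Account, SourceIp   // same account and source
| where SuccessTime between (LastFail .. (LastFail + window))
| project WindowStart, Account, SourceIp, Computer,
          FailedCount, FirstFail, LastFail, SuccessTime
| order by FailedCount desc
```

Run ad hoc from the Hunting blade this is a hunting query; scheduled as an analytics rule, every row it returns becomes an alert (and, with grouping, an incident), which is exactly the distinction the Weeks 10–12 tip asks you to know.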
Defender for Identity monitors Active Directory for attack patterns: pass-the-hash, Kerberoasting, DCSync, and lateral movement between domain controllers. Know what each attack technique does and how Defender for Identity detects it.
Microsoft Sentinel playbooks are Azure Logic Apps triggered by analytics rule alerts. Common automated responses: isolate a device, send a Teams notification, open a ServiceNow ticket, reset a user password. Know the correct automation trigger for each.
MITRE ATT&CK appears throughout SC-200. Know the high-level tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Impact.
Defender for Cloud Apps (MCAS) policy types tested on SC-200: activity policies (alert on suspicious actions), file policies (DLP for cloud storage), session policies (real-time control), and anomaly detection policies.