Microsoft · 2026 Edition
A complete preparation guide written by Microsoft-certified engineers. Covers the exam format, all 4 blueprint domains, a week-by-week study plan, and proven tips for passing first time.
Prep time: 3–5 weeks
Difficulty: Beginner
Exam questions: 50
Pass mark: 700/1000
Exam code: SC-900
Full name: Microsoft Security, Compliance, and Identity Fundamentals
Vendor: Microsoft
Duration: 60 minutes
Questions: 50 items
Passing score: 700/1000 (scaled)
Domains covered: 4 blueprint domains
Recommended experience: No prerequisites; basic familiarity with IT concepts is helpful
Typical prep time: 3–5 weeks
SC-900 provides foundational knowledge of Microsoft's security, compliance, and identity offerings. It is a useful entry point for anyone moving into security or compliance roles in Microsoft-centric organisations.
Job roles this opens
Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.
Week 1
Security, Compliance and Identity Concepts: Zero Trust, shared responsibility, encryption basics
Tip: Zero Trust is a foundational model in SC-900. Know the three principles: verify explicitly (always authenticate/authorise), use least privilege access, and assume breach. These underpin almost all Microsoft security service design choices.
Week 2
Microsoft Entra: identity types, authentication methods, Conditional Access
Tip: Microsoft Entra ID (formerly Azure Active Directory) is the identity backbone of all M365 and Azure services. Know the difference between authentication (proving who you are) and authorisation (what you are allowed to do), and how MFA and Conditional Access enforce both.
Week 3
Microsoft Security Solutions: Defender suite, Sentinel, Azure Firewall, DDoS Protection
Tip: The Defender suite covers multiple protection areas: Defender for Endpoint (device protection), Defender for Office 365 (email/collaboration), Defender for Cloud Apps (CASB), Defender XDR (extended detection and response). Know what each product protects.
Weeks 4–5
Microsoft Compliance Solutions: Purview, eDiscovery, Information Protection, Priva
Tip: Microsoft Purview covers compliance: data classification, sensitivity labels, retention policies, eDiscovery, audit logs, and communication compliance. Expect exam questions such as 'which Purview feature would prevent employees from emailing credit card numbers?'
SC-900 is conceptual — you will not configure any security policies. Questions describe a scenario and ask which Microsoft product or feature applies.
The CIA triad (Confidentiality, Integrity, Availability) is the lens for many SC-900 scenario questions. When a question describes a breach, identify which CIA component was violated before looking at the answers.
Know the difference between authentication methods: password (something you know), token/authenticator app (something you have), biometric (something you are). MFA requires at least two of these three factors.
Microsoft Sentinel is a cloud-native SIEM and SOAR platform. Know the difference: SIEM (collects/analyses logs for threat detection) vs SOAR (automates response to detected threats). Sentinel does both.
Data residency and sovereignty are SC-900 topics: know that Microsoft has committed to storing EU customer data within the EU, and that data residency commitments are documented in the Microsoft Products and Services Data Protection Addendum.
Deep-dive explanations of the key topics tested on SC-900 — with exam key points and common misconceptions.
Security, Compliance & Identity
The SC-900 exam exists because security, compliance, and identity are not just features of Microsoft products: they are disciplines with their own principles, frameworks, and vocabulary.
Microsoft Security Solutions
Microsoft has built a sprawling security product portfolio across endpoints, identities, cloud workloads, and SIEM.