SC-900 | Chapter 1 of 103 | Objective 1.1

Core Security Concepts

This chapter covers the core security concepts that underpin all other security, compliance, and identity topics in the SC-900 exam. You will learn the CIA triad (Confidentiality, Integrity, Availability), the AAA framework (Authentication, Authorization, Accounting), and foundational principles like least privilege, defense in depth, and the shared responsibility model. Approximately 15-20% of SC-900 exam questions directly test these concepts, and they are prerequisites for understanding every other domain. Mastering these fundamentals is essential for passing the exam and for building a career in Microsoft security.

25 min read
Intermediate
Updated May 31, 2026

The Bank Vault Analogy for CIA Triad

Imagine a bank vault. Confidentiality means only the account owner and authorized tellers can open the vault — the vault door has a complex lock that only authorized keys can open. Integrity means that when a deposit slip is placed inside, the amount is written in indelible ink and the slip is timestamped and signed by both the customer and teller; any attempt to alter the slip would be immediately detected because the ink cannot be erased and the signatures would not match. Availability means the vault is open during business hours — 9 AM to 5 PM — and there is a backup generator to ensure the vault can be accessed even during a power outage. If the vault is locked 24/7 (no availability) or if anyone can open it (no confidentiality) or if deposit slips can be altered without detection (no integrity), the system fails. The CIA triad works exactly like this: confidentiality ensures data is accessible only to authorized subjects, integrity ensures data has not been tampered with, and availability ensures data is accessible when needed. In security, these three principles are the foundation of every control, just as the vault's lock, ink, and business hours are the foundation of bank security.

How It Actually Works

What Are Core Security Concepts and Why Do They Exist?

Core security concepts are the foundational principles that guide the design, implementation, and evaluation of all security controls. They exist because information systems face constant threats — unauthorized access, data tampering, service disruption, and theft. Without a shared vocabulary and framework, security discussions become ambiguous and controls become inconsistent. The SC-900 exam expects you to understand these concepts as they apply to Microsoft 365, Azure, and other Microsoft cloud services.

The CIA Triad: Confidentiality, Integrity, Availability

The CIA triad is the most fundamental model in information security. Every security control you encounter — firewalls, encryption, access control lists, backups — maps to one or more of these three principles.

Confidentiality ensures that data is accessible only to authorized subjects. This is achieved through encryption (at rest, in transit, and in use), access control mechanisms (RBAC, ACLs), and data classification. In Microsoft 365, Confidentiality is enforced by Azure Information Protection (AIP) labels that encrypt emails and documents, and by Microsoft Purview Information Protection that applies sensitivity labels. The exam often tests that encryption protects confidentiality, not integrity or availability.

Integrity ensures that data has not been altered or destroyed in an unauthorized manner. Integrity controls include hashing (SHA-256, SHA-512), digital signatures, checksums, and versioning. In Azure, integrity is maintained through immutable storage (Blob storage with legal hold or time-based retention policies) and Azure SQL Database's built-in data integrity features. The exam expects you to know that hashing detects tampering, but does not provide confidentiality.

Availability ensures that data and services are accessible when needed. Availability is achieved through redundancy (RAID, geo-replication), failover clusters, backup and restore, and DDoS protection. In Microsoft 365, availability is guaranteed by the Service Level Agreement (SLA) — typically 99.9% uptime for core services. Azure Availability Zones and Availability Sets ensure that if one datacenter fails, another takes over. The exam may ask which principle is compromised when a DDoS attack takes down a website — that is Availability.
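The distinction the exam keeps returning to (encryption gives confidentiality but not integrity; a hash gives integrity but not confidentiality; and, as the healthcare scenario later notes, a separately stored hash only helps if its store is protected) is easiest to see in running code. The following is an added illustration, not course material; its cipher is a constructed toy keystream built from HMAC-SHA256 so that the example runs with the standard library alone, and the record, keys and nonce are constructed sample values.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from HMAC-SHA256(key, nonce || counter).
    Constructed toy counter-mode keystream for illustration only; real systems
    should use a vetted authenticated cipher (AEAD)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream. Decryption is the same operation."""
    stream = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, stream))


decrypt = encrypt


def sha256_hex(data: bytes) -> str:
    """Unkeyed hash: anyone who can read the data can recompute it."""
    return hashlib.sha256(data).hexdigest()


def hmac_hex(mac_key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC): only holders of mac_key can produce a valid tag."""
    return hmac.new(mac_key, data, hashlib.sha256).hexdigest()


def flip_low_bit(data: bytes, index: int) -> bytes:
    """Simulate an unauthorized modification of one stored byte."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


def run_demo() -> dict:
    # Constructed sample record; fixed keys keep the run deterministic.
    record = b"deposit slip #4411: amount=1000 USD"
    enc_key, mac_key, nonce = b"k" * 32, b"m" * 32, b"n" * 12

    # Confidentiality: what is stored is the ciphertext, not the record.
    ciphertext = encrypt(enc_key, nonce, record)
    plaintext_hidden = b"amount=1000" not in ciphertext

    # Encryption gives no integrity: flipping one ciphertext byte (index 30 is
    # the last digit of the amount) decrypts without error to a different amount.
    tampered = flip_low_bit(ciphertext, 30)
    decrypted = decrypt(enc_key, nonce, tampered)

    # Integrity from an unkeyed hash kept separately from the record. Note the
    # record itself stays readable: the hash adds no confidentiality.
    stored_hash = sha256_hex(record)
    unkeyed_detects = not hmac.compare_digest(sha256_hex(decrypted), stored_hash)

    # Caveat: if the hash store is writable by whoever altered the record, they
    # store a fresh hash and the check passes, so the hash store needs protecting.
    overwritten_hash = sha256_hex(decrypted)
    forged_passes = hmac.compare_digest(sha256_hex(decrypted), overwritten_hash)

    # A keyed tag closes that gap: without mac_key no matching tag can be made.
    stored_tag = hmac_hex(mac_key, record)
    keyed_detects = not hmac.compare_digest(hmac_hex(mac_key, decrypted), stored_tag)

    return {
        "plaintext_hidden": plaintext_hidden,
        "decrypted_after_tamper": decrypted,
        "unkeyed_hash_detects": unkeyed_detects,
        "unkeyed_hash_forged_when_store_writable": forged_passes,
        "keyed_tag_detects": keyed_detects,
    }
```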

The AAA Framework: Authentication, Authorization, Accounting

AAA is a model for controlling access to resources. It is closely related to the CIA triad but focuses on the process of granting access.

Authentication verifies the identity of a subject (user, device, service). Factors include:

Something you know (password, PIN)

Something you have (smart card, phone, hardware token)

Something you are (biometric: fingerprint, facial recognition)

Somewhere you are (location-based)

Something you do (typing pattern, gait)

Microsoft Entra ID (formerly Azure AD) supports password-based, certificate-based, FIDO2, Windows Hello for Business, and Microsoft Authenticator for authentication. Multi-factor authentication (MFA) requires at least two factors. The exam tests that MFA uses two or more factors, not just two passwords.

Authorization determines what an authenticated subject is allowed to do. This is enforced through Role-Based Access Control (RBAC) in Azure and Microsoft 365. RBAC assigns roles (e.g., Global Administrator, User Administrator) that grant specific permissions. The principle of least privilege dictates that subjects should have only the permissions necessary to perform their job. In Azure, you can create custom roles with specific actions (e.g., Microsoft.Compute/virtualMachines/start/action). The exam expects you to know that authorization always follows authentication — you cannot authorize an unauthenticated user.

Accounting (also called Auditing) tracks what subjects did after authentication and authorization. Logs from Azure Monitor, Microsoft 365 audit logs, and Microsoft Purview Audit capture who accessed what, when, from where, and what actions they performed. Accounting enables non-repudiation and forensic analysis. The exam may ask which component of AAA provides evidence of user actions — that is Accounting.

Least Privilege and Zero Trust

Least Privilege means granting the minimum permissions needed to perform a task. This reduces the blast radius of a compromised account. In Azure, you can implement least privilege by assigning built-in roles with least permissions (e.g., Reader instead of Contributor) and by using Privileged Identity Management (PIM) to grant just-in-time (JIT) access. The exam tests that PIM reduces standing access.

Zero Trust is a security model that assumes breach and verifies each access request as though it originates from an untrusted network. Three core principles:

Verify explicitly: Always authenticate and authorize based on all available signals (user identity, device health, location, risk).

Use least privilege: Limit access with JIT and JEA (Just Enough Administration).

Assume breach: Segment networks, use encryption, and monitor for anomalies.

Microsoft implements Zero Trust through Microsoft Entra ID Conditional Access, Microsoft Defender for Cloud, and Microsoft Sentinel. The exam expects you to recognize that Zero Trust is not a product but a framework, and that it includes micro-segmentation and continuous verification.

Defense in Depth

Defense in depth is a layered security approach where multiple controls protect the same asset. If one layer fails, another still provides protection. Layers include:

Physical security (guards, locks, biometric scanners)

Network security (firewalls, NSGs, DDoS protection)

Host security (antivirus, endpoint detection and response, patch management)

Application security (secure coding, web application firewalls)

Data security (encryption, access controls, data loss prevention)

In Azure, defense in depth is implemented by combining Azure Firewall, Network Security Groups (NSGs), Azure DDoS Protection, Microsoft Defender for Cloud, and Azure Information Protection. The exam may ask which layer a specific control belongs to — for example, a firewall is a network security control.

Shared Responsibility Model

In the cloud, security is a shared responsibility between the cloud provider and the customer. The division of responsibility depends on the service model:

On-premises: Customer handles all security.

IaaS (Infrastructure as a Service, e.g., Azure VMs): Customer secures the OS, applications, and data; Microsoft secures the physical host, network, and datacenter.

PaaS (Platform as a Service, e.g., Azure SQL Database): Customer secures data and access; Microsoft secures the platform.

SaaS (Software as a Service, e.g., Microsoft 365): Customer secures data and user identities; Microsoft secures the application and infrastructure.

The exam often presents scenarios where you must identify who is responsible for a specific control. For example, patching the guest OS in an IaaS VM is the customer's responsibility; patching the hypervisor is Microsoft's responsibility.

Key Terms and Defaults

MFA: Requires two or more authentication factors. Default in Microsoft Entra ID is to require MFA for all global administrators, but Conditional Access policies can enforce it for all users.

Conditional Access: Uses signals (user, device, location, risk) to enforce access policies. For example, block access from untrusted IPs or require MFA when signing in from a new device.

PIM (Privileged Identity Management): Provides JIT activation of privileged roles with time-bound approval and audit. Default activation maximum is 8 hours.

Azure RBAC: Roles are defined with Actions (permissions granted) and NotActions (permissions subtracted from those Actions). Example: the Contributor role allows read/write but cannot assign permissions; the Owner role can assign permissions.

Microsoft Defender for Cloud: Provides unified security management and advanced threat protection across hybrid clouds. It assesses compliance with regulatory standards like SOC 2, ISO 27001, and NIST.
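The AAA sequence described earlier (authenticate with two or more distinct factors, then authorize against a role, then record every decision) together with the Actions/NotActions role model above, as an added example that is not course material and not Microsoft's implementation. Role names and the action `Microsoft.Compute/virtualMachines/start/action` are the page's own; the permission lists are simplified illustrations of the built-in roles, "VM Operator" is a constructed custom role, and the user assignments are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class Role:
    """Azure RBAC style role: Actions grant, NotActions subtract from them."""
    name: str
    actions: tuple
    not_actions: tuple = ()


# Simplified illustrations of the roles the page names; the real built-in
# definitions are longer. "VM Operator" is a constructed custom role.
ROLES = {
    "Reader": Role("Reader", ("*/read",)),
    "Contributor": Role("Contributor", ("*",),
                        ("Microsoft.Authorization/*/Write",
                         "Microsoft.Authorization/*/Delete")),
    "Owner": Role("Owner", ("*",)),
    "VM Operator": Role("VM Operator",
                        ("Microsoft.Compute/virtualMachines/read",
                         "Microsoft.Compute/virtualMachines/start/action")),
}

# Which factor category each credential type belongs to.
FACTOR_TYPE = {"password": "know", "pin": "know", "authenticator_app": "have",
               "fido2_key": "have", "fingerprint": "are"}


def is_mfa(factors) -> bool:
    """MFA needs two or more different factor types; two passwords do not count."""
    return len({FACTOR_TYPE[f] for f in factors}) >= 2


def role_allows(role: Role, action: str) -> bool:
    """Action names are matched case-insensitively with '*' wildcards."""
    wanted = action.lower()
    granted = any(fnmatchcase(wanted, pat.lower()) for pat in role.actions)
    excluded = any(fnmatchcase(wanted, pat.lower()) for pat in role.not_actions)
    return granted and not excluded


@dataclass
class Principal:
    user: str
    role: str


class AccessControl:
    """Authentication, then authorization, with every decision accounted for."""

    def __init__(self, assignments: dict):
        self.assignments = assignments      # user -> role name (constructed)
        self.audit_log = []                 # the Accounting part of AAA

    def _record(self, who: str, action: str, outcome: str) -> None:
        self.audit_log.append({"when": datetime.now(timezone.utc).isoformat(),
                               "who": who, "action": action, "outcome": outcome})

    def authenticate(self, user: str, factors) -> Optional[Principal]:
        if user not in self.assignments or not is_mfa(factors):
            self._record(user, "sign-in", "authentication failed")
            return None
        self._record(user, "sign-in", "authenticated with MFA")
        return Principal(user, self.assignments[user])

    def authorize(self, principal: Optional[Principal], action: str) -> bool:
        # Authorization always follows authentication: no principal, no access.
        if principal is None:
            self._record("anonymous", action, "denied: not authenticated")
            return False
        allowed = role_allows(ROLES[principal.role], action)
        self._record(principal.user, action,
                     "allowed" if allowed else "denied by role " + principal.role)
        return allowed
```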

How Core Concepts Interact with Related Technologies

Core concepts are not isolated; they are implemented through specific Microsoft technologies. For example:

Confidentiality is enforced by Azure Information Protection and Microsoft Purview Information Protection.

Integrity is ensured by Azure SQL Database's built-in data integrity checks and Azure Storage's immutable blobs.

Availability is guaranteed by Azure SLAs and Availability Zones.

Authentication is handled by Microsoft Entra ID.

Authorization is managed by Azure RBAC.

Accounting is provided by Azure Monitor and Microsoft Purview Audit.

Least privilege is operationalized via PIM and custom roles.

Zero Trust is implemented with Conditional Access and Microsoft 365 Defender.

Defense in depth combines all these technologies.

The exam will test your ability to map a scenario to the correct principle or technology. For example, if a question describes a company that wants to ensure that only authorized users can read financial reports, the principle is Confidentiality, and the technology could be Azure Information Protection with a sensitivity label that restricts read access.

Walk-Through

1. Identify the Security Principle

When given a security requirement, first determine which CIA or AAA principle it addresses. For example, 'prevent unauthorized reading' is Confidentiality; 'detect data tampering' is Integrity; 'ensure system is up during business hours' is Availability; 'verify user identity' is Authentication; 'control what user can do' is Authorization; 'log user actions' is Accounting. This step is critical because many exam questions ask you to classify a requirement or control.

2. Map to a Microsoft Technology

Once the principle is identified, map it to the appropriate Microsoft security technology. For example, Confidentiality maps to Azure Information Protection (AIP) or Microsoft Purview Information Protection. Integrity maps to Azure Storage immutability or Azure SQL Database's built-in integrity. Availability maps to Availability Zones or Azure Backup. Authentication maps to Microsoft Entra ID with MFA. Authorization maps to Azure RBAC. Accounting maps to Azure Monitor or Microsoft Purview Audit. The exam expects you to know which technology implements which principle.

3. Apply the Shared Responsibility Model

Determine whether the control is the customer's responsibility or Microsoft's. For IaaS, the customer is responsible for securing the OS, applications, and data. For PaaS, the customer is responsible for data and access. For SaaS, the customer is responsible for data and identity. The exam often presents a scenario where you must identify who is responsible for patching a virtual machine (customer) versus patching the hypervisor (Microsoft).

4. Apply Least Privilege and Zero Trust

For any access scenario, apply the principle of least privilege by granting only the minimum permissions needed. Use PIM for just-in-time access. Apply Zero Trust by verifying every access request with Conditional Access policies that check user, device, location, and risk. The exam tests that you should always start with least privilege and then layer additional controls.

5. Implement Defense in Depth

Layer multiple controls to protect the same asset. For example, to protect a database: use network security groups (network layer), database firewall (application layer), encryption at rest and in transit (data layer), and role-based access control (access layer). The exam may ask which additional control would improve security for a given setup — the answer is usually a control from a different layer.

What This Looks Like on the Job

Enterprise Scenario 1: Financial Services Company Adopting Zero Trust

A large bank wants to move its trading applications to Azure while ensuring that only authorized employees can access sensitive financial data. They implement Microsoft Entra ID with Conditional Access policies that require MFA and device compliance (Intune managed) for any access to the trading app. They use PIM to grant administrators just-in-time access to the Azure subscription, with approval from a manager and a maximum activation time of 4 hours. They also deploy Azure Information Protection to label and encrypt all financial reports with the 'Highly Confidential' label, which prevents forwarding and printing. The bank achieves defense in depth: Confidentiality via AIP, Authentication via MFA, Authorization via RBAC and PIM, and Accounting via Azure Monitor. A common pitfall is forgetting to configure Conditional Access for non-corporate devices — without it, employees could access the app from personal devices without MFA, violating Zero Trust.
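The "verify explicitly" principle, the Conditional Access signals listed under Key Terms, and the pitfall in this scenario (a policy scoped only to compliant devices leaves personal devices outside every policy) can be reproduced with a small policy evaluator. This is an added example, not course material and not how Microsoft Entra ID evaluates policies internally; policy names, user names and the IP ranges (documentation ranges) are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed office range (TEST-NET-3), treated as the trusted named location.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]


@dataclass
class SignIn:
    """The signals evaluated for one access request."""
    user: str
    app: str
    ip: str
    device_compliant: bool      # managed (Intune) and compliant?
    risk: str                   # sign-in risk: "none", "low", "medium", "high"


@dataclass
class Policy:
    name: str
    apps: set                               # {"*"} means all apps
    users: set                              # {"*"} means all users
    grants: tuple                           # "mfa", "compliant_device" or "block"
    device_filter: str = "any"              # "any", "compliant", "noncompliant"
    risk_levels: Optional[set] = None       # None means any risk level
    only_outside_trusted: bool = False      # apply only off the trusted network


def in_trusted_location(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def policy_applies(p: Policy, s: SignIn) -> bool:
    """A policy is in scope only when every configured condition matches."""
    if "*" not in p.apps and s.app not in p.apps:
        return False
    if "*" not in p.users and s.user not in p.users:
        return False
    if p.device_filter == "compliant" and not s.device_compliant:
        return False
    if p.device_filter == "noncompliant" and s.device_compliant:
        return False
    if p.risk_levels is not None and s.risk not in p.risk_levels:
        return False
    if p.only_outside_trusted and in_trusted_location(s.ip):
        return False
    return True


def evaluate(policies, s: SignIn) -> dict:
    """Combine every in-scope policy: a block wins; otherwise the grant controls
    are unioned, and a control the device cannot satisfy blocks access."""
    applied = [p for p in policies if policy_applies(p, s)]
    names = [p.name for p in applied]
    controls = sorted({g for p in applied for g in p.grants})
    if "block" in controls:
        return {"decision": "block", "reason": "blocked by policy", "policies": names}
    if "compliant_device" in controls and not s.device_compliant:
        return {"decision": "block", "reason": "compliant device required",
                "policies": names}
    return {"decision": "grant", "controls": controls, "policies": names}


# The pitfall: MFA policy scoped to compliant devices only, so a personal
# (non-compliant) device matches no policy and gets in with no controls.
FLAWED = [Policy("Trading app: require MFA", {"trading"}, {"*"}, ("mfa",),
                 device_filter="compliant")]

# Corrected: cover every device, require MFA plus a compliant device, and add
# a tenant-wide block on high-risk sign-ins (assume breach).
FIXED = [Policy("Trading app: MFA + compliant device", {"trading"}, {"*"},
                ("mfa", "compliant_device")),
         Policy("Block high-risk sign-ins", {"*"}, {"*"}, ("block",),
                risk_levels={"high"})]

PERSONAL_DEVICE = SignIn("alice", "trading", "198.51.100.7", False, "none")
```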

Enterprise Scenario 2: Healthcare Provider Ensuring Data Integrity

A hospital uses Azure SQL Database to store patient records. They must ensure that medical records cannot be altered without detection (integrity). They enable Azure SQL Database's built-in temporal tables to track historical changes, and they use immutable storage for backup files with a time-based retention policy of 7 years (regulatory requirement). They also configure audit logging to capture all data modifications. The hospital's security team regularly reviews logs using Azure Sentinel to detect unauthorized changes. A common mistake is relying solely on backups for integrity — backups protect availability, not integrity, because a tampered record would be backed up as well. They also learn that hashing the records and storing the hash separately provides integrity, but they must ensure the hash storage is also secured.

Enterprise Scenario 3: E-commerce Company Ensuring Availability

An online retailer runs its website on Azure VMs. They configure an Availability Set with two VMs in different update domains and fault domains to ensure that planned maintenance or a hardware failure does not take down the site. They also enable Azure DDoS Protection Standard to mitigate volumetric attacks. They set up Azure Traffic Manager to distribute traffic across multiple regions. Despite these measures, a misconfigured Network Security Group (NSG) that blocks all inbound traffic except from a specific IP range causes an availability outage when the office IP changes. This highlights that availability controls must be tested regularly. The exam may ask which combination of services ensures high availability — the answer is often Availability Sets plus Azure Load Balancer or Traffic Manager.

How SC-900 Actually Tests This

What SC-900 Tests on Core Security Concepts

The SC-900 exam objectives explicitly list:

Describe the concepts of confidentiality, integrity, and availability (CIA) (SC-900 objective 1.1.1)

Describe the concept of least privilege (1.1.2)

Describe the concept of defense in depth (1.1.3)

Describe the shared responsibility model (1.1.4)

Describe the concept of Zero Trust (1.1.5)

Common Wrong Answers and Why Candidates Choose Them

1. Confusing Integrity with Confidentiality: Many candidates see 'data tampering' and choose 'confidentiality' because they think tampering is about unauthorized access. In reality, tampering is about unauthorized modification, which is an integrity issue. The exam often presents a scenario where data is changed without authorization — the correct answer is integrity.

2. Thinking MFA is Two Passwords: Candidates often choose 'two passwords' as an example of MFA. But MFA requires two different factors — something you know (password) and something you have (phone) or something you are (fingerprint). Two passwords are still just one factor (something you know). The exam explicitly tests this distinction.

3. Assigning Shared Responsibility Incorrectly: In a PaaS scenario, candidates think the customer is responsible for patching the OS. However, in PaaS, the OS is managed by Microsoft. The customer is only responsible for data and access. The exam loves to ask 'who is responsible for patching the database server in Azure SQL Database?' — the answer is Microsoft.

4. Believing Zero Trust is a Product: Many candidates think Zero Trust is a Microsoft product they can buy. The exam tests that Zero Trust is a security framework, not a specific technology. Microsoft offers products that implement Zero Trust (Conditional Access, Defender for Cloud), but Zero Trust itself is a guiding principle.

Specific Numbers and Terms That Appear Verbatim

99.9% is the standard SLA for most Microsoft 365 services.

Maximum PIM activation time is 8 hours by default.

Three layers of defense in depth are often listed as physical, network, and data (but there are more).

Three principles of Zero Trust: Verify explicitly, use least privilege, assume breach.

Three factors of authentication: Something you know, something you have, something you are.

Edge Cases and Exceptions

Defense in depth vs. single control: If a question asks 'what is the best approach to security,' the answer is almost always defense in depth, not a single control.

Availability vs. Disaster Recovery: Availability ensures uptime; disaster recovery ensures recovery after a major incident. The exam may ask which is more important for a critical application — both are, but availability is tested more.

Least privilege vs. need-to-know: Least privilege is about permissions; need-to-know is about data access. They are related but distinct. The exam may ask you to choose the correct term for a given scenario.

How to Eliminate Wrong Answers

If the scenario involves preventing unauthorized reading, eliminate any answer that mentions integrity or availability.

If the scenario involves detecting changes, eliminate confidentiality and availability.

If the scenario involves keeping services running, eliminate confidentiality and integrity.

If the scenario involves verifying identity, eliminate authorization and accounting.

If the scenario involves what a user can do after login, eliminate authentication.

If the scenario involves logs, eliminate authentication and authorization.

Key Takeaways

The CIA triad consists of Confidentiality (prevent unauthorized reading), Integrity (prevent unauthorized modification), and Availability (ensure access when needed).

Authentication verifies identity; Authorization controls what an authenticated user can do; Accounting logs user actions.

MFA requires at least two different authentication factors (e.g., password + phone).

Least privilege means granting only the permissions necessary to perform a job.

Defense in depth uses multiple layers of security controls (physical, network, host, app, data).

Zero Trust is a framework with three principles: verify explicitly, use least privilege, assume breach.

Shared responsibility: in IaaS, customer secures OS and data; in PaaS, customer secures data and access; in SaaS, customer secures data and identities.

PIM provides just-in-time privileged access with a default max activation of 8 hours.

Conditional Access policies enforce access based on user, device, location, and risk signals.

Azure RBAC uses roles with specific actions (e.g., Reader, Contributor, Owner).

Availability is often measured by SLAs (e.g., 99.9% uptime for Microsoft 365).

Hashing provides integrity, not confidentiality; encryption provides confidentiality, not integrity.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Confidentiality

Prevents unauthorized reading of data

Implemented via encryption (AES, TLS)

Example: Azure Information Protection labels

Compromised by data breach or eavesdropping

Tested by attempting to access data without authorization

Integrity

Prevents unauthorized modification of data

Implemented via hashing (SHA-256) or digital signatures

Example: Azure Storage immutable blobs

Compromised by data tampering or corruption

Tested by verifying checksums or signatures

Watch Out for These

Mistake: MFA means using two different passwords.

Correct: MFA requires two or more different authentication factors: something you know (password), something you have (phone), something you are (biometric). Two passwords are still only one factor.

Mistake: Encryption provides integrity.

Correct: Encryption provides confidentiality by preventing unauthorized reading. Integrity is provided by hashing or digital signatures, which detect tampering.

Mistake: In the cloud, the provider is responsible for everything.

Correct: Security is shared. The provider secures the infrastructure; the customer secures their data, identities, and configurations. The exact split depends on the service model (IaaS, PaaS, SaaS).

Mistake: Zero Trust means you trust nothing at all.

Correct: Zero Trust means 'never trust, always verify.' It assumes breach and verifies every access request based on signals like identity, device, location, and risk. It does not mean blocking all access.

Mistake: Least privilege means giving everyone the minimum access they need, but it's okay to give more if it's convenient.

Correct: Least privilege is a strict principle: grant only the minimum permissions necessary. Convenience should not override security. Over-privileged accounts increase the blast radius of a compromise.


Frequently Asked Questions

What is the CIA triad and why is it important for SC-900?

The CIA triad stands for Confidentiality, Integrity, and Availability. It is the foundational model for information security. For SC-900, you must be able to identify which principle is affected by a given scenario. For example, a data breach compromises confidentiality; ransomware that encrypts files compromises availability; unauthorized modification of a record compromises integrity. The exam often asks you to classify a security control (e.g., encryption protects confidentiality, hashing protects integrity).

What is the difference between authentication and authorization?

Authentication verifies who you are (e.g., logging in with a username and password). Authorization determines what you are allowed to do after authentication (e.g., read a file, write to a database). In Microsoft Entra ID, authentication is handled by the identity provider, and authorization is managed through RBAC roles. A common exam scenario: a user can log in (authentication succeeds) but cannot access a resource (authorization fails).

What is the shared responsibility model in Azure?

The shared responsibility model divides security responsibilities between Microsoft and the customer. For IaaS (e.g., Azure VMs), Microsoft secures the physical host, network, and datacenter; the customer secures the OS, applications, and data. For PaaS (e.g., Azure SQL Database), Microsoft secures the platform; the customer secures data and access. For SaaS (e.g., Microsoft 365), Microsoft secures the application; the customer secures data and identities. The exam tests who is responsible for specific tasks, like patching the OS (customer in IaaS, Microsoft in PaaS).

What is Zero Trust and how does Microsoft implement it?

Zero Trust is a security framework based on 'never trust, always verify.' It has three principles: verify explicitly, use least privilege, and assume breach. Microsoft implements Zero Trust through technologies like Microsoft Entra ID Conditional Access (verifies access based on signals), Microsoft Defender for Cloud (monitors threats), and Microsoft Sentinel (detects breaches). The exam expects you to know that Zero Trust is not a product but a model, and that it requires continuous verification.

What is the principle of least privilege?

Least privilege means granting users only the permissions they need to perform their job and no more. This reduces the risk of accidental or malicious misuse of privileges. In Azure, you implement least privilege by assigning the most restrictive RBAC role (e.g., Reader instead of Contributor) and using PIM for just-in-time access. The exam may ask which role to assign to a user who only needs to view resources — the answer is Reader.

What is defense in depth?

Defense in depth is a layered security approach where multiple controls protect the same asset. Layers include physical, network, host, application, and data. If one layer fails, others still provide protection. For example, to protect a database, you might use a firewall (network layer), database encryption (data layer), and RBAC (access layer). The exam tests that you should not rely on a single control.

What is the difference between MFA and two-step verification?

MFA (Multi-Factor Authentication) requires two or more different authentication factors. Two-step verification could use two instances of the same factor (e.g., two passwords), which is not true MFA. Microsoft's MFA implementation always uses different factors, such as a password (something you know) plus a code from the Authenticator app (something you have). The exam distinguishes between MFA and two-step verification.
