Security, Compliance & Identity Fundamentals — explained in plain English, built for focus, packed with concepts, cases & quizzes.
Exam at a glance: 4 domains · passing score 700 · ~45 questions · 60 minutes
📅 Outline as of Nov 2025
🧠 Built ADHD-friendly. Every topic is chunked small. Look for TL;DR boxes (read these first if you're low on focus), 🎯 analogies, 🔖 memory hooks, and quizzes you can tap. You don't have to read top-to-bottom — jump to whatever pulls you in. Done beats perfect.
Orientation
What SC-900 actually is
SC-900 is an awareness-level exam. It does not test you on clicking buttons in a portal. It tests whether you can describe concepts and recognize which Microsoft tool does what. If you can explain it to a colleague, you can pass it.
TL;DR — the whole exam in 4 lines
1. Concepts → the vocabulary (Zero Trust, encryption, identity).
2. Entra → who are you & what can you access (identity & access).
3. Security → tools that protect & detect (Defender, Sentinel, Azure network).
4. Compliance → tools that govern data & prove you follow the rules (Purview).
The mental map
Three big questions, three pillars
Everything in this exam answers one of three questions. Hold this map in your head and every product suddenly has a "home":
Identity → "Entra"
Who are you?
Proving identity and deciding what each person can reach. Microsoft Entra ID lives here.
Security → "Defender / Sentinel"
Are we under attack?
Protecting resources and spotting/responding to threats across cloud and devices.
Compliance → "Purview"
Are we following the rules?
Classifying data, preventing leaks, keeping records, and proving regulatory compliance.
🔖 Memory hook: Entra = Entry (getting in). Defender = defend (attacks). Purview = review your data & rules.
How to use this guide (a focus plan)
You don't need a 2-month plan. SC-900 is realistically 1–2 weeks of light study. Try this:
Day 1–2: Read all TL;DR + analogy boxes only. Get the shape of it.
Day 3–4: Domain 1 + Domain 2 in full. Do the quizzes.
Day 5–6: Domain 3 (biggest domain — the Defender family). Build a product table.
Day 7: Domain 4 (Purview). It's small but easy marks people skip.
Day 8: Take Microsoft's free Practice Assessment, re-read whatever you miss.
Why this works for ADHD: Short daily wins beat one giant cram session. Each quiz is a dopamine checkpoint. If a day feels heavy, just do the TL;DRs — partial progress still counts.
Domain 1
Concepts of Security, Compliance & Identity
10–15% of exam
This is the vocabulary domain. No products yet — just the ideas everything else is built on. Easy points if you nail the definitions.
TL;DR
Security = protect things. Two halves to learn: security/compliance concepts (Shared Responsibility, Defense-in-Depth, Zero Trust, encryption/hashing, GRC) and identity concepts (identity is the new perimeter; authentication vs authorization; identity providers; directory services; federation).
1.1 — Security & compliance concepts
Shared Responsibility Model
Who secures what in the cloud
In the cloud, security is split between you and Microsoft. The line moves depending on the service type. You always own: your data, your devices, your accounts & identities. Microsoft always owns: the physical datacenter, physical hosts, physical network.
The middle (OS, network controls, apps) shifts: with IaaS you handle more; with SaaS Microsoft handles almost everything.
🎯 Analogy: Renting an apartment. The landlord (Microsoft) secures the building, locks on the main door, foundations. You secure your apartment door, your stuff, who you give a key to. The more furnished the rental (SaaS), the less you manage.
Key terms: IaaS · PaaS · SaaS · On-prem (= you own all).
Defense-in-Depth
Layers, not a single wall
Use multiple layers of protection so if one fails, the next still holds. The classic layers, outside-in: Physical → Identity & Access → Perimeter → Network → Compute → Application → Data.
🎯 Analogy: A castle. Moat, then walls, then guards, then a locked vault. An attacker has to beat every layer, not just one.
Zero Trust
Never trust, always verify
Old model: "inside the network = trusted." Zero Trust throws that out. Assume breach. Verify every request as if it came from an open network. Three principles:
① Verify explicitly (check identity, device, location, every time). ② Least privilege access (give the minimum needed, just-in-time). ③ Assume breach (segment, encrypt, monitor — act like attackers are already in).
🔖 Memory hook: "VLA" — Verify explicitly, Least privilege, Assume breach.
Encryption & Hashing
The most-confused pair on the exam
Reversible? Encryption: yes, decrypt with a key. Hashing: no, one-way only.
Uses a key? Encryption: yes. Hashing: no (but a "salt" can be added to the input).
Purpose: Encryption keeps data confidential. Hashing verifies integrity / stores passwords.
Types: Encryption is symmetric (1 key) or asymmetric (public + private). Hashing: same input = same hash, always.
Symmetric = same key locks & unlocks (fast). Asymmetric = public key encrypts, private key decrypts (used in HTTPS/certificates).
🎯 Analogy: Encryption is a lockbox — the right key opens it back up. Hashing is a blender — you can blend a smoothie but never un-blend it back into fruit.
Governance, Risk & Compliance (GRC)
The "follow the rules" trio
Governance = the rules & policies you set internally. Risk = identifying and managing what could go wrong. Compliance = meeting external laws & standards (GDPR, ISO 27001, etc.).
Related terms: data residency, data sovereignty, data privacy.
1.2 — Identity concepts
Identity is the primary security perimeter
The single most important idea in this exam
The old perimeter was the network firewall. But with cloud, mobile, and remote work, people log in from everywhere. So the new control point is identity — who you are. Secure the identity and you secure access, wherever it comes from.
Identity covers four "pillars": users, devices, applications, and services — all of them can have an identity.
Authentication vs Authorization
AuthN vs AuthZ — know the difference cold
Authentication (AuthN) proves WHO you are. Authorization (AuthZ) decides WHAT you can do.
AuthN: "Show me your ID." AuthZ: "You're allowed in room B, not room C."
AuthN happens first. AuthZ happens after AuthN.
🔖 Memory hook: AuthN = Name (who). AuthZ = Zones you can enter (what).
Identity Provider (IdP): a trusted service that creates, manages & verifies identities and issues tokens (e.g. Microsoft Entra ID). Enables SSO — log in once, access many apps.
Directory service / Active Directory: a database of identities and resources. Traditional on-prem AD DS uses domains. Cloud uses Entra ID (flat, internet-based, no OUs/forests).
Federation: a trust relationship between two IdPs in different organizations, so users from one can access the other's resources without a new account.
🎯 Analogy: Federation is like a driver's license. Your home country issued it (your IdP), but other countries (other orgs) trust it and let you drive — no need to get a new license at each border.
Related terms: SSO, IdP, AD DS, federation trust.
Quick Scenario
The contractor who logs in from a café
A contractor opens a SaaS app from a coffee-shop Wi-Fi. Map it to the concepts:
1. Zero Trust kicks in — the café network is treated as hostile (assume breach).
2. Authentication proves the contractor is who they claim (identity = the perimeter now, not the network).
3. Authorization then limits them to only the project files they need (least privilege).
Takeaway: No "trusted network" exists. Identity + verification do the heavy lifting.
⚡ Quick check
Q1: Which is the correct order of operations when accessing a resource?
Answer: First you prove who you are (AuthN), then the system checks what you're allowed to do (AuthZ).
Q2: You need to store user passwords so they can be verified but never read back. Which do you use?
Answer: Hashing is one-way. You compare hashes to verify a password without ever storing the original.
Q3: "Never trust, always verify; assume breach." This describes:
Answer: That's Zero Trust. Defense-in-Depth is about layers; Shared Responsibility is about who-secures-what.
Domain 2
Capabilities of Microsoft Entra
25–30% of exam
This is identity in practice. Entra ID is Microsoft's cloud identity provider — the front door to everything. Learn the four sub-areas: identity types, authentication, access management, and protection/governance.
TL;DR
Entra ID = cloud IdP. Identity types (users, groups, service principals, managed identities; hybrid). Authentication (methods, MFA, passwordless, SSPR). Access management (Conditional Access = the "if-then" brain; RBAC roles). Protection & governance (PIM, Access Reviews, ID Protection, Entra ID Governance).
2.1 — Function & identity types
What is Microsoft Entra ID?
Formerly Azure AD
A cloud-based identity & access management service. It authenticates users/devices and gives them SSO to Microsoft 365, Azure, and thousands of SaaS apps. It is not the same as on-prem Active Directory — it's flat, internet-first, and built for cloud apps.
Types of identities
Not everything that logs in is a human
Human
Users
Members (internal) and guests (B2B external collaborators).
Container
Groups
Bundle users to assign access at scale. Security & Microsoft 365 groups.
App identity
Service Principals
The identity an app/service uses to access resources.
App identity, auto-managed
Managed Identities
Entra-managed credentials for Azure resources — no secrets to handle. System- or user-assigned.
Hybrid identity
Bridging on-prem AD and the cloud
Most companies still have on-prem AD. Microsoft Entra Connect syncs those identities to the cloud so users have one identity for both worlds.
🔖 Memory hook: Hybrid = two homes, one key. Entra Connect is the bridge that keeps the key working in both.
2.2 — Authentication capabilities
Authentication methods & MFA
Proving identity, stronger
MFA requires two or more of: something you know (password/PIN), something you have (phone, token), something you are (biometric). Two of the same category isn't MFA.
Passwordless options: Windows Hello for Business, FIDO2 security keys, Microsoft Authenticator app. More secure and more convenient.
SSPR (Self-Service Password Reset): users reset their own passwords safely, cutting helpdesk load.
🎯 Analogy: An ATM is MFA — your card (have) + your PIN (know). Stealing just one isn't enough.
Password protection & management
Password Protection blocks weak/banned passwords (global + custom banned lists) and can extend to on-prem AD. Combine with SSPR for the full lifecycle.
2.3 — Access management
Conditional Access — the "if-then" brain ⭐
Heavily tested — understand it well
Conditional Access enforces policies in real time based on signals. The logic: IF (signals) THEN (decision).
🎯 Analogy: A smart bouncer. "IF you're on a personal phone from a new country at 3am → THEN show extra ID (MFA) or you're not coming in."
Exam tip: Conditional Access is the practical engine of Zero Trust. If a question mentions "require MFA only when risky" or "block logins from this country," the answer is Conditional Access.
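The "IF signals THEN decision" logic as a toy policy evaluator, added here as an example and not taken from the study guide or from Microsoft. The signal fields, policy names, the blocked-country placeholder and the rule that the strictest matching control wins are assumptions for illustration; the real service evaluates many more signals and controls.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Added example, not from the study guide or Microsoft: a toy model of the
# Conditional Access "IF (signals) THEN (decision)" loop. Everything below
# (signal fields, policy names, country list) is constructed for illustration.


@dataclass
class Signals:
    """What the sign-in looks like right now (the IF side)."""
    user: str
    sign_in_risk: str      # "none" | "low" | "medium" | "high" (as ID Protection would rate it)
    country: str           # two-letter code of the sign-in location
    device_managed: bool   # True for a compliant / managed device
    app: str               # the resource being accessed


@dataclass
class Policy:
    """One IF-THEN rule: when `condition` matches the signals, apply `grant`."""
    name: str
    condition: Callable[[Signals], bool]
    grant: str             # "block" | "mfa" | "allow"


# Block is the strongest control, then MFA, then plain allow. When several
# policies match, the strictest one decides (assumption: block always wins).
_RANK: Dict[str, int] = {"allow": 0, "mfa": 1, "block": 2}


def evaluate(signals: Signals, policies: List[Policy]) -> Dict[str, object]:
    """Return the final decision plus the names of every policy that matched."""
    matched = [p for p in policies if p.condition(signals)]
    decision = "allow"                       # nothing matched: let them in
    for p in matched:
        if _RANK[p.grant] > _RANK[decision]:
            decision = p.grant
    return {"decision": decision, "matched": [p.name for p in matched]}


BLOCKED_COUNTRIES = {"XX"}  # constructed placeholder, not a real country code

POLICIES: List[Policy] = [
    Policy("Block sign-ins from blocked countries",
           lambda s: s.country in BLOCKED_COUNTRIES, "block"),
    Policy("Require MFA when sign-in risk is medium or high",
           lambda s: s.sign_in_risk in ("medium", "high"), "mfa"),
    Policy("Require MFA from unmanaged devices",
           lambda s: not s.device_managed, "mfa"),
    Policy("Block high-risk sign-ins to the admin portal",
           lambda s: s.sign_in_risk == "high" and s.app == "Azure portal", "block"),
]


if __name__ == "__main__":
    # The contractor from the café: personal (unmanaged) laptop, low risk -> MFA.
    cafe = Signals("contractor", "low", "PT", False, "SharePoint")
    print(evaluate(cafe, POLICIES))
    # Employee on a managed laptop with no risk -> no policy matches, plain allow.
    office = Signals("alice", "none", "PT", True, "Teams")
    print(evaluate(office, POLICIES))
```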
Entra roles & RBAC
Right access, right people, least privilege
RBAC (Role-Based Access Control) grants permissions via roles instead of one-by-one. Assign a role (e.g. Helpdesk Administrator) and the user inherits exactly those permissions — nothing more.
🔖 Memory hook: RBAC = give the job title, not the individual keys. Change jobs, change role.
2.4 — Identity protection & governance
The four "guardian" tools
Entra ID Governance: manages the identity lifecycle & entitlements (who gets access, for how long). One-liner: "Right access, right time."
Access Reviews: periodic recertification — confirm people still need their access. One-liner: "Spring cleaning for permissions."
PIM (Privileged Identity Management): just-in-time, time-bound elevation for admin roles + approval & audit. One-liner: "Admin powers on demand, then gone."
Entra ID Protection: detects risky users/sign-ins using ML; can auto-remediate (force MFA/reset). One-liner: "Risk radar for identities."
Exam tip: Confusing PIM vs ID Protection? PIM = manage privileged/admin access (elevate just-in-time). ID Protection = detect risk on any identity (suspicious sign-ins).
Quick Scenario
The admin who only needs power for 2 hours
1. An engineer needs Global Admin rights to do a one-off task.
2. Instead of standing admin access, PIM lets them activate the role for 2 hours, with approval + justification.
3. After 2 hours the elevation expires automatically. Access Reviews later confirm they still need eligibility at all.
Takeaway: Least privilege in action — powerful roles exist only when needed, not 24/7.
⚡ Quick check
Q1: You want to require MFA only when a sign-in is risky or from an unfamiliar location. Which feature?
Answer: Conditional Access evaluates signals (risk, location, device) and decides whether to require MFA, allow, or block.
Q2: An Azure app needs to access a Key Vault with no stored credentials to manage. Best identity?
Answer: Managed identities give Azure resources an Entra identity with no secrets to handle.
Q3: Which gives admins time-bound, just-in-time elevation with approval and audit?
Answer: PIM elevates privileged roles only when needed, then revokes them automatically.
Domain 3 · Biggest domain
Capabilities of Microsoft Security Solutions
35–40% of exam
The largest, most product-dense domain. Strategy: don't memorize features — memorize what each product protects. Four areas: Azure infra security, Azure security management, Microsoft Sentinel, and the Defender XDR family.
TL;DR
Azure infra = network walls (DDoS, Firewall, WAF, NSG, Bastion, Key Vault). Defender for Cloud = posture management (CSPM) + workload protection. Sentinel = cloud SIEM+SOAR (collect logs, detect, automate response). Defender XDR = a family where each product guards one thing: Endpoint→devices, Office 365→email, Identity→on-prem AD, Cloud Apps→SaaS.
3.1 — Core Azure infrastructure security
The network defense toolkit
Match each tool to its job
DDoS Protection: floods of traffic trying to overwhelm your service.
Azure Firewall: stateful, network-level traffic filtering across a virtual network.
Web Application Firewall (WAF): app-layer attacks (SQL injection, XSS) against web apps.
Network segmentation (VNets): isolating resources into separate network zones.
Network Security Groups (NSGs): allow/deny rules on traffic to/from specific resources (like a per-resource ACL).
Azure Bastion: secure RDP/SSH to VMs through the browser — no public IP exposed.
Azure Key Vault: central, secure store for secrets, keys & certificates.
🔖 Memory hook: WAF = Web apps. Firewall = whole network. NSG = per-resource. Bastion = safe doorway to VMs. Key Vault = the safe.
3.2 — Azure security management
Microsoft Defender for Cloud
Know your posture, protect your workloads
Two big jobs: CSPM (Cloud Security Posture Management) — continuously assesses your config against best practices and gives a Secure Score + recommendations. And CWP (Cloud Workload Protection) — threat protection for servers, containers, databases, storage (across Azure, on-prem, and other clouds).
🎯 Analogy: CSPM is the home inspection report ("your locks are weak, fix these"). CWP is the alarm system that catches a break-in happening.
3.3 — Microsoft Sentinel
SIEM + SOAR in the cloud
The security operations command center
SIEM (Security Information & Event Management) = collect & analyze logs from across your whole estate to detect threats. SOAR (Security Orchestration, Automation & Response) = automatically respond with playbooks. Sentinel is Microsoft's cloud-native, scalable version of both.
🔖 Memory hook: SIEM = See everything (detect). SOAR = Soar into action (auto-respond). Sentinel = the watchtower doing both.
3.4 — Defender XDR family ⭐
One family, each member guards one thing
The #1 place candidates lose marks — learn the scopes
XDR = eXtended Detection & Response. The family correlates signals across all of these, managed from the Microsoft Defender portal:
Devices (Defender for Endpoint): protects laptops, servers and other endpoints; spots suspicious activity on a device and can isolate it.
Email & collaboration (Defender for Office 365): phishing, malicious links/attachments in email, Teams, SharePoint.
On-prem identities (Defender for Identity): detects attacks against on-prem Active Directory (lateral movement, etc.).
SaaS apps (Defender for Cloud Apps): a CASB — visibility & control over cloud/SaaS app usage (shadow IT).
Weaknesses (Vulnerability Management): finds & prioritizes unpatched vulnerabilities across assets.
Adversary intel (Defender Threat Intelligence): maps attacker infrastructure, IOCs & threat actor profiles.
Exam tip — the classic trap: Watch the scope word in the question. Endpoint=devices, Office 365=email, Identity=on-prem AD, Cloud Apps=SaaS. Note: Defender for Cloud (Azure workloads) ≠ Defender for Cloud Apps (SaaS/CASB). They sound alike — they're different.
Deep Case Study · Phishing → containment
"Finance got a fake invoice email"
A finance employee receives a convincing email with a malicious link. Watch the Microsoft security stack respond, layer by layer:
1. Defender for Office 365 scans the inbound email. Safe Links detonates the URL in a sandbox and flags it — some users are protected before they even click.
2. One user clicks anyway on their laptop. Defender for Endpoint spots the suspicious process the payload tries to spawn and isolates the device.
3. The malware tries to harvest credentials and move toward the domain controller. Defender for Identity detects the abnormal lateral-movement pattern in on-prem AD.
4. All these signals flow into Microsoft Defender XDR, which correlates them into a single incident (not four disconnected alerts).
5. Microsoft Sentinel ingests the incident plus firewall & sign-in logs (SIEM), then a SOAR playbook auto-disables the compromised account and opens a ticket.
6. Entra ID Protection marks the user as high-risk; Conditional Access forces a password reset + MFA before they regain access.
Takeaway: Each product owns a layer (email → device → identity), XDR correlates, Sentinel orchestrates the response. This is the exam's mental model of "how it all fits together."
⚡ Quick check
Q1: Which product protects against threats in email and collaboration tools like Teams & SharePoint?
Answer: Defender for Office 365 handles phishing, malicious links & attachments across email and collaboration.
Q2: You need to securely connect to an Azure VM via RDP without giving it a public IP. Use:
Answer: Azure Bastion provides secure browser-based RDP/SSH with no public IP on the VM.
Q3: A tool collects logs from across the org, detects threats, AND auto-runs response playbooks. That's:
Answer: Sentinel is the cloud-native SIEM + SOAR — detection plus automated response.
Q4: Which gives you a Secure Score and config recommendations across your cloud resources?
Answer: Defender for Cloud's CSPM assesses your posture and produces a Secure Score with recommendations.
Domain 4 · Easy points people skip
Capabilities of Microsoft Compliance Solutions
20–25% of exam
Mostly Microsoft Purview. The theme: know your data, protect it, govern it, and prove you follow the rules. Four areas: Service Trust Portal & privacy, Purview compliance management, information protection & data lifecycle, and insider risk / eDiscovery / audit.
TL;DR
Service Trust Portal = Microsoft's compliance docs/audit reports + Priva for privacy. Compliance Manager = a Compliance Score + improvement actions. Information protection = classify data, apply sensitivity labels, DLP to stop leaks, retention to keep/delete records. Insider risk / eDiscovery / audit = catch internal risks, find data for legal cases, log who-did-what.
4.1 — Service Trust Portal & privacy
Service Trust Portal (STP) & privacy principles
Microsoft's "trust me, here's proof" hub
The STP publishes Microsoft's security/compliance audit reports, certifications (ISO, SOC), and trust documents. Microsoft's privacy principles guide how it handles customer data: you own & control your data; Microsoft uses it only to provide the service; strong security & encryption; transparency; legal protections.
Microsoft Priva = helps you manage privacy risk: find personal data, handle subject rights requests, reduce oversharing.
4.2 — Purview compliance management
The Microsoft Purview portal is the single console for compliance & data governance. Compliance Manager assesses your posture against regulations (GDPR, ISO, etc.) via assessments and gives a Compliance Score + recommended improvement actions, split into Microsoft-managed and your-responsibility controls.
🎯 Analogy: Compliance Manager is a credit score for your compliance — it tells you the number and exactly which actions raise it.
4.3 — Information protection & data lifecycle
Know it → label it → protect it → keep/delete it
The data lifecycle, in order
Data classification: identifies sensitive data (sensitive info types, trainable classifiers).
Content explorer / Activity explorer: see where sensitive data lives & what's happening to it.
Sensitivity labels: tag & protect data (encrypt, watermark, restrict) — travels with the file.
Data Loss Prevention (DLP): stops sensitive data from leaving (blocks risky emails/uploads/copies).
Records management: declare content as a formal record with retention/disposal rules.
Retention policies & labels: keep data for X (compliance) and/or delete after Y (reduce risk).
🔖 Memory hook: Label = tag + protect (sticks to the file). DLP = the bouncer stopping data at the exit. Retention = the timer for keep vs delete.
4.4 — Insider risk, eDiscovery & audit
The internal-threat & investigation trio
Threats from within (Insider Risk Management): detects risky internal activity (data theft before resignation, leaks) using policies & signals.
Legal / investigation (eDiscovery): find, hold, review & export content for legal cases or investigations (Standard & Premium).
Who did what (Audit): logs user & admin activity for investigations & compliance (Standard & Premium).
Exam tip: Insider Risk = internal people being risky. eDiscovery = gather evidence for a legal case. Audit = the activity log of who-did-what. Don't mix them up.
Quick Scenario
One HR spreadsheet, start to finish
1. Data classification recognizes the spreadsheet contains salary + national ID numbers (sensitive info types).
2. A sensitivity label "Confidential – HR" auto-applies, encrypting the file so only HR can open it — protection travels with the file, even outside the org.
3. A DLP policy blocks any attempt to email or upload that labeled content externally, warning the user why.
4. Content explorer shows admins everywhere this data currently lives; Activity explorer shows recent attempts to move it.
5. An employee about to resign tries copying it to a USB — Insider Risk Management flags the pattern for review.
6. If it ends in a dispute, eDiscovery collects the relevant files & emails, and the Audit log proves exactly who touched what, when.
Takeaway: Purview is a pipeline — classify → label → prevent loss (DLP) → monitor → investigate. Each exam term is one stage of protecting that one file.
Deep Case Study · Zero Trust end-to-end
"New hire's first secure day" — tying all 4 domains together
1. (D1) Identity is the perimeter: the new hire's account is created in Entra ID — their identity, not the office network, controls access.
2. (D2) Access: they're added to groups via RBAC; Conditional Access requires MFA on their managed laptop. Entra ID Governance sets their access to expire when the project ends.
3. (D3) Security: the laptop is protected by Defender for Endpoint; their email by Defender for Office 365; all signals feed Sentinel.
4. (D4) Compliance: documents they create get sensitivity labels; DLP stops accidental leaks; Audit logs their activity; retention policies govern how long files live.
Takeaway: SC-900 isn't four separate topics — it's one Zero Trust story. Concepts define it, Entra controls access, Security defends, Compliance governs the data. If you can narrate this flow, you understand the exam.
⚡ Quick check
Q1: Which stops sensitive data from being emailed or uploaded outside the organization?
Answer: DLP enforces rules that block sensitive content from leaving via email, upload, or copy.
Q2: You want a score showing how well you meet GDPR, plus actions to improve. Which tool?
Answer: Compliance Manager gives a Compliance Score and recommended improvement actions per regulation.
Q3: A departing employee may be exfiltrating data. Which Purview capability flags this?
Answer: Insider Risk Management detects risky internal behaviour like pre-resignation data theft.
Final stretch
Exam-Day Strategy
SC-900 is ~45 questions in 60 minutes, passing score 700/1000. Single choice, multiple response, true/false, and short scenarios. Here's how to walk in calm.
TL;DR strategy
① Read the scope word in every question (Endpoint? Office 365? Identity?). ② Don't overthink — it's fundamentals, the obvious answer is usually right. ③ Flag & move on; never burn 3 minutes on one item. ④ Match product → job, not product → feature list.
🪤 The traps that catch people
Most common confusions — settle these now
These two sound alike… …but remember:
Defender for Cloud vs Defender for Cloud Apps: for Cloud = Azure workloads/posture. for Cloud Apps = SaaS/CASB.
Sensitivity labels vs DLP: labels tag & protect the file. DLP blocks data leaving.
Insider Risk vs eDiscovery vs Audit: risky insiders / legal evidence / activity log.
Defender for Endpoint vs Defender for Identity: Endpoint = devices. Identity = on-prem AD.
✅ Final-week checklist
Tick these off:
I can explain Zero Trust's 3 principles (VLA) without notes
I can split Shared Responsibility by IaaS/PaaS/SaaS
I know AuthN vs AuthZ and encryption vs hashing cold
I can name the 4 Entra identity types
I can describe Conditional Access as "IF signals THEN decision"
I know PIM vs Access Reviews vs ID Protection vs Governance
I can map every Defender product to what it protects
I know Defender for Cloud ≠ Defender for Cloud Apps
I can define SIEM vs SOAR and what Sentinel does
I know the Purview data lifecycle: classify → label → DLP → retention
I can tell apart Insider Risk, eDiscovery & Audit
I took Microsoft's free Practice Assessment & reviewed misses
Official resources (free)
Microsoft Learn — SC-900 study guide & skills outline: the source of truth. Use the bullet list as your checklist.
Free Practice Assessment on Microsoft Learn — closest thing to the real question style.
SC-900 Learning Path — ~5–7 hours of interactive modules covering all four domains.
Exam sandbox — try the exam interface before the real thing so it's not a surprise.
Reminder: The official skills outline was last updated November 7, 2025. This guide follows that version. Always glance at Microsoft Learn for any change-log updates before booking.
🎯 You've got this, Larissa. SC-900 is the most learnable of the SC/MS family — and it pairs perfectly with the SC-300 and MD-102 work you've already done. Walk in, read the scope word, trust your prep. Good luck!