Microsoft Azure | 9 min read | 10 May 2024

SC-900 Study Guide: Pass Microsoft Security, Compliance and Identity Fundamentals

Complete SC-900 study guide covering Zero Trust, Microsoft Entra ID, Defender, Sentinel, and Purview. Everything you need to pass on your first attempt.

Tags: SC-900, Microsoft Security, Zero Trust, Entra ID, Certification Guide

What is the SC-900 Certification?

Microsoft Security, Compliance, and Identity Fundamentals (SC-900) is Microsoft's entry-level security certification. It validates foundational knowledge of security, compliance, and identity concepts across Microsoft services.

It's an excellent first security credential and a natural companion to AZ-900. No hands-on security experience is required to pass.

Exam facts:

  • Cost: $165 USD
  • Passing score: 700 out of 1000
  • Format: 40 to 60 questions
  • Duration: 45 minutes
  • Valid for: Lifetime (no expiry)


Exam Domains

Domain                                        Weight
Security, Compliance and Identity Concepts    10 to 15%
Microsoft Entra (Identity and Access)         25 to 30%
Microsoft Security Solutions                  35 to 40%
Microsoft Compliance Solutions                20 to 25%

Domain 1: Core Concepts

Zero Trust Model (most important concept): Zero Trust is a security model that assumes no user or system should be trusted by default — even inside the corporate network. Every access request must be verified.

Zero Trust has three guiding principles:

  1. Verify explicitly: Always authenticate and authorise based on all available data (identity, location, device, service, data classification)
  2. Use least privilege access: Limit access rights to only what is needed — no more
  3. Assume breach: Design systems as if a breach has already occurred

Shared Responsibility Model: In cloud environments, security responsibilities are shared:

  • Microsoft manages: physical security, hardware, network infrastructure, virtualisation
  • Customer manages: data, identities, applications, operating systems, and access configuration

Defence in Depth: A layered security approach where multiple controls protect resources: Physical > Identity > Perimeter > Network > Compute > Application > Data


Domain 2: Microsoft Entra ID and Identity

What is Microsoft Entra ID? Formerly called Azure Active Directory (Azure AD), Microsoft Entra ID is Microsoft's cloud-based identity and access management service. It controls who can access what across Microsoft 365, Azure, and thousands of third-party applications.

Key identity concepts

  • Authentication (AuthN): Proving who you are — username, password, biometrics, MFA
  • Authorisation (AuthZ): What you're allowed to do after being authenticated — RBAC roles, permissions
  • Multi-Factor Authentication (MFA): Requiring two or more verification methods (something you know + something you have + something you are)
  • Single Sign-On (SSO): Log in once, access multiple applications without re-authenticating

Conditional Access: Conditional Access policies control access based on conditions. Examples:

  • Block access from countries you don't operate in
  • Require MFA for all access from outside the corporate network
  • Require a compliant device to access sensitive data

Microsoft Entra Identity Protection: Automatically detects risky sign-in attempts and can:

  • Require MFA for risky sign-ins
  • Block access for high-risk users
  • Generate risk reports for security teams
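To see how the Conditional Access examples above and the Identity Protection risk signals combine on a single sign-in, here is a simplified evaluation loop. It is an added illustration, not Microsoft's engine or code from this guide; the policy names, the sign-in fields, the operating-country list and the "block wins over grant controls" aggregation are assumptions.

```python
# Added example: simulate how several Conditional Access policies evaluate one
# sign-in. Every policy whose conditions match contributes its grant control;
# any matching "block" wins; otherwise all required controls must be satisfied.
from dataclasses import dataclass
from typing import Callable, List

@dataclass
class SignIn:
    user: str
    country: str              # ISO country code of the sign-in location
    on_corp_network: bool     # inside the named corporate network?
    device_compliant: bool    # Intune compliance state of the device
    sign_in_risk: str = "none"   # Identity Protection risk: none/low/medium/high
    resource: str = "Mail"       # application being accessed

@dataclass
class Policy:
    name: str
    matches: Callable[[SignIn], bool]   # the policy's conditions
    grant: str                          # "block", "mfa" or "compliant_device"

OPERATING_COUNTRIES = {"GB", "IE"}      # assumed: where the company operates

POLICIES: List[Policy] = [
    Policy("Block unsupported countries",
           lambda s: s.country not in OPERATING_COUNTRIES, "block"),
    Policy("MFA outside corporate network",
           lambda s: not s.on_corp_network, "mfa"),
    Policy("Compliant device for sensitive data",
           lambda s: s.resource == "SensitiveData", "compliant_device"),
    Policy("MFA for risky sign-ins",
           lambda s: s.sign_in_risk in {"medium", "high"}, "mfa"),
    Policy("Block high-risk sign-ins",
           lambda s: s.sign_in_risk == "high", "block"),
]

def evaluate(sign_in: SignIn, policies=POLICIES):
    """Return ("block", reasons) or ("grant", required_controls)."""
    matched = [p for p in policies if p.matches(sign_in)]
    blockers = [p.name for p in matched if p.grant == "block"]
    if blockers:                       # a block control always takes precedence
        return "block", blockers
    controls = {p.grant for p in matched}
    # A required control the session cannot satisfy results in denial.
    if "compliant_device" in controls and not sign_in.device_compliant:
        return "block", ["device not compliant"]
    return "grant", sorted(controls)   # e.g. ["mfa"] means: prompt for MFA
```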

Privileged Identity Management (PIM): Controls how admin roles are assigned. Key principle: just-in-time access — admins only have elevated permissions when they explicitly activate them, not permanently.


Domain 3: Microsoft Security Solutions

Microsoft Defender Products

  • Microsoft Defender for Cloud: Monitors security posture across Azure, AWS, and on-premises. Provides Secure Score (a percentage showing how well you follow security best practices)
  • Microsoft Defender for Endpoint: Endpoint detection and response (EDR) for devices — laptops, servers, mobile
  • Microsoft Defender for Office 365: Protects email and collaboration tools from phishing and malware
  • Microsoft Defender for Identity: Monitors Active Directory for suspicious identity-related behaviour
  • Microsoft Defender XDR: Unified security operations across all Defender products

Microsoft Sentinel: Microsoft's cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) platform.

  • SIEM: Collects and analyses security data from across your organisation
  • SOAR: Automates responses to detected threats (e.g. blocking an IP, disabling a user account)
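The SIEM and SOAR halves of Sentinel are easiest to understand side by side: an analytics rule turns collected sign-in events into an incident, and a playbook turns the incident into response actions. The following is an added illustration, not Sentinel's own logic; the log format, the failure threshold and the action names are assumptions, and the log lines are constructed.

```python
# Added example: a miniature SIEM (detection) + SOAR (automated response) loop
# over constructed sign-in events. Real Sentinel rules are written in KQL and
# playbooks in Logic Apps; this only models the flow of data between the two.
from collections import defaultdict

# Constructed sample log: "timestamp source_ip user result" per line.
SAMPLE_LOG = """\
2024-05-10T09:00:01Z 203.0.113.7 alice FAILURE
2024-05-10T09:00:05Z 203.0.113.7 alice FAILURE
2024-05-10T09:00:09Z 203.0.113.7 alice FAILURE
2024-05-10T09:00:14Z 203.0.113.7 alice FAILURE
2024-05-10T09:00:20Z 203.0.113.7 alice FAILURE
2024-05-10T09:00:31Z 203.0.113.7 alice SUCCESS
2024-05-10T09:01:02Z 198.51.100.4 bob FAILURE
2024-05-10T09:01:40Z 198.51.100.4 bob SUCCESS
"""

FAILURE_THRESHOLD = 5   # assumed analytics-rule threshold

def parse(log_text):
    """SIEM collection step: normalise raw lines into event records."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "result": result})
    return events

def analytics_rule(events):
    """SIEM analysis step: a success preceded by >= threshold failures from
    the same IP for the same user is raised as an incident."""
    failures = defaultdict(int)
    incidents = []
    for e in events:
        key = (e["ip"], e["user"])
        if e["result"] == "FAILURE":
            failures[key] += 1
            continue
        if failures[key] >= FAILURE_THRESHOLD:
            incidents.append({"ip": e["ip"], "user": e["user"],
                              "failures": failures[key], "at": e["ts"]})
        failures[key] = 0          # a success ends the failure run either way
    return incidents

def playbook(incident):
    """SOAR step: the automated actions for one incident (names assumed)."""
    return [("block_ip", incident["ip"]), ("disable_account", incident["user"])]

def run(log_text=SAMPLE_LOG):
    """End to end: collect -> detect -> respond."""
    return [(inc, playbook(inc)) for inc in analytics_rule(parse(log_text))]
```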

Azure Network Security:

  • Azure Firewall: Managed firewall service with threat intelligence
  • Azure DDoS Protection: Defends against distributed denial-of-service attacks
  • Network Security Groups (NSGs): Filter network traffic to Azure resources
  • Azure Bastion: Secure RDP/SSH access to VMs without exposing them to the internet


Domain 4: Microsoft Compliance Solutions

Microsoft Purview: Microsoft's unified data governance and compliance platform, covering:

  • Compliance Manager: Assess your compliance posture against regulations (GDPR, ISO 27001, etc.) with a compliance score
  • Sensitivity Labels: Classify and protect documents based on their sensitivity (Public, Internal, Confidential, Highly Confidential)
  • Data Loss Prevention (DLP): Policies that prevent sensitive data from being shared externally — e.g. blocking emails containing credit card numbers
  • Retention Policies: Keep data for the required period, delete it when retention expires
  • Microsoft Priva: Privacy management — identifies personal data and helps you respond to privacy requests
  • Insider Risk Management: Detects risky behaviour by users within the organisation (e.g. bulk file downloads before resignation)
  • eDiscovery: Legal hold and search capabilities for investigations
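The DLP bullet's example (blocking an email that contains a credit card number) comes down to recognising the number reliably enough not to block every 16-digit order reference. The check below is an added illustration of that idea, not Purview's detection logic; the candidate pattern, the use of a Luhn checksum as the confidence test, and the sample messages are assumptions and constructed data.

```python
# Added example: a minimal DLP-style detector for payment card numbers.
# A loose digit pattern finds candidates; the Luhn checksum rejects most
# random digit runs so that only structurally valid card numbers trigger a block.
import re

# 13 to 19 digits, each optionally followed by a space or hyphen separator.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9
    if the result exceeds 9); the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(text: str):
    """Return the normalised (separator-free) card numbers found in text."""
    found = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found

def dlp_decision(message: str, external_recipient: bool) -> str:
    """Policy: block messages to external recipients that carry a valid card
    number; internal mail and messages without a match are allowed."""
    if external_recipient and find_card_numbers(message):
        return "block"
    return "allow"

# Constructed sample: 4111 1111 1111 1111 is a well-known Luhn-valid test number.
SAMPLE_EXTERNAL = "Hi, please charge 4111 1111 1111 1111 for the invoice."
SAMPLE_ORDER_REF = "Your order reference is 4111 1111 1111 1112, thanks."
```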

Best Free Resources for SC-900

  • Microsoft Learn SC-900 learning path (free, official) — the most important resource
  • John Christopher on YouTube — SC-900 crash course, very clear explanations
  • Microsoft Security documentation — good for deep dives on specific services
  • SC-900 official practice assessment — free on Microsoft's site, closely matches the real exam

Exam Strategy

The SC-900 is organised around three themes: identity, security, and compliance. Every question is about one of these three. Build a mental map:

  • Identity question? Entra ID, MFA, Conditional Access, PIM
  • Security question? Defender products, Sentinel, Azure Firewall, NSG
  • Compliance question? Purview, Sensitivity Labels, DLP, Compliance Manager

Scenario question tip: If the scenario involves protecting user accounts, it is identity. If it involves detecting or responding to threats, it is security. If it involves data classification, regulations, or privacy, it is compliance.


Next Steps After SC-900

  • AZ-500: Azure Security Engineer Associate (technical, hands-on)
  • SC-200: Microsoft Security Operations Analyst (SOC-focused)
  • SC-300: Microsoft Identity and Access Administrator
  • SC-400: Microsoft Information Protection and Compliance Administrator