SC-900 Study Guide 2026 — Pass Microsoft SCI Fundamentals
SC-900 is Microsoft's entry point into security, compliance, and identity. Here's the exam structure, the four skills-measured domains, the highest-yield product families, and a study plan that gets you to a 700 in one to two weeks.
The SC-900 (Microsoft Certified: Security, Compliance, and Identity Fundamentals) is the on-ramp to Microsoft's entire security certification track. It tests whether you can describe the core concepts of security, compliance, and identity (SCI) and the Microsoft products that deliver them — Microsoft Entra, Defender, Sentinel, and Purview. It's concept- and terminology-focused, not hands-on. You won't configure anything; you'll identify what each tool does and when it applies.
That makes SC-900 one of the most passable Microsoft certs out there — if you study the right things. This guide covers exactly what's tested, the product-family distinctions that trip people up, and a one-to-two-week plan to get you across the line.
What SC-900 is (and isn't)
SC-900 is a Fundamentals-level exam. It assumes no prior experience and has no prerequisites. The verbs on the exam objectives are "describe" and "identify" — never "configure" or "deploy." If you can explain what Conditional Access does and when you'd reach for Microsoft Sentinel versus Microsoft Defender for Cloud, you're on track.
It's aimed at people building shared security vocabulary: new and aspiring security pros, IT generalists, help-desk and sysadmins moving toward security, business and compliance stakeholders, and students.
What it is not is a technical deep-dive. Don't burn time learning to write KQL queries or build Sentinel playbooks. The exam wants the concepts.
Exam structure
- Passing score: 700 on a scale of 1–1000 (this is a scaled score, not a percentage — you don't need 70% correct)
- ~40–60 questions
- ~45 minutes
- Mostly multiple-choice and multi-select
- Cost: ~$99 USD
- Prerequisites: none
- Validity: does not expire. As a Fundamentals certification, there's no renewal requirement — pass once and it's yours.
The four skills-measured domains
Microsoft weights the exam across four domains. Memorize these weights — they tell you where to spend your hours.
| Domain | Weight |
|---|---|
| Describe the concepts of security, compliance, and identity | 10–15% |
| Describe the capabilities of Microsoft Entra (identity & access) | 25–30% |
| Describe the capabilities of Microsoft security solutions | 35–40% |
| Describe the capabilities of Microsoft compliance solutions | 20–25% |
Security solutions is the single heaviest domain at 35–40%. Combined with Entra at 25–30%, those two domains are roughly two-thirds of the exam. If you nail identity and security solutions, the rest is upside.
Domain 1: SCI concepts (10–15%)
The foundational vocabulary. Know these cold because they underpin every other domain:
- Shared responsibility model — what the cloud provider secures vs. what you secure
- Defense in depth — layered controls
- Zero Trust — the modern security model (more below)
- Encryption vs. hashing — encryption is reversible; hashing is one-way
- Authentication vs. authorization — who you are vs. what you can access
- Identity as the primary security perimeter — the network is no longer the boundary
Domain 2: Microsoft Entra (25–30%)
Entra is Microsoft's identity and access platform (formerly Azure AD). Know:
- Entra ID and identity types — including the new "agent ID" for AI agents
- Multi-factor authentication (MFA)
- Conditional Access — policies that grant or block access based on signals
- Role-based access control (RBAC)
- Privileged Identity Management (PIM) — just-in-time elevated access
- Access reviews, Identity Protection, and Entra ID Governance
Domain 3: Microsoft security solutions (35–40%)
The biggest domain. This is where the product-family confusion lives (see the highest-yield section). Coverage includes:
- Azure network security — DDoS Protection, Azure Firewall, Web Application Firewall (WAF), network security groups (NSGs), Azure Bastion, Key Vault
- Microsoft Defender for Cloud — cloud security posture management (CSPM)
- Microsoft Sentinel — SIEM and SOAR
- Microsoft Defender XDR — Defender for Office 365, Endpoint, Cloud Apps, and Identity
Domain 4: Microsoft compliance solutions (20–25%)
Centered on Microsoft Purview:
- Compliance Manager and the compliance score
- Sensitivity labels
- Data loss prevention (DLP)
- Retention and records management
- Insider risk and eDiscovery
- Plus the Service Trust Portal
Highest-yield: know the product families cold
The single biggest point-swing on SC-900 is being able to tell the Microsoft security and compliance products apart. Anchor each one to what it protects or does:
- Microsoft Defender for Cloud → cloud posture (CSPM). "Is my cloud configured securely?"
- Microsoft Defender XDR → threats across endpoint, email, apps, and identity. The XDR umbrella covers Defender for Office 365, Endpoint, Cloud Apps, and Identity.
- Microsoft Sentinel → logs and response (SIEM + SOAR). Collects and analyzes signals, and automates response.
- Microsoft Purview → data and compliance. Labels, DLP, retention, eDiscovery.
For Entra, drill the access controls: Conditional Access, MFA, RBAC, and PIM — what each one is and when you'd use it.
And know Zero Trust's three principles:
- Verify explicitly — always authenticate and authorize on all available signals
- Use least-privilege access — give only the access needed
- Assume breach — segment, minimize blast radius, verify end-to-end
The gotchas that sink first-timers
These are the recurring traps. Get them straight before test day:
- Defender for Cloud vs. Defender XDR vs. Defender for Endpoint/Identity is the #1 miss. They all say "Defender." Anchor each to what it protects: Cloud = posture/CSPM; XDR = the threat-protection umbrella over endpoint/email/apps/identity; Defender for Endpoint and Defender for Identity are members inside XDR.
- SIEM vs. SOAR. SIEM collects and analyzes logs; SOAR automates response. Microsoft Sentinel does both.
- Authentication vs. authorization. Authentication proves who you are; authorization decides what you can access.
- Encryption vs. hashing. Encryption is reversible (you can decrypt); hashing is one-way (you can't un-hash).
- Current names. "Azure AD" is now Microsoft Entra ID. "Microsoft 365 Defender" is now Microsoft Defender XDR. The exam uses current names — old names in an answer choice are often the wrong pick.
Memory aids
Two anchors carry a surprising amount of the exam:
Zero Trust = "Never trust, always verify." Unpack it into the three principles: Verify explicitly / Least privilege / Assume breach.
Four buckets for the products:
- Cloud posture → Defender for Cloud
- Threats → Defender XDR
- Logs / response → Sentinel
- Data / compliance → Purview
If you can recite those four buckets under pressure, you've locked down the hardest-scoring part of the exam.
A one-to-two-week study plan
SC-900 is a fundamentals exam. Most candidates with some IT exposure can prepare in one to two weeks. Scale it to your background.
Days 1–2: Concepts + Zero Trust
Domain 1 in full — shared responsibility, defense in depth, encryption vs. hashing, authentication vs. authorization, identity as the perimeter. Lock in the three Zero Trust principles.
Days 3–5: Microsoft Entra
The identity domain (25–30%). Entra ID and identity types (including agent ID), MFA, Conditional Access, RBAC, PIM, access reviews, Identity Protection, and Entra ID Governance. Drill when you'd use each access control.
Days 6–9: Security solutions (the heavy block)
The 35–40% domain. Azure network security tools (DDoS Protection, Firewall, WAF, NSGs, Bastion, Key Vault), then the product families. Spend most of your effort separating Defender for Cloud vs. Defender XDR vs. Sentinel. Memorize the four buckets.
Days 10–12: Compliance solutions
Microsoft Purview end to end — Compliance Manager and compliance score, sensitivity labels, DLP, retention, insider risk, eDiscovery — plus the Service Trust Portal.
Days 13–14: Mixed practice + review
Run full practice sets across all four domains. Score consistently above passing before you book. Review every wrong answer until you can explain why the right product or concept applies.
If you have solid IT background, compress this into a single week by pairing Days 3–5 with Days 6–9.
Frequently asked questions
How much does SC-900 cost in 2026?
About $99 USD.
What's the passing score?
700 on a 1–1000 scale. It's a scaled score — not a straight 70% of questions correct.
How many questions are on SC-900?
Roughly 40–60 questions, mostly multiple-choice and multi-select, in about 45 minutes.
Does SC-900 expire?
No. As a Fundamentals certification, it does not require renewal and does not expire.
Are there prerequisites?
None. SC-900 is designed as an entry point with no experience required.
Is SC-900 changing in 2026?
A content update on July 28, 2026 adds AI "agent ID" identity content under the Entra domain. The domain weights are unchanged, and the exam is not being retired. (The separate AZ-500 → SC-500 change affects the engineer-level exam, not SC-900.)
Test yourself. Run 30 free SC-900 questions on the SC-900 exam page — no card, no email-trap. And if you're still deciding whether the cert is worth your time, read Is SC-900 Worth It? first.