Microsoft Certified: Security, Compliance, and Identity Fundamentals (SC-900) Practice Test

SC-900 is designed for a broad audience that includes business stakeholders, students, and new or experienced IT professionals who want to demonstrate baseline fluency in security, compliance, and identity concepts. It is especially relevant for those in roles such as IT administrator, compliance officer, business analyst, or junior security analyst who work within organizations using Microsoft Azure and Microsoft 365 but do not yet hold a specialized security role.

The exam is also well-suited for professionals transitioning into cybersecurity or cloud security from adjacent IT disciplines, as it provides foundational grounding before pursuing role-based certifications like SC-200 (Security Operations Analyst), SC-300 (Identity and Access Administrator), or SC-400 (Information Protection and Compliance Administrator). Students in IT or cybersecurity programs use it as an early credential to signal cloud security awareness to employers.

There are no formal prerequisites to register for SC-900. However, Microsoft recommends that candidates have a general familiarity with Microsoft Azure and Microsoft 365 before attempting the exam, as many questions reference services and features within those platforms. No prior security, compliance, or identity experience is required — the exam is explicitly designed to be accessible to those new to these domains.

In practical terms, candidates benefit most from having completed the free Microsoft Learn learning path 'Introduction to security, compliance, and identity concepts' (SC-900T00 course content) and from some exposure to navigating the Azure portal and Microsoft 365 admin center. Candidates with a basic understanding of networking concepts, cloud service models (IaaS, PaaS, SaaS), and general IT terminology will find the material easier to absorb.

SC-900 is a single exam delivered through Pearson VUE (for general candidates) or Certiport (for students and educators). The exam is proctored and may be taken online or at a testing center. Candidates are given 45 minutes to complete the assessment. The exam may include interactive components in addition to traditional question types such as multiple choice and multi-select. A scaled score of 700 out of 1000 is required to pass.

The exam is available in 13 languages including English, Japanese, Chinese (Simplified and Traditional), Korean, French, Spanish, Portuguese (Brazil), Russian, Arabic (Saudi Arabia), Indonesian, German, and Italian. Candidates taking a localized version that lags behind the current English version may request an additional 30 minutes. If a candidate fails the exam, they may retake it after 24 hours; subsequent retake waiting periods vary per Microsoft's retake policy. Microsoft strongly recommends registering with a personal MSA account rather than a work or school account to ensure certification records are retained.

• 1.Describe the concepts of security, compliance, and identity (10–15%): Covers foundational security principles including the shared responsibility model, defense-in-depth, the Zero Trust model, encryption and hashing, and Governance, Risk, and Compliance (GRC) concepts. Also defines core identity concepts such as authentication, authorization, identity providers, directory services, Active Directory, and federation.
• 2.Describe the capabilities of Microsoft Entra (25–30%): Covers Microsoft Entra ID (formerly Azure AD) including types of identities, hybrid identity, and authentication methods such as MFA and password protection. Also includes Conditional Access, role-based access control (RBAC), Microsoft Entra ID Governance, access reviews, Privileged Identity Management (PIM), and Microsoft Entra ID Protection.
• 3.Describe the capabilities of Microsoft security solutions (35–40%): Covers core Azure infrastructure security services including Azure DDoS Protection, Azure Firewall, Web Application Firewall (WAF), virtual network segmentation, Network Security Groups (NSGs), Azure Bastion, and Azure Key Vault. Also includes Microsoft Defender for Cloud, Cloud Security Posture Management (CSPM), Microsoft Sentinel (SIEM/SOAR), and the full Microsoft Defender XDR suite covering Defender for Office 365, Defender for Endpoint, Defender for Cloud Apps, Defender for Identity, Defender Vulnerability Management, and Defender Threat Intelligence.
• 4.Describe the capabilities of Microsoft compliance solutions (20–25%): Covers the Microsoft Service Trust Portal and Microsoft's privacy principles including Microsoft Priva. Includes Microsoft Purview capabilities such as the Purview portal, Compliance Manager, compliance score, data classification, Content Explorer, Activity Explorer, sensitivity labels, data loss prevention (DLP), records management, retention policies, insider risk management, eDiscovery, and audit solutions.

• Use the official Microsoft Learn SC-900 study guide (aka.ms/sc900-StudyGuide) as your syllabus — it lists every testable objective with percentage weights, allowing you to prioritize the highest-weighted domains like Microsoft security solutions (35–40%) first.
• Complete the free Microsoft Learn learning path 'SC-900T00: Introduction to Microsoft Security, Compliance, and Identity' in its entirety, as it was designed to map directly to the exam objectives and includes interactive knowledge checks after each module.
• Take the free official Practice Assessment available on the SC-900 certification page on Microsoft Learn before scheduling your exam — it mirrors the wording and difficulty of real exam questions and pinpoints knowledge gaps by domain.
• Use the Exam Sandbox (go.microsoft.com/fwlink/?linkid=2226877) to familiarize yourself with the exam interface and interactive question types before exam day, so you are not slowed down by unfamiliar UI during the timed assessment.
• Focus special attention on Microsoft Entra ID capabilities and Microsoft Defender XDR services, as these two areas together account for up to 70% of the exam. Build a mental map of how each Defender product (for Office 365, Endpoint, Cloud Apps, Identity) addresses different threat vectors.
• Review the Microsoft Purview product family as a group — understanding how Compliance Manager, sensitivity labels, DLP, records management, and eDiscovery relate to each other helps answer scenario-based questions that test conceptual understanding rather than memorization.
• Consult the Microsoft Security and Compliance Tech Community hub for exam readiness videos and the Exam Readiness Zone on Microsoft Learn, which offers short video walkthroughs of each domain aligned to the current exam version.

SC-900 serves as a recognized entry credential in Microsoft's security certification path and provides a foundation for advancing to role-based certifications such as SC-200 (Security Operations Analyst), SC-300 (Identity and Access Administrator), and SC-400 (Information Protection and Compliance Administrator). It is particularly valued in organizations heavily invested in Microsoft 365 and Azure, where demonstrating fluency in Microsoft's security and compliance toolset — including Microsoft Sentinel, Defender XDR, and Microsoft Purview — is directly applicable to day-to-day job functions. The certification is relevant to roles including IT administrator, compliance officer, cloud security analyst, and junior security engineer.

From a compensation perspective, entry-level cybersecurity roles requiring foundational cloud and security knowledge carry salaries in the $72,000–$92,000 range, with the higher end reflecting combined cloud and security skills. The SC-900 is frequently paired with AZ-900 (Azure Fundamentals) or CompTIA Security+ to round out a candidate's credential profile — SC-900 demonstrates Microsoft-specific knowledge while Security+ provides broader vendor-neutral recognition. The cybersecurity market continues to expand, with significant demand for professionals who can navigate Microsoft's integrated security ecosystem across identity, threat protection, and compliance.