Microsoft · SC-900
Validates foundational knowledge on security, compliance, and identity concepts across cloud-based and related Microsoft services.
Questions
230
Duration
45 minutes
Passing Score
700/1000
Difficulty
FoundationalLast Updated
Jun 2026
This SC-900 practice exam helps you prepare for Microsoft Security, Compliance, and Identity Fundamentals, a beginner-level certification that, unlike role-based credentials, never expires. The questions follow how the real exam is weighted, with the heaviest focus on Microsoft security solutions (35 to 40 percent) and Microsoft Entra identity capabilities (25 to 30 percent).
Because SC-900 uses describe-style objectives and no hands-on configuration, success comes from understanding what each Microsoft security, compliance, and identity service does and when it applies. The explanations are written to build that conceptual map across Entra, security, and compliance solutions so you can tell similar services apart under exam pressure.
You have 45 minutes on test day and need a scaled score of 700 out of 1000. Start with the free preview, then practice in short sessions until your accuracy is steady. SC-900 is a common first step toward role-based security certs such as SC-200, SC-300, and AZ-500.
The Microsoft Certified: Security, Compliance, and Identity Fundamentals certification (SC-900) validates foundational knowledge of security, compliance, and identity concepts across Microsoft cloud-based services, including Azure and Microsoft 365. The exam covers core security principles such as Zero Trust, defense-in-depth, the shared responsibility model, encryption, and Governance Risk and Compliance (GRC) concepts, alongside practical knowledge of Microsoft-specific solutions like Microsoft Entra ID, Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Purview. Last updated in November 2025, the exam reflects the current Microsoft SCI product landscape including Microsoft Entra's role-based access control, Conditional Access, Privileged Identity Management, and Microsoft Purview's data classification and compliance management tools.
This is a Fundamentals-level credential, positioned as the entry point into Microsoft's security certification path. It bridges conceptual security knowledge with hands-on familiarity with Microsoft's identity, threat protection, and compliance platforms, making it particularly valuable for professionals operating in Microsoft-heavy environments. The certification does not expire and is awarded upon passing the single required exam.
SC-900 is designed for a broad audience that includes business stakeholders, students, and new or experienced IT professionals who want to demonstrate baseline fluency in security, compliance, and identity concepts. It is especially relevant for those in roles such as IT administrator, compliance officer, business analyst, or junior security analyst who work within organizations using Microsoft Azure and Microsoft 365 but do not yet hold a specialized security role.
The exam is also well-suited for professionals transitioning into cybersecurity or cloud security from adjacent IT disciplines, as it provides foundational grounding before pursuing role-based certifications like SC-200 (Security Operations Analyst), SC-300 (Identity and Access Administrator), or SC-400 (Information Protection and Compliance Administrator). Students in IT or cybersecurity programs use it as an early credential to signal cloud security awareness to employers.
There are no formal prerequisites to register for SC-900. However, Microsoft recommends that candidates have a general familiarity with Microsoft Azure and Microsoft 365 before attempting the exam, as many questions reference services and features within those platforms. No prior security, compliance, or identity experience is required — the exam is explicitly designed to be accessible to those new to these domains.
In practical terms, candidates benefit most from having completed the free Microsoft Learn learning path 'Introduction to security, compliance, and identity concepts' (SC-900T00 course content) and from some exposure to navigating the Azure portal and Microsoft 365 admin center. Candidates with a basic understanding of networking concepts, cloud service models (IaaS, PaaS, SaaS), and general IT terminology will find the material easier to absorb.
SC-900 is a single exam delivered through Pearson VUE (for general candidates) or Certiport (for students and educators). The exam is proctored and may be taken online or at a testing center. Candidates are given 45 minutes to complete the assessment. The exam may include interactive components in addition to traditional question types such as multiple choice and multi-select. A scaled score of 700 out of 1000 is required to pass.
The exam is available in 13 languages including English, Japanese, Chinese (Simplified and Traditional), Korean, French, Spanish, Portuguese (Brazil), Russian, Arabic (Saudi Arabia), Indonesian, German, and Italian. Candidates taking a localized version that lags behind the current English version may request an additional 30 minutes. If a candidate fails the exam, they may retake it after 24 hours; subsequent retake waiting periods vary per Microsoft's retake policy. Microsoft strongly recommends registering with a personal MSA account rather than a work or school account to ensure certification records are retained.
SC-900 serves as a recognized entry credential in Microsoft's security certification path and provides a foundation for advancing to role-based certifications such as SC-200 (Security Operations Analyst), SC-300 (Identity and Access Administrator), and SC-400 (Information Protection and Compliance Administrator). It is particularly valued in organizations heavily invested in Microsoft 365 and Azure, where demonstrating fluency in Microsoft's security and compliance toolset — including Microsoft Sentinel, Defender XDR, and Microsoft Purview — is directly applicable to day-to-day job functions. The certification is relevant to roles including IT administrator, compliance officer, cloud security analyst, and junior security engineer.
From a compensation perspective, entry-level cybersecurity roles requiring foundational cloud and security knowledge carry salaries in the $72,000–$92,000 range, with the higher end reflecting combined cloud and security skills. The SC-900 is frequently paired with AZ-900 (Azure Fundamentals) or CompTIA Security+ to round out a candidate's credential profile — SC-900 demonstrates Microsoft-specific knowledge while Security+ provides broader vendor-neutral recognition. The cybersecurity market continues to expand, with significant demand for professionals who can navigate Microsoft's integrated security ecosystem across identity, threat protection, and compliance.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 230 questions.
Preview — answers shown1. AuditSolutions Corp needs comprehensive logging and monitoring of user activities, administrative actions, and data access across their Microsoft 365 environment for security monitoring and compliance reporting. What capability provides this extensive audit trail functionality?
Explanation
Microsoft Purview audit solutions provide comprehensive audit logging across Microsoft 365 services including user activities, administrative actions, data access, and security events with long-term retention and advanced search capabilities. Basic event logging provides limited data, simple access logs lack comprehensive coverage, and network monitoring focuses on traffic rather than user and administrative activities across cloud services.
2. A company is hit with a large-scale, volumetric Distributed Denial of Service (DDoS) attack that is overwhelming their public-facing web servers with traffic, making them unavailable to legitimate customers. They have subscribed to the Azure DDoS Protection Standard plan. What is a key benefit of the Standard plan over the free Basic plan during this attack?
Explanation
The Standard tier of DDoS Protection offers advanced features and insights. Why this is correct: While both Basic and Standard plans protect against common network-layer DDoS attacks, the Standard plan provides significant added value. This includes near real-time telemetry, which you can view through Azure Monitor, detailed post-attack mitigation reports, and access to the DDoS Rapid Response team for help during an attack. These analytics are crucial for understanding the attack vector and improving your defenses. Why others are incorrect: Both plans protect public IP addresses on Azure resources. The Basic plan absolutely does mitigate attacks, it just lacks the advanced features of Standard. Blocking traffic by country is a feature of a Web Application Firewall (WAF), not DDoS Protection.
3. At 'Global Logistics Inc.', a new junior analyst successfully signs into the company's internal portal. The system has confirmed their identity. The next step for the system is to check what this specific analyst is allowed to do: for example, can they only view shipping manifests, or are they also permitted to approve new shipping routes? Which security concept is responsible for defining this level of access?
Explanation
Authorization is the process of determining what an authenticated user is permitted to do. Why this is correct: Authorization happens after authentication. Once the system knows who you are, authorization policies define your permissions, such as read, write, or delete access to specific resources like files or applications. It answers the question, What is this user allowed to do?. Why others are incorrect: Authentication is the process of proving you are who you say you are, like with a password. Auditing is the process of logging and reviewing actions for security and compliance. Administration involves managing user accounts and their settings.
4. The security team at 'InnovaTech' has discovered that many employees are using an unsanctioned, high-risk file-sharing web application. Using Microsoft Defender for Cloud Apps, they want to prevent users from being able to upload files to this specific application, while still allowing them to use other, sanctioned cloud apps. What action can they take within Defender for Cloud Apps?
Explanation
Defender for Cloud Apps, as a CASB, can not only discover apps but also enforce controls over them. Why this is correct: In Defender for Cloud Apps, you can maintain a catalog of discovered applications and tag them as 'Sanctioned' or 'Unsanctioned'. By marking the risky file-sharing app as 'Unsanctioned', you can then create an access or session policy that integrates with Microsoft Defender for Endpoint or other network proxies to block access to that specific application, thereby enforcing corporate policy. Why others are incorrect: Marking it as 'Sanctioned' would do the opposite. An alert-only policy would not block it. Sensitivity labels apply to data, not to controlling access to applications.
5. DataClassification Corp needs to automatically identify and categorize sensitive information like credit card numbers, social security numbers, and medical records across their Microsoft 365 environment. What capability enables this automatic sensitive data identification?
Explanation
Data classification capabilities in Microsoft Purview automatically identify and categorize sensitive information using built-in and custom sensitive information types, trainable classifiers, and exact data match. This enables automatic discovery of sensitive data across the environment. Manual labeling requires human intervention, basic file organization doesn't identify content, and folder structures only provide organizational hierarchy without content analysis.
No. Microsoft Fundamentals certifications, including SC-900, do not expire and require no renewal.
No, it is one of the easier Microsoft exams. It is a beginner, concept-focused exam with describe-style objectives and no hands-on configuration.
SC-900 costs USD $99 in the United States. The price varies by the country or region where you take the exam.
You need 700 on a scale of 100 to 1000.
You get 45 minutes. Microsoft does not publish a fixed count, but it is typically around 40 to 60 questions.
Yes. It is an official beginner-level Fundamentals exam with no prerequisites, aimed at business stakeholders, new or existing IT professionals, and students.
Security, compliance, and identity concepts (10-15%), Microsoft Entra capabilities (25-30%), Microsoft security solutions (35-40%), and Microsoft compliance solutions (20-25%).
Most candidates spend about 2 to 4 weeks part-time using Microsoft free learning paths. This is a typical estimate, not an official figure.
Microsoft Dynamics 365 Supply Chain Management Functional Consultant Expert (MB-335)
MB-335 · 2039 questions
Microsoft Dynamics 365 Business Central Functional Consultant (MB-800)
MB-800 · 1899 questions
Microsoft Certified: Azure AI Engineer Associate (AI-102)
AI-102 · 1392 questions
Microsoft Certified: Windows Server Hybrid Administrator Associate (AZ-801)
AZ-801 · 1376 questions
Microsoft Dynamics 365 Finance Functional Consultant (MB-310)
MB-310 · 1299 questions
Microsoft 365 Certified: Fundamentals (MS-900)
MS-900 · 1201 questions
$17.99
One-time access to this exam