Study guide for Exam SC-900: Microsoft Security, Compliance, and Identity Fundamentals
Purpose of this document
This study guide should help you understand what to expect on the exam
and includes a summary of the topics the exam might cover and links to
additional resources. The information and materials in this document
should help you focus your studies as you prepare for the exam.
Test your skills with practice questions to help you prepare for the exam.
Updates to the exam
Our exams are updated periodically to reflect skills that are required
to perform a role. We have included two versions of the Skills Measured
objectives depending on when you are taking the exam.
We always update the English language version of the exam first. Some
exams are localized into other languages, and those are updated
approximately eight weeks after the English version is updated. While
Microsoft makes every effort to update localized versions as noted,
there may be times when the localized versions of an exam are not
updated on this schedule. Other available languages are listed in the
Schedule Exam section of the Exam Details webpage. If the exam
isn't available in your preferred language, you can request an
additional 30 minutes to complete the exam.
Note
The bullets that follow each of the skills measured are intended to
illustrate how we are assessing that skill. Related topics may be
covered in the exam.
Note
Most questions cover features that are generally available (GA). The
exam may contain questions on Preview features if those features are
commonly used.
Skills measured as of July 26, 2024
Audience profile
This exam is targeted to you if you’re looking to familiarize yourself
with the fundamentals of security, compliance, and identity (SCI) across
cloud-based and related Microsoft services.
If you have an interest in Microsoft SCI solutions, this exam is for
you, whether you’re a:
- Business stakeholder
- New or existing IT professional
- Student
You should be familiar with Microsoft Azure and Microsoft 365 and want
to understand how Microsoft SCI solutions can span across these solution
areas to provide a holistic and end-to-end solution.
Skills at a glance
- Describe the concepts of security, compliance, and identity (10–15%)
- Describe the capabilities of Microsoft Entra (25–30%)
- Describe the capabilities of Microsoft security solutions (35–40%)
- Describe the capabilities of Microsoft compliance solutions (20–25%)
Describe the concepts of security, compliance, and identity (10–15%)
Describe security and compliance concepts
- Describe the shared responsibility model
- Describe defense-in-depth
- Describe the Zero Trust model
- Describe encryption and hashing
- Describe Governance, Risk, and Compliance (GRC) concepts
Define identity concepts
- Define identity as the primary security perimeter
- Define authentication
- Define authorization
- Describe identity providers
- Describe the concept of directory services and Active Directory
- Describe the concept of federation
Describe the capabilities of Microsoft Entra (25–30%)
Describe function and identity types of Microsoft Entra ID
- Describe Microsoft Entra ID
- Describe types of identities
- Describe hybrid identity
Describe authentication capabilities of Microsoft Entra ID
- Describe the authentication methods
- Describe multi-factor authentication (MFA)
- Describe password protection and management capabilities
Describe access management capabilities of Microsoft Entra ID
- Describe Conditional Access
- Describe Microsoft Entra roles and role-based access control (RBAC)
Describe identity protection and governance capabilities of Microsoft Entra
- Describe Microsoft Entra ID Governance
- Describe access reviews
- Describe the capabilities of Microsoft Entra Privileged Identity Management
- Describe Microsoft Entra ID Protection
- Describe Microsoft Entra Permissions Management
Describe the capabilities of Microsoft security solutions (35–40%)
Describe core infrastructure security services in Azure
- Describe network segmentation with Azure virtual networks
- Describe network security groups (NSGs)
- Describe Azure Bastion
- Describe Azure Key Vault
Describe security management capabilities of Azure
- Describe Microsoft Defender for Cloud
- Describe Cloud Security Posture Management (CSPM)
- Describe how security policies and initiatives improve the cloud security posture
- Describe enhanced security features provided by cloud workload protection
Describe capabilities of Microsoft Sentinel
- Define the concepts of security information and event management (SIEM) and security orchestration automated response (SOAR)
- Describe threat detection and mitigation capabilities in Microsoft Sentinel
Describe threat protection with Microsoft Defender XDR
- Describe Microsoft Defender XDR services
- Describe Microsoft Defender for Office 365
- Describe Microsoft Defender for Endpoint
- Describe Microsoft Defender for Cloud Apps
- Describe Microsoft Defender for Identity
- Describe Microsoft Defender Vulnerability Management
- Describe Microsoft Defender Threat Intelligence (Defender TI)
- Describe the Microsoft Defender portal
Describe the capabilities of Microsoft compliance solutions (20–25%)
Describe Microsoft Service Trust Portal and privacy principles
- Describe the Service Trust Portal offerings
- Describe the privacy principles of Microsoft
- Describe Microsoft Priva
Describe compliance management capabilities of Microsoft Purview
- Describe the Microsoft Purview compliance portal
- Describe Compliance Manager
- Describe the uses and benefits of compliance score
Describe information protection, data lifecycle management, and data governance capabilities of Microsoft Purview
- Describe the data classification capabilities
- Describe the benefits of Content explorer and Activity explorer
- Describe sensitivity labels and sensitivity label policies
- Describe data loss prevention (DLP)
- Describe records management
- Describe retention policies, retention labels, and retention label policies
- Describe unified data governance solutions in Microsoft Purview
Describe insider risk, eDiscovery, and audit capabilities in Microsoft Purview
- Describe insider risk management
- Describe eDiscovery solutions in Microsoft Purview
- Describe audit solutions in Microsoft Purview
Study resources
We recommend that you train and get hands-on experience before you take
the exam. We offer self-study options and classroom training as well as
links to documentation, community sites, and videos.
Key to understanding the table: The topic groups (also known as
functional groups) are in bold typeface followed by the objectives
within each group. The table is a comparison between the two versions of
the exam skills measured and the third column describes the extent of
the changes.
| Skill area prior to July 26, 2024 | Skill area as of July 26, 2024 | Change |
|---|---|---|
| Audience profile | | No change |
| Describe the concepts of security, compliance, and identity | Describe the concepts of security, compliance, and identity | No change |
| Describe security and compliance concepts | Describe security and compliance concepts | No change |
| Define identity concepts | Define identity concepts | No change |
| Describe the capabilities of Microsoft Entra | Describe the capabilities of Microsoft Entra | No change |
| Describe function and identity types of Microsoft Entra ID | Describe function and identity types of Microsoft Entra ID | No change |
| Describe authentication capabilities of Microsoft Entra ID | Describe authentication capabilities of Microsoft Entra ID | No change |
| Describe access management capabilities of Microsoft Entra ID | Describe access management capabilities of Microsoft Entra ID | No change |
| Describe identity protection and governance capabilities of Microsoft Entra | Describe identity protection and governance capabilities of Microsoft Entra | Minor |
| Describe the capabilities of Microsoft security solutions | Describe the capabilities of Microsoft security solutions | No change |
| Describe core infrastructure security services in Azure | Describe core infrastructure security services in Azure | No change |
| Describe security management capabilities of Azure | Describe security management capabilities of Azure | No change |
| Describe capabilities of Microsoft Sentinel | Describe capabilities of Microsoft Sentinel | No change |
| Describe threat protection with Microsoft Defender XDR | Describe threat protection with Microsoft Defender XDR | No change |
| Describe the capabilities of Microsoft compliance solutions | Describe the capabilities of Microsoft compliance solutions | No change |
| Describe Microsoft Service Trust Portal and privacy principles | Describe Microsoft Service Trust Portal and privacy principles | No change |
| Describe compliance management capabilities of Microsoft Purview | Describe compliance management capabilities of Microsoft Purview | No change |
| Describe information protection, data lifecycle management, and data governance capabilities in Microsoft Purview | Describe information protection, data lifecycle management, and data governance capabilities in Microsoft Purview | No change |
| Describe insider risk, eDiscovery, and audit capabilities in Microsoft Purview | Describe insider risk, eDiscovery, and audit capabilities in Microsoft Purview | No change |
Skills measured prior to July 26, 2024
Audience profile
This exam is targeted to you if you’re looking to familiarize yourself
with the fundamentals of security, compliance, and identity (SCI) across
cloud-based and related Microsoft services.
If you have an interest in Microsoft SCI solutions, this exam is for
you, whether you’re a:
- Business stakeholder
- New or existing IT professional
- Student
You should be familiar with Microsoft Azure and Microsoft 365 and want
to understand how Microsoft SCI solutions can span across these solution
areas to provide a holistic and end-to-end solution.
Skills at a glance
- Describe the concepts of security, compliance, and identity (10–15%)
- Describe the capabilities of Microsoft Entra (25–30%)
- Describe the capabilities of Microsoft security solutions (35–40%)
- Describe the capabilities of Microsoft compliance solutions (20–25%)
Describe the concepts of security, compliance, and identity (10–15%)
Describe security and compliance concepts
- Describe the shared responsibility model
- Describe defense-in-depth
- Describe the Zero Trust model
- Describe encryption and hashing
- Describe Governance, Risk, and Compliance (GRC) concepts
Define identity concepts
- Define identity as the primary security perimeter
- Define authentication
- Define authorization
- Describe identity providers
- Describe the concept of directory services and Active Directory
- Describe the concept of federation
Describe the capabilities of Microsoft Entra (25–30%)
Describe function and identity types of Microsoft Entra ID
- Describe Microsoft Entra ID
- Describe types of identities
- Describe hybrid identity
Describe authentication capabilities of Microsoft Entra ID
- Describe the authentication methods
- Describe multi-factor authentication (MFA)
- Describe password protection and management capabilities
Describe access management capabilities of Microsoft Entra ID
- Describe Conditional Access
- Describe Microsoft Entra roles and role-based access control (RBAC)
Describe identity protection and governance capabilities of Microsoft Entra
- Describe Microsoft Entra ID Governance
- Describe access reviews
- Describe the capabilities of Microsoft Entra Privileged Identity Management
- Describe Entra ID Protection
- Describe Microsoft Entra Permissions Management
Describe the capabilities of Microsoft security solutions (35–40%)
Describe core infrastructure security services in Azure