Security Compliance Identity Fundamentals
Coming Soon
Expected availability announced soon

This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.

SC-900 | Microsoft Azure | Foundational | Coming Soon

The Microsoft Security, Compliance, and Identity Fundamentals (SC-900) certification validates foundational knowledge of Microsoft security, compliance, and identity services across the Microsoft cloud ecosystem. The exam covers essential security concepts including Zero Trust, defense-in-depth, and the shared responsibility model; Microsoft Entra ID authentication, access management, and identity governance; Microsoft security solutions including Defender for Cloud, Microsoft Sentinel, Defender XDR, and endpoint management with Intune; and Microsoft Purview compliance capabilities including Information Protection, Data Loss Prevention, eDiscovery, and Compliance Manager. SC-900 is the ideal starting point for non-technical professionals, business stakeholders, and IT generalists seeking foundational security literacy in the Microsoft platform.

  • 60 Minutes
  • 50 Questions
  • 700/1000 Passing Score
  • $99 Exam Cost
  • 10 Languages

Who Should Take This

SC-900 is designed for learners who are new to security, compliance, and identity, including business stakeholders, compliance officers, IT support professionals, and students beginning a cloud career. No hands-on technical experience is required. The exam provides a recognized baseline credential and a foundation for the SC-200, SC-300, SC-400, or AZ-500 associate certifications.

What's Covered

1. Foundational security concepts including Zero Trust model, defense-in-depth, shared responsibility model, common cyberthreat types, encryption and hashing, and basic compliance and identity concepts.
2. Microsoft Entra ID identity types, authentication methods including MFA and passwordless, Conditional Access, Identity Protection, entitlement management, access reviews, Privileged Identity Management, and Permissions Management.
3. Azure infrastructure security including DDoS Protection, Azure Firewall, WAF, NSGs, Bastion; Microsoft Defender for Cloud; Microsoft Sentinel SIEM/SOAR; Microsoft Defender XDR workloads; and Microsoft Intune endpoint management.
4. Microsoft Purview compliance portal, Compliance Manager, Information Protection sensitivity labels, Data Loss Prevention, Data Lifecycle Management, Insider Risk Management, Communication Compliance, eDiscovery, and Audit capabilities.

Exam Structure

Question Types

  • Multiple Choice
  • Multiple Response
  • Drag-And-Drop

Scoring Method

Scaled score 100-1000, passing score 700

Delivery Method

Proctored exam, 40-60 questions, 60 minutes

Recertification

Fundamentals certifications do not expire

What's Included in AccelaStudy® AI

Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
13 Activity Formats

Course Outline

Domain 1: Describe the Concepts of Security, Compliance, and Identity
3 topics

Describe basic security concepts

  • Describe the Zero Trust model and its guiding principles of verify explicitly, use least privilege access, and assume breach and explain how it differs from perimeter-based security in modern cloud environments.
  • Describe defense-in-depth and identify the security layers including physical, identity, perimeter, network, compute, application, and data and explain how layered controls reduce the risk of a single point of failure.
  • Describe the shared responsibility model and explain how responsibility for security is divided between Microsoft and the customer across IaaS, PaaS, and SaaS service deployment models.
  • Identify common cyberthreat types including phishing, ransomware, identity theft, denial-of-service attacks, and supply chain attacks and describe their attack vectors and potential business impact.
  • Describe encryption and hashing concepts including symmetric encryption, asymmetric encryption, digital signatures, certificates, and TLS and explain how each protects data in transit and at rest.
  • Apply the Zero Trust principle of least privilege access to a given scenario and determine which combination of identity verification, device compliance, and data protection controls aligns with Zero Trust objectives.

Describe compliance concepts

  • Describe data residency and data sovereignty concepts and explain how regulatory requirements for where data is stored and processed affect cloud deployment decisions in regulated industries.
  • Identify common compliance frameworks and regulations including GDPR, HIPAA, ISO 27001, SOC 2, and NIST and describe what types of data or organizations they govern.
  • Describe the Microsoft Privacy Principles and explain how Microsoft's commitments to privacy, control, transparency, security, and legal protection inform the design of Microsoft cloud services.

Describe identity concepts

  • Describe authentication and authorization and explain the difference between verifying who a user is (authentication) and determining what they are allowed to do (authorization) in identity security.
  • Describe the concept of identity as the primary security perimeter and explain how user identities, device identities, and service identities replace the network perimeter in Zero Trust architectures.
  • Describe federated identity and single sign-on and explain how they allow users to authenticate once with a trusted identity provider and access multiple applications without re-entering credentials.

Domain 2: Describe the Capabilities of Microsoft Entra
4 topics

Describe function and identity types in Microsoft Entra ID

  • Describe Microsoft Entra ID and explain how it provides cloud-based identity and access management services including authentication, authorization, single sign-on, and application management for Microsoft and third-party applications.
  • Identify Microsoft Entra ID identity types including users, service principals, managed identities, and devices and describe how each type provides distinct identity and access capabilities for people, applications, and resources.
  • Describe external identities in Microsoft Entra including B2B collaboration and Azure AD B2C and explain how they enable secure access for partner users and external customers without requiring separate account creation.
  • Describe the concept of hybrid identity and explain how Microsoft Entra Connect synchronizes on-premises Active Directory identities to Microsoft Entra ID to enable single sign-on across cloud and on-premises resources.
  • Apply knowledge of Microsoft Entra ID identity types to identify the appropriate identity type for a given scenario including human users, automation scripts, Azure resources, and external partners.

Describe authentication capabilities of Microsoft Entra ID

  • Describe multi-factor authentication and identify the three authentication factor categories of something you know, something you have, and something you are and explain how combining factors strengthens identity verification.
  • Describe passwordless authentication methods in Microsoft Entra including FIDO2 security keys, Windows Hello for Business, and Microsoft Authenticator and explain how they eliminate password-related attack surfaces.
  • Describe Microsoft Entra self-service password reset and explain how it allows users to reset passwords without IT helpdesk intervention using registered authentication methods including phone, email, and authenticator app.
  • Describe Microsoft Entra password protection and explain how it detects and blocks weak passwords, banned password lists, and custom banned terms to improve password strength across cloud and on-premises environments.
  • Apply knowledge of Microsoft Entra authentication methods to determine which method is most appropriate for a given scenario requiring phishing resistance, user convenience, or compliance with government identity standards.

Describe access management capabilities of Microsoft Entra

  • Describe Microsoft Entra Conditional Access and explain how it evaluates signals including user, location, device, application, and real-time risk to enforce dynamic access decisions before granting access.
  • Describe Microsoft Entra roles and role-based access control and explain how built-in and custom roles implement least privilege access to Microsoft Entra ID administrative functions.
  • Describe Microsoft Entra Identity Protection and explain how it automatically detects compromised user accounts and risky sign-ins using machine learning and behavioral analytics to trigger remediation.
  • Apply knowledge of Conditional Access and Identity Protection to describe how they work together to enforce risk-based access controls that automatically require additional verification or block access for compromised identities.

Describe identity governance capabilities of Microsoft Entra

  • Describe Microsoft Entra entitlement management and explain how access packages, catalogs, and approval workflows automate access request, assignment, and expiration for groups, applications, and SharePoint sites.
  • Describe Microsoft Entra access reviews and explain how they enable periodic validation of user access to groups, applications, and privileged roles to ensure only appropriate access is retained over time.
  • Describe Microsoft Entra Privileged Identity Management and explain how just-in-time activation, time-bound role assignments, and approval workflows reduce persistent privileged access and the risk of privilege abuse.
  • Describe Microsoft Entra Permissions Management and explain how it provides cross-cloud visibility into permissions granted versus permissions used to help organizations right-size access in AWS, Azure, and GCP environments.
  • Apply knowledge of Microsoft Entra governance capabilities to describe how access reviews, PIM, and entitlement management work together to enforce a least-privilege access lifecycle for a given governance scenario.

Domain 3: Describe the Capabilities of Microsoft Security Solutions
5 topics

Describe core infrastructure security capabilities in Azure

  • Describe Azure DDoS Protection and explain how it defends Azure resources from distributed denial-of-service attacks using traffic profiling, adaptive tuning, and real-time telemetry to absorb volumetric attacks.
  • Describe Azure Firewall and explain how it provides stateful, managed network security with threat intelligence-based filtering, FQDN rules, and DNAT capabilities to protect Azure virtual network resources.
  • Describe Web Application Firewall and explain how it provides centralized protection for web applications against common exploits including SQL injection and cross-site scripting through OWASP rule sets.
  • Describe Azure network security groups and explain how inbound and outbound rules filter network traffic between Azure resources using source and destination IP, port, and protocol matching.
  • Describe Azure Bastion and explain how it provides browser-based RDP and SSH access to virtual machines through the Azure portal without exposing management ports to the public internet.
  • Apply knowledge of Azure infrastructure security services to identify which Azure service addresses a specific network threat type or access control requirement in a given scenario.

Describe security management capabilities in Azure

  • Describe Microsoft Defender for Cloud and explain how it provides cloud security posture management, security recommendations, secure score, and threat protection across Azure, hybrid, and multi-cloud workloads.
  • Describe Microsoft Defender for Cloud secure score and explain how it quantifies security posture by converting security control compliance into a numeric score with actionable recommendations for improvement.
  • Describe Azure Key Vault and explain how it securely stores and controls access to secrets, encryption keys, and certificates to protect sensitive application configuration and cryptographic material.
  • Apply knowledge of Microsoft Defender for Cloud to describe how it identifies a specific type of security misconfiguration or exposed workload and what remediation action would improve secure score.

Describe security capabilities of Microsoft Sentinel

  • Describe SIEM and SOAR and explain how security information and event management collects and analyzes security data while security orchestration, automation, and response automates remediation workflows.
  • Describe Microsoft Sentinel and explain how it provides cloud-native SIEM and SOAR capabilities including data connectors, analytics rules, incidents, workbooks, and playbooks for unified security operations.
  • Apply knowledge of Microsoft Sentinel capabilities to describe how a security operations team would use data connectors, analytics rules, and playbooks together to detect a specific threat pattern and automate its response.

Describe threat protection capabilities with Microsoft Defender XDR

  • Describe Microsoft Defender XDR and explain how it correlates threat data across endpoints, email, applications, and identities into a unified security portal to provide extended detection and response capabilities.
  • Describe Microsoft Defender for Endpoint and explain how it provides endpoint detection and response including behavioral sensors, cloud-powered analytics, threat intelligence, and automated investigation for devices.
  • Describe Microsoft Defender for Office 365 and explain how it protects email, SharePoint, OneDrive, and Teams from phishing, malware, and business email compromise through safe links and attachments scanning.
  • Describe Microsoft Defender for Identity and explain how it monitors on-premises Active Directory signals to detect lateral movement, pass-the-hash, pass-the-ticket, and other identity-based attack techniques.
  • Describe Microsoft Defender for Cloud Apps and explain how it provides visibility into cloud app usage, data protection policies, threat detection, and session controls as a cloud access security broker.
  • Apply knowledge of Microsoft Defender XDR workloads to identify which Defender product would be most relevant for investigating a specific type of attack including endpoint intrusion, email phishing, identity compromise, or cloud app misuse.

Describe endpoint and device security with Microsoft Intune

  • Describe Microsoft Intune and explain how it provides mobile device management and mobile application management to enforce compliance policies, deploy apps, and configure security settings on managed endpoints.
  • Describe Microsoft Entra device registration and join options including Microsoft Entra registered, Microsoft Entra joined, and hybrid Microsoft Entra joined and explain how device identity enables Conditional Access device compliance checks.
  • Apply knowledge of Microsoft Intune and Microsoft Entra device management to describe how device compliance policies and Conditional Access work together to block non-compliant devices from accessing corporate resources.

Domain 4: Describe the Capabilities of Microsoft Compliance Solutions
3 topics

Describe Microsoft Purview compliance management capabilities

  • Describe the Microsoft Purview compliance portal and explain how it provides a unified compliance management interface for data protection, compliance assessments, eDiscovery, and information governance in Microsoft 365.
  • Describe Microsoft Purview Compliance Manager and explain how it provides compliance assessments, improvement actions, and compliance scores to help organizations meet regulatory requirements including GDPR, ISO 27001, and HIPAA.
  • Apply knowledge of Microsoft Purview Compliance Manager to describe how improvement actions and compliance scores would guide an organization's prioritization of compliance work for a specific regulation.

Describe information protection and data lifecycle management in Microsoft Purview

  • Describe Microsoft Purview Information Protection and explain how sensitivity labels classify and protect documents, emails, and files by applying encryption, access restrictions, and visual markings to sensitive content.
  • Describe Microsoft Purview Data Loss Prevention and explain how DLP policies detect and prevent accidental or malicious sharing of sensitive information including credit card numbers, health records, and PII across Microsoft 365 and endpoints.
  • Describe Microsoft Purview Data Lifecycle Management and explain how retention policies and retention labels automatically retain or delete content based on time-based rules to satisfy legal hold and regulatory retention requirements.
  • Apply knowledge of Microsoft Purview information protection capabilities to describe how sensitivity labels and DLP policies work together to protect a specific category of sensitive data from unauthorized disclosure.

Describe insider risk, eDiscovery, and audit capabilities in Microsoft Purview

  • Describe Microsoft Purview Insider Risk Management and explain how it uses policy-based detection and workflow to identify and investigate potentially risky activities by users including data theft, security violations, and IP leakage.
  • Describe Microsoft Purview Communication Compliance and explain how it helps organizations monitor communications for regulatory compliance, code-of-conduct policy violations, and insider threat indicators in email and Teams.
  • Describe Microsoft Purview eDiscovery capabilities including Content Search, Core eDiscovery, and eDiscovery Premium and explain how they identify, hold, collect, and export electronic evidence for legal investigations.
  • Describe Microsoft Purview Audit capabilities including Standard Audit and Premium Audit and explain how audit logs capture user and admin activities across Microsoft 365 services for security investigations and compliance reporting.
  • Apply knowledge of Microsoft Purview eDiscovery and Audit to describe the steps an organization would take to collect and preserve electronic evidence for a given legal hold or regulatory investigation scenario.

Hands-On Labs

15 labs, ~168 min total, Console Simulator

Practice in a simulated cloud console or Python code sandbox — no account needed. Each lab runs entirely in your browser.

Certification Benefits

Salary Impact

$80,000
Average Salary

Related Job Roles

  • IT Support Specialist
  • Compliance Analyst
  • Security Awareness Specialist
  • Business Analyst

Industry Recognition

SC-900 provides foundational Microsoft security literacy recognized as a baseline credential for professionals entering cloud security and compliance roles, serving as a prerequisite stepping stone to associate-level SC certifications.

Scope

Included Topics

  • All domains in the Microsoft Security, Compliance, and Identity Fundamentals (SC-900) exam guide: Domain 1 Describe the concepts of security, compliance, and identity (~10-15%), Domain 2 Describe the capabilities of Microsoft Entra (~25-30%), Domain 3 Describe the capabilities of Microsoft security solutions (~35-40%), and Domain 4 Describe the capabilities of Microsoft compliance solutions (~20-25%).
  • Foundational knowledge of security principles including the Zero Trust model, defense-in-depth, the shared responsibility model, encryption, hashing, authentication versus authorization, common cyberthreat types, SIEM, SOAR, and XDR.
  • Foundational knowledge of compliance concepts including data residency, data sovereignty, privacy regulations, and Microsoft compliance framework fundamentals.
  • Microsoft Entra identity and access fundamentals including Microsoft Entra ID, authentication methods, MFA, self-service password reset, Conditional Access, role-based access control, identity governance, Privileged Identity Management, and Microsoft Entra Permissions Management.
  • Microsoft security solutions including Microsoft Defender for Cloud, Microsoft Defender XDR, Microsoft Defender for Office 365, Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, Microsoft Sentinel, Azure Firewall, Web Application Firewall, Azure DDoS Protection, Azure Network Security Groups, Microsoft Intune, and Microsoft Entra Internet Access.
  • Microsoft compliance solutions including Microsoft Purview compliance portal, Compliance Manager, eDiscovery, Content Search, Audit, Information Protection, Data Lifecycle Management, Insider Risk Management, Communication Compliance, Information Barriers, and Priva.

Not Covered

  • Deep implementation and configuration details expected only for associate-level certifications SC-300, AZ-500, SC-200, SC-400, and SC-100.
  • Hands-on PowerShell scripting, Azure CLI commands, SDK-level API integration, and advanced automation that is not tested at the fundamentals level.
  • Current Azure or Microsoft 365 service price points, promotional licensing bundles, and region-by-region pricing values that change over time.
  • Third-party security tooling, non-Microsoft SIEM platforms, competitor endpoint detection products, and open-source security frameworks not covered in the SC-900 exam guide.
  • Deep networking protocol internals, cryptographic algorithm implementation details, and hardware security module operations beyond conceptual understanding.

Trademark Notice

Microsoft and Azure are registered trademarks of Microsoft Corporation. Microsoft does not endorse this product.

AccelaStudy® and Renkara® are registered trademarks of Renkara Media Group, Inc. All third-party marks are the property of their respective owners and are used for nominative identification only.