SC-900 Study Guide: How to Pass Microsoft Security Fundamentals Step by Step

SC-900 Certification Roadmap for Beginners - Microsoft Security, Compliance, and Identity Fundamentals

Passing the SC-900 (Microsoft Security, Compliance, and Identity Fundamentals) is a realistic two-week goal for most candidates - if you study the right four domains in the right order. This guide gives you that exact roadmap: what the exam covers, how to build your study schedule, which free resources to use, and how to go from zero to 700/1000 passing score without wasting time on materials that miss the actual exam content.

SC-900 exam specs confirmed from Microsoft Learn's official study guide (updated November 7, 2025):

  • Exam Code: SC-900

  • Full Name: Microsoft Security, Compliance, and Identity Fundamentals

  • Questions: ~40-60 (varies per attempt)

  • Time Limit: 45 minutes

  • Passing Score: 700 / 1000

  • Exam Cost: ~$99 USD in the United States (Fundamentals-tier pricing; varies by country)

  • Difficulty: Beginner (Fundamentals tier)

  • Renewal: None required. Microsoft Fundamentals certifications do not expire; the annual free renewal assessment applies to role-based and specialty certifications, not to SC-900

  • Delivered By: Pearson VUE or Certiport (students/educators)

Step 1: Understand What the SC-900 Actually Tests

The SC-900 is Microsoft's entry-level security certification. It tests foundational knowledge - not hands-on configuration skills. You do not need to configure Azure Firewall or write Sentinel KQL queries to pass. You need to understand what each Microsoft security product does, when to use it, and how the concepts of Zero Trust, defense-in-depth, and shared responsibility apply.

According to the official SC-900 study guide, the exam is designed for business stakeholders, new IT professionals, and students who want to demonstrate foundational awareness of Microsoft's security, compliance, and identity (SCI) ecosystem.

The 4 Exam Domains and Their Weight

Domain | Weight | What It Covers

Security, Compliance, and Identity Concepts | 10-15% | Zero Trust, shared responsibility, defense-in-depth, encryption, GRC

Capabilities of Microsoft Entra | 25-30% | Entra ID, authentication, MFA, Conditional Access, RBAC, identity governance

Capabilities of Microsoft Security Solutions | 35-40% | Azure Firewall, DDoS, Defender XDR, Sentinel, Defender for Cloud

Capabilities of Microsoft Compliance Solutions | 20-25% | Microsoft Purview, Compliance Manager, DLP, insider risk, eDiscovery

The biggest insight here: Microsoft Security Solutions is 35-40% of the exam. Most candidates spend too much time on concepts (10-15%) and not enough time on Defender XDR, Microsoft Sentinel, and Defender for Cloud - the actual heavy-hitters.

Step 2: Build Your 2-Week Study Schedule

You do not need a paid course or bootcamp to pass SC-900. Microsoft provides all the learning content for free on Microsoft Learn, and the exam is genuinely passable with two focused weeks.

Week 1: Concepts + Microsoft Entra (35-45% of exam)

Day | Focus | Time | Resource

Day 1 | Zero Trust, shared responsibility, defense-in-depth | 60 min | Microsoft Learn SC-900 learning path

Day 2 | Encryption, hashing, GRC concepts | 45 min | Microsoft Learn + YouTube (John Savill)

Day 3 | Microsoft Entra ID, identity types, hybrid identity | 75 min | Microsoft Learn module

Day 4 | Authentication methods, MFA, password protection | 60 min | Microsoft Learn module

Day 5 | Conditional Access, RBAC, identity governance | 75 min | Microsoft Learn module

Day 6 | Privileged Identity Management, ID Protection | 60 min | Microsoft Learn module

Day 7 | Full Week 1 review + Microsoft official practice assessment | 90 min | Free at learn.microsoft.com

Week 2: Security Solutions + Compliance (55-65% of exam)

Day | Focus | Time | Resource

Day 8 | Azure DDoS, Firewall, WAF, NSGs, Key Vault | 75 min | Microsoft Learn module

Day 9 | Defender for Cloud, CSPM, cloud workload protection | 60 min | Microsoft Learn module

Day 10 | Microsoft Sentinel (SIEM/SOAR), threat detection | 75 min | Microsoft Learn module

Day 11 | Defender XDR suite (Endpoint, Office 365, Identity, Cloud Apps) | 90 min | Microsoft Learn module

Day 12 | Microsoft Purview: Compliance Manager, DLP, sensitivity labels | 75 min | Microsoft Learn module

Day 13 | Insider risk, eDiscovery, audit, Service Trust Portal | 60 min | Microsoft Learn module

Day 14 | Full mock exam + weak-area review | 2 hrs | EduSum SC-900 practice tests + free assessment

Pro Tip: Microsoft's free practice assessment at learn.microsoft.com is the single most representative free resource available. Take it at the end of Week 1 and again at the end of Week 2. Track your score improvement - if you are hitting 75%+ on the practice assessment, you are ready to schedule.

Step 3: Master Each Domain - What to Actually Study

Domain 1: Security, Compliance, and Identity Concepts (10-15%)

This is the shortest domain but sets up everything else. Know these cold:

  • Shared responsibility model - what Microsoft owns vs. what you own in IaaS, PaaS, SaaS

  • Zero Trust principles - verify explicitly, use least privilege, assume breach

  • Defense-in-depth - physical, identity, perimeter, network, compute, application, data layers

  • Encryption types - symmetric vs asymmetric, hashing (integrity), encryption at rest vs in transit

  • GRC - Governance, Risk, Compliance: what each means in an enterprise security context

Domain 2: Microsoft Entra (25-30%)

Microsoft Entra is the product family that groups Microsoft's identity and access services; Microsoft Entra ID is the new name for Azure Active Directory (Azure AD). Expect both names in older material. Know:

  • Entra ID - cloud identity provider, directory service, authentication hub

  • Authentication methods - passwords, FIDO2 keys, Microsoft Authenticator, Windows Hello

  • MFA - why it matters, how it reduces identity risk (99.9% of account attacks blocked per Microsoft Security research)

  • Conditional Access - policy-based access control: assignments (user, app, device, location, sign-in risk) decide whether a policy applies, and grant controls (block, require MFA, require compliant device) decide what happens; exclude emergency-access (break-glass) accounts and test new policies in report-only mode first

  • RBAC - role-based access control in Entra and Azure; built-in vs custom roles

  • Privileged Identity Management (PIM) - just-in-time access, approval workflows, audit logs

  • Entra ID Protection - detects sign-in risk and user risk; takes automated actions
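To make the Conditional Access bullet concrete, here is a small policy evaluator written for this guide. It is an added example, not Microsoft code and not something the exam asks you to write: it models the shape of a Conditional Access policy (assignments decide whether it applies, grant controls decide the outcome) and the combination rules Entra documents (every enabled policy that applies is evaluated, a block in any of them wins, otherwise all required controls must be satisfied, report-only policies are logged but never enforced). The account names, app names, named locations and the break-glass address are constructed sample data, and the function names are the example's own.

```python
"""Toy model of Microsoft Entra Conditional Access evaluation (added example, not Microsoft code).

Assignments (users, apps, locations, sign-in risk) decide whether a policy applies;
grant controls (block, or required controls such as MFA / compliant device) decide the
outcome. Combination rules mirror the product: all applying enabled policies count,
block beats everything, otherwise the union of required controls must be satisfied,
and report-only policies are evaluated but not enforced.
Every user, app and location below is constructed sample data.
"""
from dataclasses import dataclass, field

ALL = "All"


@dataclass
class Policy:
    name: str
    state: str = "enabled"                        # enabled | reportOnly | disabled
    include_users: set = field(default_factory=lambda: {ALL})
    exclude_users: set = field(default_factory=set)
    include_apps: set = field(default_factory=lambda: {ALL})
    include_locations: set = field(default_factory=lambda: {ALL})  # named locations
    exclude_locations: set = field(default_factory=set)
    sign_in_risk: set = field(default_factory=set)  # subset of {low, medium, high}; empty = any
    block: bool = False
    require: set = field(default_factory=set)       # subset of {mfa, compliantDevice}


@dataclass
class SignIn:
    user: str
    app: str
    location: str                 # named location the source IP resolved to
    risk: str = "none"            # sign-in risk from Entra ID Protection
    mfa_done: bool = False
    device_compliant: bool = False


def policy_applies(p: Policy, s: SignIn) -> bool:
    """Assignments: exclusions always win over inclusions, as in the real product."""
    if p.state == "disabled" or s.user in p.exclude_users or s.location in p.exclude_locations:
        return False
    if ALL not in p.include_users and s.user not in p.include_users:
        return False
    if ALL not in p.include_apps and s.app not in p.include_apps:
        return False
    if ALL not in p.include_locations and s.location not in p.include_locations:
        return False
    if p.sign_in_risk and s.risk not in p.sign_in_risk:
        return False
    return True


def control_satisfied(control: str, s: SignIn) -> bool:
    return {"mfa": s.mfa_done, "compliantDevice": s.device_compliant}[control]


def evaluate(policies, s: SignIn) -> dict:
    """Combine every applying policy into one decision: allow, challenge or block."""
    applying = [p for p in policies if policy_applies(p, s)]
    enforced = [p for p in applying if p.state == "enabled"]
    result = {
        "applied": [p.name for p in enforced],
        "reportOnly": [p.name for p in applying if p.state == "reportOnly"],
        "missing": [],
    }
    if any(p.block for p in enforced):           # block takes precedence over any grant
        result["decision"] = "block"
        return result
    required = set().union(*(p.require for p in enforced))
    result["missing"] = sorted(c for c in required if not control_satisfied(c, s))
    result["decision"] = "allow" if not result["missing"] else "challenge"
    return result


BREAK_GLASS = "bg-admin@contoso.example"   # constructed emergency-access account

# Constructed policy set: MFA for everyone, risk-based block, admin location lock, pilot in report-only.
POLICIES = [
    Policy("Require MFA for all users", exclude_users={BREAK_GLASS}, require={"mfa"}),
    Policy("Block high-risk sign-ins", exclude_users={BREAK_GLASS}, sign_in_risk={"high"}, block=True),
    Policy("Admins only from HQ", include_users={"alice.admin@contoso.example"},
           exclude_locations={"Corp-HQ"}, block=True),
    Policy("Compliant device for Exchange (pilot)", state="reportOnly",
           include_apps={"Exchange Online"}, require={"compliantDevice"}),
]

if __name__ == "__main__":
    samples = [
        SignIn("bob@contoso.example", "Teams", "Corp-HQ"),                                  # challenge: mfa
        SignIn("bob@contoso.example", "Exchange Online", "Corp-HQ", mfa_done=True),         # allow, pilot logged
        SignIn("alice.admin@contoso.example", "Azure portal", "Untrusted", mfa_done=True),  # block: location
        SignIn(BREAK_GLASS, "Azure portal", "Untrusted"),                                   # allow: excluded
        SignIn("bob@contoso.example", "Teams", "Corp-HQ", risk="high", mfa_done=True),      # block: risk
    ]
    for s in samples:
        print(f"{s.user} -> {s.app} from {s.location}: {evaluate(POLICIES, s)}")
```

The two cases worth remembering for the exam are the last three: the admin is blocked even though MFA was completed, because a block in any applying policy wins; the break-glass account is untouched because exclusions beat the "All users" inclusion; and a high-risk sign-in is blocked by the risk policy regardless of the MFA policy being satisfied.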

Domain 3: Microsoft Security Solutions (35-40% - highest weight)

This domain covers Azure infrastructure security and Microsoft's security products. Prioritize:

  • Azure DDoS Protection - free infrastructure-level protection on every public IP (formerly called Basic) vs the paid DDoS Network Protection and DDoS IP Protection tiers (formerly Standard) with always-on monitoring, adaptive tuning and attack analytics

  • Azure Firewall - stateful, managed, FQDN filtering; NOT the same as NSGs

  • Network Security Groups (NSGs) - layer 3/4 rules on subnets and NICs

  • Azure Key Vault - secrets, keys, certificates management; HSM-backed options

  • Defender for Cloud - cloud security posture management (CSPM) plus workload protection for VMs, containers, databases and storage across Azure, AWS and GCP; know the secure score concept

  • Microsoft Sentinel - SIEM (log collection, analysis) + SOAR (automated response)

  • Defender XDR - extended detection and response across endpoints, email, identity, cloud apps

What SC-900 tests here is the integration story: Defender XDR correlates signals from endpoints (Defender for Endpoint), email and collaboration (Defender for Office 365), on-premises identity (Defender for Identity) and SaaS usage (Defender for Cloud Apps) into a single incident, and Microsoft Sentinel ingests those incidents alongside logs from non-Microsoft sources. Expect questions that describe a signal and ask which product sees it first.
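The Sentinel bullet above says "SIEM (log collection, analysis)"; the following shows what that analysis looks like in practice. It is an added example for this guide, not Microsoft's code and not exam material: in Sentinel these two detections would be KQL analytics rules over the SigninLogs table, and the Python here reimplements the same logic offline over constructed records so you can see what the rule is reasoning about. Column names follow SigninLogs (TimeGenerated, UserPrincipalName, IPAddress, ResultType); ResultType 0 is a successful sign-in and 50126 is "invalid username or password". The users, IP addresses and timestamps are made up, and the function names and thresholds are the example's own choices.

```python
"""Toy SIEM analytics over constructed sign-in records (added example, not Microsoft code).

Two classic Microsoft Sentinel-style rules over SigninLogs-shaped data:
  - BruteForceThenSuccess: many failures for one (user, IP) pair, then a success
  - PasswordSpray: one IP failing against many distinct accounts in a short window
Real rules are KQL over the SigninLogs table; this reimplements the logic offline.
The toy treats any non-zero ResultType as a failure; a production rule would
filter to specific codes (e.g. 50126) so MFA interrupts are not counted.
All records below are constructed sample data.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 brute-forces bob and gets in; 203.0.113.7 sprays five
# accounts once each; carol mistypes her password once from her own address.
SAMPLE_SIGNINLOGS = """TimeGenerated,UserPrincipalName,IPAddress,ResultType,AppDisplayName
2025-01-10T09:00:00Z,bob@contoso.example,10.0.0.5,50126,Office 365 Exchange Online
2025-01-10T09:00:20Z,bob@contoso.example,10.0.0.5,50126,Office 365 Exchange Online
2025-01-10T09:00:45Z,bob@contoso.example,10.0.0.5,50126,Office 365 Exchange Online
2025-01-10T09:01:10Z,bob@contoso.example,10.0.0.5,50126,Office 365 Exchange Online
2025-01-10T09:01:40Z,bob@contoso.example,10.0.0.5,50126,Office 365 Exchange Online
2025-01-10T09:03:00Z,bob@contoso.example,10.0.0.5,0,Office 365 Exchange Online
2025-01-10T10:00:00Z,alice@contoso.example,203.0.113.7,50126,Microsoft Teams
2025-01-10T10:00:05Z,carol@contoso.example,203.0.113.7,50126,Microsoft Teams
2025-01-10T10:00:10Z,dave@contoso.example,203.0.113.7,50126,Microsoft Teams
2025-01-10T10:00:15Z,erin@contoso.example,203.0.113.7,50126,Microsoft Teams
2025-01-10T10:00:20Z,frank@contoso.example,203.0.113.7,50126,Microsoft Teams
2025-01-10T11:00:00Z,carol@contoso.example,192.0.2.44,50126,Microsoft Teams
2025-01-10T11:00:30Z,carol@contoso.example,192.0.2.44,0,Microsoft Teams
"""


def parse_signin_logs(text: str) -> list:
    """Parse CSV rows into dicts with a datetime TimeGenerated, sorted oldest first."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["TimeGenerated"] = datetime.strptime(r["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")
        r["ResultType"] = int(r["ResultType"])
        rows.append(r)
    return sorted(rows, key=lambda r: r["TimeGenerated"])


def brute_force_then_success(rows, threshold=5, window=timedelta(minutes=10)) -> list:
    """Alert when a (user, IP) pair has >= threshold failures inside `window` before a success."""
    failures = defaultdict(list)   # (user, ip) -> timestamps of failed sign-ins
    alerts = []
    for r in rows:
        key = (r["UserPrincipalName"], r["IPAddress"])
        t = r["TimeGenerated"]
        if r["ResultType"] != 0:
            failures[key].append(t)
            continue
        recent = [f for f in failures[key] if t - f <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "BruteForceThenSuccess", "user": key[0], "ip": key[1],
                           "failures": len(recent), "success_at": t.isoformat()})
    return alerts


def password_spray(rows, min_users=5, window=timedelta(minutes=10)) -> list:
    """Alert (once per IP) when one IP fails against >= min_users distinct accounts inside `window`."""
    by_ip = defaultdict(list)
    for r in rows:
        if r["ResultType"] != 0:
            by_ip[r["IPAddress"]].append(r)   # rows are time-ordered, so each list is too
    alerts = []
    for ip, evs in by_ip.items():
        for i, e in enumerate(evs):
            users = {x["UserPrincipalName"] for x in evs[: i + 1]
                     if e["TimeGenerated"] - x["TimeGenerated"] <= window}
            if len(users) >= min_users:
                alerts.append({"rule": "PasswordSpray", "ip": ip, "distinct_users": len(users),
                               "window_end": e["TimeGenerated"].isoformat()})
                break
    return alerts


def run_detections(text: str = SAMPLE_SIGNINLOGS) -> dict:
    rows = parse_signin_logs(text)
    return {"bruteForce": brute_force_then_success(rows), "spray": password_spray(rows)}


if __name__ == "__main__":
    for rule, found in run_detections().items():
        print(rule, found)
```

Note what each rule keys on: the brute-force rule groups by user and IP and only fires on the success, which is the event a SOC cares about; the spray rule groups by IP and counts distinct users, so five failures against one account (bob) do not trip it. That distinction between "many attempts, one account" and "one source, many accounts" is exactly the kind of product-and-signal matching SC-900 scenario questions describe in prose.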

Domain 4: Microsoft Compliance Solutions (20-25%)

Focus on Microsoft Purview and its tools:

  • Compliance Manager - tracks compliance posture; generates compliance score

  • Sensitivity labels - classify and protect data in Office 365 and beyond

  • Data Loss Prevention (DLP) - prevents sensitive data from leaving the organization

  • Records management - retention labels, policies, regulatory record declaration

  • Insider risk management - correlates signals (data exfiltration, departing employees, security policy violations) into risk scores; user identities are pseudonymized by default to protect privacy

  • eDiscovery - eDiscovery (Standard) and eDiscovery (Premium), formerly Core and Advanced; legal hold, content search, review sets and custodian management in Premium

  • Audit - Audit (Standard) and Audit (Premium); who accessed what and when, with longer retention and richer events in Premium

  • Service Trust Portal - Microsoft's transparency hub for compliance documentation

Step 4: Use the Right Free Resources (in Order)

Spending money on SC-900 prep is optional. Here are the best free resources ranked:

Resource | Cost | Best Use | Quality

Microsoft Learn SC-900 learning path | Free | Primary study - covers every domain | ★★★★★

Microsoft free practice assessment | Free | Benchmark + exam-style questions | ★★★★★

John Savill's SC-900 YouTube series | Free | Visual explanations of Azure/Entra concepts | ★★★★★

EduSum SC-900 practice tests | Paid (affordable) | High-volume question practice with rationale | ★★★★

Microsoft Exam Sandbox | Free | Familiarise yourself with question UI before exam day | ★★★★

Adam Marczak YouTube | Free | Cloud concepts explained clearly | ★★★

Study sequence that works: Microsoft Learn modules (read) → John Savill videos (watch) → free practice assessment (test) → EduSum practice tests (drill) → schedule exam.

Step 5: SC-900 vs AZ-900 vs AI-900 - Which Should You Take First?

Many candidates ask whether to start with SC-900, AZ-900, or AI-900. Here is a direct comparison:

Factor | SC-900 | AZ-900 | AI-900

Focus | Security, compliance, identity | Azure cloud fundamentals | Azure AI services

Best For | Security career path | Any Azure cloud role | AI/ML career path

Difficulty | Beginner | Beginner | Beginner

Passing Score | 700/1000 | 700/1000 | 700/1000

Time to Pass | 2 weeks | 2 weeks | 2 weeks

Job Relevance | High - security roles are consistently among the fastest-growing in IT | Broad - useful for any cloud role | Growing - AI roles expanding

Recommended Order | 2nd (after AZ-900) or standalone | 1st | 3rd

Recommendation: If you have no cloud background, take AZ-900 first to understand Azure fundamentals - SC-900 assumes basic Azure familiarity. If you already understand Azure concepts, SC-900 is a strong standalone starting point for a security career. You can explore Azure fundamentals resources on EduSum if you want to compare both paths.

Step 6: What to Do the Day Before and Day of the Exam

48 hours before:

  • Take one full timed practice exam under exam conditions

  • Review any questions you got wrong - focus on the concept, not the specific question

  • Do NOT try to learn new material - consolidate what you know

Day of exam:

  • If testing remotely (Pearson VUE OnVUE): close all applications, check your camera and mic 30 minutes early, clear your desk

  • The exam interface gives you ability to flag and review questions - flag anything uncertain and return at the end

  • You have 45 minutes for ~40-60 questions. That is roughly 45-65 seconds per question. Do not overthink.

  • For scenario questions: Microsoft exams often present a business scenario and ask which product is most appropriate. Always read the scenario for keywords like "identity" (→ Entra), "log analysis" (→ Sentinel), "compliance score" (→ Compliance Manager), "classify data" (→ sensitivity labels).

After the exam:

  • Results appear immediately on screen after submission

  • If you pass (700+), your Microsoft Certified badge appears in your Learn profile within 24-48 hours

  • If you do not pass: Microsoft's retake policy allows a second attempt after 24 hours; a third and any later attempt requires a 14-day wait, with a limit of five attempts in a 12-month period. There is no shame in a retake

Is the SC-900 Worth It for Your Career?

SC-900 is a fundamentals-tier credential, which means it does not stand alone as a job-qualifying certification. Its value is as a foundation and a signal:

  • Entry into a Microsoft security career path → SC-900 → SC-200 (Security Operations Analyst), SC-300 (Identity and Access Administrator) or AZ-500 (Azure Security Engineer), depending on your specialization

  • Demonstrates baseline Microsoft security awareness to employers evaluating cloud security candidates

  • Required prerequisite mindset (not formally required, but practically recommended) before SC-200 or AZ-500

According to Bureau of Labor Statistics projections, information security analyst roles are projected to grow 33% through 2033 - among the fastest of any occupation. SC-900 positions you at the entry gate to this career path. Explore EduSum's Microsoft security certification resources for the full certification roadmap from fundamentals to expert level.

Frequently Asked Questions

Q: What is the SC-900 passing score?

A: The SC-900 passing score is 700 out of 1000, as confirmed by Microsoft's official exam scoring page. You must score 700 or higher to earn the Microsoft Certified: Security, Compliance, and Identity Fundamentals credential.

Q: How many questions are on the SC-900 exam?

A: The SC-900 has approximately 40-60 questions. Microsoft does not publish the exact count, as it varies per exam version. You have 45 minutes to complete the assessment.

Q: Is the SC-900 hard for beginners?

A: SC-900 is one of Microsoft's easiest certifications. It is a fundamentals-tier exam designed for non-technical stakeholders, students, and career changers. With two weeks of focused study using free Microsoft Learn resources, most candidates pass on their first attempt.

Q: How long does SC-900 preparation take?

A: Most candidates pass with 10-15 hours of total study time over one to two weeks. Candidates already working with Microsoft 365 or Azure environments often need less. Complete beginners should budget two full weeks of 1-1.5 hours per day.

Q: Does SC-900 expire?

A: No. Microsoft Fundamentals certifications, including SC-900, do not expire and require no renewal. The free annual renewal assessment on Microsoft Learn applies to role-based and specialty certifications such as SC-200 or AZ-500, which are valid for one year at a time.

Q: What is the SC-900 exam cost?

A: The SC-900 exam costs $99 USD in the United States, the standard price for Microsoft Fundamentals-tier exams (associate-level exams such as SC-200 cost $165 USD); pricing varies by country. Students and educators can take it through Certiport at discounted rates. Check Pearson VUE's Microsoft exam page for current pricing in your region.

Q: Should I take SC-900 before SC-200?

A: SC-900 is not a formal prerequisite for SC-200, but it is strongly recommended if you are new to Microsoft security concepts. SC-200 (Security Operations Analyst) requires hands-on Microsoft Sentinel and Defender XDR experience - SC-900 gives you the conceptual foundation first.

Q: Which domain has the most SC-900 questions?

A: Microsoft Security Solutions (Domain 3) carries the highest weight at 35-40%, covering Defender XDR, Microsoft Sentinel, Defender for Cloud, and Azure infrastructure security. This domain should receive the most study time, not the concepts domain (only 10-15%).

Q: Is SC-900 worth it without IT experience?

A: Yes. SC-900 is specifically designed for non-technical roles - business analysts, project managers, compliance officers, and salespeople working in Microsoft environments all benefit from SC-900 as a signal of baseline security awareness.

Q: What comes after SC-900?

A: The natural progression from SC-900 is: SC-200 (Security Operations Analyst), SC-300 (Identity and Access Administrator), or AZ-500 (Azure Security Engineer). Your next step depends on your role - operations (SC-200), identity (SC-300), or cloud infrastructure security (AZ-500). EduSum has Microsoft SC-200 resources for the next step.

Q: Can I take SC-900 from home?

A: Yes. SC-900 is available via Pearson VUE's OnVUE remote proctoring. You need a quiet room, a working webcam and microphone, a stable internet connection, and a clean desk. The check-in process starts 30 minutes before your scheduled exam time.

Q: How is SC-900 different from AZ-900?

A: AZ-900 (Azure Fundamentals) covers general Azure cloud services - compute, storage, networking, pricing, governance. SC-900 focuses specifically on security, compliance, and identity across Microsoft 365 and Azure. SC-900 goes deeper on Entra ID, Defender XDR, Sentinel, and Purview - none of which are covered in depth by AZ-900.

Start Your SC-900 Prep Today

The path to passing SC-900 is straightforward: follow the four domains in order, prioritize Microsoft Security Solutions (35-40%), use free Microsoft Learn content as your backbone, and drill with timed practice questions in Week 2.

Test your knowledge with EduSum's SC-900 sample questions to benchmark where you stand before committing to an exam date. When you are ready to move beyond fundamentals, check the AZ-500 Azure Security Engineer path for the next level of Microsoft security expertise.
