The SC-900 exam validates your foundational knowledge of security, compliance, and identity concepts within Microsoft Azure and Microsoft 365 environments. This certification is ideal for IT professionals, security analysts, compliance officers, and anyone entering cybersecurity roles who needs to understand core Microsoft security principles. This page guides you through the exam structure, key topics, and an efficient study plan to help you prepare confidently.
Use this topic map to guide your study for Microsoft SC-900 (Microsoft Security, Compliance, and Identity Fundamentals) within the Microsoft Azure path.
The SC-900 exam measures both conceptual knowledge and practical decision-making through varied question types. Questions progress in difficulty and reflect real-world scenarios you may encounter in security and compliance roles.
Difficulty increases as you progress, encouraging you to think critically about how security, compliance, and identity concepts apply across different organizational scenarios.
An effective study routine breaks the four domains into weekly milestones, allowing time to absorb concepts and practice application. Dedicate 4-6 weeks to balanced coverage, with heavier focus on areas where you have less hands-on experience.
Explore other Microsoft certifications: view all Microsoft exams.
Strengthen your preparation with up-to-date resources from validexamdumps.com. These materials align to SC-900 and cover practical scenarios with clear explanations.
Visit the exam page to download the PDF, Online Practice Test or get Bundle Discount offer for both Formats: Microsoft Security, Compliance, and Identity Fundamentals.
Microsoft Entra capabilities and Microsoft Security Solutions typically account for 35-40% of exam questions combined. Compliance Solutions and foundational security concepts make up the remainder, but all domains are essential. Focus on understanding how these areas interconnect rather than memorizing isolated facts.
In practice, Entra manages who accesses resources, Security Solutions detect and respond to threats, and Compliance Solutions enforce data governance and audit requirements. For example, Entra's conditional access may block a risky login, Defender investigates the threat, and Purview logs the event for compliance reporting. Understanding these workflows helps you answer scenario questions accurately.
SC-900 is fundamentals-level; you do not need extensive hands-on experience to pass. However, exploring Microsoft Entra sign-in logs, running a Defender scan, and reviewing a compliance policy in Purview will deepen your understanding. Prioritize labs that let you navigate these tools and observe real alerts or reports.
Candidates often confuse similar Microsoft products (for example, Defender for Cloud vs. Defender for Endpoint) or misunderstand when to use conditional access versus multi-factor authentication. Another frequent error is selecting a compliance tool when a security tool is more appropriate, or vice versa. Review product distinctions carefully and practice scenario questions to avoid these pitfalls.
In your final week, spend 60% of study time on your weakest domain and 40% on a quick review of stronger areas. Take a full-length practice test mid-week to identify last-minute gaps, then focus your remaining days on those specific topics. On the day before the exam, do a light review of key definitions and avoid cramming new material.
You plan to implement a security strategy and place multiple layers of defense throughout a network infrastructure.
Which security methodology does this represent?
Microsoft defines defense in depth as a security strategy that uses multiple, reinforcing layers of protection to reduce the chance that a single failure leads to compromise. In Microsoft's security guidance, defense in depth is described as employing ''a series of mechanisms across multiple layers'' to protect identities, endpoints, applications, data, and the network. The model spans layers such as identity, perimeter, network, compute, application, and data, with controls at each layer designed to detect, prevent, and contain attacks. Typical Azure/Microsoft 365 implementations include identity protections (MFA, Conditional Access), network controls (Azure Firewall, NSGs), perimeter filtering (WAF, DDoS Protection), endpoint safeguards (Defender for Endpoint), application security (code and runtime controls), and data protection (encryption, DLP, Purview Information Protection). By ''placing multiple layers of defense throughout a network infrastructure,'' an organization limits blast radius and increases resilience if one layer is bypassed. This contrasts with threat modeling (a design-time analysis technique), identity as the security perimeter (a principle of Zero Trust), and the shared responsibility model (a cloud governance concept). The scenario in the question precisely matches Microsoft's defense in depth methodology.
Microsoft 365 Endpoint data loss prevention (Endpoint DLP) can be used on which operating systems?
Microsoft 365 Endpoint Data Loss Prevention (Endpoint DLP) extends DLP controls directly to supported desktops. Microsoft states: ''Endpoint DLP extends the activity monitoring and protection capabilities of DLP to Windows 10 (and later) devices.'' The platform coverage is explicitly broadened to Apple desktops: ''Endpoint DLP for macOS enables the same set of DLP capabilities on macOS devices (supported versions) so you can monitor and protect sensitive items across Windows and Mac endpoints.'' At the same time, Microsoft clarifies the mobile scope: ''Endpoint DLP is supported on Windows and macOS devices.'' This means Android is not a supported operating system for Endpoint DLP (mobile data protection on Android uses different controls such as app protection policies via Microsoft Intune and conditional access). Therefore, the correct pairing of operating systems for Endpoint DLP support is Windows 10 and newer, and macOS---not Android. This aligns with Microsoft's Endpoint DLP platform support guidance and the intended desktop-focused endpoint protections for activities such as file copy, print, upload, and removable media interactions.
Which three authentication methods can be used by Azure Multi-Factor Authentication (MFA)? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.
Microsoft states that Azure AD Multi-Factor Authentication ''adds a second form of verification'' to sign-ins and supports multiple verification methods. The documented methods include Microsoft Authenticator app notifications or verification codes, text message (SMS) codes, and phone call verification. In Microsoft's description, users can approve a push notification in the Microsoft Authenticator app or enter a code from the app; they can receive a text message containing a verification code; or they can answer a phone call to complete the challenge. Email verification and security questions are not listed as supported MFA methods for Azure AD sign-ins and are not valid second factors in Azure AD MFA. Consequently, the correct methods from the options provided are Phone call, Text message (SMS), and Microsoft Authenticator app. These align with Azure AD's core MFA capabilities used in Conditional Access and per-user MFA to strengthen authentication beyond the password and to meet compliance and security requirements for strong user verification.
In the shared responsibility model, for what is Microsoft responsible when managing Azure virtual machines?
In Microsoft's shared responsibility model, responsibilities vary by service type. For IaaS (for example, Azure Virtual Machines), Microsoft states that it is responsible for protecting and maintaining the cloud infrastructure that runs customer workloads, while customers secure what they deploy in that infrastructure. Microsoft's guidance explains that Microsoft ''operates and secures the datacenters, physical hosts, networking, and the virtualization fabric,'' and handles the underlying platform maintenance, including ''hardware and firmware'' that support those hosts. Conversely, customers are responsible for what runs inside their VM: ''the guest operating system (including updates and security configuration), applications, identity, and data.''
Applied to the options in this question:
Updating the operating system and updating installed applications are customer tasks because they are inside the guest VM.
Configuring permissions for shared folders is also a customer responsibility because it's an OS/application configuration within the guest.
Updating the firmware of the disk controller belongs to Microsoft, because firmware and hardware on the physical hosts (including storage controllers) are part of the infrastructure of the cloud that Microsoft manages and secures.
Which Microsoft Purview solution can be used to identify data leakage?
Within Microsoft Purview, Insider Risk Management is the solution that is explicitly designed to detect activities such as IP theft and data leakage. Microsoft describes it as a compliance solution that correlates many user and system signals to identify potentially malicious or inadvertent insider risks, including leaks of sensitive data and data spillage.
Organizations create Insider Risk Management policies that watch for risky behaviors such as unusual file downloads, copying data to removable media, or sharing sensitive information to external locations. When configured with templates like Data leaks, these policies can use high-severity alerts from Data Loss Prevention (DLP) policies as triggers, so that suspected data-leak events automatically generate alerts and cases for investigation. This workflow lets investigators quickly triage, investigate, and remediate possible data-exfiltration incidents.
The other options serve different purposes. Compliance Manager evaluates and tracks compliance posture against regulations and internal controls, rather than monitoring user behavior for leaks. Communication compliance focuses on inappropriate or non-compliant messages (such as harassment or improper sharing in chats and email). eDiscovery is used to find and preserve existing content for legal or investigative cases, not for proactive detection of leakage as it occurs.
Therefore, the Microsoft Purview solution used to identify data leakage is Insider Risk Management.