Microsoft SC-900 exam – detailed requirements

The SC-900 exam tests your knowledge of Security, Compliance and Identity principles using Microsoft Azure, Microsoft Defender, Microsoft Sentinel and Microsoft Purview. The requirements of the SC-900 exam are checked every two months and updated as necessary. This article is based on the February 2023 update.

The SC-900 requirements are grouped into the following skills:

  1. Describe the concepts of security, compliance, and identity.
  2. Describe the capabilities of Microsoft Azure Active Directory (Azure AD), part of Microsoft Entra.
  3. Describe the capabilities of Microsoft Security solutions.
  4. Describe the capabilities of Microsoft compliance solutions.

Microsoft has not released a definitive set of topics for the exam. However, it has published a suggested set of topics. They are a useful guide upon which to base your preparations for this exam. These topics are broken down as follows:

Describe the concepts of security, compliance and identity (10-15% of total marks)

Describe security and compliance concepts

  • Describe the shared responsibility model.
  • Describe defense in depth.
  • Describe the Zero-Trust model.
  • Describe encryption and hashing.
  • Describe compliance concepts.

Define identity concepts

  • Define identity as the primary security perimeter.
  • Define authentication.
  • Define authorization.
  • Describe identity providers.
  • Describe Active Directory.
  • Describe the concept of Federation.

Describe the capabilities of Azure Active Directory (Azure AD), part of Microsoft Entra (25-30% of total marks)

Describe the basic identity services and identity types of Azure AD

  • Describe Azure AD.
  • Describe Azure AD identities.
  • Describe hybrid identity.
  • Describe the different external identity types.

Describe the authentication capabilities of Azure AD

  • Describe the authentication methods available in Azure AD.
  • Describe Multi-factor Authentication.
  • Describe self-service password reset.
  • Describe password protection and management capabilities available in Azure AD.

Describe access management capabilities of Azure AD

  • Describe conditional access.
  • Describe the benefits of Azure AD roles.
  • Describe the benefits of Azure AD role-based access control.

Describe the identity protection and governance capabilities of Azure AD

  • Describe identity governance in Azure AD.
  • Describe entitlement management and access reviews.
  • Describe the capabilities of Azure AD Privileged Identity Management (PIM).
  • Describe Azure AD Identity Protection.

Describe the capabilities of Microsoft Security solutions (25-30% of total marks)

Describe basic security capabilities in Azure

  • Describe Azure DDoS protection.
  • Describe Azure Firewall.
  • Describe Web Application Firewall.
  • Describe Network Segmentation with Azure Virtual Networks.
  • Describe Azure Network Security groups.
  • Describe Azure Bastion and JIT Access.
  • Describe ways Azure encrypts data.

Describe security management capabilities of Azure

  • Describe Cloud security posture management (CSPM).
  • Describe Microsoft Defender for Cloud.
  • Describe the enhanced security features of Microsoft Defender for Cloud.
  • Describe security baselines for Azure.

Describe security capabilities of Microsoft Sentinel

  • Define the concepts of SIEM and SOAR.
  • Describe how Microsoft Sentinel provides integrated threat management.

Describe threat protection with Microsoft 365 Defender

  • Describe Microsoft 365 Defender services.
  • Describe Microsoft Defender for Office 365.
  • Describe Microsoft Defender for Endpoint.
  • Describe Microsoft Defender for Cloud Apps.
  • Describe Microsoft Defender for Identity.
  • Describe the Microsoft 365 Defender portal.

Describe the capabilities of Microsoft compliance solutions (25-30% of total marks)

Describe Microsoft’s Service Trust Portal and privacy principles

  • Describe the offerings of the Service Trust portal.
  • Describe Microsoft’s privacy principles.

Describe the compliance management capabilities of Microsoft Purview

  • Describe the Microsoft Purview compliance portal.
  • Describe compliance manager.
  • Describe the use of benefits of compliance score.

Describe information protection and data lifecycle management capabilities of Microsoft Purview

  • Describe data classification capabilities.
  • Describe the benefits of content explorer and activity explorer.
  • Describe sensitivity labels.
  • Describe Data Loss Prevention (DLP).
  • Describe Records Management.
  • Describe Retention Polices and Retention Labels.

Describe insider risk capabilities in Microsoft Purview

  • Describe Insider Risk Management.
  • Describe communication compliance.
  • Describe information barriers.

Describe resource governance capabilities in Azure

  • Describe Azure Policy.
  • Describe Azure Blueprint.
  • Describe the capabilities in the Microsoft Purview governance portal.

How to learn the SC-900 requirements

To learn all of the above topics, look at our SC-900 course.

Click image to view course

I do data… and so can you!