SC-900 exam domains
The SC-900 exam is weighted across 4 domains. Pick any domain below to drill it — or read the full breakdown in the FAQ.
| Exam domain | Exam weight | Practice |
|---|---|---|
| Describe the concepts of security, compliance, and identity | 13% | Practice this topic |
| Describe the capabilities of Microsoft Entra | 27% | Practice this topic |
| Describe the capabilities of Microsoft security solutions | 38% | Practice this topic |
| Describe the capabilities of Microsoft compliance solutions | 22% | Practice this topic |
Sample SC-900 questions
A sample of the SC-900 questions on this hub. Each links through to the full question, the correct answer, and an explanation of why every other option is wrong.
- A compliance officer at Contoso needs to ensure that members of a sensitive project group are periodically re-evaluated so that people who no longer n…View question
- A company runs all of its user accounts and computers on servers located in its own data center. The IT team uses a Windows Server role that stores ac…View question
- A user at Contoso enters their username and password to sign in to a company portal. After signing in successfully, the system checks whether the user…View question
- A company hosts several virtual machines in Azure. The security team wants administrators to connect to these VMs using RDP and SSH securely through t…View question
- A company hosts a public-facing web application on Azure virtual machines behind a public IP address. During a recent event, the application became un…View question
- A company routes all outbound internet traffic from its Azure virtual networks through Azure Firewall. The security team wants the firewall to automat…View question
- A company runs several virtual machines in an Azure virtual network. The security team needs to control outbound traffic by allowing connections only…View question
- A development team currently hardcodes API keys, database connection strings, and TLS certificates directly into application configuration files store…View question
- A compliance auditor asks a company that runs all of its workloads in Microsoft Azure who is responsible for the physical security of the datacenters,…View question
- A security administrator notices that several sign-ins to Microsoft 365 are occurring through older email clients that do not support modern authentic…View question
Key SC-900 terms
Start with these terms, then explore the full glossary. Each links to a plain-English definition written for the SC-900 exam.
SC-900 frequently asked questions
What is the SC-900 certification?+
Microsoft positions SC-900 as validating a foundational understanding of security, compliance, and identity concepts and the related Microsoft and Azure solutions. It is aimed at people who want to understand how Microsoft SCI solutions span across cloud-based and Microsoft 365 services.
It covers the concepts of security, compliance, and identity; the capabilities of Microsoft Entra; Microsoft security solutions such as Defender and Sentinel; and Microsoft compliance solutions built on Microsoft Purview.
What topics are on the SC-900 exam?+
The SC-900 exam is organised into four weighted skill areas. The percentages below sit within Microsoft’s published ranges (for example 35–40%), normalized to total 100, so treat them as a study-time guide. Microsoft security solutions carry by far the most weight.
Describe the concepts of security, compliance, and identity (13%)
The smallest area, covering the foundations: security and compliance concepts such as the shared responsibility model, defense-in-depth, the Zero Trust model, encryption and hashing, and Governance, Risk, and Compliance; plus identity concepts including authentication, authorization, identity providers, directory services, and federation.
Describe the capabilities of Microsoft Entra (27%)
Covers the function and identity types of Microsoft Entra ID, its authentication capabilities (authentication methods, multifactor authentication, password protection), access management (Conditional Access, roles and RBAC), and identity protection and governance (ID Governance, access reviews, Privileged Identity Management, ID Protection).
Describe the capabilities of Microsoft security solutions (38%)
The heaviest area. It covers core Azure infrastructure security services (DDoS Protection, Azure Firewall, Web Application Firewall, network security groups, Azure Bastion, Key Vault), security management with Microsoft Defender for Cloud, Microsoft Sentinel (SIEM and SOAR), and threat protection with Microsoft Defender XDR.
Describe the capabilities of Microsoft compliance solutions (22%)
Covers the Service Trust Portal and Microsoft privacy principles, and compliance management with Microsoft Purview — the Purview portal, Compliance Manager and compliance score, information protection and data lifecycle management, sensitivity labels, data loss prevention, records management, insider risk, eDiscovery, and audit.
Is the SC-900 hard?+
SC-900 is a fundamentals exam and one of the more approachable certifications: it tests conceptual understanding and which Microsoft capability addresses a need rather than hands-on configuration. Most candidates pass with a few weeks of focused study.
The main challenge is the breadth of Microsoft product names and knowing which one fits a scenario — distinguishing Defender for Cloud from Defender XDR, or Conditional Access from Privileged Identity Management. Practising scenario questions until those distinctions are automatic is the key.
How many questions are on the SC-900 exam and how long is it?+
Microsoft does not fix a single public question count for SC-900; it typically presents roughly 40–60 questions in a mix of formats — multiple choice, multiple response, and drag-and-drop — within about 60 minutes of working time.
Our full-length practice mock uses a 65-question, 90-minute session so you can rehearse pacing under realistic time pressure before test day.
What score do you need to pass the SC-900?+
Microsoft scores SC-900 on a scale of 1 to 1,000, and the passing score is 700. That is a scaled score rather than a raw 70%, because Microsoft adjusts for question difficulty, and there is no penalty for wrong answers, so you should never leave a question blank. Our practice mock uses a 70% threshold to give you a comparable target.
How much does the SC-900 exam cost?+
The SC-900 exam fee is set by Microsoft and varies by region — check the Microsoft certification page for current pricing, and note that fundamentals certifications like this one do not expire. Everything on this hub is free.
Who should take the SC-900?+
SCI Fundamentals is aimed at business stakeholders, new or existing IT professionals, and students who want to understand Microsoft security, compliance, and identity solutions across cloud-based and Microsoft 365 services.
Microsoft recommends general familiarity with Microsoft Azure and Microsoft 365. No security-engineering experience is required — the exam is about understanding capabilities, not implementing them.
What jobs and salaries can the SC-900 lead to?+
SC-900 is relevant for aspiring security, compliance, and identity professionals, and for business and IT roles that need a shared vocabulary for Microsoft SCI solutions. It is a foundation for role-based security certifications such as Azure Security Engineer (AZ-500) and the Microsoft security operations and identity paths.
How much any certification affects pay depends heavily on geography, seniority, and hands-on experience, so treat any single salary figure with caution. SC-900 is best viewed as a way to demonstrate foundational security literacy rather than a guaranteed raise on its own.
How long does it take to study for the SC-900?+
Most candidates need two to four weeks at roughly an hour a day. The most efficient path is to learn the four skill areas in order, giving extra time to the heavily weighted security-solutions area, and drilling the topic quiz for each before moving on.
Review every explanation, including for questions you answered correctly, because SC-900 distractors are built from plausible but incorrect Microsoft products or concepts. Use the per-domain results here to find and shore up your weakest area, then finish with full-length timed mocks.
How should you prepare for the SC-900?+
Study the four skill areas above, giving the most time to Microsoft security solutions, then drill practice questions area by area. Every MockAPI question reveals a full explanation and tells you why each wrong answer is wrong — the fastest way to absorb the product terminology this exam rewards.
When you can answer topic drills comfortably, move to a full-length timed mock to rehearse pacing. Use the glossary to keep the Microsoft product names straight, and aim to score consistently above the pass mark on mocks before you book.
Can you take the SC-900 exam online?+
Yes. Microsoft delivers SC-900 through Pearson VUE, so you can test at a physical Pearson VUE centre or online with remote proctoring (OnVUE). The online exam requires a private, quiet room, a clear workspace, a webcam and microphone, a stable connection, and government-issued photo ID, with a proctor monitoring you and a room scan before you start.
If you do not pass, Microsoft requires a 24-hour wait before a second attempt; after that, a 14-day wait applies between further attempts, with a limit of five attempts in a 12-month period, and each attempt needs its own registration.
What certification should you take after the SC-900?+
After SC-900, common next steps include role-based security certifications such as the Azure Security Engineer Associate (AZ-500), the Security Operations Analyst (SC-200), or the Identity and Access Administrator (SC-300), which build on these concepts with hands-on skills.
If your interest is broader Azure, the AZ-900 Azure Fundamentals exam pairs well. Pairing any of these with hands-on practice is what turns a certificate into a career.