Microsoft · Foundational

Microsoft Security, Compliance, and Identity Fundamentals (SC-900) practice exam & study guide

The Microsoft Security, Compliance, and Identity Fundamentals (SC-900) is Microsoft’s foundational certification for security, compliance, and identity (SCI) concepts and Microsoft solutions. It validates the ability to describe security and identity concepts and the capabilities of Microsoft Entra, Microsoft security solutions, and Microsoft compliance solutions.

SC-900 is an entry-level, concept-focused exam. Questions describe a security, identity, or compliance need and ask which concept or Microsoft capability addresses it — you are not expected to configure or administer the services.

This free hub gives you everything you need to prepare: a syllabus breakdown by exam domain, realistic practice questions with teacher-style explanations, a glossary of the Microsoft security and compliance services the exam relies on, and full-length timed mock exams that mirror the real testing experience.

65
Questions
90 min
Time limit
70%
Mock pass %
4
Domains

Start studying SC-900

New here? Follow the three steps below in order. Everything is free and needs no account.

  1. 1
    Learn the plan

    See all 4 domains in exam-weight order.

    Open study path
  2. 2
    Drill by domain

    Practice one topic at a time with explained answers.

    Start with the first domain
  3. 3
    Sit a timed mock

    65 questions · 90 min · 70% to pass our mock.

    Take the mock exam

All SC-900 study resources

SC-900 exam domains

The SC-900 exam is weighted across 4 domains. Pick any domain below to drill it — or read the full breakdown in the FAQ.

Exam domainExam weightPractice
Describe the concepts of security, compliance, and identity13%Practice this topic
Describe the capabilities of Microsoft Entra27%Practice this topic
Describe the capabilities of Microsoft security solutions38%Practice this topic
Describe the capabilities of Microsoft compliance solutions22%Practice this topic

Sample SC-900 questions

A sample of the SC-900 questions on this hub. Each links through to the full question, the correct answer, and an explanation of why every other option is wrong.

Key SC-900 terms

Start with these terms, then explore the full glossary. Each links to a plain-English definition written for the SC-900 exam.

SC-900 frequently asked questions

What is the SC-900 certification?+

Microsoft positions SC-900 as validating a foundational understanding of security, compliance, and identity concepts and the related Microsoft and Azure solutions. It is aimed at people who want to understand how Microsoft SCI solutions span across cloud-based and Microsoft 365 services.

It covers the concepts of security, compliance, and identity; the capabilities of Microsoft Entra; Microsoft security solutions such as Defender and Sentinel; and Microsoft compliance solutions built on Microsoft Purview.

What topics are on the SC-900 exam?+

The SC-900 exam is organised into four weighted skill areas. The percentages below sit within Microsoft’s published ranges (for example 35–40%), normalized to total 100, so treat them as a study-time guide. Microsoft security solutions carry by far the most weight.

Describe the concepts of security, compliance, and identity (13%)

The smallest area, covering the foundations: security and compliance concepts such as the shared responsibility model, defense-in-depth, the Zero Trust model, encryption and hashing, and Governance, Risk, and Compliance; plus identity concepts including authentication, authorization, identity providers, directory services, and federation.

Describe the capabilities of Microsoft Entra (27%)

Covers the function and identity types of Microsoft Entra ID, its authentication capabilities (authentication methods, multifactor authentication, password protection), access management (Conditional Access, roles and RBAC), and identity protection and governance (ID Governance, access reviews, Privileged Identity Management, ID Protection).

Describe the capabilities of Microsoft security solutions (38%)

The heaviest area. It covers core Azure infrastructure security services (DDoS Protection, Azure Firewall, Web Application Firewall, network security groups, Azure Bastion, Key Vault), security management with Microsoft Defender for Cloud, Microsoft Sentinel (SIEM and SOAR), and threat protection with Microsoft Defender XDR.

Describe the capabilities of Microsoft compliance solutions (22%)

Covers the Service Trust Portal and Microsoft privacy principles, and compliance management with Microsoft Purview — the Purview portal, Compliance Manager and compliance score, information protection and data lifecycle management, sensitivity labels, data loss prevention, records management, insider risk, eDiscovery, and audit.

Is the SC-900 hard?+

SC-900 is a fundamentals exam and one of the more approachable certifications: it tests conceptual understanding and which Microsoft capability addresses a need rather than hands-on configuration. Most candidates pass with a few weeks of focused study.

The main challenge is the breadth of Microsoft product names and knowing which one fits a scenario — distinguishing Defender for Cloud from Defender XDR, or Conditional Access from Privileged Identity Management. Practising scenario questions until those distinctions are automatic is the key.

How many questions are on the SC-900 exam and how long is it?+

Microsoft does not fix a single public question count for SC-900; it typically presents roughly 40–60 questions in a mix of formats — multiple choice, multiple response, and drag-and-drop — within about 60 minutes of working time.

Our full-length practice mock uses a 65-question, 90-minute session so you can rehearse pacing under realistic time pressure before test day.

What score do you need to pass the SC-900?+

Microsoft scores SC-900 on a scale of 1 to 1,000, and the passing score is 700. That is a scaled score rather than a raw 70%, because Microsoft adjusts for question difficulty, and there is no penalty for wrong answers, so you should never leave a question blank. Our practice mock uses a 70% threshold to give you a comparable target.

How much does the SC-900 exam cost?+

The SC-900 exam fee is set by Microsoft and varies by region — check the Microsoft certification page for current pricing, and note that fundamentals certifications like this one do not expire. Everything on this hub is free.

Who should take the SC-900?+

SCI Fundamentals is aimed at business stakeholders, new or existing IT professionals, and students who want to understand Microsoft security, compliance, and identity solutions across cloud-based and Microsoft 365 services.

Microsoft recommends general familiarity with Microsoft Azure and Microsoft 365. No security-engineering experience is required — the exam is about understanding capabilities, not implementing them.

What jobs and salaries can the SC-900 lead to?+

SC-900 is relevant for aspiring security, compliance, and identity professionals, and for business and IT roles that need a shared vocabulary for Microsoft SCI solutions. It is a foundation for role-based security certifications such as Azure Security Engineer (AZ-500) and the Microsoft security operations and identity paths.

How much any certification affects pay depends heavily on geography, seniority, and hands-on experience, so treat any single salary figure with caution. SC-900 is best viewed as a way to demonstrate foundational security literacy rather than a guaranteed raise on its own.

How long does it take to study for the SC-900?+

Most candidates need two to four weeks at roughly an hour a day. The most efficient path is to learn the four skill areas in order, giving extra time to the heavily weighted security-solutions area, and drilling the topic quiz for each before moving on.

Review every explanation, including for questions you answered correctly, because SC-900 distractors are built from plausible but incorrect Microsoft products or concepts. Use the per-domain results here to find and shore up your weakest area, then finish with full-length timed mocks.

How should you prepare for the SC-900?+

Study the four skill areas above, giving the most time to Microsoft security solutions, then drill practice questions area by area. Every MockAPI question reveals a full explanation and tells you why each wrong answer is wrong — the fastest way to absorb the product terminology this exam rewards.

When you can answer topic drills comfortably, move to a full-length timed mock to rehearse pacing. Use the glossary to keep the Microsoft product names straight, and aim to score consistently above the pass mark on mocks before you book.

Can you take the SC-900 exam online?+

Yes. Microsoft delivers SC-900 through Pearson VUE, so you can test at a physical Pearson VUE centre or online with remote proctoring (OnVUE). The online exam requires a private, quiet room, a clear workspace, a webcam and microphone, a stable connection, and government-issued photo ID, with a proctor monitoring you and a room scan before you start.

If you do not pass, Microsoft requires a 24-hour wait before a second attempt; after that, a 14-day wait applies between further attempts, with a limit of five attempts in a 12-month period, and each attempt needs its own registration.

What certification should you take after the SC-900?+

After SC-900, common next steps include role-based security certifications such as the Azure Security Engineer Associate (AZ-500), the Security Operations Analyst (SC-200), or the Identity and Access Administrator (SC-300), which build on these concepts with hands-on skills.

If your interest is broader Azure, the AZ-900 Azure Fundamentals exam pairs well. Pairing any of these with hands-on practice is what turns a certificate into a career.