SC-900 cheat sheet
A one-page reference for the Microsoft Security, Compliance, and Identity Fundamentals exam: the format, how the domains are weighted, and the glossary terms for this exam.
Exam at a glance
Vendor
Microsoft
Level
Foundational
Questions
65
Time
90 min
Mock pass mark
70%
Domains
4
Practice Qs
151
Code
SC-900
Domain weightings
How much of the exam each domain covers. Spend your study time in proportion — the heavier the domain, the more questions you'll see.
Key terms
- Shared responsibility model
- The shared responsibility model is a framework that divides security duties between the cloud provider and the customer depending on the service type. SC-900 covers it as a foundational security concept.
- Zero Trust
- Zero Trust is a security model that assumes breach and verifies each request explicitly rather than trusting anything inside a network perimeter. SC-900 covers its guiding principles in the concepts domain.
- Defense-in-depth
- Defense-in-depth is a strategy that uses multiple layers of security controls so that if one layer fails, others still protect the asset. SC-900 covers it among core security concepts.
- Microsoft Entra ID
- Microsoft Entra ID is Microsoft's cloud-based identity and access management service, formerly known as Azure Active Directory. SC-900 covers its functions and identity types in the Entra domain.
- Multifactor authentication
- Multifactor authentication (MFA) is an authentication method that requires two or more forms of verification before granting access. SC-900 covers it among the authentication capabilities of Microsoft Entra ID.
- Conditional Access
- Conditional Access is a Microsoft Entra capability that enforces access policies based on signals such as user, device, location, and risk. SC-900 covers it within the access-management capabilities of Entra ID.
- Privileged Identity Management
- Privileged Identity Management (PIM) is a Microsoft Entra service that provides just-in-time, time-bound, and approval-based access to privileged roles. SC-900 covers it under identity protection and governance.
- Microsoft Defender for Cloud
- Microsoft Defender for Cloud is a service that provides cloud security posture management and workload protection across Azure, hybrid, and multi-cloud resources. SC-900 covers it in the security-solutions domain.
- Microsoft Sentinel
- Microsoft Sentinel is a cloud-native security information and event management (SIEM) and security orchestration automated response (SOAR) solution. SC-900 covers its threat detection and mitigation capabilities.
- Microsoft Defender XDR
- Microsoft Defender XDR is an extended detection and response suite that unifies threat protection across endpoints, identities, email, and cloud apps. SC-900 covers its component services in the security-solutions domain.
- Azure Key Vault
- Azure Key Vault is a service for securely storing and controlling access to secrets, keys, and certificates. SC-900 covers it among the core infrastructure security services in Azure.
- Network security group
- A network security group (NSG) is an Azure resource that filters inbound and outbound network traffic to resources using allow and deny rules. SC-900 covers it among core infrastructure security services.
- Microsoft Purview
- Microsoft Purview is a set of compliance and data-governance solutions covering information protection, data lifecycle management, eDiscovery, and audit. SC-900 covers it as the core of the compliance-solutions domain.
- Data loss prevention
- Data loss prevention (DLP) is a capability that detects and helps prevent the unauthorized sharing of sensitive information. SC-900 covers it as an information-protection capability within Microsoft Purview.
- Compliance Manager
- Compliance Manager is a Microsoft Purview tool that helps assess and manage compliance through a risk-based compliance score. SC-900 covers it under compliance management capabilities.