Passed SC-100 last week — identity management section was the sleeper topic
Passed SC-100 with an 812 last Thursday. I've been a cloud security architect for three years, Azure-heavy, previously held AZ-500 and MS-500. I thought this exam would be a straightforward extension of what I already knew. It mostly was, but there were a few areas I underweighted in my prep that I want to flag for anyone getting ready.
The identity and access management architecture questions hit harder than I expected. Not the mechanics of Conditional Access or PIM — I know those cold. It was the governance and design questions: when to use which identity pattern for a hybrid environment, how to architect zero-trust identity at an enterprise scale, which controls to layer when you have on-prem AD plus Entra ID plus a bunch of SaaS apps. The SC-100 practice tests I used covered this material but the real exam went deeper on the architectural tradeoffs.
The MCRA (Microsoft Cybersecurity Reference Architecture) is worth reading in full, not just skimming. I skimmed it. I noticed on the exam. The sections on identity and on security operations are especially testable at the architectural reasoning level.
Four weeks of prep, roughly 90 minutes a day. Solid foundation from AZ-500 made a real difference. Happy to answer questions.
The MCRA callout is useful — thanks. Most prep guides treat it as supplementary. Sounds like it's more load-bearing than that for the actual exam questions.
What resources did you use beyond the MCRA? I have AZ-500 and SC-200 and I'm planning SC-100 for Q3. Trying to figure out if official Microsoft Learn is enough or if I need a third-party course.
The hybrid identity architecture questions are where I see most people struggle. There's a real gap between "I know how Entra ID works" and "I can design an identity architecture for 50,000 users across three countries with regulatory requirements." The latter is what SC-100 tests.
812 on SC-100 is a solid score. That exam has a reputation for being harder than the other SC-series in terms of requiring genuine architectural reasoning vs recall. Congrats.
The zero-trust framing runs through the entire exam. If you're prepping and haven't fully internalized the Microsoft Zero Trust model (identity, endpoints, apps, data, infrastructure, networks), that's worth doing before you sit. Every section connects back to it.