The SC-900 Microsoft Certified: Security, Compliance, and Identity Fundamentals exam is a foundational-level certification with no prerequisites. It validates your understanding of security, compliance, and identity concepts across Microsoft cloud and hybrid environments. This free printable PDF lets you review all four content domains offline, annotate key concepts, and quiz yourself before exam day.
SC-900 is popular as a first Microsoft certification for IT beginners, business analysts, and professionals moving into cloud or security roles. It pairs well with AZ-900 (Azure Fundamentals) as a broad cloud literacy credential.
The exam opens with foundational concepts that underpin everything else. The shared responsibility model defines which security obligations belong to you and which belong to Microsoft, depending on whether a workload runs on-premises or as IaaS, PaaS, or SaaS. You always keep responsibility for your data, endpoints, accounts, and access management, and Microsoft's share grows as you move toward SaaS; knowing where the boundary sits in each model is a frequent exam question. Defense-in-depth describes a layered approach in which physical security, identity and access, perimeter, network, compute, application, and data each form an independent control, so a failure at one layer does not expose the whole system.
Zero Trust is a central theme throughout SC-900. Its three principles, verify explicitly, use least-privilege access, and assume breach, are applied across six pillars: identities, devices, applications, data, infrastructure, and networks. You need to understand encryption at rest versus encryption in transit, how hashing differs from encryption (hashing is one-way and keyless, so the input cannot be recovered; encryption is reversible by anyone holding the key), and the basics of multi-factor authentication (combining something you know, something you have, and something you are). Common threat types tested include phishing, ransomware, distributed denial-of-service (DDoS), man-in-the-middle (MITM), and SQL injection.
Microsoft Entra ID (formerly Azure Active Directory) is the identity pillar of SC-900. You must understand tenants, the difference between a user identity and a service principal or managed identity used by applications and workloads, and that authentication (proving who you are) precedes authorization (what you are allowed to do). Authentication methods tested include the Microsoft Authenticator app, FIDO2 security keys, Windows Hello for Business, SMS, and voice call; Microsoft ranks the passwordless and phishing-resistant options above SMS and voice. Entra password protection blocks weak and custom-banned passwords, smart lockout slows brute-force and password-spray attacks by temporarily locking an account after repeated failures, and self-service password reset (SSPR) reduces the IT helpdesk burden.
On the authorization side, Azure RBAC controls access to Azure resources (subscriptions, resource groups, VMs, storage), while Microsoft Entra roles such as Global Administrator control access to the directory itself; the distinction between the two is commonly tested, including the fact that a directory role does not by itself grant access to Azure resources. Conditional Access policies evaluate signals from the sign-in (user or group membership, application, device state, location, sign-in and user risk) and apply grant controls such as require MFA, require a compliant device, or block access; exclusions override inclusions, a block from any applicable policy wins, and otherwise the controls of every applicable policy must all be satisfied. Privileged Identity Management (PIM) provides just-in-time, time-bound activation of privileged roles, optionally with approval and justification, reducing standing admin permissions. Identity Governance features, access reviews and entitlement management, automate the access lifecycle. External Identities cover B2B (partner collaboration through guest accounts) and B2C (customer-facing apps).
Microsoft Defender for Cloud provides two core capabilities: cloud security posture management (CSPM) assesses your configuration against security best practices and reports a Secure Score, while cloud workload protection (CWP) detects and responds to threats across VMs, containers, databases, and more. The Secure Score concept, a percentage showing how much of the recommended hardening you have implemented, is frequently tested.
The Microsoft Defender XDR (extended detection and response) suite includes Defender for Endpoint (device protection), Defender for Office 365 (email and collaboration), Defender for Identity (detection of attacks against on-premises Active Directory, using sensors on domain controllers), and Defender for Cloud Apps (a CASB, cloud access security broker, that provides visibility and control over SaaS apps). Microsoft Sentinel is Microsoft's cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) platform. Key Sentinel concepts tested include workbooks (dashboards and visualizations), analytics rules (which turn collected log data into alerts and incidents), and playbooks (automated response built on Azure Logic Apps).
Networking security concepts include Azure Firewall (a stateful, managed network security service), Azure DDoS Protection (the always-on infrastructure protection every Azure network gets for free, formerly the Basic tier, versus the paid DDoS Network Protection and DDoS IP Protection SKUs, formerly Standard, which add tuned mitigation policies, telemetry, and alerting), and the distinction between Network Security Groups and Azure Firewall. NSGs are stateful layer 3/4 filters attached to subnets or NICs, matched on source, destination, port, and protocol in priority order with first match winning; Azure Firewall adds application-level filtering, FQDN rules, and threat-intelligence-based filtering. Azure Bastion enables secure, browser-based RDP and SSH access to VMs without exposing public IP addresses.
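The NSG behaviour worth internalising is priority order plus first match: a rule with a higher priority number is never reached if an earlier one already matched. The added example below (not from this page or Azure's code) models inbound evaluation including the three default rules Azure puts in every NSG. The custom rules, the service-tag address ranges and the sample IPs are constructed for the demo, and the `Internet` tag is approximated as "any non-private address".

```python
# Added example: how a Network Security Group evaluates inbound traffic.
# Rules, service-tag ranges and sample addresses are constructed for illustration.
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR, "*", or a service tag such as "Internet" / "VirtualNetwork"
    dest_port: str     # "443", "1000-2000" or "*"

# Azure's default inbound rules: present in every NSG, cannot be deleted, but any
# custom rule with a lower priority number is evaluated before them.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]

# Constructed service-tag membership for the demo; Azure maintains the real ranges.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}

def source_matches(rule_source: str, src_ip: str) -> bool:
    if rule_source == "*":
        return True
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "Internet":          # approximation: anything outside private space
        return not ip.is_private
    if rule_source in SERVICE_TAGS:
        return any(ip in ipaddress.ip_network(n) for n in SERVICE_TAGS[rule_source])
    return ip in ipaddress.ip_network(rule_source)

def port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = (int(x) for x in rule_port.split("-"))
        return lo <= port <= hi
    return int(rule_port) == port

def evaluate_inbound(custom_rules: list[Rule], src_ip: str, dst_port: int, protocol: str) -> tuple[str, str]:
    """Return (access, rule name) of the first matching rule in priority order."""
    rules = sorted((r for r in custom_rules + DEFAULT_INBOUND if r.direction == "Inbound"),
                   key=lambda r: r.priority)
    for r in rules:
        if r.protocol not in ("*", protocol):
            continue
        if not source_matches(r.source, src_ip) or not port_matches(r.dest_port, dst_port):
            continue
        return r.access, r.name     # first match wins; later rules are never consulted
    raise AssertionError("unreachable: DenyAllInBound matches everything")

# Constructed custom rules: web open to the Internet, RDP only from a Bastion subnet.
CUSTOM = [
    Rule("AllowHTTPS", 100, "Inbound", "Allow", "Tcp", "Internet", "443"),
    Rule("DenyRDPFromInternet", 110, "Inbound", "Deny", "Tcp", "Internet", "3389"),
    Rule("AllowRDPFromBastion", 120, "Inbound", "Allow", "Tcp", "10.0.255.0/27", "3389"),
    Rule("DenyAllRDP", 130, "Inbound", "Deny", "Tcp", "*", "3389"),
]

if __name__ == "__main__":
    for src, port in [("93.184.216.34", 443), ("93.184.216.34", 3389), ("10.0.255.5", 3389)]:
        print(src, port, evaluate_inbound(CUSTOM, src, port, "Tcp"))
```

Reordering the last two custom rules so that `DenyAllRDP` sits at a lower priority number than `AllowRDPFromBastion` silently breaks Bastion access, because the deny now matches first; that ordering mistake is exactly what the first-match semantics punish.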
The Microsoft Purview compliance portal (formerly the Microsoft 365 compliance center) is the central hub for compliance management. Data lifecycle management and records management help organizations retain, label, and dispose of content according to policy. Information protection uses two types of labels: sensitivity labels classify and protect content (applying encryption, watermarks, access restrictions), while retention labels govern how long content is kept and whether it can be deleted.
Compliance Manager measures your organization's progress against regulatory requirements (GDPR, NIST, ISO 27001, and so on) with a points-based compliance score that rises as improvement actions are implemented and tested. eDiscovery (Standard and Premium) and audit capabilities support legal and investigative workflows. Microsoft's privacy principles, control, transparency, security, strong legal protections for user data, no content-based targeting, and benefits to customers, underpin the Trust Center. Data loss prevention (DLP) policies detect and prevent the sharing of sensitive information (credit card numbers, SSNs, health data) across Microsoft 365 services; they rely on sensitive information types that combine a pattern, a checksum such as Luhn for card numbers, and nearby supporting keywords to decide confidence and reduce false positives. Communication Compliance monitors for workplace policy violations in email, Teams, and other communication channels.
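To make the DLP detection idea concrete, here is an added example (not from this page and not Microsoft's implementation) of a credit-card sensitive information type in the same shape: a digit pattern, a Luhn checksum to discard random digit runs, and a keyword window that raises confidence, feeding a policy decision. The keyword list, the confidence thresholds and the sample messages are constructed for the demo; the card numbers are the publicly known Visa, Mastercard and Amex test numbers.

```python
# Added example: a DLP-style credit card detector with Luhn validation and
# keyword-proximity confidence. Thresholds, keywords and sample text are constructed.
import re

# 13 to 16 digits with optional single spaces or dashes between them, on word boundaries.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
KEYWORDS = ("card", "visa", "mastercard", "amex", "cvv", "expiry", "payment")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]

def scan(text: str, window: int = 300) -> list[tuple[str, str]]:
    """Return (masked number, confidence) for each Luhn-valid candidate in the text."""
    findings = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue                        # random digit runs (order IDs, phone numbers) drop out here
        context = text[max(0, m.start() - window): m.end() + window].lower()
        confidence = "high" if any(k in context for k in KEYWORDS) else "medium"
        findings.append((mask(digits), confidence))
    return findings

def dlp_action(findings: list[tuple[str, str]]) -> str:
    """Block on any high-confidence match, warn the user on medium, otherwise allow."""
    if any(c == "high" for _, c in findings):
        return "block"
    if findings:
        return "notify"
    return "allow"

# Constructed sample messages for the demo.
SAMPLES = {
    "visa_with_keywords": "Please charge my Visa card 4111 1111 1111 1111, expiry 12/27.",
    "order_id_only": "Order ref 1234 5678 9012 3456 shipped yesterday.",
    "mastercard_no_keywords": "Use 5500 0000 0000 0004 for the booking, thanks.",
    "amex_dashes": "Amex on file: 3782-822463-10005",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        f = scan(text)
        print(name, f, dlp_action(f))
```

The masked output is what an auditor should see in the DLP incident: the policy match proves a number was present without copying the sensitive value into yet another system.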
Pair your PDF review with online practice tests to simulate the real exam environment. Interactive questions help you identify knowledge gaps across all four SC-900 content domains and build the confidence to pass on your first attempt.
Visit our SC-900 practice test page for free online questions covering security concepts, Microsoft Entra, Defender solutions, and Microsoft Purview compliance tools.