How much does the Microsoft SC-900 exam cost in 2026?

SC-900 costs $99 USD in the United States as of 2026. Microsoft notes that pricing varies by country where the exam is proctored — for example, it runs roughly GBP 69-75 in the UK, EUR 85-90 in most EU countries, INR 4,000-4,800 in India, and AUD 165 in Australia. Taxes may apply. Microsoft regularly offers the Exam Replay bundle (one exam + one retake) and student / military / nonprofit discounts, and Microsoft Learn Cloud Skills Challenges have historically provided free SC-900 vouchers to qualifying participants.

What is the passing score for SC-900?

SC-900 requires a score of 700 or greater on a 1-1000 scaled scoring system. Microsoft does not publish a fixed percentage of correct answers because questions are weighted differently by difficulty and exam form, but training providers consistently estimate that 70-75% correct answers map to a 700 scaled score. You receive a preliminary pass/fail result on-screen immediately after finishing, and a full score report (with per-skill performance bars) is emailed within a few hours.

How many questions are on the SC-900 and how long is the exam?

SC-900 contains 40-60 questions delivered in a 45-minute window. That is roughly 45-65 seconds per question. Formats include multiple-choice, multiple-response, true/false, drag-and-drop, matching, build-list, and short case studies. Unlike role-based Microsoft exams, SC-900 does not include lab or hands-on performance tasks — every item is question-based. Non-native English speakers can request an extra 30 minutes at the time of scheduling.

What are the 4 SC-900 skills measured and their 2026 weights?

The 4 skills measured on SC-900 (effective 7 November 2025 and current for 2026) are: (1) Describe the concepts of security, compliance, and identity — 10-15%, (2) Describe the capabilities of Microsoft Entra — 25-30%, (3) Describe the capabilities of Microsoft security solutions — 35-40%, and (4) Describe the capabilities of Microsoft compliance solutions — 20-25%. The security solutions domain at 35-40% is the largest and covers Azure core security, Defender for Cloud, Microsoft Sentinel, and the Microsoft Defender XDR stack.

Does the SC-900 certification expire?

No. SC-900 is a Microsoft Fundamentals certification, and per Microsoft credential-expiration policy, Fundamentals certifications do not expire. Once you pass, the credential remains on your Microsoft transcript indefinitely with no renewal required and no Continuing Education hours to track. This is different from role-based and specialty Microsoft certifications (like SC-200, SC-300, AZ-500), which are valid for 1 year and require a free annual online renewal assessment on Microsoft Learn.

How long should I study for SC-900?

Most candidates pass SC-900 with 20-40 hours of focused study over 2-4 weeks. IT professionals who already know Microsoft 365 and Azure basics can often prepare in 1-2 weeks at 10-15 hours per week. Complete beginners (business stakeholders, students, career changers) should plan 4-6 weeks at 8-10 hours per week to internalize Zero Trust, identity concepts, and the Microsoft security portfolio. Microsoft itself lists SC-900 as a "beginner" level credential.

SC-900 is considered one of the easier Microsoft certifications. It is a "what is it and why would you use it" exam, not a "how do you configure it" exam. No hands-on labs, no PowerShell syntax, no architecture diagrams to read. The main difficulty is the sheer volume of Microsoft product names (Defender for Cloud vs Defender for Cloud Apps vs Defender for Endpoint vs Defender for Identity — all different tools) and the relentless rebranding of Microsoft security products. Most candidates using the free Microsoft Learn paths plus the free official Practice Assessment pass comfortably on their first attempt.

Should I take SC-900 or AZ-900 first?

Take AZ-900 first if you are entirely new to Microsoft cloud — AZ-900 introduces Azure basics (subscriptions, resource groups, regions, pricing, support), which appear implicitly in SC-900 security content. Take SC-900 first if you already know cloud basics and want to pivot into cybersecurity — SC-900 is the canonical on-ramp to SC-200 (Security Operations Analyst), SC-300 (Identity and Access Administrator), and SC-400 (Information Protection Administrator). Many candidates take both AZ-900 and SC-900 back-to-back; combined they take 30-50 hours to prep and cost $198.

What jobs can I get with SC-900?

SC-900 alone is a beginner credential — it does not qualify you for senior roles. It does, however, help entry-level candidates get interviews for: IT Support / Help Desk ($55-75k), Junior Security Analyst ($65-85k), Security Administrator ($72-90k), Compliance Coordinator ($60-80k), SOC Tier 1 Analyst ($55-75k), and IT Auditor roles at small-to-mid firms ($65-85k). SC-900 also strengthens applications for Microsoft partner-network jobs, which often require Microsoft certifications on the resume. To unlock $100k+ security salaries, plan to stack SC-900 with a role-based cert (SC-200, SC-300, or AZ-500) within 12-18 months.

Is SC-900 worth it in 2026?

Yes, for three audiences: (1) career changers pivoting into cybersecurity who need a resume-grade entry credential, (2) IT professionals at Microsoft-shop organizations who will work with Entra, Defender, or Purview daily, and (3) business stakeholders (sales, compliance, project managers) who need fluency in Microsoft security terminology. At $99 with no expiration and 20-40 hours of prep, SC-900 is one of the highest-ROI certifications in the Microsoft ecosystem. It is NOT worth it for experienced security engineers who should go directly to SC-200 / SC-300 / AZ-500, or for people who have no interest in Microsoft products (study AWS, Google Cloud, or vendor-neutral CompTIA Security+ instead).

What is the difference between Microsoft Entra and Azure Active Directory?

Microsoft Entra is the new (2023+) umbrella brand for Microsoft's identity and network access product family. Microsoft Entra ID is the renamed Azure Active Directory (Azure AD) — the underlying product is the same, only the name changed. SC-900 uses "Microsoft Entra ID" throughout, not "Azure AD." The Entra family also includes Entra ID Governance (lifecycle, access reviews, entitlement management), Entra Permissions Management, Entra Verified ID, Entra External ID, and Entra Internet/Private Access (formerly Entra Global Secure Access). All of this is testable at a conceptual level on SC-900.

What is Microsoft Defender XDR and how is it tested on SC-900?

Microsoft Defender XDR (formerly Microsoft 365 Defender) is Microsoft's extended detection and response (XDR) portfolio that correlates signals across identities, endpoints, email, and cloud apps. SC-900 tests your ability to describe each XDR component: Defender for Office 365 (email/collaboration protection), Defender for Endpoint (endpoint EDR), Defender for Cloud Apps (CASB/SaaS protection), Defender for Identity (on-prem AD / identity threat detection), Defender Vulnerability Management, and Defender Threat Intelligence. You also need to describe the unified Microsoft Defender portal. Memorize which Defender covers which workload — this is the single most frequently confused SC-900 topic.

SC-900 Exam Guide 2026: FREE Microsoft Security Prep

SC-900 in 2026: The Fastest Entry Into Microsoft Security

Microsoft SC-900 (Security, Compliance, and Identity Fundamentals) is the single best $99 you can spend to enter the Microsoft security ecosystem in 2026. It is a beginner-level credential Microsoft explicitly designed for business stakeholders, IT newcomers, and students — one that takes most candidates 20-40 hours of study and a 45-minute exam to earn, and that never expires because Microsoft Fundamentals certifications are lifetime credentials.

This guide is the most comprehensive free SC-900 resource on the web. Every detail is cross-referenced against learn.microsoft.com/credentials/certifications/exams/sc-900/ and the official SC-900 study guide effective 7 November 2025 and current for 2026.

free SC-900 practice questionsPractice questions with detailed explanations

SC-900 Exam At-a-Glance (2026)

Detail	Information
Certification	Microsoft Certified: Security, Compliance, and Identity Fundamentals
Level	Beginner (Fundamentals)
Delivery	Pearson VUE — online proctored OR test center
Questions	40-60 (varies by form)
Duration	45 minutes
Question Formats	Multiple-choice, multiple-response, true/false, drag-and-drop, matching, build-list, case studies
Passing Score	700 on a 1-1000 scaled scale
Cost	$99 USD (varies by country)
Languages	English, Japanese, Simplified Chinese, Korean, French, Spanish, Brazilian Portuguese, Russian, Arabic (KSA), Indonesian, German, Traditional Chinese, Italian
Prerequisites	None (familiarity with Azure and Microsoft 365 recommended)
Validity	Lifetime — Microsoft Fundamentals do NOT expire
Renewal	Not required
Retake Policy	24 hours after first fail; 14 days for subsequent retakes; 5 attempts per 12 months
Skills Measured Effective Date	7 November 2025 (current through 2026)
Scheduling	learn.microsoft.com → Pearson VUE OR Certiport (students/educators)

Why SC-900 Is the Best $99 in Microsoft Certs

In 2026, three forces make SC-900 one of the highest-leverage certifications you can earn:

1. The security skills shortage is acute. ISC2's 2025 Cybersecurity Workforce Study reports a global cybersecurity workforce gap of 4.8 million professionals, and 60% of US organizations say their security team is understaffed. Entry credentials that prove Microsoft-ecosystem fluency are in heavy demand.

2. Microsoft owns the enterprise. Over 85% of Fortune 500 companies run Microsoft 365, and Microsoft Security revenue exceeded $20 billion in FY2024 — up 20% year over year. Every Microsoft-shop hiring manager values fluency in Entra, Defender, and Purview.

3. SC-900 never expires. Unlike role-based Microsoft certs (SC-200, SC-300, AZ-500) which require annual renewal, SC-900 is a Fundamentals credential. Pass it once; put it on your resume forever; never pay a renewal fee.

At $99, with 20-40 hours of study, and an average 2026 SC-900-adjacent salary band of $72,000-$92,000 for entry-level security roles, SC-900 returns its investment roughly 700x in the first year.

Start SC-900 practice questions nowPractice questions with detailed explanations

Who Should Take SC-900

Microsoft designed SC-900 as a foundational credential for three distinct audiences:

Audience	Why SC-900 Fits
Business stakeholders (sales, marketing, project managers, compliance officers)	Gain fluency in Microsoft security terminology to support customer conversations, sales calls, and cross-functional projects
New or existing IT professionals	Build foundational security, compliance, and identity knowledge before moving into role-based security, identity, or compliance administrator roles
Students	Establish a first Microsoft credential for internships and entry-level roles; often bundled free with student vouchers or Microsoft Learn Student Ambassador programs

SC-900 Is a Fit If You Are

Entering cybersecurity as a career changer with no prior security credentials
An IT generalist (helpdesk, sysadmin, junior cloud engineer) who wants to specialize in security
A Microsoft 365 or Azure administrator who needs to understand the security product portfolio
A compliance / legal / risk professional at a Microsoft-shop company
A consulting / presales / solution engineer at a Microsoft partner firm
A student finishing a CS, IS, or cybersecurity degree

SC-900 Is NOT a Fit If You Are

An experienced security engineer with 3+ years hands-on — go directly to SC-200, SC-300, SC-400, or AZ-500
Someone with no interest in the Microsoft ecosystem — consider CompTIA Security+, AWS Cloud Practitioner, or Google Cybersecurity Certificate instead
Looking for a technically deep or hands-on cert — SC-900 is concept-only; it does not validate configuration skills

The 4 SC-900 Skills Measured (Effective November 2025, Current for 2026)

Microsoft refreshed the SC-900 skills measured on 7 November 2025, and this version is in effect throughout 2026. The current exam weights:

#	Skill	Weight	Approx. Question Count (at 50 items)
1	Describe the concepts of security, compliance, and identity	10-15%	5-8
2	Describe the capabilities of Microsoft Entra	25-30%	13-15
3	Describe the capabilities of Microsoft security solutions	35-40%	18-20
4	Describe the capabilities of Microsoft compliance solutions	20-25%	10-13
	Total	100%	~50

Skill 3 (security solutions) at 35-40% is the single most important area. Together Skills 2 and 3 are 60-70% of the entire exam — if your study plan does not allocate most of your time to Entra + security solutions, you will come up short.

Skill 1 — Concepts of Security, Compliance, and Identity (10-15%)

This is the shortest domain, but it is the conceptual backbone. Every other domain builds on the vocabulary and mental models here.

What You Must Know

Topic	Key Concepts
Shared Responsibility Model	Who owns security in IaaS vs PaaS vs SaaS vs on-prem; customer always owns data, accounts, access management, and endpoints
Defense in Depth	Layered security: physical → identity/access → perimeter → network → compute → application → data
Zero Trust Model	Verify Explicitly, Use Least-Privilege Access, Assume Breach (Microsoft's 3 guiding principles)
Encryption	Symmetric (AES) vs asymmetric (RSA); encryption at rest vs in transit vs in use (confidential computing)
Hashing	One-way functions; used for passwords and integrity (SHA-256); NOT the same as encryption
GRC Concepts	Governance (policy, oversight), Risk (identification, assessment, treatment), Compliance (regulatory adherence)
Identity as Primary Security Perimeter	Cloud-era shift from network perimeter to identity perimeter
Authentication vs Authorization	AuthN = who you are; AuthZ = what you can do
Identity Providers (IdP)	Centralized service that creates, maintains, and verifies identities
Directory Services & Active Directory	On-prem AD for Windows domain identity
Federation	Trust relationship between IdPs enabling SSO across domains (SAML, OIDC, WS-Fed)

The Zero Trust Principles (Memorize Exactly)

Microsoft's Zero Trust framework has three guiding principles — expect at least one question on these:

Verify Explicitly — Always authenticate and authorize based on all available data points (user identity, location, device health, service or workload, data classification, anomalies)
Use Least-Privilege Access — Limit user access with Just-In-Time (JIT) and Just-Enough-Access (JEA), risk-based adaptive policies, and data protection
Assume Breach — Minimize blast radius and segment access; verify end-to-end encryption; use analytics to get visibility, drive threat detection, and improve defenses

And six foundational pillars Zero Trust applies to: Identities, Endpoints, Applications, Data, Infrastructure, Network.

Encryption vs Hashing (Tested Directly)

Feature	Encryption	Hashing
Reversibility	Reversible with key	One-way (irreversible)
Purpose	Confidentiality	Integrity / authentication
Example Use	Protecting credit card data in transit	Storing passwords, verifying file integrity
Algorithms	AES-256, RSA, ECC	SHA-256, SHA-3, bcrypt

Skill 2 — Microsoft Entra Capabilities (25-30%)

This is where the rebrand traps candidates. Microsoft Entra is the 2023+ umbrella brand for Microsoft identity and network access products. Microsoft Entra ID is the renamed Azure AD. Every reference to "Azure AD" in older content should now read "Microsoft Entra ID" — and SC-900 uses only the new names.

The Entra Family (What Falls Under the Brand)

Product	What It Does
Microsoft Entra ID	Core identity directory (formerly Azure AD)
Microsoft Entra ID Governance	Identity lifecycle, entitlement management, access reviews
Microsoft Entra ID Protection	Risk-based identity threat detection
Microsoft Entra Privileged Identity Management (PIM)	Just-in-time privileged role activation
Microsoft Entra External ID	B2B and B2C external identity
Microsoft Entra Verified ID	Decentralized / verifiable credentials
Microsoft Entra Permissions Management	Cloud infrastructure entitlement management (CIEM)
Microsoft Entra Internet Access / Private Access	Identity-centric secure access (formerly Global Secure Access)

Identity Types in Entra ID

SC-900 expects you to distinguish:

Identity Type	Examples
Users	Humans (employees, guests)
Devices	Registered, joined, hybrid-joined devices
Groups	Security groups, M365 groups, dynamic groups
Service Principals / Managed Identities	Non-human identities for apps and Azure resources
Workload Identities	Apps, services, automation scripts authenticating to resources

Hybrid Identity

Hybrid identity is identity that spans on-prem Active Directory and cloud Entra ID. Key technologies:

Entra Connect Sync — synchronizes identities from on-prem AD to Entra ID
Entra Connect Cloud Sync — lighter-weight, cloud-managed sync
Password Hash Sync (PHS) — hash-of-hash synced to cloud; simplest
Pass-Through Authentication (PTA) — validates passwords against on-prem AD
Federation — delegates authentication to AD FS or third-party IdP

Authentication Capabilities

Capability	What It Is
Authentication Methods	Password, MFA, passwordless (Windows Hello, FIDO2 security keys, Authenticator app), certificate-based
Multi-Factor Authentication (MFA)	Two or more of: something you know, something you have, something you are
Self-Service Password Reset (SSPR)	Users reset their own passwords with verification
Password Protection	Banned password lists, on-prem password protection agent
Smart Lockout	Locks attackers out after failed attempts while allowing legitimate users

Access Management Capabilities

Capability	What It Is
Conditional Access	Policy engine: if [signals] then [access controls] — e.g., if sign-in risk high AND device non-compliant, require MFA + block download
Entra Roles & RBAC	Role-based access control at Azure resource level (Owner, Contributor, Reader, custom)
Entra Built-In Roles	Global Administrator, User Administrator, Security Administrator, etc.

Identity Protection and Governance

Capability	What It Is
Entra ID Protection	Detects sign-in risk (impossible travel, anonymous IP, leaked credentials) and user risk
Entra ID Governance	Lifecycle workflows, entitlement management, access reviews, PIM
Access Reviews	Periodic review of who has access to what (groups, apps, roles)
Privileged Identity Management (PIM)	Just-in-time activation of privileged roles with approval and MFA requirements

The Conditional Access Mental Model (Tested Often)

Conditional Access = IF [signals] THEN [access controls]

Signals include:

User / group membership
Location (IP ranges, named locations, countries)
Device (compliant, hybrid-joined, platform)
Application (which app being accessed)
Sign-in risk level (from Entra ID Protection)
User risk level (from Entra ID Protection)

Access controls include:

Block access
Grant access with requirements: require MFA, require compliant device, require approved client app, require terms of use, require password change

Conditional Access is the tool to know for SC-900. Any scenario involving "require MFA under these conditions" or "only allow this app from corporate devices" is Conditional Access.

Skill 3 — Microsoft Security Solutions (35-40%)

The biggest domain on SC-900. If you only have time to deeply master one skill area, make it this one. It splits into four sub-areas: Azure infrastructure security, Azure security management (Defender for Cloud), Microsoft Sentinel, and Microsoft Defender XDR.

Azure Core Infrastructure Security

Service	What It Does
Azure DDoS Protection	Always-on Basic tier (free) + Standard / IP Protection / Network Protection tiers for adaptive DDoS mitigation
Azure Firewall	Managed, cloud-native stateful firewall; application and network rules; FQDN filtering; threat intel filtering
Web Application Firewall (WAF)	Protects web apps from OWASP Top 10 (SQL injection, XSS, etc.); deployed with Azure Front Door, Application Gateway, or CDN
Azure Virtual Networks & Segmentation	VNets, subnets, peering — create private network boundaries
Network Security Groups (NSGs)	Layer-3/4 stateful access control lists on subnets and NICs
Azure Bastion	Jumpbox-as-a-service for secure RDP/SSH to VMs without public IPs
Azure Key Vault	Managed secret, key, and certificate store with HSM-backed options

Microsoft Defender for Cloud

Defender for Cloud is Microsoft's Cloud-Native Application Protection Platform (CNAPP) — combining:

CSPM (Cloud Security Posture Management) — continuous assessment, secure score, regulatory compliance dashboard
CWPP (Cloud Workload Protection) — threat protection for servers, containers, databases, storage, key vault, APIs, DNS
Multi-cloud — supports Azure, AWS, and GCP

Key concepts:

Secure Score — gamified posture metric (higher = more secure)
Security Policies, Standards, Recommendations — built on Azure Policy; includes built-ins (Azure Security Benchmark, NIST, ISO 27001, PCI DSS)
Enhanced Security Features — the paid "Defender for [workload]" plans (Defender for Servers, Containers, SQL, Storage, Key Vault, App Service, Resource Manager, DNS, APIs)

Microsoft Sentinel

Microsoft Sentinel is the cloud-native SIEM + SOAR:

Term	What It Is
SIEM	Security Information and Event Management — collects logs and security events, correlates them, and generates alerts
SOAR	Security Orchestration, Automated Response — automated playbooks that run in response to alerts

Sentinel capabilities:

Data connectors (100+ built-in, including Microsoft 365, Azure, AWS, GCP, third-party security tools)
Analytics rules — scheduled queries that generate incidents
Workbooks — dashboards
Hunting queries — proactive threat hunting (KQL-based)
Notebooks — Jupyter-based advanced investigation
Playbooks — Logic Apps-based automated response

Microsoft Defender XDR (Formerly Microsoft 365 Defender)

This is where rebranding traps candidates. Microsoft Defender XDR is the unified XDR platform. It includes several "Defender for [X]" products, each protecting a different workload. Memorize which Defender does what — this is the single most-confused topic on SC-900.

Product	What It Protects
Microsoft Defender for Office 365	Email, SharePoint, OneDrive, Teams — phishing, malware, impersonation, safe links, safe attachments
Microsoft Defender for Endpoint	Windows, macOS, Linux, Android, iOS endpoints — EDR, vulnerability management, attack surface reduction
Microsoft Defender for Cloud Apps	SaaS apps (Microsoft 365, Salesforce, Google Workspace, Box, etc.) — CASB, app discovery, policies, threat detection
Microsoft Defender for Identity	On-prem Active Directory — detects identity-based attacks (Kerberoasting, golden ticket, pass-the-hash)
Microsoft Defender Vulnerability Management	Discovers, prioritizes, and remediates vulnerabilities across endpoints
Microsoft Defender Threat Intelligence (Defender TI)	External threat intelligence and attack surface management
Microsoft Defender Portal	Unified portal at security.microsoft.com that stitches alerts into cross-domain incidents

The "Defender for X" Memorization Table

Attack Surface	Which Defender?
Phishing email	Defender for Office 365
Ransomware on laptop	Defender for Endpoint
Shadow IT / unsanctioned SaaS	Defender for Cloud Apps
Attacker lateral movement in AD	Defender for Identity
Exposed Azure storage account	Defender for Cloud (Defender for Storage plan)
Unknown vulnerabilities on servers	Defender Vulnerability Management
Unknown external assets	Defender EASM / Defender TI

A great heuristic: "For Cloud" = Azure resources. "For Cloud Apps" = SaaS apps. "For Endpoint" = devices. "For Identity" = on-prem AD. "For Office 365" = email/Teams/SharePoint/OneDrive.

Skill 4 — Microsoft Compliance Solutions (20-25%)

This is the Microsoft Purview domain. Microsoft consolidated its compliance and data governance tools under the Microsoft Purview brand in 2022 (merging the old Microsoft 365 Compliance Center and Azure Purview). Every compliance product you see on SC-900 now lives under Purview.

Microsoft Service Trust Portal and Privacy

Topic	What You Must Know
Service Trust Portal	servicetrust.microsoft.com — hosts Microsoft's audit reports (SOC 1/2/3, ISO 27001/27017/27018/27701, FedRAMP, HIPAA BAA)
Microsoft Privacy Principles	Control, Transparency, Security, Strong Legal Protections, No Content-Based Targeting, Benefits to You
Microsoft Priva	Privacy risk management and subject rights requests (DSR)

Microsoft Purview Portal and Compliance Manager

Microsoft Purview Portal — the unified admin portal at purview.microsoft.com
Compliance Manager — measures regulatory compliance posture; provides assessments against standards (GDPR, HIPAA, ISO 27001, NIST 800-53, etc.)
Compliance Score — gamified posture score based on completed improvement actions

Information Protection, Data Lifecycle, and Data Governance

Capability	What It Does
Data Classification	Built-in and custom sensitive info types (credit cards, SSNs, passports, PHI); trainable classifiers
Content Explorer	Shows what sensitive data exists across M365
Activity Explorer	Shows actions taken on labeled / DLP-matched content
Sensitivity Labels	Classify + protect (encrypt, watermark, restrict) documents and emails
Sensitivity Label Policies	Publish labels to users, enforce defaults, enable auto-labeling
Data Loss Prevention (DLP)	Prevents sensitive data from leaving via email, Teams, endpoints, or Defender for Cloud Apps
Records Management	Declaring content as a record with retention enforcement
Retention Policies, Labels, Label Policies	Retain content for X years; delete after Y; event-based triggers

Insider Risk, eDiscovery, and Audit

Capability	What It Does
Insider Risk Management	Detects risky internal user activity (data exfiltration, policy violations, departing employee risk)
eDiscovery	Find, preserve, collect, and export content for legal / investigation matters; Standard and Premium tiers
Audit	Unified audit log across Microsoft 365; Standard (90-day retention) and Premium (1-year or more)

The Purview Capability Mental Model

When a SC-900 question describes a scenario, match the business need to the Purview capability:

Business Need	Purview Capability
"Classify & encrypt sensitive docs"	Sensitivity labels
"Prevent credit cards leaving via email"	Data Loss Prevention (DLP)
"Retain or delete content on a schedule"	Retention policies / labels
"Measure our GDPR posture"	Compliance Manager
"Detect a departing employee exfiltrating data"	Insider Risk Management
"Preserve content for a lawsuit"	eDiscovery
"Investigate what a user did 6 months ago"	Audit (Premium)
"Respond to a GDPR subject rights request"	Microsoft Priva (subject rights requests)

Cost, Registration, and Retake Policy

SC-900 Cost (2026)

United States: $99 USD
United Kingdom: ~GBP 69-75
European Union (most): ~EUR 85-90
India: ~INR 4,000-4,800
Australia: ~AUD 165
Canada: ~CAD 125

Taxes may apply. Exact pricing is shown at checkout during Pearson VUE scheduling.

How to Register

Create (or sign in to) a personal Microsoft Account (MSA) — Microsoft strongly recommends NOT using a work/school account, because exam records are lost if you leave that organization
Go to learn.microsoft.com/credentials/certifications/exams/sc-900/ and click "Schedule exam"
Choose Pearson VUE (most candidates) or Certiport (if you are a student/educator)
Select online-proctored or test center, pick date/time, pay

Discounts and Free Vouchers

Exam Replay — bundle of one exam + one retake at reduced total cost
Microsoft Learn Cloud Skills Challenges — periodic free voucher opportunities
Microsoft Student Ambassadors / Imagine Academy — free exams for qualifying students
Military / VA / nonprofit discounts — available in select regions
Employer sponsorship — many Microsoft-shop employers reimburse passed exams

Retake Policy

After first failure: wait 24 hours
After second+ failure: wait 14 days
Maximum: 5 attempts per 12-month period
Full exam fee applies to every retake

Renewal Policy (There Is None)

SC-900 does not expire. Per Microsoft's credential expiration policy, Fundamentals certifications are lifetime credentials. Once you pass SC-900, it remains on your Microsoft transcript indefinitely with:

No annual renewal assessment
No Continuing Education hours
No maintenance fees
No re-testing

This is different from role-based and specialty Microsoft certifications (SC-200, SC-300, SC-400, AZ-500, etc.), which are valid for 1 year and require a free annual online renewal assessment on Microsoft Learn.

4-Week SC-900 Study Plan

This plan assumes 8-10 hours per week (40 total hours). Compress to 2 weeks at 15-20 hours/week if you are an IT professional with Microsoft 365 / Azure familiarity. Extend to 6-8 weeks at 5-6 hours/week if you are a complete beginner.

Week 1 — Concepts + Microsoft Learn Path 1

Read: Official SC-900 study guide in full (30 min)
Microsoft Learn: Complete the learning path "Describe the concepts of security, compliance, and identity" (~3 hours)
Memorize:
- 3 Zero Trust principles (Verify Explicitly, Least Privilege, Assume Breach)
- 6 Zero Trust pillars (Identities, Endpoints, Apps, Data, Infrastructure, Network)
- Shared responsibility split (IaaS / PaaS / SaaS / on-prem)
- Encryption vs hashing distinction
- AuthN vs AuthZ
Practice: 25 SC-900 questions on Skill 1 concepts
Watch: John Savill's SC-900 Zero Trust episode (free on YouTube)

Week 2 — Microsoft Entra (Skill 2)

Microsoft Learn: Complete the learning path "Describe the capabilities of Microsoft Entra" (~5 hours)
Focus on:
- Entra ID vs on-prem AD differences
- Hybrid identity options (PHS, PTA, federation)
- MFA and passwordless methods
- Conditional Access policy components (signals → controls)
- PIM workflow (eligible → active with approval)
- Entra ID Protection sign-in risk vs user risk
Build: A free Microsoft 365 Developer tenant; click through the Entra admin center to see features live (free, high ROI)
Practice: 40 SC-900 questions on Skill 2
Watch: Andy Malone's Microsoft Entra breakdown (YouTube)

Week 3 — Microsoft Security Solutions (Skill 3, Biggest)

Microsoft Learn: Complete the learning path "Describe the capabilities of Microsoft security solutions" (~6 hours)
Build the Defender table: Make a 1-page cheat sheet of which Defender protects which workload (Office 365 / Endpoint / Cloud Apps / Identity / Cloud) — this is the single most-tested area
Memorize:
- Azure Firewall vs WAF vs NSGs (which operates at which layer, for which purpose)
- Defender for Cloud: CSPM vs CWPP; Secure Score
- Microsoft Sentinel: SIEM + SOAR; data connectors, analytics rules, playbooks
- Defender XDR unified portal
Practice: 60 SC-900 questions on Skill 3 — this is the biggest domain
Watch: Microsoft Mechanics videos on Defender for Cloud and Sentinel

Week 4 — Compliance + Full Mocks + Weak Spots

Microsoft Learn: Complete the learning path "Describe the capabilities of Microsoft compliance solutions" (~4 hours)
Memorize the Purview capability matching table (sensitivity labels → protect docs; DLP → prevent leakage; retention → delete on schedule; Compliance Manager → posture; Insider Risk → departing employee; eDiscovery → legal hold; Audit → user activity history)
Take the official Microsoft Practice Assessment — this is the #1 most predictive of exam score; take it twice, aim for 85%+
Take 2 full-length timed mocks (45 minutes, 50 questions) — use our free SC-900 practice for timed runs
Review weak areas: For every missed question, click the linked Microsoft Learn module and re-read the section
Day before exam: Flashcards only. Defender product differentiation, Purview capability differentiation, Zero Trust principles, Conditional Access signals. Sleep 8 hours.

Recommended Resources (Free-First)

Free (The Full Pass Stack)

Resource	Why
Microsoft Learn SC-900 Learning Paths	The primary source. Microsoft writes the exam from these modules. ~18 hours total across the 4 skills.
Microsoft Official Practice Assessment (learn.microsoft.com)	50 questions with per-objective scoring and direct Microsoft Learn module linkbacks. Highest single-resource ROI on the entire web.
Microsoft Exam Sandbox	Free interactive demo of the exam interface — eliminates test-day UI surprises.
John Savill's SC-900 Exam Cram (YouTube)	The gold standard of free SC-900 video content. ~3-4 hour comprehensive walkthrough.
Andy Malone MVP (YouTube)	Excellent Microsoft Entra and Defender deep dives.
Microsoft Mechanics (YouTube)	First-party product demos for Defender for Cloud, Sentinel, Purview.
OpenExamPrep free SC-900 practice	Start here — free practice questions with AI tutor explanations.
r/AzureCertification and r/Microsoft365 subreddits	Trip reports, study tips, current-week updates.
GitHub SC-900 study repos (e.g., RickKotlarz/SC-900)	Community-maintained study notes and flashcards.

Paid (Only If You Want Structure)

Resource	What It Is	Who Should Buy
Tutorials Dojo SC-900 Practice Exams	High-quality timed practice exams (~$15)	Candidates who want extra practice beyond the free Microsoft assessment
MeasureUp Official Practice Test	Microsoft-endorsed practice test	Candidates who want the most official-feel practice
Pluralsight / LinkedIn Learning SC-900 Paths	Video courses (often via employer subscription or free trial)	Candidates who learn best via video
Udemy SC-900 Courses (Scott Duffy, Alan Rodrigues, John Christopher)	Comprehensive video + practice, often $15-25 on sale	Candidates who want structured video pacing
Exam Ref SC-900 (Microsoft Press)	Official textbook	Candidates who prefer reading over video

The lean budget stack: Microsoft Learn (free) + Microsoft Official Practice Assessment (free) + John Savill YouTube (free) + Tutorials Dojo practice tests ($15) + $99 exam. Total: $114.

Exam-Day Strategy: The SC-900 Sprint

SC-900 is a fast exam — 40-60 questions in 45 minutes. That is 45-65 seconds per question. You do not have time to reread long passages.

Pacing

Minute 0-30: Answer every question as you encounter it. If a question takes more than 60 seconds, flag it and move on.
Minute 30-40: Revisit flagged questions.
Minute 40-45: Final review. Change answers only with concrete reason.

Microsoft Question Archetypes

Archetype	Signal	Strategy
Definition check	"Which of the following is..."	Pick the definition. Move fast.
Match capability to scenario	"A company wants to [do X]. Which service should they use?"	Eliminate implausible products first.
Drag-and-drop / matching	Drag items onto correct categories	Work from your most-confident matches outward.
Build list	Order steps in a process	Know the standard Microsoft workflow (Conditional Access flow, PIM flow, Sentinel flow).
Hot area / case study	Short scenario + multiple questions	Read the scenario twice, then answer each question without reopening the scenario.

The Elimination Engine

For scenario questions:

Eliminate wrong-workload answers. If the scenario is about email, eliminate Defender for Endpoint. If it is about laptops, eliminate Defender for Office 365.
Eliminate deprecated/renamed options. Microsoft loves to put old product names as distractors. If you see "Azure AD Conditional Access" and "Microsoft Entra Conditional Access" on the same question, Entra is correct.
Eliminate "on-prem only" answers when the scenario is cloud, and vice versa.
When genuinely unsure, pick the broader Microsoft recommendation — the "Microsoft wants you to use Zero Trust + managed services" answer is almost always correct.

Online-Proctored Setup

Quiet room, door closable
Clear desk — no papers, phones, books, extra monitors
Government ID ready
Close every other app (Teams, Slack, browser tabs)
Test your webcam and mic before start
Log in 30 minutes before start to run Pearson VUE system checks

Common Mistakes That Tank First-Time Candidates

Mistake #1: Ignoring the Microsoft Rebrand

Azure AD → Microsoft Entra ID. Microsoft 365 Defender → Microsoft Defender XDR. Compliance Center → Microsoft Purview. Azure Security Center → Microsoft Defender for Cloud. Exam questions use the new names. If your study material is older than late 2022, replace it.

Mistake #2: Confusing the Defender Family

Defender for Cloud (Azure resources) ≠ Defender for Cloud Apps (SaaS apps). Defender for Endpoint (laptops/servers) ≠ Defender for Identity (on-prem AD). Build a 1-page Defender differentiation cheat sheet in Week 3 and drill it daily.

Mistake #3: Over-Studying Skill 1 Concepts

Skill 1 is only 10-15% of the exam. Candidates love the conceptual readings (Zero Trust, defense in depth) and spend too long here. Give it 1 week max and move on.

Mistake #4: Under-Practicing Skills 2 and 3

Skills 2 (25-30%) and 3 (35-40%) are 60-70% of the exam. Most failed candidates spent the majority of their time on Skills 1 and 4 and "ran out of time" for proper Entra + Defender depth.

Mistake #5: Skipping the Official Microsoft Practice Assessment

The Microsoft Official Practice Assessment on Microsoft Learn is free, includes 50 exam-style questions, and has per-objective scoring with direct Microsoft Learn module linkbacks. Candidates who pass the practice assessment at 85%+ have a ~95% pass rate on the real exam. This is the single best free resource.

Mistake #6: Treating SC-900 Like a Hands-On Exam

SC-900 is conceptual only. You do not need to know PowerShell syntax, Kusto Query Language (KQL), or how to configure Conditional Access in the admin portal. You need to know what each service does and when to use it. Do not waste time memorizing CLI commands.

Mistake #7: Misreading "NOT" Questions

Microsoft frequently writes questions as "Which of the following is NOT a capability of Microsoft Entra ID?" Missing the NOT is a guaranteed wrong answer. Slow down on question stems that contain NOT, EXCEPT, ONLY, BEST, or FIRST.

Mistake #8: Not Using the Free Microsoft 365 Developer Tenant

Microsoft gives you a free M365 E5 dev tenant with 25 user licenses. Logging in and clicking through Entra ID, Defender, and Purview portals lets you see the products live — and that 3-hour tour is worth 10 hours of reading.

SC-900 vs AZ-900 vs AI-900 — The Microsoft Fundamentals Trio

All three are beginner-level Microsoft Fundamentals certs. Many candidates take all three back-to-back.

Dimension	SC-900	AZ-900	AI-900
Focus	Security, Compliance, Identity	Azure cloud fundamentals	Azure AI fundamentals
Cost	$99	$99	$99
Duration	45 min	45 min	45 min
Questions	40-60	40-60	40-60
Passing Score	700/1000	700/1000	700/1000
Expires	No	No	No
Hours to prep	20-40	20-40	15-30
Best for	Security career path	Cloud career path	AI/ML career path

Recommended order for a Microsoft beginner with zero Microsoft experience:

AZ-900 first (cloud basics)
SC-900 second (security specialization)
AI-900 third (AI fluency)

Combined cost: $297. Combined prep time: 55-110 hours. Combined resume weight: enormous for career changers.

Career Paths After SC-900

SC-900 alone is a beginner credential. To unlock $100k+ security salaries, stack SC-900 with a role-based Microsoft security cert within 12-18 months.

The Microsoft Security Certification Ladder

Cert	Role	Typical Salary Range (US, 2026)
SC-900 (this exam)	Foundational knowledge	n/a — resume credential only
SC-200: Security Operations Analyst	SOC analyst, threat hunter	$85,000 - $125,000
SC-300: Identity and Access Administrator	Entra ID admin, identity engineer	$90,000 - $135,000
SC-400: Information Protection Administrator	Purview / DLP admin	$85,000 - $125,000
AZ-500: Azure Security Engineer Associate	Azure-focused security engineer	$105,000 - $150,000
SC-100: Cybersecurity Architect Expert	Senior architect / principal	$140,000 - $210,000
CISSP / CISM	Manager / CISO	$140,000 - $250,000

Entry-Level Roles SC-900 Helps Land

Role	Typical Salary (US, 2026)
IT Support / Help Desk	$55,000 - $75,000
Junior Security Analyst	$65,000 - $85,000
Security Administrator	$72,000 - $90,000
Compliance Coordinator	$60,000 - $80,000
SOC Tier 1 Analyst	$55,000 - $75,000
Junior IT Auditor (small-mid firm)	$65,000 - $85,000

Realistic 2-year path: SC-900 now → entry-level security job within 3-6 months → SC-200 or SC-300 within 12 months → senior analyst or identity engineer role at $100,000+ within 18-24 months.

Final CTA: Start Practicing Today

SC-900 is the cheapest, fastest, highest-ROI credential in the Microsoft ecosystem. The candidates who fail almost always share one trait: they studied passively with only Microsoft Learn reading. You can fix that right now.

Start practicing nowPractice questions with detailed explanations

The 2026 Microsoft ecosystem has more security openings than qualified candidates. SC-900 is the fastest credential path into those openings, and the cert itself lasts the rest of your career — no renewal, no fees, no re-testing.

Good luck. You can pass this in a month.

Official Sources

Microsoft SC-900 certification page: https://learn.microsoft.com/en-us/credentials/certifications/exams/sc-900/
Official SC-900 study guide (effective 7 Nov 2025): https://learn.microsoft.com/en-us/credentials/certifications/resources/study-guides/sc-900
Microsoft credential expiration policy: https://learn.microsoft.com/en-us/credentials/support/credential-expiration-policy
Microsoft exam retake policy: https://learn.microsoft.com/en-us/credentials/support/retake-policy
Microsoft Zero Trust guidance: https://learn.microsoft.com/en-us/security/zero-trust/
Microsoft Entra documentation: https://learn.microsoft.com/en-us/entra/
Microsoft Defender XDR documentation: https://learn.microsoft.com/en-us/defender-xdr/
Microsoft Purview documentation: https://learn.microsoft.com/en-us/purview/
Microsoft Service Trust Portal: https://servicetrust.microsoft.com

Information current as of April 2026. Always verify specific fees, dates, and skills-measured details at learn.microsoft.com before scheduling.

✓Key Facts