SC-900 Exam Flashcards

Q: What is the SC-900 passing score and exam length?

SC-900 requires a scaled score of 700 out of 1000 to pass. The exam contains 40-60 multiple-choice and multiple-select questions and you have 45 minutes to complete it. The fee is US$99 in the United States. The certification does not expire because it is a fundamentals-level credential.

Q: What changed in the 2026 SC-900 update?

Microsoft added a fifth domain on AI security solutions weighted 12-18%. It covers Microsoft Security Copilot, Data Security Posture Management for AI (DSPM for AI), risky AI prompt detection in Microsoft 365 Copilot, and oversharing prevention. Together with Microsoft Entra, this AI domain accounts for roughly 35-45% of the modern SC-900 blueprint.

Q: What are the five SC-900 exam domains and weights?

The 2026 SC-900 domains are: Describe SCI concepts (10-15%), Describe Microsoft Entra capabilities (25-30%), Describe Microsoft security solutions (25-30%), Describe Microsoft compliance solutions (25-30%), and Describe Microsoft AI security solutions (12-18%). Focus first on Entra and the security/compliance solution sets, then close out with the AI domain and SCI concepts.

Q: Do I need IT or Azure experience to pass SC-900?

No. SC-900 is a fundamentals exam testing conceptual knowledge, not hands-on configuration. You should be able to describe what each service does and when to use it, but you do not need to deploy resources. Most candidates pass with 20-35 hours of study using Microsoft Learn modules, a practice assessment, and flashcards for vocabulary recall.

Q: What is the SC-900 retake policy if I fail?

After a first failed attempt you can retake the exam after 24 hours. If you fail a second time you must wait 14 days before each subsequent attempt. Microsoft caps attempts at five within any rolling 12-month period. Each retake costs US$99 unless you have a voucher from a Microsoft Virtual Training Day.

Question 1

Shared responsibility model

Accepted Answer

Splits security duties between the cloud provider and customer. Provider always owns physical hosts, network, and datacenter; customer always owns data, devices, and identities. OS, network controls, and apps shift based on IaaS, PaaS, or SaaS.

Question 2

Defense in depth

Accepted Answer

Layered security strategy (physical, identity, perimeter, network, compute, application, data) so no single control failure exposes the asset. Microsoft uses these seven layers in its reference architecture diagrams.

Question 3

Zero Trust guiding principles

Accepted Answer

Three principles: Verify Explicitly (use all signals to authenticate), Use Least Privilege Access (just-in-time, just-enough), and Assume Breach (segment, encrypt, monitor). Memorize these exact phrases — they appear verbatim on the exam.

Question 4

Encryption at rest vs in transit vs in use

Accepted Answer

At rest = stored data on disk or in storage (BitLocker, SSE). In transit = data moving across a network (TLS). In use = data being processed in memory, protected by confidential computing with trusted execution environments.

Question 5

Hashing vs encryption

Accepted Answer

Hashing is one-way and produces a fixed-length digest used for integrity checks and password storage. Encryption is reversible with a key and used to keep data confidential. Salting adds randomness to defeat rainbow-table attacks on hashes.

Question 6

CIA triad

Accepted Answer

Confidentiality (no unauthorized disclosure), Integrity (no unauthorized modification), Availability (authorized users can access). Tampering breaks Integrity; ransomware that locks files breaks Availability; data leaks break Confidentiality.

Question 7

Identity as the primary security perimeter

Accepted Answer

With cloud and remote work, the network boundary no longer reliably contains workloads. Identity is the most consistent control point across devices and apps, so authentication and authorization become the new perimeter.

Question 8

Microsoft Entra ID

Accepted Answer

Microsoft's cloud-based identity and access management service (formerly Azure Active Directory). Stores users, groups, and apps in a tenant and provides authentication, SSO, and Conditional Access. A tenant equals one dedicated Entra instance.

Question 9

Authentication vs authorization

Accepted Answer

Authentication (AuthN) proves who you are using credentials, MFA, or certificates. Authorization (AuthZ) decides what that verified identity is allowed to do, typically via roles or permissions. AuthN always happens before AuthZ.

Question 10

Entra ID identity types

Accepted Answer

Four types: users (humans, member or guest), service principals (app identities in a tenant), managed identities (Azure-managed service principals, no secrets to rotate), and devices. Managed identities come in system-assigned and user-assigned flavors.

Question 11

Multi-factor authentication (MFA)

Accepted Answer

Requires two or more factors from different categories: something you know (password), something you have (phone, token), something you are (biometric). MFA blocks over 99% of identity attacks per Microsoft research.

Question 12

Passwordless authentication options

Accepted Answer

Microsoft supports three passwordless methods: Windows Hello for Business (biometric or PIN bound to device), Microsoft Authenticator app phone sign-in, and FIDO2 security keys. All replace passwords with a private key and a second factor.

Question 13

Self-service password reset (SSPR)

Accepted Answer

Entra ID feature letting users reset or unlock their own accounts after verifying identity through approved methods. Reduces helpdesk calls. Administrators must register at least two authentication methods regardless of policy.

Question 14

Conditional Access

Accepted Answer

Entra ID P1+ policy engine that evaluates signals (user, device, location, app, risk) and enforces access decisions like require MFA, require compliant device, or block. Acts as the Zero Trust policy enforcement layer.

Question 15

Single sign-on (SSO)

Accepted Answer

Lets a user authenticate once and gain access to multiple applications without re-entering credentials. Improves security (one strong sign-in to harden with MFA) and user experience. Implemented through federation protocols like SAML, OIDC, or WS-Fed.

Question 16

Entra External ID

Accepted Answer

Unified product for external identities, covering business-to-business (B2B) collaboration with partners and customer identity and access management (CIAM) for consumer-facing apps. Replaces the legacy Azure AD B2C tenant model for new projects.

Question 17

Entra Verified ID

Accepted Answer

Microsoft's decentralized identity service based on W3C Verifiable Credentials. Lets organizations issue digital credentials (employment, education, certifications) that users hold in a wallet and present to verifiers without contacting the issuer.

Question 18

Entra ID P1 vs P2

Accepted Answer

P1 adds Conditional Access, dynamic groups, group-based licensing, and hybrid identity (Entra Connect). P2 adds everything in P1 plus Identity Protection (risk-based policies) and Privileged Identity Management (PIM). PIM and risk policies require P2.

Question 19

Privileged Identity Management (PIM)

Accepted Answer

Entra ID P2 feature providing just-in-time, time-bound elevation to privileged Entra and Azure roles. Adds approval workflows, MFA on activation, and access reviews. Implements Zero Trust least-privilege for admins.

Question 20

Entra Identity Protection

Accepted Answer

P2-only service that detects identity risks (leaked credentials, impossible travel, anonymous IP, malware-linked IP) and assigns user risk and sign-in risk scores. Risk signals feed Conditional Access for automated remediation.

Question 21

Access reviews vs entitlement management

Accepted Answer

Access reviews recertify whether a user still needs an existing role or group. Entitlement management packages roles, groups, and apps into access packages with request workflows and expirations. Both are Entra ID Governance features.

Question 22

Role-Based Access Control (RBAC) in Azure

Accepted Answer

Authorization model that assigns built-in or custom roles to a security principal at a scope (management group, subscription, resource group, resource). Inheritance flows down; deny assignments override allows.

Question 23

Microsoft Defender XDR

Accepted Answer

Microsoft's cross-domain extended detection and response platform. Correlates signals from Defender for Endpoint, Office 365, Identity, and Cloud Apps into unified incidents in the Microsoft Defender portal. Replaces the old Microsoft 365 Defender brand.

Question 24

Defender for Endpoint

Accepted Answer

Endpoint detection and response (EDR) for Windows, macOS, Linux, iOS, and Android. Provides next-gen antivirus, attack surface reduction rules, automated investigation and remediation, and Threat and Vulnerability Management.

Question 25

Defender for Office 365

Accepted Answer

Protects email and collaboration tools (Exchange Online, Teams, SharePoint, OneDrive) from phishing, business email compromise, and malicious attachments. Key features: Safe Links, Safe Attachments, and Attack Simulation Training.

Question 26

Defender for Identity

Accepted Answer

Detects identity-based attacks targeting on-premises Active Directory, such as pass-the-hash, golden ticket, and lateral movement. Uses sensors installed on domain controllers to analyze authentication traffic. Different from Entra Identity Protection (cloud).

Question 27

Defender for Cloud Apps

Accepted Answer

Microsoft's cloud access security broker (CASB). Discovers shadow IT, assesses SaaS app risk, applies session controls through reverse proxy, and protects sanctioned apps with policies. Do not confuse with Defender for Cloud (Azure CSPM).

Question 28

Defender for Cloud (CSPM and CWPP)

Accepted Answer

Combines Cloud Security Posture Management (assess configuration against Microsoft Cloud Security Benchmark, generate Secure Score) and Cloud Workload Protection (runtime threat protection for servers, containers, databases, storage) across Azure, AWS, and GCP.

Question 29

Microsoft Secure Score

Accepted Answer

Measurement of an organization's security posture in Defender for Cloud (Azure) and Microsoft 365 Defender (productivity workloads). Higher score = more recommended controls implemented. The two scores are separate products and not interchangeable.

Question 30

Microsoft Sentinel

Accepted Answer

Cloud-native SIEM and SOAR built on Azure. Ingests logs through data connectors, hunts with Kusto Query Language (KQL), and automates response with playbooks built on Azure Logic Apps. Pay-as-you-go pricing based on data ingested.

Question 31

SIEM vs SOAR vs XDR

Accepted Answer

SIEM aggregates and analyzes logs across the enterprise (Sentinel). SOAR automates response with playbooks (Sentinel). XDR correlates telemetry from endpoint, identity, email, and cloud apps into incidents (Defender XDR). Sentinel and Defender XDR integrate bidirectionally.

Question 32

Microsoft Intune

Accepted Answer

Unified endpoint management (formerly Endpoint Manager). Enforces device compliance, deploys configuration profiles, manages apps with MAM policies, and feeds device compliance status to Conditional Access. Supports Windows, macOS, iOS, Android, and Linux.

Question 33

Azure Key Vault

Accepted Answer

Managed service for storing and accessing secrets, keys, and certificates with hardware-protected options. Apps authenticate using managed identities so no secrets are embedded in code. Supports soft delete and purge protection to recover deleted items.

Question 34

Network Security Group (NSG)

Accepted Answer

Stateful packet filter applied to Azure subnets or NICs. Allows or denies traffic by source/destination IP, port, and protocol. Evaluated in priority order with implicit deny at the end. Application Security Groups let you group VMs by workload, not IP.

Question 35

Azure Firewall

Accepted Answer

Managed, cloud-native stateful firewall-as-a-service with built-in high availability and unrestricted scale. Provides FQDN filtering, threat intelligence-based filtering, and TLS inspection (Premium). Use it for centralized network filtering across virtual networks.

Question 36

Microsoft Purview Information Protection

Accepted Answer

Discovers, classifies, labels, and protects sensitive data across Microsoft 365, endpoints, and SaaS. Built on sensitivity labels that apply encryption, watermarks, and access restrictions that travel with the file wherever it goes.

Question 37

Sensitivity labels vs retention labels

Accepted Answer

Sensitivity labels classify and PROTECT data (encryption, headers, access). Retention labels manage data LIFECYCLE (retain or delete after a period, declare records). A file can carry one sensitivity label and one retention label simultaneously.

Question 38

Microsoft Purview Data Loss Prevention (DLP)

Accepted Answer

Detects, monitors, and blocks risky sharing of sensitive content (credit cards, PII, IP) across Exchange, SharePoint, OneDrive, Teams, endpoints, and non-Microsoft cloud apps. Policies use sensitive info types and trainable classifiers.

Question 39

Records management

Accepted Answer

Purview capability for declaring content as records with regulatory retention. Records cannot be edited or deleted during retention. Used to meet legal-hold and regulatory requirements like SEC 17a-4 or GDPR retention rules.

Question 40

Insider Risk Management

Accepted Answer

Purview solution that uses machine learning to detect risky behavior by employees (data exfiltration, departing-employee theft, policy violations) while protecting privacy through pseudonymization. Feeds Adaptive Protection signals into DLP and Conditional Access.

Question 41

Communication compliance

Accepted Answer

Purview solution that scans messages across Teams, Exchange, Yammer, and connected third-party platforms for harassment, code of conduct violations, regulatory leaks, and inappropriate content. Surfaces alerts for designated reviewers with workflow.

Question 42

eDiscovery (Standard vs Premium)

Accepted Answer

Tools for searching, identifying, and exporting content for legal cases. Standard supports basic search, hold, and export. Premium adds custodian management, review sets, deeper analytics, machine learning to reduce review volume, and predictive coding.

Question 43

Purview Audit (Standard vs Premium)

Accepted Answer

Audit logs capture user and admin activity across Microsoft 365. Standard retains logs 180 days. Premium extends to 1 year (or 10 years with add-on), adds high-bandwidth API access, and surfaces premium events like MailItemsAccessed for forensic investigations.

Question 44

Compliance Manager and improvement actions

Accepted Answer

Purview tool that gives a Compliance Score across assessments (GDPR, HIPAA, ISO 27001, NIST). Improvement actions are concrete tasks (technical or documentation) that raise the score. Microsoft-managed actions are inherited; customer-managed actions require manual work.

Question 45

Service Trust Portal

Accepted Answer

Microsoft public site providing audit reports (SOC 1/2/3, ISO, FedRAMP), penetration test results, white papers, and compliance documentation for cloud services. Used by customers to demonstrate due diligence to their own auditors.

Question 46

Microsoft Priva

Accepted Answer

Privacy management product separate from Purview. Handles Priva Privacy Risk Management (identifies privacy risks in stored personal data) and Priva Subject Rights Requests (automates GDPR/CCPA data-subject access and deletion requests across Microsoft 365).

Question 47

Microsoft Security Copilot

Accepted Answer

Generative AI assistant for security professionals built on GPT-4 and Microsoft's security-specific model. Standalone and embedded experiences inside Defender XDR, Sentinel, Intune, and Entra. Priced per Security Compute Unit (SCU) on a provisioned basis.

Question 48

DSPM for AI

Accepted Answer

Data Security Posture Management for AI is a Purview capability that discovers AI usage in the tenant, flags risky AI prompts containing sensitive data, and detects oversharing in Microsoft 365 Copilot responses. Surfaces shadow AI use of unsanctioned tools like ChatGPT.

Question 49

Microsoft 365 Copilot oversharing risk

Accepted Answer

Copilot inherits the permissions of the asking user, so it can surface any file that user has access to — including files overshared due to broad SharePoint permissions. DSPM for AI and sensitivity labels with encryption are the mitigation, not just blocking Copilot.

Question 50

Adaptive Protection

Accepted Answer

Capability that takes risk levels from Insider Risk Management and dynamically tightens DLP policies and Conditional Access for users showing risky behavior (for example, a departing employee triggers stricter blocking on sensitive downloads).

Free SC-900 Exam Flashcards

Filter by Topic

Jump to Card

About These SC-900 Flashcards

Topics Covered

Frequently Asked Questions

Microsoft Certified: Security, Compliance, and Identity Fundamentals (SC-900)

Explore More Microsoft Certifications

Microsoft Power BI Data Analyst

Azure MD-102

Microsoft Certified: Security Operations Analyst Associate (SC-200)

Azure MS-102

Microsoft Power Platform Functional Consultant

Microsoft Certified: Identity and Access Administrator Associate (SC-300)

More From This Family