
100+ Free Microsoft SC-900 Practice Questions

Pass your Microsoft Security, Compliance, and Identity Fundamentals exam on the first try — instant access, no signup required.


Key Facts: Microsoft SC-900 Exam (2026 statistics)

  • Passing score: 700/1000 (Microsoft)
  • Questions: 40-60 (Microsoft)
  • Time limit: 45 min (Microsoft)
  • Exam fee: $99 USD
  • Study time: 20-30 hrs (recommended)
  • Exam domains: 5 (Microsoft, 2026 update)

Sample Microsoft SC-900 Practice Questions

Try these sample questions to test your Microsoft SC-900 exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which statement best describes the cloud shared responsibility model?
A. The cloud provider is responsible for all security regardless of service model
B. Security responsibilities are divided between the cloud provider and the customer based on the service model
C. The customer is always responsible for the physical datacenter
D. Responsibility shifts entirely to the customer once data is uploaded
Explanation: The shared responsibility model splits responsibilities between the cloud provider and the customer. The provider always handles the physical hosts, physical network, and datacenter. The customer always owns information and data, devices, and accounts/identities. The remaining responsibilities (operating system, network controls, applications) shift between the parties depending on whether the service is IaaS, PaaS, or SaaS.
2. Under the shared responsibility model, who is ALWAYS responsible for information and data, devices, and accounts/identities?
A. The cloud provider
B. The customer
C. It depends on the service model
D. A neutral third party
Explanation: Across IaaS, PaaS, and SaaS, the customer always retains responsibility for information and data, devices (mobile and PCs), and accounts and identities. The cloud provider is always responsible for the physical hosts, physical network, and datacenter.
3. What is the core idea behind a defense in depth strategy?
A. Rely on a single strong perimeter firewall
B. Use multiple layers of security controls so no single failure exposes the asset
C. Encrypt data only when it leaves the network
D. Replace all on-premises controls with cloud-native ones
Explanation: Defense in depth uses a layered approach (physical, identity and access, perimeter, network, compute, application, data) so that if one control fails another still protects the asset. It avoids single points of failure in a security architecture.
4. Which three principles form the foundation of the Zero Trust model?
A. Trust but verify, encrypt everything, audit annually
B. Verify explicitly, use least privilege access, assume breach
C. Build perimeter, monitor logs, patch systems
D. Block by default, allow by exception, log everything
Explanation: The three Microsoft Zero Trust guiding principles are Verify Explicitly (always authenticate and authorize using all available signals), Use Least Privilege Access (just-in-time and just-enough access), and Assume Breach (segment, encrypt, and use analytics to detect threats).
5. Which Zero Trust principle is best illustrated by network microsegmentation and end-to-end encryption?
A. Verify explicitly
B. Use least privilege access
C. Assume breach
D. Trust internal traffic
Explanation: Assume Breach drives the use of microsegmentation, end-to-end encryption, and continuous analytics. The premise is that an attacker may already be inside, so you limit the blast radius and continuously inspect activity.
6. What does the C in the CIA triad stand for?
A. Compliance
B. Confidentiality
C. Continuity
D. Cryptography
Explanation: The CIA triad consists of Confidentiality (protecting data from unauthorized disclosure), Integrity (preventing unauthorized modification), and Availability (ensuring authorized users can access data when needed).
7. Which CIA triad property is violated when an attacker tampers with a database record?
A. Confidentiality
B. Integrity
C. Availability
D. Authenticity
Explanation: Integrity ensures data is not changed in unauthorized ways. Tampering with records is an integrity violation. Confidentiality is about disclosure, and availability is about access.
8. Which encryption state protects data while it is stored on disk in a database or storage account?
A. Encryption in transit
B. Encryption at rest
C. Encryption in use
D. Encryption in motion
Explanation: Encryption at rest protects stored data on disks, in databases, or in storage accounts. Encryption in transit protects data moving between systems (for example, TLS). Encryption in use protects data while it is being processed in memory (for example, confidential computing).
9. Which technology is most associated with encryption in use?
A. TLS 1.3
B. BitLocker
C. Confidential computing using trusted execution environments
D. Storage Service Encryption
Explanation: Encryption in use protects data while it is being processed. Azure confidential computing uses hardware-based trusted execution environments (TEEs) such as Intel SGX or AMD SEV-SNP to keep data encrypted in memory during processing. TLS protects data in transit; BitLocker and Storage Service Encryption protect data at rest.
10. Which statement correctly distinguishes hashing from encryption?
A. Hashing is reversible with the right key; encryption is one-way
B. Hashing is one-way and produces a fixed-length value; encryption is reversible with a key
C. Hashing requires a public and private key; encryption only requires a password
D. Hashing and encryption are interchangeable terms
Explanation: Hashing is a one-way function that maps input of any length to a fixed-length digest. There is no key and no inverse, so the input cannot be recovered from the digest; a low-entropy input such as a short password can still be found by guessing, which is why password storage uses a salted, deliberately slow hash (PBKDF2, bcrypt, or Argon2) rather than a bare SHA-256. Hashing is used for integrity verification and password storage. Encryption is reversible by anyone holding the correct key and is used to keep data confidential.
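As an added illustration of questions 7 and 10 (example code written for this page, not taken from the SC-900 exam or from Microsoft documentation), the script below shows the three properties the explanations rely on: a hash is fixed-length and has no inverse, a cipher round-trips with its key, and detecting deliberate tampering needs a keyed tag (HMAC) rather than a bare digest. It uses only the Python standard library; a one-time pad (XOR with a random key as long as the message) stands in for a production cipher such as AES so the reversible/irreversible contrast runs offline, and the sample record, passwords and keys are constructed for the demo.

```python
"""Hashing vs encryption (Q10) and hashing for integrity (Q7).

Added example for this page; not exam material or Microsoft code.
Standard library only: SHA-256, HMAC and PBKDF2 from hashlib/hmac, plus a
one-time pad (XOR with a random key as long as the message) standing in for
a production cipher such as AES.
"""
import hashlib
import hmac
import secrets


def sha256_hex(data: bytes) -> str:
    """One-way: input of any length -> a fixed 256-bit digest (64 hex chars).
    There is no key, so nothing can 'decrypt' the digest back to the input."""
    return hashlib.sha256(data).hexdigest()


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Reversible: XOR every byte with a key byte. Needs len(key) >= len(plaintext)
    and a fresh random key per message (one-time pad); key reuse breaks it."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


otp_decrypt = otp_encrypt  # XOR is its own inverse: same key, same operation


def hash_password(password: str, salt: bytes = b"", iterations: int = 600_000) -> tuple[bytes, bytes]:
    """Password storage: salted, deliberately slow PBKDF2-HMAC-SHA256.
    A bare SHA-256 of a password is still one-way, but short passwords can be
    guessed offline; the salt defeats precomputed tables and the iteration
    count makes each guess expensive. Returns (salt, digest) to store."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes, iterations: int = 600_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, stored)


def sign_record(record: bytes, mac_key: bytes) -> str:
    """Integrity tag for a database record. A plain hash stored beside the record
    would not do: whoever can edit the record can recompute SHA-256 too. An HMAC
    needs the secret mac_key, so a tampered record fails verification."""
    return hmac.new(mac_key, record, hashlib.sha256).hexdigest()


def record_is_intact(record: bytes, tag: str, mac_key: bytes) -> bool:
    return hmac.compare_digest(sign_record(record, mac_key), tag)


if __name__ == "__main__":
    # Constructed sample data for the demo.
    short, long = b"pw", b"x" * 10_000
    print("sha256(2 bytes):    ", sha256_hex(short))
    print("sha256(10000 bytes):", sha256_hex(long))  # same digest length

    key = secrets.token_bytes(32)
    ciphertext = otp_encrypt(b"account balance: 100", key)
    print("decrypted:", otp_decrypt(ciphertext, key))  # b'account balance: 100'

    salt, stored = hash_password("correct horse battery staple")
    print("right password verifies:", verify_password("correct horse battery staple", salt, stored))
    print("wrong password verifies:", verify_password("Tr0ub4dor&3", salt, stored))

    mac_key = secrets.token_bytes(32)
    record = b"id=42;balance=100"
    tag = sign_record(record, mac_key)
    print("original record intact:", record_is_intact(record, tag, mac_key))
    print("tampered record intact:", record_is_intact(b"id=42;balance=900", tag, mac_key))
```

The last two lines are the Q7 point in practice: the attacker who changes `balance=100` to `balance=900` cannot produce a matching tag without the MAC key, so the integrity violation is caught; in Azure the same role is played by signatures or MACs on stored data rather than by an unkeyed checksum.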

About the Microsoft SC-900 Exam

Foundational certification that validates understanding of security, compliance, and identity (SCI) concepts and the related Microsoft Entra, Microsoft Defender, Microsoft Sentinel, Microsoft Purview, Microsoft Priva, and Microsoft Security Copilot capabilities across Azure and Microsoft 365.

  • Questions: 40-60
  • Time limit: 45 minutes
  • Passing score: 700/1000
  • Exam fee: $99 USD (Microsoft)

Microsoft SC-900 Exam Content Outline

  • Security, Compliance, and Identity Concepts (10-15%): shared responsibility, defense in depth, Zero Trust, CIA triad, encryption, hashing, identity as the primary security perimeter
  • Microsoft Entra Capabilities (25-30%): Entra ID, authentication methods, MFA, SSPR, Conditional Access, External ID, Verified ID, Entra ID P1 vs P2 awareness
  • Microsoft Security Solutions (25-30%): Microsoft Defender XDR, Defender for Endpoint/Office 365/Identity/Cloud Apps, Defender for Cloud, Microsoft Sentinel, Intune
  • Microsoft Compliance Solutions (25-30%): Service Trust Portal, Microsoft Purview Information Protection, DLP, Retention, Records Management, Insider Risk, eDiscovery, Audit, Compliance Manager, Microsoft Priva
  • Microsoft AI Security Solutions (NEW 2026) (12-18%): Microsoft Security Copilot, DSPM for AI, risky AI prompt detection, oversharing prevention, Adaptive Protection

How to Pass the Microsoft SC-900 Exam

What You Need to Know

  • Passing score: 700/1000
  • Exam length: 40-60 questions
  • Time limit: 45 minutes
  • Exam fee: $99 USD

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Microsoft SC-900 Study Tips from Top Performers

1. Memorize the three Zero Trust principles: Verify Explicitly, Use Least Privilege Access, and Assume Breach
2. Know the difference between Defender for Cloud (CSPM/CWPP for Azure and multi-cloud workloads) and Defender for Cloud Apps (the Microsoft 365 CASB)
3. Distinguish Microsoft Sentinel (cloud-native SIEM/SOAR) from Microsoft Defender XDR (cross-domain XDR)
4. Be able to pick between sensitivity labels (classification + protection) and retention labels (lifecycle) for a given scenario
5. Study the new 2026 AI security content: Microsoft Security Copilot and DSPM for AI (risky AI prompts and data oversharing)
6. Use Microsoft branding correctly: Microsoft Entra ID (not Azure AD) and Microsoft Sentinel (not Azure Sentinel)

Frequently Asked Questions

What is the Microsoft SC-900 exam?

The SC-900 (Microsoft Security, Compliance, and Identity Fundamentals) is an entry-level certification that validates understanding of security, compliance, and identity concepts and how Microsoft Entra, Microsoft Defender, Microsoft Sentinel, Microsoft Purview, Microsoft Priva, and Microsoft Security Copilot deliver them across Azure and Microsoft 365.

How many questions are on the SC-900 exam?

The SC-900 exam contains 40-60 multiple-choice and multiple-select questions. You have 45 minutes to complete the exam. The passing score is 700 out of 1000.

How long should I study for SC-900?

Most candidates need 20-30 hours of study over 2-4 weeks. Focus on Microsoft Entra capabilities and the new AI security domain (Security Copilot and DSPM for AI), which together account for over 35% of the 2026 exam.

What topics are covered on the SC-900 exam?

The 2026 SC-900 exam covers five domains: SCI concepts (10-15%), Microsoft Entra capabilities (25-30%), Microsoft security solutions (25-30%), Microsoft compliance solutions (25-30%), and the new Microsoft AI security solutions domain (12-18%) covering Security Copilot and DSPM for AI.

Is Microsoft SC-900 worth it?

Yes. SC-900 is the recommended starting point for anyone moving into Microsoft security, compliance, or identity roles. It establishes vocabulary needed for SC-200 (Security Operations), SC-300 (Identity and Access), SC-400 (Information Protection), and AZ-500 (Azure Security Engineer).

What is the difference between SC-900 and AZ-500?

SC-900 is a fundamentals exam testing conceptual knowledge of Microsoft SCI solutions across Azure and Microsoft 365. AZ-500 is an associate-level Azure Security Engineer exam requiring hands-on experience configuring identity, platform, data, and application security in Azure. SC-900 is recommended before AZ-500.