12.6 Final Memory Check and Scenario Drills
Key Takeaways
- Compress the whole guide into compact decision maps: which product family owns which problem, which concept explains the scenario, and which logistics facts block bad assumptions.
- Memorize the rebrand map cold - Azure AD->Microsoft Entra ID, Azure Sentinel->Microsoft Sentinel, Microsoft 365 Defender->Microsoft Defender XDR, Azure Information Protection->Microsoft Purview Information Protection, MCAS->Defender for Cloud Apps.
- Azure infrastructure controls (Firewall, WAF, NSG, Bastion, Key Vault, DDoS Protection) live in the security-solutions domain and are NOT Defender products.
- End every drill by saying why each distractor is wrong - active recall of contrasts beats passive rereading on a fundamentals exam.
Use Compact Maps, Not More Pages of Notes
The final memory check should compress the guide into decision maps, not a rewrite. You need to recall which product family owns which problem, which concept explains a scenario, and which logistics facts block bad assumptions. Active drills beat passive rereading because SC-900 questions ask you to recognize and apply terms in context.
Start with the product map:
| Drill prompt | First thought | Lane |
|---|---|---|
| Require MFA for risky sign-ins | Identity access control | Microsoft Entra (Conditional Access + ID Protection) |
| Find recommendations to harden cloud resources | Cloud security posture | Defender for Cloud (CSPM, Secure Score) |
| Discover and govern shadow-IT SaaS apps | Cloud app security | Defender for Cloud Apps |
| Correlate alerts across sources and auto-respond | SIEM and SOAR | Microsoft Sentinel |
| Detect phishing in email and Teams | Email/collab protection | Defender for Office 365 |
| Apply sensitivity labels and DLP to data | Data protection/compliance | Microsoft Purview |
| Split duties between provider and customer | Cloud security concept | Shared responsibility |
| Verify explicitly, least privilege, assume breach | Security model | Zero Trust |
If the scenario is about network traffic, private admin access, or secret storage, the answer is an Azure infrastructure control (Firewall, WAF, NSG, Bastion, Key Vault, DDoS Protection) - not a Defender product. That distinction is a frequent trap.
Memorize the Rebrand Map and the Concept Contrasts
Microsoft rebrands are heavily tested, often hidden inside distractors. Burn this table in:
| Old name (may appear as a distractor) | Current name to choose |
|---|---|
| Azure Active Directory (Azure AD) | Microsoft Entra ID |
| Azure AD Premium P1/P2 | Microsoft Entra ID P1/P2 |
| Azure Sentinel | Microsoft Sentinel |
| Microsoft 365 Defender / Microsoft Threat Protection | Microsoft Defender XDR |
| Microsoft Cloud App Security (MCAS) | Microsoft Defender for Cloud Apps |
| Azure Information Protection / Microsoft Information Protection | Microsoft Purview Information Protection |
| Office 365 / Microsoft 365 Compliance Center | Microsoft Purview (compliance portal) |
Concept contrasts are the other high-yield drill, because they decide the concepts domain (10-15%):
- Encryption protects confidentiality by transforming data with a key and is reversible with the key; hashing supports integrity verification and is one-way (no key recovers the original).
- Authentication proves who you are; authorization decides what you can access. The exam loves to swap these.
- Defense in depth stacks layered controls; Zero Trust adds the three principles verify explicitly, use least-privilege access, assume breach.
- Compliance Manager / compliance score measures compliance posture against regulations; Microsoft Secure Score measures security posture of your environment. Different domains, similar shape.
A Ten-Minute Final Drill
Run this active, timed sequence the day before or the morning of the exam - no search engine allowed:
- Write the five lanes from memory: Microsoft Entra, Azure infrastructure controls, Microsoft Defender, Microsoft Sentinel, Microsoft Purview. Add three scenario clues under each.
- Recite the rebrand map - say each old name and its current name aloud.
- Write the four skills-measured domains and their weights: concepts 10-15%, Entra 25-30%, security solutions 35-40%, compliance 20-25%.
- Recite the logistics facts: ~45-minute assessment, ~65-minute seat, 700 to pass on a 1-1000 scale, no published pass rate, 24-hour then 14-day retakes capped at five per 12 months, non-expiring credential.
- Answer five mixed scenario questions and explain why each wrong option is wrong out loud.
The last step matters most. Explaining distractors forces the contrasts that win close questions: Defender for Cloud vs. Defender for Cloud Apps, Compliance Manager vs. Secure Score, Entra ID Governance vs. Defender for Identity, encryption vs. hashing. If you can name why three options are wrong, the right one usually selects itself. Keep your final notes to one page of maps - not chapters - and stop early enough to arrive rested.
High-Yield Scenario Clues to Rehearse
Most SC-900 questions hinge on a single clue word that points to one lane. Drill these trigger-to-product mappings until they fire instantly:
| Clue in the scenario | Points to |
|---|---|
| "risky sign-in," "compromised credential," "risk policy" | Entra ID Protection |
| "just-in-time," "eligible role," "approve activation" | Entra Privileged Identity Management (PIM) |
| "recurring access certification," "attest to access" | Entra access reviews / ID Governance |
| "if/then access rule based on signals" | Conditional Access |
| "regulatory assessment," "improvement actions" | Compliance Manager / compliance score |
| "recommendations to harden Azure/multicloud resources" | Defender for Cloud / Secure Score |
| "shadow IT," "sanction/unsanction SaaS apps" | Defender for Cloud Apps |
| "phishing/malware in email and Teams" | Defender for Office 365 |
| "endpoint EDR, device investigation" | Defender for Endpoint |
| "on-prem AD attack, lateral movement" | Defender for Identity |
| "label data by sensitivity," "prevent data exfiltration" | Purview sensitivity labels / DLP |
| "hold and search content for a legal case" | Purview eDiscovery |
The Three Zero Trust Principles and Six Pillars
The concepts domain almost always tests Zero Trust. Memorize the three guiding principles - verify explicitly, use least-privilege access, and assume breach - and the six pillars they protect: identities, devices (endpoints), applications, data, infrastructure, and networks. A scenario that says "never trust by network location" or "continuously validate every request" is signaling Zero Trust, not defense in depth.
Pair that with the shared responsibility model (the customer always owns data, identities/accounts, and devices; responsibility for the OS, network, and physical layers shifts toward Microsoft as you move from IaaS to PaaS to SaaS). Knowing exactly which party owns which layer at each service model is a recurring, high-yield item that rewards a few minutes of final-drill attention.
A scenario asks for a service to provide secure, private RDP/SSH access to virtual machines without exposing public IPs. Which lane is correct?
On the exam you see the distractor 'Azure Sentinel.' Which current product name should you map it to?
Which statement correctly distinguishes encryption from hashing for the concepts domain?