1.1 Credential Purpose and Audience
Key Takeaways
- SC-900 is a Microsoft Fundamentals certification that validates foundational knowledge of security, compliance, and identity (SCI) concepts and related cloud-based Microsoft solutions.
- Microsoft targets SC-900 at three audiences: business stakeholders, new or existing IT professionals, and students.
- Microsoft recommends candidates be familiar with Microsoft Azure and Microsoft 365 because SCI solutions span both areas.
- SC-900 tests recognition, definitions, and product matching across Microsoft Entra, Microsoft security, and Microsoft Purview, not hands-on administration.
SC-900 starts with purpose, not product memorization
Microsoft Certified: Security, Compliance, and Identity Fundamentals (exam code SC-900) demonstrates foundational knowledge of security, compliance, and identity concepts and related cloud-based Microsoft solutions. It sits at the Fundamentals tier of Microsoft's certification ladder, alongside AZ-900 (Azure Fundamentals) and AI-900 (AI Fundamentals). The Fundamentals tier is deliberately broad: the exam rewards clean definitions, accurate vocabulary, and correct product-to-scenario matching far more than deep configuration or implementation steps.
You will not be asked to write a Conditional Access policy or hunt through a portal blade; you will be asked which capability solves a stated problem.
Microsoft frames the credential around the abbreviation SCI — security, compliance, and identity. Treat SCI as three connected lenses you apply to every scenario:
- Security asks how resources are protected and how threats are detected, investigated, and responded to (Azure Firewall, Microsoft Defender for Cloud, Microsoft Sentinel, Microsoft Defender XDR).
- Compliance asks how legal and regulatory obligations, data handling, governance, and evidence are managed (Microsoft Purview, Service Trust Portal, Priva, Compliance Manager).
- Identity asks who or what is requesting access and what that identity is permitted to do (Microsoft Entra ID, authentication, authorization, Conditional Access).
The official audience profile shapes the question style
Microsoft publishes a specific audience profile, and it directly explains how questions are written. The exam is for anyone looking to familiarize themselves with the fundamentals of SCI across cloud-based and related Microsoft services. Three roles are named explicitly.
| Audience | Why they take SC-900 | What the exam expects |
|---|---|---|
| Business stakeholder | Needs the vocabulary to discuss risk, governance, and Microsoft solution areas with technical teams | Understand terms well enough to reason about why identity governance or Zero Trust matters |
| New or existing IT professional | Wants a portfolio map before specializing into role-based exams (SC-200, SC-300, SC-400, AZ-500) | Recognize foundational cloud security, identity, and compliance capabilities and pick the right product family |
| Student | Building baseline cloud-security literacy | Establish vocabulary that later, deeper certifications assume |
Microsoft also states that candidates should be familiar with Microsoft Azure and Microsoft 365 and want to understand how Microsoft SCI solutions span both solution areas to provide a holistic, end-to-end solution. That wording is load-bearing for the exam. SC-900 is not an Azure-only exam and it is not a Microsoft 365-only exam — it deliberately bridges the two. Microsoft Entra ID secures sign-in for both Azure resources and Microsoft 365 apps; Microsoft Purview governs data that lives in both; Microsoft Defender XDR protects Office 365, endpoints, and identities. Expect cross-solution answers.
Study like a product-aware generalist
The right posture for SC-900 is a product-aware generalist who can explain what a capability is for and when to choose it, without configuring it. You should be able to say why identity is the primary security perimeter in the cloud, why Zero Trust is a strategy rather than a single product you buy, and why an eDiscovery request belongs to Microsoft Purview rather than to Microsoft Entra. The hardest Fundamentals questions test category boundaries, not obscure trivia.
- If a question asks about beginner-level intent, choose foundational knowledge over job-role administration.
- If a question names Azure and Microsoft 365 together, expect a cross-solution SCI answer.
- If a question asks who should take SC-900, keep the audience broad: stakeholders, IT professionals, and students — not "only security analysts" or "only architects."
Keep the four product families crisp from day one: Microsoft Entra ID is identity and access management; Microsoft Defender for Cloud is cloud security posture management and workload protection; Microsoft Sentinel is cloud-native SIEM and SOAR; Microsoft Purview is compliance, data governance, and risk. This chapter builds the orientation map; the chapters that follow fill in each capability in depth.
Where SC-900 sits in the Microsoft certification landscape
Understanding the credential's neighbors helps you read questions correctly and plan what comes next. Microsoft organizes its certifications into Fundamentals, role-based (Associate and Expert), and Specialty tiers. SC-900 is a Fundamentals exam, which means it is a starting point, and for non-specialists an end in itself, rather than a gate you must pass before a role-based exam. There is no prerequisite for SC-900, and SC-900 is not required before taking SC-200, SC-300, or SC-400 — though the foundational vocabulary it builds makes those exams considerably easier.
| Exam | Tier | Focus | Relationship to SC-900 |
|---|---|---|---|
| AZ-900 | Fundamentals | Azure cloud concepts, pricing, governance | Sibling Fundamentals exam; builds on the same shared-responsibility and cloud-basics foundation |
| AI-900 | Fundamentals | Azure AI/ML workloads | Sibling Fundamentals exam; no overlap in SCI content |
| SC-900 | Fundamentals | Security, compliance, identity overview | This exam — the broad SCI map |
| SC-300 | Associate (role-based) | Identity & access administration in Microsoft Entra | Natural next step for identity specialists |
| SC-200 | Associate (role-based) | Security operations with Sentinel and Defender | Natural next step for SOC/analyst roles |
| SC-400 | Associate (role-based) | Information protection & compliance in Purview | Natural next step for compliance/data roles |
A recurring exam framing is the contrast between "describe" and "configure." Every SC-900 objective verb is describe or define — never implement, configure, or troubleshoot. If an answer option implies a hands-on engineering action ("deploy a firewall rule," "write a KQL hunting query," "build a DLP policy"), it is almost always describing the wrong tier of work for a Fundamentals question. The correct answer states what the capability is or which product addresses the need.
Common audience-and-purpose traps
- "SC-900 is only for security analysts." False — the audience is intentionally broad, including non-technical business stakeholders.
- "SC-900 proves you can run a SOC or administer Entra." False — those are role-based skills tested by SC-200 and SC-300.
- "SC-900 is an Azure exam, so Microsoft 365 tools won't appear." False — Microsoft 365 services such as Defender for Office 365 and Purview are squarely in scope.
- "You need AZ-900 first." False — there are no prerequisites for SC-900.
The orientation mindset, then, is breadth with precision. You are learning a vocabulary and a map: which problem each Microsoft product solves, and which lens — security, compliance, or identity — a scenario belongs to. Get that map right, and the remaining chapters simply add depth to landmarks you can already name.
Which description best matches the purpose of SC-900?
Who is included in the official SC-900 target audience?
What background does Microsoft recommend before studying for SC-900?