11.1 Read the Scenario Before Picking a Product
Key Takeaways
- SC-900 product-selection questions almost always lead with a business problem, so classify the workload before you read the answer choices.
- Microsoft Entra owns identity and access, Microsoft Defender owns protection and detection, Microsoft Sentinel owns SIEM and SOAR, and Microsoft Purview owns compliance and data governance.
- Decide whether the scenario is about identity, security operations, cloud workload posture, or compliance before matching a specific service.
- Real Microsoft services that solve a different layer of the problem are the most common distractors; the right answer owns the primary job described.
Product Selection Starts With the Workload
SC-900 is the Microsoft Security, Compliance, and Identity Fundamentals exam: roughly 40 to 60 multiple-choice questions in about 45 to 60 minutes, with a passing score of 700 out of 1000 and no prerequisites. Because it is a fundamentals exam, product-selection questions reward recognition rather than deep configuration skill. The scenario might describe a risky sign-in, a cloud workload recommendation, a phishing campaign, a data loss prevention requirement, or a security operations workflow. Before you scan for a familiar product name, decide what kind of problem the organization is actually trying to solve.
A reliable first pass sorts the scenario into four lanes that mirror the four SC-900 product families. Microsoft Entra is the identity and access lane. Microsoft Defender is the protection and detection lane covering endpoints, email, cloud apps, identity signals, threat intelligence, vulnerability exposure, and cloud workloads. Microsoft Sentinel is the SIEM and SOAR lane for collecting security data, correlating incidents, hunting, and automating response. Microsoft Purview is the compliance and data governance lane for classification, labels, retention, eDiscovery, audit, privacy, risk, and compliance assessment.
| Scenario clue | Product family to consider first | Why it fits |
|---|---|---|
| Sign-in risk, multifactor authentication, access review, privileged role | Microsoft Entra | The problem is identity, access, or governance. |
| Endpoint, email, SaaS app, on-premises identity attack, cloud workload protection | Microsoft Defender | The problem is threat protection, detection, or remediation. |
| Cross-source incident, analytics rule, workbook, hunting query, playbook | Microsoft Sentinel | The problem is SIEM, SOAR, or security operations workflow. |
| Sensitivity label, DLP, retention, eDiscovery, audit, compliance score | Microsoft Purview | The problem is compliance, data protection, or investigation of data activity. |
The Four-Step Exam Move
Use a consistent sequence so you never freeze on a long scenario:
- Identify the noun being protected — identity, device, app, data, cloud resource, or security event.
- Identify the action — authenticate, authorize, detect, investigate, automate, classify, retain, or audit.
- Match the action to the product family before choosing a specific service.
- Recheck close names, especially Microsoft Defender for Cloud (posture management and workload protection for Azure and multicloud resources) versus Microsoft Defender for Cloud Apps (visibility and control over SaaS apps, the cloud access security broker).
Worked examples make the move concrete. A prompt about removing an administrator's standing privileged access and requiring just-in-time activation points to Microsoft Entra Privileged Identity Management (PIM), not Sentinel: the noun is identity and the verb is authorize. A prompt about correlating alerts from many different sources into a single investigable incident points to Microsoft Sentinel, not a single Defender workload product: the verb is correlate. A prompt about applying a label that marks files as confidential and can trigger encryption points to Microsoft Purview sensitivity labels, even though the protected files live in Microsoft 365: the verb is classify.
Distractors Are Usually Real Services
The exam rarely invents fake products. Instead it offers real Microsoft services that solve a different layer of the problem. Azure Firewall controls network traffic but does not perform eDiscovery. Microsoft Defender for Endpoint protects devices but is not where you create retention labels. Microsoft Purview Compliance Manager assesses compliance posture and improvement actions but is not a SIEM. Azure Key Vault stores secrets and keys but does not detect risky sign-ins. The right answer is the product that owns the primary job in the scenario, not a plausible neighbor.
Keep the official SC-900 skill areas in mind when reviewing misses. In the current study guide the four measured domains are: concepts of security, compliance, and identity (about 10 to 15 percent); capabilities of Microsoft Entra (about 25 to 30 percent); capabilities of Microsoft security solutions, covering Azure infrastructure security, Defender for Cloud, Microsoft Sentinel, and Defender XDR (about 35 to 40 percent); and capabilities of Microsoft compliance solutions, covering Purview, the Service Trust Portal, and Priva (about 20 to 25 percent). Microsoft revises these weights when it updates the exam, so confirm them against the study guide on Microsoft Learn before you plan your review time.
Microsoft security and compliance solutions together dominate the blueprint, so being fast at moving from scenario language to the right product family is one of the highest-value skills you can drill before test day. When you slow down and name the lane first, the four-option list usually collapses to a single defensible answer.
Trigger Words That Pin the Lane
Microsoft tends to reuse a vocabulary of trigger words, and learning them is faster than learning every feature. The words below act as near-deterministic lane markers in SC-900 scenarios:
- Entra trigger words: sign-in, authentication, multifactor, Conditional Access, role assignment, RBAC, access review, eligible role, privileged, identity risk, tenant, single sign-on, federation, password protection.
- Defender trigger words: endpoint, device, malware, phishing, email attachment, SaaS app, shadow IT, virtual machine posture, secure score, vulnerability, threat intelligence, on-premises Active Directory attack.
- Sentinel trigger words: data connector, log ingestion, analytics rule, incident, correlate, hunt, KQL, workbook, automation rule, playbook, SIEM, SOAR, security operations center.
- Purview trigger words: classify, sensitivity label, DLP, retention, records, eDiscovery, audit log search, insider risk, compliance score, data lifecycle, privacy, subject rights request.
When two lanes seem to apply, the primary verb breaks the tie. A scenario can mention an email phishing campaign (Defender territory) but actually ask how to correlate that alert with sign-in, endpoint, and third-party firewall alerts into one incident; the primary verb is correlate and the data spans sources outside the Defender portal, so the answer is Sentinel. Another scenario can mention sensitive customer records (Purview territory) but ask how to prevent users from emailing those records externally; the verb is prevent leakage, so the answer is Purview DLP specifically, not sensitivity labels and not Defender.
Reading for the verb that the question actually asks you to satisfy, rather than the most eye-catching noun, is the discipline that separates a confident pass from a coin-flip.
Finally, watch for questions that ask for the broadest or most appropriate single product. If a scenario lists symptoms that span endpoint, email, and identity and then asks for one unified detection-and-response experience, the intended answer is usually Microsoft Defender XDR (the correlation layer across the Defender workloads and Microsoft Entra ID Protection) rather than any single workload Defender. If it also asks to bring non-Microsoft logs, Azure resource logs, or custom data sources into the same investigation, or uses SIEM vocabulary such as connectors, analytics rules, and playbooks, the intended answer shifts to Microsoft Sentinel.
Holding this hierarchy — workload product, then XDR, then Sentinel — in mind prevents both under-selecting (picking one workload product when correlation is required) and over-selecting (jumping to Sentinel when a single workload product is the better fit).
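As an added study aid (this is example code written for this page, not part of the original text and not Microsoft tooling), the four-step move, the trigger-word tie-break, and the workload-product, Defender XDR, Sentinel hierarchy are put together below as a small Python classifier. The trigger lists are the ones from this section; the handful of added entries such as "identity condition" and "third-party", the ask-clause weight of 3, the service-level refinement rules, and the scenario strings are assumptions made for the example. It scores each lane by trigger hits, weights the sentence that states the ask so the verb outranks the set-up nouns, and only then narrows to a service.

```python
import re

# Added study aid: the four-step move as a small classifier. The trigger lists
# are the ones in this section (lower-cased, some as word stems so that "hunt"
# also matches "hunting"); a few phrase variants such as "identity condition"
# and "third-party" are assumptions added so the page's own scenarios score.
LANE_TRIGGERS = {
    "Microsoft Entra": [
        "sign-in", "authentication", "multifactor", "conditional access",
        "role assignment", "rbac", "access review", "eligible role",
        "privileged", "identity risk", "identity condition", "tenant",
        "single sign-on", "federation", "password protection",
    ],
    "Microsoft Defender": [
        "endpoint", "device", "malware", "phishing", "email attachment",
        "saas app", "shadow it", "virtual machine", "secure score",
        "vulnerabilit", "threat intelligence", "active directory",
    ],
    "Microsoft Sentinel": [
        "data connector", "log ingestion", "analytics rule", "incident",
        "correlat", "hunt", "kql", "workbook", "automation rule", "playbook",
        "siem", "soar", "security operations", "multiple sources",
        "non-microsoft", "third-party",
    ],
    "Microsoft Purview": [
        "classif", "sensitivity label", "dlp", "data loss prevention",
        "retention", "record", "ediscovery", "audit log", "insider risk",
        "compliance score", "data lifecycle", "privacy", "subject rights",
    ],
}

ASK_WEIGHT = 3  # assumption: a hit in the clause that states the ask counts triple

# Nouns that identify separate Defender workloads; two or more of them plus a
# request for one unified experience is the Defender XDR pattern.
WORKLOAD_SIGNALS = ["endpoint", "device", "email", "phishing", "sign-in",
                    "identity", "saas app", "cloud app"]


def split_context_and_ask(scenario):
    """Steps 1 and 2: separate the eye-catching set-up from the sentence that
    actually states the ask (the last sentence ending in '?', else the last one)."""
    parts = [p.strip() for p in re.split(r"(?<=[.?!])\s+", scenario.strip()) if p.strip()]
    if not parts:
        return "", ""
    questions = [i for i, p in enumerate(parts) if p.endswith("?")]
    ask_index = questions[-1] if questions else len(parts) - 1
    context = " ".join(p for i, p in enumerate(parts) if i != ask_index)
    return context.lower(), parts[ask_index].lower()


def count_hits(text, triggers):
    """Count trigger matches; each trigger matches as a word prefix."""
    return sum(len(re.findall(r"\b" + re.escape(t) + r"\w*", text)) for t in triggers)


def score_lanes(scenario):
    """Step 3: score each product family, weighting the ask so that the verb of
    the question outranks the nouns in the set-up."""
    context, ask = split_context_and_ask(scenario)
    return {lane: count_hits(context, trig) + ASK_WEIGHT * count_hits(ask, trig)
            for lane, trig in LANE_TRIGGERS.items()}


def pick_lane(scenario):
    scores = score_lanes(scenario)
    lane = max(scores, key=scores.get)
    return lane if scores[lane] > 0 else None


def pick_service(scenario):
    """Step 4: narrow the lane to a service and apply the hierarchy
    workload product -> Defender XDR -> Sentinel."""
    lane = pick_lane(scenario)
    _, ask = split_context_and_ask(scenario)
    text = scenario.lower()
    if lane == "Microsoft Defender":
        if re.search(r"non-microsoft|third-party", text):
            return "Microsoft Sentinel"  # outside logs in the same investigation is SIEM work
        workloads = sum(1 for w in WORKLOAD_SIGNALS
                        if re.search(r"\b" + re.escape(w) + r"\w*", text))
        if workloads >= 2 and re.search(r"\b(unified|single|one)\b", ask):
            return "Microsoft Defender XDR"
        return "Microsoft Defender (single workload product)"
    if lane == "Microsoft Entra":
        if re.search(r"standing access|just-in-time|eligible|activat", ask):
            return "Microsoft Entra Privileged Identity Management"
        if re.search(r"condition|risk", ask):
            return "Microsoft Entra Conditional Access"
        return "Microsoft Entra ID"
    if lane == "Microsoft Purview":
        if "ediscovery" in text:
            return "Microsoft Purview eDiscovery"
        if re.search(r"\b(prevent|block|stop)\b", ask) and re.search(r"email|shar|external|leak", ask):
            return "Microsoft Purview Data Loss Prevention"
        if re.search(r"label|classif", ask):
            return "Microsoft Purview sensitivity labels"
        return "Microsoft Purview"
    return lane  # "Microsoft Sentinel", or None when no trigger word matched


if __name__ == "__main__":
    # Constructed scenario in the style of this section's worked examples.
    sample = ("A phishing campaign hit the finance team. How can the SOC correlate "
              "that email alert with sign-in, endpoint, and third-party firewall "
              "alerts into one incident?")
    print(score_lanes(sample), "->", pick_service(sample))
```

Run it on the scenarios in this section and on your own misses. When the raw trigger counts are close, the weighted ask clause is what separates the lanes, which is exactly the read-for-the-verb discipline described above; if it returns None, the scenario used vocabulary the lists do not cover, and that word belongs in your own notes.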
Check Your Understanding
A question describes a risky sign-in and asks which Microsoft service can evaluate access based on identity conditions. Which product family should you consider first?
A security team wants to collect alerts from multiple sources, correlate them into incidents, hunt with queries, and trigger automated response. Which product is the best match?
An answer list offers Azure Firewall, Azure Key Vault, and Microsoft Defender for Endpoint as choices for a prompt about running eDiscovery on organizational data. Why are all three wrong?