11.1 Read the Scenario Before Picking a Product
Key Takeaways
- SC-900 product-selection questions usually start with the business problem, not the product name.
- Microsoft Entra maps to identity and access, Defender maps to protection and detection, Sentinel maps to SIEM and SOAR, and Purview maps to compliance and data governance.
- The fastest elimination strategy is to identify whether the scenario is about identity, security operations, cloud workload posture, or compliance.
- Similar product names are traps only if you ignore the workload, data source, or user action described in the question.
Product Selection Starts With the Workload
SC-900 is a fundamentals exam, so product-selection questions usually reward recognition rather than deep configuration skill. The scenario might mention a risky sign-in, a cloud workload recommendation, a phishing campaign, a data loss prevention policy, or a security operations workflow. Before you look for a familiar product name, decide what kind of problem the organization is trying to solve.
A reliable first pass is to sort the scenario into four broad lanes. Microsoft Entra is the identity and access lane. Microsoft Defender is the protection and detection lane for endpoints, email, cloud apps, identity signals, threat intelligence, vulnerability management, and cloud workloads. Microsoft Sentinel is the SIEM and SOAR lane for collecting security data, correlating incidents, hunting, and automating response. Microsoft Purview is the compliance and data governance lane for classification, labels, retention, eDiscovery, audit, privacy, risk, and compliance assessments.
| Scenario clue | Best product family to consider first | Why it fits |
|---|---|---|
| Sign-in risk, multifactor authentication, access review, privileged role | Microsoft Entra | The problem is identity, access, or governance. |
| Endpoint, email, SaaS app, on-premises identity attack, cloud workload protection | Microsoft Defender | The problem is threat protection, detection, or remediation. |
| Cross-source incident, analytics rule, workbook, hunting query, playbook | Microsoft Sentinel | The problem is SIEM, SOAR, or security operations workflow. |
| Sensitivity label, DLP, retention, eDiscovery, audit, compliance score | Microsoft Purview | The problem is compliance, data protection, or investigation of data activity. |
The Four-Step Exam Move
1. Identify the noun being protected: identity, device, app, data, cloud resource, or security event.
2. Identify the action: authenticate, authorize, detect, investigate, automate, classify, retain, or audit.
3. Match the action to the product family before choosing a specific service.
4. Recheck close names, especially Defender for Cloud versus Defender for Cloud Apps.
For example, when a prompt is about preventing a privileged administrator from keeping standing access, the answer is Microsoft Entra Privileged Identity Management, not Sentinel. A prompt about correlating alerts from many sources into incidents points to Sentinel, not a single Defender workload product. A prompt about applying a sensitivity label to confidential files points to Microsoft Purview, even though the protected data might be stored in Microsoft 365.
The exam also likes distractors that are real Microsoft services but solve a different layer of the problem. Azure Firewall is useful for network traffic control, but it does not perform eDiscovery. Microsoft Defender for Endpoint protects endpoint devices, but it is not the place to create retention labels. Microsoft Purview Compliance Manager helps assess compliance posture and improvement actions, but it is not a SIEM. The right answer is the product that owns the primary job in the scenario.
Keep the official SC-900 domain weights in mind when reviewing misses. Microsoft security solutions are the largest domain, followed by Microsoft Entra, then Microsoft compliance solutions, then general concepts. That does not mean every question is a product-matching item, but it does mean you should be fluent at moving from scenario language to product family quickly.
A question describes a risky sign-in and asks which Microsoft service can evaluate access based on identity conditions. Which product family should you consider first?
A security team wants to collect alerts from multiple sources, correlate them into incidents, hunt with queries, and trigger automated response. Which product is the best match?
A compliance officer needs data classification, sensitivity labels, retention, eDiscovery, and audit capabilities. Which product family is the best starting point?