


1. Describe the Concepts of Security, Compliance, and Identity (10–15%)
This domain focuses on the foundational industry terminologies, core security methodologies, and the philosophy behind Microsoft's cloud architecture.
Describe Security and Compliance Concepts
The Shared Responsibility Model: Understanding how security responsibilities shift depending on the cloud deployment model (On-premises vs. Infrastructure as a Service (IaaS) vs. Platform as a Service (PaaS) vs. Software as a Service (SaaS)). Identifying what the customer always owns (data, identities) versus what the provider manages.
Defense-in-Depth: Defining the layered approach to security across multiple vectors (Physical, Identity & Access, Perimeter, Network, Compute, Application, Data).
The Zero Trust Model: Core principles of Zero Trust:
Verify explicitly.
Use least privilege access.
Assume breach.
Encryption and Hashing: Differentiating between Symmetric and Asymmetric encryption, understanding encryption-at-rest vs. encryption-in-transit, and defining how hashing guarantees data integrity.
Governance, Risk, and Compliance (GRC) Concepts: Defining corporate governance, risk assessment strategies, and regulatory standard compliance frameworks.
Define Identity Concepts
Identity as the Primary Security Perimeter: Shifting from legacy network-centric perimeters to modern identity-centric perimeters.
Authentication (AuthN) vs. Authorization (AuthZ):
Authentication: Proving who you are.
Authorization: Determining what you are permitted to access.
Identity Providers (IdP): The role of an IdP in authenticating users and issuing security tokens.
Directory Services and Active Directory: Core concepts of managing users, computers, and groups.
Federation: Extending trust relationships across separate organizations or distinct boundaries to allow seamless access.
2. Describe the Capabilities of Microsoft Entra (25–30%)
This domain covers Microsoft’s comprehensive cloud identity and access management solution (formerly Azure Active Directory).
Function and Identity Types of Microsoft Entra ID
Microsoft Entra ID Capabilities: Fundamental tenant-level directory management features.
Types of Identities: Distinguishing between human identities (Workplace users, External/Guest users) and non-human identities (Service Principals, Managed Identities for Azure resources, and Device identities).
Hybrid Identity: Concepts of connecting on-premises Active Directory Domain Services (AD DS) to Microsoft Entra ID via tools like Microsoft Entra Connect.
Authentication Capabilities of Microsoft Entra ID
Authentication Methods: Passwordless methods (FIDO2 keys, Microsoft Authenticator app, Windows Hello for Business), and legacy forms of authentication.
Multi-Factor Authentication (MFA): How MFA works, its benefits, and deployment criteria.
Password Protection and Management: Self-Service Password Reset (SSPR), smart lockout features, and custom banned password lists.
Access Management Capabilities of Microsoft Entra ID
Conditional Access (CA): Acting as the "policy engine" of Zero Trust. Evaluating signals (User/Location, Device status, Application, Risk) before making an automated enforcement decision (Allow, Require MFA, Block).
Role-Based Access Control (RBAC): Defining Microsoft Entra built-in roles vs. Azure resource roles to implement the principle of least privilege.
Identity Protection and Governance Capabilities
Microsoft Entra ID Governance: Managing the identity lifecycle via access packages and entitlement management.
Access Reviews: Periodically auditing group memberships and resource access to maintain compliance.
Privileged Identity Management (PIM): Providing Just-In-Time (JIT) and Just-Enough-Access (JEA) for administrative roles, including activation approval and alert workflows.
Microsoft Entra ID Protection: Risk detection, identifying risky users and risky sign-ins via automated machine learning telemetry.
3. Describe the Capabilities of Microsoft Security Solutions (35–40%)
This is the largest domain on the exam. It evaluates how Microsoft services actively defend infrastructures, workloads, and cloud architectures against operational threats.
Core Infrastructure Security Services in Azure
Network Security Tools:
Azure Virtual Networks (VNets) and Network Security Groups (NSGs) for network segmentation.
Azure Firewall: Centralized, cloud-native network security firewall.
Web Application Firewall (WAF): Centralized protection for web applications from common exploits (OWASP Top 10).
Azure DDoS Protection: Mitigating malicious high-volume traffic.
Secure Remote Access: Azure Bastion for secure, seamless RDP/SSH connectivity directly through the portal without public IP exposure.
Secrets Management: Azure Key Vault for securely storing keys, secrets, certificates, and cryptographic tokens.
Security Management Capabilities of Azure
Microsoft Defender for Cloud: A unified Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP).
Cloud Security Posture Management (CSPM): Tracking regulatory compliance metrics and monitoring secure scores.
Enhanced Security via Cloud Workload Protection: Defending specific cloud workloads (VMs, databases, containers) against direct attacks.
Capabilities of Microsoft Sentinel
SIEM and SOAR Core Concepts:
Security Information and Event Management (SIEM): Aggregating data logs across an entire estate.
Security Orchestration, Automation, and Response (SOAR): Running automated responses (playbooks) when a threat is identified.
Threat Detection and Mitigation: Aggregating data, detecting anomalies, and threat hunting across digital landscapes inside Microsoft Sentinel.
Threat Protection with Microsoft Defender XDR
Extended Detection and Response (XDR): Unifying detection across distinct pillars into a cohesive portal (Microsoft Defender Portal).
Microsoft Defender Core Components:
Microsoft Defender for Office 365: Email and collaboration protection (phishing, safe attachments, safe links).
Microsoft Defender for Endpoint: Device protection (EDR, antivirus capabilities).
Microsoft Defender for Cloud Apps: Cloud Access Security Broker (CASB) identifying shadow IT.
Microsoft Defender for Identity: Monitoring signals from on-premises AD to spot compromised accounts.
Microsoft Defender Vulnerability Management & Threat Intelligence (Defender TI).
4. Describe the Capabilities of Microsoft Compliance Solutions (20–25%)
This domain focuses on Microsoft Purview and Priva—how data is governed, discovered, and protected against loss or internal security risks.
Service Trust Portal and Privacy Principles
Service Trust Portal (STP): Microsoft's public repository providing independent audit reports, compliance documentation, and pen-test assessments.
Microsoft Privacy Principles: Data residency, sovereignty, and data minimization frameworks.
Microsoft Priva: Managing privacy risks and automating privacy operations around personal data.
Compliance Management Capabilities in Microsoft Purview
Microsoft Purview Compliance Portal: The single pane of glass for compliance officers.
Compliance Manager: Tracking specific regulatory templates (GDPR, ISO 27001, HIPAA).
Compliance Score: A quantifiable metric displaying current compliance progress with actionable insights on improvement.
Information Protection, Lifecycle, and Data Governance
Data Classification Capabilities: Identifying data types through Sensitive Information Types (SITs), Trainable Classifiers, and Exact Data Match (EDM).
Content Explorer & Activity Explorer: Auditing what data exists and tracking what users are doing with sensitive files.
Sensitivity Labels and Policies: Applying metadata tags to files to enforce encryption, watermarking, and access rules (Data Protection).
Data Loss Prevention (DLP): Designing policies to block users from accidentally sharing restricted information outside the corporate boundary.
Data Lifecycle and Records Management: Establishing retention policies and retention labels to legally maintain or permanently delete stale records.
Insider Risk, eDiscovery, and Audit Capabilities
Insider Risk Management: Detecting intentional or accidental harmful actions within the company (e.g., intellectual property theft, data leaks before termination).
eDiscovery Solutions: Finding, preserving, and exporting electronic data for legal review and litigation workflows (eDiscovery Standard vs. Premium).
Audit Solutions: Logging user actions and administrative actions across services to support security investigation trails.
SC-900 Exam Structure & Fast Facts
Format: 40–60 questions (Multiple choice, matching, drag-and-drop, case scenarios).
Duration: ~60 minutes.
Passing Score: 700 / 1000.
Cost: $99 USD (Varies by region).
For a visual walkthrough of these topics, check out the SC-900 Microsoft Security, Compliance, and Identity Fundamentals Study Cram, which maps out these exact core domains, architectures, and identity models in an easy-to-follow format.