Preparing for the SC-900 Microsoft Security, Compliance, and Identity Fundamentals exam? Don’t know where to start? This post is the SC-900 Certificate Study Guide (with links to each exam objective).
I have curated a list of articles from Microsoft documentation for each objective of the SC-900 exam. Please share the post within your circles so it helps them to prepare for the exam.
SC-900 MS Security, Compliance & Identity Prep
| Pluralsight (Free trial) | Planning Microsoft Identity and Security |
| LinkedIn Learning | Implement Security and Threat Management |
| Udemy | MS Security, Compliance, Identity Basics |
SC-900 Practice Test [MS Security & Identity]
| Udemy Exam Questions | SC-900 Exam Questions [with Discount code] |
| Amazon e-book (PDF) | Master Azure Identity & Access Management |
Looking for SC-900 Dumps? Read This!
Using sc-900 exam dumps can get you permanently banned from taking any future Microsoft certificate exam. Read the FAQ page for more information. However, I strongly suggest you validate your understanding with practice questions.
To view other Azure Certificate Study Guides, click here
Full Disclosure: Some of the links in this post are affiliate links. I receive a commission when you purchase through them.
Describe the Concepts of Security, Compliance, and Identity (5-10%)
Describe Security Methodologies
Describe the Zero-Trust methodology
What is Zero Trust? A model for effective security
Implementing a Zero Trust security model at Microsoft
Describe the shared responsibility model
Shared Responsibility for Cloud whitepaper
Define defense in depth
Describe Security Concepts
Describe common threats
Understanding malware & other threats
10 common security threats in the enterprise
Describe encryption
Describe Microsoft Security and Compliance Principles
Describe Microsoft’s privacy principles
Describe Microsoft’s privacy principles
Describe the offerings of the service trust portal
Describe the Capabilities of Microsoft Identity and Access Management Solutions (25-30%)
Define Identity Principles/Concepts
Define identity as the primary security perimeter
Identity as the primary security perimeter
Define authentication
Define authorization
Authentication vs. Authorization
Describe what identity providers are
What is an identity provider (IdP)?
Identity Providers for external identities
Describe what Active Directory is
Understanding Active Directory
Describe the concept of Federated services
A user wants to listen to music. So, he logs into the Spotify app with his Google account. See the below image for more details.
Based on the above scenario, which of the following is NOT True?
a. Azure AD used by Spotify trusts Google identity provider.
b. Google identity provider trusts Azure AD used by Spotify.
c. There is a trust relationship between Azure AD used by Spotify and Google.
d. The user does not need a separate username and password to log into Spotify.
Explanation: The above scenario is an example of a federation that enables the access of services across organizational/domain boundaries by establishing trust relationships between the identity providers of Spotify & Google.
Here is a step-by-step process of how this works:
- Spotify uses Azure AD authentication
- The user authenticates with Google
- Spotify has a trust relationship with Google.
- So, Spotify trusts the user and allows access.
In the above example, a trust relationship is configured between Spotify and Google. Spotify trusts Google. But the opposite isn’t true. That is, Google doesn’t trust Spotify unless that trust relationship is configured.
So, option b is the correct answer
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-identity-principles-concepts/5-describe-concept-federated-services
This question is part of my Udemy course SC-900 Exam Questions
Define common Identity Attacks
Describe the Basic Identity Services and Identity Types of Azure AD
Describe what Azure Active Directory is
What is Azure Active Directory?
Describe what is Azure Active Directory
Describe Azure AD identities (users, devices, groups, service principals/applications)
Describe Azure AD identity types
Describe what hybrid identity is
The concept of hybrid identities
Describe the different external identity types (Guest Users)
Amazon link (affiliate)
Describe the Authentication Capabilities of Azure AD
Describe the different authentication methods
Different authentication methods in Azure AD
Authentication & verification methods in Azure AD
Describe self-service password reset
Self-service Password Reset (SSPR)
How Azure AD self-service password reset works?
Describe password protection and management capabilities
Password protection & management capabilities of Azure AD
Eliminate bad passwords in the cloud
Eliminate weak passwords on-premises
Describe Multi-factor Authentication
Multi-factor authentication (MFA) in Azure AD
Configure Azure AD Multi-Factor Authentication
Describe Windows Hello for Business
Describe Access Management Capabilities of Azure AD
Describe what conditional access is
Describe uses and benefits of conditional access
Conditional access and its benefits
Security benefits of Conditional Access
Describe the benefits of Azure AD roles
Describe the Identity Protection & Governance Capabilities of Azure AD
Describe what identity governance is
What is Azure AD Identity Governance?
Describe what entitlement management and access reviews is
What is Azure AD entitlement management?
You create an access package in entitlement management and a set of resources to help onboard new team members.
Which of the following types of resources can you define in an access package (Select more than one option)?
a. Azure AD enterprise apps
b. SharePoint Online sites
c. Azure resources
d. Microsoft 365 groups
e. Microsoft 365 licenses
f. Azure AD security groups
Explanation: You define access packages in Azure AD entitlement management to automate access request workflows, access assignments & access expiration. This is important because, often, users (either new employees or ones with recent role changes) do not know what access they need and whom to request access.
As seen in the image above, the following are the types of resources defined in an access package:
- Membership to Azure AD security groups, Microsoft 365 groups
- Access to Azure AD apps, SaaS apps
- Access to SharePoint Online sites
Although you cannot directly manage access to Microsoft 365 licenses or Azure resources, you can create an Azure AD security group in the access package and:
- Give access to users who need Microsoft 365 licenses (via group-based licensing).
- Create an Azure role assignment for that group
If it is difficult to understand, the below image will help.
So, options a,b,d,f are the correct answers.
Reference Link:
https://docs.microsoft.com/en-us/learn/modules/describe-identity-protection-governance-capabilities/3-describe-what-entitlement-management-access-reviews (check the video)
This question and the detailed explanation is part of my Udemy course SC-900 Exam Questions
Describe the capabilities of PIM
Privileged Identity Management
Capabilities of Privileged Identity Management
Describe Azure AD Identity Protection
Describe the Capabilities of Microsoft Security Solutions (30-35%)
Describe Basic Security Capabilities in Azure
Describe Azure Network Security groups
Describe Azure Network Security groups
Describe Azure DDoS protection
DDoS Protection Standard overview
Describe what Azure Firewall is
Describe what Azure Bastion is
Describe what Web Application Firewall is
What is a Web Application Firewall?
Web Application Firewall overview
Describe ways Azure encrypts data
Describe Security Management Capabilities of Azure
Describe the Azure Security center
What is Azure Security Center?
Describe Azure Secure score
Secure score in Azure Security Center
Describe the benefit and use cases of Azure Defender – previously the Cloud Workload Protection Platform (CWPP)
Benefits & use cases of Azure Defender
Benefits of Azure Defender for servers
Describe Cloud Security Posture Management (CSPM)
Cloud Security Posture Management with Azure Security Center
Cloud security posture management – part 2
Describe security baselines for Azure
Azure security baseline for Security Center
Security baseline for Resource Manager
Azure security baseline for Azure Monitor
Describe Security Capabilities of Azure Sentinel
Define the concepts of SIEM, SOAR, XDR
Microsoft Azure Sentinel is a scalable, cloud-native SIEM/SOAR solution. What do the acronyms stand for?
a. Security Incident Event Management (SIEM), Security Orchestration Autonomous Response (SOAR)
b. Security Information Event Management (SIEM), Security Orchestration Automated Response (SOAR)
c. Security Incident Event Management (SIEM), Security Orchestration Automated Response (SOAR)
d. Security Information Event Management (SIEM), Security Orchestration Autonomous Response (SOAR)
Explanation: SIEM(Security Information Event Management) is a centralized collection point for all the log entries generated by your infrastructure, resources, devices, firewall, and endpoints. It then correlates these logs to generate alerts and notifies the administrator.
SOAR (Security Orchestration Automated Response) takes these alerts and automates your threat response (with playbooks). So, SOAR decreases the incident response time.
In a nutshell, SIEM raises an alert if it detects a malicious activity. SOAR deals with the alerts (including false positives) and prepares an automated response.
So, option b is the correct answer
Reference Link:https://docs.microsoft.com/en-us/azure/sentinel/overview
This question is part of my Udemy course SC-900 Exam Questions
Describe the role and value of Azure Sentinel to provide integrated threat protection
Describe Threat Protection with Microsoft 365 Defender (Formerly Microsoft Threat Protection)
Describe Microsoft 365 Defender services
Microsoft 365 Defender services
Microsoft 365 Defender overview
Describe Microsoft Defender for Identity (formerly Azure ATP)
What is Microsoft Defender for Identity?
Microsoft Defender for Identity
Describe Microsoft Defender for Office 365 (formerly Office 365 ATP)
Microsoft Defender for Office 365
Microsoft Defender for Office 365 overview
Describe Microsoft Defender for Endpoint (formerly Microsoft Defender ATP)
What is Microsoft Defender for Endpoint?
Microsoft Defender for Endpoint
Describe Microsoft Cloud App Security
Describe Security Management Capabilities of Microsoft 365
Describe the Microsoft 365 Security Center
Explore the Microsoft 365 security center
The unified Microsoft 365 security center overview
Describe how to use Microsoft Secure Score
What is Microsoft Secure Score?
How to use Microsoft Secure Score?
Describe security reports and dashboards
Explore security reports and dashboards
Describe incidents and incident management capabilities
Describe Endpoint Security with Microsoft Intune
Describe what Intune is
Describe endpoint security with Intune
What is endpoint security with Intune?
Manage endpoint security in Microsoft Intune
Describe the endpoint security with the Microsoft Endpoint Manager admin center
Describe the Capabilities of Microsoft Compliance Solutions (25-30%)
Describe the Compliance Management Capabilities in Microsoft
When you log in to the Microsoft 365 compliance center as a compliance data administrator, which of the following compliance solution areas would you see in the Solutions catalog (Select more than one option)?
a. Communication compliance
b. Information protection & governance
c. Insider risk management
d. Data loss prevention
e. Discovery & response
f. Advanced eDiscovery
Explanation: Microsoft 365 solutions catalog helps you discover compliance & risk management solutions available to your organization.
The solutions catalog is organized into three compliance solution areas. Each solution area contains information on several compliance solutions.
See the below infographic for more details.
As evident, Insider risk management, Information protection& governance, and Discovery & responseare the only three compliance solution areas.
Data loss prevention is a compliance solution within the Information protection & governance solution area.
Advanced eDiscovery is a compliance solution within the Discovery & response solution area.
And Communication compliance is a compliance solution within the Insider risk management solution area.
Finally, the role compliance data manager doesn’t make any difference. All three roles (Global administrator, Compliance administrator, Compliance data administrator) get the same user experience when they access Microsoft Compliance Center.
Reference Link: https://docs.microsoft.com/en-us/microsoft-365/compliance/microsoft-365-solution-catalog?view=o365-worldwide
This question is part of my Udemy course SC-900 Exam Questions
Describe compliance manager
Microsoft Compliance Manager overview
Describe use and benefits of compliance score
Describe Information Protection and Governance Capabilities of Microsoft 365
Describe data classification capabilities
Understand data classification
Data classification capabilities in Microsoft 365 Compliance Center
Describe the value of content and activity explorer
Get started with content explorer
Get started with activity explorer
Describe sensitivity labels
Learn about sensitivity labels
What are sensitivity labels and policies?
Describe Retention Policies and Retention Labels
Learn about retention policies & labels
What are retention policies and retention labels?
Describe Records Management
Your teammate creates a retention label for applying to documents in OneDrive. He needs to ensure that no one can remove the label. He is presented with the following retention settings screen while creating the label.
Per the requirement, is he good to create the label?
a. Yes
b. No
Explanation: This question has several layers, so let’s uncover them
First, only the retention labels that mark content as a regulatory record cannot be removed by anyone, even the global administrator.
But, as evident from the image, your teammate can only create a retention label that marks items as records, not regulatory records.
That’s because this is the default interface when trying to create retention labels under Records management (See the below image).
You don’t see the option to mark items as regulatory records because applying regulatory records to content is far more restrictive than applying records (Refer to the table in the above link).
Since Microsoft wants you to be sure about marking content as regulatory records before you do so, they require you to perform an extra step to display that option in the UI:
· Connect to the Office 365 Security & Compliance Center PowerShell
· Run a PowerShell command (details on them below)
After you perform these steps, you can see the option to mark items as a regulatory record
Per the requirement in the question, he cannot create a label that no one can delete. The correct answer isNo.
If you are curious about connecting to PowerShell and executing the command to display the option, continue reading.
First, install the PowerShell module Exchange Online Management by running this command:
Install-Module -Name ExchangeOnlineManagement
Reference Link: https://powershellgallery.com/packages/Exchange-OnlineManagement/2.0.4
And run the following PowerShell commands on your system:
Import the module
Import-Module ExchangeOnlineManagement
Specify username and password to connect to Microsoft 365 compliance in the window prompt
$UserCredential = Get-Credential
Connect to your Compliance center
Connect-IPPSSession -Credential $UserCredential
Command that enables the display mark content as regulatory records
Set-RegulatoryComplianceUI -Enabled $true
Reference Link:
https://docs.microsoft.com/en-us/powershell/exchange/connect-to-scc-powershell?view=exchange-ps#connect-to-security–compliance-center-powershell-using-modern-authentication (For connecting to Compliance center with PowerShell)
https://docs.microsoft.com/en-us/microsoft-365/compliance/declare-records?view=o365-worldwide#how-to-display-the-option-to-mark-content-as-a-regulatory-record (PowerShell command to display the option to mark content as a regulatory record)
This question is part of my Udemy course SC-900 Exam Questions
Describe Data Loss Prevention
Describe Insider Risk Capabilities in Microsoft 365
Describe Insider Risk Management solution
What is an Insider risk management solution?
Learn about insider risk management in M365
Describe communication compliance
What is communication compliance?
Learn about communication compliance
Describe information barriers
What are the different information barriers?
Information barriers in Microsoft 365
Describe privileged access management
What is Privileged Access Management (PIM)?
Privileged access management in Microsoft 365
Describe customer lockbox
Describe the ediscovery Capabilities of Microsoft 365
Describe the purpose of eDiscovery
What’s the purpose of eDiscovery?
eDiscovery solutions in Microsoft 365
Describe the capabilities of the content search tool
What are the capabilities of the content search tool?
Describe the core eDiscovery workflow
Explore the Core eDiscovery workflow
What is the core eDiscovery workflow?
Describe the advanced eDisovery workflow
Describe the Audit Capabilities in Microsoft 365
Describe the core audit capabilities of M365
What are the core audit capabilities of Microsoft 365?
Describe the purpose and value of Advanced Auditing
Describe Resource Governance Capabilities in Azure
Describe the use of Azure Resource locks
Lock resources to prevent unexpected changes
Describe what Azure Blueprints is
What’s the use of Azure Blueprints?
Define Azure Policy and describe its use cases
Describe cloud adoption framework
This brings us to the end of the SC-900 Microsoft Security, Compliance, and Identity Fundamentals exam study guide.
What do you think? Let me know in the comments section if I have missed out on anything. Also, I love to hear from you how your preparation is going on!
In case you are looking for other Azure certification exams check out this page
Follow/Like ravikirans.com to Receive Updates
Want to be notified as soon as I post? Subscribe to RSS feed / leave your email address in the subscribe section. Share the article to your social networks with the below links so it can benefit others.
1 Comment
Merci ! thank you 😉