RoleMath Study Track · free study companion

RoleMath Study Track for Microsoft Security, Compliance, and Identity Fundamentals (SC-900) (SC-900)

A free study companion keyed to the officially published exam domains of Microsoft Security, Compliance, and Identity Fundamentals (SC-900) (SC-900): what each domain covers in plain language, clearly labeled free resources, a guided lab outline for every domain, and interactive self-checks from our own question bank. Microsoft SC-900 study guide

A free, source-cited study companion built on Microsoft's published SC-900 study guide, for independent study only. It is not official training, is not affiliated with or endorsed by Microsoft, and is not a pass guarantee. SC-900 is an entry-level, no-prerequisite fundamentals exam, and every lab here is a worksheet completed against Microsoft's public documentation or a view-only look at your OWN free tenant. Verify the current objectives on the official study guide before your exam.

Program blueprint under review

Use the whole program, with the limits visible

A complete free Microsoft SC-900 program pinned to the currently published study guide and sequenced the way the ideas build - the security, compliance, and identity concepts first, then Microsoft Entra as the identity front door, then the self-contained compliance solutions, and finally the heaviest security-solutions domain with an integrated concept-map capstone - with every hands-on activity a RoleMath-owned worksheet completed against Microsoft's public documentation or a VIEW-ONLY look at your OWN free Azure or Microsoft 365 Developer tenant (never a work or school tenant, never a paid Defender plan), and an explicit recheck of the official study guide before any exam scheduling. SC-900 is an entry-level, no-prerequisite Fundamentals certification, so the diagnostic and goal paths welcome career changers with no security background, and completion is not certification, professional experience, or a job.

This draft exposes RoleMath’s authored sequence and evidence plan. The current labs are guided outlines, not yet a fully fixture-backed course, and objective-leaf coverage has not passed the gold-standard gate. Completion does not predict an exam result.

Modules
4
Labs
4
Concept checks
12
Resource mix
6 official / 1 community

Choose an outcome

Three routes through the same evidence

Choose provisionally. Change routes when the work tells you something new about fit, time, or readiness.

Certification-focused

Career changers and IT-curious learners with no required background who want one current, dependency-ordered SC-900 sequence across all four domains, with every worksheet completed against Microsoft's documentation or a view-only look at their own free tenant and a recheck of the official study guide before scheduling.

Completion emphasis: Complete every module in the build-up study order, finish each domain worksheet against the documentation or a view-only tenant look, correct every missed check, finish the integrated concept-map capstone, and diff the current study guide before booking the exam - never inferring a score from coverage, and understanding SC-900 is a Fundamentals credential with no prerequisites.

Required phases: Security, compliance, and identity concepts, The capabilities of Microsoft Entra, The capabilities of Microsoft compliance solutions, The capabilities of Microsoft security solutions, then the integrated capstone

Cloud-security literacy first

Career changers or non-security IT staff who want reviewable evidence that they can describe Zero Trust and shared responsibility, navigate Microsoft Entra identity, place the Defender and Sentinel security products, and summarize Microsoft Purview compliance capabilities, whether or not they sit the exam soon.

Completion emphasis: Retain a labeled worksheet per domain - a Zero-Trust and shared-responsibility concept map, an Entra admin-center exploration record, a security-solutions comparison grid, and a Purview and Service Trust Portal capability summary - each completed against the documentation or a view-only look at a tenant you own, plus the integrated capstone concept map.

Required phases: Security, compliance, and identity concepts, The capabilities of Microsoft Entra, The capabilities of Microsoft compliance solutions, The capabilities of Microsoft security solutions, then the integrated capstone

Career-fit sprint

Learners deciding whether cloud security, compliance, and identity work - the Microsoft-ecosystem concepts SC-900 introduces - is a direction worth deeper investment before committing to the full certification, given that it is entry-level with no prerequisites and a friendly on-ramp for career changers.

Completion emphasis: Complete the diagnostic, the concepts-foundation phase, and the Entra-identity phase with their worksheets, then choose a next Microsoft security experiment (such as continuing to SC-200 or AZ-500 later) or a full SC-900 commitment rather than inferring job readiness or a pass from partial coverage.

Required phases: Security, compliance, and identity concepts, The capabilities of Microsoft Entra

Start safely

Prerequisite diagnostic

Confirm you can read Microsoft's documentation and, optionally, spin up a free tenant you own before the SC-900 worksheets; this diagnostic is not a Microsoft prerequisite, a cost promise, or an exam prediction, and SC-900 is an entry-level Fundamentals exam that assumes no prior security or Azure experience.

  1. Are you comfortable with general computing and cloud vocabulary at a beginner level - what an account, a service, and 'the cloud' broadly mean - since SC-900 is descriptive and introduces its security terms from the ground up rather than assuming a security background?

    Ready when: Yes, or you are willing to look up unfamiliar terms as you go; SC-900 explicitly targets learners new to security, compliance, and identity.

    If not yet: Skim a free 'what is the cloud' or Azure fundamentals overview first if the basic cloud vocabulary is entirely new, then start Domain 1, which re-introduces the security concepts from zero.

  2. Can you read Microsoft Learn documentation and summarize an idea in your own words, since every SC-900 worksheet here is completed by reading the official free learning paths and recording your own paraphrase rather than copying?

    Ready when: Yes, and you understand the worksheets ask for your-words summaries, not verbatim copying of Microsoft's prose.

    If not yet: Practice reading one free Microsoft Learn module and writing a two-sentence summary before starting the worksheets, since the whole program is documentation-driven.

  3. Can you optionally create a free tenant you own - an Azure free account or a Microsoft 365 Developer Program tenant - to explore the Entra, Defender, and Purview portals view-only, understanding you must never use a work or school tenant and never enable a paid Defender plan?

    Ready when: Yes, with a free or developer tenant you own, OR you will complete every worksheet documentation-only, which is fully supported and reaches the same understanding.

    If not yet: Choose the documentation-only route for the Entra, security-solutions, and compliance worksheets; no lab here requires a tenant, and no lab may ever touch a work or school tenant.

  4. Do you understand that if you explore any portal you must stay view-only and must never enable a paid Microsoft Defender for Cloud plan or any billable resource, and that you should let any developer trial tenant expire or delete it afterward?

    Ready when: Yes, and you will inspect-and-cancel out of every policy or label blade, enable no paid plan, and clean up any trial tenant so nothing bills.

    If not yet: Re-read each worksheet's safety boundary before touching a portal, or stay on the documentation-only route where no billing is possible at all.

  5. Have you chosen a pace whose weekly hours you can realistically protect across roughly 20 to 26 total hours for a beginner (closer to 18 to 20 hours with some Azure or Microsoft 365 familiarity)?

    Ready when: Yes, with a pace selected and the study-guide recheck, the worksheet safety steps, and the capstone left uncompressed.

    If not yet: Pick the steady pace and spread the four domains across a few weeks; never compress the view-only, cancel-not-save, and own-tenant-only steps to save time.

Plan, then adapt

Pace options

Steady

4 weeks 5-7 hours/week

A planning estimate of roughly 20-26 hours for a beginner with no security background: one domain per week in the build-up study order, each domain's worksheet completed against the free Microsoft Learn paths or a view-only look at a tenant you own, plus the integrated concept-map capstone and a study-guide recheck before scheduling.

Standard

3 weeks 7-9 hours/week

A planning estimate for a learner with some Azure or Microsoft 365 familiarity that pairs the Microsoft-cited domain study with one retained worksheet per domain and preserves the integrated capstone, the missed-check corrections, and a study-guide diff before any exam logistics. Budget more time if the security vocabulary is entirely new.

Intensive

2 weeks 10-13 hours/week

Roughly 20-24 hours compressed for a focused learner who already works around Microsoft 365 or Azure; do not compress the own-tenant-only boundary, the never-enable-a-paid-Defender-plan rule, the cancel-not-save discipline, or the capstone concept map. A learner new to security should prefer the steady pace and build the Domain 1 vocabulary first.

Evidence-gated sequence

Program roadmap

  1. Security, compliance, and identity concepts

    Build the vocabulary the whole exam assumes: Zero Trust, the shared-responsibility model, the CIA triad, encryption and hashing, and the authentication-versus-authorization distinction (Domain 1, 10-15%) - made concrete by a browser-and-docs concept-map worksheet with no tenant, account, or payment required.

    Exit evidence

    • Complete the Domain 1 concept-map worksheet: fill the six Zero Trust pillars with a control example each, build a shared-responsibility grid across on-prem, IaaS, PaaS, and SaaS, map five core terms to the CIA property or trust principle each serves, and write the 'assume breach' reflection - all in your own words from the documentation.
    • Complete the general-IT, documentation-reading, free-tenant-optional, no-paid-feature, and study-time diagnostics, choose a pace you can protect, and be able to state the three Zero Trust principles, the shared-responsibility line that never leaves the customer, and the authentication-versus-authorization distinction.
    • Attempt every authored security-and-identity-concepts check and correct each miss against its cited source before moving to Microsoft Entra.
  2. The capabilities of Microsoft Entra

    Learn identity as the front door of the Microsoft cloud: Entra ID identity types, authentication capabilities (MFA, SSPR, passwordless, SSO), access management (Conditional Access, RBAC), and identity governance (access reviews, entitlement management, PIM) (Domain 2, 25-30%) - made concrete by a view-only exploration of the Entra admin center in a free tenant you own, or documentation-only.

    Exit evidence

    • Complete the Domain 2 Entra exploration worksheet in a tenant you own (or documentation-only): record the member-versus-guest distinction, at least two MFA methods, the assignments and access controls of a Conditional Access policy inspected and cancelled without saving, and your tenant's identity tier and available governance features.
    • Retain the Entra exploration record and be able to explain how Conditional Access implements 'verify explicitly' and how PIM, access reviews, and entitlement management operationalize least privilege.
    • Attempt every authored Microsoft Entra check and correct each miss against its cited source, tracing why identity is called the primary security perimeter.
  3. The capabilities of Microsoft compliance solutions

    Work the self-contained compliance domain: compliance concepts (data residency, sovereignty, privacy, the Service Trust Portal), Microsoft Purview and Compliance Manager, information protection (sensitivity labels, DLP), data lifecycle management, and insider risk, eDiscovery, and audit (Domain 4, 20-25%) - made concrete by a Purview and Service Trust Portal capability-summary worksheet, view-only or documentation-only.

    Exit evidence

    • Complete the Domain 4 compliance worksheet: record what the login-free Service Trust Portal provides, summarize every Purview capability in your own words, inspect the anatomy of a Compliance Manager score, a DLP policy, and a sensitivity label view-only (cancelling without saving), and map the capabilities to the CIA triad.
    • Retain the Purview and Service Trust Portal summary and be able to explain why classification (sensitivity labels) comes first and enables DLP, retention, and protection, and how Compliance Manager parallels Secure Score.
    • Attempt every authored compliance-solutions check and correct each miss against its cited source, tracing which capability fits a described compliance need.
  4. The capabilities of Microsoft security solutions, then the integrated capstone

    Close with the heaviest, most product-dense domain and then integrate everything: Azure network security, Microsoft Defender for Cloud (Secure Score, CSPM, CWP), Microsoft Sentinel (SIEM and SOAR), and Microsoft Defender XDR and its component Defenders (Domain 3, 35-40%), made concrete by a comparison-grid worksheet - then run the integrated capstone that maps every Microsoft product across all four domains to the concept it implements.

    Exit evidence

    • Complete the Domain 3 security-solutions comparison worksheet: place each Defender product, Sentinel, and Defender XDR on a layer grid, resolve SIEM versus SOAR and CSPM versus CWP with the free-versus-paid line, record what Secure Score measures, and place the Azure network security building blocks - never enabling a paid Defender plan.
    • Complete the integrated capstone concept map spanning all four domains and produce the capstone evidence packet.
    • Retain the comparison grid and the capstone concept map, crosswalk every artifact to the four SC-900 domain IDs, diff the current SC-900 study guide, record remaining gaps, and choose a continue, practice, defer, or exam-scheduling next decision rather than inferring a pass from coverage.

Before a lab

Environment, access, and safety

Required and optional setup

Required

  • A web browser plus text, spreadsheet, or diagram tools for the Microsoft-cited SC-900 study guide, the four free Microsoft Learn learning paths, and for recording each worksheet's answers in your own words
  • The four RoleMath-owned worksheets under data/assets/lab_fixtures/microsoft-security-compliance-and-identity-fundamentals/ - a Zero-Trust and shared-responsibility concept map, an Entra admin-center exploration checklist, a Defender/Sentinel/XDR comparison worksheet, and a Purview and Service Trust Portal worksheet - each completable from documentation alone
  • The login-free Service Trust Portal (servicetrust.microsoft.com) public content for the compliance worksheet, which needs no account
  • A record, for each worksheet, that any portal viewing stayed view-only, used only a tenant you own, enabled no paid Defender plan, and that any developer trial tenant was let expire or deleted

Optional

  • A free Azure account (Azure free account with permanent Entra ID Free) OR a Microsoft 365 Developer Program tenant (renewable E5 dev tenant) that YOU own, used view-only to ground the Entra, Defender, and Purview portal steps - never a work or school tenant, and never enabling a paid Defender for Cloud plan
  • The Microsoft SC-900 official free practice assessment as a readiness check across all four domains (the pool is finite and recycles)
  • John Savill's free SC-900 Study Cram video playlist as a fast visual review after the official Microsoft Learn paths (it may lag the July 28, 2026 minor update, so reconcile it against the official study guide)
Accounts and accessibility routes

Accounts

  • The core route requires no account and no payment: every worksheet can be completed by reading Microsoft's free public learning paths and documentation, and the Service Trust Portal public content needs no login.
  • The optional view-only portal steps need a free tenant you own - an Azure free account or a Microsoft 365 Developer Program tenant; a free Azure account may ask for a card for identity verification even though this program spends nothing, and the developer tenant does not.
  • No worksheet requires a paid subscription or a paid Defender plan; if any optional resource ever moves a needed exercise behind a paywall, rely on the official study guide and the documentation-only route instead.

Equivalent routes

  • When exploring a live tenant is impractical for account, device, memory, motor, or visual reasons, complete every worksheet documentation-only: read the objective's free Microsoft Learn path, answer each field from the documentation labelled documentation-only, and reach the same understanding and the same worksheet evidence with no tenant or portal.
  • Every worksheet is text-driven and keyboard-operable, with plain-text answers a screen reader can read; the concept-map, exploration-checklist, comparison-grid, and capability-summary templates are plain Markdown with labeled headings and fields, and no step requires pointer-only interaction.
  • In low-bandwidth conditions use the documentation-only route, which avoids the heavy Entra, Defender, and Purview portal UIs; the Microsoft Learn pages and the worksheet files are lightweight text.
Safety baseline
  • Complete every worksheet by reading Microsoft's public documentation or by VIEW-ONLY exploration of a free Azure or Microsoft 365 Developer tenant YOU own - never a work, school, employer, or client tenant.
  • Keep every portal interaction view-only: do not create, modify, or delete users, Conditional Access policies, DLP policies, sensitivity labels, or Compliance Manager assessments, and cancel out of every blade you open to inspect.
  • Never enable a paid Microsoft Defender for Cloud plan or any billable resource; the free Foundational CSPM and Secure Score are sufficient, and documentation-only completion is always available.
  • Use only generic or fictional examples in every worksheet - never enter a real organization's data, credentials, tenant IDs, or personal information - and do not share screenshots containing real data.
  • Let any Microsoft 365 Developer trial tenant expire or delete it after the program, and confirm nothing was created that persists or bills; this program grants no authorization to configure or change any system you do not own.

Show your work

Module evidence and missed-check protocol

Module exit evidence

  • A labeled worksheet per domain tied to its module: a Zero-Trust and shared-responsibility concept map; an Entra admin-center exploration record; a Defender/Sentinel/XDR comparison grid; or a Purview and Service Trust Portal capability summary - each completed against the documentation or a view-only look at a tenant you own.
  • A plain-language explanation of the domain's key ideas, which CIA property or Zero Trust principle each capability serves, the Microsoft product that implements it, and the boundary the work stayed inside (documentation or a view-only tenant you own, no paid plan enabled).
  • All authored checks for the domain attempted, with each miss corrected against its cited source and re-applied to a fresh scenario, plus a note that any portal viewing was view-only and any trial tenant was cleaned up.

After a missed check

  1. Identify whether the question tests the security-compliance-identity concepts, Microsoft Entra, the security solutions, or the compliance solutions before reviewing the answer.
  2. Write why the distractor was plausible and which principle - the Zero Trust pillar, the identity capability, the security product's scope and layer, or the compliance capability - distinguishes the correct answer, framing it as describing what a capability does rather than reciting a definition.
  3. Change one scenario detail - the layer being protected, the identity signal, the data-sensitivity need, or the product family - and explain whether the correct answer changes.

Completing this policy demonstrates current-study-guide SC-900 coverage and worksheet practice inside RoleMath against Microsoft's documentation and, optionally, a view-only look at a tenant you own; it does not predict an exam score, establish professional security experience, confer any authorization to configure or change systems you do not own, or serve as a RoleMath credential.

Integrated practice

Integrated SC-900 concept map: every Microsoft product mapped to the concept it implements

Run a complete, integrated review that spans all four SC-900 domains: build one concept map that takes every Microsoft security, compliance, and identity product you explored across the four worksheets and maps it to the security, compliance, or identity concept it implements - then diff the current study guide and record a next decision, producing one reviewable artifact from documentation and your own view-only tenant look.

Workflow

  1. Gather your four completed worksheets (concepts concept map, Entra exploration, security-solutions comparison grid, Purview and Service Trust Portal summary) as the raw material for the integrated map.
  2. Start from the concepts layer (Domain 1): write the core concepts as anchors - Zero Trust and its pillars, the shared-responsibility model, the CIA triad, and the four identity pillars (administration, authentication, authorization, auditing).
  3. Map the Microsoft Entra capabilities (Domain 2) onto the identity and Zero-Trust anchors: place Entra ID, MFA, SSPR, passwordless, SSO, Conditional Access, RBAC, and identity governance against the concept each implements (for example Conditional Access under 'verify explicitly', PIM under least privilege).
  4. Map the compliance solutions (Domain 4) onto the confidentiality, integrity, and accountability anchors: place Compliance Manager, sensitivity labels, DLP, retention, eDiscovery, audit, insider risk, and the Service Trust Portal against the concept each implements (for example labels under classification-enables-protection, eDiscovery under prove-what-happened).
  5. Map the security solutions (Domain 3) onto the defense-in-depth and Zero-Trust anchors: place the Azure network controls, Defender for Cloud with Secure Score/CSPM/CWP, Microsoft Sentinel as SIEM and SOAR, and Defender XDR with its component Defenders against the layer and concept each protects.
  6. Resolve the classic confusions on the map explicitly: SIEM versus SOAR, CSPM versus CWP, Secure Score versus Compliance Manager score, authentication versus authorization, and Defender XDR (unified console) versus Microsoft Sentinel (SIEM/SOAR).
  7. Write a one-paragraph reflection per domain explaining, in your own words, how that domain's products serve the concepts, and answer two integration scenarios (one cross-layer security scenario, one classify-then-protect-then-investigate compliance scenario) naming the right products.
  8. Diff the current SC-900 study guide against your map, flag any topic not represented as an explicit gap, confirm any portal viewing was view-only and any trial tenant was cleaned up, and record the next decision - continue, practice more, defer, or schedule the exam - rather than inferring a pass from coverage.

Retained artifacts

  • One integrated SC-900 concept map with the core concepts as anchors and every Microsoft Entra, security-solutions, and compliance-solutions product mapped to the concept and layer it implements
  • An explicit resolution of the classic confusions (SIEM vs SOAR, CSPM vs CWP, Secure Score vs Compliance Manager score, authentication vs authorization, Defender XDR vs Microsoft Sentinel)
  • A one-paragraph-per-domain reflection in your own words plus answers to one cross-layer security scenario and one classify-protect-investigate compliance scenario
  • A crosswalk table linking every mapped product to at least one of the four SC-900 domain IDs, confirming full-domain coverage
  • A study-guide diff with any uncovered topics flagged as gaps, a confirmation that any portal viewing was view-only with any trial tenant cleaned up, and a recorded next decision

Review checklist

  • The concept map covers all four SC-900 domains and maps every product explored across the four worksheets to a security, compliance, or identity concept and layer.
  • Any portal viewing that informed the map stayed view-only in a tenant the learner owns, enabled no paid Defender plan, and touched no work or school tenant.
  • The classic confusions are each resolved explicitly on the map (SIEM vs SOAR, CSPM vs CWP, Secure Score vs Compliance Manager score, authentication vs authorization, Defender XDR vs Microsoft Sentinel).
  • Each domain has a your-words reflection, and both integration scenarios name the correct products with a short justification.
  • The current SC-900 study guide was rechecked and any changed domain, weight range, or skills-measured date invalidates the affected mapping.
  • All four current SC-900 domains map to at least one concept and product on the map; uncovered topics remain explicit gaps rather than implied completion.
  • The map uses only generic or fictional examples and publishes no real tenant, document, credential, or organization data.
  • The artifact does not claim exam success, official Microsoft approval or training beyond linked sources, professional security experience, any authorization to configure systems the learner does not own, or a RoleMath credential.

Safety boundary: Build the capstone from your completed worksheets, Microsoft's public documentation, and at most a VIEW-ONLY look at a free Azure or Microsoft 365 Developer tenant you own - never a work, school, employer, or client tenant, and never enabling a paid Defender plan. Use only generic or fictional examples, create and change nothing in any tenant, and let any developer trial tenant expire or delete it. This program grants no authorization to configure or change any system you do not own.

Finish honestly

Completion, portfolio, and maintenance

Completion evidence

  • All four current SC-900 domain modules have been covered and checked against the official Microsoft SC-900 study guide, including a recheck of the current study guide before any exam scheduling.
  • Every domain worksheet has been completed against Microsoft's documentation or a view-only look at a tenant the learner owns, with no work or school tenant touched, no paid Defender plan enabled, and its worksheet retained.
  • Every authored knowledge check has been attempted and each miss has a cited correction plus a fresh scenario.
  • The official Microsoft Learn free paths, the Service Trust Portal, and any optional community resource (John Savill's cram) have been used within their current free-access terms, with any community video reconciled to the official study guide.
  • The integrated concept-map capstone passes its four-domain coverage, view-only-boundary, confusion-resolution, and study-guide-diff review, with any trial tenant cleaned up.
  • The learner has recorded remaining objective gaps and a next study or exam-scheduling decision; completion is not represented as an exam result, a credential, job readiness, or professional security experience.

Portfolio candidates

  • A concepts concept map: the six Zero Trust pillars, a shared-responsibility grid, and a CIA-and-vocabulary table, all in the learner's own words
  • An Entra exploration record: member-versus-guest identities, MFA methods, the anatomy of a Conditional Access policy inspected view-only, and the tenant's identity tier
  • A security-solutions comparison grid: each Defender product, Sentinel, and Defender XDR placed by layer, with SIEM/SOAR and CSPM/CWP resolved and Secure Score noted
  • A compliance capability summary: the Service Trust Portal contents, a per-capability Microsoft Purview summary, the view-only anatomy of a Compliance Manager score, DLP policy, and sensitivity label, and a CIA mapping
  • The integrated capstone concept map with the classic confusions resolved, both integration scenarios answered, and a study-guide diff plus next decision

Present the packet as self-directed SC-900 study done against Microsoft's public documentation and, at most, a view-only look at a tenant you own. Do not call it real-world security operations, Microsoft approval, professional security experience, authorization to configure or change any system you do not own, or a RoleMath credential, and never publish real tenant, document, credential, or organization data.

Freshness controls

Objective source checked 2026-07-10. Recheck objectives every 30 days and resources every 90 days.

Stop and re-verify when

  • Microsoft revises the SC-900 study guide, domain set, domain names or weight ranges, exam code, passing score, fee, duration, or Fundamentals level.
  • The staged skills-measured update (effective July 28, 2026) turns out to change a domain name or weight range rather than only minor sub-skills, or a later update does so.
  • A free Microsoft Learn SC-900 learning path, the official free practice assessment, or the Service Trust Portal changes URL, availability, or free-access terms.
  • A product referenced in the labs (Microsoft Entra, Microsoft Defender for Cloud, Microsoft Sentinel, Microsoft Defender XDR and its component Defenders, or Microsoft Purview) is renamed, restructured, or changes its free-versus-paid boundary.
  • The free Azure account or Microsoft 365 Developer Program tenant used for the view-only portal steps changes its availability, free tier, or terms, or a worksheet can no longer be completed documentation-only.
  • Any module, worksheet, check, phase, capstone step, account instruction, safety guardrail, or study-guide diff fails technical, source, entry-level, safety, authorization, privacy, accessibility, currency, or claims review.

Skills measured

The official objective domains and their exam weight — titles & weights only, straight from the vendor’s exam objectives. Microsoft SC-900 study guide

35-40%Describe the capabilities of Microsoft security solutionsMicrosoft SC-900 study guide (2026-07-10)
25-30%Describe the capabilities of Microsoft EntraMicrosoft SC-900 study guide (2026-07-10)
20-25%Describe the capabilities of Microsoft compliance solutionsMicrosoft SC-900 study guide (2026-07-10)
10-15%Describe the concepts of security, compliance, and identityMicrosoft SC-900 study guide (2026-07-10)

Suggested study order

SC-900 is a fundamentals exam that tests whether you can describe Microsoft's security, compliance, and identity capabilities, so our sequencing follows how the ideas build on each other rather than the raw weight order alone. Microsoft weights the four domains as 'Describe the concepts of security, compliance, and identity' 10-15%, 'Describe the capabilities of Microsoft Entra' 25-30%, 'Describe the capabilities of Microsoft security solutions' 35-40%, and 'Describe the capabilities of Microsoft compliance solutions' 20-25%, so the security-solutions domain is by far the heaviest and the concepts domain the lightest. We still open with the concepts domain (Domain 1, 10-15%) because it is the vocabulary layer: Zero Trust, the shared-responsibility model, the CIA triad, encryption and hashing, and the difference between authentication and authorization are the words every later domain uses, and a few hours here makes the rest far easier. We go to Microsoft Entra (Domain 2, 25-30%) second because identity is the front door of the entire Microsoft cloud: Entra ID, multi-factor authentication, Conditional Access, and identity governance are referenced constantly inside both the security and the compliance domains, so learning them early pays off everywhere. We then deliberately take compliance (Domain 4, 20-25%) BEFORE security solutions (Domain 3, 35-40%), inverting the exam's numbering, because compliance is a narrower, more self-contained story built around one product family (Microsoft Purview) that reinforces the data-protection and identity ideas you just learned, and clearing it first lets you give the heaviest domain your freshest, most sustained attention. We close with security solutions (Domain 3, 35-40%) because it is the largest and the most product-dense domain, prone to confusing the many similarly named Defender products, Microsoft Sentinel, and Azure network security controls, so it deserves to be studied last, with every earlier concept already in place to anchor it. This is sequencing advice based on the published weight ranges and how the topics depend on each other, not a claim about the science of learning; if a different order fits how you think, use it.

  1. Describe the concepts of security, compliance, and identity10-15% of the exam
  2. Describe the capabilities of Microsoft Entra25-30% of the exam
  3. Describe the capabilities of Microsoft compliance solutions20-25% of the exam
  4. Describe the capabilities of Microsoft security solutions35-40% of the exam

Module 1 of 4 · domain 1 · 10-15% of the exam

Describe the concepts of security, compliance, and identity

Study this first. At 10-15% it is the lightest domain, but it is the vocabulary layer the whole exam is built on: Zero Trust, the shared-responsibility model, the CIA triad, encryption and hashing, and authentication versus authorization are the words every later domain reuses.

What this domain actually covers

Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. Microsoft SC-900 study guide

This is the 'what do the words mean' domain, and Microsoft weights it at 10-15% - the smallest slice of SC-900. Do not let the low weight fool you into skipping it: it is the conceptual foundation that makes the three heavier domains legible. Everything Microsoft Entra, the security solutions, and the compliance solutions do is an implementation of the principles named here, so a few focused hours on this vocabulary turns the rest of the exam from memorization into recognition. For a career changer with no security background, this is also the friendliest place to start, because it is about ideas and definitions rather than product menus.

The shared-responsibility model is the mental frame the cloud portion of the exam rests on. In an on-premises datacenter you secure everything; as you move to infrastructure, platform, and software as a service, more of the stack is secured by the cloud provider and less by you. The exam expects you to reason about who is responsible for what at each service model - and to recognize the responsibilities that never leave the customer no matter the model, above all your own data and your own identities and accounts. The practical takeaway is that adopting a cloud service does not outsource your security; it redraws the line of what you still own.

Zero Trust is the security philosophy Microsoft threads through the entire exam, so understand it as a stance rather than a product. Its three guiding principles are verify explicitly (authenticate and authorize every request using all available signals, never trusting something just because it is inside the network), use least-privilege access (grant just enough access, just in time), and assume breach (design as if an attacker is already inside, so you segment and limit blast radius). Zero Trust is often organized around pillars - identities, devices, applications, data, infrastructure, and networks - each of which later maps to specific Microsoft capabilities. When a question describes not trusting a device merely because it sits on the corporate network, Zero Trust is the concept being tested.

The core security concepts give you the language of protection itself. The CIA triad - confidentiality, integrity, and availability - names the three properties every control ultimately serves: keeping data private, keeping it accurate and untampered, and keeping systems reachable when needed. Encryption protects confidentiality, and you should distinguish encryption at rest from encryption in transit; hashing protects integrity by producing a fingerprint that changes if the data changes. Defense in depth - layering controls so no single failure is fatal - and the practical distinction between a threat, a vulnerability, and a risk round out the vocabulary the exam draws on.

The identity concepts set up the entire Entra domain that follows, so learn them cleanly here. Identity is described as the new primary security perimeter, because in a cloud world the network boundary has dissolved and 'who is making this request' becomes the control point. The four pillars of an identity infrastructure - administration (managing identities and their lifecycle), authentication (proving who you are), authorization (deciding what you may do), and auditing (recording what happened) - recur throughout the exam. The single most important distinction to nail is authentication versus authorization: authentication answers 'are you who you claim to be,' authorization answers 'what are you allowed to do,' and confusing the two is a classic exam trap. Concepts like single sign-on, multi-factor authentication, and federation are introduced here and made concrete in Domain 2.

Study this domain by turning the vocabulary into a concept map you built yourself, because SC-900 rewards being able to describe and place ideas, not recite them. The lab below uses the Zero-Trust and shared-responsibility worksheet: with only a browser and Microsoft's public documentation, you fill in the six Zero Trust pillars, build a shared-responsibility grid across the service models, and map five core terms to the CIA property or trust principle each serves - no tenant, account, or payment required. As always, read the official SC-900 study guide for Microsoft's authoritative topic list; this explanation paraphrases its scope in our own words rather than reproducing it.

Learn it free

Sc900 Concepts Worksheet Lab

Map the six Zero Trust pillars and the shared-responsibility model across on-prem, IaaS, PaaS, and SaaS in your own words Map the CIA triad, encryption, and authentication-versus-authorization onto a concept table for the SC-900 concepts domain

Free tools

  • Any web browser
  • A plain-text or Markdown editor

Steps

  1. Open the free Microsoft Learn concepts path in one tab and the zero-trust-shared-responsibility-concept-map.md worksheet in your editor, and read the worksheet's top note confirming it touches no live system.
  2. Fill in Part A (the six Zero Trust pillars with a control example each) and Part B (the shared-responsibility grid marking who secures what across on-prem, IaaS, PaaS, and SaaS), summarizing the docs in your own words.
  3. Fill in Part C (mapping confidentiality, integrity, availability, authentication versus authorization, and encryption to the CIA property or trust principle each serves) and write the 'assume breach' reflection paragraph, then save the worksheet.

What you should see

Confirm the worksheet has all six Zero Trust pillars with control examples, a shared-responsibility grid that shifts responsibility toward Microsoft as it moves to SaaS while keeping data and identity with the customer, a five-row concept table mapping terms to CIA properties or trust principles, and a reflection paragraph on assume breach.

Practice evidence maps to exam_domain_microsoft_security_compliance_and_identity_fundamentals_sc_900_01

Stay safe & legal: This lab is reading Microsoft's public documentation and filling in a local worksheet only; it touches no Azure or Microsoft 365 tenant, requires no account and no payment, and creates, changes, or deletes nothing on any live system. Account required: no; payment required: no; maximum designed cost: $0.

Check yourself

2RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.

Check 1. A learner is asked why modern security does not automatically trust users or devices just because they are on the corporate network. Which concept should they describe?
Check 2. A business stakeholder asks why moving to cloud services does not mean Microsoft handles every security task. Which concept should the candidate explain?

Module 2 of 4 · domain 2 · 25-30% of the exam

Describe the capabilities of Microsoft Entra

Study this second. Microsoft weights it at 25-30% - the second-heaviest domain - and identity is the front door of the whole Microsoft cloud: Entra ID, multi-factor authentication, Conditional Access, and identity governance are referenced constantly inside both the security and the compliance domains.

What this domain actually covers

Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. Microsoft SC-900 study guide

This is the 'how does Microsoft manage identity' domain, and Microsoft weights it at 25-30% - the second-largest slice of SC-900. It takes the identity vocabulary from Domain 1 and grounds it in Microsoft Entra, the product family that handles who signs in and what they can reach across the Microsoft cloud. Because identity is described as the primary security perimeter, this domain is load-bearing: nearly every capability in the security and compliance domains assumes an Entra identity behind it, so time invested here pays off across the exam. For a career changer, much of this domain is administrative and approachable - managing users, requiring multi-factor sign-in, and reading access policies rather than configuring deep technology by hand.

Microsoft Entra ID is the centerpiece: Microsoft's cloud-based identity and access management service, and the directory that authenticates users and applications for Microsoft 365, Azure, and thousands of other apps. You should be able to describe the identity types it manages - the human users and groups of an organization, the guest or external identities that let partners and contractors collaborate, and the workload identities (service principals and managed identities) that let applications and services authenticate without a human. The unifying idea is that Entra ID is the trusted source of 'who is this,' and everything downstream - authorization, Conditional Access, governance - depends on that answer.

The authentication capabilities are where Entra makes 'verify explicitly' real, and they are heavily tested. Multi-factor authentication (MFA) requires two or more forms of proof - something you know, have, or are - and is the single highest-value defense against stolen passwords, so understand the methods (authenticator app, phone, hardware key). Self-service password reset (SSPR) lets users recover their own accounts without a help-desk ticket, reducing administrative load. Passwordless options (like FIDO2 keys or the authenticator app) push beyond passwords entirely, and single sign-on lets one authentication unlock many applications. The exam expects you to describe what each capability does and the problem it solves, not to configure it.

Access management is the domain's core reasoning skill, and Conditional Access is its flagship. Conditional Access is the policy engine that enforces Zero Trust: it evaluates signals about a sign-in - the user, the device, the location, the app, the risk level - and then decides whether to grant access, block it, or require an extra control such as MFA. This is 'verify explicitly' as a running system: access is never granted on network location alone but on a real-time assessment of the request. Alongside it, Azure role-based access control (RBAC) applies least privilege by assigning roles at a scope, so an identity gets only the permissions it needs. When a scenario describes requiring MFA only for risky sign-ins or from unmanaged devices, Conditional Access is the answer.

Identity protection and governance close the domain and connect it to compliance. Microsoft Entra ID Protection uses signals and risk detections to flag risky users and sign-ins so policy can respond automatically. Identity governance capabilities - access reviews (periodically re-certifying who should still have access), entitlement management (packaging access for streamlined requests and approvals), and Privileged Identity Management (PIM, granting powerful roles just-in-time and time-bound rather than standing) - operationalize least privilege at organizational scale. Some of these are premium (Entra ID P1/P2) features, so recognize them by capability even if your own free tenant cannot enable them. The through-line is lifecycle: an identity is provisioned, governed as its needs change, and de-provisioned when it leaves, and Entra provides tooling for each stage.

Study this domain by exploring the Entra admin center with your own eyes, because seeing where these capabilities live cements them. The lab below uses the Entra admin-center exploration checklist on a free tenant you own: you observe member versus guest users, list the MFA methods a user can register, open a Conditional Access policy to inspect its assignments and access controls (then cancel without saving), and record your tenant's identity tier - all view-only, changing nothing. Documentation-only completion is fully supported if you have no tenant. As always, read the official SC-900 study guide for Microsoft's authoritative topic list; this explanation paraphrases its scope in our own words rather than reproducing it.

Learn it free

Sc900 Entra Exploration Lab

Observe member versus guest identities and the multi-factor authentication methods available in a tenant you own Inspect the anatomy of a Conditional Access policy and record your tenant's identity tier without changing anything

Free tools

  • Microsoft Entra admin center (entra.microsoft.com)
  • A web browser
  • A plain-text or Markdown editor

Steps

  1. Read the checklist's safety boundary, sign in to a free tenant you own, and explore Users to record how a member differs from a guest and how a Security group differs from a Microsoft 365 group.
  2. Record the MFA methods a user could register and why SSPR reduces help-desk load, then open a Conditional Access policy blade to inspect its assignments and access controls and CANCEL without saving.
  3. Record your tenant's Entra tier and which identity governance features are available versus premium-only, then save the checklist with the confirmation line that you viewed only and changed nothing.

What you should see

Confirm the checklist records the member-versus-guest distinction, at least two MFA methods, the assignments and access controls of a Conditional Access policy inspected and cancelled without saving, the tenant's identity tier, and a view-only confirmation.

Practice evidence maps to exam_domain_microsoft_security_compliance_and_identity_fundamentals_sc_900_02

Stay safe & legal: Sign in and explore ONLY a free Azure or Microsoft 365 Developer tenant you own; never a work, school, employer, or client tenant. The entire lab is view-only - do not create, modify, or delete any user, policy, group, or license, and cancel out of every blade you open to inspect. Account required: yes; payment required: no; maximum designed cost: $0.

Check yourself

3RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.

Check 1. An organization needs a cloud identity platform for users, groups, authentication, and access to Microsoft cloud resources. Which Microsoft family should the candidate identify?
Check 2. A company wants to require multifactor authentication when users access sensitive apps from risky sign-ins or unmanaged devices. Which Microsoft Entra capability matches this need?
Check 3. Managers need a periodic review process to confirm whether users should keep access to groups, apps, and privileged roles. Which Microsoft Entra governance feature should they use?

Module 3 of 4 · domain 4 · 20-25% of the exam

Describe the capabilities of Microsoft compliance solutions

Study this third, before the heaviest security domain. At 20-25% it is a middle-weight domain, but it is narrow and self-contained - built around one product family, Microsoft Purview - so clearing it first lets you give the 35-40% security-solutions domain your freshest attention.

What this domain actually covers

Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. Microsoft SC-900 study guide

This is the 'how does Microsoft help an organization stay compliant and protect its data' domain, and Microsoft weights it at 20-25%. It is the most self-contained domain on the exam, built largely around one product family - Microsoft Purview - so it rewards a coherent mental model rather than a scattering of facts. We study it before the heaviest security domain because clearing this narrower, well-organized material first builds momentum and frees your best concentration for the product-dense security domain that follows. Much of this domain is about governing, classifying, and protecting data and about demonstrating and managing regulatory compliance, which ties directly back to the confidentiality and integrity properties from Domain 1.

The compliance concepts open the domain and give it its frame. Data residency, data sovereignty, and data privacy describe where data physically lives, which laws govern it, and the individual's rights over it - concepts that drive real design decisions in regulated industries. The shared-responsibility idea from Domain 1 returns here in a compliance guise: the provider attests to the security and compliance of the platform while the customer remains responsible for compliant use of it. The Service Trust Portal is the public resource where Microsoft publishes audit reports, certifications, and compliance guidance so customers can verify the provider's side - the 'trust but verify' surface of shared responsibility, and one you can explore with no login.

Microsoft Purview and Compliance Manager are the domain's governance backbone. Compliance Manager helps an organization measure and manage its compliance posture against regulations and standards, producing a compliance score built from improvement actions - concrete, prioritized steps that raise the score as you complete them, some the customer's responsibility and some Microsoft's. The mental model to carry, and the parallel that makes it click, is that Compliance Manager is to regulatory compliance what Secure Score is to security posture: a single measurable number that turns a vague 'are we compliant' into an actionable, tracked list. Purview is the umbrella under which the data-protection, governance, and risk capabilities that follow all live.

Information protection and data lifecycle management are the domain's data-security heart and the part most worth understanding as a system. Sensitivity labels classify data by how sensitive it is (for example Public, Internal, Confidential) and can enforce protection such as encryption or watermarking that travels with the file wherever it goes. Data Loss Prevention (DLP) policies detect and prevent risky sharing of sensitive information - for example blocking credit-card numbers from leaving via email - by matching content against sensitive information types across defined locations. Records management and retention govern how long data is kept and when it is defensibly deleted across its lifecycle. The unifying insight the exam rewards is that classification comes first: labeling data by sensitivity is what lets DLP, retention, and protection act on it intelligently.

Insider risk and eDiscovery and audit close the domain and connect data protection to investigation. Insider risk management helps detect and act on risky internal activity - data theft by a departing employee, for example - while balancing privacy. eDiscovery is the capability to identify, hold, and export content relevant to a legal case or investigation, and audit provides the searchable record of what happened across the environment. Communication compliance monitors messaging for policy violations. Together these are the 'prove what happened and find what matters' capabilities: where information protection stops bad things, these let an organization investigate and demonstrate compliance after the fact, supporting the integrity and accountability properties from Domain 1.

Study this domain by summarizing every Purview capability against the concept it implements, because the exam rewards knowing which tool fits a described compliance need. The lab below uses the Purview and Service Trust Portal worksheet: you browse the login-free Service Trust Portal and record what it provides, summarize each Purview capability (Compliance Manager, sensitivity labels, DLP, retention, eDiscovery, audit, insider risk) in your own words, inspect the anatomy of a Compliance Manager score, a DLP policy, and a sensitivity label view-only in a free tenant you own (cancelling out, never acting on real data), and tie the capabilities back to CIA - with documentation-only completion fully supported. As always, read the official SC-900 study guide for Microsoft's authoritative topic list; this explanation paraphrases its scope in our own words rather than reproducing it.

Learn it free

Sc900 Compliance Purview Lab

Record what the Service Trust Portal provides and summarize each Microsoft Purview capability in your own words Inspect the anatomy of a Compliance Manager score, a DLP policy, and a sensitivity label view-only and tie the capabilities to the CIA triad

Free tools

  • Service Trust Portal (servicetrust.microsoft.com)
  • A web browser
  • A plain-text or Markdown editor
  • Optional: Microsoft Purview compliance portal in a tenant you own

Steps

  1. Read the worksheet's safety boundary, then browse the login-free Service Trust Portal and record two document types it provides, one standard or regulation referenced, and how it supports 'trust but verify'.
  2. Fill Part B by writing a one-line 'what it does' in your own words for Compliance Manager, sensitivity labels, DLP, records management/retention, eDiscovery, audit, and insider risk management.
  3. Do the three view-only anatomy exercises (Compliance Manager score, DLP policy - cancel without saving, sensitivity label - cancel), fill the CIA-mapping section, answer the scenario prompt, and save the worksheet with any view-only confirmation.

What you should see

Confirm the worksheet records Service Trust Portal contents, a your-words summary of each Purview capability, the inspected anatomy of a Compliance Manager score, DLP policy, and sensitivity label (cancelled without saving), a CIA mapping, and a correct scenario answer.

Practice evidence maps to exam_domain_microsoft_security_compliance_and_identity_fundamentals_sc_900_04

Stay safe & legal: The Service Trust Portal public content needs no login; any Purview compliance portal viewing is done ONLY in a Microsoft 365 Developer tenant you own, never a work, school, employer, or client tenant, and everything is view-only - do not create DLP policies, apply sensitivity labels to real data, or change Compliance Manager assessments, and cancel out of every blade you inspect. Account required: optional; payment required: no; maximum designed cost: $0.

Check yourself

3RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.

Check 1. A compliance team wants a Microsoft portal for data governance, risk, compliance, audit, eDiscovery, and information protection capabilities. Which solution family should they identify?
Check 2. Leadership wants a dashboard that helps assess compliance posture, track improvement actions, and understand compliance score. Which Microsoft Purview capability fits?
Check 3. A company needs to discover, classify, label, and protect sensitive information such as financial and personal data. Which Microsoft Purview capability should the candidate describe?

Module 4 of 4 · domain 3 · 35-40% of the exam

Describe the capabilities of Microsoft security solutions

Study this last. At 35-40% it is by far the heaviest domain and the most product-dense - the many similarly named Defender products, Microsoft Sentinel, and Azure network security controls are easy to confuse - so give it your freshest, most sustained attention with every earlier concept already in place.

What this domain actually covers

Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. Microsoft SC-900 study guide

This is the 'how does Microsoft defend the estate' domain, and Microsoft weights it at 35-40% - by far the heaviest slice of SC-900, worth studying last and hardest. Its difficulty is not conceptual but organizational: Microsoft's security portfolio is large and its products share overlapping names (many begin with 'Defender'), so the skill the exam tests is placing each product against the layer it protects and the job it does. We study it after concepts, identity, and compliance so that every acronym here lands on a foundation you already understand. Approach it as a mapping exercise rather than a memorization slog: know what each tool is for and which similar-sounding tool it is not.

Azure network security is the first grouping, and it covers the controls that protect resources at the network layer. Network Security Groups (NSGs) filter traffic to and from Azure resources with allow and deny rules; Azure Firewall is a managed, stateful firewall service for a virtual network; Azure DDoS Protection defends against volumetric attacks that try to overwhelm a service; and a Web Application Firewall (WAF) protects web applications from common exploits. The exam expects you to describe each control's purpose and recognize which one fits a described need - for example, choosing DDoS Protection for an availability attack versus a WAF for application-layer exploits.

Microsoft Defender for Cloud is the cloud security posture and workload protection grouping, and two distinctions matter. Cloud Security Posture Management (CSPM) continuously assesses your configuration against best practice and surfaces a Secure Score with recommendations to improve - available in a foundational free form. Cloud Workload Protection (CWP) adds active threat detection for specific workloads (servers, storage, databases, containers) and requires enabling paid Defender plans. Defender for Cloud also extends across multicloud and hybrid environments. Secure Score is the concept to internalize: a single measurable posture number that turns 'are we configured securely' into an actionable, prioritized list, and it maps directly back to Zero Trust and least privilege from the earlier domains.

Microsoft Sentinel is the security operations grouping, and it introduces two acronyms the exam probes. Sentinel is Microsoft's cloud-native SIEM and SOAR platform: as a SIEM (Security Information and Event Management) it collects and correlates security data from across the estate so that a pattern invisible in any single source becomes visible; as a SOAR (Security Orchestration, Automation, and Response) it automates response through playbooks so routine reactions happen without manual effort. The clean distinction to carry is that SIEM is about seeing - centralizing and analyzing signals - while SOAR is about acting - orchestrating and automating the response. When a scenario describes one console to collect logs from many sources and hunt across them, Sentinel is the answer.

Microsoft Defender XDR is the extended detection and response grouping and the umbrella that ties much of the portfolio together. XDR (Extended Detection and Response) unifies signals across email, endpoints, identities, and cloud apps into a single incident view and coordinated response, so an analyst investigates one correlated incident rather than juggling separate tools. Under it sit the component Defenders you should recognize by scope: Defender for Endpoint (device protection and EDR), Defender for Office 365 (email and collaboration threats), Defender for Identity (on-premises Active Directory signals), and Defender for Cloud Apps (a cloud access security broker for SaaS visibility and control). Microsoft Security Copilot, the generative-AI assistant that helps analysts investigate and respond, is the newest capability to recognize here. The recurring exam skill is telling these apart: XDR is the unified console and Sentinel is the SIEM/SOAR, and each component Defender guards a specific layer.

Study this domain by placing every product on a comparison grid yourself, because that placement is exactly what the exam rewards and what defeats the name confusion. The lab below uses the Defender, Sentinel, and XDR comparison worksheet: you fill a grid of what each product does and the layer it protects, resolve the two confusable pairs (SIEM vs SOAR, CSPM vs CWP), and record Secure Score - optionally grounded by a view-only look at the Defender portal or Defender for Cloud in a free tenant you own, but never enabling a paid Defender plan, and fully completable from documentation alone. As always, read the official SC-900 study guide for Microsoft's authoritative topic list; this explanation paraphrases its scope in our own words rather than reproducing it.

Learn it free

Sc900 Security Solutions Comparison Lab

Place each Defender product, Microsoft Sentinel, and Defender XDR against the layer it protects on a comparison grid Resolve the SIEM-versus-SOAR and CSPM-versus-CWP distinctions and record what Secure Score measures without enabling any paid plan

Free tools

  • Any web browser
  • A plain-text or Markdown editor
  • Optional: Microsoft Defender portal or Azure portal in a tenant you own

Steps

  1. Read the worksheet's safety boundary, then fill Part A by writing a one-line purpose for each of Defender XDR, Defender for Endpoint, Defender for Cloud, Sentinel, Defender for Office 365, and Defender for Identity and ticking the layer(s) each protects.
  2. Fill Part B (SIEM versus SOAR and CSPM versus CWP, noting the free-versus-paid line) and Part C (what Secure Score measures and one recommendation, from docs or a view-only portal look labelled accordingly).
  3. Fill Part D (one sentence each on NSG, Azure Firewall, Azure DDoS Protection, and WAF), answer the cross-layer hunting scenario, and save the worksheet with any view-only no-paid-plan confirmation.

What you should see

Confirm the worksheet places each product against a layer, distinguishes SIEM from SOAR and CSPM from CWP with the free-versus-paid line, records what Secure Score measures, places the four network building blocks, and (if any portal was viewed) confirms no paid Defender plan was enabled.

Practice evidence maps to exam_domain_microsoft_security_compliance_and_identity_fundamentals_sc_900_03

Stay safe & legal: Any portal viewing is done ONLY in a free Azure or Microsoft 365 Developer tenant you own, never a work, school, employer, or client tenant, and you must NEVER enable a paid Microsoft Defender for Cloud plan - the free Foundational CSPM and Secure Score are sufficient and documentation-only completion is fully supported. Account required: optional; payment required: no; maximum designed cost: $0.

Check yourself

4RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.

Check 1. A security team wants incidents that correlate signals from endpoints, identities, email, and cloud apps in a unified experience. Which Microsoft security solution should the candidate recognize?
Check 2. A company needs endpoint protection, vulnerability information, attack surface reduction, and endpoint detection and response for Windows devices. Which product family fits?
Check 3. A security operations center wants cloud-native SIEM and SOAR capabilities for analytics rules, incidents, hunting, and automation. Which Microsoft security solution should they evaluate?
Check 4. A cloud team needs recommendations and workload protection for Azure, hybrid, and multicloud resources. Which Microsoft solution provides cloud security posture management and workload protection?

Skills you’ll build

Studying Microsoft Security, Compliance, and Identity Fundamentals (SC-900)builds transferable skills that carry across employers and platforms, not just toward this one exam. Each has a free, source-cited RoleMath primer — what it is, a step-by-step free learning path, clearly labeled free resources, and a safe hands-on exercise:

Before you book the exam

Work through the modules above, then get a personalized read on where you stand: the readiness check maps your background against these same published domains and suggests what to study first — no score, no pass prediction.

Exam facts (cited)

A free, source-cited study companion built on Microsoft's published SC-900 study guide, for independent study only. It is not official training, is not affiliated with or endorsed by Microsoft, and is not a pass guarantee. SC-900 is an entry-level, no-prerequisite fundamentals exam, and every lab here is a worksheet completed against Microsoft's public documentation or a view-only look at your OWN free tenant. Verify the current objectives on the official study guide before your exam.

Sources used on this page

Certification and vendor names are used only to identify the program this independent study companion refers to. RoleMath is not affiliated with, endorsed by, or sponsored by Microsoft.