SC-900 Overview & My Tips

SC-900 or Microsoft Security, Compliance, and Identity Fundamentals is a fundamentals (one star) certification from Microsoft. It is aimed at people who want to know about the security, compliance and identity feature of the various Microsoft Cloud products (Microsoft 365, Azure and Dynamics 365). Note this certification focuses on Microsoft 365 and Azure only.

Generally, the Fundamentals qualifications can be classified as looking at what not how. So, for example, with the Security, Compliance and Identity Fundamentals you need to know what options are available for securing your cloud services within the Microsoft stack but not how to implement it. Therefore these qualifications are often targeted at those in business management and sales roles. If you have a technical role or mindset, the challenge with the fundamentals certifications can be that we tend to want to know how something works in order to understand what it can do and therefore end up overcomplicating things and going too deep. The objectives for this exam are primarily to describe or define the features.

Disclaimer: All these links were correct at the time of posting. But the Cloud changes regularly, so the referenced articles my change/be removed. Please do post a comment if you spot a broken link or have suggestions to add so others can benefit too.

General References

SC-900 Exam page https://docs.microsoft.com/en-us/learn/certifications/exams/sc-900
Microsoft Learn. Provides searchable learning paths and modules for a variety of roles and levels. https://docs.microsoft.com/en-us/learn/
Learn TV. Digital content so you can always keep updated on the latest announcements, features, and products from Microsoft. https://docs.microsoft.com/en-us/learn/tv/
Microsoft Azure Blog https://azure.microsoft.com/en-us/blog/
Channel 9. Informational videos, shows, and events on variety of technical topics. https://channel9.msdn.com/
Microsoft Learning Community Blog. Get the latest information about the certification tests and exam study groups. https://www.microsoft.com/en-us/learning/community-blog.aspx
Azure Documentation https://docs.microsoft.com/en-us/azure/
Microsoft 365 Documentation https://docs.microsoft.com/en-us/microsoft-365
Microsoft Security Documentation https://docs.microsoft.com/en-gb/security/

Taking a Microsoft Professional Exam

There are a number of blogs about taking MCP exams. My personal favourites are:

Pre-study References

Before attending an SC-900 course you should have a good understanding of what the Microsoft Cloud is. I would recommend reviewing both MS-900 (Microsoft 365 Fundamentals) and AZ-900 (Azure Fundamentals) content either by attending a course or reviewing the content on Microsoft Learn. You do not need to pass the exams, but the content will help with this course and exam. These resources can help.

My MS-900 Extras Page – https://m365train.co.uk/2021/08/15/ms-900-course-extras
Azure Fundamentals Learning Path (Microsoft Learn)
- Describe Core Azure Concepts https://docs.microsoft.com/en-us/learn/paths/az-900-describe-cloud-concepts/
- Describe Core Azure Services https://docs.microsoft.com/en-us/learn/paths/az-900-describe-core-azure-services/
- Describe core solutions and management tools on Azure https://docs.microsoft.com/en-us/learn/paths/az-900-describe-core-solutions-management-tools-azure/
- Describe general security and network security features https://docs.microsoft.com/en-us/learn/paths/az-900-describe-general-security-network-security-features/
- Describe identity, governance, privacy and compliance features https://docs.microsoft.com/en-us/learn/paths/az-900-describe-identity-governance-privacy-compliance-features/
Introduction to Azure security (Microsoft Learn) https://docs.microsoft.com/en-us/azure/security/fundamentals/overview
Introduction to Microsoft 365 Security & Compliance (Microsoft Learn) https://docs.microsoft.com/en-us/learn/paths/m365-security-compliance-capabilities/
Azure identity management security overview https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-overview
Microsoft Azure Well-Architected Framework Security (Learn) https://docs.microsoft.com/en-us/learn/modules/azure-well-architected-security/

Microsoft Learn Learning Paths (SC-900)

SC-900 part 1: Describe the concepts or security, compliance, and identity https://docs.microsoft.com/en-us/learn/paths/describe-concepts-of-security-compliance-identity/
SC-900 part 2: Describe the capabilities of Microsoft identity and access management https://docs.microsoft.com/en-us/learn/paths/describe-capabilities-of-microsoft-identity-access/
SC-900 part 3: Describe the capabilities of Microsoft security solutions https://docs.microsoft.com/en-us/learn/paths/describe-capabilities-of-microsoft-security-solutions/
SC-900 part 4: Describe the capabilities of Microsoft compliance solutions https://docs.microsoft.com/en-us/learn/paths/describe-capabilities-of-microsoft-compliance-solutions/

Relevant Videos

Zero Trust https://www.microsoft.com/en-us/videoplayer/embed/RE4J3ms
Cloud adoption framework video https://www.microsoft.com/en-us/videoplayer/embed/RE4tyzr
Azure AD Authentication Fundamentals https://www.microsoft.com/en-us/videoplayer/embed/RE4Kdt9
The new sign-in standard: Passwordless authentication https://www.microsoft.com/en-us/videoplayer/embed/RE4zhD7
Azure AD Conditional Access https://www.microsoft.com/en-us/videoplayer/embed/RE4INyI
AD entitlement management https://www.microsoft.com/en-us/videoplayer/embed/RE4JXQr
Privileged identity Management https://www.microsoft.com/en-us/videoplayer/embed/RE4ILbu
Azure Sentinel https://www.microsoft.com/en-us/videoplayer/embed/RE4LHLR
M365 Defender Overview https://www.microsoft.com/en-us/videoplayer/embed/RE4IPYr
M365Defender-Incident https://www.microsoft.com/en-us/videoplayer/embed/RE4J3mt
Explore endpoint security https://www.microsoft.com/en-us/videoplayer/embed/RE4LTIu
Compliance Manager https://www.microsoft.com/en-us/videoplayer/embed/RE4FGYZ
Data Classification in the M365 Compliance Center https://www.microsoft.com/videoplayer/embed/RE4vx8x
Detect Workplace Harassment & Respond – Communication Compliance in Microsoft 365 https://www.microsoft.com/videoplayer/embed/RE4xlaF
Privileged Access Management https://www.microsoft.com/videoplayer/embed/RE4xqtC

References by Exam Objectives

Based on exam objectives from July 26, 2021

Describe the Concepts of Security, Compliance, and Identity (10-15%)

Describe security and compliance concepts & methodologies

describe the Zero-Trust methodology
- Zero Trust Guidance Center | Microsoft Docs
describe the shared responsibility model
- Bear in mind this exam cover Microsoft 365 (SaaS) and Azure (PaaS & IaaS) so you do need to understand and describe the shared responsibility model for all 3
- Shared responsibility in the cloud – Microsoft Azure | Microsoft Docs
define defense in depth
- Defense In Depth: Enterprise Mobility and Security’s advanced protection capabilities (microsoft.com)
- End-to-end security in Azure | Microsoft Docs
describe common threats

There is no specific reference for this and the actual threat landscape does shift continuously. Threats to organisational security are around the risks to organisations of loss of data or loss of service. The terms you should understand and be able to explain are unauthorised access to systems (commonly known as hacking), unauthorised use of user credentials, denial of service attacks, malware, ransomware, data stolen by staff, data accidentally lost by staff, phishing, spear phishing, scams, SQL injection, dictionary attack, brute force attack, trojan, worm, rootkit exploits