SC-900 prep, Microsoft Security, Compliance, and Identity Fundamentals with ARIA
Microsoft's SC-900 (Security, Compliance, and Identity Fundamentals) is a 60-minute exam of roughly 40 to 60 items scored on a 1000-point scale with 700 to pass. It is a beginner credential with no prerequisites, designed for candidates who want a credentialed foundation in Microsoft's security, compliance, and identity products before stepping into role-based exams like SC-200, SC-300, or SC-400. ARIA runs the adaptive evaluation, builds your four-domain roadmap, and stands behind it with a pass guarantee tied to five measurable conditions.
TL;DR
- SC-900 is Microsoft's security fundamentals exam, current as of 2026: 60 minutes, approximately 40 to 60 items, 700 on a 1000-point scaled score to pass, no prerequisites.
- The blueprint splits across four domains: SCI concepts at 17 percent, Identity and Access Management at 33 percent, Security Solutions at 33 percent, Compliance Solutions at 17 percent.
- Identity and Security each carry 33 percent. Together those two domains drive two-thirds of the pass.
- Typical roadmap is 2 to 4 weeks for most candidates. SC-900 is one of the shortest in the catalog.
- Pass guarantee eligibility requires every milestone done, two mock exams passed, one gauntlet at 80 percent or higher, and a live readiness score of 80 or higher when you sit the exam.
What the SC-900 exam is
SC-900 tests recognition of security, compliance, and identity concepts plus Microsoft product capabilities at the fundamentals level. It is not a configuration exam. You will not need to know which PowerShell cmdlet enables a conditional access policy. You will need to know what conditional access does, which Microsoft product owns it, where it fits relative to MFA and identity protection, and when it applies. The exam rewards candidates who can map a stated security or compliance need to the Microsoft product that solves it.
Domain weights, current as of 2026
| Domain | Weight |
|---|---|
| Describe the concepts of security, compliance, and identity | 17% |
| Describe the capabilities of Microsoft Entra | 33% |
| Describe the capabilities of Microsoft security solutions | 33% |
| Describe the capabilities of Microsoft compliance solutions | 17% |
The blueprint is balanced around two heavy domains (Identity and Security) and two lighter framing domains. The two big domains together drive 66 percent of the exam, which is why the roadmap shape leans hard into Entra ID and Microsoft Defender from week one. The two smaller domains still need real coverage, because the scaled-score model penalizes weak coverage on any domain.
Fundamentals format and item types
The exam runs 60 minutes through Pearson VUE, online proctored or test center. Item types are mostly multiple-choice and multiple-select, with some drag-and-drop and matching items where you align a Microsoft product to a stated capability. SC-900 does not include case studies, lab simulations, or hot-area image clicks. That keeps the per-item time short and is why most candidates finish in 35 to 45 minutes, with the remainder used for review.
Where SC-900 sits in the Microsoft security stack
SC-900 is the foundational credential in the Microsoft Security, Compliance, and Identity certification family. The role-based exams above it cover specialized practitioner roles: SC-200 for Security Operations Analyst, SC-300 for Identity and Access Administrator, SC-400 for Information Protection Administrator, and MS-500 (now retired) historically for Security Administrator. SC-900 is not a prerequisite for any of those, but candidates new to the stack benefit from it because the higher exams assume Entra ID and Microsoft Defender fluency that SC-900 builds.
How ARIA preps you for it
SC-900 gets one of the shortest, tightest roadmaps in the catalog, because the blueprint is concept-focused and the exam runs only an hour.
The CAT evaluation hits all four domains in 15 to 25 questions. I open every cert with a CAT adaptive test. For SC-900, the evaluation samples Identity and Security more heavily than the two smaller domains because the exam does. A 25-question CAT typically allocates eight to ten items each to Entra ID and security solutions, and three to four each to the two framing domains. That domain-by-domain read decides which phase your roadmap opens with.
The roadmap is two to three phases, not four or five. Working professionals studying 30 to 45 minutes a day usually finish in 2 to 4 weeks. The roadmap is two heavy phases (Identity and Security) wrapped between two shorter framing phases. Strong-identity candidates compress phase one; weak-identity candidates spend an extra milestone on the conditional access and identity-protection details. See the roadmap overview for how phases, milestones, and tasks fit together.
Practice sessions train product recognition under time pressure. SC-900 writes scenarios where two or three Microsoft products technically could solve the stated problem, but only one fits the constraints in the prompt. The drill is recognizing that Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud, and Microsoft Sentinel each have specific scopes and that picking the wrong one on a prompt is the most common point loss. I build practice sessions around that pattern from milestone one.
The error backlog tags concept versus product mapping. Every wrong answer goes into a backlog with a tag. Did you miss it because you did not know what zero-trust means, or because you knew zero-trust but mapped it to the wrong Microsoft product? The two failure modes get different remediation. Concept misses come back as targeted micro-sessions within 24 hours. Product-mapping misses come back as discrimination drills where I show you three Microsoft products and ask which one fits a stated scenario.
The demo test mirrors exam conditions exactly. The demo test is a full exam-length session, locked until 60 percent readiness. I require one demo pass at 700 scaled or higher before the gauntlet unlocks. The gauntlet then layers in fatigue and unfamiliar product naming (because the Entra ID rebrand created naming variation that the exam reflects).
Readiness gates the demo test and the gauntlet. The demo test is locked until 60 percent readiness. The gauntlet is locked at 80 percent. Both reflect the point at which the next session type produces signal instead of noise. See readiness and decay for how the score moves and why it drops if you go quiet.
Common pitfalls on SC-900
These are the topics that quietly cost the most points.
The Microsoft Defender family. Microsoft Defender for Endpoint, for Office 365, for Cloud, for Identity, for Cloud Apps. Five products with overlapping names, each scoped to a different attack surface. The exam writes distractors out of these confusions on purpose. I run dedicated discrimination drills inside the Security Solutions milestone so candidates can match a stated threat (phishing email, lateral movement, exposed cloud resource) to the correct Defender product reflexively.
Entra ID terminology and rebrand effects. Azure AD became Entra ID, and the new naming covers Entra ID, Entra Verified ID, Entra Permissions Management, and Entra ID Governance. Materials older than 2024 still use Azure AD names. The exam uses Entra ID terminology now. Candidates who studied from older content sometimes lose 4 to 6 points just on naming, even when they recognize the underlying concept.
Conditional access versus MFA versus identity protection. Three related controls with different scopes. Conditional access is the policy engine. MFA is one control conditional access can require. Identity protection detects risk signals that conditional access can react to. The exam writes scenarios where the right answer requires picking which of the three solves the stated business problem. I drill the discrimination in the Identity milestones.
Compliance product mapping. Microsoft Purview spans information protection, data loss prevention, insider risk management, eDiscovery, audit, communication compliance, and records management. The exam tests whether you can map a compliance scenario (regulated data leaving the org, internal investigation, retention policy enforcement) to the correct Purview capability. Candidates who study Purview as one block instead of seven distinct capabilities lose points here.
Zero trust principles and the shared responsibility model. The two framing concepts the exam returns to repeatedly. Zero trust has three principles (verify explicitly, least privilege, assume breach) and the exam tests recognition of which principle a given control implements. The shared responsibility model differs by service tier (SaaS, PaaS, IaaS) and the exam tests which responsibilities sit with Microsoft versus the customer at each tier. Both topics are conceptual recall, and both get tested every exam.
Authentication versus authorization versus identity governance. Three identity concepts that get conflated. Authentication is who you are. Authorization is what you can do. Identity governance is who should have what access and how it gets reviewed. The exam tests this discrimination explicitly. I cover it in the first Identity milestone.
Common Questions
Is SC-900 worth taking, or should I skip to SC-200 or SC-300?
SC-900 is worth taking when your security and identity background is light. It is a foundational credential, not a senior one. If you already work with Microsoft 365, Entra ID, and Microsoft Defender daily, skip SC-900 and target SC-200 (Security Operations Analyst), SC-300 (Identity and Access Administrator), or SC-400 (Information Protection Administrator) directly. SC-900 is most useful for candidates new to the Microsoft security stack or pivoting from adjacent roles.
Do I need prerequisites for SC-900?
No formal prerequisites. Microsoft positions SC-900 as a fundamentals exam, accessible to candidates without prior security experience. General familiarity with cloud computing and Microsoft 365 helps, but the exam tests recognition of concepts and Microsoft product capabilities at the conceptual level, not deep configuration knowledge.
How does SC-900 score and how many questions does it have?
The exam runs 60 minutes with approximately 40 to 60 items, mixing multiple-choice, multiple-select, and drag-and-drop questions. A pass is 700 on a 1000-point scaled score, with item difficulty and weighting factored in, not a raw percentage. Microsoft does not publish exact item counts because forms vary. Most candidates finish in 35 to 45 minutes.
How long should I expect to study for SC-900?
At 30 minutes a day, plan on 4 to 6 weeks. At 45 minutes a day, 3 to 4 weeks. At 60 minutes a day, 2 to 3 weeks. SC-900 is one of the shortest typical roadmaps in the catalog because the blueprint is concept-focused and the exam is fixed-form MCQ. Candidates with prior Microsoft 365 exposure compress these timelines further.
SC-900 vs AZ-900, which one fits my path?
AZ-900 is a fundamentals exam for Azure broadly, including compute, storage, networking, identity, and pricing. SC-900 is a fundamentals exam for security, compliance, and identity specifically, with deeper Entra ID and Microsoft Defender coverage. Candidates targeting a general Azure role take AZ-900 first; candidates pivoting into security and compliance roles take SC-900 first. Both are reasonable starting points, and neither is a prerequisite for the other.
Is SC-900 still relevant given the Entra ID rebrand?
Yes. The exam was updated to reflect the Azure AD to Entra ID rebrand, and the current blueprint references Entra ID throughout. The underlying identity concepts (RBAC, conditional access, MFA, identity protection) are unchanged. Candidates studying from materials older than 2024 should verify they cover the rebrand, because the exam now uses Entra ID terminology and the older Azure AD names will not match the question text.
Where do I see whether I am eligible for the pass guarantee?
On the dashboard, once all five conditions hold. The check runs after every milestone validation, and the eligibility flag flips automatically. Read the full breakdown of the conditions on the pass guarantee page, and the adaptive cert prep explained article for the structural reasoning behind the design.
Start your SC-900 roadmap
The cheapest possible signal is a 15 to 25 question CAT evaluation against the SC-900 blueprint. The output is a domain-by-domain skill estimate across the four domains, a roadmap weighted toward Identity and Security (the two 33 percent domains), and your day-one task. If the evaluation lands you Novice on Identity, the roadmap opens with Entra ID fundamentals before touching the Defender stack. If you are already Competent on Identity, the roadmap moves into Security Solutions sooner.
Either way, the measurement is more useful than another month of unmeasured study. Open the SC-900 onboarding flow and start the evaluation. From there, practice sessions take over the daily cadence, and I pick the next task every time you reopen the app.