Microsoft Security, Compliance, and Identity Fundamentals (SC-900)

In July 2021, I took the Microsoft Security, Compliance, and Identity Fundamentals (SC-900) exam.
NB: The exam content has changed since then, so some of the specifics in this blog post might be out of date.

According to the exam description:
“Candidates should be familiar with Microsoft Azure and Microsoft 365 and want to understand how Microsoft security, compliance, and identity solutions can span across these solution areas to provide a holistic and end-to-end solution.”
I’ve previously taken MS-900 (Microsoft 365 Fundamentals) and AZ-900 (Azure Fundamentals), and I’d recommend them as a starting point to address the prerequisites.

I used the free online training to prepare for this exam. This includes 4 “learning paths”, although I think that term is a bit confusing: each path is a group of modules, and you have to do all the paths, rather than choosing one route to get to your destination.

  • Part 1: Describe the concepts of security, compliance, and identity
    (2 modules, 0h 43m)
  • Part 2: Describe the capabilities of Microsoft Azure Active Directory, part of Microsoft Entra
    (4 modules, 1h 40m)
  • Part 3: Describe the capabilities of Microsoft security solutions
    (4 modules, 1h 51m)
  • Part 4: Describe the capabilities of Microsoft compliance solutions
    (6 modules, 2h 01m)

That’s a total of 16 modules (6h 15m).

Some of these modules are shared with other learning paths, e.g. “Describe security capabilities of Microsoft Sentinel” is used by SC-900 and MS-900. In other cases, there’s an overlap in content, e.g. describing the shared responsibility model for IaaS vs PaaS vs SaaS.

More generally, I didn’t learn much from part 1. As the title suggests, it’s dealing with concepts rather than implementation, e.g. the difference between hashing and encryption. If you’ve done an exam like Security+ then you’ll probably know most of this already. However, it didn’t take me long to whizz through it, and I don’t recommend skipping it; there might be something in there that’s new to you.

It took me about 10 calendar days to prepare for this exam. (More precisely, it took me 17 days, but there was a week in the middle when I didn’t spend any time on this.) I was working full time, so I had to fit my study time into evenings and weekends.

When I studied for AZ-900, several of the modules included a sandbox where you could try out a particular feature (e.g. creating a new VM). The SC-900 modules have “interactive guides” instead, but I found them quite clunky: you have to click on the relevant part of the screen, and clicking anywhere else will produce an error, rather than having all of the menus etc. available for you to explore.

As an alternative, if you have a subscription to Azure and Exchange Online then you can try out these features in a live environment. However, some of the features are only available with a more expensive licence, and you can expect to get exam questions about that. This creates something of a dilemma: if your subscription has access to all of the features then you’ll get the hands-on experience, but then it’s difficult to remember which features are licence-specific. By contrast, if you have a cheap licence then you’ll have a good idea of which features you can’t access, but then you won’t have experience with them. In my case, I was able to square that circle because I had access to 2 subscriptions: company A had the expensive licence and company B had the cheap licence. However, that solution might not be available to everyone.

I recommend taking notes as you go along, particularly if there are similar names which you might get confused. For instance, PIM (Privileged Identity Management) applies at role level, whereas PAM (Privileged Access Management) applies at task level. I also make notes when I see a list, e.g. the 4 pillars of identity or the 6 privacy principles.

As I mentioned above, Microsoft update the exam content (and the learning modules) periodically. However, they also keep rebranding their products, and the exams might lag behind. For instance, after Azure Security product name changes in November 2021, there were 2 products with very similar names:

  • Microsoft Defender for Cloud (previously Azure Security Center and Azure Defender)
  • Microsoft Defender for Cloud Apps (previously Microsoft Cloud App Security)

Good luck keeping them straight in your head! Likewise, if the exam asks you which website you would use to perform a particular task, all I can say is take your best guess.

Before I started the exam, they said I could go back to review previous questions in the same section. However, once I moved onto the next section, I wouldn’t be able to go back to any previous sections. As it turned out, the exam only contained 1 section, so that was irrelevant! I assume that Microsoft use the same preamble for every exam, so it won’t all be relevant.

Timing wasn’t a problem for me:

  • They said that I had 60 minutes to answer 46 questions.
  • It took me 16 minutes to finish my first pass, where I chose an answer for every question but flagged the ones I wasn’t sure about.
  • I then did a second pass for the questions I’d flagged, and a third pass to review everything.
  • I finished the entire exam in about 25 minutes (i.e. it took me 9 minutes for the second/third passes combined).

As I’ve said in other posts, this isn’t a race, so don’t worry if it takes you a bit longer. In lots of cases, I knew the answer within a few seconds of looking at the question, simply because I’m familiar with the technology.

That said, be aware that the “flag for feedback” box applies to the exam as a whole, not to a specific question. If you tick the box, you get an extra 5 minutes to go back through the exam and offer feedback (e.g. pointing out any spelling mistakes). In practical terms, that means that you’ll need to click through the questions fairly quickly to get to the ones you want. However, it only took me 2 minutes, because I only had feedback on 1 question.