Review the Microsoft Cybersecurity Architect (SC-100) scope, Zero Trust strategy, governance, operations, data security, identity, and cloud-security design traps before practicing.

SC-100 is an architecture exam. Use this cheat sheet to keep the discussion at the design level: strategy, risk, identity, data, operations, governance, and Microsoft security service fit.

Use this with practice. Review the architecture checkpoints, then return to the SC-100 exam page for sample questions and update tracking.

| Field | Detail |
|---|---|
| Issuer | Microsoft |
| Certification lane | Microsoft Cybersecurity Architect |
| Exam code | SC-100 |
| Main scope | Security architecture strategy across identity, data, apps, operations, infrastructure, and governance |
| IT Mastery status | Sample questions available |

| Area | What to know | Common trap |
|---|---|---|
| Zero Trust strategy | Verify explicitly, use least privilege, assume breach, and monitor continuously | Treating VPN or network location as sufficient trust |
| Governance and risk | Tie controls to business risk, regulatory needs, policy, exception handling, and evidence | Recommending tools without ownership or operating model |
| Identity and access | Microsoft Entra ID, privileged access, conditional access, external identities, workload identities | Giving every problem a network-only answer |
| Security operations | Detection, incident response, escalation, measurement, and integration across Microsoft Defender and Sentinel-style workflows | Confusing alert volume with detection quality |
| Data and compliance | Classification, protection, retention, DLP, auditing, eDiscovery, and data lifecycle controls | Protecting storage while ignoring sharing, labels, and lifecycle |
| Cloud, hybrid, and AI security | Secure landing zones, posture management, network boundaries, workload controls, AI data boundaries, and monitoring | Treating AI security as only prompt filtering |

| Distinction | How to decide |
|---|---|
| Strategy vs implementation | SC-100 usually asks what architecture or operating model should exist, not which button to click first. |
| Risk control vs product feature | Start with the risk, then pick the Microsoft control that reduces it. |
| Identity control vs network control | Identity proves and governs access; network controls limit paths. Strong designs usually need both. |
| Detection vs response | Detection finds suspicious activity; response contains, investigates, recovers, and measures. |
| Governance vs compliance | Governance defines decision rights and accountability; compliance demonstrates that requirements are met. |
| Data classification vs data protection | Classification names sensitivity; protection enforces encryption, access, DLP, retention, or audit behavior. |
| AI grounding vs AI safety | Grounding controls retrieved context; safety controls input/output behavior and abuse risk. |

When you miss an SC-100 question, label the miss by design layer: identity, data, operations, governance, infrastructure, application, or AI. If you cannot name the layer, you are probably answering at too low a level. Return to mixed practice only after you can explain why the selected control directly reduces the stated risk.