Microsoft SC-900 Cheat Sheet: Security Fundamentals

May 1, 2026

Review Microsoft Security, Compliance, and Identity Fundamentals (SC-900) identity, Zero Trust, Microsoft Entra, Defender, Purview, compliance, and governance traps before using the SC-900 practice page.

On this page

SC-900 is a fundamentals route for Microsoft security, compliance, and identity. Use this cheat sheet to review the product families and core concepts before trying the SC-900 sample questions.

Use this with practice. Review the security fundamentals checklist, then open the SC-900 page for sample questions, current-exam notes, and related IT Mastery practice paths.

Open SC-900 practice page Compare Microsoft security routes

Exam snapshot

Field	Detail
Issuer	Microsoft
Route name	Microsoft Security, Compliance, and Identity Fundamentals
Exam code	SC-900
Product family	Microsoft Security
Status in IT Mastery	Sample questions with Notify me form

Topic map

Area	What to know	Common trap
Identity	Microsoft Entra ID, authentication, authorization, MFA, conditional access, and least privilege	Treating identity as only a username database
Security	Zero Trust, Defender product families, endpoint, cloud, email, identity, and SIEM/SOAR awareness	Choosing a product name before identifying the threat or asset
Compliance	Microsoft Purview, data governance, information protection, retention, and compliance management	Confusing security monitoring with compliance evidence
Governance	Policies, roles, risk, access review, and administrative controls	Giving permanent broad access because the route is fundamentals-level

Must-know distinctions

Distinction	How to decide
Authentication vs authorization	Authentication verifies who the user is; authorization controls what they can access.
MFA vs conditional access	MFA adds verification; conditional access decides when and how access is allowed.
Zero Trust vs perimeter trust	Zero Trust verifies explicitly and assumes breach; perimeter trust relies too much on network location.
Microsoft Entra vs Microsoft Defender	Entra is identity and access; Defender focuses on threat protection and detection.
Microsoft Purview vs Microsoft Sentinel	Purview handles compliance and data governance; Sentinel handles SIEM/SOAR security operations.
Data classification vs retention	Classification labels data; retention governs how long it is kept or disposed.
Least privilege vs just-in-time access	Least privilege limits permission scope; just-in-time limits when elevated permission is active.

High-yield checklist

Start every access question with identity, resource, condition, and least privilege.
Use Zero Trust language: verify explicitly, use least privilege, assume breach.
Match Entra to identity and access scenarios.
Match Defender to threat protection and detection scenarios.
Match Purview to compliance, information protection, retention, and governance scenarios.
Match Sentinel to security operations, incident detection, and response workflow.
Treat MFA and conditional access as related but not identical.
Separate role assignment, policy enforcement, and monitoring.
Remember that fundamentals questions often test product-family recognition.
Avoid product-name memorization without scenario fit.

Common traps

Choosing Microsoft Defender for a pure compliance retention problem.
Choosing Microsoft Purview for real-time security incident response.
Treating MFA as a full replacement for least privilege.
Trusting devices only because they are inside a corporate network.
Giving administrators permanent access instead of controlled privileged access.
Ignoring data classification when the scenario is about sensitive information.

Practice strategy

Use the SC-900 page to tag misses as identity, security, compliance, governance, or product-family recognition. Fundamentals questions usually reward the cleanest match between scenario and Microsoft security family.

Revised on Monday, May 25, 2026