Back to blog
Certification Deep Dives9 min read

Microsoft SC-900 Explained: Domains, Cost and Is It Worth It in 2026?

A complete breakdown of the Microsoft SC-900 exam in 2026: the four domains and their weights, exam cost, format, the new Security Copilot content, and an honest verdict on whether the Security, Compliance and Identity Fundamentals cert is worth your time.

C

CertCrush Team

27 June 2026

If you are weighing up the Microsoft SC-900 in 2026, the question is simple: is the Security, Compliance and Identity Fundamentals certification actually worth the time and the exam fee, or is it just a badge that looks nice on LinkedIn? This guide answers that directly, then breaks down the four exam domains, the cost, the format, and the new content you need to know about before you book.

The short version: for the right person, SC-900 is one of the best-value certifications in the entire Microsoft catalogue. It is cheap, it is achievable in a couple of weeks, and it sits at the front door of a security career path that leads straight to higher-paid role-based certs. For the wrong person, it is a credential that will not move the needle on its own. The trick is knowing which one you are. Let us work through it.

What Is the Microsoft SC-900 Certification?

SC-900 is the exam that earns you the Microsoft Certified: Security, Compliance, and Identity Fundamentals certification. It is a fundamentals-level credential, which means it is designed to prove you understand the concepts and the Microsoft tooling, not that you can configure everything hands-on.

It is aimed at a broad audience. You do not need to be a security engineer to sit it. The exam is built for:

  • Career changers stepping into IT or cybersecurity for the first time
  • Business stakeholders, sales and compliance staff who work alongside security teams
  • IT generalists and help desk staff who want to formalise their security knowledge
  • Students and graduates building a certification roadmap from the ground up

Crucially, SC-900 is vendor-specific. It teaches security, compliance and identity concepts through the lens of Microsoft Entra, Microsoft Defender, Microsoft Sentinel and Microsoft Purview. If your target employer runs on Microsoft 365 and Azure (and a huge proportion do), that focus is a feature, not a limitation.

Exam Tip: SC-900 has no prerequisites. You can sit it as your very first certification, with no prior IT experience required. That makes it one of the most accessible entry points into the security field.

SC-900 Exam Domains and Weights (2026)

The SC-900 exam is split into four domains. The weightings matter, because they tell you exactly where to spend your study hours. Here is the current breakdown.

DomainWeightWhat it covers
Describe the concepts of security, compliance and identity10 to 15%Core security principles, the shared responsibility model, zero trust, encryption, and identity concepts
Describe the capabilities of Microsoft Entra25 to 30%Identity and access management, authentication, single sign-on, conditional access, and identity protection
Describe the capabilities of Microsoft security solutions35 to 40%Microsoft Defender XDR, Microsoft Sentinel (SIEM and SOAR), the Defender product family, and Security Copilot
Describe the capabilities of Microsoft compliance solutions15 to 20%Microsoft Purview, data classification, information protection, insider risk, and compliance management

Where to focus your effort

The maths is not subtle. The Microsoft security solutions domain is the heaviest at 35 to 40% of the exam, and Microsoft Entra is second at 25 to 30%. Together those two domains make up roughly two thirds of your questions. If you are short on study time, that is where it goes.

The concepts domain is the lightest at 10 to 15%, but do not skip it. It is the easiest set of marks on the paper because it is pure theory: zero trust, the shared responsibility model, defence in depth, and the difference between authentication and authorisation. Learn those cold and you bank free points.

The New Security Copilot Content You Need to Know

Here is the part that catches people who study from older material. Recent versions of SC-900 now include Microsoft Security Copilot, the AI-powered security operations assistant. You are expected to describe what it does, including how it supports incident investigation and threat intelligence inside the Microsoft security stack.

This is part of a wider trend. Microsoft has been folding AI capability into its security exams across the board, and SC-900 is no exception. Expect questions on the role Copilot plays alongside Defender XDR and Sentinel, rather than deep technical configuration.

Exam Tip: The English language version of SC-900 is scheduled to update on 28 July 2026. Always check the official skills measured document on Microsoft Learn before you book, and confirm whether you will sit the current or the updated objectives based on your exam date.

One more terminology trap worth flagging: Azure Active Directory is now Microsoft Entra ID. Older study guides and practice questions still say Azure AD. The exam uses the current Entra naming, so train your brain on the new terms from day one.

SC-900 Exam Cost and Format

SC-900 is a fundamentals exam, which means it sits in Microsoft's cheapest pricing tier. Here is what to expect on exam day.

  • Cost: Around 99 USD (roughly 69 GBP in the UK), though the exact fee varies by country and local taxes
  • Questions: Typically 40 to 60 questions
  • Question types: Multiple choice, multiple response, and drag-and-drop style items
  • Duration: You get around 45 to 60 minutes of testing time within a roughly 60-minute appointment
  • Passing score: 700 on a scale of 100 to 1000
  • Delivery: Online with a proctor from home, or at a Pearson VUE test centre
  • Languages: Available in a wide range of languages including English, Spanish, Japanese, Chinese and more

Exam Tip: The 700 passing mark is scaled, not a simple percentage. You do not necessarily need to answer 70% of questions correctly, because questions are weighted. Aim comfortably above the line in practice tests rather than scraping 70%.

Does SC-900 expire?

This is a genuine perk. Microsoft fundamentals certifications, including SC-900, do not expire. Unlike the role-based associate and expert certifications that require annual renewal, once you pass SC-900 it is yours for good. No renewal fees, no recurring assessments. That alone improves the return on a 99 USD outlay.

Is SC-900 Worth It in 2026? An Honest Verdict

Now the question you came for. The honest answer is that it depends entirely on who you are and what you expect from it.

When SC-900 is absolutely worth it

  • You are new to IT or security. SC-900 gives you a structured, vendor-backed vocabulary for talking about security. That confidence pays off in interviews and on the job.
  • You work in a Microsoft 365 or Azure shop. The content maps directly to tools your organisation already uses, so it is immediately practical.
  • You are building a roadmap. SC-900 is the natural first rung. It feeds cleanly into role-based certs like SC-200 (security operations) and SC-300 (identity and access).
  • You want a quick, cheap win. For around 99 USD and one to three weeks of study, you get a permanent, recognised credential. The cost-to-value ratio is hard to beat.

When SC-900 alone is not enough

  • You are targeting a mid-level security role. SC-900 proves awareness, not hands-on skill. Recruiters for analyst and engineer roles will want to see role-based certs and practical experience on top.
  • You already have solid security knowledge. If you can comfortably explain zero trust, SIEM, and conditional access today, SC-900 may be too basic to add much. Consider going straight to a role-based exam.

The verdict: SC-900 is worth it as a foundation, not as a finish line. Treat it as the first cert in a sequence, not the cert that lands you the job on its own. Used that way, it is one of the smartest 99 USD you will spend on your career.

How Does SC-900 Compare to AZ-900 and MS-900?

SC-900 is one of several Microsoft fundamentals exams, and beginners often ask which to take first. Here is how they line up.

ExamFocusBest for
SC-900Security, compliance and identityAnyone heading towards a security or compliance role
AZ-900Azure cloud fundamentalsAnyone working with Azure infrastructure or cloud generally
MS-900Microsoft 365 fundamentalsAnyone supporting or selling Microsoft 365 services

If security is your destination, start with SC-900. If you are unsure and want the broadest possible base, AZ-900 is the most general-purpose of the three and pairs well with SC-900 afterwards. Many candidates use a free exam voucher (for example from a Microsoft skilling event) on one of these fundamentals exams and self-fund the second.

For a deeper look at the security-specific path beyond fundamentals, see our guide on how to pass SC-100 and our breakdown of the wider Microsoft security certification choices.

How to Pass SC-900: A Realistic Study Plan

Most candidates pass SC-900 with one to three weeks of focused study, totalling around 30 to 45 hours. Here is a no-nonsense approach.

  1. Week one: learn the concepts. Work through the official Microsoft Learn learning path for SC-900. It is free and it covers every objective in the blueprint. Take notes on the Entra and security solutions sections especially.
  2. Week two: reinforce and visualise. Supplement the reading with video walkthroughs to see the tools in action. Pay attention to how Defender XDR, Sentinel and Security Copilot fit together.
  3. Final days: test under exam conditions. Run timed practice questions until you are consistently scoring well above the 700 line. Practice tests do two jobs: they expose your weak domains, and they get you used to Microsoft's question phrasing.

Exam Tip: Microsoft's questions love to test the difference between similar products. Be able to state in one sentence what Sentinel does versus Defender XDR versus Purview. Mixing those up is the most common way candidates lose easy marks.

The single biggest predictor of passing is doing enough realistic practice questions before exam day. Reading alone builds recognition; practising builds recall, which is what the exam actually measures.

Ready to Start Practising?

SC-900 is achievable, affordable and permanent, and it opens the door to the entire Microsoft security path. The fastest way to pass is to pair the free Microsoft Learn content with focused, exam-style practice so nothing on exam day surprises you.

CertCrush gives you realistic practice questions with detailed explanations for SC-900 and the role-based certs it leads to, so you can study your weak domains, track your progress, and walk in confident.

Create your free CertCrush account and start practising today, or browse our full range of certification courses to map out your next steps after SC-900.

SC-900Microsoft certificationsecurity fundamentalsMicrosoft Entraentry-level cybersecuritycloud securityexam guide

Ready to start practising?

CertCrush gives you realistic exam simulations, domain tracking, and study guides — all in one place.

Create Free Account More Articles

More in Certification Deep Dives

CompTIA Security+ SY0-801 vs SY0-701: What's Changing in 2026 (And Should You Wait?)

CompTIA Security+ SY0-801 is due in late 2026 with dedicated AI and LLM content. Here is exactly what changes from SY0-701, who should sit which version, and whether it is worth waiting for the new exam.

Read

CompTIA SecurityX (CAS-005) Explained: Domains, Cost and Is It Worth It in 2026?

CompTIA SecurityX (CAS-005) is the new name for CASP+, and it is now CompTIA's expert level security certification. Here is a full breakdown of the four domains, the real exam cost, the difficulty, how it compares to CISSP, and whether it is worth it in 2026.

Read

AI-102 vs AI-103: Which Azure AI Certification Should You Take in 2026?

AI-102 retires on 30 June 2026 and AI-103 is its successor. Here is a clear, side-by-side comparison of the two Azure AI certifications, plus a straight answer on which one you should take this year.

Read