Microsoft Security Fundamentals Certification

A new foundation level qualification is being added to the Microsoft certification stable with the inclusion of Security, Compliance, and Identity Fundamentals.


The cert is based on a single exam - SC-900 - currently in beta. The exam covers a number of topics across the Microsoft Cloud ecosystem and, as with the other Fundamentals certifications is aimed at IT Professionals getting started in the subject, or those wanting an overall understanding to support their role without planning to dive deeper in the future.

Note- this article is based on the beta specification so is subject to change.

The syllabus for the exam is divided into four headings. The first “Describe the Concepts of Security, Compliance, and Identity” is worth 5-10% of the marks (and remember, this exam is currently in beta so this may change). This section covers general security principles, concepts such as Zero-Trust, Defense-in-Depth, and Encryption. Based on the document, these don’t look to be Microsoft Specific.

The second heading is “Describe the capabilities of Microsoft Identity and Access Management Solutions” and accounts for a quarter to a third of the marks. This section is all about Azure Active Directory and anyone taking the exam is expected to describe many of the features of that identity service.

It’s worth highlighting here that the language used is along the lines of describe what Azure Active Directory is whereas the more advanced “Identity and Access Administrator Associate” qualification (also currently in beta) uses terms such as configure and manage Azure AD… or implement and manage Azure Active Directory…. These fundamentals qualifications are looking for an understanding of what the technology is, not how to administer it.

The third section is “Describe the capabilities of Microsoft Security Solutions”, the largest of the four with a weighting of 30-35% of the marks. Here the candidate is expected to describe the security offerings in the Azure infrastructure world (think Network Security Groups, Azure Firewall, Bastion, Sentinel, and so on), the 365 world (such as 365 Defender, the former ATP range, etc.) and finally Intune.

Rounding off the syllabus, with 25-30% of the content is “Describe the Capabilities of Microsoft Compliance Solutions”. This final section focuses on compliance technologies such as Data Loss Prevention (DLP), Retention Policies, eDiscovery, and the auditing capabilities of Microsoft365. Also included (and I feel this might sit better with the other Azure infrastructure topics) is the Azure Policy, Blueprints, and resource locks.

I think this looks like a good addition to the Fundamentals suite of Microsoft qualifications and it definitely provides direction and potential certification for anyone either entering the Microsoft security world directly, or working alongside/ managing those who are.

Full details can be found here: