Microsoft Security Certifications: SC-900, SC-200, SC-300 and SC-400

  • Microsoft
  • Security
  • Certification
  • Published by: MARIA FORSBERG on Mar 15, 2021
Group classes

Microsoft cloud security certification refers to role-based paths for learning and validating security skills across Microsoft 365, Azure, identity, compliance and operations. Earlier broad credentials such as Microsoft 365 Security Administrator Associate and Microsoft Azure Security Engineer Associate asked candidates to cover endpoint, network and cloud security topics in one path. That model suited administrators who needed wide platform coverage, but it made it harder for beginners, managers, SOC analysts, identity specialists and compliance teams to find a focused route through Microsoft security.

The newer Microsoft security, compliance and identity tracks split that broad subject area into four clearer exam paths: SC-900 for fundamentals, SC-200 for security operations, SC-300 for identity and access, and SC-400 for information protection. The main change is not simply that there are more exams; the change is that each path now maps more closely to a real responsibility area inside a Microsoft cloud environment.

Published: 28 June 2026
Last updated: 28 June 2026
Change note: Microsoft updates exam skills measured from time to time. Before booking an exam, candidates should compare the latest Microsoft Learn exam page with their study plan, especially where product names, portal experiences or weighting have changed.

At a glance, SC-900 is the entry point for understanding Microsoft security, compliance and identity concepts; SC-200 is the operational route for detection, investigation and response; SC-300 is the identity route for Microsoft Entra ID, Conditional Access and privileged access; and SC-400 is the compliance and data protection route for Microsoft Purview, sensitivity labels, DLP and records. Readers who already know their job responsibility can usually choose quickly, while those moving into security often benefit from sequencing the tracks rather than treating them as four unrelated options.

What changed from the older Microsoft security tracks

The earlier model placed a heavy burden on broad administrator exams. MS-500 covered areas such as compliance, eDiscovery, data loss prevention, endpoint management, Defender technologies, Conditional Access and Microsoft 365 security administration. AZ-500, meanwhile, covered Azure security engineering topics such as network security, VPNs, Azure Firewall, Azure Bastion, container security, database security, identity and security controls across Azure.

Those areas remain important. The issue was depth and role fit. A Microsoft 365 administrator, an Azure infrastructure engineer, a SOC analyst and a compliance officer may all touch security, but they do not usually perform the same daily work. The newer SC tracks recognise that difference by separating introductory knowledge, security operations, identity administration and information protection into distinct paths.

This matters for team planning. A manager responsible for a mixed Microsoft environment may still need people with AZ-500 or Microsoft 365 security knowledge, but the SC tracks make it easier to assign learning to operational duties. A SOC analyst needs incident queues, Sentinel analytics and KQL practice. An identity administrator needs Conditional Access, Microsoft Entra ID governance and Privileged Identity Management. A compliance lead needs Purview data classification, retention and DLP design rather than a general survey of every security product.

Current Microsoft security terminology to know

One source of confusion is that Microsoft product names have changed while older training notes, blog posts and internal runbooks may still use legacy names. Azure Active Directory is now Microsoft Entra ID. Azure Security Center became Microsoft Defender for Cloud. Microsoft Cloud App Security is now Microsoft Defender for Cloud Apps. Azure ATP became Microsoft Defender for Identity. Endpoint Manager is now largely referred to through Microsoft Intune. Microsoft Purview is the umbrella for many compliance, information protection, data governance and risk capabilities.

These name changes are more than cosmetic when preparing for SC exams. SC-300 candidates should think in terms of Microsoft Entra ID and Entra governance features rather than older Azure AD wording. SC-200 candidates need to understand Microsoft Defender XDR, Microsoft Sentinel, Defender for Cloud, Defender for Endpoint, Defender for Identity and Defender for Cloud Apps as connected detection sources. SC-400 candidates should treat Microsoft Purview as the centre of the compliance story, including sensitivity labels, DLP, retention, records management, eDiscovery and insider risk features.

For exam preparation, the safest habit is to map old names to current product families before building a study plan. It prevents wasted time in outdated portals and helps candidates understand why a feature may appear under a different admin centre than expected. It also reflects how Microsoft security work happens in production, where older tenant configurations and newer portal experiences often coexist.

TrackMain responsibility areaTypical platform focusGood fit for
SC-900Foundation knowledgeMicrosoft security, compliance and identity conceptsBeginners, managers, sales engineers, administrators crossing into security
SC-200Security operationsMicrosoft Sentinel and Microsoft Defender XDRSOC analysts, incident responders, security operations engineers
SC-300Identity and accessMicrosoft Entra ID, Conditional Access, PIM and hybrid identityIdentity administrators, Microsoft 365 administrators, access governance owners
SC-400Information protectionMicrosoft Purview, labels, DLP, retention and recordsCompliance administrators, information protection specialists, auditors

SC-900: Microsoft Security, Compliance and Identity Fundamentals

SC-900 Microsoft Security, Compliance and Identity Fundamentals is the broadest of the four SC tracks. It is designed for readers who need to understand the language of Microsoft security before going deeper into operations, identity or compliance. It is also useful for technical managers and commercial roles that need to discuss Microsoft security capabilities accurately without administering every feature.

The value of SC-900 is orientation. It introduces identity concepts, Microsoft Entra ID, access control, security principles, Microsoft Defender capabilities, Microsoft Purview concepts and compliance fundamentals. A Microsoft 365 administrator who has never worked deeply with Azure security can use it to understand the wider ecosystem. An Azure administrator who has not worked with DLP, eDiscovery or information protection can use it to see how Microsoft 365 security and compliance fit into the same operating model.

SC-900 is usually the right first step when the candidate cannot yet explain how identity, threat protection and compliance relate to one another. It is less suitable as the only credential for someone expected to run incidents, design identity governance or implement DLP. In those cases, it works better as a foundation before SC-200, SC-300 or SC-400.

Readers who decide this foundation route fits their role can review the SC-900 training and certification track for course structure and delivery details.

SC-200: Microsoft Security Operations Analyst

SC-200 Microsoft Security Operations Analyst is aimed at people who detect, investigate, respond to and remediate threats using Microsoft security tools. It is the track most closely aligned with SOC work, incident response and hands-on operational security in Microsoft cloud environments.

The practical core of SC-200 is Microsoft Sentinel and Microsoft Defender XDR. Candidates should expect to work with incident queues, alerts, analytics rules, hunting queries, automation and data connectors. The track is also connected to Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps and identity-related threat signals from Microsoft Entra ID.

A common preparation mistake is to rely too heavily on portal walkthroughs while under-practising Kusto Query Language. KQL is not merely an exam topic; it is how analysts ask better questions of security data. A candidate who can click through incidents but cannot shape a query, filter noisy results or correlate signals across tables will struggle to work confidently in Sentinel.

SC-200 also has an implementation side that is easy to underestimate. Sentinel data connector choices affect coverage, retention and cost. Multi-cloud and on-premises signals can matter as much as Azure logs in a real investigation. Automation rules and playbooks can reduce manual effort, but they also need careful design so that response actions do not create new operational risk. These considerations influence what candidates should practise first: start with the data sources and incidents closest to the organisation’s real threats, then expand into hunting and automation.

Security professionals preparing for this route can use the SC-200 course to focus on Sentinel, Microsoft Defender technologies, threat hunting and incident response workflows.

SC-300: Microsoft Identity and Access Administrator

SC-300 Microsoft Identity and Access Administrator focuses on securing identities, access and applications in cloud and hybrid Microsoft environments. It is the natural route for administrators responsible for Microsoft Entra ID, Conditional Access, MFA, Privileged Identity Management, access reviews, enterprise applications and hybrid identity integration.

Identity is often the foundation for effective Microsoft security. Sentinel investigations, Defender alerts and Purview controls all become more useful when identities are well governed and risky access patterns are understood. For that reason, many administrators moving into security benefit from SC-900 followed by SC-300 before attempting SC-200. The sequence gives them a stronger grasp of Conditional Access, privileged access and identity risk before they start interpreting identity-related alerts in a SOC context.

The depth in SC-300 is in design and operational judgement. Candidates need to understand how access policies affect real users, how privileged roles should be activated and reviewed, how external collaboration should be controlled, and how hybrid identity is synchronised. Older terminology such as Azure AD Connect still appears in many environments, but the current identity platform language is Microsoft Entra ID and Microsoft Entra Connect Sync.

Preparation should include more than creating users and groups. Conditional Access policies need testing against realistic scenarios, including break-glass accounts, guest users, device compliance and workload-specific exceptions. Privileged Identity Management requires attention to role activation, approval, justification and audit trails. Skipping this depth is one of the fastest ways to pass through the syllabus without being ready for production identity work.

Administrators who own access governance or hybrid identity can review the SC-300 training path for a more structured route through Microsoft Entra ID, Conditional Access and PIM topics.

SC-400: Microsoft Information Protection Administrator

SC-400 Microsoft Information Protection Administrator is the specialist route for protecting organisational data in Microsoft 365. It focuses on Microsoft Purview capabilities such as sensitivity labels, sensitive information types, data loss prevention, retention labels, records management, eDiscovery and trainable classifiers.

This track suits compliance administrators, information protection specialists, Microsoft 365 auditors and security administrators who are responsible for how data is classified, retained, protected and discovered. It is also relevant to organisations that need stronger controls around regulated information, insider risk, collaboration data or long-term records.

SC-400 can be frustrating to study without the right environment. Some Purview features require specific licensing, seeded data, configured locations or enough realistic content for classifiers and policies to behave meaningfully. A tenant with no representative documents, no realistic sensitive information and no test users will make DLP and trainable classifier practice feel abstract. Candidates should plan a sandbox or trial environment carefully, then create sample documents, labels, policies and user activity that reflect the scenarios they need to learn.

The most useful SC-400 practice connects policy design with user impact. A sensitivity label is not just a label in an admin centre; it affects encryption, sharing, marking and downstream access. A DLP policy is not just a rule; it can interrupt business workflows if conditions and exceptions are poorly designed. Retention and records management require clear ownership because deleting, preserving or declaring information has legal and operational consequences.

Teams focused on governance and data protection may choose SC-900 followed by SC-400, especially where the main responsibility is Purview rather than SOC operations. Readers who need structured preparation for this route can review the SC-400 course.

How to choose the right Microsoft security track

The simplest decision framework is to start with responsibility rather than exam difficulty. Someone who needs a vocabulary and platform overview should start with SC-900. Someone who responds to alerts and investigates incidents should look at SC-200. Someone who owns authentication, authorisation and privileged access should choose SC-300. Someone who owns data classification, DLP, retention or records should choose SC-400.

Real roles are rarely that tidy, so the better question is what the person is accountable for when something goes wrong. If the issue is a compromised account, Conditional Access gap or uncontrolled privileged role, SC-300 is the closer match. If the issue is an incident queue, suspicious endpoint behaviour or Sentinel correlation rule, SC-200 is more relevant. If the issue is sensitive data leaving the organisation, unclear retention or poor classification, SC-400 is the better fit.

ScenarioRecommended routeReasoning
A Microsoft 365 administrator is moving into security and has limited exposure to Azure security tools.SC-900, then SC-300 or SC-200 depending on dutiesThe foundation helps connect identity, threat protection and compliance before specialising.
A SOC analyst will investigate Microsoft Defender alerts and build Sentinel detections.SC-200, with extra KQL practiceThe role depends on incidents, hunting, analytics rules, connectors and automation.
A compliance lead must implement labels, DLP and retention across Microsoft 365.SC-900, then SC-400The work is centred on Microsoft Purview and data governance rather than incident response.
An identity administrator owns MFA, Conditional Access, access reviews and privileged roles.SC-300The role maps directly to Microsoft Entra ID governance and access control.

Hiring signals also vary by organisation size. Smaller teams often value combined skill stacks because one person may own identity policy, incident triage and compliance configuration. In that setting, SC-300 plus SC-200 can be a useful combination because identity signals are central to many investigations. Larger organisations often separate SOC, identity and governance functions, so a deeper single-track credential may be more relevant than a broad collection of badges.

Managers planning team development should therefore align certification choices with on-call duties, change ownership and escalation paths. A person who can configure Conditional Access but has no authority to change access policy may not need the same path as the identity owner. A compliance administrator who designs labels and retention policies needs different practice from an analyst who only responds to Purview alerts surfaced through a SOC queue.

Hands-on study considerations before booking an exam

The four SC tracks are easier to understand when candidates practise in a tenant rather than reading feature descriptions in isolation. Microsoft Learn should be used to confirm the latest exam objectives, but practical study should include portal configuration, realistic policy testing and review of logs, alerts or policy outcomes. The point is to connect the exam objective to the operational task it represents.

Licensing is the main practical obstacle. Features such as Purview DLP, trainable classifiers, Defender for Identity, advanced identity governance, Microsoft Sentinel connectors and some Defender capabilities may require specific licences, trial tenants or configured subscriptions. Candidates should check prerequisites before setting aside lab time, because a missing licence can make an otherwise good study plan unworkable.

There is also a sequencing issue. Identity foundations often come before effective security operations because many incidents are identity-led. A candidate who understands Conditional Access, PIM, access reviews and risky sign-ins will usually interpret Microsoft Defender and Sentinel alerts more effectively. By contrast, a governance-focused candidate may not need SC-200 first if the immediate responsibility is Purview labelling, DLP and records management.

When structured training is useful, Readynez can provide instructor-led preparation and labs around the relevant SC track, but the choice of course should follow the responsibility analysis rather than the other way around. The practical goal is to leave with enough context to configure, test and explain the controls in a real tenant, not simply recognise product names.

Where MS-500 and AZ-500 still fit

The newer SC tracks do not make earlier Microsoft security knowledge irrelevant. MS-500 and AZ-500 represented broad administrative and engineering views of Microsoft security, and many of their topics still appear in modern security work. Microsoft Learn remains the right source for current exam availability, retirement status and replacement guidance because certification pages can change.

AZ-500 remains closely associated with Azure security engineering topics such as network controls, platform protection, workload security and Azure-native security services. MS-500 historically sat closer to Microsoft 365 security administration, including identity, compliance and threat protection features across the Microsoft 365 environment. The SC tracks narrow the lens: they make it easier to go deeper into operations, identity or compliance without forcing every candidate through the same broad route.

In practice, many professionals mix these areas. An Azure security engineer may add SC-200 to strengthen Sentinel and detection skills. A Microsoft 365 administrator may add SC-300 for identity governance or SC-400 for Purview. A technical manager may start with SC-900 to understand the vocabulary before deciding whether the team’s biggest gap is operations, identity or data protection.

Choosing a path that matches the work

The Microsoft SC tracks are most useful when treated as role maps. SC-900 explains the foundation, SC-200 builds security operations capability, SC-300 develops identity and access administration, and SC-400 focuses on information protection and compliance. The right path is the one that matches the systems, decisions and incidents the candidate is expected to handle.

A practical next step is to write down the responsibilities attached to the role, then compare them with the four tracks. If the responsibilities are still broad, start with SC-900. If they point clearly to incidents, access or data governance, choose SC-200, SC-300 or SC-400 accordingly. Readers who want guided preparation can use the relevant Readynez course page for SC-900, SC-200, SC-300 or SC-400 once the track decision is clear.

Related resources

A group of people discussing the latest Microsoft Azure news

Unlimited Microsoft Training

Get Unlimited access to ALL the LIVE Instructor-led Microsoft courses you want - all for the price of less than one course. 

  • 60+ LIVE Instructor-led courses
  • Money-back Guarantee
  • Access to 50+ seasoned instructors
  • Trained 50,000+ IT Pro's

Basket

{{item.CourseTitle}}

Price: {{item.ItemPriceExVatFormatted}} {{item.Currency}}