
Microsoft Security, Compliance, and Identity Concepts Explained for SC-900

The SC-900 exam exists because security, compliance, and identity are not just features of Microsoft products: they are disciplines with their own principles, frameworks, and vocabulary. Before the exam asks you about Microsoft Defender or Microsoft Purview, it tests whether you understand concepts like Zero Trust, the shared responsibility model, authentication versus authorization, and what regulatory compliance actually means. Getting these foundations right makes every service-specific question easier because you understand the problem each service is solving.


Security concepts: Zero Trust and defense in depth

Zero Trust is a security model built on a simple assumption: never trust, always verify. Traditional security drew a perimeter around the corporate network and assumed everything inside was safe. Zero Trust treats every access request as if it originates from an untrusted network, whether the user is in the office or working remotely, whether the device is corporate-managed or personal. Three Zero Trust principles guide every decision: verify explicitly (authenticate and authorize using all available data including identity, location, device, service, and workload), use least privilege access (limit user rights to the minimum necessary, use just-in-time and just-enough-access), and assume breach (design systems as if attackers are already inside, minimize blast radius, use end-to-end encryption).

Defense in depth is the strategy of layering multiple security controls so that if one layer fails, another stops the attacker. The seven layers in the Microsoft model are: Physical security (building access), Identity and access (who can authenticate), Perimeter (network-level defenses like firewalls and DDoS protection), Network (internal segmentation and monitoring), Compute (securing VMs and endpoints), Application (security built into code), and Data (encryption of data at rest and in transit). Each layer reduces risk independently.

Confidentiality protects information from unauthorized access. Integrity ensures data has not been tampered with and remains accurate. Availability ensures systems and data are accessible when authorized users need them. Authentication verifies who you are. Authorization determines what you are allowed to do after authentication. Non-repudiation ensures actions cannot be denied: if a signed document is sent, the sender cannot later claim they did not send it.

Compliance concepts and Microsoft identity solutions

Compliance means meeting the requirements of laws, regulations, or standards that apply to your organization. Different industries face different compliance requirements: healthcare organizations must comply with HIPAA, organizations handling EU personal data must comply with GDPR, and companies processing payment card data must comply with PCI-DSS. Microsoft provides compliance certifications for its services (FedRAMP, ISO 27001, SOC 2) and tools to help customers meet their own compliance obligations.

Microsoft Purview Compliance Portal is the centralized hub for managing compliance in Microsoft 365. It provides compliance scores, data classification, insider risk management, audit logs, and eDiscovery tools. The Compliance Manager within Purview provides a compliance score that assesses your environment against specific regulations and tracks improvement actions.

Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud identity service. It provides authentication (verifying users are who they claim to be) and authorization (controlling what authenticated users can access). Key capabilities include Single Sign-On (one login for all connected applications), Multi-Factor Authentication (requiring a second form of verification beyond password), Conditional Access (applying access policies based on conditions like device compliance or location), and B2B and B2C identity for external partners and customers.
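The three ideas above (the Zero Trust principles, the authentication/authorization distinction, and Conditional Access policies driven by signals) are easiest to see as one request flowing through three stages. The following is an added, constructed Python model, not Microsoft code and not how Entra ID is implemented internally: the user store, the salted password hashes, the role table, the trusted location name and the policy rules are all made-up sample data. It shows that the policy is evaluated on every request even from the office (verify explicitly), that roles grant only narrow permissions (least privilege), that a high-risk sign-in is stopped regardless of network (assume breach), and that a user can authenticate successfully yet still be unauthorized for a resource.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# --- Constructed identity store (sample data, not real Entra objects) -------------
# Passwords are stored as salted SHA-256 digests only to keep the sample offline and
# deterministic; a real identity provider uses a slow password hash or passwordless.
_SALT = b"constructed-static-salt"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


USERS = {
    "alice": {"pw": _hash_password("correct horse", _SALT), "roles": {"reader"}},
    "bob": {"pw": _hash_password("battery staple", _SALT), "roles": {"reader", "hr-editor"}},
}

# Least privilege: each role grants only the (resource, action) pairs that job needs.
ROLE_PERMISSIONS = {
    "reader": {("wiki", "read"), ("hr-records", "read")},
    "hr-editor": {("hr-records", "write")},
}

SENSITIVE_APPS = {"hr-records"}
TRUSTED_LOCATIONS = {"office-hq"}  # a named location is a signal, never a reason to skip checks


@dataclass
class Signals:
    """Signals a Conditional Access policy evaluates for one sign-in (constructed)."""
    device_compliant: bool
    location: str        # e.g. "office-hq", "home", "unknown"
    sign_in_risk: str    # "low" | "medium" | "high"
    mfa_completed: bool  # has the user already satisfied an MFA challenge?


def authenticate(username: str, password: str) -> Optional[str]:
    """Authentication answers 'who are you?'. Returns the verified principal or None."""
    record = USERS.get(username)
    if record is None:
        return None
    # Constant-time comparison so a bad password and a bad username look alike to an observer.
    if not hmac.compare_digest(record["pw"], _hash_password(password, _SALT)):
        return None
    return username


def evaluate_conditional_access(app: str, signals: Signals) -> str:
    """Conditional Access is evaluated on EVERY request, inside or outside the office.

    Returns 'block', 'require_mfa' or 'grant'.
    """
    if signals.sign_in_risk == "high":
        return "block"  # assume breach: a high-risk sign-in is stopped even from the corporate LAN
    if app in SENSITIVE_APPS and not signals.device_compliant:
        return "block"  # device posture is a signal in its own right, independent of network
    if signals.location not in TRUSTED_LOCATIONS or signals.sign_in_risk == "medium":
        return "grant" if signals.mfa_completed else "require_mfa"
    return "grant"


def authorize(principal: str, resource: str, action: str) -> bool:
    """Authorization answers 'what may you do?'. Only reached after authentication succeeded."""
    roles = USERS[principal]["roles"]
    return any((resource, action) in ROLE_PERMISSIONS[r] for r in roles)


def request_access(username: str, password: str, signals: Signals,
                   resource: str, action: str) -> dict:
    """Run the three stages in order and report where the request stopped."""
    principal = authenticate(username, password)
    if principal is None:
        return {"stage": "authentication", "outcome": "denied"}
    decision = evaluate_conditional_access(resource, signals)
    if decision != "grant":
        return {"stage": "conditional_access", "outcome": decision}
    if not authorize(principal, resource, action):
        return {"stage": "authorization", "outcome": "denied"}
    return {"stage": "authorization", "outcome": "allowed"}


if __name__ == "__main__":
    office = Signals(device_compliant=True, location="office-hq", sign_in_risk="low", mfa_completed=False)
    home = Signals(device_compliant=True, location="home", sign_in_risk="low", mfa_completed=True)
    print(request_access("alice", "correct horse", office, "wiki", "read"))        # allowed
    print(request_access("alice", "correct horse", home, "hr-records", "write"))   # authorization denied
```

Walking a few requests through `request_access` makes the exam distinctions concrete: a wrong password never reaches the policy stage; the same user on the office network is blocked outright when the sign-in risk is high; a sign-in from home is granted only once MFA is completed; and alice, although fully authenticated, is refused a write to HR records because her only role is `reader`.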

How to choose the correct answer

Zero Trust principles: verify explicitly, use least privilege, assume breach. Applied to every access request regardless of location.

Defense in depth layers: Physical, Identity, Perimeter, Network, Compute, Application, Data. Multiple layers reduce risk.

Authentication: prove who you are (password, MFA). Authorization: determine what you can do. Non-repudiation: cannot deny an action.

Entra ID: cloud identity, SSO, MFA, Conditional Access. Not the same as on-premises Active Directory.

Conditional Access: enforce access policies based on user, device, location, app, and risk. Entra ID feature.

Compliance Manager: compliance score, tracks improvement actions against specific regulations.

GDPR: EU personal data, 72-hour breach notification. HIPAA: US health information. PCI-DSS: payment card data.

Key exam facts — SC-900

  • Zero Trust: never trust, always verify. Three principles: verify explicitly, least privilege, assume breach.
  • Defense in depth: seven layers from physical to data. Layered controls reduce single-point-of-failure risk.
  • CIA triad: Confidentiality, Integrity, Availability. Core security principles.
  • Authentication (who you are) vs. Authorization (what you can do). Distinct steps in access control.
  • Microsoft Entra ID: cloud identity provider. SSO, MFA, Conditional Access, B2B, B2C.
  • Conditional Access: policies that enforce MFA or block access based on signals (location, device, risk).
  • Microsoft Purview: compliance and data governance. Compliance Manager provides compliance score.

Common exam traps

Zero Trust means not trusting external networks but trusting internal corporate networks.

Zero Trust explicitly rejects the idea that any network, internal or external, should be inherently trusted. Traditional perimeter security trusted everything inside the firewall. Zero Trust applies the same scrutiny to an internal request from a corporate workstation as to an external request from a home network: verify explicitly every time, regardless of network location.

Authentication and authorization are different terms for the same process.

Authentication verifies identity: it answers 'who are you?' by checking credentials like passwords or biometrics. Authorization happens after authentication and answers 'what are you allowed to do?' by checking permissions and access rights. A user can successfully authenticate but be unauthorized for a specific resource. They are sequential steps, not synonyms.

Compliance certification means a Microsoft service is automatically compliant with a regulation for all customers.

Microsoft's compliance certifications cover the Microsoft cloud infrastructure and services. Customers are still responsible for how they configure and use those services to meet their own compliance obligations. Microsoft provides a compliant platform; customers must build compliant solutions on top of it. This is the shared responsibility model applied to compliance.
