
Microsoft Security Solutions Explained for SC-900

Microsoft has built a sprawling security product portfolio across endpoints, identities, cloud workloads, and SIEM. The SC-900 exam expects you to understand what each major product does and which security problem it addresses, not how to configure it. Microsoft Defender products protect specific surfaces (endpoints, Office 365, cloud apps). Microsoft Sentinel is the SIEM and SOAR platform. Microsoft Purview handles information protection and data governance. Knowing which product belongs to which category is the core skill the exam tests at the fundamentals level.


Microsoft Defender and endpoint protection

Microsoft Defender for Endpoint is an enterprise endpoint detection and response (EDR) solution. It provides behavior-based threat protection for Windows, macOS, Linux, iOS, and Android devices. It continuously monitors endpoint activity, detects suspicious behaviors, provides forensic investigation tools, and supports automated response actions like isolating a compromised device. The portal gives security teams a unified view of endpoint health and active threats.

Microsoft Defender for Office 365 protects email, collaboration tools (Teams, SharePoint, OneDrive), and Office applications against phishing, malware, and business email compromise. Safe Links rewrites URLs and checks them at click time. Safe Attachments detonates email attachments in a sandbox before delivery. Attack Simulator lets security teams run simulated phishing campaigns to train employees.

Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) for Azure, multi-cloud, and hybrid environments. It evaluates your environment against security benchmarks, identifies misconfigurations, and provides threat detection for virtual machines, containers, databases, and storage. Defender for Cloud Apps (formerly Cloud App Security) is a Cloud Access Security Broker (CASB) that provides visibility and control over sanctioned and unsanctioned SaaS application usage.

Microsoft Sentinel and Purview

Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) platform. It collects log data from across the Microsoft ecosystem (Entra ID, Defender products, Office 365) and from third-party sources, correlates events across sources to detect attacks, and supports automated playbook responses through Azure Logic Apps. Sentinel uses built-in analytics rules, machine learning, and threat intelligence to surface high-fidelity alerts from large volumes of raw log data.

Microsoft Purview covers information protection and data governance. Information Protection classifies and labels sensitive data (using sensitivity labels) and applies protection policies like encryption and access restrictions that travel with the data. Data Loss Prevention (DLP) policies detect and prevent sensitive data from leaving the organization through email, SharePoint, or endpoint upload. The Purview Data Catalog provides a unified view of data assets across the organization for governance and compliance purposes.

Microsoft Entra Permissions Management (formerly CloudKnox) addresses the challenge of excessive permissions in multi-cloud environments. It discovers all permissions granted across AWS, Azure, and GCP, identifies high-risk overpermissioned identities, and enables rightsizing to enforce least privilege at scale across cloud environments.

How to choose the correct answer

Defender for Endpoint: EDR for devices (Windows, Mac, Linux, mobile). Behavioral detection, forensics, automated response.

Defender for Office 365: email and collaboration security. Safe Links, Safe Attachments, anti-phishing.

Defender for Cloud: CSPM and CWPP. Security posture management and threat detection for cloud workloads.

Sentinel: cloud SIEM and SOAR. Log collection, threat detection, automated playbook responses.

Purview Information Protection: classify, label, and protect sensitive data wherever it travels.

Purview DLP: detect and prevent sensitive data exfiltration through email, SharePoint, endpoints.

Defender for Cloud Apps: CASB. Shadow IT discovery, SaaS app visibility, session controls.

Key exam facts — SC-900

  • Defender for Endpoint: EDR for devices. Behavioral detection, isolation, investigation timeline.
  • Defender for Office 365: Safe Links (URL checking), Safe Attachments (sandbox detonation), anti-phishing.
  • Defender for Cloud: CSPM (posture scoring) and CWPP (workload threat detection). Azure and multi-cloud.
  • Microsoft Sentinel: cloud-native SIEM and SOAR. Collects logs, correlates threats, automates responses via playbooks.
  • Sensitivity labels: classify and protect data. Encryption and access controls follow the label wherever the document goes.
  • DLP policies: detect sensitive data patterns (credit card numbers, SSNs) and prevent sharing or exfiltration.
  • CASB (Defender for Cloud Apps): visibility into SaaS app usage, shadow IT discovery, session controls.
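
The DLP bullet above, like the Purview paragraph earlier, says policies detect "sensitive data patterns (credit card numbers, SSNs)". The following Python block is an added illustration of how such a detector works, not Purview's own engine: a regex finds candidate numbers, a validator (the Luhn checksum for cards, structural rules for SSNs) rejects look-alikes so the policy does not block on every 16-digit ticket reference, and a policy function turns the findings into an allow or block decision with the matched values masked. The sample message and all numbers in it are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample message (fake numbers, not real data) that a DLP policy would scan.
SAMPLE_EMAIL = (
    "Hi, please charge card 4111 1111 1111 1111 for the invoice. "
    "Ticket ref 4111111111111112 (not a card). "
    "New hire SSN 123-45-6789; the form with 666-45-6789 was a typo. "
    "Call 555-123-4567 with questions."
)

# 13 to 19 digits, optionally separated by single spaces or dashes, not inside a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in the canonical AAA-GG-SSSS form.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


@dataclass
class Finding:
    kind: str    # "credit_card" or "ssn"
    masked: str  # value with everything but the last four digits hidden


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit (subtract 9 if > 9); total must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject structurally impossible SSNs: area 000, 666 or 900-999; group 00; serial 0000."""
    return area not in ("000", "666") and int(area) < 900 and group != "00" and serial != "0000"


def find_sensitive(text: str) -> list:
    """Return validated card numbers and SSNs found in text, masked for safe logging."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):  # a 16-digit string that fails Luhn is treated as noise, not a card
            findings.append(Finding("credit_card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", "***-**-" + m.group(3)))
    return findings


def evaluate_policy(text: str, block_threshold: int = 1):
    """Policy decision: block the message once at least block_threshold validated findings are present."""
    findings = find_sensitive(text)
    action = "block" if len(findings) >= block_threshold else "allow"
    return action, findings


if __name__ == "__main__":
    action, findings = evaluate_policy(SAMPLE_EMAIL)
    print(action)
    for f in findings:
        print(f.kind, f.masked)
```

Running it blocks the sample message on one card and one SSN; the Luhn-invalid ticket reference, the SSN with area 666 and the phone number are all ignored. Real DLP policies add confidence levels, keyword proximity (for example "card" near the number) and per-location actions, but the pattern-plus-validator shape is the same.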

Common exam traps

Microsoft Sentinel and Microsoft Defender are the same product.

Defender products are endpoint, email, cloud, and identity protection tools that generate security alerts. Sentinel is the SIEM that collects those alerts from Defender and many other sources, correlates them, and enables centralized investigation and automated response. Defender products feed data into Sentinel. Sentinel is not a protection product itself.
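
The Sentinel paragraph earlier describes collecting logs from Entra ID and Defender products, correlating events across sources and triggering playbooks, and the trap above makes the point that Defender feeds alerts into Sentinel rather than being the SIEM itself. The Python block below is an added, simplified model of that pipeline, not Sentinel's own rule engine (real Sentinel analytics rules are written in KQL and playbooks run in Logic Apps): events from two constructed connectors are normalized into one schema, a correlation rule fires when a risky Entra sign-in is followed within a time window by an endpoint alert for the same user, and a playbook function returns the response actions the incident would trigger. All event data, user names, IPs and device names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events standing in for two Sentinel data connectors
# (Entra ID sign-in logs and Defender for Endpoint alerts). Not real telemetry.
ENTRA_SIGNINS = [
    {"time": "2024-05-01T08:02:10Z", "user": "alice@example.com", "ip": "198.51.100.7", "risk": "high"},
    {"time": "2024-05-01T08:40:00Z", "user": "bob@example.com", "ip": "203.0.113.5", "risk": "none"},
]
DEFENDER_ALERTS = [
    {"time": "2024-05-01T08:15:42Z", "user": "alice@example.com", "device": "LAPTOP-01",
     "title": "Suspicious PowerShell execution"},
    {"time": "2024-05-01T13:00:00Z", "user": "bob@example.com", "device": "LAPTOP-02",
     "title": "Suspicious PowerShell execution"},
]


@dataclass
class Event:
    time: datetime
    user: str
    source: str      # which product produced the event
    detail: str
    risky: bool
    device: str = ""  # only endpoint alerts carry a device


@dataclass
class Incident:
    user: str
    events: list
    severity: str
    actions: list


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(signins, alerts) -> list:
    """Map both connector formats onto the common Event schema and order by time."""
    events = []
    for s in signins:
        events.append(Event(parse_time(s["time"]), s["user"], "EntraID",
                            f"sign-in from {s['ip']} (risk={s['risk']})",
                            risky=s["risk"] in ("medium", "high")))
    for a in alerts:
        events.append(Event(parse_time(a["time"]), a["user"], "DefenderForEndpoint",
                            f"{a['title']} on {a['device']}", risky=True, device=a["device"]))
    return sorted(events, key=lambda e: e.time)


def playbook(incident: Incident) -> list:
    """Response actions for an incident: revoke the user's sessions, isolate any device involved."""
    actions = ["revoke_sessions"]
    for e in incident.events:
        if e.device:
            actions.append(f"isolate_device:{e.device}")
    return actions


def correlate(events: list, window: timedelta = timedelta(minutes=30)) -> list:
    """Analytics rule: risky sign-in followed within `window` by an endpoint alert for the same user."""
    by_user = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    incidents = []
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            if first.source != "EntraID" or not first.risky:
                continue
            later = [e for e in evs[i + 1:]
                     if e.source == "DefenderForEndpoint" and e.time - first.time <= window]
            if later:
                inc = Incident(user, [first] + later, "high", [])
                inc.actions = playbook(inc)
                incidents.append(inc)
    return incidents


if __name__ == "__main__":
    for inc in correlate(normalize(ENTRA_SIGNINS, DEFENDER_ALERTS)):
        print(inc.user, inc.severity, inc.actions)
        for e in inc.events:
            print("  ", e.time.isoformat(), e.source, e.detail)
```

Only one incident is raised: Alice's high-risk sign-in at 08:02 and the endpoint alert at 08:15 fall inside the 30-minute window, while Bob's sign-in carried no risk and his alert came hours later. Neither source alone would have produced that high-severity finding, which is the value a SIEM adds on top of the individual Defender products.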

Microsoft Purview only covers data governance for databases.

Microsoft Purview covers a broad range of data and compliance capabilities: sensitivity labels that protect Office documents and emails, DLP policies that prevent data exfiltration, a unified data catalog for discovering data assets across cloud and on-premises sources, Compliance Manager for regulatory assessments, and eDiscovery for legal investigations. It applies to files, emails, databases, and cloud storage.

Defender for Cloud only works with Azure resources.

Defender for Cloud extends to multi-cloud and hybrid environments. It can protect AWS and Google Cloud workloads alongside Azure resources, and supports on-premises servers through Azure Arc. It provides unified security posture management and threat detection across heterogeneous environments, not just Azure.
