SC-900 vs SC-200: Which Microsoft Security Cert First?
Q&A Published 9 Jul 2026

SC-900 vs SC-200: Which Microsoft Security Cert First?

Compare SC-900 and SC-200 to decide which Microsoft security certification fits your experience level and career goals.

Microsoft's security certification track has a clear on-ramp problem: two exams sound similar but serve very different audiences. Here's how to decide between SC-900 and SC-200 without wasting study time on the wrong one.

What SC-900 Actually Tests

SC-900 (Microsoft Security, Compliance, and Identity Fundamentals) is a foundational, vendor-concept exam. It covers:

  • Core security, compliance, and identity concepts (zero trust, shared responsibility model, encryption basics)
  • Microsoft Entra ID (formerly Azure AD) capabilities: authentication, access management, identity governance
  • Microsoft Purview and compliance features at a high level
  • Basic overview of Defender products (Defender for Cloud, Defender for Office 365, etc.)

Critically, SC-900 is multiple-choice and conceptual. You won't touch a portal, write KQL, or investigate an incident. It's designed for people who need to talk about Microsoft security tooling—sales engineers, project managers, junior IT staff, or anyone starting a cloud security career who needs vocabulary and mental models before diving into hands-on work.

What SC-200 Actually Tests

SC-200 (Microsoft Security Operations Analyst) is a practitioner-level exam built around real SOC workflows. It assumes you already understand security fundamentals and tests your ability to:

  • Configure and use Microsoft Sentinel: data connectors, analytics rules, workbooks, playbooks (Logic Apps)
  • Write and interpret KQL (Kusto Query Language) queries for threat hunting and detection tuning
  • Investigate and respond to incidents using Microsoft Defender XDR (Defender for Endpoint, Defender for Identity, Defender for Office 365, Defender for Cloud Apps)
  • Manage and remediate vulnerabilities via Microsoft Defender Vulnerability Management
  • Build automation for SOC response using Sentinel playbooks and Defender automated investigation

This exam expects you to know what a SOC analyst does day-to-day—triaging alerts, correlating signals across products, and writing queries under time pressure. Microsoft explicitly recommends security operations experience or equivalent knowledge before attempting it.

Key Differences at a Glance

FactorSC-900SC-200
LevelFundamentalsAssociate
FormatConcept recallApplied scenarios, some hands-on-style questions
Prerequisite knowledgeNone requiredSecurity operations basics expected
Career fitPre-sales, GRC, IT generalists, career switchersSOC analysts, incident responders, threat hunters
Hands-on lab practice neededMinimalSignificant (Sentinel + Defender portals)
Typical prep time1-3 weeks4-8 weeks with lab practice

Which One Should You Take First?

If you're new to cybersecurity or coming from a non-technical role, start with SC-900. It's cheap in terms of time investment and gives you the shared vocabulary that makes SC-200 material click faster—terms like conditional access, RBAC, or zero trust won't be new concepts you're learning simultaneously with query syntax.

If you already work in IT, helpdesk, or a junior SOC role and understand networking, logs, and basic incident response, you can likely skip straight to SC-200. Many analysts with a few months of hands-on ticket work jump directly into SC-200 prep without ever sitting SC-900, and that's a valid path—Microsoft doesn't enforce SC-900 as a hard prerequisite.```` (There isn't a technical requirement to pass SC-900 before SC-200; it's purely a recommended on-ramp.)

Practical Prep Advice

For SC-900, Microsoft Learn's free modules are genuinely sufficient—this is one of the few certs where free official material alone gets most candidates a pass.

For SC-200, free reading isn't enough. You need:

  1. A trial or dev tenant with Microsoft Sentinel and Defender XDR enabled
  2. Practice writing KQL against sample log data—focus on where, summarize, join, and time-based filters
  3. Walkthroughs of the incident investigation queue in the Defender portal so the UI is familiar under exam pressure
  4. Review of Sentinel analytics rule creation and playbook automation, since scenario questions often hinge on choosing the right automation trigger

The Bottom Line

SC-900 answers

This article was generated with AI assistance and published to the Korra Studio knowledge base. Spotted an error? Let us know.

Field Notes

Ready to go deeper?

Turn these Field Notes into hands-on skills — deploy into the related Segments on DEFENSE_GRID.

bolt Create free account

Related Segments

arrow_backAll field notes grid_viewExplore the Operations Library