Microsoft's security certification track has a clear on-ramp problem: two exams sound similar but serve very different audiences. Here's how to decide between SC-900 and SC-200 without wasting study time on the wrong one.
What SC-900 Actually Tests
SC-900 (Microsoft Security, Compliance, and Identity Fundamentals) is a foundational, vendor-concept exam. It covers:
- Core security, compliance, and identity concepts (zero trust, shared responsibility model, encryption basics)
- Microsoft Entra ID (formerly Azure AD) capabilities: authentication, access management, identity governance
- Microsoft Purview and compliance features at a high level
- Basic overview of Defender products (Defender for Cloud, Defender for Office 365, etc.)
Critically, SC-900 is multiple-choice and conceptual. You won't touch a portal, write KQL, or investigate an incident. It's designed for people who need to talk about Microsoft security tooling—sales engineers, project managers, junior IT staff, or anyone starting a cloud security career who needs vocabulary and mental models before diving into hands-on work.
What SC-200 Actually Tests
SC-200 (Microsoft Security Operations Analyst) is a practitioner-level exam built around real SOC workflows. It assumes you already understand security fundamentals and tests your ability to:
- Configure and use Microsoft Sentinel: data connectors, analytics rules, workbooks, playbooks (Logic Apps)
- Write and interpret KQL (Kusto Query Language) queries for threat hunting and detection tuning
- Investigate and respond to incidents using Microsoft Defender XDR (Defender for Endpoint, Defender for Identity, Defender for Office 365, Defender for Cloud Apps)
- Manage and remediate vulnerabilities via Microsoft Defender Vulnerability Management
- Build automation for SOC response using Sentinel playbooks and Defender automated investigation
This exam expects you to know what a SOC analyst does day-to-day—triaging alerts, correlating signals across products, and writing queries under time pressure. Microsoft explicitly recommends security operations experience or equivalent knowledge before attempting it.
Key Differences at a Glance
| Factor | SC-900 | SC-200 |
|---|---|---|
| Level | Fundamentals | Associate |
| Format | Concept recall | Applied scenarios, some hands-on-style questions |
| Prerequisite knowledge | None required | Security operations basics expected |
| Career fit | Pre-sales, GRC, IT generalists, career switchers | SOC analysts, incident responders, threat hunters |
| Hands-on lab practice needed | Minimal | Significant (Sentinel + Defender portals) |
| Typical prep time | 1-3 weeks | 4-8 weeks with lab practice |
Which One Should You Take First?
If you're new to cybersecurity or coming from a non-technical role, start with SC-900. It's cheap in terms of time investment and gives you the shared vocabulary that makes SC-200 material click faster—terms like conditional access, RBAC, or zero trust won't be new concepts you're learning simultaneously with query syntax.
If you already work in IT, helpdesk, or a junior SOC role and understand networking, logs, and basic incident response, you can likely skip straight to SC-200. Many analysts with a few months of hands-on ticket work jump directly into SC-200 prep without ever sitting SC-900, and that's a valid path—Microsoft doesn't enforce SC-900 as a hard prerequisite.```` (There isn't a technical requirement to pass SC-900 before SC-200; it's purely a recommended on-ramp.)
Practical Prep Advice
For SC-900, Microsoft Learn's free modules are genuinely sufficient—this is one of the few certs where free official material alone gets most candidates a pass.
For SC-200, free reading isn't enough. You need:
- A trial or dev tenant with Microsoft Sentinel and Defender XDR enabled
- Practice writing KQL against sample log data—focus on
where,summarize,join, and time-based filters - Walkthroughs of the incident investigation queue in the Defender portal so the UI is familiar under exam pressure
- Review of Sentinel analytics rule creation and playbook automation, since scenario questions often hinge on choosing the right automation trigger
The Bottom Line
SC-900 answers