Passing Microsoft SC-900 - Strengthening My Foundation in Security, Compliance & Identity
☁️🔐 Passing Microsoft SC-900 - Strengthening My Foundation in Security, Compliance & Identity
I’m happy to share that I recently passed the Microsoft SC-900: Security, Compliance, and Identity Fundamentals certification.
The SC-900 exam itself is designed as a broad introduction to Microsoft’s security, compliance, and identity ecosystem rather than a deeply technical implementation exam. The topics are generally divided across four main areas:
- security concepts and Zero Trust principles
- identity and access management with Microsoft Entra ID
- Microsoft security solutions such as Defender and Sentinel
- Microsoft compliance and governance solutions including Purview
While the certification is considered foundational, I found the exam still required careful reading and a solid understanding of how Microsoft’s various security and compliance services fit together across enterprise environments.
Over the past year, I’ve been transitioning from a background in financial risk governance within global investment banking into technology risk and cybersecurity. Through my internship experience with Cyber Range (LOG(N) Pacific), I gained hands-on exposure to Microsoft Sentinel, Defender for Endpoint, SIEM investigations, alert triage, and KQL-based telemetry analysis. SC-900 helped connect many of those practical experiences back to broader security, identity, and governance concepts within the Microsoft ecosystem.
One area I especially enjoyed was learning more about Microsoft Entra ID and identity-focused security controls. The certification reinforced how central identity has become within modern cloud environments through concepts such as Conditional Access, Multi-Factor Authentication, Identity Protection, and Privileged Identity Management.
The sections covering Microsoft Sentinel and the broader Defender ecosystem also tied directly into some of the investigations and incident analysis work I completed during Cyber Range. Understanding the distinctions between SIEM, XDR, endpoint security, identity security, and cloud application monitoring became much clearer through the certification process.
I also found the governance and compliance portions particularly interesting because they connected naturally with my earlier financial risk experience. Topics such as Data Loss Prevention (DLP), Sensitivity Labels, eDiscovery, Insider Risk Management, and data governance reinforced how cybersecurity increasingly overlaps with governance, auditability, regulatory expectations, and enterprise risk management.
Another aspect I appreciated was how SC-900 complemented my earlier AWS Certified Cloud Practitioner (AWS CCP) studies. While AWS CCP introduced broader cloud concepts and shared responsibility models, SC-900 focused more deeply on Microsoft’s security, identity, and compliance ecosystem.
One lesson I’ve learned throughout this transition is that cybersecurity is not only about technical expertise. Communication, structured analysis, governance, and risk prioritization are equally important. In many ways, my previous experience in financial risk governance and audit coordination has translated more naturally into technology risk and security governance than I initially expected.
Going forward, I plan to continue building experience in technology risk, security governance, SIEM investigations, and Microsoft security technologies while continuing to strengthen my broader IT and cloud security foundation.
For anyone considering SC-900, especially those interested in cybersecurity, governance, cloud security, or the Microsoft ecosystem - I think it provides a strong introduction to modern enterprise security concepts.
Thanks for reading! 🙏
If you're interested in technology risk, security governance, or enterprise security operations, feel free to connect with me on LinkedIn.
Feel free to reach out with questions or thoughts.