Microsoft SC-900 Study Notes

Zero Trust & Core Security Concepts

Security principles, Zero Trust model, and shared responsibility

Domain Weight

Security, Compliance, and Identity Concepts accounts for 10-15% of the SC-900 exam.

Zero Trust Model

Verify Explicitly

Always authenticate and authorize based on all available data points — identity, location, device, service/workload, data classification, and anomalies.

Use Least Privilege Access

Limit user access with just-in-time (JIT) and just-enough-access (JEA), risk-based adaptive policies, and data protection.

Assume Breach

Minimize blast radius, segment access, verify end-to-end encryption, use analytics to get visibility and drive threat detection.

Six Zero Trust Pillars

Pillar	Focus	Key Microsoft Solution
Identities	Verify with strong authentication, risk-based access	Microsoft Entra ID, ID Protection
Endpoints (Devices)	Validate device health and compliance before granting access	Microsoft Intune, Defender for Endpoint
Applications	Govern app permissions, shadow IT, in-app privileges	Defender for Cloud Apps, Entra App Proxy
Data	Classify, label, and encrypt; protect regardless of location	Microsoft Purview, AIP/MIP sensitivity labels
Infrastructure	Assess versions, configurations, and JIT access	Defender for Cloud, Azure Policy
Networks	Segment, encrypt, and limit lateral movement	Azure Firewall, NSG, DDoS Protection, WAF

Shared Responsibility Model

Responsibility	On-Premises	IaaS	PaaS	SaaS
Physical infrastructure	Customer	Microsoft	Microsoft	Microsoft
OS / Runtime	Customer	Customer	Microsoft	Microsoft
Network controls	Customer	Customer	Shared	Microsoft
Application	Customer	Customer	Customer	Shared
Identity & Access	Customer	Customer	Customer	Customer
Data	Customer	Customer	Customer	Customer

Key Security Concepts

Defense in depth: Layered security approach — physical, identity, perimeter, network, compute, application, data
Encryption at rest: Protects stored data (Azure Storage Service Encryption, Transparent Data Encryption for SQL)
Encryption in transit: Protects data moving over networks (TLS, HTTPS, VPN)
Hashing: One-way function for integrity verification — cannot be reversed (SHA-256, bcrypt for passwords)
Authentication vs Authorization: Authentication = who are you; Authorization = what can you do
Accountability (Auditing): Recording what an authenticated user did for forensic and compliance purposes
Federation: Cross-organization trust — user authenticates at home IdP, partner trusts the token
Passwordless authentication: Windows Hello for Business, FIDO2 security keys, Microsoft Authenticator — no password in auth flow

Pillar

Focus

Key Microsoft Solution

Identities

Verify with strong authentication, risk-based access

Microsoft Entra ID, ID Protection

Endpoints (Devices)

Validate device health and compliance before granting access

Microsoft Intune, Defender for Endpoint

Applications

Govern app permissions, shadow IT, in-app privileges

Defender for Cloud Apps, Entra App Proxy

Data

Classify, label, and encrypt; protect regardless of location

Microsoft Purview, AIP/MIP sensitivity labels

Infrastructure

Assess versions, configurations, and JIT access

Defender for Cloud, Azure Policy

Networks

Segment, encrypt, and limit lateral movement

Azure Firewall, NSG, DDoS Protection, WAF

Responsibility

On-Premises

IaaS

PaaS

SaaS

Physical infrastructure

Customer

Microsoft

OS / Runtime

Customer

Microsoft

Network controls

Customer

Shared

Microsoft

Application

Customer

Shared

Identity & Access

Customer

Data

Customer

Quick Feedback

Microsoft SC-900 Study Notes

Domain Weight

Zero Trust Model

Six Zero Trust Pillars

Shared Responsibility Model

Key Security Concepts

Microsoft SC-900 Study Notes

Domain Weight

Zero Trust Model

Six Zero Trust Pillars

Shared Responsibility Model

Key Security Concepts