New wave: Microsoft Security Certifications

A few months ago, Microsoft announced a new wave of security exams and certifications in response to strong market demand, filling a much-needed gap in the Microsoft certification portfolio.

The four new security exams, first released as beta versions in March, are:

  • Exam SC-900: Microsoft Security, Compliance, and Identity Fundamentals
  • Exam SC-200: Microsoft Security Operations Analyst
  • Exam SC-300: Microsoft Identity and Access Administrator
  • Exam SC-400: Microsoft Information Protection Administrator

Two of these exams, SC-900 and SC-400, were updated on July 26th and July 23rd respectively, and the other two, SC-200 and SC-300, will be updated on September 24th.

Let’s look at each exam’s target audience profile and its new or updated list of skills measured. Naturally, the list of skills measured is neither definitive nor exhaustive, and you should have adequate theoretical and practical knowledge of these and other relevant skills before attempting to sit an exam.

Exam SC-900: Microsoft Security, Compliance, and Identity Fundamentals

For anyone who is just starting in security and needs to become familiar with the fundamentals of security, compliance and identity across cloud-based and related Microsoft services, exam SC-900: Microsoft Security, Compliance, and Identity Fundamentals should be the first exam to study for, take and pass.

Passing the SC-900 exam earns you the Microsoft Certified: Security, Compliance, and Identity Fundamentals certification, a great entry point to the next, associate-level security certifications that cover other relevant Microsoft security-related products and services. Typical job roles relevant to this exam are student and business user.

Audience Profile, according to Microsoft:

“This is a broad audience that may include business stakeholders, new or existing IT professionals, or students who have an interest in Microsoft security, compliance, and identity solutions.

Candidates should be familiar with Microsoft Azure and Microsoft 365 and want to understand how Microsoft security, compliance, and identity solutions can span across these solution areas to provide a holistic and end-to-end solution.”

Skills Measured

Describe the Concepts of Security, Compliance, and Identity (10-15%)

  • Describe security and compliance concepts & methodologies
  • Define identity concepts

Describe the capabilities of Microsoft Identity and Access Management Solutions (30-35%)

  • Describe the basic identity services and identity types of Azure AD
  • Describe the authentication capabilities of Azure AD
  • Describe access management capabilities of Azure AD
  • Describe the identity protection & governance capabilities of Azure AD

Describe the capabilities of Microsoft Security Solutions (35-40%)

  • Describe basic security capabilities in Azure
  • Describe security management capabilities of Azure
  • Describe security capabilities of Azure Sentinel
  • Describe threat protection with Microsoft 365 Defender
  • Describe security management capabilities of Microsoft 365
  • Describe endpoint security with Microsoft Intune

Describe the Capabilities of Microsoft Compliance Solutions (25-30%)

  • Describe the compliance management capabilities in Microsoft
  • Describe information protection and governance capabilities of Microsoft 365
  • Describe insider risk capabilities in Microsoft 365
  • Describe the eDiscovery and audit capabilities of Microsoft 365
  • Describe resource governance capabilities in Azure

Exam SC-200: Microsoft Security Operations Analyst

The SC-200 associate-level exam tests your knowledge and ability to accomplish several technical tasks: mitigate threats using Microsoft 365 Defender; mitigate threats using Azure Defender; and mitigate threats using Azure Sentinel.

As you can see, you will be tested heavily on three heavyweight Microsoft infrastructure security products: Azure Defender, Azure Sentinel and Microsoft 365 Defender. I suggest you take the time to explore and learn about these products even if you do not plan to take the exam, because these are great products and knowing them will make a difference in protecting your infrastructure and your company’s assets.

Audience Profile, according to Microsoft:

“The Microsoft Security Operations Analyst collaborates with organizational stakeholders to secure information technology systems for the organization. Their goal is to reduce organizational risk by rapidly remediating active attacks in the environment, advising on improvements to threat protection practices, and referring violations of organizational policies to appropriate stakeholders.

Responsibilities include threat management, monitoring, and response by using a variety of security solutions across their environment. The role primarily investigates, responds to, and hunts for threats using Microsoft Azure Sentinel, Azure Defender, Microsoft 365 Defender, and third-party security products. Since the Security Operations Analyst consumes the operational output of these tools, they are also a critical stakeholder in the configuration and deployment of these technologies.”

Passing the SC-200: Microsoft Security Operations Analyst exam earns you the Microsoft Certified: Security Operations Analyst Associate certification. Typical job roles that require the knowledge measured by SC-200 are Security Engineer and Security Operations Analyst.

Skills measured

Mitigate threats using Microsoft 365 Defender (25-30%)

  • Detect, investigate, respond, and remediate threats to the productivity environment by using Microsoft Defender for Office 365
  • Detect, investigate, respond, and remediate endpoint threats by using Microsoft Defender for Endpoint
  • Detect, investigate, respond, and remediate identity threats
  • Detect, investigate, respond, and remediate application threats
  • Manage cross-domain investigations in Microsoft 365 Defender portal

Mitigate threats using Azure Defender (25-30%)

  • Design and configure an Azure Defender implementation
  • Plan and implement the use of data connectors for ingestion of data sources in Azure Defender
  • Manage Azure Defender alert rules
  • Configure automation and remediation

Mitigate threats using Azure Sentinel (40-45%)

  • Design and configure an Azure Sentinel workspace
  • Plan and implement the use of data connectors for ingestion of data sources in Azure Sentinel
  • Manage Azure Sentinel analytics rules
  • Configure Security Orchestration Automation and Response (SOAR) in Azure Sentinel
  • Manage Azure Sentinel incidents
  • Use Azure Sentinel workbooks to analyse and interpret data
  • Hunt for threats using the Azure Sentinel portal

Exam SC-300: Microsoft Identity and Access Administrator

The SC-300 associate-level exam tests your knowledge and ability to accomplish several technical tasks: implement an identity management solution; implement an authentication and access management solution; implement access management for apps; and plan and implement an identity governance strategy.

Audience Profile, according to Microsoft:

“The Microsoft Identity and Access Administrator designs, implements, and operates an organization’s identity and access management systems by using Azure AD. They manage tasks such as providing secure authentication and authorization access to enterprise applications. The administrator provides seamless experiences and self-service management capabilities for all users. Adaptive access and governance are core elements to the role. This role is also responsible for troubleshooting, monitoring, and reporting for the identity and access environment.

The Identity and Access Administrator may be a single individual or a member of a larger team. This role collaborates with many other roles in the organization to drive strategic identity projects to modernize identity solutions, to implement hybrid identity solutions and to implement identity governance.”

Passing the SC-300: Microsoft Identity and Access Administrator exam earns you the Microsoft Certified: Identity and Access Administrator Associate certification. Typical job roles that require the knowledge measured by SC-300 are Security Engineer, Administrator and Identity and Access Administrator.

Crucial topics you will encounter here include Azure Active Directory, multi-factor authentication, access management and identity governance, all extremely important parts of any company’s identity and access roles and security policy.

Skills measured

Implement an Identity Management Solution (25-30%)

  • Implement initial configuration of Azure Active Directory
  • Create, configure, and manage identities
  • Implement and manage external identities
  • Implement and manage hybrid identity

Implement an Authentication and Access Management Solution (25-30%)

  • Plan and implement Azure Multifactor Authentication (MFA)
  • Manage user authentication
  • Plan, implement and administer conditional access
  • Manage Azure AD Identity Protection

Implement Access Management for Apps (10-15%)

  • Plan, implement, and monitor the integration of Enterprise Apps for SSO
  • Implement app registrations

Plan and Implement an Identity Governance Strategy (25-30%)

  • Plan and implement entitlement management
  • Plan, implement and manage access reviews
  • Plan and implement privileged access
  • Monitor and maintain Azure Active Directory

Exam SC-400: Microsoft Information Protection Administrator

The SC-400 associate-level exam tests your knowledge and ability to accomplish several technical tasks: implement information protection; implement data loss prevention; and implement information governance.

Audience Profile, according to Microsoft:

“The Information Protection Administrator plans and implements controls that meet organizational compliance needs. This person is responsible for translating requirements and compliance controls into technical implementation. They assist organizational control owners to become and stay compliant.

They work with information technology (IT) personnel, business application owners, human resources, and legal stakeholders to implement technology that supports policies and controls necessary to sufficiently address regulatory requirements for their organization. They also work with the compliance and security leadership such as a Chief Compliance Officer and Security Officer to evaluate the full breadth of associated enterprise risk and partner to develop those policies.

This person defines applicable requirements and tests IT processes and operations against those policies and controls. They are responsible for creating policies and rules for content classification, data loss prevention, governance, and protection.”

Passing the SC-400: Microsoft Information Protection Administrator exam earns you the Microsoft Certified: Information Protection Administrator Associate certification. Typical job roles that require the knowledge measured by SC-400 are Security Engineer, Administrator, Information Protection Administrator and Risk Practitioner.

This exam tests your knowledge of, and ability to, protect and secure company information, a very important part of ensuring sensitive information is safeguarded against accidental or intentional loss.

Skills measured

Implement Information Protection (35-40%)

  • Create and manage sensitive information types
  • Create and manage trainable classifiers
  • Implement and manage sensitivity labels
  • Plan and implement encryption for email messages

Implement Data Loss Prevention (30-35%)

  • Create and configure data loss prevention policies
  • Implement and monitor Microsoft Endpoint data loss prevention
  • Manage and monitor data loss prevention policies and activities

Implement Information Governance (25-30%)

  • Configure retention policies and labels
  • Manage data retention in Microsoft 365
  • Implement records management in Microsoft 365

Someone asked me the other day: “What exam or certification do you recommend; as a security professional, which exam should I take?”

I would say: take the SC-900 exam first, then take the one whose topics you are most familiar with. Some skills-measured domains overlap with other Microsoft security-related exams, like AZ-500: Microsoft Azure Security Technologies or MS-500: Microsoft 365 Security Administration, but each exam covers a range of very specific domains and, if you want to be a great security engineer or professional, take and pass all the security exams. This way you will gain knowledge of, and learn about, products that cover the bigger part of Microsoft’s security portfolio, and it will prepare and enable you to understand security from a broader, more complete view.
