Earlier this week a major update for SC-900 went live. While very little has been added to the exam content, it’s what has been removed that is more important. Without covering all of the changes in detail, the summary is that the Describe endpoint security with Intune, and Describe the eDiscovery and audit capabilities of Microsoft 365 sections have been removed, and sections including Describe insider risk capabilities in Microsoft 365 have been simplified. There are other changes distributed amongst the objectives, but these are big changes.

If you work across Azure and Microsoft 365 security and compliance capabilities, this should be a pretty straight forward exam for you. If you only focus on the security and compliance capabilities of one of them, just make sure you focus your preparation on the areas that you are least familiar with.

Describe the Concepts of Security, Compliance, and Identity (10-15%)

Describe security and compliance concepts

Describe identity concepts

Describe the capabilities of Microsoft Identity and Access Management Solutions (25-30%)

Describe the basic identity services and identity types of Azure AD

Describe the authentication capabilities of Azure AD 

Describe access management capabilities of Azure AD

Describe the identity protection & governance capabilities of Azure AD

Describe the capabilities of Microsoft Security Solutions (25-30%)

Describe basic security capabilities in Azure

Describe security management capabilities of Azure

Describe security capabilities of Microsoft Sentinel

Describe threat protection with Microsoft 365 Defender

Describe the Capabilities of Microsoft Compliance Solutions (25-30%)

Describe the compliance management capabilities of Microsoft

Describe the compliance management capabilities of Microsoft 365

Describe information protection and governance capabilities of Microsoft 365

Describe insider risk capabilities in Microsoft 365

Describe resource governance capabilities in Azure

Check out my other exam reference guides here.