SC-200 was updated in August, and while there are quite a few changes, it wasn’t a major overhaul, instead it’s more of a consolidation of some topics, as well as the expansion and addition of topics. Before we get into the main changes, it’s also worth noting the section weightings have changed, most notably the Microsoft Sentinel section expanding to 50-55% and Defender for Cloud dropping to 20-25%. This means that the weighting is still very heavily Azure leaning, now sitting and 70-80% of the exam versus previously sitting at 65-75% of the exam.

Why was the Sentinel weighting increased? Simple, there’s quite a few additional Sentinel topics included, reflecting some of the additional capabilities that have been introduced over the last few years. Let’s get into some of the differences with the exam update. Let’s start with what’s been removed, and then what’s been added.


  • Sensitivity labels
  • Attack surface reduction rules
  • Privileged Identity Management
  • Defender for Cloud automatic response using an Azure Resource Manager template
  • Defender for Cloud for Key Vault alerts


  • Device security baselines
  • Custom detections and alerts in Microsoft 365 Defender
  • Identify and remediate security risks using the Microsoft Defender for Cloud Secure Score
  • Defender for Cloud policies for regulatory compliance 
  • Defender for Cloud security recommendations
  • Sentinel content hub, repositories and community resources
  • Sentinel watchlists
  • Sentinel threat indicators
  • Sentinel data classification and normalization
  • Sentinel automation
  • MCSTIPy in Sentinel Notebooks

As you can see. the list of what was removed is fairly short, but some of them are still potentially covered by other parts of the exam though. The list of what was added is dominated by Sentinel topics, and while they are mostly self explanatory, the one that stands out to me is Sentinel automation. Pay close attention here, because this is effectively telling you that it’s not just about automation using Playbooks. The other thing to note is that the inclusion of custom detections in Microsoft 365 Defender means another area where KQL can turn up in the exam.

If you are starting your exam preparation already having exposure to Microsoft Defender for Cloud, Microsoft Sentinel, Log Analytics, Kusto Query Language and Logic Apps, as well as an understanding of other related Azure services, you are going to be in pretty good shape to fill in the Microsoft 365 Defender gaps and pass the exam. However, you can also easily figure out that the opposite is true – if you’ve only been working with the Microsoft 365 Defender components, there is going to be much study and learning to have a good chance at passing on your first attempt.

The good news is that regardless of which of these categories you fall under, the exam doesn’t expect you to have a deep understanding of the workloads that you are trying to protect, and instead focuses on the skills and tools needed to perform those tasks, not how to remediate the underlying issues that might be identified on a workload by workload basis. This is where this exam is quite different to exams such as MS-500 and AZ-500, as they expect you to know a bit more about the workloads you are trying to protect as well as how to protect them.

This means that the candidates for this exam get a very different recommendation from me versus those targeting one of the 500 series exams just mentioned, I usually don’t recommend those as someone’s first exam, as they tend to reward those who have done other exams in the lead up to them, in the case of MS-500 for example, I highly recommend that someone has already passed MS-100, MS-101 and MD-101 for example, as they’ve traditionally done a good job of covering a great deal of overlapping content with MS-500.

If you’ve already passed MS-500 and AZ-500, this is an excellent choice as your next exam, because there will be some overlap in the technologies, but expect this exam to go much deeper into understanding the Defender family of technologies, and it also goes deeper into Sentinel than you will have seen on previous exams. You will definitely need to spend some time with Kusto and Log Analytics, not just for the Microsoft Sentinel portion of the exam, but Microsoft Defender for Cloud as well.

Mitigate threats using Microsoft 365 Defender (25-30%)

Mitigate threats to the productivity environment by using Microsoft 365 Defender 

Mitigate endpoint threats by using Microsoft Defender for Endpoint

Mitigate identity threats

Manage extended detection and response (XDR) in Microsoft 365 Defender

Mitigate threats using Microsoft Defender for Cloud (20-25%)

Design and configure an Microsoft Defender for Cloud implementation

Plan and implement the use of data connectors for ingestion of data sources in Microsoft Defender for Cloud

Configure and respond to alerts and incidents in Microsoft Defender for Cloud

Mitigate threats using Microsoft Sentinel (50-55%)

Design and configure an Microsoft Sentinel workspace

Plan and Implement the use of data connectors for ingestion of data sources in Microsoft Sentinel

Manage Microsoft Sentinel analytics rules

Perform data classification and normalization

Configure Security Orchestration Automation and Response (SOAR) in Microsoft Sentinel

Manage Microsoft Sentinel Incidents

Use Microsoft Sentinel workbooks to analyze and interpret data

Hunt for threats using Microsoft Sentinel