SC-100 vs AZ-500: Different Levels, and One Retires August 2026

2026/07/16

Click to upload or drag and drop

PDF, DOCX, PPTX, TXT, JPG, JPEG, PNG, HEIC, ODP, ODT, BMP, or TIFF

up to 20MB

Please wait, your quiz is being created...

Uploading...

SC-100 and AZ-500 are not rivals; they are two rungs of the same ladder. AZ-500 (Azure Security Engineer Associate) is an associate-level implementation exam: you configure Defender for Cloud, harden networks, and manage Key Vault. SC-100 (Microsoft Cybersecurity Architect) is the expert-level capstone above it: you design the security architecture that engineers then implement, and the certification only issues if you also hold a qualifying associate, of which Azure Security Engineer Associate is one. The complication in 2026: the AZ-500 exam retires on August 31, 2026, replaced by SC-500, so the classic AZ-500 then SC-100 sequence now has a deadline attached.

SC-100 vs AZ-500 side by side

SC-100AZ-500
LevelExpert (capstone)Associate
Certification earnedCybersecurity Architect Expert (with a qualifying associate)Azure Security Engineer Associate
What it testsDesigning security strategy: Zero Trust, MCRA and MCSB alignment, ransomware resiliency, posture management across cloudsImplementing security: Defender for Cloud and Sentinel, network security, compute and data protection, identity and access
Question altitudeTrade-off scenarios; the outline uses Design, Evaluate or Specify 98 timesConfiguration tasks; portal, CLI and policy specifics
Biggest domainsSecurity operations, identity and compliance 25 to 30%; infrastructure 25 to 30%Defender for Cloud and Sentinel 30 to 35%
Passing score700 scaled700 scaled
PrerequisitesNone to sit; certification requires one of AZ-500, SC-300 or SC-200None
Status in 2026Current; April 2026 outline, no retirement date publishedRetires August 31, 2026; replaced by SC-500
Official practice assessmentYes, free on Microsoft LearnYes, free on Microsoft Learn

The relationship most comparisons miss

Passing SC-100 alone does not make you a Cybersecurity Architect Expert. Microsoft requires at least one qualifying associate certification alongside the exam: Azure Security Engineer Associate (AZ-500), Identity and Access Administrator Associate (SC-300), or Security Operations Analyst Associate (SC-200). So the real question is rarely SC-100 or AZ-500; it is which associate you pair with SC-100, and whether AZ-500 is still the right pick with six weeks of runway. The full qualifying-route breakdown is on our SC-100 practice test page.

What the retirement actually means

Microsoft retires Exam AZ-500 on August 31, 2026, with SC-500 (Cloud and AI Security Engineer Associate) as the successor. Three practical consequences:

  • Already hold Azure Security Engineer Associate? Your certification stays valid until its expiry date and keeps qualifying you for the Expert credential. What disappears is renewal: the renewal assessment retires with the exam.
  • Mid-study for AZ-500 now? Book before August 31, 2026 and your study investment converts to a qualifying associate as planned. Our AZ-500 practice test page covers the four domains, including the Defender for Cloud and Sentinel domain that carries 30 to 35 percent.
  • Starting from zero after August? Take SC-500, SC-300 or SC-200 instead. SC-500 covers cloud and AI workload security end to end and is the designated successor, though as of July 2026 it has no official practice assessment yet.

What each exam covers, domain by domain

AZ-500 has four implementation domains. Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel is the largest at 30 to 35 percent, followed by secure networking at 20 to 25 percent, secure compute, storage and databases at 20 to 25 percent, and secure identity and access at 15 to 20 percent. Every objective is something you do: configure, deploy, manage, monitor.

SC-100 has four design domains with deliberately flat weights: design solutions that align with security best practices and priorities (20 to 25 percent, covering ransomware resiliency, BCDR and the named frameworks), design security operations, identity and compliance capabilities (25 to 30 percent), design security solutions for infrastructure (25 to 30 percent), and design security solutions for applications and data (20 to 25 percent). The flatness is the message: the exam tests one skill, architectural judgment, applied to four surfaces. The April 2026 outline also modernized quietly, adding Entra Agent ID for AI agent identities, a secure AI adoption strategy, and Security Exposure Management attack paths.

Can you skip AZ-500 entirely?

Yes, and after August 31, 2026 you will have to. The qualifying-associate requirement is satisfied by any one of the three certifications, and SC-300 or SC-200 may fit your actual job better anyway: SC-300 if your work centers on Entra ID, Conditional Access and identity governance, SC-200 if you live in Sentinel, Defender XDR and incident response. The identity and security-operations objective groups inside SC-100 are also the two deepest, so whichever associate you pick doubles as targeted preparation for the corresponding slice of the capstone. What you should not skip is implementation experience itself; SC-100's scenarios assume you have felt the consequences of the designs it asks about.

Which order should you take them in?

Associate first, capstone second, almost always. SC-100 assumes you already know what the services do; it tests whether you can choose between them under business constraints. An engineer who has actually configured Defender for Cloud posture recommendations will recognize what SC-100's infrastructure domain is asking; someone who memorized the marketing page will not. The exception is the experienced security architect who has designed multicloud security for years without certifying: sitting SC-100 first and backfilling the associate is allowed, and the credential issues once both are in place.

How the studying differs

AZ-500 rewards lab time: build the policy, break it, read the alert. SC-100 rewards framework fluency, because the right answer is defined by alignment with the Microsoft Cybersecurity Reference Architectures, the Microsoft Cloud Security Benchmark, and the Zero Trust adoption framework rather than by what technically works. Its regulatory compliance objectives are a good example: the exam asks you to translate compliance requirements into security controls with Purview, Azure Policy and Defender for Cloud, the same translation work that regulated US teams increasingly hand to an AI compliance officer so architects can stay on architecture. Study the frameworks first, then drill judgment: upload your notes and generate scenario questions that force a design choice, not a definition. For AZ-500, generate configuration-level questions from the same notes and keep the two questioning styles separate; mixing them trains you for neither exam.

Is SC-100 harder than AZ-500?

Harder is the wrong axis; they filter for different failures. AZ-500 fails people with thin hands-on time, because its questions hinge on configuration specifics you only retain by doing: which Defender plan covers which workload, where a NSG rule beats a firewall policy. SC-100 fails strong engineers who have never had to defend a design decision, because several answers in each scenario would technically work and the exam wants the one that aligns with the stated business constraint and the named framework. Candidates who cleared AZ-500 comfortably regularly describe SC-100 as the more disorienting exam, not because the content is deeper but because the question altitude changes and portal knowledge stops helping.

Cost and renewal

Microsoft prices exams by country and shows your regional fee when you schedule; US associate exams typically run US$165. Both certifications renew free every 12 months with an online renewal assessment on Microsoft Learn, with the AZ-500 caveat above: once the exam retires, its renewal path retires too, which is one more reason the SC-500 successor exists.

Bottom line

Compare SC-100 vs AZ-500 and you are really sequencing a path, not picking a winner. If you implement security today, take the associate now, and if AZ-500 is your target, book it before August 31, 2026 or switch to SC-500. If you already hold AZ-500, SC-300 or SC-200 and your job is drifting from configuring controls to choosing them, SC-100 is the exam that certifies the drift. The ladder only reads top to bottom in one case: architects with years of design experience and no Microsoft paper, who can sit the capstone first and let the associate follow.

Z tej samej rodziny narzędzi