Click to upload or drag and drop
PDF, DOCX, PPTX, TXT, JPG, JPEG, PNG, HEIC, ODP, ODT, BMP, or TIFF
up to 20MB
Uploading...
SC-100 and AZ-500 are not rivals; they are two rungs of the same ladder. AZ-500 (Azure Security Engineer Associate) is an associate-level implementation exam: you configure Defender for Cloud, harden networks, and manage Key Vault. SC-100 (Microsoft Cybersecurity Architect) is the expert-level capstone above it: you design the security architecture that engineers then implement, and the certification only issues if you also hold a qualifying associate, of which Azure Security Engineer Associate is one. The complication in 2026: the AZ-500 exam retires on August 31, 2026, replaced by SC-500, so the classic AZ-500 then SC-100 sequence now has a deadline attached.
| SC-100 | AZ-500 | |
|---|---|---|
| Level | Expert (capstone) | Associate |
| Certification earned | Cybersecurity Architect Expert (with a qualifying associate) | Azure Security Engineer Associate |
| What it tests | Designing security strategy: Zero Trust, MCRA and MCSB alignment, ransomware resiliency, posture management across clouds | Implementing security: Defender for Cloud and Sentinel, network security, compute and data protection, identity and access |
| Question altitude | Trade-off scenarios; the outline uses Design, Evaluate or Specify 98 times | Configuration tasks; portal, CLI and policy specifics |
| Biggest domains | Security operations, identity and compliance 25 to 30%; infrastructure 25 to 30% | Defender for Cloud and Sentinel 30 to 35% |
| Passing score | 700 scaled | 700 scaled |
| Prerequisites | None to sit; certification requires one of AZ-500, SC-300 or SC-200 | None |
| Status in 2026 | Current; April 2026 outline, no retirement date published | Retires August 31, 2026; replaced by SC-500 |
| Official practice assessment | Yes, free on Microsoft Learn | Yes, free on Microsoft Learn |
Passing SC-100 alone does not make you a Cybersecurity Architect Expert. Microsoft requires at least one qualifying associate certification alongside the exam: Azure Security Engineer Associate (AZ-500), Identity and Access Administrator Associate (SC-300), or Security Operations Analyst Associate (SC-200). So the real question is rarely SC-100 or AZ-500; it is which associate you pair with SC-100, and whether AZ-500 is still the right pick with six weeks of runway. The full qualifying-route breakdown is on our SC-100 practice test page.
Microsoft retires Exam AZ-500 on August 31, 2026, with SC-500 (Cloud and AI Security Engineer Associate) as the successor. Three practical consequences:
AZ-500 has four implementation domains. Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel is the largest at 30 to 35 percent, followed by secure networking at 20 to 25 percent, secure compute, storage and databases at 20 to 25 percent, and secure identity and access at 15 to 20 percent. Every objective is something you do: configure, deploy, manage, monitor.
SC-100 has four design domains with deliberately flat weights: design solutions that align with security best practices and priorities (20 to 25 percent, covering ransomware resiliency, BCDR and the named frameworks), design security operations, identity and compliance capabilities (25 to 30 percent), design security solutions for infrastructure (25 to 30 percent), and design security solutions for applications and data (20 to 25 percent). The flatness is the message: the exam tests one skill, architectural judgment, applied to four surfaces. The April 2026 outline also modernized quietly, adding Entra Agent ID for AI agent identities, a secure AI adoption strategy, and Security Exposure Management attack paths.
Yes, and after August 31, 2026 you will have to. The qualifying-associate requirement is satisfied by any one of the three certifications, and SC-300 or SC-200 may fit your actual job better anyway: SC-300 if your work centers on Entra ID, Conditional Access and identity governance, SC-200 if you live in Sentinel, Defender XDR and incident response. The identity and security-operations objective groups inside SC-100 are also the two deepest, so whichever associate you pick doubles as targeted preparation for the corresponding slice of the capstone. What you should not skip is implementation experience itself; SC-100's scenarios assume you have felt the consequences of the designs it asks about.
Associate first, capstone second, almost always. SC-100 assumes you already know what the services do; it tests whether you can choose between them under business constraints. An engineer who has actually configured Defender for Cloud posture recommendations will recognize what SC-100's infrastructure domain is asking; someone who memorized the marketing page will not. The exception is the experienced security architect who has designed multicloud security for years without certifying: sitting SC-100 first and backfilling the associate is allowed, and the credential issues once both are in place.
AZ-500 rewards lab time: build the policy, break it, read the alert. SC-100 rewards framework fluency, because the right answer is defined by alignment with the Microsoft Cybersecurity Reference Architectures, the Microsoft Cloud Security Benchmark, and the Zero Trust adoption framework rather than by what technically works. Its regulatory compliance objectives are a good example: the exam asks you to translate compliance requirements into security controls with Purview, Azure Policy and Defender for Cloud, the same translation work that regulated US teams increasingly hand to an AI compliance officer so architects can stay on architecture. Study the frameworks first, then drill judgment: upload your notes and generate scenario questions that force a design choice, not a definition. For AZ-500, generate configuration-level questions from the same notes and keep the two questioning styles separate; mixing them trains you for neither exam.
Harder is the wrong axis; they filter for different failures. AZ-500 fails people with thin hands-on time, because its questions hinge on configuration specifics you only retain by doing: which Defender plan covers which workload, where a NSG rule beats a firewall policy. SC-100 fails strong engineers who have never had to defend a design decision, because several answers in each scenario would technically work and the exam wants the one that aligns with the stated business constraint and the named framework. Candidates who cleared AZ-500 comfortably regularly describe SC-100 as the more disorienting exam, not because the content is deeper but because the question altitude changes and portal knowledge stops helping.
Microsoft prices exams by country and shows your regional fee when you schedule; US associate exams typically run US$165. Both certifications renew free every 12 months with an online renewal assessment on Microsoft Learn, with the AZ-500 caveat above: once the exam retires, its renewal path retires too, which is one more reason the SC-500 successor exists.
Compare SC-100 vs AZ-500 and you are really sequencing a path, not picking a winner. If you implement security today, take the associate now, and if AZ-500 is your target, book it before August 31, 2026 or switch to SC-500. If you already hold AZ-500, SC-300 or SC-200 and your job is drifting from configuring controls to choosing them, SC-100 is the exam that certifies the drift. The ladder only reads top to bottom in one case: architects with years of design experience and no Microsoft paper, who can sit the capstone first and let the associate follow.
Z tej samej rodziny narzędzi