SC-900 vs SC-200: Which Microsoft Security Certification Should You Take First?

2026/07/13

Click to upload or drag and drop

PDF, DOCX, PPTX, TXT, JPG, JPEG, PNG, HEIC, ODP, ODT, BMP, or TIFF

up to 20MB

Please wait, your quiz is being created...

Uploading...

Take SC-900 first, then SC-200. SC-900 is the beginner exam ($99, confirmed in Microsoft's pricing feed) and SC-200 is the associate exam for people who already work in a security operations center. They are not alternatives to each other and they are not the same subject at two difficulty levels. SC-900 asks you to describe a security stack. SC-200 asks you to run one, at 2am, during an incident.

The single number that settles it: the word "Sentinel" appears twice in SC-900's official skills outline and sixteen times in SC-200's. That gap is the whole difference between the two exams.

SC-900 vs SC-200 at a glance

SC-900SC-200
Full nameSecurity, Compliance, and Identity FundamentalsMicrosoft Security Operations Analyst
LevelBeginnerAssociate
Exam fee (US)$99, confirmed in Microsoft's pricing feedNot in the pricing feed, so no fee can be honestly quoted
Domains43
Biggest domainMicrosoft security solutions, 35 to 40%Manage a security operations environment, 40 to 45%
"Sentinel" in the outline216
"Defender" in the outline1120
PrerequisiteNoneNone officially, but real SOC exposure in practice
Passing score700 / 1000700 / 1000

Both exams got a refreshed objectives version effective July 28, 2026. Before you panic and rebuy a course: we read both change logs, and every functional group on both exams is marked "No change" by Microsoft. Only sub-skills moved, and only by "Minor." No domain was renamed, added or removed on either exam, and no weight shifted.

What SC-900 actually is

SC-900 is a vocabulary exam about a product catalog. Only 10 to 15 percent of it (the smallest domain) is vendor-neutral security concepts you could learn from any textbook: zero trust, defense in depth, shared responsibility, authentication versus authorization. The other 85 to 90 percent is Microsoft product names, and there are a lot of them. Eleven mentions of Defender across seven different Defender products, six of Purview, twelve of Entra.

The four domains: Microsoft security solutions (35 to 40%), Microsoft Entra (25 to 30%), Microsoft compliance solutions (20 to 25%), and core security, compliance and identity concepts (10 to 15%).

Where people lose points is not difficulty, it is confusion between products with almost the same name. Defender for Identity versus Entra ID Protection. Sensitivity labels versus retention labels. Network security groups versus Azure Firewall versus Web Application Firewall. SC-900 is won by drilling distinctions until the names stop blurring, which is exactly what a SC-900 practice test built from your own security notes is good for.

One thing SC-900 does not cover, despite what half the prep market implies: Copilot. The word appears zero times in its outline. It does now examine agent identity, though. One bullet reads, verbatim, "Describe types of identities, including agent ID." AI agents get identities in Entra now, and Microsoft has decided a beginner should be able to describe that.

What SC-200 actually is

SC-200 is the most product-saturated Microsoft exam we have measured. In roughly 630 words of skills text, "Defender" appears 20 times and "Sentinel" 16. There is almost no conceptual material at all. You are expected to already know what a SIEM is; the exam tests whether you can operate Microsoft's.

Three domains only, and notice how operational they are:

  • Manage a security operations environment, 40 to 45%. The biggest.
  • Respond to security incidents, 35 to 40%.
  • Perform threat hunting, 20 to 25%.

SC-200 is also the first Microsoft certification exam to put agentic AI on the blueprint, and it is worth quoting the bullets exactly, because they are startling for a certification exam in 2026. One reads: "Hunt for threats by using Notebooks, including connection to the Sentinel MCP Server." Another reads: "Investigate incidents by using agentic AI, including embedded Microsoft Security Copilot."

Model Context Protocol is now examinable. SC-200 is the only Microsoft exam of the several we have measured whose skills outline names Security Copilot at all. If your practice bank predates 2026, it does not have a single question on either, and those bullets sit inside the two largest domains.

That shift is not just an exam trend. As SOC work starts to include agents that hold identities, call tools and read tenant data, the agents themselves become an attack surface, and stopping a prompt injection from turning an agent into an insider is becoming its own discipline rather than a footnote in the SIEM runbook. SC-200 is the first Microsoft exam to admit that out loud.

Which one should you take?

You areTakeWhy
New to security entirelySC-900$99, no prerequisite, and it gives you the vocabulary every other Microsoft security exam assumes.
Already a SOC or IT analystSC-200SC-900 will teach you nothing you do not know. Skip it.
A student or career changerSC-900, then SC-200The associate exam is the one employers screen on. The fundamentals exam is how you survive studying for it.
An engineer, not an analystNeither: look at SC-500SC-500 is the Cloud and AI Security Engineer exam replacing AZ-500, which retires August 31, 2026.
Chasing a vendor-neutral credentialSecurity+Recognized outside the Microsoft ecosystem, and it is a genuinely different exam.

Can you skip SC-900 and go straight to SC-200?

Yes. Microsoft sets no formal prerequisite, and if you already work in security operations, SC-900 is a waste of $99 and a week. It is a describe-level exam and you will spend the whole time being told things you do things with every day.

The honest test is the Sentinel gap. If you can look at a Sentinel workspace, write a KQL query, and explain what an analytics rule does without looking anything up, go straight to SC-200. If "Sentinel" is a word you have read but never clicked, SC-900 first will save you time overall, because SC-200 will otherwise teach you twenty product names and an incident response workflow at the same time.

How much do they cost?

SC-900 is $99 in the United States, and that is not an estimate: it appears in Microsoft's own published exam pricing feed. It is the same price as AZ-900 and DP-900.

SC-200 is genuinely absent from that feed, which means no honest source can quote you a confirmed SC-200 fee. Associate exams are normally $165 in the US, so that is the reasonable expectation, but confirm at checkout. Any site printing a firm SC-200 price is guessing and not telling you so.

And a note on the numbers you will see quoted elsewhere: Microsoft publishes no question count and no pass rate for any of its exams, ever. Its only general guidance is that most exams contain 40 to 60 questions. Every "SC-200 has 44 questions and a 62% pass rate" claim you find was invented.

Studying for either one

Both exams changed on July 28, 2026, both are heavy on product names that shift under you, and both are badly served by static question banks scraped years ago. The approach that survives an objectives refresh is to build your questions from the current outline and your own notes rather than from someone else's snapshot of an older exam.

Upload your material and generate a SC-200 practice test from your own SOC and Sentinel notes, or start one domain earlier with SC-900 practice questions. If you are on the engineering track instead, SC-500 is replacing AZ-500 on August 31, 2026. For a vendor-neutral foundation, compare the Security+ practice test. And if you administer Microsoft 365 rather than defend it, the fundamentals exam you want is AB-900, which replaced the retired MS-900.

Z tej samej rodziny narzędzi