Domain 1 of 4

Security, Compliance, and Identity Concepts

Domain · 10–15% of the SC-900 exam

In the cloud, the perimeter is a request, not a place

When workloads move to the cloud, the network edge stops being where you draw the line, because your users, devices, and data now sit outside it. Security therefore shifts from guarding a place to verifying every request. This domain hands you the two halves of that shift: the security and compliance concepts that say what you are protecting and the strategy for it (shared responsibility, defense in depth, encryption, and governance, risk, and compliance), and the identity concepts that say who is asking and whether they may act. The classic trap is reading these as two unrelated checklists. They are one idea, because Zero Trust's first principle, verify explicitly, is exactly what promotes identity from one control among many into the control plane you build everything else around.

Two pages, two questions, and the order matters

Read the domain as two pages that build on each other. Start with Security and Compliance Concepts, the free first page: it sets the vocabulary every later domain reuses, the shared responsibility model (what Microsoft secures versus what stays yours, from IaaS, infrastructure as a service, up to SaaS, software as a service), defense in depth and the CIA triad (confidentiality, integrity, availability), Zero Trust's three principles, encryption versus hashing, and GRC (governance, risk, and compliance). Reach for it when a question turns on who is responsible, whether something is reversible, or law versus security. Then move to Identity Concepts: it takes Zero Trust's verify-explicitly idea and shows why identity became the perimeter, then the machinery, authentication versus authorization, identity providers and single sign-on (SSO), directory services with Active Directory Domain Services (AD DS) versus Microsoft Entra ID, and federation. Reach for it when a question turns on who is asking and whether they may act.

When two answers both work, verify explicitly and grant the least

One instinct is the tie-breaker across the whole domain: when two answers both look valid, prefer the one that verifies explicitly rather than trusting a network location, and grants the least privilege for the shortest time. That is Zero Trust in miniature, and it points the same way whether the question is about a control (encrypt and segment as if already breached), a responsibility (your data, devices, and identities stay yours to protect in every service model), or an access decision (authenticate first, then authorize only what the role needs). Compliance is a floor, not the goal: an organization can pass an audit and still be insecure, so the exam rewards the answer that reduces real risk over the one that merely checks a box.

The two halves of the domain (and where each is covered)

HalfThe question it answersCore vocabularyDrill into
Security and compliance conceptsWhat am I protecting, against what, and by what strategy?Shared responsibility, defense in depth and the CIA triad, Zero Trust, encryption vs hashing, GRCSecurity and Compliance Concepts
Identity conceptsWho is asking, and may they act?Identity as the perimeter, authentication vs authorization, identity providers and SSO, directory services and AD DS vs Entra ID, federationIdentity Concepts

Subtopics in this domain