Guided by A Guide to Cloud
SC-900 Study Guide

Domain 1: Security, Compliance & Identity Concepts

  • Security Foundations: Shared Responsibility & Defence-in-Depth Free
  • Zero Trust: Never Trust, Always Verify Free
  • Encryption, Hashing & GRC Free
  • Identity: The New Security Perimeter Free

Domain 2: Microsoft Entra Capabilities

  • Microsoft Entra ID: Your Identity Hub Free
  • Hybrid & External Identities
  • Authentication: Passwords, MFA & Passwordless
  • Password Protection & Self-Service Reset
  • Conditional Access: Smart Access Decisions
  • Entra Roles and RBAC
  • Identity Governance: Entitlements and Access Reviews
  • PIM and Identity Protection

Domain 3: Microsoft Security Solutions

  • Azure Network Defence: DDoS, Firewall & WAF
  • Azure Infrastructure Security: VNets, NSGs, Bastion & Key Vault
  • Microsoft Defender for Cloud
  • Microsoft Sentinel: SIEM Meets SOAR
  • Defender XDR: The Unified Threat Platform
  • Microsoft Defender for Office 365
  • Microsoft Defender for Endpoint
  • Defender for Cloud Apps & Defender for Identity
  • Vulnerability Management & Threat Intelligence

Domain 4: Microsoft Compliance Solutions

  • Service Trust Portal, Privacy Principles & Microsoft Priva
  • The Purview Portal & Compliance Manager
  • Data Classification & Sensitivity Labels
  • Data Loss Prevention (DLP)
  • Records Management & Retention
  • Insider Risk Management
  • eDiscovery & Audit

Domain 1: Security, Compliance & Identity Concepts Free ⏱ ~10 min read

Zero Trust: Never Trust, Always Verify

The modern security model that assumes breach and verifies everything. Three principles, six pillars — and the exam tests them constantly.

What is Zero Trust?

☕ Simple explanation

Imagine a building where everyone shows ID at every door — not just the front entrance.

The old security model was like a castle with a moat: once you got past the front gate (the corporate firewall), you were trusted everywhere. Walk freely, open any office, access any file.

Zero Trust says: no. Every door checks your ID. Every time. Even if you just walked through the door next to it. Even if you work here. Even if you’ve been here for 20 years.

Why? Because threats come from inside too. A stolen password, a compromised laptop, a disgruntled employee — if they’re already “inside,” the old model can’t stop them.

Zero Trust is a security framework based on the principle that no user, device, or network should be automatically trusted — regardless of their location or previous authentication status.

It replaces the traditional “castle-and-moat” perimeter model with continuous verification at every access point. Instead of trusting everything inside the corporate network, Zero Trust treats every request as if it originates from an untrusted network.

The three core principles

These three principles appear in nearly every security question on the exam:

| Principle | What It Means | Example |
|---|---|---|
| Verify explicitly | Always authenticate and authorise based on all available data points | Check the user’s identity, device health, location, AND the sensitivity of what they’re accessing |
| Use least privilege access | Give only the minimum permissions needed, for only as long as needed | Sam gives Tina “store manager” access, not “global admin.” Elevated access expires after 4 hours. |
| Assume breach | Design systems as if an attacker is already inside | Segment networks, encrypt data, monitor for anomalies, limit blast radius |

💡 Exam tip: recognising Zero Trust principles in questions

The exam often describes a scenario and asks “which Zero Trust principle does this follow?”

Pattern recognition:

  • If the answer involves checking multiple factors before granting access → Verify explicitly
  • If the answer involves limiting permissions or time-bound access → Least privilege
  • If the answer involves monitoring, segmentation, or encryption → Assume breach

Sometimes questions combine principles: “Check device compliance (verify explicitly) and grant read-only access for 2 hours (least privilege).”

Zero Trust vs the old model

Why Zero Trust replaced the traditional model

| Feature | Zero Trust | Traditional (Castle-and-Moat) |
|---|---|---|
| Trust model | Never trust, always verify | Trust everything inside the network |
| Network location | Not a factor in trust decisions | Inside = trusted, outside = untrusted |
| Access control | Least privilege, just-in-time | Broad access once authenticated |
| Verification | Continuous — every request | Once — at the perimeter |
| Breach assumption | Designs for breach from day one | Assumes perimeter will hold |
| Remote work | Works perfectly — location doesn't matter | Requires VPN to 'get inside' |

The six pillars of Zero Trust

Microsoft implements Zero Trust across six areas. Think of each pillar as a door that checks your ID independently:

| Pillar | What It Covers | Microsoft Service |
|---|---|---|
| Identity | Users, service accounts, devices requesting access | Microsoft Entra ID (MFA, Conditional Access) |
| Devices | Device health and compliance | Intune, Defender for Endpoint |
| Applications | App permissions and shadow IT | Defender for Cloud Apps, app consent policies |
| Data | Data classification and protection | Microsoft Purview (labels, DLP, encryption) |
| Infrastructure | Server and cloud resource security | Microsoft Defender for Cloud, secure configurations |
| Network | Network segmentation and monitoring | Azure Firewall, NSGs, Global Secure Access |

💡 Scenario: Sam implements Zero Trust at BrightStar

Sam decides BrightStar Retail needs proper security. Here’s how Zero Trust applies:

  1. Identity: All 50 employees use MFA — even in the store
  2. Devices: Only company-managed tablets and laptops can access inventory data
  3. Applications: Employees can’t install random apps that connect to company data
  4. Data: Customer payment information is encrypted and labelled “Confidential”
  5. Infrastructure: The POS system runs on a separate network segment
  6. Network: Store Wi-Fi for customers is completely isolated from the business network

The result: When a phishing email compromises Tina’s password, MFA blocks the attacker. Even if they bypass MFA, they can only access Tina’s store-manager resources — not the financial system.
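
The Tina scenario and the castle-and-moat comparison above, worked through as an added example (not part of the original guide and not Microsoft code): a toy access decision in Python that applies the three principles on every request. `ROLE_SCOPES`, `GRANT_TTL`, `Request`, `castle_and_moat` and `zero_trust` are hypothetical names, and the requests are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical policy data, constructed for this example.
ROLE_SCOPES = {"store-manager": {"inventory", "rosters"}, "finance": {"ledger"}}
GRANT_TTL = timedelta(hours=4)  # the guide's example: elevated access expires after 4 hours

@dataclass
class Request:
    user: str
    role: str
    mfa_passed: bool
    device_compliant: bool
    on_store_network: bool  # logged, but never used as a reason to trust
    resource: str

def castle_and_moat(req: Request) -> bool:
    """Traditional model: being inside the network is enough."""
    return req.on_store_network

def zero_trust(req: Request, now: datetime):
    """Evaluate one request; returns (allowed, reason, expires_at)."""
    # Verify explicitly: every signal must pass, whatever the network location.
    if not req.mfa_passed:
        return False, "mfa_required", None
    if not req.device_compliant:
        return False, "device_not_compliant", None
    # Least privilege: only the role's own resources, only for a limited time.
    if req.resource not in ROLE_SCOPES.get(req.role, set()):
        # Assume breach: a verified session still cannot leave its scope.
        return False, "outside_role_scope", None
    return True, "granted", now + GRANT_TTL

def run_scenario():
    """Constructed requests modelled on the Tina scenario."""
    now = datetime(2026, 1, 1, 9, 0, tzinfo=timezone.utc)
    stolen_pw = Request("tina", "store-manager", False, False, True, "inventory")
    mfa_bypassed = Request("tina", "store-manager", True, True, True, "ledger")
    legit_remote = Request("tina", "store-manager", True, True, False, "inventory")
    return {
        "old_model_stolen_pw": castle_and_moat(stolen_pw),
        "stolen_pw": zero_trust(stolen_pw, now),
        "mfa_bypassed": zero_trust(mfa_bypassed, now),
        "legit_remote": zero_trust(legit_remote, now),
    }

if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(name, result)
```

The old model admits the stolen password because the request comes from inside the store network; the Zero Trust check refuses it at MFA, and refuses the finance ledger even when MFA and device checks pass.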

Common Zero Trust misconceptions

| Misconception | Reality |
|---|---|
| “Zero Trust means zero access” | No — it means verified access, not no access |
| “It’s a single product you buy” | No — it’s a strategy applied across products and services |
| “It replaces firewalls” | No — firewalls are one layer within Zero Trust (the network pillar) |
| “Only for big enterprises” | No — even a 50-person business like BrightStar can implement it |

Flashcards

Question: What are the three core Zero Trust principles?

Answer: 1) Verify explicitly — always authenticate using all available signals. 2) Use least privilege access — minimum permissions, minimum time. 3) Assume breach — design as if an attacker is already inside.

Question: What are the six pillars of Zero Trust?

Answer: Identity, Devices, Applications, Data, Infrastructure, Networks. Each pillar is an independent checkpoint — securing one doesn't replace securing the others.

Question: How does Zero Trust differ from the traditional castle-and-moat model?

Answer: Traditional: trust everything inside the network. Zero Trust: trust nothing, verify everything — regardless of location. Every request is treated as if it comes from an untrusted network.

Knowledge Check

Select all that apply

Raj at Lakewood University needs to give Professor Chen temporary admin access to set up a new course site. The access should expire automatically after 48 hours. Which TWO Zero Trust principles does this demonstrate? (Select 2)

Knowledge Check

Sam wants to ensure that even if an employee's password is stolen, an attacker cannot access BrightStar's inventory system. Which Zero Trust principle should Sam prioritise?

Guided

I learn, I simplify, I share.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.