Insights on preparing for the Microsoft Certified: Cybersecurity Architect Expert (SC-100) certification

Photo by @punttim /

Last Thursday, the 7th of April, the new Microsoft Cybersecurity Architect Expert (SC-100) certification was made available in beta. If you’re in a hurry, do yourself a favor and sign up for the exam here. Me and my colleague Antti Kujamäki did the test during the last few days to test our knowledge while the exam is in beta. So I wanted to outline a bit about the preparation process here, which applies more generally to other Microsoft certification exams as well.


Unfortunately, we can’t disclose exactly what was asked in the SC-100 test, but we can say it wasn’t that different compared to other Microsoft Security area certifications (such as the SC-200 and SC-300).


Usually, beta exams are slightly more challenging. This was true this time as well. You get more questions, and since a result of fail or pass is not immediately available, it’s a bit more stressful as you don’t know how well you did. The slight agony of waiting for a few weeks for the results to land is worth it. You get exposed to the exam in a more raw form, and I feel this gives you more insights into how the finalized exam will appear. I’m always curious to see what the balance is, where do I get the most questions, and what will be the most challenging portions of the exam. Some previous beta exams had accurate simulations, where you had an hour to configure something in a real Azure environment. 


To prepare for this exam, we first dissected the knowledge areas from the source, and you can view the document here. The main topics are Zero Trust (strategy design & architecture), Governance Risk Compliance, Infrastructure security (design), and data & applications security (design).

I like to go through each portion separately to mentally focus on just one given category of knowledge and phase out the others. I separate my preparation for individual days, but I’m not planning to use full days for practice.


Today, there are no official labs; all learning mostly happens via Microsoft Docs, Microsoft Learn, and community blogs and content. Initially, my rudimentary approach was to find a single page for each sub-topic from Microsoft Docs. Thus, under Zero Trust, one of the sub-topics is about Microsoft Cybersecurity Reference Architecture (MCRA); I then know I have to open and do a deep dive through all of that. And so on for all other topics. I’m intimately familiar with some cases, I can mostly skip those, and I need to invest the time and energy for others.


Next, as I’m going through all these topics, I mark (usually in a modern way by using Notepad++) the areas where I feel weak. That’s my list of things I have to work on in a lab. Reading through content and technical docs is best when you more or less know your surroundings. But for things and features you have less experience with, I feel building a quick lab setup is the best way to internalize new concepts and more complex architecture deployments. As you run into trouble while doing this – especially with beta exams where many things are not new for you – it’s crucial to invest the sweat and tears into fixing the setup and keeping it consistent. This usually takes the longest time, but it allows me to skim through many docs rather than read and memorize them line-by-line.


Finally, I do a recap of everything. I dutifully check through each resource once more. It’s more of a mental thing. My partner has sometimes sat next to me on the sofa during an evening of preparing, and she asked me if I read as fast as I scroll through the pages. No, no, I don’t. It’s a way for me to visualize the entirety of the content – and during the exam, I often imagine the visualization in my head to try to bring back the details and specific points. It sounds as if I have a photographic memory – which I do not – but I like to think this last task also brings me peace and harmony – “I know enough now.”

The results are in for the Microsoft Cybersecurity Architect (SC-100) exam!

Security Architect as a Service