AZ-500 vs SC-200 vs SC-300: Microsoft Security Certifications Compared 2026
AZ-500, SC-200, and SC-300 are the three Microsoft security certifications people compare most often. AZ-500 retires on August 31, 2026, while SC-200 and SC-300 have newer skills outlines. This guide breaks down what each exam covers, who it is for, and which order to study them in.

Video transcript
You've just landed a cloud security role at a mid-size company, and your manager asks: which Microsoft cert do you need first? AZ-500, SC-200, or SC-300? Here's the thing: most people guess wrong, and it costs them months of wasted study time. Getting this choice wrong means you're either overqualified for what you're studying or you're missing foundational knowledge you'll desperately need on day one. When you walk into a SIEM dashboard or need to configure MFA across Azure, you need to know exactly where to start. One wrong turn in your certification path, and you're rebuilding from scratch. AZ-500 is your Azure infrastructure security foundation. Think of it like learning to build a secure house: you need to understand the walls, doors, and locks before you can install alarm systems. This cert teaches IAM, network security, and encryption at the Azure platform level. SC-200 is the threat hunter's toolbox. Imagine having a detective who can read logs across your entire environment and spot the intruder everyone else missed. This exam focuses on SIEM platforms, log analysis, and threat investigation using real Microsoft tools. SC-300 is your identity architect's license. If AZ-500 builds the house and SC-200 watches it, SC-300 designs the door locks, access tokens, and zero trust policies that keep everyone out or in the right spaces. It's all about IAM and conditional access. Start with AZ-500 if you're new to cloud. Then move to SC-200 if you want to hunt threats, or SC-300 if identity and access fascinate you more. Read the complete guide at protego.me.
Three Certs, One Common Question
Most people studying Microsoft security eventually stare at the same fork in the road: AZ-500, SC-200, or SC-300. They all say "security" on the label. They all sit in the same Microsoft Learn catalog. And the exam descriptions sound just similar enough to be confusing.
Here is the honest breakdown: they cover completely different disciplines, aimed at completely different roles. The right cert depends on whether you are a cloud engineer, a SOC analyst, or an identity architect, and in many cases, you will eventually want all three.
Status note, June 2026: AZ-500 is scheduled to retire on August 31, 2026 at 11:59 PM Central Standard Time. SC-200 was refreshed for skills measured as of April 16, 2026, and SC-300's current guide puts more emphasis on workload identities than many older courses. Always check the Microsoft Learn study guide before booking an exam.
If you want the deeper version with domain tables, overlap mapping, and study strategy, use the full [AZ-500 vs SC-200 vs SC-300 comparison guide](/blog/az-500-sc-200-sc-300-azure-security-certs-comparison). This page is the quick decision version.
The One-Sentence Summary of Each
AZ-500 (Microsoft Azure Security Technologies) is for cloud security engineers who configure and harden Azure infrastructure: firewalls, Key Vault, RBAC, Defender for Cloud, network security groups.
SC-200 (Microsoft Security Operations Analyst) is for SOC analysts who investigate alerts, run threat hunts, and build detections in Microsoft Sentinel and Defender XDR.
SC-300 (Microsoft Identity and Access Administrator) is for identity architects who design and implement Entra ID: Conditional Access, PIM, app registrations, B2B, and hybrid identity.
AZ-500: Microsoft Azure Security Technologies
Who It Is For
AZ-500 is the exam for anyone whose job involves making Azure configurations secure: cloud security engineers, Azure architects, and DevSecOps engineers who want a credential that validates their hands-on Azure security skills.
If you spend your day setting up Private Endpoints, configuring Defender for Cloud policies, managing Key Vault access, or writing Azure Policy definitions: AZ-500 is your exam.
What the Exam Covers
The exam is divided into four domains:
1. Secure identity and access (15-20%): Managing Azure roles, Microsoft Entra application access, PIM for Azure resources, and managed identities. This overlaps with SC-300 but goes less deep on identity governance and more into Azure resource access.
2. Secure Networking (20–25%): Network Security Groups, Azure Firewall, DDoS Protection, Private Endpoints, VNet peering security, and WAF configuration. This is the most Azure-specific domain.
3. Secure Compute, Storage, and Databases (20–25%): Disk encryption, Storage Account security (SAS tokens, firewalls, versioning), container security (ACR, AKS pod policies), and SQL/Cosmos DB encryption.
4. Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel (30-35%): Defender for Cloud posture and workload protection, Microsoft Sentinel basics, Key Vault monitoring, and Log Analytics. Note: Sentinel content here is much lighter than SC-200.
Difficulty
AZ-500 is considered moderately difficult. It requires hands-on Azure experience: you cannot pass by memorizing documentation. Microsoft regularly updates the exam to reflect service changes, so study materials from 2023 may already be outdated.
Recommended prerequisites: at least 6 months of hands-on Azure work. AZ-104 (Azure Administrator) first is strongly recommended but not required.
Pass score: 700/1000. Average first-attempt pass rate is around 55–65%.
SC-200: Microsoft Security Operations Analyst
Who It Is For
SC-200 is the exam for security operations center (SOC) analysts, incident responders, and threat hunters who work in Microsoft's security platforms. If your day involves triaging Sentinel incidents, writing KQL detection rules, investigating Defender for Endpoint alerts, or building playbooks: SC-200 validates that work.
It is also increasingly valuable for cloud security engineers who want to prove they can operate the detection and response side of the Microsoft stack, not just configure it.
What the Exam Covers
1. Manage a security operations environment (40-45%): Configure automation for Microsoft Defender XDR and Microsoft Sentinel, manage Sentinel platform settings, ingest data, configure detections, and tune alerting.
2. Respond to security incidents (35-40%): Investigate and remediate incidents across Defender XDR, Defender for Endpoint, Microsoft Sentinel, Microsoft Purview, Microsoft Entra ID, and Defender for Cloud workload protections.
3. Perform threat hunting (20-25%): Write KQL, choose the correct advanced hunting tables, use Sentinel Graph, create hunting queries, and investigate relationships between entities.
Difficulty
SC-200 is often described as the hardest of the three because KQL proficiency is effectively required, not optional. You need to be able to write queries from scratch in the exam scenario questions, not just read them.
Pass score: 700/1000. Strongly recommended: 6+ months in a SOC or working with Sentinel/Defender XDR. The SC-900 (Security Fundamentals) is a helpful but not required stepping stone.
KQL Is Not Optional
A common mistake is treating SC-200 like a conceptual exam. The case study and lab sections require you to write working KQL. At minimum, know these patterns before the exam:
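The two KQL queries that follow are the patterns to know. As an added cross-check that is not part of the article and not Microsoft's code, the same logic is re-implemented here in plain Python over constructed sample rows (hostnames, users, timestamps and placeholder payloads are all made up for the example; only the column names follow the DeviceProcessEvents and SigninLogs tables). Running it makes two exam-relevant details explicit that the queries hide: `=~` and `contains` are case-insensitive, so `-encodedcommand` still matches but `pwsh.exe` does not, and `bin()` floors each timestamp so a burst split across two hours never reaches the threshold.

```python
# Added example (not from the article or from Microsoft): the two KQL patterns
# re-implemented in plain Python over constructed sample rows, so the matching
# and aggregation semantics can be checked offline.
from collections import Counter
from datetime import datetime, timedelta

# Constructed stand-in for DeviceProcessEvents. Encoded payloads are placeholders.
DEVICE_PROCESS_EVENTS = [
    {"Timestamp": datetime(2026, 6, 1, 9, 0), "DeviceName": "ws-01",
     "FileName": "PowerShell.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "PowerShell.exe -NoProfile -EncodedCommand <base64-placeholder>"},
    {"Timestamp": datetime(2026, 6, 1, 9, 5), "DeviceName": "ws-02",
     "FileName": "powershell.exe", "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"Timestamp": datetime(2026, 6, 1, 9, 7), "DeviceName": "ws-03",
     "FileName": "pwsh.exe", "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": "pwsh.exe -EncodedCommand <base64-placeholder>"},
    {"Timestamp": datetime(2026, 6, 1, 10, 30), "DeviceName": "ws-01",
     "FileName": "powershell.exe", "InitiatingProcessFileName": "winword.exe",
     "ProcessCommandLine": "powershell.exe -w hidden -encodedcommand <base64-placeholder>"},
]


def suspicious_powershell(events):
    """Mirror of the first query. KQL `=~` is case-insensitive equality and
    `contains` is a case-insensitive substring match, so both sides are lowered.
    The pwsh.exe row is deliberately NOT matched, exactly as the KQL misses it:
    a tuning point worth knowing for the exam."""
    hits = [
        e for e in events
        if e["FileName"].lower() == "powershell.exe"
        and "-encodedcommand" in e["ProcessCommandLine"].lower()
    ]
    hits.sort(key=lambda e: e["Timestamp"], reverse=True)   # | order by Timestamp desc
    columns = ("Timestamp", "DeviceName", "InitiatingProcessFileName", "ProcessCommandLine")
    return [{c: e[c] for c in columns} for e in hits]        # | project ...


def bin_time(moment, size):
    """Equivalent of KQL bin(): floor `moment` down to a multiple of `size`."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((moment - epoch) // size) * size


def failed_signin_spike(signins, threshold=10, bin_size=timedelta(hours=1)):
    """Mirror of the second query: count rows whose ResultType is not "0"
    (success) per user and per time bin, keep buckets strictly above threshold."""
    counts = Counter()
    for s in signins:
        if s["ResultType"] != "0":
            bucket = bin_time(s["TimeGenerated"], bin_size)
            counts[(s["UserPrincipalName"], bucket)] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def _build_signin_logs():
    """Constructed SigninLogs rows: alice has 12 failures inside one hour,
    bob has 12 failures split 5/7 across two hours, carol has 11 successes."""
    rows = []
    base = datetime(2026, 6, 1, 14, 0)
    for i in range(12):
        rows.append({"TimeGenerated": base + timedelta(minutes=4 * i),
                     "UserPrincipalName": "alice@contoso.example",
                     "ResultType": "50126"})   # invalid username or password
    for i in range(12):
        shift = timedelta(minutes=5 * i) if i < 5 else timedelta(hours=1, minutes=5 * (i - 5))
        rows.append({"TimeGenerated": base + shift,
                     "UserPrincipalName": "bob@contoso.example",
                     "ResultType": "50126"})
    for i in range(11):
        rows.append({"TimeGenerated": base + timedelta(minutes=5 * i),
                     "UserPrincipalName": "carol@contoso.example",
                     "ResultType": "0"})
    return rows


SIGNIN_LOGS = _build_signin_logs()

if __name__ == "__main__":
    for hit in suspicious_powershell(DEVICE_PROCESS_EVENTS):
        print("encoded PowerShell:", hit["DeviceName"], "spawned by", hit["InitiatingProcessFileName"])
    for (user, bucket), n in failed_signin_spike(SIGNIN_LOGS).items():
        print(f"failed sign-in spike: {user} in the {bucket:%H:%M} bin, {n} failures")
```

Only alice is reported: bob's 12 failures fall 5 and 7 into adjacent hourly bins, which is the classic way a fixed-bin threshold under-counts a burst straddling a boundary, and carol's rows are all successes. Lowering the threshold to 4 surfaces bob's two buckets as well, which is the kind of tuning question the exam scenarios turn on.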
```kql
// Search for suspicious process creation
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine contains "-EncodedCommand"
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine
| order by Timestamp desc

// Failed sign-in spike
SigninLogs
| where ResultType != "0"
| summarize FailedAttempts = count() by UserPrincipalName, bin(TimeGenerated, 1h)
| where FailedAttempts > 10
```
SC-300: Microsoft Identity and Access Administrator
Who It Is For
SC-300 is for identity engineers, IAM architects, and anyone who manages Microsoft Entra ID in a production environment. If your work involves designing Conditional Access policies, implementing PIM governance, configuring app registrations, or managing hybrid identity with Entra Connect: SC-300 is your exam.
It is also increasingly required for security architects who need to prove they can design zero trust identity models, not just configure the firewall.
What the Exam Covers
1. Implement and manage user identities (20–25%): Creating and managing Entra ID users, groups, external identities (B2B, B2C), bulk operations, and HR-driven provisioning.
2. Implement authentication and access management (25–30%): MFA methods, password policies, SSPR, Conditional Access policies, authentication strengths, and Continuous Access Evaluation. This is the deepest Conditional Access coverage of any Microsoft exam.
3. Plan and implement workload identities (20-25%): Service principals, managed identities, application permissions, app registration credential hygiene, and federated identity credentials.
4. Plan and automate identity governance (20-25%): Entra ID Governance, Privileged Identity Management (PIM), access reviews, entitlement management, and lifecycle workflows. This domain tests real-world design scenarios, not just button clicks.
Difficulty
SC-300 is moderately difficult. It has fewer "trick" technical gotchas than AZ-500 and requires less hands-on scripting than SC-200, but the scenario-based questions on identity governance design are genuinely hard. Understanding the why behind Conditional Access policy design is more important than memorizing the settings.
Pass score: 700/1000. Recommended: 12+ months working with Entra ID in production. AZ-104 or SC-900 is a useful foundation.
Side-by-Side Comparison
| | AZ-500 | SC-200 | SC-300 |
|---|---|---|---|
| **Primary role** | Cloud security engineer | SOC analyst / threat hunter | Identity architect / IAM admin |
| **Core platform** | Azure infrastructure | Microsoft Sentinel, Defender XDR | Microsoft Entra ID |
| **Hardest skill tested** | Azure network security | KQL writing | CA policy design |
| **Hands-on labs in exam?** | Sometimes | Yes (case studies) | Sometimes |
| **Recommended prior exp.** | 6+ mo Azure | 6+ mo SOC / Sentinel | 12+ mo Entra ID |
| **Overlap with others** | Light Sentinel, Entra basics | Light Defender for Cloud | Light RBAC |
| **Renewal frequency** | Every 1 year | Every 1 year | Every 1 year |
| **Cost** | Check Microsoft Learn | Check Microsoft Learn | Check Microsoft Learn |
Which One Should You Take First?
Take AZ-500 first if:
You are a cloud engineer or DevOps engineer moving into security. You work hands-on with Azure infrastructure and want to prove you can lock it down. AZ-500 validates the defensive configuration skills that the other two exams assume you have.
Suggested path: AZ-104 → AZ-500 → then SC-200 or SC-300 depending on your specialization.
Take SC-200 first if:
You already work in a SOC or with Microsoft Sentinel and Defender XDR. You want a certification that reflects what you actually do every day. SC-200 has the strongest salary correlation in Microsoft job postings for security analyst roles.
Suggested path: SC-900 (optional) → SC-200 → AZ-500 for the infrastructure context.
Take SC-300 first if:
You are an identity administrator or work primarily in Entra ID. Your organization is implementing zero trust and you own the identity pillar. SC-300 is the credential most IAM architects get early in their Microsoft career.
Suggested path: AZ-104 or SC-900 → SC-300 → SC-200 for detection skills.
The Microsoft Security Expert Path
If you want the highest-level Microsoft security credential, note first that each of the three exams earns its own associate-level certification independently: Microsoft Certified: Security Operations Analyst Associate (SC-200), Microsoft Certified: Identity and Access Administrator Associate (SC-300), and Microsoft Certified: Azure Security Engineer Associate (AZ-500).
There is no single "CISSP equivalent" in the Microsoft stack: the expert-level role is Microsoft Certified: Cybersecurity Architect Expert (SC-100), which requires one of AZ-500, SC-200, or SC-300 as a prerequisite before you sit the SC-100 exam itself, a fourth exam focused on security architecture.
If you are serious about a Microsoft security career, the realistic sequence is:
- AZ-104 (admin foundations)
- AZ-500 (cloud security infrastructure)
- SC-300 (identity architecture)
- SC-200 (SOC and detection)
- SC-100 (security architect: expert level)
Each exam builds directly on skills from the previous one. The SC-100 scenario questions explicitly test whether you can synthesize knowledge from all four domains.
Study Resources
AZ-500: John Savill's AZ-500 study playlist on YouTube (free), the Microsoft Learn AZ-500 learning path, and Pluralsight's AZ-500 course by Tim Warner are the top choices.
SC-200: The Microsoft Learn SC-200 path is excellent and includes interactive Sentinel lab exercises. KQL Cafe (kqlcafe.com) is essential for KQL practice. Rod Trent's "Must Learn KQL" series covers the query patterns tested on the exam.
SC-300: Microsoft Learn SC-300 path covers all domains. The hands-on Entra ID lab exercises on the Microsoft Learning portal are more valuable than any third-party course for this exam.
For all three: use practice exams from MeasureUp (Microsoft's official partner) rather than braindumps. Braindumps are unreliable since Microsoft refreshes exam questions frequently, and the scenario-based questions cannot be memorized anyway.
Bottom Line
AZ-500 is the infrastructure security exam. SC-200 is the detection and response exam. SC-300 is the identity exam. They complement rather than replace each other, and the Microsoft security job market increasingly rewards holding two or three of them.
Start with the one that maps to your current role, use Microsoft Learn as your primary study resource, and treat the hands-on labs as non-optional preparation.
Frequently Asked Questions
What is the difference between AZ-500, SC-200, and SC-300?
AZ-500 covers Azure infrastructure security including network controls, key management, and Defender for Cloud. SC-200 is the Security Operations Analyst exam focused on Microsoft Sentinel, Defender XDR, and KQL-based threat detection. SC-300 is the Identity and Access Administrator exam covering Entra ID, Conditional Access, PIM, and Entitlement Management. Each exam certifies a different security role within the Microsoft ecosystem.
Is AZ-500 retiring in 2026?
Yes. AZ-500 is scheduled to retire on August 31, 2026. Microsoft plans to replace it with AZ-5002, which has a narrower scope. If you want the AZ-500 credential, schedule your exam before the retirement date. SC-200 and SC-300 have updated skills outlines but are not being retired.
Which exam is hardest: AZ-500, SC-200, or SC-300?
Community data consistently shows AZ-500 has the lowest first-attempt pass rate (55-65%) because it covers the widest range of domains. An engineer strong in identity may struggle with networking controls, and vice versa. SC-200 is technically demanding because of KQL, but its scope is narrower. SC-300 has the highest pass rate (65-75%) for engineers who manage Entra ID daily.
How long does it take to study for each Microsoft security exam?
Typical study times for candidates with no prior Microsoft certifications: AZ-500 requires 100-140 hours, SC-200 requires 80-120 hours, and SC-300 requires 80-110 hours. Engineers who already work daily in the relevant product (Sentinel for SC-200, Entra ID for SC-300) typically study at the lower end of those ranges because the content reinforces existing knowledge.
Do Microsoft security certifications require annual renewal?
Yes. All three certifications require free online renewal assessments taken through Microsoft Learn, available starting 180 days before the certification expiration date. The renewal assessment reflects the current exam blueprint and must be completed before the expiration date. Failure to renew causes the certification to lapse, requiring a full proctored exam to recertify.
Microsoft Cloud Solution Architect
Cloud Solution Architect with deep expertise in Microsoft Azure and a strong background in systems and IT infrastructure. Passionate about cloud technologies, security best practices, and helping organizations modernize their infrastructure.