0.2 SC-200 Exam Overview and Study Strategy

45 minutes · Module 0 · Free
Operational Objective
This subsection covers the SC-200 exam overview and study strategy, a core operational skill for security teams working in Microsoft 365 environments. Every concept is demonstrated through practical scenarios from the Northgate Engineering environment.
Deliverable: Working proficiency with the techniques and operational patterns covered in this subsection.
Estimated completion: 25 minutes
Figure 0.2 — Operational workflow from input through documented output (Input → Process → Analyse → Decide → Output).

Figure — SC-200 Exam Overview and Study Strategy, applied to security operations at Northgate Engineering.

SC-200 Exam Overview and Study Strategy

The SC-200 (Microsoft Security Operations Analyst) certification validates your ability to mitigate threats using Microsoft Defender XDR, Microsoft Sentinel, Microsoft Defender for Cloud, and related technologies. This subsection gives you the complete exam structure, every sub-objective within each domain, a concrete study strategy, exam day logistics, and the renewal process.

Exam at a glance

The SC-200 is a proctored exam delivered through Pearson VUE. You can take it at a testing center or online from home (with a webcam, microphone, and a clean desk). The passing score is 700 on a 1000-point scale — this is not a percentage score, so 700 does not mean 70% correct. Microsoft uses a scaled scoring algorithm that accounts for question difficulty, so the number of questions you need to answer correctly varies per exam session.


The exam contains 40-60 questions (the exact number varies) and you have 120 minutes to complete it. Question types include standard multiple choice (select one correct answer), multiple select (select all that apply; these tell you how many to select), drag-and-drop ordering (arrange steps in the correct sequence), and scenario-based case studies (read a multi-paragraph scenario and answer 4-6 questions about it). The exam costs $165 USD (approximately £130) and can be scheduled through the Microsoft Learn credentials portal.

The certification is valid for one year. Renewal requires passing a free online assessment on Microsoft Learn — no exam center visit, no proctoring, no fee. The renewal assessment is open-book and tests whether you are current with recent platform changes. Set a calendar reminder for 11 months after certification to complete renewal before expiration.

The four exam domains

The SC-200 tests four skill areas. The percentage ranges indicate the approximate proportion of questions from each domain. These ranges are not exact — a specific exam session may lean slightly toward one domain — but they represent the general weight distribution.

Domain 1: Manage a Security Operations Environment (20-25%)

This domain tests whether you can set up and maintain the security platforms your SOC operates. It covers the operational infrastructure that must exist before you can detect or investigate anything.

Configure settings in Microsoft Defender XDR. This includes configuring alert and vulnerability notification rules so the right people are notified when critical alerts fire, configuring Defender for Endpoint advanced features (live response, automated investigation, attack disruption, custom network indicators), configuring endpoint rules settings (device groups, automation levels, web content filtering), managing automated investigation and response (AIR) capabilities including understanding the difference between full automation, semi-automation requiring approval, and no automation, and configuring automatic attack disruption including understanding how the AI model correlates cross-product signals to automatically contain attacks.

Manage assets and environments. This includes configuring and managing device groups with appropriate RBAC permissions and automation levels, identifying unmanaged devices using Defender for Endpoint's device discovery, discovering unprotected resources using Defender for Cloud's security recommendations, identifying and remediating devices at risk using Defender Vulnerability Management (TVM), and mitigating risk using Exposure Management which provides a unified view of your organization's attack surface across identities, devices, and cloud resources.

Design and configure a Microsoft Sentinel workspace. This includes planning workspace architecture (single vs. multi-workspace, regional considerations, multi-tenant scenarios), configuring Sentinel roles and Azure RBAC for least-privilege access, and designing data storage including understanding the difference between Analytics logs, Basic logs, and Archive tier, and configuring appropriate retention periods for each log type.

Ingest data sources in Microsoft Sentinel. This includes identifying which data sources to ingest based on detection requirements and cost constraints, implementing Content Hub solutions, configuring Microsoft connectors for Azure resources, planning and configuring Syslog and CEF event collection for third-party devices, planning Windows Security event collection using Data Collection Rules and Windows Event Forwarding, creating custom log tables for non-standard data sources, and monitoring and optimizing data ingestion to control costs.

Course modules covering Domain 1: M1 (Defender XDR platform), M6 (KQL — required for Sentinel), M7 (Sentinel workspace), M8 (Data connectors), M9 (Analytics rules)

Domain 2: Configure Protections and Detections (15-20%)

This domain tests whether you can configure security policies and build detection rules. It bridges the gap between infrastructure setup (Domain 1) and incident response (Domain 3) — the detections you configure here generate the alerts you investigate in Domain 3.

Configure protections in Microsoft Defender security technologies. This includes configuring policies for Defender for Cloud Apps (session policies, access policies, activity policies, file policies, OAuth app policies), configuring policies for Defender for Office 365 (anti-phishing policies, Safe Links, Safe Attachments, anti-spam, anti-malware, preset security policies vs. custom policies), configuring security policies for Defender for Endpoint including attack surface reduction (ASR) rules (which reduce the attack surface by blocking specific behaviors like Office applications spawning child processes or JavaScript/VBScript launching downloaded content), and configuring cloud workload protections in Defender for Cloud (enabling Defender plans for servers, databases, storage, containers, and App Service).

Configure detections in Microsoft Defender XDR. This includes configuring and managing custom detection rules (scheduled KQL queries that generate alerts when conditions are met), managing alerts including tuning (adjusting thresholds), suppression (silencing known false positives), and correlation (linking related alerts), and configuring deception rules which deploy decoy accounts, devices, or files designed to attract and detect attacker activity.

Configure detections in Microsoft Sentinel. This includes classifying and analyzing data using entities (mapping raw log fields to standard entity types like Account, IP, Host, URL), configuring and managing analytics rules across all four types (scheduled rules that run KQL on a timer, NRT rules that run every minute for high-priority detections, Microsoft Security rules that pass through alerts from other products, and anomaly rules that use ML-based behavioral detection), querying data using ASIM (Advanced Security Information Model) parsers that normalize data from different sources into a common schema, and implementing behavioral analytics using UEBA (User and Entity Behavior Analytics) to detect anomalous behavior patterns.

Course modules covering Domain 2: M1 (Defender XDR configuration), M4 (Defender for Cloud protections), M9 (Sentinel analytics rules and detections), M15 (Detection engineering)

Domain 3: Manage Incident Response (25-30%)

This is the largest domain — nearly a third of the exam. It tests whether you can investigate and respond to active threats across every product in the Microsoft security stack. This domain is where your KQL skills, product knowledge, and investigation methodology all come together.

Respond to alerts and incidents in the Microsoft Defender portal. This covers investigation and remediation across every Defender product: investigating threats using Defender for Office 365 including automatic attack disruption for email-based attacks, investigating ransomware and BEC incidents identified by attack disruption, investigating compromised entities identified by Microsoft Purview DLP policies, investigating threats identified by Purview insider risk policies, investigating alerts from Defender for Cloud workload protections, investigating security risks identified by Defender for Cloud Apps, investigating compromised identities in Entra ID, and investigating security alerts from Defender for Identity.

Respond to Defender for Endpoint alerts. This includes investigating device timelines (reading chronological event data to trace attack progression), performing actions on devices including live response sessions and collecting investigation packages, and performing evidence and entity investigation (pivoting from a device to related files, IPs, URLs, and users to determine blast radius).

Investigate Microsoft 365 activities. This includes investigating threats using the unified audit log (the comprehensive record of user and admin activity across M365), investigating using Content Search (searching across mailboxes, SharePoint, and Teams for specific content), and investigating using Microsoft Graph activity logs.

Respond to incidents in Microsoft Sentinel. This includes investigating and remediating incidents within the Sentinel incident queue, creating and configuring automation rules (lightweight no-code logic that runs when incidents are created or updated), creating and configuring playbooks built on Azure Logic Apps for complex automated response workflows, and running playbooks on on-premises resources through hybrid connectivity.

Implement and use Microsoft Security Copilot. This includes creating and using promptbooks (saved sequences of natural-language prompts for standardized investigations), managing sources including plugins and uploaded files, integrating Copilot with Microsoft and third-party connectors, managing permissions and roles, monitoring capacity and cost, identifying threats using Copilot's natural language analysis, and investigating incidents with Copilot-guided workflows.

Course modules covering Domain 3: M1 (Defender XDR investigation), M2 (Defender for Endpoint deep dive), M3 (Purview investigation), M5 (Security Copilot), M9 (Sentinel incident response), M11 (AiTM investigation), M12 (BEC investigation), M13 (Token replay), M14 (IR reporting)

Domain 4: Manage Security Threats (15-20%)

This domain tests proactive threat hunting and security reporting — the activities you perform when you are not responding to active incidents.

Hunt for threats using Defender XDR. This includes identifying threats by writing KQL queries against the Advanced Hunting schema, interpreting threat analytics reports in the Defender portal (Microsoft's curated intelligence about active campaigns and vulnerabilities), and creating custom hunting queries for scenarios specific to your environment.

Hunt for threats using Sentinel. This includes analyzing attack vector coverage using the MITRE ATT&CK matrix (identifying which techniques your detections cover and which have gaps), managing and using threat indicators (ingesting IOCs from threat intelligence feeds and matching them against your data), creating and managing hunts (structured hunting operations with hypotheses and results), creating and monitoring hunting queries, using bookmarks to save interesting findings during hunts for later investigation, retrieving and managing archived log data (querying data that has been moved to cold storage for cost optimization), and creating and managing search jobs (asynchronous queries against large datasets that run in the background).

Create and configure Sentinel workbooks. This includes activating and customizing workbook templates from the Content Hub, creating custom workbooks with KQL-based visualizations for operational dashboards, and configuring visualizations that communicate security posture to different audiences (SOC analysts, management, compliance teams).

Course modules covering Domain 4: M6 (KQL query construction), M9 (analytics rules and MITRE mapping), M10 (threat hunting), M15 (detection engineering and custom queries)

Study strategy

Do not study domain by domain. The exam domains overlap significantly. A question about "responding to an Office 365 alert" (Domain 3) requires you to understand Defender for Office 365 configuration (Domain 2), the Defender XDR portal (Domain 1), and KQL investigation techniques (Domain 4). Studying domains in isolation creates knowledge silos that crumble under scenario-based questioning.

Instead, follow this course's module order. The modules are sequenced to build skills progressively across domains. By the time you reach Module 10 (Detections and Investigations), you have the KQL skills (Module 6), the Sentinel workspace (Module 7), the data connectors (Module 8), and the Defender XDR investigation experience (Module 1) to understand analytics rules in full operational context.

The exam tests scenarios, not recall. You will not see "What is the name of the Sentinel table that stores sign-in logs?" You will see "A user reports they cannot access their email. You investigate and find a sign-in from an unfamiliar IP address 30 minutes before the user was locked out. The sign-in shows MFA satisfied but the authentication method was a new FIDO2 key the user does not recognize. What should you investigate next?" The answer requires you to understand sign-in log fields, MFA registration events, token replay mechanics, and the investigation workflow — not a single memorized fact.

This is why every Check My Knowledge section in this course uses scenario-based questions. You build the ability to reason through unfamiliar situations by practicing with scenarios that require multi-step analysis, not by memorizing facts that might not appear on your specific exam session.

Recommended study schedule for part-time learners (8-12 weeks to exam readiness for Modules 0-10):

Weeks 1-2: Complete Module 0 (lab setup) and Module 6 (KQL fundamentals). Run every query. Build the muscle memory for KQL syntax.

Weeks 3-4: Complete Module 1 (Defender XDR). Practice the triage workflow. Write cross-product correlation queries.

Weeks 5-6: Complete Modules 7 and 8 (Sentinel workspace and data connectors). Configure your lab workspace with multiple data sources.

Weeks 7-8: Complete Module 10 (detections and investigations). Build analytics rules. Create automation rules. Test a playbook.

Weeks 9-10: Complete Modules 2-5 (MDE, Purview, Defender for Cloud, Security Copilot). These modules cover the remaining exam objectives.

Week 11: Complete Module 11 (threat hunting). Practice hunting queries and bookmark management.

Week 12: Review. Take the free Microsoft practice assessment. Re-read the Check My Knowledge sections for any modules where you scored below 80%. Schedule and take the exam.

SC-200 exam callouts appear throughout the course. When a subsection covers a specific exam objective, you will see a callout box identifying the domain, the specific skill measured, and cross-references to related content in other modules. These callouts help you connect course content to exam expectations without needing to separately study the skills measured document.

Practice with the free Microsoft assessment. Microsoft offers a free practice assessment for SC-200 at learn.microsoft.com. Take it before you start the course (to establish your baseline and identify knowledge gaps) and again after Module 11 (to measure progress and identify remaining weak areas). The practice assessment uses the same question formats as the real exam and provides explanations for correct answers.

Do not rely on brain dumps or question databases from third-party sites. They test memorization of specific questions that may no longer appear on the current exam version. They also violate Microsoft's terms of service and can result in certification revocation. The SC-200 exam updates its question pool regularly — the questions you memorize from a dump may not appear on your exam session, and even if they do, understanding why an answer is correct is more valuable than recognizing a question you have seen before.

Exam day logistics

Online proctored exam. If taking the exam from home, you need a stable internet connection, a webcam and microphone, a clean desk with nothing on it except your computer, and a closed room with no other people. The proctor will ask you to show your room via webcam before the exam starts. You cannot have notes, books, phones, or second monitors visible. The online experience is identical to the testing center experience in terms of questions and scoring.

Testing center exam. You arrive 15 minutes early, present government-issued ID, store all personal items in a locker, and are escorted to a workstation. The testing center provides scratch paper or a whiteboard for notes during the exam.

During the exam. You can flag questions for review and return to them before submitting. For case study sections, read the entire scenario before answering any questions — the context builds across the questions. If you are unsure about an answer, eliminate obviously wrong options first. Microsoft exam questions often have one clearly wrong answer, one partially correct answer, and two plausible answers — the difference between the two plausible answers is usually a specific technical detail that the course covers.

Time management. With 40-60 questions in 120 minutes, you have approximately 2-3 minutes per question. Single-answer multiple choice should take 30-60 seconds. Scenario-based case studies require 5-10 minutes for the scenario plus 1-2 minutes per question. If you are spending more than 3 minutes on a single non-case-study question, flag it and move on — you can return after completing easier questions.

After the exam

Results are available immediately after submission. If you pass, the certification appears in your Microsoft Learn profile within 24 hours. You receive a digital badge through Credly that you can share on LinkedIn. The certification title is "Microsoft Certified: Security Operations Analyst Associate."

If you do not pass, the score report shows your performance in each domain. Focus your restudy on the domains where you scored lowest. You can retake the exam after 24 hours for the first retry, and after 14 days for subsequent retries, with a maximum of five attempts per year on the same exam.

Renewal

The SC-200 certification expires one year after you earn it. Approximately six months before expiration, Microsoft sends a renewal notification to your registered email. The renewal assessment is free, online, open-book, and unproctored. It contains approximately 25 questions focused on features and capabilities that have changed since your last certification or renewal. You can take it as many times as needed until you pass. There is no penalty for failed attempts and no waiting period between attempts.

Set a calendar reminder now for 11 months after your expected certification date. Renewal takes 30-45 minutes if you have stayed current with the platform. If you have been using the tools daily in your SOC work, the renewal assessment is straightforward.

Compliance Myth: "The Secure Score tells you how secure you are"

The myth: The Secure Score tells you how secure you are

The reality: Secure Score measures configuration compliance against Microsoft's recommended settings. It does not measure: whether your detection rules catch real attacks, whether your SOC can investigate an incident, whether your users recognize phishing, or whether your IR plan works under pressure. A tenant with a 95% Secure Score and no SOC is less secure than a tenant with a 70% Secure Score and a trained, practiced incident response team. Score is hygiene. Capability is security.

The SC-200 exam allocates 25-30% of its weight to "Manage Incident Response." Your study plan dedicates 30% of time to this domain. However, you have never triaged a real alert in Defender XDR. What is the gap in your study plan?

  • No gap — the exam tests knowledge, not hands-on skill. Studying documentation is sufficient.
  • The exam includes scenario-based questions that require you to interpret investigation outputs — sign-in logs, alert timelines, process trees — and choose the correct next step. Without hands-on practice, you will recognize the correct answer from documentation but struggle with scenarios where multiple options look plausible. Set up the M365 developer tenant (Module 0.4), generate sample data, and practice investigation workflows in the Defender portal alongside your documentation study.
  • Increase the study allocation to 40% for incident response.
  • Focus on the other domains first — incident response is the easiest section.
Decision point

You manage NE's M365 security stack. Microsoft releases a new Defender feature in preview. The feature promises to reduce AiTM risk by 80%. Do you enable it immediately?

Not in production. Enable it in a test tenant or for a pilot group first. Preview features may change behavior before GA, have undocumented interactions with existing Conditional Access (CA) policies, or produce unexpected results in specific tenant configurations. The deployment sequence: (1) enable in a test tenant and validate against NE's CA policy set, (2) enable for a pilot group of 10 users for 2 weeks, (3) monitor for false positives and operational impact, (4) roll out to all users after a successful pilot. Microsoft's '80% reduction' claim is based on their telemetry across all tenants; NE's specific configuration may produce different results.

Try it: Assess your current knowledge

Without looking at the course content, list the 5 SC-200 exam domains from memory. For each domain, rate your confidence from 1 (no experience) to 5 (could teach it). The domains you rate 1-2 are your priority modules. The domains you rate 4-5 are review modules. This self-assessment takes 3 minutes and creates a personalised study plan.

You've set up your M365 tenant and learned the Defender XDR unified portal.

Module 0 got your M365 developer tenant configured with sample data. Module 1 took you through the Defender XDR unified incident queue across endpoint, email, identity, and cloud apps. Now you investigate every major M365 attack type and deploy the detections that catch them next time.

  • 15 investigation and configuration modules — Defender for Endpoint, Purview, Defender for Cloud, Security Copilot, Sentinel workspace design, log ingestion, analytics rules, and threat hunting
  • 5 named attack investigations — AiTM credential phishing, BEC and financial fraud, consent phishing and OAuth grant abuse, token replay and session hijacking, insider threat
  • KQL from fundamentals through advanced hunting — dedicated modules on query language, cross-table joins, statistical analysis, and threat hunting queries
  • SC-200 exam objectives fully covered — every module maps to the January 2026 SC-200 update. The certification is the side effect of operational competence, not the goal
  • Production artefacts per module — detection rules, investigation playbooks, and hardening checklists you deploy to your own tenant