Module 0 — Check My Knowledge (15 questions)
1. You are setting up your lab environment. You sign into the Defender XDR portal at security.microsoft.com but see "You don't have permission." You created your M365 E5 tenant 10 minutes ago. What is the most likely cause?
A. (Correct) License propagation delay. E5 license features take 30-60 minutes to activate across all services after tenant creation. Wait and retry.
B. Your account does not have the Global Administrator role
C. The Defender XDR portal is only available in certain regions
D. You need a separate Defender license
Explanation: New M365 E5 tenants require time for all services to provision. The Defender XDR portal, Entra ID Protection features, and advanced hunting capabilities activate asynchronously. 30-60 minutes is normal; up to 4 hours is possible during high-demand periods.
2. The SC-200 exam has four domains. Which domain accounts for the largest percentage of exam questions?
A. Manage a Security Operations Environment (20-25%)
B. Configure Protections and Detections (15-20%)
C. (Correct) Manage Incident Response (25-30%) — nearly a third of the exam focuses on investigation and response. This is why the course dedicates 5 unique modules (11-15) to real-world investigation skills.
D. Manage Security Threats (15-20%)
Explanation: Manage Incident Response is the largest domain at 25-30%. Microsoft places the most weight on your ability to investigate and respond to active threats — not just configure tools. This aligns with the course's emphasis on investigation skills in Modules 11-15.
3. You created your Azure subscription with a different Microsoft account than your M365 tenant. What problem will this cause?
A. (Correct) Sentinel will not be able to connect to your M365 data. The Defender XDR and Entra ID data connectors require the Azure subscription and M365 tenant to share the same Entra ID directory. Using different accounts creates separate directories that cannot see each other's data.
B. Azure will cost more
C. No problem — they connect automatically
D. You cannot create a Log Analytics workspace
Explanation: This is the most common lab setup mistake. The Azure subscription must be associated with the same Entra ID tenant as your M365 environment. If they are separate, Sentinel's data connectors cannot authenticate to M365 services. The fix: transfer the Azure subscription to the correct tenant, or start over with the correct account.
4. You run a KQL query in Sentinel and get zero results, but you connected data connectors 45 minutes ago. What should you check first?
A. The KQL syntax is wrong
B. (Correct) Verify the data connector is actually connected and the specific event tables are selected. Navigate to Data connectors, open the connector page, and confirm the status shows "Connected" with the correct tables enabled. The most common issue is connecting the Defender XDR connector but not selecting the individual event tables.
C. Sentinel is not provisioned correctly
D. The free tier does not support queries
Explanation: Always verify the data pipeline before debugging the query. The connector page shows exactly which tables are enabled and their last event time. If a table shows "Never" for last event, the table is not receiving data — the issue is the connector configuration, not your query.
5. Which M365 licensing tier provides full Defender for Endpoint P2 (device timeline, live response, advanced hunting)?
A. M365 Business Basic
B. M365 Business Premium (provides P1 only)
C. (Correct) M365 E5 — includes Defender for Endpoint P2 with full EDR, device timeline, live response, advanced hunting, and automated investigation.
D. M365 E3
Explanation: E5 provides the complete security stack. E3 includes Defender for Endpoint P1 (basic protection). Business Premium includes P1. Only E5 (or the standalone Defender for Endpoint P2 add-on) provides the full investigation capabilities covered in Module 4.
6. The course recommends building KQL queries incrementally rather than copy-pasting complete queries. Why?
A. (Correct) Incremental building forces you to understand each line's purpose and see how the output changes as you add operators. Copy-pasting a complete query gives you the result but not the understanding. When you face a scenario not covered in the course, you need to construct queries from scratch — and that requires understanding each component.
B. Copy-pasting causes syntax errors
C. Incremental queries run faster
D. The course exercises require it
Explanation: The goal is not to complete the exercise — it is to build the skill. An analyst who can write KQL from scratch is vastly more capable than one who can only modify existing queries. Incremental construction builds that capability.
7. You want to simulate a suspicious sign-in for practice. What should you do in your lab environment?
A. (Correct) Sign in as a test user from a different browser, VPN, or mobile device to create a sign-in from a different IP address and location. This generates the anomalous sign-in patterns (unfamiliar IP, unfamiliar location) that you will learn to detect in Module 1 and investigate in Module 11.
B. Use a brute-force tool against your tenant
C. Modify the SigninLogs table directly
D. Wait for real attacks to occur
Explanation: Lab environments are for controlled experimentation. Signing in from a different network creates legitimate sign-in log entries with different IP and location attributes. Do NOT use attack tools against your tenant — even a developer tenant. Microsoft monitors for abuse and may revoke your subscription.
8. What is the purpose of the Content Hub solutions you installed (M365, Entra ID, Defender XDR, UEBA)?
A. (Correct) They provide pre-built analytics rules, workbooks, and playbooks for your workspace. They do not generate data — they provide the detection logic and visualization templates that you will explore and modify in Modules 7 and 9. Think of them as starter packs that give you working examples to learn from.
B. They generate sample data for testing
C. They connect additional data sources
D. They are required for Sentinel to function
Explanation: Content Hub solutions are packages of pre-built Sentinel content. They include analytics rules (detections), workbooks (dashboards), hunting queries, and playbooks (automation). Module 9 teaches you to build your own analytics rules — the Content Hub solutions give you working examples to study and modify.
9. The course says "Do not study the SC-200 exam domain by domain." Why?
A. (Correct) The domains overlap significantly. An exam question about "responding to an Office 365 alert" (Domain 3) requires understanding Office 365 configuration (Domain 2) and KQL investigation (Domain 1). Studying domains in isolation creates knowledge silos. The course modules build skills progressively across domains.
B. The domains are not important for the exam
C. The exam questions are randomized
D. Each domain is covered by exactly one module
Explanation: Real security operations work crosses all domains simultaneously. An incident investigation requires environment configuration knowledge (Domain 1), understanding of detection rules (Domain 2), investigation methodology (Domain 3), and threat hunting skills (Domain 4). The exam reflects this reality with cross-domain scenario questions.
10. Your lab query returns 5 results where the course Expected Output shows 500. Is your lab broken?
A. (Correct) No. A 6-user lab generates far less data than the 500-user organization in the course's Expected Output examples. The learning is in the query construction and analysis methodology, not in data volume. Your 5 results contain the same fields and patterns as the 500 — analyze them the same way.
B. Yes — reinstall the data connectors
C. You need a production tenant for the exercises
D. The Expected Output is fictional
Explanation: Expected Output blocks show realistic production-scale data to teach you what to look for in a real environment. Your lab data is smaller but structurally identical. The analysis methodology is the same regardless of scale — 5 sign-in events or 5,000, you are looking for the same anomaly patterns.
11. You chose M365 Business Premium instead of E5 due to budget. At which module will you first encounter a limitation?
A. Module 1 — the Defender XDR portal is not available
B. Module 6 — KQL requires E5
C. (Correct) Module 4 (Defender for Endpoint) — Business Premium includes P1 only. The device timeline, live response, and advanced hunting exercises in Module 4 require P2, which is only in E5 or as a standalone add-on.
D. Module 15 — detection engineering is E5 only
Explanation: Business Premium provides enough functionality for Modules 0-3 and 6-8. The P2 features (device timeline, live response, Threat Explorer) required in Modules 1 and 4 are the first meaningful limitation. KQL works with any license level. Sentinel analytics rules work with any license that provides data.
12. The course recommends a study pace of 1-2 hours per day for part-time learners. At that pace, approximately how long will the full course take?
A. 1-2 months
B. (Correct) 10-14 months at 3-4 weeks per module across 16 modules. This is a comprehensive course equivalent to a technical textbook — not a weekend crash course. Consistent daily study produces better retention than intensive weekend sessions.
C. 2-3 years
D. It depends on previous experience only
Explanation: This is a long-form course designed for deep learning. Part-time learners should plan for approximately one year of consistent study. Learners with existing security experience or full-time study availability can complete it faster. The subscription model supports this — monthly access for as long as you need.
13. What is the primary risk of using the M365 E5 30-day trial for your lab?
A. (Correct) The trial automatically converts to a paid subscription on day 31. If you forget to cancel or convert, you are charged $57/month. Set a calendar reminder for day 25 to decide: cancel, start a new trial with a different email, or accept the paid subscription.
B. Limited features during trial
C. Data is deleted after 30 days
D. Trial accounts cannot use Sentinel
Explanation: The trial is fully functional E5 — no feature limitations. The risk is purely financial: auto-conversion to paid at the end of the trial period. All data, configurations, and users persist after conversion. If you plan to study for several months, the paid subscription may be the most convenient option.
14. You connected the Defender XDR data connector but forgot to select the individual event tables. What happens?
A. (Correct) Incidents and alerts flow to Sentinel (the "Connect incidents and alerts" checkbox handles that), but the underlying event tables (DeviceProcessEvents, EmailEvents, etc.) remain empty. You can see incidents in the Sentinel incident queue but cannot run advanced hunting queries against the raw data. Go back to the connector page and select the event tables.
B. No data flows at all
C. All data flows automatically
D. The connector shows an error
Explanation: The Defender XDR connector has two connection points: incidents/alerts (one checkbox) and event tables (individual table selection). Both must be configured. This is the most common reason for empty query results in a lab that appears correctly connected.
15. Why does the course include 5 unique modules (11-15) that are not part of the SC-200 exam objectives?
A. (Correct) The SC-200 exam tests whether you can use the tools. It does not test whether you can investigate a real incident from start to finish, write a CISO report, preserve evidence for legal proceedings, or build detection rules that prevent recurrence. These are the skills that separate a certified analyst from a competent one — and they are what employers actually hire for.
B. They are bonus content for subscribers
C. Microsoft requires them for a partner certification
D. They will be added to the SC-200 exam next year
Explanation: Certifications test tool proficiency. Employers test operational competence. The 5 unique modules bridge that gap — they teach the real-world skills you need on day one in a SOC that no certification exam covers. This is the course's competitive advantage over Microsoft Learn and every other SC-200 resource.