Photo by @hcmorr /

Thoughts on passing the SC-200 security certification exam

Thanks for reading my blog! If you have any questions or need a second opinion with anything Microsoft Azure or Power Platform related, don't hesitate to contact me. I'm happy to provide my professional services through my company, North Advisors.

These days, Microsoft has produced plenty of certifications and exams to earn them. I’ve lost count but having done several dozen exams, and I feel it’s simply a side hobby at this point. I’ve written how I prepare for a certification exam, and this is still my good approach.

In 2021, I’ve delivered trainings frequently – perhaps not weekly, but at least biweekly for the better portion of the year. I’ve ramped up on new training, such as preparing for all Power Platform certifications (PL-900, PL-100, PL-200, PL-400, PL-600, respectively) and many Azure certifications. As a reminder, you can see the up-to-date poster for all Microsoft certifications here.

The security-related certification exam, AZ-500, MS-500, and the SC-900/200/300/400 are all near and dear to my heart. I haven’t had the time to complete all of these, so I set out to do the SC-200 this week. The Security Operations Analyst exam focuses on Microsoft Defender, Azure Defender, and Azure Sentinel.

I prepared dutifully. Having done all the labs (which you can find here), I spent a few evenings deploying the numerous Defender products and services. I’m reasonably familiar with KQL and Azure Sentinel, so I opted not to spend any time on those for now.

I booked the exam for noon, as that’s when I have peak energy usually. Unfortunately, a few meetings ran over, so I had to rush into my exam appointment. It’s remotely proctored, but I cannot use my home office as I have too many displays bolted on my table. The living room is spacious but often has other family members working or relaxing, so that’s also a no-no. I did try my bedroom once, but the person delivering the exam told me to flat out that it isn’t a secure enough place. So, my only option at home is to do the exam on my balcony. Lovely views and all, but this time of the year, it gets reasonably cold, too.

The exam is divided between the three focus areas relatively evenly. Microsoft Defender being the most important here, perhaps.

I had 33 questions and two case studies in my exam. You are given 2 hours to complete them all. And as usual, once you’ve submitted the case study answers, you cannot revisit those any longer.

Overall, the exam was slightly challenging but not super difficult. The majority of the questions were super clean and relevant. A few questions included stuff you should memorize: when querying using KQL for managed devices and figuring out what to filter out from the query. I didn’t have any super simple questions, such as “You need to identify security threats rapidly. Do you use Azure Sentinel?

For Azure Sentinel, many of the questions expected you to know the terms and features well. When do you use a Workbook, and when do you use a Playbook? If you haven’t used either of those, it’s hard to recall which was which. Beyond this, Azure Sentinel was mostly around KQL and the fundamental features.

For Azure Defender, I recall the focus being on configuration rather than monitoring and incidents. Fair enough.

I spent exactly 1 hour on the exam and passed. I was relieved and not surprised as I was confined throughout I had enough experience with the services. My weakest category was Microsoft Defender, especially for Endpoints, which I’ve worked the least in the past few years.

I can recommend the exam – especially if you want to focus more on the operational side of Azure and Microsoft 365 security!