Microsoft Security (SC-900): The Essential Cert for IT Support Staff

Security is no longer the sole domain of cybersecurity specialists. In 2025, every IT support professional needs foundational security knowledge to protect their organisation from increasingly sophisticated threats. The Microsoft Security, Compliance, and Identity Fundamentals (SC-900) certification validates exactly this knowledge, and it's becoming essential for anyone working in frontline IT roles.

Why do IT support staff need security knowledge in 2025?

Every IT support role now involves security responsibilities. The days of "just fixing computers" are over. Modern IT support staff handle password resets, manage user access, troubleshoot authentication issues, and respond to suspicious activity reports. Each of these tasks touches identity and security directly.

New Zealand lost an estimated $1.6 billion to cyber threats in 2024, according to the National Cyber Security Centre. Over 830,000 Kiwis suffered financial losses from online attacks, with the average loss per incident reaching $1,260. The NCSC's Q1 2025 report recorded $7.8 million in direct financial losses from cybercrime, a 14.7% increase from the previous quarter.

Help desk staff are often the first to encounter these threats. When an employee reports a suspicious email or notices unusual account behaviour, IT support responds first. Without proper security training, these frontline responders become a vulnerability rather than a defence.

What does the SC-900 certification cover?

SC-900 validates foundational understanding of security, compliance, and identity across Microsoft cloud services. The certification covers four key domains that align directly with the daily responsibilities of IT support professionals.

The exam structure breaks down as follows:

  • Security, compliance, and identity concepts (10-15%)

  • Microsoft Entra capabilities (25-30%)

  • Microsoft security solutions (35-40%)

  • Microsoft compliance solutions (20-25%)

Microsoft designed this certification specifically for people who aren't security specialists but need to understand how security works in modern cloud environments. IT administrators, service desk analysts, business analysts, and support technicians all benefit from this foundational knowledge.

The exam consists of 40-60 questions and must be completed within 45 minutes. A passing score of 700 (on a scale of 1-1000) earns the Microsoft Certified: Security, Compliance, and Identity Fundamentals credential.

What is Zero Trust, and why does it matter for IT support?

Zero Trust is a security model built on the principle of "never trust, always verify." Unlike traditional security that assumed everything inside the network was safe, Zero Trust treats every access request as potentially hostile, regardless of where it originates.

For IT support staff, Zero Trust means verifying every user, every device, and every access request. When someone calls the help desk asking for a password reset or access to a system, support staff must follow verification protocols. Social engineering attacks often target help desk staff precisely because they have the power to grant access.

The SC-900 certification teaches the Zero Trust framework that underpins Microsoft's entire security approach. Understanding concepts like least-privilege access, continuous verification, and identity protection helps support staff recognise when something doesn't feel right about a request.

| Aspect | Traditional Security Model | Zero Trust Model |
|---|---|---|
| Trust Assumption | Trust users and devices inside the network perimeter | Never trust, always verify every access request |
| Access Control | Once authenticated, broad access granted | Least-privilege access, continuously verified |
| Network Boundaries | Clear inside/outside perimeter | Identity is the new perimeter |
| Device Trust | Corporate devices trusted by default | Device health verified before access granted |
| Help Desk Impact | Password resets granted with basic verification | Multi-factor verification required for sensitive requests |
| Breach Response | Attackers can move laterally once inside | Micro-segmentation limits breach impact |

How does Microsoft Entra relate to everyday IT support tasks?

Microsoft Entra (formerly Azure Active Directory) handles identity and access management for most New Zealand organisations using Microsoft 365. IT support staff interact with Entra constantly, whether they realise it or not.

Password resets, account lockouts, multi-factor authentication issues, conditional access problems, and single sign-on troubleshooting all involve Microsoft Entra. The SC-900 certification builds understanding of how these systems work together, which makes troubleshooting faster and more effective.

Key Entra concepts covered in SC-900 include:

  • Authentication methods (passwords, MFA, passwordless)

  • Single sign-on and federation

  • Conditional Access policies

  • Identity protection and risk detection

  • Privileged Identity Management basics

When a user complains they can't access an application from home but can from the office, understanding Conditional Access policies helps diagnose the issue immediately. When someone reports their account was compromised, knowing how Identity Protection works enables faster response.

What security tools should IT support staff understand?

Microsoft Defender, Microsoft Sentinel, and Microsoft Purview form the core of Microsoft's security and compliance ecosystem. SC-900 provides an overview of each tool's purpose and capabilities.

Microsoft Defender protects endpoints, email, identities, and cloud applications. IT support staff commonly encounter Defender when users report blocked files, quarantined emails, or security alerts. Understanding what Defender does helps explain these situations to frustrated users and escalate genuine threats appropriately.

Microsoft Sentinel provides security information and event management (SIEM) capabilities. While support staff won't typically work directly with Sentinel, understanding that security teams receive alerts about suspicious patterns helps frame the importance of accurate incident reporting.

Microsoft Purview handles compliance, data governance, and information protection. When users ask why they can't forward certain emails or why documents have sensitivity labels, SC-900 knowledge provides the context to explain these protections.

How vulnerable are New Zealand businesses to phishing attacks?

Phishing remains the most common attack vector, and IT support staff are prime targets. Research from KnowBe4's 2025 Phishing by Industry Benchmarking Report found that 36.8% of Australian and New Zealand employees were likely to fall for phishing attacks before training, higher than both the global average (33.1%) and European standards (32.5%).

The NCSC's Q1 2025 data shows phishing and credential harvesting incidents jumped 15% from the previous quarter, totalling 440 reported cases. These attacks increasingly target help desk staff because they have authority to reset passwords and modify access permissions.

The Tertiary Education Commission's Cyber Security initiative notes that 95% of reported cybersecurity breaches start with a phishing attempt. SC-900 training helps IT support staff recognise social engineering tactics and follow verification procedures that protect their organisation.

After 12 months of security awareness training, the KnowBe4 research shows phishing susceptibility drops to just 4.1%. Security certifications like SC-900 complement this training by providing the conceptual framework within which individual security behaviours make sense.

What salary and career benefits does SC-900 provide?

SC-900 demonstrates security awareness that employers increasingly require for IT support roles. While it won't dramatically change an entry-level salary on its own, it signals to employers that a candidate understands the security context of their work.

IT Support Specialists in New Zealand earn an average of $63,332 according to PayScale, with entry-level positions starting around $49,000. Glassdoor reports IT Help Desk salaries averaging $64,000, with top earners reaching $82,500.

The certification also serves as a stepping stone. SC-900 provides the foundation for role-based certifications like SC-200 (Security Operations Analyst), SC-300 (Identity and Access Administrator), or AZ-500 (Azure Security Engineer). These advanced certifications lead to dedicated security roles with significantly higher salaries.

The Kordia New Zealand Cyber Security Report 2025 found that 59% of New Zealand businesses experienced a successful cyber attack in the past year, with two-thirds reporting significant business impact. Organisations recognise they need security-aware staff at every level, not just in dedicated security teams.

Is SC-900 difficult for someone without a security background?

SC-900 is an entry-level certification designed for people new to security concepts. Microsoft explicitly targets business stakeholders, IT professionals, and students who want foundational knowledge rather than deep technical expertise.

The certification doesn't require coding skills or hands-on security experience. It focuses on understanding concepts rather than configuring systems. Someone comfortable with basic IT terminology and familiar with Microsoft 365 or Azure can prepare for SC-900 with focused study.

Microsoft provides free learning paths on Microsoft Learn that cover all exam objectives. Combined with practice assessments, these resources allow self-paced preparation that fits around existing work responsibilities.

The certification doesn't expire, which distinguishes it from role-based Microsoft certifications that require annual renewal. Once earned, SC-900 remains valid indefinitely.

How can New Zealand IT support professionals get SC-900 certified?

NZIQ offers structured pathways to SC-900 certification with learning materials, practice tests, and exam vouchers. The Microsoft Certified Fundamentals bundle provides everything needed to prepare for and pass the exam.

The certification process involves:

  1. Study the four exam domains using Microsoft Learn or structured courseware

  2. Practice with GMetrix simulations to build confidence

  3. Schedule the exam through Pearson VUE (online or at a testing centre)

  4. Pass with a score of 700 or higher

New Zealand exam sessions run at convenient local times, with online proctoring available for those who prefer to test from home. The exam takes 45 minutes, and results appear immediately upon completion.

For IT support professionals looking to validate their security knowledge and prepare for the evolving demands of their role, SC-900 provides a recognised credential that demonstrates readiness for modern IT support responsibilities.

Explore the Microsoft Certified Fundamentals certification bundles at NZIQ to start your security certification journey.
