Audit, Retention & eDiscovery in SC-900
This part of the SC-900 series explains how organisations gain visibility into user actions, control how long data is kept, and respond to legal or regulatory requests when required.
Security focuses on preventing threats.
Compliance focuses on evidence, accountability, and traceability.
SC-900 introduces audit, retention, and eDiscovery to help learners understand how organisations prove what happened, when it happened, and why controls exist.
Why SC-900 Covers Audit, Retention & eDiscovery
In real environments, organisations must be able to:
- Prove user actions
- Meet regulatory requirements
- Respond to audits and investigations
- Support legal and HR cases
Without proper visibility and controls:
- Incidents cannot be investigated
- Compliance cannot be demonstrated
- Trust is lost
SC-900 includes these topics to explain how accountability is built into Microsoft platforms.
What Is Audit in SC-900? (Conceptual View)
At SC-900 level, audit means:
Recording and reviewing activities performed by users and systems.
Audit helps answer questions like:
- Who accessed data?
- What action was performed?
- When did it happen?
SC-900 focuses on why auditing matters, not how logs are searched.
Why Auditing Is Critical for Security and Compliance
Auditing supports:
- Incident investigations
- Regulatory compliance
- Internal accountability
- Forensic analysis
Without audit logs:
- Security incidents lack evidence
- Compliance claims cannot be proven
- Root cause analysis becomes guesswork
SC-900 positions auditing as a foundational compliance control.
What Is Retention in SC-900?
Retention defines how long data is kept and when it should be deleted.
At SC-900 level, retention means:
Managing the data lifecycle from creation to deletion, based on business and regulatory needs.
Retention ensures that data is:
- Kept when required
- Deleted when no longer needed
This reduces both legal risk and data sprawl.
Why Retention Policies Matter
Retention policies help organisations:
- Meet legal obligations
- Reduce unnecessary data storage
- Limit exposure of old or unused data
SC-900 highlights retention as a balance between:
- Keeping data too long (greater exposure if breached, and more material to search in a legal case)
- Deleting data too early (non-compliance, and loss of evidence that may still be needed)
What Is eDiscovery in SC-900?
eDiscovery is introduced in SC-900 as:
The process of identifying, preserving, and reviewing data for investigations or legal cases.
It is commonly used for:
- Legal matters
- HR investigations
- Regulatory inquiries
SC-900 focuses on purpose and outcomes, not case creation steps.
How Audit, Retention & eDiscovery Work Together
These three concepts are closely connected:
- Audit → Shows what happened
- Retention → Controls how long data exists
- eDiscovery → Retrieves relevant data when needed
Together, they provide:
- Visibility
- Accountability
- Compliance readiness
SC-900 tests whether you understand this relationship.
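To make the relationship concrete, here is a small model of the three controls interacting, written for this article as an added example; it is not code from Microsoft or from the original page, and it does not call any Purview API. It assumes a single retention period, a hold placed by an eDiscovery case, and the Microsoft Purview principle that preservation (a hold) takes precedence over retention-based deletion. Every action writes an audit record that answers who, what and when, so the audit search at the end can explain why one item was deleted and the other survived.

```python
"""Toy model of audit, retention and eDiscovery holds working together.

Constructed example for illustration. The names, sample items and dates are
made up; the rule "a hold wins over retention deletion" mirrors how Microsoft
Purview behaves, but nothing here talks to a real tenant.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AuditEvent:
    when: datetime   # When did it happen?
    who: str         # Who did it?
    action: str      # What action was performed?
    item: str        # Which piece of data was affected?
    detail: str = ""


@dataclass
class Item:
    name: str
    created: datetime
    hold_cases: set = field(default_factory=set)  # eDiscovery cases preserving the item
    deleted: bool = False


class ComplianceStore:
    def __init__(self, retention_days: int):
        self.retention = timedelta(days=retention_days)
        self.items: dict[str, Item] = {}
        self.audit: list[AuditEvent] = []

    def _log(self, when, who, action, item, detail=""):
        # Audit: every user and system action is recorded, never overwritten.
        self.audit.append(AuditEvent(when, who, action, item, detail))

    def create(self, name, who, when):
        self.items[name] = Item(name, when)
        self._log(when, who, "ItemCreated", name)

    def access(self, name, who, when):
        item = self.items[name]
        if item.deleted:
            raise KeyError(f"{name} was deleted by retention")
        self._log(when, who, "ItemAccessed", name)

    def place_hold(self, name, case, who, when):
        # eDiscovery: identify and preserve content for a case.
        self.items[name].hold_cases.add(case)
        self._log(when, who, "HoldPlaced", name, f"case={case}")

    def release_hold(self, name, case, who, when):
        self.items[name].hold_cases.discard(case)
        self._log(when, who, "HoldReleased", name, f"case={case}")

    def run_retention(self, now, actor="RetentionPolicy"):
        """Delete items older than the retention period unless a hold preserves them."""
        deleted, preserved = [], []
        for item in self.items.values():
            if item.deleted or now - item.created < self.retention:
                continue  # still within retention, nothing to do
            if item.hold_cases:
                preserved.append(item.name)
                self._log(now, actor, "DeletionSkippedDueToHold", item.name,
                          f"cases={sorted(item.hold_cases)}")
            else:
                item.deleted = True
                deleted.append(item.name)
                self._log(now, actor, "ItemDeletedByRetention", item.name)
        return deleted, preserved

    def search_audit(self, item=None, who=None, action=None):
        """Answer 'who did what, and when' for an item, a user, or an action type."""
        return [e for e in self.audit
                if (item is None or e.item == item)
                and (who is None or e.who == who)
                and (action is None or e.action == action)]


def demo():
    # Constructed scenario: 30-day retention, two items, one HR hold.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = ComplianceStore(retention_days=30)
    store.create("contract.docx", who="alice", when=t0)
    store.create("notes.txt", who="bob", when=t0)
    store.access("contract.docx", who="carol", when=t0 + timedelta(days=5))
    store.place_hold("contract.docx", case="HR-0042", who="legal", when=t0 + timedelta(days=10))
    deleted, preserved = store.run_retention(now=t0 + timedelta(days=45))
    return store, deleted, preserved


if __name__ == "__main__":
    store, deleted, preserved = demo()
    print("deleted:", deleted, "preserved:", preserved)
    for e in store.search_audit(item="contract.docx"):
        print(e.when.date(), e.who, e.action, e.detail)
```

Running `demo()` deletes `notes.txt` at day 45 but keeps `contract.docx` because of the HR hold, and the audit trail for the contract shows the creation, the access by `carol`, the hold, and the skipped deletion with the case reference. That last record is the point: without the audit entry, nobody could later prove why the retention policy did not delete the file.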
Audit vs Security Monitoring (Important Distinction)
SC-900 clearly separates:
- Security monitoring → Detecting threats
- Audit logging → Recording actions
Audit logs are not primarily for threat detection; they exist to provide evidence and accountability.
In practice the same logs are often forwarded to a SIEM and used for detection as well, so the distinction is one of purpose, not of data source.
Retention vs Backup (SC-900 Clarity)
Another important distinction:
- Retention → Compliance and lifecycle control (keeping or deleting content in place for a defined period)
- Backup → Disaster recovery (restoring data after loss or corruption)
A retention policy does not protect against data loss, and a backup on its own does not satisfy a retention obligation. SC-900 ensures learners don't confuse these concepts.
Audit, Retention & eDiscovery and Zero Trust
Zero Trust assumes:
- Breaches may occur
- Access must be verified
- Actions must be traceable
Audit and eDiscovery support Zero Trust by:
- Providing activity visibility
- Supporting investigations
- Enforcing accountability after access
This conceptual link is exam-relevant.
What SC-900 Does NOT Expect You to Know
SC-900 does not require:
- Creating audit searches
- Configuring retention policies
- Running eDiscovery cases
- Legal workflow details
The exam tests understanding of why these controls exist, not how to operate them.
Common Misconceptions SC-900 Helps Correct
- “Audit is only for security teams.” Audit also supports compliance, HR and legal needs.
- “Retention is just storage management.” Retention is a compliance requirement.
- “eDiscovery is rare.” It is commonly used in enterprises.
SC-900 Exam Tip
For SC-900:
- Know what audit, retention, and eDiscovery are
- Understand why each exists
- Recognise how they work together
- Avoid thinking in technical steps
If you can explain how organisations prove actions and meet compliance, you’re exam-ready.
Final Thoughts: Compliance Is About Proof
Security prevents incidents.
Compliance proves responsibility.
By implementing audit, retention, and eDiscovery, organisations:
- Gain visibility
- Demonstrate accountability
- Respond confidently to audits and investigations
SC-900 introduces these concepts to ensure learners understand how trust and compliance are maintained in modern IT environments.
Also, see our detailed guide on what SC-900 is to understand Microsoft Security, Compliance, and Identity fundamentals.
For official and up-to-date exam objectives, learning paths, and reference material, refer to Microsoft Learn’s SC-900 documentation.
What’s Next in the SC-900 Series
Next, we’ll cover:
Security vs Compliance in SC-900: Understanding the Critical Differences