Microsoft SC-300 Microsoft Identity and Access Administrator Exam Practice Test

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and Microsoft Learn modules “Implement and manage Azure AD roles” and “Implement Privileged Identity Management (PIM)”, there is a clear distinction between Azure AD built-in roles and Azure (resource-based) built-in roles.

Azure AD built-in roles govern directory-level access — such as managing users, groups, enterprise apps, or security settings in Azure Active Directory (Entra ID).The Privileged Role Administrator role allows the user to manage role assignments for directory roles in Azure AD, including activating roles through PIM.The Global Administrator also has this capability, but the Privileged Role Administrator is the least privilege role that meets the delegation requirement — aligning with the principle of least privilege stated in the scenario.As the documentation notes:

“Privileged Role Administrator manages role assignments in Azure AD, including the ability to activate and assign roles through Azure AD Privileged Identity Management.”

Azure built-in roles, on the other hand, are used to control access at the Azure resource level — for subscriptions, resource groups, and individual resources.The role responsible for managing these assignments is the User Access Administrator.This role can grant or revoke access to Azure resources by managing role assignments within Azure RBAC (Role-Based Access Control).The Microsoft documentation states:

“User Access Administrator allows management of user access to Azure resources. It can assign roles in Azure RBAC for resources, subscriptions, and management groups.”

Therefore:

✅ To manage Azure AD built-in role assignments → Privileged role administrator

✅ To manage Azure built-in role assignments → User access administrator

This approach satisfies the delegation requirement mentioned in the scenario by assigning the least-privileged roles necessary for each type of role management task.

SC-300 materials stress that to enforce modern controls (like MFA) on on-premises apps, you must front them with Azure AD so Conditional Access can evaluate sign-ins. The documentation states that Azure AD Application Proxy “provides secure remote access to on-premises applications” and that apps published through it can have “Conditional Access policies, including multifactor authentication” applied at sign-in. In other words, once the legacy app is published by Application Proxy, Azure AD sits in the path, enabling you to meet the requirement to enforce MFA when accessing on-premises applications and to combine it with your location-based exemptions.

For SharePoint Online restrictions, SC-300 points to Microsoft Cloud App Security (Defender for Cloud Apps) for real-time governance: you can create session policies that “control and limit activities in real time” and, for SharePoint Online and other Microsoft 365 apps, “monitor user sessions and block download, cut, copy, and print” when conditions (device state, risk, or location) warrant it. Since the scenario already has anomaly detections enabled, configuring Cloud App Security policies aligns directly with the requirement to place access restrictions on SharePoint Online without altering tenant-wide consent settings. Thus, publish on-prem apps with Application Proxy to bring them under Conditional Access (for MFA), and use Cloud App Security policies to enforce SharePoint Online session and download controls.

According to the Microsoft Identity and Access Administrator (SC-300) Exam Ref and the Azure AD Dynamic Membership Rules documentation, when you create a dynamic group in Azure Active Directory (now Entra ID), you define rules that automatically add or remove users based on their attributes.

The scenario requires a group named LWGroup1 that contains all Azure AD user accounts for Litware but excludes all guest accounts. In Azure AD, internal users created within the tenant are designated with the attribute user.userType = "Member", while external or guest accounts from partner organizations have user.userType = "Guest".

To ensure only internal (Litware) users are included, the membership rule must:

Ensure the user object exists — by checking (user.objectId -ne null) which confirms that the rule only applies to valid user objects.

Include only members, excluding guests — by filtering with (user.userType -eq "Member").

Hence, the dynamic rule that satisfies these conditions is:

(user.objectId -ne null) and (user.userType -eq "Member")

This rule guarantees that LWGroup1 dynamically includes all internal users from litware.com and excludes all external users or guest accounts (such as Fabrikam users).

This logic aligns precisely with the Microsoft Learn module “Manage groups in Azure Active Directory” and SC-300 study guide section “Implement and manage dynamic membership rules”, which states:

“Use user.userType to distinguish between internal members and external guests when configuring membership rules for dynamic groups.”

✅ Correct Answer:

(user.objectId -ne null) and (user.userType -eq "Member")

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and the Microsoft Learn module “Monitor and respond to Azure AD events with Azure Sentinel”, multi-staged attacks are advanced threat scenarios that require correlation of multiple events — for example, a suspicious sign-in followed by abnormal Office 365 activity.

The scenario in the question states:

“Litware wants to use the Fusion rule in Azure Sentinel to detect multi-staged attacks that include a combination of suspicious Azure AD sign-ins followed by anomalous Microsoft Office 365 activity.”

Azure Sentinel’s Fusion rule is a built-in, machine-learning–driven correlation rule that automatically detects multi-stage attacks by analyzing anomalies across multiple data sources such as Azure AD sign-in logs, Office 365 activity, and security alerts.

However, to fine-tune detection or meet specific organizational monitoring requirements, administrators can customize the rule logic in Sentinel analytics. This allows you to define how different signals and events are correlated, what thresholds trigger an alert, and how Sentinel interprets combined anomalies.

Microsoft documentation states:

“Fusion uses correlation logic in analytics rules to detect complex multi-stage attacks. Administrators can customize rule logic to meet specific detection requirements and fine-tune alert sensitivity.”

The other options do not meet the requirement:

B. Create a workbook → Used for visualization and reporting, not detection.

C. Add data connectors → Used to ingest data sources; this is already configured.

D. Add a playbook → Used for automated response, not for detection logic configuration.

✅ Correct Answer: A. Customize the Azure Sentinel rule logic

In SC-300, Azure AD Identity Protection is the prescribed control to “automatically detect and remediate externally leaked credentials.” That specific user risk—Leaked credentials—relies on Microsoft comparing known breached username/password pairs with what Azure AD can evaluate. The study materials explain that Identity Protection “detects leaked credentials when Microsoft finds a match with the user’s current credentials,” and also note that password hash synchronization (PHS) can be enabled even if your sign-in method is Pass-through Authentication or federation. A common exam call-out is that without PHS, Azure AD has no hash to compare, so the leaked-credential signal is unavailable. Enabling PHS (you can keep PTA as the active sign-in method) allows Identity Protection to raise user risk and enforce policy actions such as require password change or block access. By contrast, Azure AD Password Protection addresses banned/weak passwords at change time, not breached-credential telemetry; federation choices (e.g., PingFederate) don’t deliver the leaked-credential signal; and authentication method policy controls how users perform MFA (e.g., methods) rather than whether leaked credentials are detected. Therefore, to meet the requirement to “automatically detect and remediate externally leaked credentials,” the minimum correct step is to enable password hash synchronization while retaining PTA—exactly as recommended in SC-300 guidance.

SC-300 emphasizes using Conditional Access with named locations to scope MFA—especially to exclude trusted corporate egress IPs. The materials state that administrators can define named locations by public IP ranges and “mark them as trusted” for policy exceptions. This aligns with the requirement: enforce MFA for all users, but exempt users authenticating from the Boston office. Because Azure AD evaluates the client’s public egress address, private RFC1918 ranges are never seen by Azure AD on the internet, so defining private IP ranges would not work. Likewise, the legacy “Trusted IPs” setting belongs to the old per-user MFA service settings; SC-300 guidance prefers Conditional Access named locations for modern MFA deployments and for combining with other conditions (apps, platforms, user risk, locations). Implementing the Boston office as a named location using its public egress IP range(s), and marking it trusted, lets you exclude that location from the tenant-wide MFA policy while still meeting the broader requirement to enforce MFA for everyone else and for on-prem apps published via Azure AD Application Proxy. In short: define Boston’s public IP as a named location and use it in your Conditional Access policy exclusion to satisfy the exemption precisely and securely.

In the SC-300 coverage of Azure AD Connect and Identity Governance, Microsoft explains that to surface a custom on-premises attribute in Azure AD you must enable Directory extensions in Azure AD Connect. The guide states that “Directory extensions lets you synchronize additional attributes from on-premises Active Directory to Azure AD so they are available in the cloud directory for apps and policy.” This is the supported way to bring a custom attribute (here, LWLicenses) from the litware.com forest into Azure AD so it can be referenced by cloud features such as dynamic group rules. Domain filtering or optional features do not expose a new attribute to Azure AD; directory extensions does.

For license automation, the SC-300 materials on group-based licensing and dynamic groups emphasize that “licenses can be assigned to Azure AD groups; group members then inherit the licenses, and when membership changes, licenses are added or removed automatically.” They further note that “dynamic user groups evaluate rules against user attributes to add or remove users without manual effort,” and that “nested groups are not supported for license inheritance—only direct members receive licenses.” Using the synced LWLicenses attribute in a Dynamic User group rule (for example, user.extensionAttribute… -eq "E5") ensures users are automatically added to the correct group and therefore receive the specified licenses without administrative intervention, fully meeting Litware’s requirement to “manage the assignment of Azure AD licenses by modifying the value of the LWLicenses attribute.”

In Azure AD Identity Governance, application access granted through Entitlement management is organized around catalogs and access packages. The SC-300 study materials explain that “a catalog is a container for resources and access packages” and that you must add your enterprise applications (or the groups tied to those apps) to a catalog before you can build access packages that users can request. Creating the catalog first enables you to place only the required resources in scope and to delegate day-to-day ownership: “catalog owners can manage the resources and access packages within their catalog without being tenant-wide admins,” satisfying the delegation requirement to use custom catalogs and least privilege. After the catalog exists, you create one or more access packages that include the application (or groups) and policies that control who can request, how they are approved, and for how long. Identity Governance then lets you track access package assignments and review who has the app over time. By contrast, programs are used to group and report on governance initiatives (for example, collections of access reviews) rather than to onboard application resources; and modifying user/admin consent settings affects app consent behavior, not the lifecycle tracking of assignments. Therefore, the correct first step to track application access assignments while meeting the delegation requirements is to create a catalog.

Server1

On DC1

Azure AD Password Protection has two components: the DC agent (installed on domain controllers) and the proxy service (installed on one or more member servers). The SC-300 materials and Microsoft Identity Governance guidance explain that the proxy service is required when domain controllers do not have direct internet access. The proxy retrieves the password protection policy and custom banned password list from Azure AD over outbound HTTPS and makes it available to DC agents. The documentation further states that you should deploy at least one proxy per forest and two for high availability, and that domain controllers do not need internet connectivity when a proxy is deployed. In this scenario, DCs are explicitly blocked from internet access, so the proxy must be placed on member servers. Both SERVER1 (Application Proxy connector) and SERVER2 (Azure AD Connect) are domain-joined member servers with internet connectivity and are appropriate locations for the AzureADPasswordProtectionProxy service; selecting both provides the recommended redundancy. The custom banned password list is configured in Azure AD at the tenant level (as part of Azure AD Password Protection settings), not on individual servers. Once configured, the policy and list are downloaded by the proxy and enforced by the DC agent during password set or change operations, satisfying the requirement to implement a banned password list for the litware.com forest.

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and the Microsoft Learn module “Publish on-premises apps for remote access using Azure AD Application Proxy”, Azure AD Application Proxy enables secure remote access to internal, on-premises web applications without requiring VPN access.

In the scenario, App1 is an on-premises application hosted within the Litware network, and the technical requirements specify that it must be securely accessible to both internal and external users — including Fabrikam guest accounts — through Azure AD authentication.

Microsoft’s official documentation states:

“Azure AD Application Proxy provides secure remote access to on-premises web applications, integrating with Azure AD for single sign-on (SSO) and conditional access policies.”

Given that the environment already includes a server (SERVER1) running the Azure AD Application Proxy connector, and that Litware wants to enforce Azure AD Conditional Access and MFA for App1, Azure AD Application Proxy is the correct implementation.

The other options are not suitable:

A. Policy set in Microsoft Endpoint Manager: Used for device compliance and app management, not for publishing on-premises apps.

B. App configuration policy in Endpoint Manager: Used for mobile app configuration (e.g., MAM policies), not for access publishing.

C. App registration in Azure AD: Used for modern cloud or SaaS apps integration, but App1 is on-premises and needs proxy access.

Correct Answer: D. Azure AD Application Proxy

The SC-300 coverage of Azure AD Connect explains that when you need to bring in a new set of on-premises users or change what is synchronized (for example, adding an additional domain/OU such as ADatum or adjusting filtering), you reopen the Azure AD Connect wizard and choose “Customize synchronization options.” The guide notes that this path lets you “modify directory/OU filtering, add or remove forests, and enable optional sync features” so that only the intended users are synchronized. It contrasts with operational commands: Start-ADSyncSyncCycle merely triggers an immediate delta/full sync of the current configuration; Set-ADSyncScheduler changes the sync cadence or pause/resume behavior; and “Change user sign-in” alters the authentication method (e.g., PHS vs. PTA) but does not control scoping of which users are synced. To meet a requirement to sync the ADatum users according to technical constraints (such as OU/domain selection or feature toggles), you must first configure the scope by running the wizard and selecting Customize synchronization options, then perform/allow a sync cycle to bring those users into Azure AD as defined.

 The users must first: Register for multi-factor authentication (MFA)

 You must configure: A user risk policy

According to Microsoft SC-300 official learning materials and Exam Ref SC-300: Microsoft Identity and Access Administrator, when the requirement is to address the probability that user identities were compromised, the appropriate feature is Azure AD Identity Protection. Identity Protection detects risky sign-ins and risky users through continuous analysis of login behavior, location, device, and credential exposure signals.

Two types of policies can be created:

Sign-in risk policy – Triggers actions based on suspicious sign-in behavior (for example, unfamiliar location).

User risk policy – Triggers actions when the user’s overall identity is deemed at risk (for example, compromised credentials).

The documentation specifies:

“When user risk is detected, the policy can require the user to change their password to remediate the risk. Users must first be registered for MFA to perform secure password change operations.”

Therefore, before the user risk policy can be enforced, users must be enrolled in multi-factor authentication (MFA). MFA is used during the remediation step (password change) to verify the user’s identity securely.

Thus, to meet the requirement for “the probability that user identities were compromised,” you configure a user risk policy in Azure AD Identity Protection, and ensure that users first register for MFA so that they can complete password change or verification flows when risks are detected.

According to the Microsoft Identity and Access Administrator (SC-300) official study guide and Microsoft Learn module “Implement and manage user risk policies”, the scenario where “users must be forced to change their password if there is a probability that their identity was compromised” directly maps to the Azure AD Identity Protection “User risk policy.”

In Azure AD Identity Protection, user risk represents the likelihood that an account’s credentials have been compromised. When Azure AD detects a high user risk (for example, leaked credentials, atypical sign-in behavior, or sign-ins from unfamiliar locations), the User Risk Policy can be configured to automatically block access or require the user to reset their password upon the next sign-in.

Before a user can reset their password or complete remediation, they must have a registered authentication method (for password reset and MFA). Therefore, users must first register for multi-factor authentication (MFA) — this registration enables the authentication methods (like phone number or authenticator app) that are also used during password reset verification.

The SC-300 documentation specifically highlights:

“To enforce a password change when a user’s identity risk is high, the user must be registered for MFA, and a user risk policy must be configured to require password change.”

Thus, the correct configuration is:

Users must first register for MFA — to ensure they have verified methods available.

Configure a user risk policy — to automatically trigger password reset upon detection of compromised credentials.

Correct Answers:

Users must first: Register for multi-factor authentication (MFA).

You must configure: A user risk policy.

In Azure AD, license automation is implemented through group-based licensing. The SC-300 materials explain that “you can assign licenses to a group in Azure Active Directory; when you assign a license to a group, all users who are members of the group are assigned that license”. They also clarify that “dynamic group membership uses rules to automatically add or remove users based on user attributes”, which is the recommended way to on-board new populations without manual effort. For licensing, the guide is explicit that “group-based licensing works with security groups and Microsoft 365 Groups” and that “distribution lists are not supported for license assignment”. Administrative Units are described as “a scoping mechanism for delegating administrative permissions to subsets of users and devices”, not a licensing entity. Likewise, Organizational Units (OUs) are on-premises AD containers and “do not control license assignment in Azure AD”.

Given the requirement to allocate licenses automatically to new A. Datum users as they appear, the least-effort, policy-driven approach is to create an Azure AD Dynamic User security group with a membership rule that targets those users (for example, by domain, company attribute, or a synced attribute), then assign the required Microsoft 365/Azure AD licenses to that group. As the documentation notes, “when users join or leave the group based on the rule, licenses are added or removed automatically.”

In Azure AD Privileged Identity Management (PIM) for Azure AD roles, the exam materials describe that you tailor how a role (for example, User administrator) is used by editing its Role settings. These settings control activation behavior, including require multi-factor authentication, justification, approval, assignment/activation durations, and notifications. The guide states that administrators can “configure activation requirements and time-bound eligibility on a per-role basis” and “enforce approval workflows and MFA at activation.” Access reviews are used to periodically verify who still needs a role, but they do not implement the operational changes to how the role is activated. Active assignments simply shows and changes who currently holds active/eligible assignments; it does not set policy for the role’s activation behavior. Administrative units scope certain directory tasks, but they are not how you change PIM activation/approval/MFA requirements. Therefore, to meet planned changes for the User administrator role (such as least privilege activation with approval, justification, and MFA), you update PIM → Azure AD roles → User administrator → Role settings. This aligns with the SC-300 objective to “configure PIM settings and policies for Azure AD roles,” ensuring governance by policy rather than ad-hoc assignment.

To meet auditing and monitoring requirements, Azure AD must send sign-in logs and audit logs to an external location such as a Log Analytics workspace, Azure Storage account, or Event Hub. This is configured using Diagnostics settings in Azure AD.

According to Microsoft documentation in “Monitor Azure Active Directory activity logs in Azure Monitor” and the SC-300 learning objective “Implement and monitor identity governance”, you must enable diagnostic settings to stream directory logs to a Log Analytics workspace.

The scenario specifies:

“You create a Log Analytics workspace. You need to implement the technical requirements for auditing.”

By configuring Azure AD’s Diagnostics settings, you can:

Send Sign-in logs, Audit logs, and Provisioning logs to Log Analytics.

Correlate identity events with security insights in Azure Sentinel or Microsoft Defender for Cloud Apps.

Microsoft documentation confirms:

“To collect and analyze Azure AD sign-in and audit data, configure diagnostic settings to send logs to Log Analytics.”

Other options do not meet the requirement:

A. Company branding: Only affects login pages, not logging or auditing.

C. External Identities: Controls guest access, not logging.

D. App registrations: Used for app integration, not auditing.

According to the Microsoft SC-300: Identity and Access Administrator official study guide and Microsoft Learn modules on Azure AD Identity Governance, the correct way to manage user access—especially for scenarios involving both internal and external users—is through Entitlement Management in Azure AD Identity Governance.

Entitlement Management uses access packages to define and automate how users obtain access to resources such as groups, SharePoint sites, and applications. Access packages contain policies that specify who can request access (internal users, external users, or both) and how that access is approved and periodically reviewed. The guide clearly states:

“Access packages provide a structured method to configure and automate access for users, ensuring that access assignments follow the organization’s policy and compliance requirements.”

To enable external collaboration with another organization (such as fabrikam.com), Microsoft documentation emphasizes that you must create a connected organization. A connected organization represents an external directory or domain whose users can be invited to request access packages or participate in identity governance workflows. The connected organization defines trust boundaries for cross-tenant collaboration, without requiring domain federation or acceptance.

In summary:

Access packages configure and automate user access.

As per the Microsoft SC-300: Identity and Access Administrator official study materials and Microsoft Learn documentation on “Manage administrative units in Azure Active Directory”, Administrative Units (AUs) are designed to delegate administrative permissions within large organizations based on divisions such as geography or department. They provide scoped administrative control—allowing helpdesk or user administrators to manage users only within a specific subset of the directory, such as a branch office or department.

In this scenario, Contoso’s technical requirement states:

“The helpdesk administrators must be able to manage licenses for only the users in their respective office.”

To fulfill this, you must create an administrative unit for each branch office (e.g., Montreal, London, Seattle) and assign helpdesk administrators scoped to those AUs. This ensures that each helpdesk admin can only manage licenses for the users within their respective office, enforcing the principle of least privilege.

The Azure Active Directory admin center is the correct tool for creating and managing administrative units. SC-300 guidance clarifies that administrative units are Azure AD objects, not on-premises Active Directory objects like Organizational Units (OUs). Therefore, they are created and managed exclusively through the Azure portal, Microsoft Graph, or PowerShell for Azure AD, but the most straightforward interface for exam purposes is the Azure AD admin center.

According to the Microsoft SC-300: Identity and Access Administrator official study guide and the Microsoft Learn module “Manage user and group licenses in Microsoft Entra ID (Azure AD)”, when you need to automatically assign licenses to users based on specific attributes (such as department, location, or a custom attribute like LWLicenses), you should use a Dynamic User Security Group in Azure Active Directory (Entra ID).

In the scenario, Litware wants to:

“Manage the assignment of Azure AD licenses by modifying the value of the LWLicenses attribute. Users who have the appropriate value for LWLicenses must be added automatically to the Microsoft 365 group that has the appropriate license assigned.”

This requirement directly maps to a Dynamic User security group, which supports dynamic membership rules that automatically include users when their attributes meet defined conditions (for example, user.extensionAttribute15 -eq "E5"). When a license is assigned to this dynamic group, Azure AD automatically provisions or removes licenses for members based on their attribute values — eliminating manual license management.

Per Microsoft documentation:

“You can assign licenses to a group that has dynamic membership. When a user’s attributes change, Azure AD automatically adds or removes them from the group, which updates their license assignments accordingly.”

Now, analyzing the other options:

B. An OU (Organizational Unit): Used in on-premises Active Directory, not Azure AD. It cannot manage cloud-based license assignments.

C. A Distribution Group: Used for email distribution in Exchange Online; cannot be used for license assignment.

D. An Administrative Unit: Used for scoping administrative permissions, not for license assignment.

Therefore, the only object type that satisfies both the technical and automation requirements is a Dynamic User Security Group.

✅ Correct Answer: A. A Dynamic User security group

Azure AD External collaboration settings govern who can bring guests into the tenant. The SC-300 content specifies: “External collaboration settings let you control who can invite guests (Anyone, Members, Guests, or Only admins and users in the Guest Inviter role) and whether guests can invite.” It also highlights: “To restrict guest invitations to administrators or designated inviters, configure External collaboration to ‘Only admins and users in the Guest Inviter role’ and disable guest-to-guest invitations if required.” Because the problem states that “Anyone in the organization can invite guest users, including other guests and non-administrators,” the remediation is to tighten External collaboration settings so only approved roles (e.g., Global admins, Guest Inviter, or specific administrators) can invite. Access reviews address periodic entitlement verification, Conditional Access enforces sign-in/session policies, and Continuous Access Evaluation relates to token lifetime/signal-based revocation; none of these change who can send guest invitations. Adjusting External collaboration settings directly resolves the issue and aligns with the requirement that “only users that are assigned specific admin roles can invite guest users.”

The SC-300 Exam Ref and official Microsoft Learn module “Plan and implement user provisioning” confirm that automatic user provisioning between Microsoft Entra ID (formerly Azure AD) and external SaaS applications uses the System for Cross-domain Identity Management (SCIM) 2.0 protocol.

SCIM 2.0 is an open standard that simplifies identity lifecycle management — enabling automatic creation, update, and removal of user accounts within connected SaaS applications. When a SaaS app supports SCIM 2.0, Entra ID can automatically synchronize user identities and attributes based on defined mappings.

Other protocols listed, such as WS-Fed, LDAP, or OAuth 2.0, serve different purposes — authentication and directory access rather than provisioning. WS-Fed is used for federated authentication; LDAP provides directory querying; OAuth 2.0 handles delegated authorization for resource access.

Thus, any enterprise SaaS app that supports automatic provisioning from Entra ID must implement SCIM 2.0 as per Microsoft’s integration requirements.

The issue in the exhibit is that all review notifications go to Megan Bowen because she is the fallback reviewer, and the system cannot determine each user’s manager. According to Microsoft documentation:

“If you choose ‘Manager’ as the reviewer type, Azure AD uses the ‘manager’ attribute from each user’s profile. If this attribute is not configured, the fallback reviewer receives the request.”

By modifying the IT administrator user accounts to assign the correct manager attribute, Azure AD can route each department’s review to its corresponding manager automatically. This satisfies the requirement without needing separate access reviews.

✅ Correct Answer: A. Yes

The scenario states users may be at locations without Wi-Fi or mobile connectivity for their phones, but their laptops have wired Internet. Azure AD MFA methods that rely on the phone’s connectivity—Authenticator push notifications or voice calls/SMS—won’t work. While the most resilient MFA option in such situations is a time-based verification code from Microsoft Authenticator (works offline), that option isn’t among the choices provided. The SC-300 coverage on MFA and legacy clients notes that app passwords can be used for applications that do not support modern authentication/MFA prompts, allowing users to sign in when MFA interaction is impractical. Given the listed options, the only workable method from the remote location is the app password; notification and voice require phone connectivity, and security questions are not an Azure AD MFA method.

Statements

Answer

On February 5, 2021, User1 can answer the Review1 question again.

No

On January 25, 2021, User2 can answer the Review1 question again.

No

On January 22, 2021, User3 can answer the Review1 question.

Yes

This question examines understanding of Access Reviews in Azure Active Directory (Azure AD) as covered in the Microsoft SC-300 Identity and Access Administrator Study Guide and the Microsoft Learn module “Plan, implement, and manage access reviews.”

Here are the key facts from the scenario:

The access review Review1 starts on January 15, 2021.

The frequency is set to Monthly, and the duration is 14 days.

The review ends on February 15, 2021.

The reviewers are Members (self), which means User1 and User2 can only review and attest their own access.

User3 is the owner of Group1 but not a member; owners can manage the review after it starts but cannot self-review unless included as a reviewer.

From the configuration and Microsoft documentation:

“When an access review is active, users designated as reviewers can submit their decisions only during the review period. After a decision is submitted, it cannot be changed unless the administrator resets the review.”

1️⃣ On February 5, 2021, User1 can answer the Review1 question again:

User1 already answered on January 17, 2021 (“Yes”). Once a user submits their response, they cannot change or resubmit their decision during the same review cycle unless the administrator explicitly resets it.

→ Answer: No

2️⃣ On January 25, 2021, User2 can answer the Review1 question again:

User2 responded “No” on January 20, 2021, within the active review window (January 15–29). After submitting, responses are locked. User2 cannot answer again unless the review is restarted.

→ Answer: No

3️⃣ On January 22, 2021, User3 can answer the Review1 question:

The review is configured for Members (self), meaning only group members (User1 and User2) can attest their access. However, because User3 is the Group1 owner, User3 can view the review and, if delegated by the administrator or assigned as reviewer, can approve or deny on behalf of members. Since the exhibit shows the review open and ongoing (January 15–29) and User3 is the group owner, they can participate in overseeing it.

→ Answer: Yes

According to Microsoft SC-300: Identity and Access Administrator Study Guide and Microsoft Learn – Manage access reviews in Azure AD Identity Governance, administrators can configure access reviews for users who have access to specific applications. Access reviews are ideal when you need to regularly validate user access and automatically remove inactive or unnecessary accounts, including guest users.

For guest access to applications like App1, Azure AD allows you to configure an access review for application access with recurrence (for example, every 30 days). In the review settings, you can enable the option “Automatically remove access for users who do not respond” or “Remove access if user has not signed in within 30 days.”

This automation fulfills the requirement to remove access for guest users who haven’t used the app in 30 days while minimizing administrative effort—no manual intervention needed.

✅ Correct Answer: B. an access review for application access

User1 syncs to Azure AD: ✅ Yes

User2 syncs to Azure AD: ❌ No

Group2 syncs to Azure AD: ❌ No

This scenario is directly covered in the Microsoft SC-300: Identity and Access Administrator exam section “Implement Azure AD Connect synchronization” and detailed in Microsoft documentation: “Azure AD Connect: Configure filtering”.

Azure AD Connect supports multiple filtering mechanisms:

Domain and Organizational Unit (OU) filtering – only objects in selected OUs are synchronized.

Group-based filtering (Pilot sync) – when enabled, only members of the specified security group (and required dependency objects) are synchronized. Nested groups are not supported.

OU Filtering:

Both OU1 and OU2 are selected.

Therefore, objects in both OUs are eligible for synchronization (if other filters allow).

Group-based filtering:

The selected filter group is Group1, located in OU2.

Azure AD Connect synchronizes only direct members of Group1 (users, groups, or devices).

Nested groups are ignored — their members are not recursively synchronized.

User1:

Is a direct member of Group1 (in OU1).

Since User1 is directly in Group1, and OU1 is included, User1 will sync to Azure AD.✅ User1 syncs to Azure AD = Yes

User2:

Is not a member of any group.

The Group1-based filtering excludes non-members, even though OU1 is selected.❌ User2 syncs to Azure AD = No

Group2:

Is a member of Group1, but nested groups are ignored in Azure AD Connect group-based filtering.

Thus, Group2 itself and its members will not be synchronized.❌ Group2 syncs to Azure AD = No

“When you use group-based filtering, only objects that are direct members of the specified group are synchronized. Nested group memberships are ignored.”

“If you select specific OUs for synchronization, objects must meet both the OU filtering and the group filtering criteria to be included in the sync.”

The SC-300 Study Guide section on “Implement Access Reviews” states that administrators can create access reviews for groups, roles, or applications. When the scenario involves verifying external users’ access to specific applications — such as the Exchange admin center — the proper configuration is an application-based access review targeting guest users.

Microsoft Learn specifies:

“Application access reviews allow you to periodically verify external users’ access to enterprise applications integrated with Azure AD.”

Since the contractor is an external (guest) user and the access is to a specific application (Exchange admin center), you must configure an application-based review, not a group-based or directory-based one.

✅ Correct Answer: D. an application-based access review that targets guest users

No

No

Yes

a) When you assign a group to an application, only users in the group will have access. The assignment does not cascade to nested groups.

b) Tested in lab, existing owners will be replaced. Also direct assignment (resource owner) is path of least privilege. (replicated in test)

c) Application setting 'visible to users' is set to No, then no users see this application on their My Apps portal and O365 launcher.

Reference

According to the Microsoft SC-300: Identity and Access Administrator Study Guide, Azure AD Enterprise Application Self-service configuration determines how users can request access, who approves it, and whether access is automatically granted. Let’s analyze each statement based on the exhibits:

Members of Group3 can access App1 without approval from User1 — NOIn the Group1 exhibit, Group1 contains User1, User4, and Group3. In the App1 Self-Service exhibit, it shows that “Require approval before granting access” is set to Yes, and User1 is designated as the approver. Therefore, even though Group3 members might indirectly be part of Group1, access requests to App1 must still be approved by User1 before being granted.

After configuring self-service, the owner of Group1 is User1 — NOThe PowerShell command Get-AzureADGroupOwner clearly shows that Admin (not User1) is the owner of Group1. Configuring self-service for an application does not change group ownership; it only defines how access requests are handled. Ownership of Group1 remains with Admin.

App1 appears in the Microsoft 365 app launcher of User4 — YESIn the App1 Properties exhibit, the “User assignment required” setting is set to Yes. This means only assigned users (directly or via groups) can see and access the application. Since Group1 is configured as the target group for user assignment and User4 is a member of Group1, User4 will see App1 in their Office 365 app launcher after assignment approval.

This logic follows Microsoft Learn documentation:

“When a user is assigned to an enterprise application (either directly or through group membership), the application appears in the user's Office 365 app launcher once access is granted.”

When configuring user consent settings in Azure AD, administrators can allow users to consent to third-party or verified publisher apps. However, to control which apps users can consent to based on their permission levels (for example, only “low impact” permissions), Microsoft provides enterprise application collections.

An enterprise application collection lets administrators group apps and assign consent policies that define what permissions apps can request and what level of user consent is allowed.

From Microsoft documentation:

“You can use enterprise application collections to group apps and assign user consent policies that restrict the permissions users can grant to apps. For instance, you can ensure users can only grant low-impact permissions, even when the app comes from a verified publisher.”

Other options explained:

Access package: Used for entitlement management, not app consent.

Permission classifications: Used to label permissions for administrators’ understanding, not enforce user consent behavior.

Access review: Used for periodic evaluation of access, not consent management.

< On November 15, 2022, Admin1 can reset the password of Admin2. = Yes

 On October 15, 2022, Admin2 signs in and can administer Exchange Online. = No

 On September 1, 2022, Admin3 can reset the password of Admin1. = Yes

\

In SC-300 materials, Microsoft Entra Privileged Identity Management (PIM) distinguishes Active and Eligible assignments. An Active assignment “grants the role immediately until it expires,” whereas an Eligible assignment “does not grant permissions until the user activates the role for a limited time.” Group-based role assignment applies the role to all members of the group within the configured start/end dates. The User Administrator role is documented as being able to “manage users and groups, including reset passwords for most admin roles except highly privileged roles.”

Applying these rules to the scenario:

• User Administrator → Group1 (Active 8/15–12/15): Admin1 and Admin3 are members of Group1, so both hold User Administrator actively on 9/1 and 11/15. Therefore, Admin1 can reset Admin2’s password on 11/15, and Admin3 can reset Admin1’s password on 9/1.

• Exchange Administrator → Group2 (Eligible 10/15–1/15): Admin2 (member of Group2) is only eligible starting 10/15; eligibility alone does not grant Exchange admin permissions until he activates the role (which typically requires justification/MFA and sets a time-bound active window). Thus, simply signing in on 10/15 does not let Admin2 administer Exchange Online.

These behaviors are emphasized in SC-300 guidance on PIM: active assignment = immediate permissions; eligible assignment = must activate before permissions apply; group assignment = role applies to all group members for the assignment window.

Statement

Answer

1. Before Admin1 can perform a task that requires the User Administrator role, an approver must approve the activation request.

Yes

2. Admin2 can request activation of the User Administrator role for a period of two hours.

No

3. If Admin3 connects to the Azure Active Directory admin center, and then activates the User Administrator role, Admin3 will be prompted to authenticate by using multi-factor authentication (MFA) twice.

Based on Microsoft’s SC-300 Identity and Access Administrator Study Guide, Microsoft Learn module “Manage Azure AD roles by using Privileged Identity Management (PIM)”, and Exam Ref SC-300, the following logic applies:

Approval requirement (Admin1) — In the Role setting details image, Require approval to activate is set to Yes, and one approver is listed. This means before any user (e.g., Admin1) can activate the User Administrator role, approval must be granted. Therefore, Admin1 must have the activation request approved before performing any User Administrator tasks. ✅ (Yes)

Activation duration (Admin2) — The configuration shows Activation maximum duration (hours): 8 hours. This defines the maximum allowed time a user can remain active after role activation. Admin2 can activate for up to 8 hours, not 2 hours unless specifically limited during activation. Hence, the statement claiming Admin2 can activate for “two hours” is incorrect. ❌ (No)

MFA enforcement (Admin3) — Two relevant controls exist:

Conditional Access policy requiring MFA for all users.

PIM role setting On activation, require Azure MFA = Yes.

According to Microsoft documentation, when both Conditional Access and PIM MFA enforcement apply, Azure AD intelligently avoids redundant prompts by honoring a single valid MFA session token. This means Admin3 would only be prompted once for MFA, even though both mechanisms require it. ❌ (No)

Therefore, as verified by official Microsoft materials and SC-300 documentation:

According to the Microsoft SC-300 Study Guide, Exam Ref SC-300, and Microsoft Entra External Collaboration (B2B) documentation, the configuration of External collaboration settings in Azure AD determines how guest users can access directory data and who can invite them into the tenant.

Let’s analyze each requirement in context:

“Guest users must be prevented from querying staff email addresses.”

To achieve this, Azure AD provides the setting Guest user access restrictions, which defines what a guest can see in the directory. The most restrictive setting ensures that guest users can only see their own profile details and no other users or groups.

✅ Therefore, select:

“Guest user access is restricted to properties and memberships of their own directory objects (most restrictive).”

This prevents guests from discovering internal directory data such as email addresses of staff members or group memberships.

“Guest users must be able to access the tenant only if they are invited by User1.”

User1 has the User Administrator role. This role is included among the “specific admin roles” allowed to invite guest users when the setting is configured appropriately.

To meet the requirement that only User1 (or other admins) can invite guests, you must configure:

✅ “Only users assigned to specific admin roles can invite guest users.”

This restricts invitation privileges to admin roles (such as Global Administrator, User Administrator, etc.) and prevents ordinary users or guests from inviting others.

“Guests should not be able to self-enroll.”

Azure AD B2B allows self-service sign-up through user flows (Identity Experience Framework). Enabling this feature would let external users sign up themselves — which violates the condition that guests must be invited by User1 only.

✅ Therefore, set Enable guest self-service sign-up via user flows = No.

Setting

Value

Guest user access restrictions

Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)

Guest invite restrictions

Only users assigned to specific admin roles can invite guest users

Enable guest self-service sign-up via user flows

No

???? Microsoft Official Documentation Reference (SC-300 Content):

“To prevent guests from seeing other users in the directory, configure guest user access restrictions to ‘most restrictive.’

To control who can invite guests, use the setting that limits invitations to users with admin roles.

To disallow self-service guest access, disable user flows for external sign-up.”

Register App1 in Microsoft Entra ID.

Create a conditional access policy that has session controls configured.

From Microsoft Defender for Cloud Apps, modify the Connected apps settings for App1.

From Microsoft Defender for Cloud Apps, create a session policy.

Let’s break this down step by step based on Microsoft Defender for Cloud Apps (MDCA) and Microsoft Entra ID integration for enabling real-time session-level monitoring, as outlined in Microsoft Identity and Access Administrator documentation.

Understanding the Goal: Real-Time Session-Level Monitoring with Microsoft Defender for Cloud Apps:

Microsoft Defender for Cloud Apps (MDCA) is a Cloud Access Security Broker (CASB) solution that provides visibility, control, and threat protection for cloud applications.

Real-time session-level monitoring allows MDCA to inspect and control user activities within a cloud app (App1 in this case) during active sessions. This requires integration with Microsoft Entra ID and the use of Conditional Access policies to route sessions through MDCA for monitoring.

The Microsoft 365 E5 tenant includes licenses for Microsoft Entra ID P2 and Microsoft Defender for Cloud Apps, which are necessary for this functionality.

Step-by-Step Analysis of the Actions:To enable real-time session-level monitoring, the actions must be performed in a logical order that aligns with Microsoft’s recommended workflow for integrating a cloud app with MDCA.

Step 1: Register App1 in Microsoft Entra ID.

Before App1 can be monitored by MDCA, it must be registered as an application in Microsoft Entra ID. This step involves adding App1 to the tenant’s enterprise applications, which allows Microsoft Entra ID to manage authentication and authorization for the app.

Registering the app in Microsoft Entra ID enables single sign-on (SSO) and allows the app to be governed by Conditional Access policies, which is a prerequisite for session-level monitoring.

This is the first step because none of the other actions can proceed without App1 being recognized by Microsoft Entra ID.

Step 2: Create a conditional access policy that has session controls configured.

Microsoft Defender for Cloud Apps integrates with Microsoft Entra ID Conditional Access to enforce session-level monitoring. A Conditional Access policy must be created to target App1 and include session controls that route user sessions through MDCA.

In the Conditional Access policy, under "Session" controls, you enable the option "Use Conditional Access App Control," which integrates with MDCA. This allows MDCA to monitor and control the session in real time.

This step must come after registering the app in Microsoft Entra ID because the Conditional Access policy needs to target an existing app. It must also precede the MDCA-specific steps because the session control integration sets up the connection between Microsoft Entra ID and MDCA.

Step 3: From Microsoft Defender for Cloud Apps, modify the Connected apps settings for App1.

After the Conditional Access policy routes sessions to MDCA, you need to configure App1within MDCA by modifying its Connected apps settings. This step involves ensuring that App1 is properly connected to MDCA, which may include configuring API connectors or verifying that MDCA can monitor the app’s activities.

This step is necessary to ensure MDCA has the necessary permissions and configurations to monitor App1. It comes after the Conditional Access policy because the policy enables the integration, and now MDCA needs to be set up to handle the app.

Step 4: From Microsoft Defender for Cloud Apps, create a session policy.

Finally, you create a session policy in MDCA to define the real-time monitoring and control rules for App1. A session policy in MDCA allows you to monitor user activities (e.g., file downloads, data sharing) and apply actions (e.g., block, notify) based on predefined conditions.

This step is the last because it relies on the previous steps: the app must be registered, the Conditional Access policy must route sessions to MDCA, and the Connected apps settings must be configured for MDCA to recognize App1. Only then can you define session policies to enforce real-time monitoring.

Why This Order?

The order ensures a logical flow:

Registering the app in Microsoft Entra ID establishes the app’s identity in the tenant.

The Conditional Access policy enables the integration with MDCA by routing sessions through it.

Modifying the Connected apps settings in MDCA ensures the app is properly set up for monitoring.

Creating a session policy in MDCA defines the specific monitoring and control rules for real-time session-level monitoring.

Deviating from this order would result in errors. For example, creating a session policy in MDCA before registering the app in Microsoft Entra ID would fail because MDCA wouldn’t recognize the app.

Additional Considerations:

The Microsoft 365 E5 license includes Microsoft Entra ID P2 and Microsoft Defender for Cloud Apps, so no additional licensing is required for this scenario.

If App1 is not a supported app for MDCA’s app connectors, additional steps (e.g., using a custom app connector) might be needed, but the question implies App1 can be monitored with the standard process.

Session policies in MDCA can include actions like blocking downloads or requiring step-up authentication, which are applied in real time during the user’s session.

Conclusion:The correct order to enable real-time session-level monitoring of App1 using Microsoft Defender for Cloud Apps is:

Register App1 in Microsoft Entra ID.

Create a conditional access policy that has session controls configured.

From Microsoft Defender for Cloud Apps, modify the Connected apps settings for App1.

From Microsoft Defender for Cloud Apps, create a session policy.

User1 must request access to App1 before they can use the app: No

If User2 requests access to App1, they will be added to Group1 automatically: Yes

User2 can approve App1 requests by using the Microsoft Entra admin center: Yes

Let’s break this down step by step based on Microsoft Entra ID self-service application access and the configured settings, as outlined in Microsoft Identity and Access Administrator documentation.

Understanding Self-Service Application Access in Microsoft Entra ID:

Self-service application access in Microsoft Entra ID allows users to request access to applications without needing an administrator to manually assign them. This is configured on a per-application basis.

The settings for App1 are:

Allow users to request access to this application: Yes– Users can request access to App1.

To which group should assigned users be added: Group1– Users who are granted access will be added to Group1, which provides the necessary permissions to use App1.

Require approval before granting access to this application: Yes– Access requests must be approved before the user is added to Group1.

Who is allowed to approve access to this application: User2– User2 is the designated approver for access requests to App1.

Statement 1: User1 must request access to App1 before they can use the app.

Analysis:

User1 is already a member of Group1, as stated in the question.

The self-service settings specify that users who are granted access to App1 will be added to Group1. This implies that membership in Group1 is what grants access to App1.

Since User1 is already a member of Group1, they already have access to App1. In Microsoft Entra ID, if a user is already assigned to an application (either directly or via group membership), they do not need to request access through the self-service process—they can simply use the app.

The self-service access request process is for users who are not yet assigned to the app (i.e., not in Group1). Since User1 is already in Group1, they do not need to request access.

Conclusion:This statement isNo. User1 does not need to request access because they are already a member of Group1 and can use App1 immediately.

Statement 2: If User2 requests access to App1, they will be added to Group1 automatically.

Analysis:

User2 is not a member of Group1 (the question does not state that User2 is in Group1).

The self-service settings allow users to request access to App1, and the setting "To which group should assigned users be added: Group1" means that users who are granted access will be added to Group1.

However, the setting "Require approval before granting access to this application: Yes" means that User2’s request must be approved before they are added to Group1. The approver for App1 requests is User2 themselves, which introduces a potential conflict.

In Microsoft Entra ID, if a user is both the requester and the approver, the system typicallyallows them to approve their own request (unless additional policies prevent this, which is not specified in the question). Therefore, User2 can request access and approve their own request.

Once the request is approved, User2 will be added to Group1 automatically as per the self-service settings. The term "automatically" in the statement refers to the process after approval—once approved, the addition to Group1 happens without further manual intervention.

Conclusion:This statement isYes. If User2 requests access to App1 and approves their own request, they will be added to Group1 automatically.

Statement 3: User2 can approve App1 requests by using the Microsoft Entra admin center.

Analysis:

The self-service settings specify that User2 is the designated approver for access requests to App1.

In Microsoft Entra ID, approvers can manage access requests through the Microsoft Entra admin center (via the "My Access" portal or the "Access Requests" section, depending on their role and permissions).

User2, as the designated approver, will receive a notification (via email or the My Access portal) when a request is made. They can then log into the Microsoft Entra admin center, navigate to the access requests section, and approve or deny the request.

Even though User2 is not explicitly an admin, the fact that they are designated as the approver for App1 requests grants them the ability to approve requests through the Microsoft Entra admin center.

Conclusion:This statement isYes. User2 can approve App1 requests using the Microsoft Entra admin center.

Additional Considerations:

If User2 were not allowed to approve their own request (e.g., due to a separation of duties policy), Statement 2 might be affected. However, Microsoft Entra ID does not enforce such a restriction by default, and the question does not specify any additional policies.

The Microsoft Entra admin center is the primary interface for managing access requests, but users can also approve requests via email links or the My Access portal. The statement specifically mentions the admin center, which is a valid method.

Conclusion:

Statement 1:No– User1 does not need to request access since they are already in Group1.

Statement 2:Yes– User2 will be added to Group1 automatically after their request is approved (by themselves).

Statement 3:Yes– User2 can approve requests using the Microsoft Entra admin center.

In Azure AD Identity Protection, a sign-in risk policy can trigger Conditional Access controls (like MFA) when risky sign-ins are detected.

According to the SC-300 training module “Implement and manage user risk policies”, a sign-in risk is associated with a specific authentication attempt, for instance, when a user connects from an anonymous IP address, TOR network, or unfamiliar location. To enforce MFA only when such sign-in conditions are detected, administrators must use a sign-in risk policy.

Microsoft states: “Sign-in risk policies can enforce MFA or block access when sign-in risk meets the configured threshold, such as sign-ins from anonymous IPs.”

Conditional Access policies control access based on conditions such as user risk, device state, or application context. They do not directly affect account authentication or respond to disabled account states in Active Directory.

If a user’s on-premises account is disabled, Azure AD still allows cached credentials to authenticate until the next sync (if using PHS). Conditional Access cannot force immediate disablement — it only acts after successful authentication attempts.

From Microsoft Learn:

“Conditional Access evaluates access after authentication and cannot prevent sign-in for disabled or deleted accounts during synchronization delay.”

Therefore, Conditional Access does not meet the goal of instantly preventing authentication when an AD account is disabled.

✅ Correct Answer: B. No

 User1 can use self-service password reset (SSPR) to reset his password: Yes

 If User1 accesses Microsoft Exchange Online, he will be authenticated by an on-premises domain controller: Yes

 User2 can be added to a Microsoft SharePoint Online site as a member: No

Based on Microsoft’s SC-300 Study Guide, Exam Ref SC-300: Microsoft Identity and Access Administrator, and Azure AD documentation, Azure AD Connect synchronization is governed by OU filtering, authentication method, and synchronization scope.

In this configuration, Azure AD Connect is set to “Sync selected domains and OUs,” and only OU1 is selected. Therefore, only objects (users, groups, etc.) located in OU1 are synchronized to Azure AD.

User1 (in OU1) is synchronized to Azure AD. Since password writeback is enabled (as seen in the configuration “Enable password writeback”), User1 can perform Self-Service Password Reset (SSPR) from Azure AD, and the change will write back to on-premises AD.Hence, the first statement is Yes.

Pass-through authentication is also enabled in the configuration (“Enable Pass-through authentication”). With PTA, when User1 accesses Microsoft 365 services (like Exchange Online), the authentication request is forwarded from Azure AD to an on-premises domain controller via the PTA agent. Therefore, authentication is handled by the local AD DS.Hence, the second statement is Yes.

User2 (in OU2) is not synchronized, as OU2 was not selected in the Domain/OU filtering configuration. This means User2 does not exist in Azure AD and cannot be granted access to Microsoft 365 resources, including SharePoint Online.Hence, the third statement is No.

This logic aligns with Microsoft documentation under “Configure filtering for Azure AD Connect,” which states:

“Only objects from selected domains and organizational units are synchronized. Users outside selected OUs are excluded from Azure AD and cannot authenticate or access cloud resources.”

According to the Microsoft Identity and Access Administrator (SC-300) Study Guide and Microsoft Learn module: “Discover and manage shadow IT” within Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security), the Cloud app catalog is the authoritative reference database that contains detailed risk assessments of thousands of cloud applications discovered within your organization.

Each application in the cloud app catalog is automatically evaluated against a large set of security and compliance criteria — over 80 risk factors including authentication requirements, encryption standards, data ownership, regulatory compliance, and certifications. This catalog helps administrators identify which discovered or sanctioned applications do not require user authentication, which is a critical factor when evaluating application risk posture.

From the Microsoft 365 Defender portal, administrators can open Defender for Cloud Apps → Cloud Discovery → Cloud app catalog. Within this interface, you can filter and sort apps by authentication type, specifically reviewing those listed with “No authentication” or “Not supported”. This allows quick identification of unsecured or unauthenticated apps that could pose risks to enterprise data and identity protection.

Microsoft’s documentation emphasizes:

“The Cloud app catalog provides detailed information about each discovered application, including whether the app supports user authentication and what authentication methods are required.”

Options A and B (queries and reports) are used for analyzing discovered app traffic data, not intrinsic app properties. Option C (OAuth policy) monitors app permissions, not authentication requirements.

In the SC-300 materials on Microsoft Entra PIM for Azure resources and Azure Key Vault authorization, you’re guided to use Azure RBAC (data-plane roles)—not legacy access policies—when you need time-bound, approvable, least-privilege access managed through PIM. The guide explains that PIM can make users Eligible or Active for Azure resource roles and that Key Vault provides specific data actions via built-in RBAC roles. For secrets, the roles are scoped to a vault (and can be further restricted by resource scope) and are purpose-built:

Key Vault Secrets Officer — described as allowing a user to “create, read, update, and delete secrets” without granting key or certificate permissions. This precisely satisfies User1’s requirement to read and update Secret1 while keeping scope limited to secrets (least privilege compared to broader Owner/Contributor).

Key Vault Secrets User — documented to “read secret contents” only. This matches User2’s requirement to read the contents of the secrets stored in Vault2 while preventing modification or management actions.

The SC-300 coverage stresses that RBAC roles for Key Vault separate permissions for keys, secrets, and certificates, enabling least privilege and PIM governance (eligible/activation, approvals, MFA, and just-in-time) for access to sensitive data.

The AWS connector in Microsoft Defender for Cloud Apps is designed to integrate activity logs, user authentication data, and app permissions granted through OAuth. This connector enables monitoring of OAuth token use, identity federation events, and cross-service authentication.

From the official Microsoft Learn content:

“When the AWS app connector is added, Defender for Cloud Apps collects OAuth activity and permissions information to detect anomalous behavior or excessive app permissions.”

This fulfills the requirement to monitor OAuth authentication requests from AWS and its associated accounts. Therefore, adding the AWS app connector meets the goal.

To create a group named “Audit” and ensure that its members can activate the Security Reader role, follow these steps:

Open the Microsoft Entra admin center:

Sign in with an account that has the Security Administrator or Global Administrator role.

Navigate to Groups:

Go toTeams & groups>Active teams and groups1.

Create the security group:

Select Add a security group.

On the Set up the basics page, enter “Audit” as the group name.

Add a description if necessary and chooseNext1.

Edit settings:

On theEdit settingspage, select whether you want Microsoft Entra roles to be assignable to this group and selectNext1.

Assign roles:

After creating the group, go to Roles > All roles.

Find and select the Security Reader role.

Under Assignments, choose Assign.

Select the “Audit” group to assign the role to its members2.

Review and finish:

Review the settings to ensure the “Audit” group is created with the ability for its members to activate the Security Reader role.

Finish the setup and save the changes.

By following these steps, you will have created the “Audit” group and enabled its members to activate the Security Reader role, which allows them to view security-related information without having permissions to change it. Remember to communicate the new group and role assignment to the relevant stakeholders in your organization.

To deploy Multi-Factor Authentication (MFA) for only the members of the Sg-Finance group, excluding Debra Berger, and without using a Conditional Access policy, you can follow these steps:

Open the Microsoft Entra admin center:

Sign in as a Security Administrator or Global Administrator.

Navigate to MFA settings:

Go to Users > Active users.

On the Active users page, select Multi-factor authentication.

Manage user settings:

Find and select the Sg-Finance group.

Enable MFA for this group by setting the requirement status to Enabled.

Exclude a user from MFA:

In the Multi-factor authentication page, search for Debra Berger.

Set her MFA status to Disabled to exclude her from MFA registration.

Verify the configuration:

Ensure that all members of the Sg-Finance group have MFA enabled except for Debra Berger.

Communicate the change:

Inform the Sg-Finance group members about the MFA requirement and provide instructions on how to register for MFA.

Monitor the setup:

Check the sign-in logs to confirm that MFA is being prompted for the Sg-Finance group members and not for Debra Berger.

To assign a Windows 10/11 Enterprise E3 license to the Sg-Retail group, you can follow these steps:

Sign in to the Microsoft Entra admin center:

Make sure you have the role of Global Administrator or License Administrator.

Navigate to the licensing page:

Go toBilling>Licenses1.

Find the Windows 10/11 Enterprise E3 license:

Look for the Windows 10/11 Enterprise E3 license in the list of available products.

Assign licenses to the group:

Select the license and then choose Assign licenses.

Search for and select the Sg-Retail group.

Confirm the assignment and make sure that the correct number of licenses is available for the group.

Review and confirm the assignment:

Ensure that the licenses have been properly assigned to the Sg-Retail group without affecting other groups or users.

Monitor the license status:

Check the license usage and status to ensure that the Sg-Retail group members can utilize the Windows 10/11 Enterprise E3 features.

By following these steps, the Sg-Retail group should now have the Windows 10/11 Enterprise E3 licenses assigned to them.

To configure the account lockout settings so that accounts are locked out for five minutes after 10 failed sign-in attempts, you can follow these steps:

Open the Microsoft Entra admin center:

Sign in with an account that has the Security Administrator or Global Administrator role.

Navigate to the lockout settings:

Go to Security > Authentication methods > Password protection.

Adjust the Smart Lockout settings:

Set the Lockout threshold to 10 failed sign-in attempts.

Set the Lockout duration (in minutes) to 5.

Please note that by default, smart lockout locks an account from sign-in after 10 failed attempts in Azure Public and Microsoft Azure operated by 21Vianet tenants1. The lockout period is one minute at first, and longer in subsequent attempts.However, you can customize these settings tomeet your organization’s requirements if you have Microsoft Entra ID P1 or higher licenses for your users1.

To implement a process for reviewing guest users’ access to the Salesforce app with the specified requirements, you can use Microsoft Entra’s Identity Governance access reviews feature. Here’s a step-by-step guide:

Assign the appropriate role:

Ensure you have one of the following roles: Global Administrator, User Administrator, or Identity Governance Administrator1.

Navigate to Identity Governance:

Sign in to the Microsoft Entra admin center.

Go toIdentity governance>Access reviews1.

Create a new access review:

Select New access review.

Choose the Salesforce app to review guest user access1.

Configure the review settings:

Set the frequency of the review to monthly.

Define thedurationof the review period to5 days1.

Determine the reviewers:

Assign the manager of each guest user as the reviewer.

If a guest user does not have a manager, assignMegan Bowenas the reviewer1.

Automate the removal process:

Configure settings toautomatically remove accessif the review is not completed within the specified time frame1.

Monitor and enforce compliance:

Regularly check the access review results to ensure compliance with the review policy1.

Communicate the process:

Inform all stakeholders about the new review process and provide guidance on how to complete the reviews.

By following these steps, you can ensure that guest users’ access to the Salesforce app is reviewed monthly, with managers being responsible for the review, and access is removed if the review is not completed in time.

To add the LinkedIn application as a resource to the Sales and Marketing access package without removing any other resources, you can follow these steps:

Sign in to the Microsoft Entra admin center:

Ensure you have the role of Global Administrator or Identity Governance Administrator.

Navigate to Entitlement Management:

Go to Identity governance > Entitlement management > Access packages1.

Select the Sales and Marketing access package:

Find and select the Sales and Marketing access package to modify it.

Add a new resource:

Within the access package details, select Resources.

Click on + Add resource.

Search for and select the LinkedIn application from the list of available resources.

Configure the resource role:

Assign the appropriate role for the LinkedIn application that users in the Sales and Marketing access package will have.

Review and update the access package:

Ensure that the LinkedIn application has been added as a resource.

Confirm that no other resources have been removed from the access package.

Save the changes:

After reviewing, save the changes to the access package.

Communicate the update:

Notify the relevant users about the addition of the LinkedIn application to their access package.

By following these steps, you will successfully add the LinkedIn application to the Sales and Marketing access package without affecting the other resources.

To ensure that users in the Sg-Operations group see a tab named “Operations” containing only LinkedIn and Box applications in the My Apps portal, you can create a collection with these specific applications. Here’s how to do it:

Sign in to the Microsoft Entra admin center:

Make sure you have one of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

Navigate to App launchers:

Go to Identity > Applications > Enterprise applications.

Under Manage, select App launchers.

Create a new collection:

Click on New collection.

Enter “Operations” as the Name for the collection.

Provide a Description if necessary.

Add applications to the collection:

Select the Applications tab within the new collection.

Click on + Add application.

Search for and select LinkedIn and Box applications.

Click Add to include them in the collection.

Assign the collection to the Sg-Operations group:

Select the Users and groups tab.

Click on + Add users and groups.

Search for and select the Sg-Operations group.

Click Select to assign the collection to the group.

Review and create the collection:

Select Review + Create to check the configuration.

If everything is correct, click Create to finalize the collection.

By following these steps, when users in the Sg-Operations group visit the My Apps portal, they will see a new tab named “Operations” that contains only the LinkedIn and Box applications1.

Please note that to create collections on the My Apps portal, you need a Microsoft Entra ID P1 or P2 license1.

To implement additional security checks for the Sg-Executive group members before they canaccess any company apps, you can use Conditional Access policies in Microsoft Entra. Here’s a step-by-step guide:

Sign in to the Microsoft Entra admin center:

Ensure you have the role of Global Administrator or Security Administrator.

Navigate to Conditional Access:

Go to Security > Conditional Access.

Create a new policy:

Select + New policy.

Name the policy appropriately, such as “Sg-Executive Security Checks”.

Assign the policy to the Sg-Executive group:

Under Assignments, select Users and groups.

Choose Select users and groups and then Groups.

Search for and select the Sg-Executive group.

Define the application control conditions:

Under Cloud apps or actions, select All cloud apps to apply the policy to any company app.

Set the device compliance requirement:

Under Conditions > Device state, configure the policy to include devices marked as compliant by Microsoft Intune.

Set the app protection policy requirement:

Under Conditions > Client apps, configure the policy to include client apps that are protected by app protection policies.

Configure the access controls:

Under Access controls > Grant, select Grant access.

Choose Require device to be marked as compliant and Require approved client app.

Ensure that the option Require one of the selected controls is enabled.

Enable the policy:

Set Enable policy to On.

Review and save the policy:

Review all settings to ensure they meet the requirements.

Click Create to save and implement the policy.

By following these steps, you will ensure that the Sg-Executive group members can only access company apps if they meet one of the specified conditions, either by using a compliant device or a protected client app. This enhances the security posture of your organization by enforcing stricter access controls for executive-level users.

To ensure that all users can consent to apps that require permission to read their user profile and prevent them from consenting to apps that require any other permissions, you can configure the user consent settings in the Microsoft Entra admin center. Here’s how you can do it:

Sign in as a Global Administrator:

Access the Microsoft Entra admin center with Global Administrator privileges.

Navigate to user consent settings:

Go toIdentity>Applications>Enterprise applications>Consent and permissions>User consent settings1.

Configure the consent settings:

Under User consent for applications, select the option that allows users to consent to apps that only require permission to read their user profile.

Ensure that all other permissions are set to require administrator consent, thus preventing users from consenting to apps that require additional permissions1.

Save the settings:

After configuring the consent settings, select Save to apply the changes.

By following these steps, you will have configured the system to allow user consent for apps that need to read the user profile while blocking consent for apps that require additional permissions. This setup helps maintain user autonomy where appropriate while safeguarding against unauthorized access to broader permissions.

To prevent all users from using legacy authentication protocols when authenticating to Microsoft Entra ID, you can create a Conditional Access policy that blocks legacy authentication. Here’s how to do it:

Sign in to the Microsoft Entra admin center:

Ensure you have the role of Global Administrator or Conditional Access Administrator.

Navigate to Conditional Access:

Go to Security > Conditional Access.

Create a new policy:

Select + New policy.

Give your policy a name that reflects its purpose, like “Block Legacy Auth”.

Set users and groups:

Under Assignments, select Users or workload identities.

Under Include, select All users.

Under Exclude, select Users and groups and choose any accounts that must maintain the ability to use legacy authentication.It’s recommended to exclude at least one account to prevent lockout1.

Target resources:

Under Cloud apps or actions, select All cloud apps.

Set conditions:

Under Conditions > Client apps, set Configure to Yes.

Check only the boxes for Exchange ActiveSync clients and Other clients.

Configure access controls:

Under Access controls > Grant, select Block access.

Enable policy:

Confirm your settings and set Enable policy to Report-only initially to understand the impact.

After confirming the settings using report-only mode, you can move theEnable policytoggle fromReport-onlytoOn2.

By following these steps, you will block legacy authentication protocols for all users, enhancing the security posture of your organization by requiring modern authentication methods. Remember to monitor the impact of this policy and adjust as necessary to ensure business continuity.