SC-300 Microsoft Identity and Access Administrator Questions and Answers

Questions 4

Task 3

You need to add the Linkedln application as a resource to the Sales and Marketing access package. The solution must NOT remove any other resources from the access package.

Options:

Buy Now

Questions 5

Task 8

You need to prevent all users from using legacy authentication protocols when authenticating to Microsoft Entra ID.

Options:

Buy Now

Questions 6

Task 5

You need to assign a Windows 10/11 Enterprise E3 license to the Sg-Retail group.

Options:

Buy Now

Questions 7

You need to locate licenses to the A. Datum users. The solution must need the technical requirements.

Which type of object should you create?

Options:

A Dynamo User security group

An OU

A distribution group

An administrative unit

Buy Now

Questions 8

Task 2

You need to implement a process to review guest users who have access to the Salesforce app. The review must meet the following requirements:

• The reviews must occur monthly.

• The manager of each guest user must review the access.

• If the reviews are NOT completed within five days, access must be removed.

• If the guest user does not have a manager, Megan Bowen must review the access.

Options:

Buy Now

Questions 9

You create a Log Analytics workspace.

You need to implement the technical requirements for auditing.

What should you configure in Azure AD?

Options:

Company branding

Diagnostics settings

External Identities

App registrations

Buy Now

Questions 10

You need to allocate licenses to the new users from A. Datum. The solution must meet thetechnical requirements.

Which type of object should you create?

Options:

a distribution group

a Dynamic User security group

an administrative unit

an OU

Buy Now

Questions 11

Task 7

You need to lock out accounts for five minutes when they have 10 failed sign-in attempts.

Options:

Buy Now

Questions 12

Task 1

You need to deploy multi factor authentication (MFA). The solution must meet the following requirements:

• Require MFA registration only for members of the Sg-Finance group.

• Exclude Debra Berger from having to register for MFA.

• Implement the solution without using a Conditional Access policy.

Options:

Buy Now

Questions 13

You need implement the planned changes for application access to organizational data. What should you configure?

Options:

authentication methods

the User consent settings

access packages

an application proxy

Buy Now

Questions 14

You implement the planned changes for SSPR.

What occurs when User3 attempts to use SSPR? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

SC-300 Question 14

Options:

Buy Now

Questions 15

You need to meet the planned changes and technical requirements for App1.

What should you implement?

Options:

a policy set in Microsoft Endpoint Manager

an app configuratifon policy in Microsoft Endpoint Manager

an app registration in Azure AD

Azure AD Application Proxy

Buy Now

Questions 16

You need to meet the technical requirements for the probability that user identifies were compromised.

What should the users do first, and what should you configure? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

SC-300 Question 16

Options:

Buy Now

Questions 17

You need to sync the ADatum users. The solution must meet the technical requirements.

What should you do?

Options:

From the Microsoft Azure Active Directory Connect wizard, select Customize synchronization options.

From PowerShell, run Set-ADSyncScheduler.

From PowerShell, run Start-ADSyncSyncCycle.

From the Microsoft Azure Active Directory Connect wizard, select Change user sign-in.

Buy Now

Questions 18

You need to resolve the issue of the sales department users. What should you configure for the Azure AD tenant?

Options:

the User settings

the Device settings

the Access reviews settings

Security defaults

Buy Now

Questions 19

You need to meet the technical requirements for the probability that user identities were compromised.

What should the users do first, and what should you configure? To answer, select the appropriate options in the answer area.

NOTE:Each correct selection is worth one point.

SC-300 Question 19

Options:

Buy Now

Questions 20

You need to meet the technical requirements for license management by the helpdesk administrators.

What should you create first, and which tool should you use? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

SC-300 Question 20

Options:

Buy Now

Questions 21

Task 6

You need to implement additional security checks before the members of the Sg-Executive can access any company apps. The members must meet one of the following conditions:

• Connect by using a device that is marked as compliant by Microsoft Intune.

• Connect by using client apps that are protected by app protection policies.

Options:

Buy Now

Answer:

See the Explanation for the complete step by step solution.

Explanation:

To implement additional security checks for the Sg-Executive group members before they canaccess any company apps, you can use Conditional Access policies in Microsoft Entra. Here’s a step-by-step guide:

Ensure you have the role of Global Administrator or Security Administrator.

Navigate to Conditional Access:

Go to Security > Conditional Access.

Create a new policy:

Select + New policy.

Name the policy appropriately, such as “Sg-Executive Security Checks”.

Assign the policy to the Sg-Executive group:

Under Assignments, select Users and groups.

Choose Select users and groups and then Groups.

Search for and select the Sg-Executive group.

Define the application control conditions:

Under Cloud apps or actions, select All cloud apps to apply the policy to any company app.

Set the device compliance requirement:

Under Conditions > Device state, configure the policy to include devices marked as compliant by Microsoft Intune.

Set the app protection policy requirement:

Under Conditions > Client apps, configure the policy to include client apps that are protected by app protection policies.

Configure the access controls:

Under Access controls > Grant, select Grant access.

Choose Require device to be marked as compliant and Require approved client app.

Ensure that the option Require one of the selected controls is enabled.

Enable the policy:

Set Enable policy to On.

Review and save the policy:

Review all settings to ensure they meet the requirements.

Click Create to save and implement the policy.

By following these steps, you will ensure that the Sg-Executive group members can only access company apps if they meet one of the specified conditions, either by using a compliant device or a protected client app. This enhances the security posture of your organization by enforcing stricter access controls for executive-level users.

Questions 22

You need to implement the planned changes for litware.com. What should you configure?

Options:

Azure AD Connect cloud sync between the Azure AD tenant and litware.com

Azure AD Connect to include the litware.com domain

staging mode in Azure AD Connect for the litware.com domain

Buy Now

Questions 23

You need to modify the settings of the User administrator role to meet the technical requirements. Which two actions should you perform for the role? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

Options:

Select Require justification on activation

Set all assignments to Active

Set all assignments to Eligible

Modify the Expire eligible assignments after setting.

Select Require ticket information on activation.

Buy Now

Questions 24

You need to configure app registration in Azure AD to meet the delegation requirements.

What should you do? To answer, select the appropriate options in the answer area.

NOTE:Each correct selection is worth one point.

SC-300 Question 24

Options:

Buy Now

Questions 25

You need to implement the planned changes for Package1. Which users can create and manage the access review?

Options:

User3 only

User4 only

User5 only

User3 and User4

User3 and User5

User4and User5

Buy Now

Questions 26

You need to meet the planned changes for the User administrator role.

What should you do?

Options:

Create an access review.

Modify Role settings

Create an administrator unit.

Modify Active Assignments.

Buy Now

Questions 27

You need to implement the planned changes and technical requirements for the marketing department.

What should you do? To answer, select the appropriate options in the answer area.

NOTE:Each correct selection is worth one point.

SC-300 Question 27

Options:

Buy Now

Questions 28

You need to resolve the recent security incident issues.

What should you configure for each incident? To answer, drag the appropriate policy types to the correct issues. Each policy type may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

SC-300 Question 28

Options:

Buy Now

Questions 29

You have an Azure Active Directory (Azure AD) tenant that contains a user named SecAdmin1. SecAdmin1 is

assigned the Security administrator role.

SecAdmin1 reports that she cannot reset passwords from the Azure AD Identity Protection portal.

You need to ensure that SecAdmin1 can manage passwords and invalidate sessions on behalf of nonadministrative

users. The solution must use the principle of least privilege.

Which role should you assign to SecAdmin1?

Options:

Authentication administrator

Helpdesk administrator

Privileged authentication administrator

Security operator

Buy Now

Questions 30

You need to resolve the issue of the guest user invitations. What should you do for the Azure AD tenant?

Options:

Configure the Continuous access evaluation settings.

Modify the External collaboration settings.

Configure the Access reviews settings.

Configure a Conditional Access policy.

Buy Now

Questions 31

You need to resolve the issue of I-.Group1. What should you do first?

Options:

Recreate the IT-Group 1 group.

Change Membership type of IT-Group1 to Dynamic Device

Add an owner to IT_Group1.

Change Membership type of IT-Group1 to Dynamic User

Buy Now

Questions 32

You use Azure Monitor to analyze Azure Active Directory (Azure AD) activity logs.

Yon receive more than 100 email alerts each day for tailed Azure Al) user sign-in attempts.

You need to ensure that a new security administrator receives the alerts instead of you.

Solution: From Azure AD, you create an assignment for the Insights at administrator role.

Does this meet the goal?

Options:

Yes

Buy Now

Questions 33

You have an Azure Active Directory (Azure AD) tenant that uses conditional access policies.

You plan to use third-party security information and event management (SIEM) to analyze conditional access usage.

You need to download the Azure AD log that contains conditional access policy data.

What should you export from Azure AD?

Options:

sign-ins in JSON format

sign-ins in CSV format

audit logs in JSON format

audit logs in CSV format

Buy Now

Questions 34

You have an Azure AD tenant named contoso.com that has Email one-time passcode for guests set to Yes.

You invite the guest users shown in the following table.

SC-300 Question 34

Which users will receive a one-time passcode, and how long will the passcode be valid? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

SC-300 Question 34

Options:

Buy Now

Questions 35

You have an Azure Active Directory (Azure AD) tenant.

You need to review the Azure AD sign-in logs to investigate sign-ins that occurred in the past.

For how long does Azure AD store events in the sign-in logs?

Options:

14 days

30 days

90 days

365 days

Buy Now

Questions 36

You have an Azure AD tenant that contains an access package named Package1 and a user named User1. Package1 is configured as shown in the following exhibit.

SC-300 Question 36

You need to ensure that User1 can modify the review frequency of Package1. The solution must use the principle of least privilege.

Which role should you assign to User1?

Options:

Privileged role administrator

User administrator

External Identity Provider administrator

Security administrator

Buy Now

Questions 37

You have an Azure AD tenant that uses Azure AD Identity Protection and contains the resources shown in the following table.

SC-300 Question 37

Azure Multi-Factor Authentication (MFA) is enabled for all users.

User1 triggers a medium severity alert that requires additional investigation.

You need to force User1 to reset his password the next time he signs in. the solution must minimize administrative effort.

What should you do?

Options:

Configure a sign-in risk policy.

Mark User1 as compromised.

Reconfigure the user risk policy to trigger on medium or low severity.

Reset the Azure MFA registration for User1.

Buy Now

Questions 38

You have an Azure subscription that contains the resources shown in the following table.

SC-300 Question 38

The subscription contains the virtual machines shown in the following table.

SC-300 Question 38

Which identities can be assigned the Owner role for RG1, and to which virtual machines can you assign Managed2? To answer, select the appropriate options in the answer area NOTE: Each correct selection is worth one point.

SC-300 Question 38

Options:

Buy Now

Questions 39

You have an Azure Active Directory (Azure AD) tenant that contains three users named User1, User1, and User3,

You create a group named Group1. You add User2 and User3 to Group1.

You configure a role in Azure AD Privileged identity Management (PIM) as shown in the application administrator exhibit. (Click the application Administrator tab.)

SC-300 Question 39

Group1 is configured as the approver for the application administrator role.

You configure User2to be eligible for the application administrator role.

For User1, you add an assignment to the Application administrator role as shown in the Assignment exhibit. (Click Assignment tab)

SC-300 Question 39

For each of the following statement, select Yes if the statement is true, Otherwise, select No.

NOTE: Each correct selection is worth one point.

SC-300 Question 39

Options:

Buy Now

Questions 40

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant that syncs to an Active Directory forest.

You discover that when a user account is disabled in Active Directory, the disabled user can still authenticate to Azure AD for up to 30 minutes.

You need to ensure that when a user account is disabled in Active Directory, the user account is immediately prevented from authenticating to Azure AD.

Solution: You configure conditional access policies.

Does this meet the goal?

Options:

Yes

Buy Now

Questions 41

You have multiple on-premises devices that run either Windows or Linux.

You have a Microsoft 365 E5 subscription.

You configure Microsoft Entra Internet Access.

You need to ensure that all the on-premises devices route internet traffic through Global Secure Access for security policy evaluation.

What should you do in the Microsoft Entra admin center?

Options:

Deploy the Global Secure Access client.

Create a remote network.

Create a named location.

Create an access package.

Buy Now

Answer:

Explanation:

Comprehensive and Detailed In-Depth Explanation:

Let’s break this down step by step based on Microsoft Entra Internet Access, Global Secure Access, and the requirements for routing internet traffic from on-premises devices, as outlined in Microsoft Identity and Access Administrator documentation.

Understanding the Scenario and Requirements:

On-premises devices running Windows or Linux:The devices are located in an on-premises environment (e.g., a corporate office or branch) and run either Windows or Linux operating systems.

Microsoft 365 E5 subscription:This subscription includes Microsoft Entra ID P2 and Microsoft Entra Internet Access, which are part of the Global Secure Access suite. This provides the necessary licensing for the solution.

Microsoft Entra Internet Access:This is a Secure Web Gateway (SWG) solution that securesinternet and SaaS app access by routing traffic through Microsoft’s Security Service Edge (SSE) for policy evaluation (e.g., web content filtering, Conditional Access).

Requirement:All on-premises devices must route their internet traffic through Global Secure Access for security policy evaluation. Global Secure Access is the unified framework for Microsoft Entra Internet Access and Microsoft Entra Private Access, providing a centralized way to manage network traffic security.

How Global Secure Access Routes Internet Traffic:

Global Secure Access can route internet traffic in two primary ways:

Global Secure Access Client:This client is installed on individual devices (e.g., Windows, macOS, Android, iOS) and routes traffic from the device to Microsoft’s SSE for policy evaluation. The client is user-aware and integrates with Microsoft Entra ID for identity-based policies.

Remote Network:This method creates an IPsec tunnel between an on-premises network (e.g., a branch office) and Microsoft’s SSE. All internet-bound traffic from devices in the network is routed through the tunnel for security policy evaluation, without requiring a client on each device.

The question involvesmultiple on-premises devicesrunning Windows or Linux, which suggests a network-level solution may be more practical than installing a client on each device, especially since Linux support for the Global Secure Access client is limited.

Questions 42

You have an Azure subscription that containes a registered app named App1.

You need to review the sign-in activity for App1. The solution must meet the following requirements:

• Identify the number of failed sign-ins.

• Identify the success rate of sign-ins.

• Minimize administrative effort.

What should you use?

Options:

Audit logs

Usage & insights

Access reviews

Sign-in logs

Buy Now

Questions 43

You have a Microsoft 365 E5 subscription.

You plan to deploy a third-party software as a service (SaaS) app named App1.

You need to onboard App1 to Microsoft Defender for Cloud Apps. The solution must ensure that you can implement session control policies.

What should you do first?

Options:

From the Microsoft Defender portal, configure Cloud discovery.

From the Microsoft Entra admin center, configure a traffic forwarding profile.

From the Microsoft Entra admin center, configure single sign-on (SSO) for App1.

From the Microsoft Defender portal, create an OAuth app policy.

Buy Now

Questions 44

You have a Microsoft 365 E5 subscription that contains two groups named Group1 and Group2 and the users shown in the following table.

SC-300 Question 44

The subscription contains a Conditional Access policy that has the following settings:

• Name: Policy1

Target resources

• Include

• All cloud apps

• Access controls

• Grant

• Requite multifactor authentication

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

SC-300 Question 44

Options:

Buy Now

Questions 45

You have a Microsoft 365 E5 subscription.

You purchase the app governance add-on license.

You need to enable app governance integration.

Which portal should you use?

Options:

the Microsoft Defender for Cloud Apps portal

the Microsoft 365 admin center

Microsoft 365 Defender

the Azure Active Directory admin center

the Microsoft Purview compliance portal

Buy Now

Questions 46

After you answer a question in this section, you will NOT be able to return to it as a result, these questions will not appear in the review screen.

You have an Amazon Web Services (AWS) account, a Google Workspace subscription, and a GitHub account.

You deploy an Azure subscription and enable Microsoft 365 Defender.

You need to ensure that you can monitor OAuth authentication requests by using Microsoft Defender for Cloud Apps.

Solution: From the Microsoft 365 Defender portal, you add the Amazon Web Services app connector.

Does this meet the goal?

Options:

Yes

Buy Now

Questions 47

You have an Azure AD tenant.

You deploy a new enterprise application named App1.

When users attempt to provide App1 with access to the tenant, the attempt fails.

You need to ensure that the users can request admin consent for App1. The solution must follow the principle of least privilege.

What should you do first?

Options:

Enable admin consent requests for the tenant.

Designate a reviewer of admin consent requests for the tenant.

From the Permissions settings of App1, grant App1 admin consent for the tenant

Create a Conditional Access policy for Appl.

Buy Now

Questions 48

You have an Azure AD tenant named Contoso that contains a terms of use (ToU) named Terms1 and an access package. Contoso users collaborate with an external organization named Fabrikam. Fabrikam users must accept Terms1 before being allowed to use the access package.

You need to identify which users accepted or declined Terms1.

What should you use?

Options:

provisioning logs

the Usage and Insights report

sign-in logs

audit logs

Buy Now

Questions 49

You have a Microsoft 365 subscription that contains the users shown in the following table.

SC-300 Question 49

From the tenan1, you configure a naming policy for groups.

Which users are affected by the naming policy?

Options:

User2 only

User3only

User2 and User3 only

User3 and User4 only

User1, User2, and User3 only

User1, User2, User3, and User4

Buy Now

Questions 50

You have an Azure subscription.

You are evaluating enterprise software as a service (SaaS) apps.

You need to ensure that the apps support automatic provisioning of Microsoft Entra users.

Which specification should the apps support?

Options:

WS-Fed

SCIM 2.0

LDAP3

OAuth 2.0

Buy Now

Exam Code: SC-300

Exam Name: Microsoft Identity and Access Administrator

Last Update: Jun 9, 2025

Questions: 326

PDF + Testing Engine

$61.25 ~~$174.99~~

Testing Engine

$47.25 ~~$134.99~~

PDF (Q&A)

$40.25 ~~$114.99~~