SC-300 Microsoft Identity and Access Administrator Questions and Answers

To answer this question correctly, we must reference the supported cloud platforms for Microsoft Entra Permissions Management (formerly known as CloudKnox).

1. What is Microsoft Entra Permissions Management? Microsoft Entra Permissions Management is a Cloud Infrastructure Entitlement Management (CIEM) solution. Its primary purpose is to discover, remediate, and monitor permission risks for any identity and any resource across your multi-cloud infrastructure.

2. Supported Cloud Platforms: According to the official Microsoft Entra Permissions Management documentation, the service provides comprehensive visibility and control over permissions for the following specific cloud providers:

Microsoft Azure

Amazon Web Services (AWS)

Google Cloud Platform (GCP)

3. Analysis of the Options:

Alibaba Cloud: While Microsoft Defender for Cloud (CSPM) and Azure AD (for SSO) have integrations with Alibaba Cloud, Microsoft Entra Permissions Management explicitly supports only the three major public clouds listed above (Azure, AWS, and GCP). It does not currently support Alibaba Cloud for entitlement and permission management.

The Scenario: You have already configured it for Azure. You need to identify which additional platforms from the list (Alibaba, AWS, GCP) can be managed.

Conclusion: Since Alibaba Cloud is not supported, the only remaining valid platforms from your list are AWS and GCP.

Reference Extract:

"Microsoft Entra Permissions Management is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities... across cloud infrastructures Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP)."

User1 is eligible for the Application Administrator role and needs to configure an Application Proxy connector group. Application Proxy is an Azure AD feature used to publish on-premises applications securely.

To activate the eligible role, User1 must perform a Privileged Identity Management (PIM) activation within the Azure AD admin center.

From Microsoft Documentation:

“Privileged Identity Management (PIM) role activations are performed in the Azure AD admin center under Azure AD → Privileged Identity Management → My roles.”

Activation steps are not available through Microsoft 365 or Defender portals.

In the SC-300 materials on Microsoft Entra PIM for Azure resources and Azure Key Vault authorization, you’re guided to use Azure RBAC (data-plane roles)—not legacy access policies—when you need time-bound, approvable, least-privilege access managed through PIM. The guide explains that PIM can make users Eligible or Active for Azure resource roles and that Key Vault provides specific data actions via built-in RBAC roles. For secrets, the roles are scoped to a vault (and can be further restricted by resource scope) and are purpose-built:

Key Vault Secrets Officer — described as allowing a user to “create, read, update, and delete secrets” without granting key or certificate permissions. This precisely satisfies User1’s requirement to read and update Secret1 while keeping scope limited to secrets (least privilege compared to broader Owner/Contributor).

Key Vault Secrets User — documented to “read secret contents” only. This matches User2’s requirement to read the contents of the secrets stored in Vault2 while preventing modification or management actions.

The SC-300 coverage stresses that RBAC roles for Key Vault separate permissions for keys, secrets, and certificates, enabling least privilege and PIM governance (eligible/activation, approvals, MFA, and just-in-time) for access to sensitive data.

To enable Security defaults for contoso.com, you should first sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator. Then, browse to Azure Active Directory > Properties and select Manage security defaults. Set the Enable security defaults toggle to Yes and select Save.

After that, you can assign Admin1 the Identity Administrator role for Au1 to enable them to manage security defaults for the tenant.

https://practical365.com/what-are-azure-ad-security-defaults-and-should-you-use-them/

SC-300 teaches using Conditional Access session controls with SharePoint and OneDrive to protect data on unmanaged devices. The documentation states: “Session controls allow limiting the experience within cloud apps, including Use app enforced restrictions to apply SharePoint Online policies like block download on unmanaged devices.” It defines unmanaged as devices that are “not compliant or not hybrid Azure AD joined.” The scenario requires blocking download/sync only for user-owned (registered) devices, while allowing access for company-owned (joined/compliant) devices—precisely what session controls achieve. Activity or app-discovery policies in Microsoft Defender for Cloud Apps (MCAS) are not required here, and client apps conditions target protocol types rather than shaping in-app actions. Therefore, create a Conditional Access policy targeting SharePoint Online, scope to devices that are not compliant or not hybrid joined, and set Session → Use app enforced restrictions (or Sign-in frequency + Conditional Access App Control) to block download, satisfying the SC-300 guidance for selective data exfiltration protection.

In Azure AD Connect, filtering which users synchronize is achieved via synchronization rules. The SC-300 study content explains that to exclude objects based on an on-premises attribute (for example, extensionAttribute15=NoSync), you create an inbound rule on the Active Directory Domain Services (AD DS) connector. Inbound rules control the flow of data from AD DS into the metaverse, where you can use a scoping filter to mark objects as filtered (often via the cloudFiltered projection), preventing them from being provisioned to Azure AD. The official guidance highlights that inbound rules on the AD DS connector are used for attribute-based filtering and that export or run profiles (Full Import/Export) do not define logic; they only execute the configured rules. Therefore, to stop users with extensionAttribute15=NoSync from syncing, you create an inbound synchronization rule on the AD DS connector with a condition on that attribute to exclude those users from synchronization.

In Azure AD B2B bulk invitations, the portal and CSV workflow require two core fields: the external user’s email address and the Invite Redirect URL that determines where the guest is sent to redeem the invitation. The study guide notes that the bulk invite template “must include the guest’s email address” and that “InviteRedirectUrl is required to define the post-invite redemption target (such as MyApps or a specific app).” Usernames and passwords are not supplied for B2B guests because “guest accounts authenticate with their home identity provider,” and there is no shared key involved in the invitation. Therefore, the only mandatory parameters to successfully process a bulk B2B invite are the email address of each guest and the redirection URL used during invitation redemption.

SC-300 emphasizes using Conditional Access with named locations to scope MFA—especially to exclude trusted corporate egress IPs. The materials state that administrators can define named locations by public IP ranges and “mark them as trusted” for policy exceptions. This aligns with the requirement: enforce MFA for all users, but exempt users authenticating from the Boston office. Because Azure AD evaluates the client’s public egress address, private RFC1918 ranges are never seen by Azure AD on the internet, so defining private IP ranges would not work. Likewise, the legacy “Trusted IPs” setting belongs to the old per-user MFA service settings; SC-300 guidance prefers Conditional Access named locations for modern MFA deployments and for combining with other conditions (apps, platforms, user risk, locations). Implementing the Boston office as a named location using its public egress IP range(s), and marking it trusted, lets you exclude that location from the tenant-wide MFA policy while still meeting the broader requirement to enforce MFA for everyone else and for on-prem apps published via Azure AD Application Proxy. In short: define Boston’s public IP as a named location and use it in your Conditional Access policy exclusion to satisfy the exemption precisely and securely.

According to Microsoft Learn: “Configure Attribute-Based Access Control (ABAC) for Azure resources”, ABAC allows you to assign access permissions based on resource attributes and user attributes (claims).

Currently, ABAC is available for Azure Storage (Blob and Queue) and Azure Key Vault (limited preview for specific scenarios). However, the generally available and supported ABAC implementation as per SC-300 and Azure documentation is for Azure Storage accounts.

This means that you can use ABAC in storage1 to grant fine-grained access (for example, based on object tags or user department claims) while resources like VM1, App1, and Vault1 still rely on traditional RBAC (role-based access control).

In the SC-300 coverage of Azure AD Connect and Identity Governance, Microsoft explains that to surface a custom on-premises attribute in Azure AD you must enable Directory extensions in Azure AD Connect. The guide states that “Directory extensions lets you synchronize additional attributes from on-premises Active Directory to Azure AD so they are available in the cloud directory for apps and policy.” This is the supported way to bring a custom attribute (here, LWLicenses) from the litware.com forest into Azure AD so it can be referenced by cloud features such as dynamic group rules. Domain filtering or optional features do not expose a new attribute to Azure AD; directory extensions does.

For license automation, the SC-300 materials on group-based licensing and dynamic groups emphasize that “licenses can be assigned to Azure AD groups; group members then inherit the licenses, and when membership changes, licenses are added or removed automatically.” They further note that “dynamic user groups evaluate rules against user attributes to add or remove users without manual effort,” and that “nested groups are not supported for license inheritance—only direct members receive licenses.” Using the synced LWLicenses attribute in a Dynamic User group rule (for example, user.extensionAttribute… -eq "E5") ensures users are automatically added to the correct group and therefore receive the specified licenses without administrative intervention, fully meeting Litware’s requirement to “manage the assignment of Azure AD licenses by modifying the value of the LWLicenses attribute.”

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and the Microsoft Learn module “Monitor and respond to Azure AD events with Azure Sentinel”, multi-staged attacks are advanced threat scenarios that require correlation of multiple events — for example, a suspicious sign-in followed by abnormal Office 365 activity.

The scenario in the question states:

“Litware wants to use the Fusion rule in Azure Sentinel to detect multi-staged attacks that include a combination of suspicious Azure AD sign-ins followed by anomalous Microsoft Office 365 activity.”

Azure Sentinel’s Fusion rule is a built-in, machine-learning–driven correlation rule that automatically detects multi-stage attacks by analyzing anomalies across multiple data sources such as Azure AD sign-in logs, Office 365 activity, and security alerts.

However, to fine-tune detection or meet specific organizational monitoring requirements, administrators can customize the rule logic in Sentinel analytics. This allows you to define how different signals and events are correlated, what thresholds trigger an alert, and how Sentinel interprets combined anomalies.

Microsoft documentation states:

“Fusion uses correlation logic in analytics rules to detect complex multi-stage attacks. Administrators can customize rule logic to meet specific detection requirements and fine-tune alert sensitivity.”

The other options do not meet the requirement:

B. Create a workbook → Used for visualization and reporting, not detection.

C. Add data connectors → Used to ingest data sources; this is already configured.

D. Add a playbook → Used for automated response, not for detection logic configuration.

✅ Correct Answer: A. Customize the Azure Sentinel rule logic

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and Microsoft Learn modules “Implement and manage Azure AD roles” and “Implement Privileged Identity Management (PIM)”, there is a clear distinction between Azure AD built-in roles and Azure (resource-based) built-in roles.

Azure AD built-in roles govern directory-level access — such as managing users, groups, enterprise apps, or security settings in Azure Active Directory (Entra ID).The Privileged Role Administrator role allows the user to manage role assignments for directory roles in Azure AD, including activating roles through PIM.The Global Administrator also has this capability, but the Privileged Role Administrator is the least privilege role that meets the delegation requirement — aligning with the principle of least privilege stated in the scenario.As the documentation notes:

“Privileged Role Administrator manages role assignments in Azure AD, including the ability to activate and assign roles through Azure AD Privileged Identity Management.”

Azure built-in roles, on the other hand, are used to control access at the Azure resource level — for subscriptions, resource groups, and individual resources.The role responsible for managing these assignments is the User Access Administrator.This role can grant or revoke access to Azure resources by managing role assignments within Azure RBAC (Role-Based Access Control).The Microsoft documentation states:

“User Access Administrator allows management of user access to Azure resources. It can assign roles in Azure RBAC for resources, subscriptions, and management groups.”

Therefore:

✅ To manage Azure AD built-in role assignments → Privileged role administrator

✅ To manage Azure built-in role assignments → User access administrator

This approach satisfies the delegation requirement mentioned in the scenario by assigning the least-privileged roles necessary for each type of role management task.

In Azure AD Identity Governance, application access granted through Entitlement management is organized around catalogs and access packages. The SC-300 study materials explain that “a catalog is a container for resources and access packages” and that you must add your enterprise applications (or the groups tied to those apps) to a catalog before you can build access packages that users can request. Creating the catalog first enables you to place only the required resources in scope and to delegate day-to-day ownership: “catalog owners can manage the resources and access packages within their catalog without being tenant-wide admins,” satisfying the delegation requirement to use custom catalogs and least privilege. After the catalog exists, you create one or more access packages that include the application (or groups) and policies that control who can request, how they are approved, and for how long. Identity Governance then lets you track access package assignments and review who has the app over time. By contrast, programs are used to group and report on governance initiatives (for example, collections of access reviews) rather than to onboard application resources; and modifying user/admin consent settings affects app consent behavior, not the lifecycle tracking of assignments. Therefore, the correct first step to track application access assignments while meeting the delegation requirements is to create a catalog.

According to the Microsoft Identity and Access Administrator (SC-300) Exam Ref and the Azure AD Dynamic Membership Rules documentation, when you create a dynamic group in Azure Active Directory (now Entra ID), you define rules that automatically add or remove users based on their attributes.

The scenario requires a group named LWGroup1 that contains all Azure AD user accounts for Litware but excludes all guest accounts. In Azure AD, internal users created within the tenant are designated with the attribute user.userType = "Member", while external or guest accounts from partner organizations have user.userType = "Guest".

To ensure only internal (Litware) users are included, the membership rule must:

Ensure the user object exists — by checking (user.objectId -ne null) which confirms that the rule only applies to valid user objects.

Include only members, excluding guests — by filtering with (user.userType -eq "Member").

Hence, the dynamic rule that satisfies these conditions is:

(user.objectId -ne null) and (user.userType -eq "Member")

This rule guarantees that LWGroup1 dynamically includes all internal users from litware.com and excludes all external users or guest accounts (such as Fabrikam users).

This logic aligns precisely with the Microsoft Learn module “Manage groups in Azure Active Directory” and SC-300 study guide section “Implement and manage dynamic membership rules”, which states:

“Use user.userType to distinguish between internal members and external guests when configuring membership rules for dynamic groups.”

✅ Correct Answer:

(user.objectId -ne null) and (user.userType -eq "Member")

Server1

On DC1

Azure AD Password Protection has two components: the DC agent (installed on domain controllers) and the proxy service (installed on one or more member servers). The SC-300 materials and Microsoft Identity Governance guidance explain that the proxy service is required when domain controllers do not have direct internet access. The proxy retrieves the password protection policy and custom banned password list from Azure AD over outbound HTTPS and makes it available to DC agents. The documentation further states that you should deploy at least one proxy per forest and two for high availability, and that domain controllers do not need internet connectivity when a proxy is deployed. In this scenario, DCs are explicitly blocked from internet access, so the proxy must be placed on member servers. Both SERVER1 (Application Proxy connector) and SERVER2 (Azure AD Connect) are domain-joined member servers with internet connectivity and are appropriate locations for the AzureADPasswordProtectionProxy service; selecting both provides the recommended redundancy. The custom banned password list is configured in Azure AD at the tenant level (as part of Azure AD Password Protection settings), not on individual servers. Once configured, the policy and list are downloaded by the proxy and enforced by the DC agent during password set or change operations, satisfying the requirement to implement a banned password list for the litware.com forest.

In SC-300, Azure AD Identity Protection is the prescribed control to “automatically detect and remediate externally leaked credentials.” That specific user risk—Leaked credentials—relies on Microsoft comparing known breached username/password pairs with what Azure AD can evaluate. The study materials explain that Identity Protection “detects leaked credentials when Microsoft finds a match with the user’s current credentials,” and also note that password hash synchronization (PHS) can be enabled even if your sign-in method is Pass-through Authentication or federation. A common exam call-out is that without PHS, Azure AD has no hash to compare, so the leaked-credential signal is unavailable. Enabling PHS (you can keep PTA as the active sign-in method) allows Identity Protection to raise user risk and enforce policy actions such as require password change or block access. By contrast, Azure AD Password Protection addresses banned/weak passwords at change time, not breached-credential telemetry; federation choices (e.g., PingFederate) don’t deliver the leaked-credential signal; and authentication method policy controls how users perform MFA (e.g., methods) rather than whether leaked credentials are detected. Therefore, to meet the requirement to “automatically detect and remediate externally leaked credentials,” the minimum correct step is to enable password hash synchronization while retaining PTA—exactly as recommended in SC-300 guidance.

SC-300 materials stress that to enforce modern controls (like MFA) on on-premises apps, you must front them with Azure AD so Conditional Access can evaluate sign-ins. The documentation states that Azure AD Application Proxy “provides secure remote access to on-premises applications” and that apps published through it can have “Conditional Access policies, including multifactor authentication” applied at sign-in. In other words, once the legacy app is published by Application Proxy, Azure AD sits in the path, enabling you to meet the requirement to enforce MFA when accessing on-premises applications and to combine it with your location-based exemptions.

For SharePoint Online restrictions, SC-300 points to Microsoft Cloud App Security (Defender for Cloud Apps) for real-time governance: you can create session policies that “control and limit activities in real time” and, for SharePoint Online and other Microsoft 365 apps, “monitor user sessions and block download, cut, copy, and print” when conditions (device state, risk, or location) warrant it. Since the scenario already has anomaly detections enabled, configuring Cloud App Security policies aligns directly with the requirement to place access restrictions on SharePoint Online without altering tenant-wide consent settings. Thus, publish on-prem apps with Application Proxy to bring them under Conditional Access (for MFA), and use Cloud App Security policies to enforce SharePoint Online session and download controls.