Microsoft Identity and Access Administrator - SC-300 Exam Practice Test
You have an Azure AD tenant
You configure User consent settings to allow users to provide consent to apps from verified publishers.
You need to ensure that the users can only provide consent to apps that require low impact permissions.
What should you do?
Correct Answer: A
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 E5 subscription.
You create a user named User1.
You need to ensure that User1 can update the status of identity Secure Score improvement actions.
Solution: You assign the User Administrator role to User1.
Does this meet the goal?
Correct Answer: A
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Cloud Apps.
You need to identify which users access Facebook from their devices and browsers. The solution must minimize administrative effort.
What should you do first?
Correct Answer: B
Your company has two divisions named Contoso East and Contoso West. The Microsoft 365 identity architecture for both divisions is shown in the following exhibit.

You need to assign users from the Contoso East division access to Microsoft SharePoint Online sites in the Contoso West tenant. The solution must not require additional Microsoft 365 licenses.
What should you do?
Correct Answer: B
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Cloud Apps and Conditional Access policies. You need to block access to cloud apps when a user is assessed as high risk.
Which type of policy should you create in the Microsoft Defender for Cloud Apps?
Correct Answer: A
You have a Microsoft Entra tenant that contains the users shown in the following table.

The tenant contains the Microsoft 365 groups shown in the following table.

You create an access review named Access1 that has the following settings:
* Select what to review: Teams + Groups
* Review scope: All Microsoft groups with guest users
* Scope: Guest users only
* Select reviewers: Users review their own access
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

You have an Azure Active Directory (Azure AD) tenant that has an Azure Active Directory Premium Plan 2 license. The tenant contains the users shown in the following table.

You have the Device Settings shown in the following exhibit.

User1 has the devices shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.


Correct Answer:
* User1 can join four additional Windows 10 devices to Azure AD: No
* Admin1 can set "Devices to be Azure AD joined or Azure AD registered require Multi-Factor Authentication" to Yes: Yes
* Admin2 is a local administrator on Device3: No

Explanation:
This scenario draws from the module "Manage device identities in Azure Active Directory" in the Microsoft SC-300 Official Study Guide and Microsoft Learn content.

Statement 1: User1 can join four additional Windows 10 devices to Azure AD - No. In the Device Settings, "Maximum number of devices per user" is configured as 5. User1 already has one Azure AD joined device (Device1) and three Azure AD registered devices (Device2, Device3, Device4). Because both Azure AD joined and Azure AD registered devices count toward the same limit, User1 has already registered 4 devices and can add only one more, not four additional Windows 10 devices. Therefore, the statement is No. Microsoft documentation states: "The maximum number of devices per user setting applies collectively to all Azure AD-joined and Azure AD-registered devices."

Statement 2: Admin1 can set "Devices to be Azure AD joined or Azure AD registered require MFA" to Yes - Yes. The Cloud Device Administrator role (Admin1's role) has the delegated permissions to manage device settings in Azure AD, including enforcing MFA requirements for device registration and join operations. The role allows management of the Azure AD device configuration blade, including toggling settings such as MFA for join/register, join limits, and device ownership policies. Therefore, Admin1 can enable the MFA requirement for device join/registration. As per Microsoft Learn: "Cloud Device Administrator can manage all aspects of device settings, including device join and registration MFA requirements."

Statement 3: Admin2 is a local administrator on Device3 - No. Admin2 holds the Device Administrator role. However, per Microsoft's documentation, only Azure AD-joined Windows 10 devices grant local administrator rights to users in the Device Administrator role. Azure AD-registered devices (such as Device3) are personal devices that do not receive local administrator assignments through Azure AD roles. Since Device3 is Azure AD registered, not joined, Admin2 is not a local administrator on it. Microsoft guidance clarifies: "Users assigned to the Device Administrator role are added as local administrators only on Azure AD-joined devices, not on Azure AD-registered or hybrid devices."
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 E5 subscription.
You create a user named User1.
You need to ensure that User1 can update the status of identity Secure Score improvement actions.
Solution: You assign the SharePoint Administrator role to User1
Does this meet the goal?
Correct Answer: A
You have a Microsoft 365 subscription.
You plan to deploy an app named App1 that will have the following configurations:
* Will be registered in Microsoft Entra
* Will run as a service without user interaction
* Will collect audit logs associated with user sign-ins
* Will access resources by using the Microsoft Graph API
You need to ensure that App1 can access Microsoft Graph.
What should you use?
Correct Answer: A
You have an Azure Active Directory (Azure AD) tenant that contains a user named SecAdmin1. SecAdmin1 is assigned the Security administrator role.
SecAdmin1 reports that she cannot reset passwords from the Azure AD Identity Protection portal.
You need to ensure that SecAdmin1 can manage passwords and invalidate sessions on behalf of nonadministrative users. The solution must use the principle of least privilege.
Which role should you assign to SecAdmin1?
Correct Answer: B
You have an Azure subscription that contains the resources shown in the following table.

The subscription uses Privileged Identity Management (PIM).
You need to configure the following access controls by using PIM:
* Ensure that User1 can read and update Secret1.
* Ensure that User2 can read the contents of the secrets stored in Vault2.
The solution must follow the principle of least privilege.
Which authorization method should you use for each user? To answer, drag the appropriate authorization methods to the correct users. Each authorization method may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.


Correct Answer:

Explanation:

In the SC-300 materials on Microsoft Entra PIM for Azure resources and Azure Key Vault authorization, you're guided to use Azure RBAC (data-plane roles), not legacy access policies, when you need time-bound, approvable, least-privilege access managed through PIM. The guide explains that PIM can make users Eligible or Active for Azure resource roles and that Key Vault provides specific data actions via built-in RBAC roles. For secrets, the roles are scoped to a vault (and can be further restricted by resource scope) and are purpose-built:
* Key Vault Secrets Officer - described as allowing a user to "create, read, update, and delete secrets" without granting key or certificate permissions. This precisely satisfies User1's requirement to read and update Secret1 while keeping the scope limited to secrets (least privilege compared to the broader Owner/Contributor roles).
* Key Vault Secrets User - documented to "read secret contents" only. This matches User2's requirement to read the contents of the secrets stored in Vault2 while preventing modification or management actions.
The SC-300 coverage stresses that RBAC roles for Key Vault separate permissions for keys, secrets, and certificates, enabling least privilege and PIM governance (eligible/activation, approvals, MFA, and just-in-time access) for access to sensitive data.
You have a Microsoft Entra tenant.
You need to configure the following External Identities features:
* B2B collaboration
* Monthly active users (MAU)-based pricing
Which two settings should you configure? To answer, select the settings in the answer area.
NOTE: Each correct selection is worth one point.


Correct Answer:

Explanation:

According to the official Microsoft Identity and Access Administrator (SC-300) Study Guide and Microsoft Learn documentation ("Manage External Identities in Microsoft Entra ID"), External Identities in Microsoft Entra ID allow organizations to collaborate securely with users outside the organization using features like B2B collaboration and B2C self-service sign-up.
Let's analyze the two required configurations:
* B2B Collaboration: The External collaboration settings page is where administrators configure how external users (guests) interact with internal resources. This includes settings for guest user invitations, collaboration restrictions, redemption policies, and access permissions for B2B users. Microsoft documentation clearly states:
"Use External collaboration settings to manage the behavior and restrictions of B2B collaboration users in your directory." Therefore, to enable or adjust B2B collaboration, you must configure External collaboration settings.
* Monthly Active Users (MAU)-based pricing: Microsoft Entra External Identities pricing is based on Monthly Active Users (MAU), which must be linked to an Azure subscription for billing purposes. This configuration is found under Linked subscriptions. Microsoft's documentation explains:
"To enable MAU-based billing for your External Identities, you must link your Microsoft Entra tenant to an Azure subscription under the 'Linked subscriptions' option." Linking the subscription allows Microsoft to bill based on the number of active external users each month, aligning with the MAU pricing model.
Therefore:
* B2B collaboration → External collaboration settings
* MAU-based pricing → Linked subscriptions
You have an Azure subscription that contains an Azure Automation account named Automation1.
You need to grant Automation1 access to Azure resources. The solution must meet the following requirements:
* Ensure that any permissions granted to Automation1 are removed when the account is deleted.
* Minimize administrative effort.
What should you use?
Correct Answer: C