Free SC-300 Sample Questions — Microsoft Identity and Access Administrator

Free SC-300 sample questions for the Microsoft Identity and Access Administrator exam. No account required: study at your own pace.


Question 1

You have a Microsoft 365 E5 subscription. You create an access review named Review1. Review1 requires that every six months, Microsoft 365 group owners review guest user access to their groups. You need to ensure that if the group owners fail to review the membership of Review1, guest users are removed automatically. Which settings should you configure for Review1?

  • A. Reviewers
  • B. General
  • C. Advanced settings
  • D. Upon completion settings
Correct Answer:
D. Upon completion settings
Question 2

You have an Azure subscription that contains a virtual machine named VM1 and an Azure key vault named Vault1. VM1 has a system-assigned managed identity. You need to ensure that VM1 can retrieve the values of secrets stored in Vault1. The solution must minimize administrative effort. What should you do first?

  • A. Configure the Resource access settings for Vault1
  • B. Configure the permissions model for Vault1
  • C. Add a user-assigned managed identity to VM1
  • D. Assign an Azure role to VM1
Correct Answer:
D. Assign an Azure role to VM1
Question 3

You have an Azure AD tenant. You need to implement smart lockout with a lockout threshold of 10 failed sign-ins. What should you configure in the Azure AD admin center?

  • A. Authentication strengths
  • B. Password protection
  • C. User risk policy
  • D. Sign-in risk policy
Correct Answer:
B. Password protection
Question 4

You have a Microsoft 365 E5 subscription. You have an Azure subscription that is linked to a Microsoft Entra tenant. The tenant contains a user named User1. You plan to deploy Microsoft Entra Permissions Management. You need to ensure that User1 can onboard the Azure subscription to Permissions Management. The solution must follow the principle of least privilege. Which Microsoft Entra role should you assign to User1?

  • A. Permissions Management Administrator
  • B. Global Administrator
  • C. Security Administrator
  • D. Application Administrator
Correct Answer:
A. Permissions Management Administrator
Question 5

You create a new Microsoft 365 E5 tenant. You need to ensure that when users connect to the Microsoft 365 portal from an anonymous IP address, they are prompted to use multi-factor authentication (MFA). What should you configure?

  • A. a sign-in risk policy
  • B. a user risk policy
  • C. an MFA registration policy
Correct Answer:
A. a sign-in risk policy
Question 6

You have a Microsoft 365 subscription. You plan to deploy an app named App1 that will have the following configurations:

  • Will be registered in Microsoft Entra
  • Will access the signed-in user's Microsoft Outlook calendar by using the Microsoft Graph API

You need to ensure that App1 can access Microsoft Graph. What should you use?

  • A. application permissions
  • B. delegated permissions
  • C. a custom role-based access control (RBAC) role
  • D. a built-in role-based access control (RBAC) role
Correct Answer:
B. delegated permissions
Question 7

You have a Microsoft 365 E5 subscription. Users authorize third-party cloud apps to access their data. You need to configure an alert that will be triggered when an app requires high permissions and is authorized by more than 20 users. Which type of policy should you create in the Microsoft Defender for Cloud Apps portal?

  • A. anomaly detection policy
  • B. OAuth app policy
  • C. access policy
  • D. activity policy
Correct Answer:
B. OAuth app policy
Question 8

You have an Azure subscription named Sub1 that uses Microsoft Entra Permissions Management. Sub1 contains a user named User1. User1 is granted multiple permissions across Sub1. You need to replace all the permissions granted to User1 with read-only permissions. The solution must minimize administrative effort. What should you do on the Remediation tab in Permissions Management?

  • A. From the Role/Policy Template subtab, create a template
  • B. From the My Requests subtab, create a new request
  • C. From the Roles/Policies subtab, create a role
  • D. From the Permissions subtab, use a quick action
Correct Answer:
D. From the Permissions subtab, use a quick action
Question 9

You have 2,500 users who are assigned Microsoft Office 365 Enterprise E3 licenses. The licenses are assigned to individual users. From the Groups blade in the Azure Active Directory admin center, you assign Microsoft 365 Enterprise E5 licenses to the users. You need to remove the Office 365 Enterprise E3 licenses from the users by using the least amount of administrative effort. What should you use?

  • A. the Identity Governance blade in the Azure Active Directory admin center
  • B. the Set-AzureAdUser cmdlet
  • C. the Licenses blade in the Azure Active Directory admin center
  • D. the Set-WindowsProductKey cmdlet
Correct Answer:
C. the Licenses blade in the Azure Active Directory admin center
Question 10

You have an Azure subscription that contains a resource group named RG1 and four users named User1, User2, User3, and User4. You plan to assign the users the following roles for RG1:

  • User1: Reader
  • User2: Contributor
  • User3: Storage Blob Data Reader
  • User4: Virtual Machine Contributor

You are evaluating the use of attribute-based access control (ABAC). Which user's role will support the use of ABAC?

  • A. User1
  • B. User2
  • C. User3
  • D. User4
Correct Answer:
C. User3
Question 11

You have an Azure Active Directory (Azure AD) tenant. You configure self-service password reset (SSPR) by using the following settings:

  • Require users to register when signing in: Yes
  • Number of methods required to reset: 1

What is a valid authentication method available to users?

  • A. an email to an address outside your organization
  • B. a smartcard
  • C. an FIDO2 security token
  • D. a Microsoft Teams chat
Correct Answer:
A. an email to an address outside your organization
Question 12

You have an Azure AD tenant that contains a user named User1 and a registered app named App1. User1 deletes the app registration of App1. You need to restore the app registration. What is the maximum number of days you have to restore the app registration from when it was deleted?

  • A. 14
  • B. 30
  • C. 60
  • D. 180
Correct Answer:
B. 30
Question 13

You have an Azure Active Directory Premium P2 tenant. You create a Log Analytics workspace. You need to ensure that you can view Azure Active Directory (Azure AD) audit log information by using Azure Monitor. What should you do first?

  • A. Run the Set-AzureADTenantDetail cmdlet
  • B. Create an Azure AD workbook
  • C. Modify the Diagnostics settings for Azure AD
  • D. Run the Get-AzureADAuditDirectoryLogs cmdlet
Correct Answer:
C. Modify the Diagnostics settings for Azure AD
Question 14

You have 2,500 users who are assigned Microsoft Office 365 Enterprise E3 licenses. The licenses are assigned to individual users. From the Groups blade in the Microsoft Entra admin center, you assign Microsoft Office 365 Enterprise E5 licenses to a group that includes all users. You need to remove the Office 365 Enterprise E3 licenses from the users by using the least amount of administrative effort. What should you use?

  • A. the Set-MgUserLicense cmdlet
  • B. the Identity Governance blade in the Microsoft Entra admin center
  • C. the Groups blade in the Microsoft Entra admin center
  • D. the Update-MgGroup cmdlet
Correct Answer:
A. the Set-MgUserLicense cmdlet
Question 15

You have a Microsoft 365 E5 subscription that contains a user named User1. User1 is eligible for the Application Administrator role. User1 needs to configure a new connector group for an application proxy. What should you use to activate the role for User1?

  • A. the Microsoft 365 Defender portal
  • B. the Microsoft 365 admin center
  • C. the Microsoft Intune admin center
  • D. the Azure Active Directory admin center
Correct Answer:
D. the Azure Active Directory admin center
Question 16

You have a Microsoft Exchange organization that uses an SMTP address space of contoso.com. Several users use their contoso.com email address for self-service sign-up to Azure AD. You gain global administrator privileges to the Azure AD tenant that contains the self-signed users. You need to prevent the users from creating user accounts in the contoso.com Azure AD tenant for self-service sign-up to Microsoft 365 services. Which PowerShell cmdlet should you run?

  • A. Update-MgOrganization
  • B. Update-MgPolicyPermissionGrantPolicyExclude
  • C. Update-MgDomain
  • D. Update-MgDomainFederationConfiguration
Correct Answer:
A. Update-MgOrganization
Question 17

You have an Azure Active Directory (Azure AD) tenant named contoso.com that has Azure AD Identity Protection policies enforced. You create an Azure Sentinel instance and configure the Azure Active Directory connector. You need to ensure that Azure Sentinel can generate incidents based on the risk alerts raised by Azure AD Identity Protection. What should you do first?

  • A. Add a Microsoft Sentinel data connector
  • B. Configure the Notify settings in Azure AD Identity Protection
  • C. Create a Microsoft Sentinel playbook
  • D. Modify the Diagnostics settings in Azure AD
Correct Answer:
A. Add a Microsoft Sentinel data connector
Question 18

You have a Microsoft Entra tenant. You need to create a Conditional Access policy to manage administrative access to the tenant. The solution must ensure that administrators are authenticated by using a phishing-resistant multi-factor authentication (MFA) method. Which three authentication methods should you include in the solution? Each correct answer presents a complete solution.

  • A. Windows Hello for Business
  • B. an FIDO2 security key
  • C. certificate-based authentication (multi-factor)
  • D. voice call
  • E. SMS
  • F. email OTP
  • G. certificate-based authentication (single-factor)
  • H. Microsoft Authenticator
Correct Answer:
  • A. Windows Hello for Business
  • B. an FIDO2 security key
  • C. certificate-based authentication (multi-factor)
Question 19

You have a Microsoft 365 subscription. You need to ensure that users can grant enterprise applications access to their profile. The solution must ensure that the users can consent only to the User.Read and profile delegated permissions. What should you configure first?

  • A. Identity Protection settings
  • B. Permission classifications
  • C. Admin consent settings
  • D. Security defaults
Correct Answer:
B. Permission classifications
Question 20

You have a Microsoft Entra tenant named contoso.com that contains an enterprise application named App1. A contractor uses the credentials of [email protected]. You need to ensure that you can provide the contractor with access to App1. The contractor must be able to authenticate as [email protected]. What should you do?

  • A. Add a custom domain name to contoso.com.
  • B. Configure the External collaboration settings
  • C. Create a guest user account in contoso.com.
  • D. Add a WS-Fed identity provider
Correct Answer:
C. Create a guest user account in contoso.com.