SC-300: Microsoft Identity and Access Administrator Part 3
Question #: 142
Topic #: 3
You have an Azure subscription.
You are evaluating enterprise software as a service (SaaS) apps.
You need to ensure that the apps support automatic provisioning of Azure AD users.
Which specification should the apps support?
A. OAuth 2.0
B. WS-Fed
C. SCIM 2.0
D. LDAP 3
Selected Answer: C
Question #: 143
Topic #: 2
You have an Azure Active Directory (Azure AD) tenant that contains a user named User1 and the conditional access policies shown in the following table.
You need to evaluate which policies will be applied to User1 when User1 attempts to sign in from various IP addresses.
Which feature should you use?
A. Access reviews
B. Identity Secure Score
C. The What If tool
D. the Microsoft 365 network connectivity test tool
Selected Answer: C
Question #: 145
Topic #: 1
You have a Microsoft 365 tenant.
All users have mobile phones and Windows 10 laptops.
The users frequently work from remote locations that do not have Wi-Fi access or mobile phone connectivity. While working from the remote locations, the users connect their laptops to a wired network that has internet access.
You plan to implement multi-factor authentication (MFA).
Which MFA authentication method can the users use from the remote location?
A. an app password
B. voice
C. Windows Hello for Business
D. security questions
Selected Answer: C
Question #: 146
Topic #: 1
You have an Azure Active Directory (Azure AD) tenant that contains a user named User1.
You need to ensure that User1 can create new catalogs and add resources to the catalogs they own.
What should you do?
A. From the Roles and administrators blade, modify the Groups administrator role.
B. From the Roles and administrators blade, modify the Service support administrator role.
C. From the Identity Governance blade, modify the Entitlement management settings.
D. From the Identity Governance blade, modify the roles and administrators for the General catalog.
Selected Answer: C
Question #: 147
Topic #: 3
You have an Azure AD tenant and a .NET web app named App1.
You need to register App1 for Azure AD authentication.
What should you configure for App1?
A. the executable name
B. the bundle ID
C. the package name
D. the redirect URI
Selected Answer: D
Question #: 148
Topic #: 1
Your network contains an on-premises Active Directory domain that syncs to an Azure Active Directory (Azure AD) tenant.
Users sign in to computers that run Windows 10 and are joined to the domain.
You plan to implement Azure AD Seamless Single Sign-On (Azure AD Seamless SSO).
You need to configure the Windows 10 computers to support Azure AD Seamless SSO.
What should you do?
A. Configure Sign-in options from the Settings app.
B. Enable Enterprise State Roaming.
C. Modify the Local intranet Zone settings.
D. Install the Azure AD Connect Authentication Agent.
Selected Answer: C
Question #: 149
Topic #: 4
You have an Azure Active Directory (Azure AD) tenant named Contoso that contains a terms of use (ToU) named Terms1 and an access package. Contoso users collaborate with an external organization named Fabrikam. Fabrikam users must accept Terms1 before being allowed to use the access package.
You need to identify which users accepted or declined Terms1.
What should you use?
A. sign-in logs
B. the Usage and Insights report
C. provisioning logs
D. audit logs
Selected Answer: D
Question #: 150
Topic #: 1
You have a Microsoft 365 tenant.
All users have mobile phones and Windows 10 laptops.
The users frequently work from remote locations that do not have Wi-Fi access or mobile phone connectivity. While working from the remote locations, the users connect their laptops to a wired network that has internet access.
You plan to implement multi-factor authentication (MFA).
Which MFA authentication method can the users use from the remote location?
A. a notification through the Microsoft Authenticator app
B. security questions
C. voice
D. Windows Hello for Business
Selected Answer: D
Question #: 151
Topic #: 2
You create a conditional access policy that blocks access when a user triggers a high-severity sign-in alert.
You need to test the policy under the following conditions:
• A user signs in from another country.
• A user triggers a sign-in risk.
What should you use to complete the test?
A. the Conditional Access What If tool
B. sign-in logs in Azure Active Directory (Azure AD)
C. the activity logs in Microsoft Defender for Cloud Apps
D. access reviews in Azure Active Directory (Azure AD)
Selected Answer: A
Question #: 153
Topic #: 4
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.
User1 is the owner of Group1.
You create an access review that has the following settings:
• What to review: Teams + Groups
• Scope: All users
• Group: Group1
• Reviewers: Users review their own access
Which users can perform access reviews for User3?
A. User1 only
B. User3 only
C. User1 and User2 only
D. User1, User2, and User3
Selected Answer: B
Question #: 154
Topic #: 1
Your company has two divisions named Contoso East and Contoso West. The Microsoft 365 identity architecture for both divisions is shown in the following exhibit.
You need to assign users from the Contoso East division access to Microsoft SharePoint Online sites in the Contoso West tenant. The solution must not require additional Microsoft 365 licenses.
What should you do?
A. Configure Azure AD Application Proxy in the Contoso West tenant.
B. Invite the Contoso East users as guests in the Contoso West tenant.
C. Deploy a second Azure AD Connect server to Contoso East and configure the server to sync the Contoso East Active Directory forest to the Contoso West tenant.
D. Configure the existing Azure AD Connect server in Contoso East to sync the Contoso East Active Directory forest to the Contoso West tenant.
Selected Answer: B
Question #: 155
Topic #: 3
You have an Azure AD tenant.
You discover that a large number of new apps were added to the tenant.
You need to implement an approval process for new enterprise applications.
What should you do?
A. From the Microsoft Defender for Cloud Apps portal, create a Cloud Discovery anomaly detection policy.
B. From the Microsoft Entra admin center, configure the Admin consent settings.
C. From the Microsoft Defender for Cloud Apps portal, configure an app connector.
D. From the Microsoft Entra admin center, configure an access review.
Selected Answer: B
Question #: 159
Topic #: 3
You have a Microsoft 365 E5 subscription.
You purchase the app governance add-on license.
You need to enable app governance integration.
Which portal should you use?
A. the Microsoft Defender for Cloud Apps portal
B. the Microsoft 365 admin center
C. Microsoft 365 Defender
D. the Azure Active Directory admin center
E. the Microsoft Purview compliance portal
Selected Answer: C
Question #: 162
Topic #: 1
You have a Microsoft 365 tenant.
You currently allow email clients that use Basic authentication to connect to Microsoft Exchange Online.
You need to ensure that users can connect to Exchange only from email clients that use Modern authentication protocols.
What should you implement?
A. an OAuth policy in Microsoft Defender for Cloud Apps
B. a conditional access policy in Azure Active Directory (Azure AD)
C. a compliance policy in Microsoft Endpoint Manager
D. an application control profile in Microsoft Endpoint Manager
Selected Answer: B
Question #: 163
Topic #: 3
Your company purchases a new Microsoft 365 E5 subscription and an app named App1.
You need to create a Microsoft Defender for Cloud Apps access policy for App1.
What should you do first?
A. Configure a Conditional Access policy to use app-enforced restrictions.
B. Configure a Token configuration for App1.
C. Add an API permission for App1.
D. Configure a Conditional Access policy to use Conditional Access App Control.
Selected Answer: D
Question #: 166
Topic #: 2
You have an Azure subscription that contains an Azure SQL database named db1.
You deploy an Azure App Service web app named App1 that provides product information to users that connect to App1 anonymously.
You need to provide App1 with access to db1. The solution must meet the following requirements:
• Credentials must only be available to App1.
• Administrative effort must be minimized.
Which type of credentials should you use?
A. a system-assigned managed identity
B. an Azure Active Directory (Azure AD) user account
C. a SQL Server account
D. a user-assigned managed identity
Selected Answer: A
Question #: 169
Topic #: 1
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.
You have an administrative unit named Au1. Group1, User2, and User3 are members of Au1.
User5 is assigned the User administrator role for Au1.
For which users can User5 reset passwords?
A. User1, User2, and User3
B. User1 and User2 only
C. User3 and User4 only
D. User2 and User3 only
Selected Answer: D
Question #: 170
Topic #: 3
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Amazon Web Services (AWS) account, a Google Workspace subscription, and a GitHub account.
You deploy an Azure subscription and enable Microsoft 365 Defender.
You need to ensure that you can monitor OAuth authentication requests by using Microsoft Defender for Cloud Apps.
Solution: From the Microsoft 365 Defender portal, you add the Google Workspace app connector.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 171
Topic #: 2
You have an Azure subscription that contains the custom roles shown in the following table.
You need to create a custom Azure subscription role named Role3 by using the Azure portal. Role3 will use the baseline permissions of an existing role.
Which roles can you clone to create Role3?
A. Role2 only
B. built-in Azure subscription roles only
C. built-in Azure subscription roles and Role2 only
D. built-in Azure subscription roles and built-in Azure AD roles only
E. Role1, Role2, built-in Azure subscription roles, and built-in Azure AD roles
Selected Answer: C
Question #: 172
Topic #: 4
You have an Azure AD tenant that contains two users named User1 and User2.
You plan to perform the following actions:
• Create a group named Group1.
• Add User1 and User2 to Group1.
• Assign Azure AD roles to Group1.
You need to create Group1.
Which two settings can you use? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Group type: Microsoft 365; Membership type: Assigned
B. Group type: Security; Membership type: Assigned
C. Group type: Security; Membership type: Dynamic User
D. Group type: Microsoft 365; Membership type: Dynamic User
E. Group type: Security; Membership type: Dynamic Device
Selected Answer: AB
Question #: 173
Topic #: 1
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.
You create a dynamic user group and configure the following rule syntax.
user.usageLocation -in ["US","AU"] -and (user.department -eq "Sales") -and -not (user.jobTitle -eq "Manager") -or (user.jobTitle -eq "SalesRep")
Which users will be added to the group?
A. User1 only
B. User2 only
C. User3 only
D. User1 and User2 only
E. User1 and User3 only
F. User1, User2, and User3
Selected Answer: D
Question #: 174
Topic #: 3
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Amazon Web Services (AWS) account, a Google Workspace subscription, and a GitHub account.
You deploy an Azure subscription and enable Microsoft 365 Defender.
You need to ensure that you can monitor OAuth authentication requests by using Microsoft Defender for Cloud Apps.
Solution: From the Microsoft 365 Defender portal, you add the Microsoft Azure app connector.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 175
Topic #: 1
You have a Microsoft 365 tenant.
All users have mobile phones and Windows 10 laptops.
The users frequently work from remote locations that do not have Wi-Fi access or mobile phone connectivity. While working from the remote locations, the users connect their laptops to a wired network that has internet access.
You plan to implement multi-factor authentication (MFA).
Which MFA authentication method can the users use from the remote location?
A. Windows Hello for Business
B. an app password
C. security questions
D. email
Selected Answer: A
Question #: 177
Topic #: 1
You have an Azure AD tenant that contains a user named User1.
User1 needs to manage license assignments and reset user passwords.
Which role should you assign to User1?
A. Helpdesk administrator
B. Billing administrator
C. License administrator
D. User administrator
Selected Answer: D
Question #: 178
Topic #: 3
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Amazon Web Services (AWS) account, a Google Workspace subscription, and a GitHub account.
You deploy an Azure subscription and enable Microsoft 365 Defender.
You need to ensure that you can monitor OAuth authentication requests by using Microsoft Defender for Cloud Apps.
Solution: From the Microsoft 365 Defender portal, you add the Amazon Web Services app connector.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 179
Topic #: 1
You have a Microsoft 365 tenant.
All users have mobile phones and Windows 10 laptops.
The users frequently work from remote locations that do not have Wi-Fi access or mobile phone connectivity. While working from the remote locations, the users connect their laptops to a wired network that has internet access.
You plan to implement multi-factor authentication (MFA).
Which MFA authentication method can the users use from the remote location?
A. voice
B. Windows Hello for Business
C. email
D. security questions
Selected Answer: B
Question #: 182
Topic #: 3
Your company purchases a Microsoft 365 E5 subscription.
A user named User1 is assigned the Security Administrator role.
You need to ensure that User1 can create Microsoft Defender for Cloud Apps session policies.
What should you do first?
A. Create a Conditional Access policy and select Require app protection policy.
B. Create a Conditional Access policy and select Use Conditional Access App Control.
C. Assign the Cloud Application Administrator role to User1.
D. Assign the Cloud App Security Administrator role to User1.
Selected Answer: D
Question #: 183
Topic #: 1
You have 2,500 users who are assigned Microsoft Office 365 Enterprise E3 licenses. The licenses are assigned to individual users.
From the Groups blade in the Azure Active Directory admin center, you assign Microsoft Office 365 Enterprise E5 licenses to a group that includes all users.
You need to remove the Office 365 Enterprise E3 licenses from the users by using the least amount of administrative effort.
What should you use?
A. the Set-MsolUserLicense cmdlet
B. the Set-AzureADGroup cmdlet
C. the Set-WindowsProductKey cmdlet
D. the Administrative units blade in the Azure Active Directory admin center
Selected Answer: A
Question #: 185
Topic #: 1
You have 2,500 users who are assigned Microsoft Office 365 Enterprise E3 licenses. The licenses are assigned to individual users.
From the Groups blade in the Azure Active Directory admin center, you assign Microsoft 365 Enterprise E5 licenses to a group that includes all the users.
You need to remove the Office 365 Enterprise E3 licenses from the users by using the least amount of administrative effort.
What should you use?
A. the Set-AzureADGroup cmdlet
B. the Identity Governance blade in the Azure Active Directory admin center
C. the Set-WindowsProductKey cmdlet
D. the Set-MsolUserLicense cmdlet
Selected Answer: D
Question #: 186
Topic #: 3
You have an Azure subscription that contains a user named User1.
The App registration settings for the Azure AD tenant are configured as shown in the following exhibit.
User1 builds an ASP.NET web app named App1.
You need to ensure that User1 can register App1. The solution must use the principle of least privilege.
Which role should you assign to User1?
A. Application Developer
B. Cloud App Security Administrator
C. Cloud Application Administrator
D. Application Administrator
Selected Answer: A
Question #: 192
Topic #: 3
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Cloud Apps.
You plan to increase app security for the subscription.
You need to identify which apps do NOT require user authentication.
What should you do in the Microsoft 365 Defender portal?
A. Review the cloud app catalog.
B. Create an OAuth policy and review alerts.
C. Create a snapshot Cloud Discovery report.
D. Create a discovered app query.
Selected Answer: A
Question #: 193
Topic #: 1
You have 2,500 users who are assigned Microsoft Office 365 Enterprise E3 licenses. The licenses are assigned to individual users.
From the Groups blade in the Azure Active Directory admin center, you assign Microsoft Office 365 Enterprise E5 licenses to a group that includes all users.
You need to remove the Office 365 Enterprise E3 licenses from the users by using the least amount of administrative effort.
What should you use?
A. the Groups blade in the Azure Active Directory admin center
B. the Set-AzureADGroup cmdlet
C. the Identity Governance blade in the Azure Active Directory admin center
D. the Set-MsolUserLicense cmdlet
Selected Answer: A
Question #: 194
Topic #: 4
You have a Microsoft 365 E5 subscription that contains a user named User1.
You need to ensure that User1 can create access reviews for Azure AD roles. The solution must use the principle of least privilege.
Which role should you assign to User1?
A. Privileged role administrator
B. Identity Governance Administrator
C. User administrator
D. User Access Administrator
Selected Answer: A
Question #: 195
Topic #: 2
You have an Azure Active Directory (Azure AD) tenant.
You configure self-service password reset (SSPR) by using the following settings:
• Require users to register when signing in: Yes
• Number of methods required to reset: 1
What is a valid authentication method available to users?
A. a smartcard
B. a mobile app code
C. a mobile app notification
D. an email to an address outside your organization
Selected Answer:
Question #: 198
Topic #: 2
You create a new Microsoft 365 E5 tenant.
You need to ensure that when users connect to the Microsoft 365 portal from an anonymous IP address, they are prompted to use multi-factor authentication (MFA).
What should you configure?
A. a sign-in risk policy
B. a user risk policy
C. an MFA registration policy
Selected Answer: A
Question #: 199
Topic #: 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Active Directory forest that syncs to an Azure AD tenant.
You discover that when a user account is disabled in Active Directory, the disabled user can still authenticate to Azure AD for up to 30 minutes.
You need to ensure that when a user account is disabled in Active Directory, the user account is immediately prevented from authenticating to Azure AD.
Solution: You configure conditional access policies.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 206
Topic #: 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 E5 subscription.
You create a user named User1.
You need to ensure that User1 can update the status of Identity Secure Score improvement actions.
Solution: You assign the User Administrator role to User1.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 207
Topic #: 3
You have an Azure subscription that contains a storage account named storage1 and a web app named WebApp1. WebApp1 uses a system-assigned managed identity.
You need to ensure that WebApp1 can read and write files to storage1 by using the system-assigned managed identity.
What should you configure for storage1 in the Azure portal?
A. data protection
B. a shared access signature (SAS)
C. the Access control (IAM) settings
D. the File share settings
E. access keys
Selected Answer: C
Question #: 210
Topic #: 4
You have a Microsoft 365 E5 subscription that contains a user named User1. User1 is eligible for the Application administrator role.
User1 needs to configure a new connector group for an application proxy.
What should you use to activate the role for User1?
A. the Microsoft Defender for Cloud Apps portal
B. the Microsoft 365 admin center
C. the Azure Active Directory admin center
D. the Microsoft 365 Defender portal
Selected Answer: C
Question #: 211
Topic #: 2
You have an Azure subscription that contains a user named User1.
You need to meet the following requirements:
• Prevent User1 from being added as an owner of newly registered apps.
• Ensure that User1 can manage the application proxy settings.
• Ensure that User1 can register apps.
• Use the principle of least privilege.
Which role should you assign to User1?
A. Application developer
B. Cloud application administrator
C. Service support administrator
D. Application administrator
Selected Answer: D