SC-300: Microsoft Identity and Access Administrator Part 4
Question #: 214
Topic #: 4
You have an Azure subscription that contains a registered app named App1.
You need to review the sign-in activity for App1. The solution must meet the following requirements:
• Identify the number of failed sign-ins.
• Identify the success rate of sign-ins.
• Minimize administrative effort.
What should you use?
A. Sign-in logs
B. Access reviews
C. Audit logs
D. Usage & insights
Selected Answer: D
Question #: 216
Topic #: 3
You have a Microsoft 365 subscription.
You plan to deploy an app named App1 that will have the following configurations:
• Will be registered in Microsoft Entra
• Will access the signed-in user’s Microsoft Outlook calendar by using the Microsoft Graph API
You need to ensure that App1 can access Microsoft Graph.
What should you use?
A. application permissions
B. delegated permissions
C. a custom role-based access control (RBAC) role
D. a built-in role-based access control (RBAC) role
Selected Answer: B
Question #: 218
Topic #: 4
Your company has an Azure AD tenant that contains a user named User1.
The company has two departments named marketing and finance.
You need to grant permissions to User1 to manage only the users in the marketing department. The solution must ensure that User1 does NOT have permissions to manage the users in the finance department.
What should you create first?
A. a management group
B. an administrative unit
C. a resource group
D. a Microsoft 365 group
Selected Answer: B
Question #: 219
Topic #: 1
You have a Microsoft 365 tenant.
All users have mobile phones and Windows 10 laptops.
The users frequently work from remote locations that do not have Wi-Fi access or mobile phone connectivity. While working from the remote locations, the users connect their laptops to a wired network that has internet access.
You plan to implement multi-factor authentication (MFA).
Which MFA authentication method can the users use from the remote location?
A. a notification through the Microsoft Authenticator app
B. SMS
C. email
D. Windows Hello for Business
Selected Answer: D
Question #: 222
Topic #: 4
You have an Azure AD tenant that contains an access package named Package1 and a user named User1. Package1 is configured as shown in the following exhibit.
You need to ensure that User1 can modify the review frequency of Package1. The solution must use the principle of least privilege.
Which role should you assign to User1?
A. Security administrator
B. Privileged role administrator
C. External Identity Provider administrator
D. User administrator
Selected Answer: D
Question #: 224
Topic #: 1
You have the Azure resources shown in the following table.
To which identities can you assign the Contributor role for RG1?
A. User1 only
B. User1 and Group1 only
C. User1 and VM1 only
D. User1, VM1, and App1 only
E. User1, Group1, VM1, and App1
Selected Answer: D
Question #: 225
Topic #: 2
You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint Online site named Site1.
You need to ensure that users can request access to Site1. The solution must meet the following requirements:
• Automatically approve requests from users based on their group membership.
• Automatically remove the access after 30 days.
What should you do?
A. Create a Conditional Access policy.
B. Create an access package.
C. Configure Role settings in Azure AD Privileged Identity Management.
D. Create a Microsoft Defender for Cloud Apps access policy.
Selected Answer: B
Question #: 228
Topic #: 4
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Cloud Apps.
You need to identify which users access Facebook from their devices and browsers. The solution must minimize administrative effort.
What should you do first?
A. Create a Conditional Access policy.
B. Create a Defender for Cloud Apps access policy.
C. Create an app configuration policy in Microsoft Endpoint Manager.
D. From the Microsoft Defender for Cloud Apps portal, unsanction Facebook.
Selected Answer: D
Question #: 229
Topic #: 4
You have an Azure subscription that uses Azure AD Privileged Identity Management (PIM).
You need to identify users that are eligible for the Cloud Application Administrator role.
Which blade in the Privileged Identity Management settings should you use?
A. Azure resources
B. Privileged access groups
C. Review access
D. Azure AD roles
Selected Answer: D
Question #: 230
Topic #: 1
You have 2,500 users who are assigned Microsoft Office 365 Enterprise E3 licenses. The licenses are assigned to individual users.
From the Groups blade in the Azure Active Directory admin center, you assign Microsoft Office 365 Enterprise E5 licenses to a group that includes all users.
You need to remove the Office 365 Enterprise E3 licenses from the users by using the least amount of administrative effort.
What should you use?
A. the Groups blade in the Azure Active Directory admin center
B. the Set-AzureAdUser cmdlet
C. the Identity Governance blade in the Azure Active Directory admin center
D. the Licenses blade in the Azure Active Directory admin center
Selected Answer: D
Question #: 231
Topic #: 1
You have a Microsoft 365 tenant.
All users have mobile phones and Windows 10 laptops.
The users frequently work from remote locations that do not have Wi-Fi access or mobile phone connectivity. While working from the remote locations, the users connect their laptop to a wired network that has internet access.
You plan to implement multi-factor authentication (MFA).
Which MFA authentication method can the users use from the remote location?
A. voice
B. an app password
C. security questions
D. a verification code from the Microsoft Authenticator app
Selected Answer: D
Question #: 236
Topic #: 4
You have an Azure AD Premium P2 tenant.
You create a Log Analytics workspace.
You need to ensure that you can view Azure AD audit log information by using Azure Monitor.
What should you do first?
A. Modify the Diagnostics settings for Azure AD.
B. Run the Update-MgOrganization cmdlet.
C. Run the Update-MgDomain cmdlet.
D. Create an Azure AD workbook.
Selected Answer: A
Question #: 237
Topic #: 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 E5 subscription.
You create a user named User1.
You need to ensure that User1 can update the status of Identity Secure Score improvement actions.
Solution: You assign the SharePoint Administrator role to User1.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 239
Topic #: 1
You have an Azure AD tenant that contains a user named Admin1.
You need to ensure that Admin1 can perform only the following tasks:
• From the Microsoft 365 admin center, create and manage service requests.
• From the Microsoft 365 admin center, read and configure service health.
• From the Azure portal, create and manage support tickets.
The solution must minimize administrative effort.
What should you do?
A. Create an administrative unit and add Admin1.
B. Enable Azure AD Privileged Identity Management (PIM) for Admin1.
C. Assign Admin1 the Helpdesk Administrator role.
D. Create a custom role and assign the role to Admin1.
Selected Answer: C
Question #: 240
Topic #: 1
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Cloud Apps.
You need to identify which users access Facebook from their devices and browsers. The solution must minimize administrative effort.
What should you do first?
A. From the Microsoft 365 Defender portal, unsanction Facebook.
B. Create a Defender for Cloud Apps access policy.
C. Create an app configuration policy in Microsoft Intune.
D. Create a Conditional Access policy.
Selected Answer: B
Question #: 243
Topic #: 4
You have a Microsoft 365 subscription that contains the users shown in the following table.
From the tenant, you configure a naming policy for groups.
Which users are affected by the naming policy?
A. User2 only
B. User3 only
C. User2 and User3 only
D. User3 and User4 only
E. User1, User2, and User3 only
F. User1, User2, User3, and User4
Selected Answer: D
Question #: 244
Topic #: 4
You have an Azure subscription that contains the users shown in the following table.
You need to implement Azure AD Privileged Identity Management (PIM).
Which users can use PIM to activate their role permissions?
A. Admin1 only
B. Admin2 only
C. Admin3 only
D. Admin1 and Admin2 only
E. Admin2 and Admin3 only
F. Admin1, Admin2, and Admin3
Selected Answer: C
Question #: 245
Topic #: 1
You have a Microsoft 365 tenant that uses the domain named fabrikam.com. The Guest invite settings for Azure Active Directory (Azure AD) are configured as shown in the exhibit. (Click the Exhibit tab.)
A user named bsmith@fabrikam.com shares a Microsoft SharePoint Online document library to the users shown in the following table.
Which users will be emailed a passcode?
A. User2 only
B. User1 only
C. User1 and User2 only
D. User1, User2, and User3
Selected Answer: A
Question #: 246
Topic #: 2
A user named User1 receives an error message when attempting to access the Microsoft Defender for Cloud Apps portal.
You need to identify the cause of the error. The solution must minimize administrative effort.
What should you use?
A. Log Analytics
B. sign-in logs
C. audit logs
D. provisioning logs
Selected Answer: B
Question #: 248
Topic #: 2
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Cloud Apps and Yammer.
You need to prevent users from signing in to Yammer from high-risk locations.
What should you do in the Microsoft Defender for Cloud Apps portal?
A. Create an access policy.
B. Create an activity policy.
C. Unsanction Yammer.
D. Create an anomaly detection policy.
Selected Answer: A
Question #: 249
Topic #: 1
You have 2,500 users who are assigned Microsoft Office 365 Enterprise E3 licenses. The licenses are assigned to individual users.
From the Groups blade in the Azure Active Directory admin center, you assign Microsoft Office 365 Enterprise E5 licenses to a group that includes all users.
You need to remove the Office 365 Enterprise E3 licenses from the users by using the least amount of administrative effort.
What should you use?
A. the Administrative units blade in the Azure Active Directory admin center
B. the Set-MsolUserLicense cmdlet
C. the Groups blade in the Azure Active Directory admin center
D. the Set-WindowsProductKey cmdlet
Selected Answer: B
Question #: 252
Topic #: 1
You have a Microsoft 365 tenant.
All users have mobile phones and Windows 10 laptops.
The users frequently work from remote locations that do not have Wi-Fi access or mobile phone connectivity. While working from the remote locations, the users connect their laptop to a wired network that has internet access.
You plan to implement multi-factor authentication (MFA).
Which MFA authentication method can the users use from the remote location?
A. SMS
B. email
C. security questions
D. a verification code from the Microsoft Authenticator app
Selected Answer: D
Question #: 253
Topic #: 4
You have an Azure AD tenant.
You plan to implement Azure AD Privileged Identity Management (PIM).
Which roles can you manage by using PIM?
A. Global Administrator only
B. Global Administrator and Security Administrator only
C. Global Administrator, Security Administrator, and Security Contributor only
D. Account Administrator, Global Administrator, Security Administrator, and Security Contributor only
Selected Answer: B
Question #: 254
Topic #: 2
You have an Azure Active Directory (Azure AD) tenant.
You open the risk detections report.
Which risk detection type is classified as a user risk?
A. impossible travel
B. anonymous IP address
C. malicious IP address
D. Azure AD threat intelligence
Selected Answer: D
Question #: 255
Topic #: 1
You have 2,500 users who are assigned Microsoft Office 365 Enterprise E3 licenses. The licenses are assigned to individual users.
From the Groups blade in the Azure Active Directory admin center, you assign Microsoft Office 365 Enterprise E5 licenses to a group that includes all users.
You need to remove the Office 365 Enterprise E3 licenses from the users by using the least amount of administrative effort.
What should you use?
A. the Update-MgGroup cmdlet
B. the Licenses blade in the Azure Active Directory admin center
C. the Set-WindowsProductKey cmdlet
D. the Administrative units blade in the Azure Active Directory admin center
Selected Answer: B
Question #: 256
Topic #: 1
You have an Azure AD tenant that contains the users shown in the following table.
You need to compare the role permissions of each user. The solution must minimize administrative effort.
What should you use?
A. the Microsoft 365 Defender portal
B. the Microsoft 365 admin center
C. the Microsoft Entra admin center
D. the Microsoft Purview compliance portal
Selected Answer: B
Question #: 257
Topic #: 4
You have a Microsoft 365 tenant.
In Microsoft Entra ID, you configure the terms of use.
You need to ensure that only users who accept the terms of use can access the resources in the tenant. Other users must be denied access.
What should you configure?
A. Terms and conditions in Microsoft Intune
B. an access policy in Microsoft Defender for Cloud Apps
C. a conditional access policy in Microsoft Entra ID
D. a compliance policy in Microsoft Intune
Selected Answer: C
Question #: 258
Topic #: 2
You have a Microsoft Entra tenant.
You need to query risky user activity for the tenant.
How long will the logs of risky user activity be retained?
A. 30 days
B. 60 days
C. 90 days
D. 180 days
Selected Answer: C
Question #: 259
Topic #: 1
You have a Microsoft Exchange organization that uses an SMTP address space of contoso.com.
Several users use their contoso.com email address for self-service sign-up to Azure AD.
You gain global administrator privileges to the Azure AD tenant that contains the self-signed users.
You need to prevent the users from creating user accounts in the contoso.com Azure AD tenant for self-service sign-up to Microsoft 365 services.
Which PowerShell cmdlet should you run?
A. Update-MgOrganization
B. Update-MgPolicyPermissionGrantPolicyExclude
C. Update-MgDomain
D. Update-MgDomainFederationConfiguration
Selected Answer: B
Question #: 260
Topic #: 2
You have an Azure AD tenant.
You configure self-service password reset (SSPR) by using the following settings:
• Require users to register when signing in: Yes
• Number of methods required to reset: 1
What is a valid authentication method available to users?
A. a FIDO2 security token
B. a mobile app code
C. a Microsoft Teams chat
D. a Windows Hello PIN
Selected Answer: B
Question #: 261
Topic #: 4
You have a Microsoft 365 E5 subscription that contains a user named User1. User1 is eligible for the Application Administrator role.
User1 needs to configure a new connector group for an application proxy.
What should you use to activate the role for User1?
A. the Microsoft 365 Defender portal
B. the Microsoft 365 admin center
C. the Microsoft Intune admin center
D. the Azure Active Directory admin center
Selected Answer: D
Question #: 264
Topic #: 4
Your on-premises network contains an Active Directory Domain Services (AD DS) domain and a certification authority (CA) named CA1.
You have an Azure AD tenant.
You need to implement certificate-based authentication in Azure AD. The solution must ensure that users can sign in by using certificates issued by CA1.
What should you do first?
A. Deploy an Azure key vault.
B. Add CA1 as a Certificate Authority to the Microsoft Entra ID tenant.
C. Enable auto-enrollment for CA1.
D. Deploy Windows Hello for Business.
Selected Answer: B
Question #: 265
Topic #: 2
You have an Azure AD tenant that contains the users shown in the following table.
You enable self-service password reset (SSPR) for all the users and configure SSPR to require security questions as the only authentication method.
Which users must use security questions when resetting their password?
A. User4 only
B. User3 and User4 only
C. User1 and User4 only
D. User1, User3, and User4 only
E. User1, User2, User3, and User4
Selected Answer: B
Question #: 266
Topic #: 4
You have accounts for the following cloud platforms:
• Azure
• Alibaba Cloud
• Amazon Web Services (AWS)
• Google Cloud Platform (GCP)
You configure an Azure subscription to use Microsoft Entra Permissions Management to manage the permissions in Azure only.
Which additional cloud platforms can be managed by using Permissions Management?
A. AWS only
B. Alibaba Cloud and AWS only
C. Alibaba Cloud and GCP only
D. AWS and GCP only
E. Alibaba Cloud, AWS, and GCP
Selected Answer: D
Question #: 267
Topic #: 1
You have an Azure AD tenant that contains the external user shown in the following exhibit.
You update the email address of the user.
You need to ensure that the user can authenticate by using the updated email address.
What should you do for the user?
A. Modify the Authentication methods settings.
B. Reset the password.
C. Revoke the active sessions.
D. Reset the redemption status.
Selected Answer: D
Question #: 268
Topic #: 4
You have three Azure subscriptions that are linked to a single Microsoft Entra tenant.
You need to evaluate and remediate the risks associated with highly privileged accounts. The solution must minimize administrative effort.
What should you use?
A. Global Secure Access
B. Privileged Identity Management (PIM)
C. Microsoft Entra Permissions Management
D. Microsoft Entra Verified ID
Selected Answer: B
Question #: 269
Topic #: 1
You have an Azure AD tenant.
You need to ensure that only users from specific external domains can be invited as guests to the tenant.
Which settings should you configure?
A. External collaboration settings
B. All identity providers
C. Cross-tenant access settings
D. Linked subscriptions
Selected Answer: A
Question #: 270
Topic #: 2
You have an Azure AD tenant.
You need to implement smart lockout with a lockout threshold of 10 failed sign-ins.
What should you configure in the Azure AD admin center?
A. Authentication strengths
B. Password protection
C. User risk policy
D. Sign-in risk policy
Selected Answer: B
Question #: 271
Topic #: 4
You have an Azure subscription named Sub1 that uses Microsoft Entra Permissions Management. Sub1 contains a user named User1. User1 is granted multiple permissions across Sub1.
You need to replace all the permissions granted to User1 with read-only permissions. The solution must minimize administrative effort.
What should you do on the Remediation tab in Permissions Management?
A. From the Role/Policy Template subtab, create a template.
B. From the My Requests subtab, create a new request.
C. From the Roles/Policies subtab, create a role.
D. From the Permissions subtab, use a quick action.
Selected Answer: D
Question #: 272
Topic #: 2
You configure a new Microsoft 365 tenant to use a default domain name of contoso.com.
You need to ensure that you can control access to Microsoft 365 resources by using conditional access policies.
What should you do first?
A. Disable Security defaults.
B. Configure password protection for the Azure AD tenant.
C. Configure a multi-factor authentication (MFA) registration policy.
D. Disable the User consent settings.
Selected Answer: A
Question #: 273
Topic #: 1
You have an Azure AD tenant that contains a user named User1 and a Microsoft 365 group named Group1. User1 is the owner of Group1.
You need to ensure that User1 is notified every three months to validate the guest membership of Group1.
What should you do?
A. Configure the External collaboration settings.
B. Create an access review.
C. Configure an access package.
D. Create a group expiration policy.
Selected Answer: B
Question #: 275
Topic #: 4
You have an Azure subscription that contains a user named User1. The subscription is onboarded to Microsoft Entra Permissions Management.
You need to provide User1 with access to Permissions Management. The solution must meet the following requirements:
• Follow the principle of least privilege.
• Minimize administrative effort.
What should you do first?
A. From the Role/Policy Template subtab of Permissions Management, create a template.
B. From the Microsoft Entra admin center, create a security group.
C. From the My Requests subtab of Permissions Management, create a new request.
D. From the Microsoft Entra admin center, assign a role to User1.
Selected Answer: B
Question #: 276
Topic #: 2
You have a Microsoft 365 tenant.
An on-premises Active Directory domain is configured to sync with the Azure AD tenant. The domain contains the servers shown in the following table.
The domain controllers are prevented from communicating to the internet.
You implement Azure AD Password Protection on Server1 and Server2.
You deploy a new server named Server4 that runs Windows Server 2022.
You need to ensure that Azure AD Password Protection will continue to work if a single server fails.
What should you implement on Server4?
A. Azure AD Connect
B. Azure AD Application Proxy
C. Password Change Notification Service (PCNS)
D. the Azure AD Password Protection proxy service
Selected Answer: D
Question #: 279
Topic #: 1
You have a Microsoft 365 tenant.
All users have mobile phones and Windows 10 laptops.
The users frequently work from remote locations that do not have Wi-Fi access or mobile phone connectivity. While working from the remote locations, the users connect their laptops to a wired network that has internet access.
You plan to implement multi-factor authentication (MFA).
Which MFA authentication method can the users use from the remote location?
A. voice
B. email
C. security questions
D. a verification code from the Microsoft Authenticator app
Selected Answer: D
Question #: 284
Topic #: 1
You have an Azure subscription named Sub1 that contains a user named User1.
You need to ensure that User1 can purchase a Microsoft Entra Permissions Management license for Sub1. The solution must follow the principle of least privilege.
Which role should you assign to User1?
A. Global Administrator
B. Billing Administrator
C. Permissions Management Administrator
D. User Access Administrator
Selected Answer: B
Question #: 285
Topic #: 2
You have an Azure AD tenant that has multi-factor authentication (MFA) enforced and self-service password reset (SSPR) enabled.
You enable combined registration in interrupt mode.
You create a new user named User1.
Which two authentication methods can User1 use to complete the combined registration process? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. a FIDO2 security key
B. a hardware token
C. a one-time passcode email
D. Windows Hello for Business
E. the Microsoft Authenticator app
Selected Answer: CE
Question #: 287
Topic #: 1
You have an Azure subscription that contains a user named User1 and two resource groups named RG1 and RG2.
You need to ensure that User1 can perform the following tasks:
• View all resources.
• Restart virtual machines.
• Create virtual machines in RG1 only.
• Create storage accounts in RG1 only.
What is the minimum number of role-based access control (RBAC) role assignments required?
A. 1
B. 2
C. 3
D. 4
Selected Answer: B
Question #: 288
Topic #: 4
You have an Azure subscription.
You need to use Microsoft Entra Permissions Management to automatically monitor permissions and create and implement right-size roles. The solution must follow the principle of least privilege.
Which role should you assign to the service principal of Permissions Management?
A. User Access Administrator
B. Contributor
C. Reader
D. Owner
Selected Answer: A
Question #: 290
Topic #: 1
You work for a company named Contoso, Ltd. that has a Microsoft Entra tenant named contoso.com.
Contoso is working on a project with the following two partner companies:
• A company named A. Datum Corporation that has a Microsoft Entra tenant named adatum.com.
• A company named Fabrikam, Inc. that has a Microsoft Entra tenant named fabrikam.com.
When you attempt to invite a new guest user from adatum.com to contoso.com, you receive an error message.
You can successfully invite a new guest user from fabrikam.com to contoso.com.
You need to be able to invite new guest users from adatum.com to contoso.com.
What should you configure?
A. Guest invite settings
B. Verifiable credentials
C. Named locations
D. Collaboration restrictions
Selected Answer: D
Question #: 291
Topic #: 1
You have a Microsoft 365 tenant.
All users have mobile phones and Windows 10 laptops.
The users frequently work from remote locations that do not have Wi-Fi access or mobile phone connectivity. While working from the remote locations, the users connect their laptops to a wired network that has internet access.
You plan to implement multi-factor authentication (MFA).
Which MFA authentication method can the users use from the remote location?
A. SMS
B. Windows Hello for Business
C. voice
D. a notification through the Microsoft Authenticator app
Selected Answer: B
Question #: 292
Topic #: 1
You have an Azure subscription that contains a user-assigned managed identity named Managed1 in the East US Azure region. The subscription contains the resources shown in the following table.
Which resources can use Managed1 as their identity?
A. WebApp1 only
B. storage1 and WebApp1 only
C. VM1 and WebApp1 only
D. VM1, storage1, and WebApp1
Selected Answer: D
Question #: 293
Topic #: 4
You have an Azure subscription, a Google Cloud Platform (GCP) account, and an Amazon Web Services (AWS) account.
You need to recommend a solution to assess the risks associated with privilege assignments across all the platforms. The solution must minimize administrative effort.
What should you include in the recommendation?
A. Microsoft Sentinel
B. Microsoft Entra ID Protection
C. Microsoft Defender for Cloud Apps
D. Microsoft Entra Permissions Management
Selected Answer: D
Question #: 294
Topic #: 2
You have a Microsoft 365 tenant.
You currently allow email clients that use Basic authentication to connect to Microsoft Exchange Online.
You need to ensure that users can connect to Exchange Online only from email clients that use Modern authentication protocols.
What should you implement?
A. a conditional access policy in Azure AD
B. a compliance policy in Microsoft Intune
C. an OAuth policy in Microsoft Defender for Cloud Apps
D. an application control profile in Microsoft Intune
Selected Answer: A