Microsoft - SC-300: Microsoft Identity and Access Administrator
Sample Questions
Question: 222
Measured Skill: Plan and implement workload identities (20–25%)
You have an Azure subscription.
You are evaluating enterprise software as a service (SaaS) apps.
You need to ensure that the apps support automatic provisioning of Azure AD users.
Which specification should the apps support?| A | OAuth 2.0 |
| B | WS-Fed |
| C | SCIM 2.0 |
| D | LDAP 3 |
Correct answer: CExplanation:
Microsoft Entra application provisioning refers to automatically creating user identities and roles in the applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. Common scenarios include provisioning a Microsoft Entra user into SaaS applications like Dropbox, Salesforce, ServiceNow, and many more.
Microsoft Entra ID also supports provisioning users into applications hosted on-premises or in a virtual machine, without having to open up any firewalls. The table below provides a mapping of protocols to connectors supported.
To help automate provisioning and deprovisioning, apps expose proprietary user and group APIs. User management in more than one app is a challenge because every app tries to perform the same actions. For example, creating or updating users, adding users to groups, or deprovisioning users. Often, developers implement these actions slightly different. For example, using different endpoint paths, different methods to specify user information, and different schema to represent each element of information.
To address these challenges, the System for Cross-domain Identity Management (SCIM) specification provides a common user schema to help users move into, out of, and around apps. SCIM is becoming the de facto standard for provisioning and, when used with federation standards like Security Assertions Markup Language (SAML) or OpenID Connect (OIDC), provides administrators an end-to-end standards-based solution for access management.
Reference: What is app provisioning in Microsoft Entra ID?
Question: 223
Measured Skill: Plan and implement workload identities (20–25%)
You have a hybrid Microsoft 365 subscription that contains the users shown in the following table.
You plan to deploy an on-premises app named App1. App1 will be registered in Azure AD and will use Azure AD Application Proxy.
You need to delegate the installation of the Application Proxy connector and ensure that User1 can register App1 in Azure AD. The solution must use the principle of least privilege.
Which user should perform the installation, and which role should you assign to User1?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
| A | User that should perform the installation: Admin1
Assign User1 the role of: Application Administrator |
| B | User that should perform the installation: Admin1
Assign User1 the role of: Global Administrator |
| C | User that should perform the installation: Admin2
Assign User1 the role of: Cloud Application Administrator |
| D | User that should perform the installation: Admin3
Assign User1 the role of: Application Developer |
| E | User that should perform the installation: Admin3
Assign User1 the role of: Application Administrator |
| F | User that should perform the installation: Admin4
Assign User1 the role of: Cloud Application Administrator |
Correct answer: CExplanation:
Users in the Application Administrator role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings.
Users in the Cloud Application Administrator role have the same permissions as the Application Administrator role, excluding the ability to manage application proxy. This role grants the ability to create and manage all aspects of enterprise applications and application registrations.
References:
Application Administrator
Cloud Application Administrator
Question: 224
Measured Skill: Implement and manage user identities (20–25%)
You have a Microsoft 365 E5 subscription that contains the users shown in the following table.
The users are assigned the roles shown in the following table.
For which users can User1 and User4 reset passwords?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
| A | User1: User3 only
User4: User3 and User5 only |
| B | User1: User2 and User5 only
User4: User2 and User3 only |
| C | User1: User3 and User5 only
User4: User3 only |
| D | User1: User2, User3, and User5 only
User4: User1, User2, and User3 only |
| E | User1: User3, User4, and User5 only
User4: User1, User2, and User3 only |
| F | User1: User3, User4, and User5
User4: User3 only |
Correct answer: FExplanation:
User1 is a Password Administrator for the entire organization. User1 can reset the passwords of all Non-Administrators, Directory Readers, Guest Inviters, and Password Administrators within the organization.
User4 is a Password Administrator for the administrative unit AU1. User4 can reset the passwords of all non-ndministrators within AU1. Password admins scoped to an administrative unit cannot reset passwords for any admin accounts.
References:
Who can reset passwords
Roles that can be assigned with administrative unit scope
Question: 225
Measured Skill: Plan and implement identity governance (20–25%)
You have an Azure subscription that contains a registered app named App1.
You need to review the sign-in activity for App1. The solution must meet the following requirements:
- Identify the number of failed sign-ins.
- Identify the success rate of sign-ins.
- Minimize administrative effort.
What should you use?| A | Sign-in logs |
| B | Access reviews |
| C | Audit logs |
| D | Usage & insights |
Correct answer: DExplanation:
With the Microsoft Entra Usage and insights reports, you can get an application-centric view of your sign-in data. Usage & insights includes a report on authentication methods, service principal sign-ins, and application credential activity. You can find answers to the following questions:
- What are the top used applications in my organization?
- What applications have the most failed sign-ins?
- What are the top sign-in errors for each application?
- What was the date of the last sign-in for an application?
References:
Usage and insights in Microsoft Entra ID
What are Microsoft Entra sign-in logs?
Question: 226
Measured Skill: Plan and implement identity governance (20–25%)
You have an Azure subscription.
Microsoft Entra ID logs are sent to a Log Analytics workspace.
You need to query the logs and graphically display the number of sign-ins per user.
How should you complete the query?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
| A | P1: extend
P2: render |
| B | P1: extend
P2: print |
| C | P1: project
P2: print |
| D | P1: project
P2: extend |
| E | P1: summarize
P2: print |
| F | P1: summarize
P2: render |
Correct answer: FExplanation:
The summarize operator produces a table that aggregates the content of the input table. The render operator instructs the user agent to render a visualization of the query results.
References:
KQL query examples
summarize operator
render operator