Microsoft - SC-300: Microsoft Identity and Access Administrator
Sample Questions
Question: 195
Measured Skill: Plan and implement identity governance in Azure AD (20–25%)
Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure AD tenant. The AD DS domain contains the organizational units (OUs) shown in the following table.
You need to create a break-glass account named BreakGlass.
Where should you create BreakGlass, and which role should you assign to BreakGlass?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
| A | Location: Azure AD
Role: Owner |
| B | Location: Azure AD
Role: Global Administrator |
| C | Location: OU1
Role: Global Administrator |
| D | Location: OU1
Role: Billing Administrator |
| E | Location: OU2
Role: Privileged Role Administrator |
| F | Location: OU2
Role: Owner |
Correct answer: BExplanation:
It is important that you prevent being accidentally locked out of your Azure Active Directory (Azure AD) organization because you can't sign in or activate another user's account as an administrator. You can mitigate the impact of accidental lack of administrative access by creating two or more emergency access accounts in your organization.
Emergency access accounts are highly privileged, and they are not assigned to specific individuals. Emergency access accounts are limited to emergency or "break glass"' scenarios where normal administrative accounts can't be used. Microsoft recommends that you maintain a goal of restricting emergency account use to only the times when it is absolutely necessary.
Why use an emergency access account
An organization might need to use an emergency access account in the following situations:
- The user accounts are federated, and federation is currently unavailable because of a cell-network break or an identity-provider outage. For example, if the identity provider host in your environment has gone down, users might be unable to sign in when Azure AD redirects to their identity provider.
- The administrators are registered through Azure AD Multi-Factor Authentication, and all their individual devices are unavailable or the service is unavailable. Users might be unable to complete Multi-Factor Authentication to activate a role. For example, a cell network outage is preventing them from answering phone calls or receiving text messages, the only two authentication mechanisms that they registered for their device.
- The person with the most recent Global Administrator access has left the organization. Azure AD prevents the last Global Administrator account from being deleted, but it does not prevent the account from being deleted or disabled on-premises. Either situation might make the organization unable to recover the account.
- Unforeseen circumstances such as a natural disaster emergency, during which a mobile phone or other networks might be unavailable.
Create emergency access accounts
Create two or more emergency access accounts. These accounts should be cloud-only accounts that use the *.onmicrosoft.com domain and that are not federated or synchronized from an on-premises environment.
Reference: Manage emergency access accounts in Azure AD
Question: 196
Measured Skill: Implement access management for applications (15–20%)
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.
You add an enterprise application named App1 to Azure AD and set User1 as the owner of App1.
App1 requires admin consent to access Azure AD before the app can be used.
You configure the Admin consent requests settings as shown in the following exhibit.
Admin1, Admin2, Admin3, and User1 are added as reviewers.
Which users can review and approve the admin consent requests?| A | Admin1 only |
| B | Admin1, Admin2 and Admin3 only |
| C | Admin1, Admin2, and User1 only |
| D | Admin1 and Admin2 only |
| E | Admin1, Admin2, Admin3, and User1 |
Correct answer: DExplanation:
The admin consent workflow gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer takes action on the request, and the user is notified of the action.
To approve requests, a reviewer must have the permissions required to grant admin consent for the application requested. Simply designating them as a reviewer doesn't elevate their privileges.
To grant tenant-wide admin consent, you need:
- An Azure AD user account with one of the following roles:
- Global Administrator or Privileged Role Administrator, for granting consent for apps requesting any permission, for any API.
- Cloud Application Administrator or Application Administrator, for granting consent for apps requesting any permission for any API, except Azure AD Graph or Microsoft Graph app roles (application permissions).
- A custom directory role that includes the permission to grant permissions to applications, for the permissions required by the application.
References:
Configure the admin consent workflow
Grant tenant-wide admin consent to an application
Question: 197
Measured Skill: Implement authentication and access management (25–30%)
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Cloud Apps and Conditional Access policies.
You need to block access to cloud apps when a user is assessed as high risk.
Which type of policy should you create in the Microsoft Defender for Cloud Apps portal?| A | Access policy |
| B | OAuth app policy |
| C | Anomaly detection policy |
| D | Activity policy |
Correct answer: AExplanation:
An access policy is the best possible answer option. Microsoft Defender for Cloud Apps access policies enable real-time monitoring and control over access to cloud apps based on user, location, device, and app.
Note: We don't neet to makes use Microsoft Defender for Cloud Apps to block access to cloud apps when a user is assessed as high risk. We could use an Identity Protection User-risk policy only or a Conditional Access policy only to achive the goal.
Reference: Access policies in Microsoft Defender for Cloud Apps
Question: 198
Measured Skill: Implement access management for applications (15–20%)
Your company has an Azure AD tenant that contains the users shown in the following table.
You have the app registrations shown in the following table.
A company policy prevents changes to user permissions.
Which user can create appointments in the calendar of each user at the company?| A | User1 |
| B | User2 |
| C | User3 |
| D | User4 |
Correct answer: BExplanation:
Keine der Azure RBAC-Rollen berechtigt für Schreibzugriffe auf die Kalender der Benutzer des Unternehmens.
Die delegierte Berechtigung Calendars.Read ermöglicht einer App, Kalenderdaten im Namen des angemeldeten Benutzers zu lesen.
Die Anwendungsberechtigung Calendars.ReadWrite ermöglicht einer App, Kalenderdaten in allen Kalendern ohne einen angemeldeten Benutzer zu erstellen, zu lesen, zu aktualisieren und zu löschen.
Der folgende Microsoft Learn-Artikel enthält weitere Informationen zum Thema:
Microsoft Graph-Berechtigungsreferenz
Question: 199
Measured Skill: Implement identities in Azure AD (20–25%)
You have an Azure AD tenant that contains the groups shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
(NOTE: Each correct selection is worth one point.)
| A | You can add a managed identity to Group2 only.
You can add an Azure AD cloud user to All Company, Group1, and Group2 only. |
| B | You can add a managed identity to All Company and Group1 only.
You can add an Azure AD cloud user to Group2, Group3, and Group4 only . |
| C | You can add a managed identity to Group2, Group3, and Group4 only.
You can add an Azure AD cloud user to All Company, Group1, and Group2 only. |
| D | You can add a managed identity to All Company, Group1, and Group2 only.
You can add an Azure AD cloud user to Group2 only. |
| E | You can add a managed identity to All Company, Group1, Group2, Group3, and Group4.
You can add an Azure AD cloud user to All Company and Group1 only. |
| F | You can add a managed identity to All Company, Group1, Group2, Group3, and Group4.
You can add an Azure AD cloud user to All Company, Group1, Group2, Group3, and Group4. |
Correct answer: AExplanation:
Managed identities can be added to any groups of type Security that are created in the cloud, are security-enabled, and have a membership type of Assigned. Microsoft 365 Groups cannot contain managed identities as members.
Manually adding cloud users directly to groups is only possible for groups that were created in the cloud and have the membership type "Assigned".