
Microsoft - SC-300: Microsoft Identity and Access Administrator

Sample Questions

Question: 267
Measured Skill: Implement and manage user identities (20–25%)

A company has a hybrid environment with both on-premises Active Directory and Microsoft Entra ID. An IT administrator notices that users are not syncing anymore from the on-premises directory to the cloud.

You need to make sure that Active Directory and Microsoft Entra ID are in sync.

What is the first step you should take to troubleshoot the issue?

A Check the network connectivity between the on-premises network and Microsoft Entra ID.
B Check the Microsoft Entra Connect sync configuration.
C Check the Microsoft Entra Connect Health sync status.
D Check the Event Viewer for error messages.

Correct answer: C

Explanation:

As the first step, we should check the Microsoft Entra Connect Health sync status.

Microsoft Entra Connect Health provides robust monitoring of your on-premises identity infrastructure. It enables you to maintain a reliable connection to Microsoft 365 and Microsoft Online Services. This reliability is achieved by providing monitoring capabilities for your key identity components. Also, it makes the key data points about these components easily accessible.

The information is presented in the Microsoft Entra Connect Health portal. Use the Microsoft Entra Connect Health portal to view alerts, performance monitoring, usage analytics, and other information. Microsoft Entra Connect Health enables the single lens of health for your key identity components in one place.

References:

What is Microsoft Entra Connect?

Monitor Microsoft Entra Connect Sync with Microsoft Entra Connect Health



Question: 268
Measured Skill: Implement authentication and access management (25–30%)

Your organization has an existing Microsoft 365 tenant. The following new end-user devices have been onboarded into your tenant:



You set up a conditional access policy as shown in the exhibits.







The support desk receives complaints that users are unable to access cloud resources due to MFA registration failing.

You need to report which of the new devices have been blocked from accessing cloud resources.

Which three devices does the Conditional Access policy block from accessing cloud resources?

(Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.)

A DeviceE
B DeviceF
C DeviceD
D DeviceB
E DeviceA
F DeviceC

Correct answer: B, E, F

Explanation:

The Conditional Access policy grants access for Microsoft Entra hybrid joined devices located in the UK office (DeviceD, DeviceB, DeviceE).

All other devices are not granted access and thus are blocked (DeviceA, DeviceF, DeviceC).

Reference: What is Conditional Access?



Question: 269
Measured Skill: Implement and manage user identities (20–25%)

Your network contains an on-premises Active Directory Domain Services (AD DS) domain named fabrikam.com. The domain contains an Active Directory Federation Services (AD FS) instance and a member server named Server1 that runs Windows Server.

The domain contains the users shown in the following table.



You have a Microsoft Entra tenant named contoso.com that is linked to a Microsoft 365 subscription.

You establish federation between fabrikam.com and contoso.com by using a Microsoft Entra Connect instance that is configured as shown in the following exhibit.



You perform the following tasks in contoso.com:
  • Create a group named Group1.
  • Disable User2.
  • Enable User3.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

(NOTE: Each correct selection is worth one point.)

A You can add User1 to Group1: Yes
User2 can sign in to Server1: Yes
User3 can sign in to Microsoft 365: Yes
B You can add User1 to Group1: Yes
User2 can sign in to Server1: Yes
User3 can sign in to Microsoft 365: No
C You can add User1 to Group1: Yes
User2 can sign in to Server1: No
User3 can sign in to Microsoft 365: Yes
D You can add User1 to Group1: No
User2 can sign in to Server1: Yes
User3 can sign in to Microsoft 365: No
E You can add User1 to Group1: No
User2 can sign in to Server1: No
User3 can sign in to Microsoft 365: Yes
F You can add User1 to Group1: No
User2 can sign in to Server1: No
User3 can sign in to Microsoft 365: No

Correct answer: B

Explanation:

All three accounts are synched from on-premises Active Directory to Microsoft Entra ID. Even disabled accounts are synchronized.

Because User3 is disabled in on-premises AD, the account in Entra ID is disabled as well. If we enabled the account on-premises, the account in Entra ID would be enabled on the next sync cycle.

All three changes mentioned in the task are made in the cloud. Authentication for sign-ins to the cloud services takes place on-premises. The task states that Microsoft Entra Connect is used to establish federation between fabrikam.com and contoso.com.

User1 is synched to Entra ID and can be added as a member to a cloud-based group.

The account of User2 is disabled in Entra ID. The user state is not written back to on-premises. User2 can sign in to on-premises resources (Server1).

The account of User3 is enabled in Entra ID but disabled on-premises. User3 cannot sign in to on-premises or cloud-based resources.

Note: When password hash synchronization is enabled, the password complexity policies in your on-premises Active Directory instance override complexity policies in the cloud for synchronized users. You can use all of the valid passwords from your on-premises Active Directory instance to access Microsoft Entra services.

References:

Microsoft Entra Connect Sync: Understanding Users, Groups, and Contacts

Implement password hash synchronization with Microsoft Entra Connect Sync



Question: 270
Measured Skill: Implement and manage user identities (20–25%)

You have a Microsoft Entra tenant that has a Microsoft Entra ID P2 service plan. The tenant contains the users shown in the following table.



You have the Device settings shown in the following exhibit.



User1 has the devices shown in the following table.



For each of the following statements, select Yes if the statement is true. Otherwise, select No.

(NOTE: Each correct selection is worth one point.)

A User1 can join four additional Windows 10 devices to Microsoft Entra ID: Yes
Admin1 can set Require Multi-Factor Authentication to register or join devices with Entra ID to Yes: Yes
Admin2 is a local administrator on Device3: Yes
B User1 can join four additional Windows 10 devices to Microsoft Entra ID: Yes
Admin1 can set Require Multi-Factor Authentication to register or join devices with Entra ID to Yes: Yes
Admin2 is a local administrator on Device3: No
C User1 can join four additional Windows 10 devices to Microsoft Entra ID: No
Admin1 can set Require Multi-Factor Authentication to register or join devices with Entra ID to Yes: Yes
Admin2 is a local administrator on Device3: No
D User1 can join four additional Windows 10 devices to Microsoft Entra ID: No
Admin1 can set Require Multi-Factor Authentication to register or join devices with Entra ID to Yes: Yes
Admin2 is a local administrator on Device3: Yes
E User1 can join four additional Windows 10 devices to Microsoft Entra ID: No
Admin1 can set Require Multi-Factor Authentication to register or join devices with Entra ID to Yes: No
Admin2 is a local administrator on Device3: Yes
F User1 can join four additional Windows 10 devices to Microsoft Entra ID: No
Admin1 can set Require Multi-Factor Authentication to register or join devices with Entra ID to Yes: No
Admin2 is a local administrator on Device3: No

Correct answer: C

Explanation:

The maximum number of devices per user is set to 5. The restriction includes joined and registered devices.

To manage a Windows device, you need to be a member of the local administrators group. As part of the Microsoft Entra join process, Microsoft Entra ID updates the membership of this group on a device. You can customize the membership update to satisfy your business requirements. A membership update is, for example, helpful if you want to enable your helpdesk staff to do tasks requiring administrator rights on a device.

At the time of Microsoft Entra join, the following security principals are added to the local administrators group on the device:

  • The Microsoft Entra Joined Device Local Administrator and the Global Administrator roles
  • The user performing the Microsoft Entra join

References:

Manage device identities using the Microsoft Entra admin center

How to manage the local administrators group on Microsoft Entra joined devices



Question: 271
Measured Skill: Implement and manage user identities (20–25%)

You have an Azure subscription named Sub1 that contains a user named User1.

You need to ensure that User1 can purchase a Microsoft Entra Permissions Management license for Sub1. The solution must follow the principle of least privilege.

Which role should you assign to User1?

A Global Administrator
B Billing Administrator
C Permissions Management Administrator
D User Access Administrator

Correct answer: B

Explanation:

In Microsoft Azure and Microsoft Entra Permissions Management, role assignments grant users permissions to monitor and take action in multicloud environments.

  • Global Administrator: Manages all aspects of Microsoft Entra Admin Center and Microsoft services that use Microsoft Entra Admin Center identities.
  • Billing Administrator: Performs common billing related tasks like updating payment information.
  • Permissions Management Administrator: Manages all aspects of Microsoft Entra Permissions Management.

Reference: Microsoft Entra Permissions Management roles and permissions levels





 
 
 

© Copyright 2014 - 2024 by cert2brain.com