Microsoft - SC-300: Microsoft Identity and Access Administrator

Sample Questions

Question: 404
Measured Skill: Implement authentication and access management (25–30%)

You have a Microsoft 365 E5 subscription that has a Conditional Access policy named Policy1.

You need to perform the following actions:
  • Create a Conditional Access App Control custom policy named Custom1.
  • Configure Policy1 to use Custom1.
What should you use to create Custom1, and in which settings of Policy1 should you enable Conditional Access App Control?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)

www.cert2brain.com

A Use: Microsoft 365 admin center
Settings: Grant
B Use: Microsoft Defender portal
Settings: Session
C Use: Microsoft Entra admin center
Settings: Target resources
D Use: Microsoft Entra admin center
Settings: Session
E Use: Microsoft Intune admin center
Settings: Filter for devices under Conditions
F Use: Microsoft Purview portal
Settings: Client apps under Conditions

Correct answer: B

Explanation:

Conditional Access app control uses access policies and session policies to monitor and control user app access and sessions in real time, across your organization.

Each policy has conditions to define who (which user or group of users), what (which cloud apps), and where (which locations and networks) the policy is applied to. After you determine the conditions, route your users first to Defender for Cloud Apps. There, you can apply the access and session controls to help protect your data.

To create Microsoft Defender for Cloud Apps access and session policies, you use the Microsoft Defender portal.

To route your users to Defender for Cloud Apps, you enable Conditional Access App Control under the Session controls of the Conditional Access policy (Session > Use Conditional Access App Control > Use custom policy, selecting Custom1). The Grant controls only decide whether the sign-in is allowed; they cannot hand the session to Defender for Cloud Apps. The app targeted by Policy1 must also be onboarded to Defender for Cloud Apps, otherwise the session policy has nothing to apply to.
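The same setting as it appears in the Microsoft Graph representation of a Conditional Access policy, as an added example that is not part of the original page: the payloads are constructed, nothing is sent to a tenant, and the helper names are my own. The point it shows is that Conditional Access App Control lives under sessionControls.cloudAppSecurity (cloudAppSecurityType mcasConfigured is the "Use custom policy" choice), not under grantControls, and the audit function reports which policies in a tenant listing already route sessions to Defender for Cloud Apps.

```python
"""Where Conditional Access App Control sits in a Graph conditionalAccessPolicy.

Added example, not from the page. Payloads are constructed; nothing is sent to a tenant.
Graph cloudAppSecurityType values: monitorOnly, blockDownloads, mcasConfigured ("Use custom policy").
"""
import json

APP_CONTROL_TYPES = {
    "monitor": "monitorOnly",
    "block-downloads": "blockDownloads",
    "custom": "mcasConfigured",
}


def session_controls_for_app_control(kind="custom"):
    """The setting lives under sessionControls, not grantControls: grant controls decide
    whether a sign-in is allowed, session controls shape what happens after it is."""
    return {"cloudAppSecurity": {"isEnabled": True,
                                 "cloudAppSecurityType": APP_CONTROL_TYPES[kind]}}


def patch_body(kind="custom"):
    """Body for PATCH /identity/conditionalAccess/policies/{id}; other settings are untouched."""
    return {"sessionControls": session_controls_for_app_control(kind)}


def policies_with_app_control(list_response_json):
    """Audit a GET /identity/conditionalAccess/policies response for policies that route
    sessions to Defender for Cloud Apps. sessionControls can be null in real responses."""
    found = {}
    for policy in json.loads(list_response_json)["value"]:
        cas = ((policy.get("sessionControls") or {}).get("cloudAppSecurity")) or {}
        if cas.get("isEnabled"):
            found[policy["displayName"]] = cas.get("cloudAppSecurityType")
    return found


# Constructed Graph list response, trimmed to the fields the audit reads.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "1", "displayName": "Policy1", "state": "enabled",
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
     "sessionControls": {"cloudAppSecurity": {"isEnabled": True,
                                              "cloudAppSecurityType": "mcasConfigured"}}},
    {"id": "2", "displayName": "Policy2", "state": "enabled",
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
     "sessionControls": None},
]})

if __name__ == "__main__":
    print(json.dumps(patch_body("custom"), indent=2))
    print(policies_with_app_control(SAMPLE_RESPONSE))
```

Running the module prints the PATCH body for Policy1 and reports Policy1 as the only policy that routes sessions through Defender for Cloud Apps.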

References:

Conditional Access app control in Microsoft Defender for Cloud Apps

Use Defender for Cloud Apps Conditional Access app control



Question: 405
Measured Skill: Implement authentication and access management (25–30%)

You have a Microsoft 365 E5 subscription that contains three groups named Group1, Group2, and Group3, and the users shown in the following table.



You create a Conditional Access policy named CA1 that has the following settings:
  • Users
    • Include
      • Users and groups: Group1
    • Exclude
      • Users and groups: Group2
      • Directory roles: Global Administrator
    • Target resources
      • Include: All cloud apps
    • Access controls
      • Grant: Require multifactor authentication
You create a Conditional Access policy named CA2 that has the following settings:
  • Users
    • Include
      • Users and groups: Group2
    • Exclude
      • Users and groups: Group3
    • Target resources
      • Include: All cloud apps
    • Access controls
      • Grant: Block access
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

(NOTE: Each correct selection is worth one point.)


A User1 will be prompted for multifactor authentication (MFA) when the user signs in to Microsoft SharePoint Online: Yes
User2 will be prevented from signing in to Microsoft SharePoint Online: Yes
User3 will be prevented from signing in to Microsoft SharePoint Online: Yes
B User1 will be prompted for multifactor authentication (MFA) when the user signs in to Microsoft SharePoint Online: Yes
User2 will be prevented from signing in to Microsoft SharePoint Online: Yes
User3 will be prevented from signing in to Microsoft SharePoint Online: No
C User1 will be prompted for multifactor authentication (MFA) when the user signs in to Microsoft SharePoint Online: No
User2 will be prevented from signing in to Microsoft SharePoint Online: Yes
User3 will be prevented from signing in to Microsoft SharePoint Online: No
D User1 will be prompted for multifactor authentication (MFA) when the user signs in to Microsoft SharePoint Online: No
User2 will be prevented from signing in to Microsoft SharePoint Online: Yes
User3 will be prevented from signing in to Microsoft SharePoint Online: Yes
E User1 will be prompted for multifactor authentication (MFA) when the user signs in to Microsoft SharePoint Online: No
User2 will be prevented from signing in to Microsoft SharePoint Online: No
User3 will be prevented from signing in to Microsoft SharePoint Online: Yes
F User1 will be prompted for multifactor authentication (MFA) when the user signs in to Microsoft SharePoint Online: No
User2 will be prevented from signing in to Microsoft SharePoint Online: No
User3 will be prevented from signing in to Microsoft SharePoint Online: No

Correct answer: C

Explanation:

A Conditional Access policy must include a user, group, or workload identity assignment as one of the signals in the decision process. These identities can be included or excluded, and an exclusion always takes precedence over an inclusion. Microsoft Entra ID evaluates every policy that applies to a sign-in and enforces all of their controls, so a Block access result from one policy cannot be offset by another policy that merely requires MFA.

CA1 includes Group1 and excludes Group2 and the Global Administrator role (User1). Given the memberships in the table, CA1 applies to none of the three users, so nobody is prompted for MFA by CA1.

CA2 includes Group2 and excludes Group3, so it applies to User2 only. CA2 prevents User2 from signing in to Microsoft SharePoint Online; User3 falls outside both policies and is not blocked.
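The evaluation rule just described, written out as an added example that is not part of the original page: include and exclude sets per policy, an exclusion beating an inclusion, and the controls of every applicable policy combined so that a block wins over MFA. The group memberships and the Global Administrator role of User1 are constructed here to reproduce the explanation, since the page's user table is not reproduced above; the class and function names are my own.

```python
"""Conditional Access include/exclude evaluation across several policies.

Added example, not from the page. Users, group memberships and policies are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    roles: frozenset = frozenset()


@dataclass
class Policy:
    name: str
    grant: str                               # "mfa" or "block"
    include_groups: frozenset = frozenset()
    include_roles: frozenset = frozenset()
    include_all_users: bool = False
    exclude_groups: frozenset = frozenset()
    exclude_roles: frozenset = frozenset()

    def applies_to(self, user):
        included = (self.include_all_users
                    or bool(user.groups & self.include_groups)
                    or bool(user.roles & self.include_roles))
        excluded = (bool(user.groups & self.exclude_groups)
                    or bool(user.roles & self.exclude_roles))
        return included and not excluded     # an exclusion always beats an inclusion


def decide(user, policies):
    """Combine every policy that applies: a block anywhere wins; otherwise every grant
    control must be satisfied, so an MFA requirement from any policy stands."""
    applicable = [p for p in policies if p.applies_to(user)]
    if any(p.grant == "block" for p in applicable):
        return "block"
    if any(p.grant == "mfa" for p in applicable):
        return "mfa"
    return "allow"


CA1 = Policy("CA1", "mfa",
             include_groups=frozenset({"Group1"}),
             exclude_groups=frozenset({"Group2"}),
             exclude_roles=frozenset({"Global Administrator"}))
CA2 = Policy("CA2", "block",
             include_groups=frozenset({"Group2"}),
             exclude_groups=frozenset({"Group3"}))

# Constructed memberships chosen to match the explanation; the page's table is not shown here.
USERS = {
    "User1": User("User1", frozenset({"Group1"}), frozenset({"Global Administrator"})),
    "User2": User("User2", frozenset({"Group1", "Group2"})),
    "User3": User("User3", frozenset({"Group2", "Group3"})),
}


def decisions(policies=(CA1, CA2)):
    """Outcome per user for SharePoint Online (covered by 'All cloud apps')."""
    return {name: decide(user, policies) for name, user in USERS.items()}


if __name__ == "__main__":
    for name, outcome in decisions().items():
        print(f"{name}: {outcome}")
```

With these memberships the output is allow for User1, block for User2 and allow for User3, which is answer C; adding a policy that includes all users with Block access shows that the block overrides the MFA requirement rather than merging with it.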

Reference: Conditional Access: Users, groups, and workload identities



Question: 406
Measured Skill: Implement authentication and access management (25–30%)

You have an Azure subscription that is linked to a Microsoft Entra tenant. The tenant contains three users named User1, User2 and User3.

You have the devices shown in the following table.



You deploy a virtual machine that has the following configurations:
  • Name: VM1
  • Resource group: RG1
  • Operating system: Windows Server
  • Login with Microsoft Entra ID: Enabled
You have the Azure role assignments shown in the following table.



For each of the following statements, select Yes if the statement is true. Otherwise, select No.

(NOTE: Each correct selection is worth one point.)


A User1 can sign in to VM1 from Device1 by using their Microsoft Entra credentials: Yes
User2 can sign in to VM1 from Device2 by using their Microsoft Entra credentials: Yes
User3 can sign in to VM1 from Device3 by using their Microsoft Entra credentials: Yes
B User1 can sign in to VM1 from Device1 by using their Microsoft Entra credentials: Yes
User2 can sign in to VM1 from Device2 by using their Microsoft Entra credentials: Yes
User3 can sign in to VM1 from Device3 by using their Microsoft Entra credentials: No
C User1 can sign in to VM1 from Device1 by using their Microsoft Entra credentials: Yes
User2 can sign in to VM1 from Device2 by using their Microsoft Entra credentials: No
User3 can sign in to VM1 from Device3 by using their Microsoft Entra credentials: Yes
D User1 can sign in to VM1 from Device1 by using their Microsoft Entra credentials: No
User2 can sign in to VM1 from Device2 by using their Microsoft Entra credentials: Yes
User3 can sign in to VM1 from Device3 by using their Microsoft Entra credentials: No
E User1 can sign in to VM1 from Device1 by using their Microsoft Entra credentials: No
User2 can sign in to VM1 from Device2 by using their Microsoft Entra credentials: Yes
User3 can sign in to VM1 from Device3 by using their Microsoft Entra credentials: Yes
F User1 can sign in to VM1 from Device1 by using their Microsoft Entra credentials: No
User2 can sign in to VM1 from Device2 by using their Microsoft Entra credentials: No
User3 can sign in to VM1 from Device3 by using their Microsoft Entra credentials: No

Correct answer: E

Explanation:

Organizations can improve the security of Windows devices in Azure or connected using Azure Arc by integrating with Microsoft Entra authentication. You can now use Microsoft Entra ID as a core authentication platform to Remote Desktop Protocol (RDP) into supported versions of Windows. You can then centrally control and enforce Azure role-based access control (RBAC) and Conditional Access policies that allow or deny access to the devices.

A user account in Microsoft Entra ID must be added to a role assignment in Azure (at the VM1, resource group, or subscription scope) before the user is allowed to sign in to Azure virtual machines or Arc-connected Windows Servers. The same roles are used for both Azure virtual machines and Arc-enabled Windows Server:

  • Virtual Machine Administrator Login: Users who have this role assigned can sign in to an Azure virtual machine with administrator privileges.

  • Virtual Machine User Login: Users who have this role assigned can sign in to an Azure virtual machine with regular user privileges.

The role assignment is only half of the check. The device the user connects from must be Microsoft Entra joined, hybrid joined, or Microsoft Entra registered to the same tenant as VM1 (or, with a Remote Desktop client that supports it, the user signs in with a web account), and any Conditional Access policy targeting the Azure Windows VM Sign-In app is enforced as well. That is why the devices table matters as much as the role table when deciding each statement.

References:

Sign in to Windows virtual machine in Azure or Arc-enabled Windows Server, using Microsoft Entra ID and Azure Roles Based Access Control

Remote Desktop client overview



Question: 407
Measured Skill: Implement authentication and access management (25–30%)

You have an Azure subscription that contains two resource groups named RG1 and RG2, and a storage account named storage1.

You assign roles for the subscription as shown in the following table.



You assign roles for RG1 as shown in the following table.



You assign roles for storage1 as shown in the following exhibit.



Roles are NOT assigned for other Azure resources.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

(NOTE: Each correct selection is worth one point.)


A User1 can read the data stored in storage1: Yes
User2 can create a virtual network in RG2: Yes
User3 can assign roles for storage1: Yes
B User1 can read the data stored in storage1: Yes
User2 can create a virtual network in RG2: Yes
User3 can assign roles for storage1: No
C User1 can read the data stored in storage1: No
User2 can create a virtual network in RG2: Yes
User3 can assign roles for storage1: No
D User1 can read the data stored in storage1: No
User2 can create a virtual network in RG2: Yes
User3 can assign roles for storage1: Yes
E User1 can read the data stored in storage1: No
User2 can create a virtual network in RG2: No
User3 can assign roles for storage1: Yes
F User1 can read the data stored in storage1: No
User2 can create a virtual network in RG2: No
User3 can assign roles for storage1: No

Correct answer: E

Explanation:

User1 has the Reader role at the subscription scope and the Reader and Data Access role at the RG1 scope. Reader is a control-plane role: it inherits down to storage1 and lets User1 read the configuration of storage1, but it carries no data actions and no listKeys permission, so it does not expose the content of storage1.

The Reader and Data Access role would allow read/write access to all data contained in a storage account through access to the storage account keys. However, role assignments inherit downward only; because storage1 is located in RG2, an assignment scoped to RG1 never applies to storage1.

User2 has Contributor at the RG1 scope. User2 can create a virtual network in RG1 but not in RG2, because nothing is assigned at the RG2 or subscription scope.

User3 has the User Access Administrator role at the storage1 scope. User Access Administrator carries Microsoft.Authorization/* and is designed to manage access to Azure resources, including assigning roles to users, groups, or service principals. Scoped to storage1, it lets User3 assign roles on storage1 (and nowhere else).
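The scope and action logic behind Questions 406 and 407, as an added example that is not part of the original page: assignments inherit down the scope chain (subscription, resource group, resource) and never sideways, a role's NotActions subtract only from that role, and data-plane operations need a role with data actions. The role definitions are abbreviated copies of the built-in roles, the assignments are constructed to mirror the explanation for Question 407 (storage1 in RG2) with one Virtual Machine User Login assignment added for VM1 from Question 406, and the subscription ID and function names are placeholders of my own.

```python
"""Azure RBAC effective-permission check across scopes.

Added example, not from the page or from Microsoft. Role definitions are abbreviated
copies of the built-in roles; assignments are constructed.
"""
from fnmatch import fnmatchcase

# actions = control plane (ARM), data_actions = data plane. "*" and "*/read" are Azure wildcards.
ROLES = {
    "Reader": {"actions": ["*/read"]},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},   # abbreviated
    "User Access Administrator": {"actions": ["*/read", "Microsoft.Authorization/*",
                                              "Microsoft.Support/*"]},
    "Reader and Data Access": {"actions": ["Microsoft.Storage/storageAccounts/listKeys/action",
                                           "Microsoft.Storage/storageAccounts/ListAccountSas/action",
                                           "Microsoft.Storage/storageAccounts/read"]},
    "Storage Blob Data Reader": {
        "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],  # abbreviated
        "data_actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"]},
    "Virtual Machine User Login": {
        "data_actions": ["Microsoft.Compute/virtualMachines/login/action"]},
    "Virtual Machine Administrator Login": {
        "data_actions": ["Microsoft.Compute/virtualMachines/login/action",
                         "Microsoft.Compute/virtualMachines/loginAsAdmin/action"]},
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"        # placeholder subscription
RG1, RG2 = SUB + "/resourceGroups/RG1", SUB + "/resourceGroups/RG2"
STORAGE1 = RG2 + "/providers/Microsoft.Storage/storageAccounts/storage1"
VM1 = RG1 + "/providers/Microsoft.Compute/virtualMachines/VM1"

# Constructed assignments: (principal, role, scope). storage1 lives in RG2, as in the explanation.
ASSIGNMENTS = [
    ("User1", "Reader", SUB),
    ("User1", "Reader and Data Access", RG1),
    ("User2", "Contributor", RG1),
    ("User3", "User Access Administrator", STORAGE1),
    ("User2", "Virtual Machine User Login", VM1),
]


def in_scope(assignment_scope, target_scope):
    """Assignments inherit downward: they cover the assigned scope and everything beneath it."""
    a, t = assignment_scope.lower(), target_scope.lower()
    return t == a or t.startswith(a + "/")


def matches(operation, patterns):
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)


def allowed(principal, operation, scope, data_plane=False):
    """True if some in-scope assignment's role grants the operation and does not exclude it.
    NotActions only subtract within their own role; they never override another assignment."""
    grant, deny = (("data_actions", "not_data_actions") if data_plane
                   else ("actions", "not_actions"))
    for who, role_name, assignment_scope in ASSIGNMENTS:
        if who != principal or not in_scope(assignment_scope, scope):
            continue
        role = ROLES[role_name]
        if matches(operation, role.get(grant, [])) and not matches(operation, role.get(deny, [])):
            return True
    return False


if __name__ == "__main__":
    checks = [
        ("User1 reads storage1 configuration", "User1",
         "Microsoft.Storage/storageAccounts/read", STORAGE1, False),
        ("User1 reads blob data in storage1", "User1",
         "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", STORAGE1, True),
        ("User1 lists storage1 keys", "User1",
         "Microsoft.Storage/storageAccounts/listKeys/action", STORAGE1, False),
        ("User2 creates a VNet in RG2", "User2", "Microsoft.Network/virtualNetworks/write", RG2, False),
        ("User2 creates a VNet in RG1", "User2", "Microsoft.Network/virtualNetworks/write", RG1, False),
        ("User3 assigns a role on storage1", "User3",
         "Microsoft.Authorization/roleAssignments/write", STORAGE1, False),
        ("User3 assigns a role on RG2", "User3",
         "Microsoft.Authorization/roleAssignments/write", RG2, False),
        ("User2 signs in to VM1 as a user", "User2",
         "Microsoft.Compute/virtualMachines/login/action", VM1, True),
        ("User2 signs in to VM1 as admin", "User2",
         "Microsoft.Compute/virtualMachines/loginAsAdmin/action", VM1, True),
    ]
    for label, who, op, scope, data in checks:
        print(f"{label}: {'Yes' if allowed(who, op, scope, data) else 'No'}")
```

The storage1 checks come out No, No, Yes for User1, User2 and User3, matching answer E; the VM1 checks show that Virtual Machine User Login grants the login data action but not loginAsAdmin. For a live tenant the same question is answered by listing assignments at the resource scope with inheritance included, which the Azure portal's "Check access" blade does for you.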

References:

Azure built-in roles

Assign Azure roles using the Azure portal



Question: 408
Measured Skill: Plan and implement workload identities (20–25%)

You have an Azure subscription named Sub1 that contains an Azure key vault named Vault1 and an Azure Automation account named Automation1.

You need to ensure that Automation1 can access Vault1. The solution must meet the following requirements:
  • Ensure that if Automation1 is deleted, the permissions granted for Vault1 will be removed automatically.
  • Ensure that runbooks created in Automation1 can read secret values stored in Vault1.
  • Follow the principle of least privilege.
What should you configure for Automation1, and which built-in role should Automation1 use to access Vault1?

(To answer, select the appropriate options in the answer area. NOTE: Each correct answer is worth one point.)


A For Automation1, configure: A service account
Role: Key Vault Crypto User
B For Automation1, configure: A system-assigned managed identity
Role: Key Vault Secrets User
C For Automation1, configure: A user-assigned managed identity
Role: Key Vault Reader
D For Automation1, configure: An app registration
Role: Key Vault Crypto Officer
E For Automation1, configure: An app registration
Role: Key Vault Secrets Officer
F For Automation1, configure: An enterprise application
Role: Key Vault Reader

Correct answer: B

Explanation:

A common challenge for developers is the management of secrets, credentials, certificates, and keys used to secure communication between services. Manual handling of secrets and certificates are a known source of security issues and outages. Managed identities eliminate the need for developers to manage these credentials. Applications can use managed identities to obtain Microsoft Entra tokens without having to manage any credentials.

There are two types of managed identities:

  • System-assigned. Some Azure resources, such as virtual machines allow you to enable a managed identity directly on the resource. When you enable a system-assigned managed identity:

    • A service principal of a special type is created in Microsoft Entra ID for the identity. The service principal is tied to the lifecycle of that Azure resource. When the Azure resource is deleted, Azure automatically deletes the service principal for you.
    • By design, only that Azure resource can use this identity to request tokens from Microsoft Entra ID.
    • You authorize the managed identity to have access to one or more services.
    • The name of the system-assigned service principal is always the same as the name of the Azure resource it's created for. For a deployment slot, the name of its system-assigned managed identity is <app-name>/slots/<slot-name>.
  • User-assigned. You may also create a managed identity as a standalone Azure resource. You can create a user-assigned managed identity and assign it to one or more Azure Resources. When you enable a user-assigned managed identity:

    • A service principal of a special type is created in Microsoft Entra ID for the identity. The service principal is managed separately from the resources that use it.
    • User-assigned managed identities can be used by multiple resources.
    • You authorize the managed identity to have access to one or more services.

    User-assigned managed identities, which are provisioned independently from compute and can be assigned to multiple compute resources, are the recommended managed identity type for Microsoft services in general. Here, though, the first requirement decides it: a user-assigned identity is its own Azure resource and outlives Automation1, whereas a system-assigned identity is deleted together with the Automation account, so nothing can exercise the Vault1 access granted to it after the deletion. An app registration, enterprise application, or service account would leave a credential to manage and would likewise survive the deletion.

The Key Vault Secrets User role is the least privileged built-in role that allows reading secret contents, including the secret portion of a certificate with a private key; its data actions are getSecret and readMetadata on secrets. Key Vault Reader reads only vault and object metadata, never secret values, so it fails the second requirement, while Key Vault Secrets Officer and the Crypto roles grant more than a runbook that reads secrets needs. These data-plane roles take effect only when Vault1 uses the Azure role-based access control permission model; with the legacy vault access policy model, the identity would need a Get permission on secrets in the access policy instead.
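How a runbook uses the system-assigned identity to read a secret, as an added example that is not part of the original page and not Microsoft's sample code. It assumes an Azure Automation Python runbook, where the sandbox exposes the identity endpoint through the IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables, and it calls the Key Vault REST API directly so that nothing beyond the standard library is needed. The vault name, the secret name, and the two api-version values are assumptions for illustration; the token audience for Key Vault is https://vault.azure.net. No credential is stored anywhere: the runbook proves who it is through the identity endpoint, and the only permission it needs is what Key Vault Secrets User grants.

```python
"""Runbook-style secret read with a system-assigned managed identity.

Added example, not from the page. Constructed for Azure Automation Python runbooks.
"""
import json
import os
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

KEY_VAULT_RESOURCE = "https://vault.azure.net"   # token audience for the Key Vault data plane
IDENTITY_API_VERSION = "2019-08-01"              # assumed identity-endpoint version
KEY_VAULT_API_VERSION = "7.4"                    # assumed Key Vault REST version


def token_request(identity_endpoint, identity_header, resource=KEY_VAULT_RESOURCE):
    """URL and headers for asking the managed identity endpoint for a token.
    IDENTITY_HEADER is a per-sandbox value that only proves the caller runs inside the runbook;
    there is no client secret to store or rotate."""
    query = urlencode({"resource": resource, "api-version": IDENTITY_API_VERSION})
    return identity_endpoint + "?" + query, {"X-IDENTITY-HEADER": identity_header,
                                             "Metadata": "True"}


def parse_token(body):
    return json.loads(body)["access_token"]


def secret_request(vault_name, secret_name, access_token):
    """Key Vault REST GET for the secret value. With the RBAC permission model this call needs
    Microsoft.KeyVault/vaults/secrets/getSecret/action, which Key Vault Secrets User grants."""
    url = "https://%s.vault.azure.net/secrets/%s?api-version=%s" % (
        vault_name, quote(secret_name), KEY_VAULT_API_VERSION)
    return url, {"Authorization": "Bearer " + access_token}


def parse_secret(body):
    return json.loads(body)["value"]


def _get(url, headers):
    with urlopen(Request(url, headers=headers)) as resp:
        return resp.read().decode()


def read_secret(vault_name, secret_name):
    """Run inside the runbook: obtain a token as the Automation account's own identity,
    then fetch the secret. Raises KeyError if the identity endpoint is not present."""
    endpoint, header = os.environ["IDENTITY_ENDPOINT"], os.environ["IDENTITY_HEADER"]
    token = parse_token(_get(*token_request(endpoint, header)))
    return parse_secret(_get(*secret_request(vault_name, secret_name, token)))


if __name__ == "__main__":
    # Placeholder vault and secret names; only meaningful when run as a runbook.
    print(read_secret("Vault1", "db-password"))
```

Because the token is requested with the Key Vault audience rather than the ARM audience, a stolen copy of it cannot be used against the management plane; and because the identity disappears with Automation1, the access granted to Vault1 cannot be exercised by anything after the account is deleted.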

The following table shows the Azure built-in roles for Key Vault data plane operations:

References:

What is managed identities for Azure resources?

Provide access to Key Vault keys, certificates, and secrets with Azure role-based access control




© Copyright 2014 - 2025 by cert2brain.com