SC-300: Microsoft Identity and Access Administrator Practice Exam
Validates ability to implement identities in Microsoft Entra ID, authentication, access management, and identity governance.
Practice 601 exam-style SC-300 questions with full answer explanations, then take timed mock exams that score like the real thing.
What the SC-300 exam covers
- Implement Identities in Microsoft Entra ID (162 questions)
- Implement Authentication and Access Management (150 questions)
- Implement Access Management for Applications (144 questions)
- Plan and Implement Identity Governance (145 questions)
Free SC-300 sample questions
A sample of 10 questions with answers and explanations. Sign up free to practice all 601.
Question 1
Your organization is migrating from on-premises Active Directory to Microsoft Entra ID. Several users have UPN suffixes that use a non-routable domain (contoso.local). You need to ensure these users can sign in to Microsoft 365 services after synchronization. What should you do?
- A. Configure Microsoft Entra Connect to use the sAMAccountName as the sign-in identifier
- B. Add a custom domain name to Microsoft Entra ID that matches contoso.local and verify it
- C. Change the mail attribute for each user to a routable domain and use that as the primary identifier
- D. Add an alternate routable UPN suffix in Active Directory Domains and Trusts, update affected user accounts, then synchronize (Correct)
✓ Correct answer: D. Microsoft Entra ID requires that the UPN suffix be a verified, internet-routable domain, so a non-routable suffix such as contoso.local cannot be used for cloud sign-in. The fix is to add an alternate UPN suffix that matches a public domain you own in Active Directory Domains and Trusts, switch the affected users to that suffix, and then let Entra Connect synchronize the corrected userPrincipalName. After synchronization the cloud UPN is routable and works for Microsoft 365 authentication. This keeps the on-premises and cloud identities aligned without changing the sign-in model.
Why the other options are wrong:
- A. Configuring Entra Connect to use sAMAccountName is wrong because the cloud sign-in identifier must be a UPN-formatted, routable name, and sAMAccountName is a flat NetBIOS-style value that Entra ID does not accept for authentication.
- B. Adding contoso.local as a custom domain is wrong because Entra ID can only verify domains you can prove ownership of through public DNS, and a non-routable .local namespace has no public DNS to add the verification record to.
- C. Changing the mail attribute is wrong because the mail attribute is not the sign-in identifier; Entra ID authenticates against userPrincipalName, so editing mail does not make the account usable for sign-in.
Question 2
Fabrikam Inc has multiple departments that need to be represented in Microsoft Entra ID for dynamic group membership and attribute-based access control. The identity administrator wants to add a custom property called 'CostCenter' to user objects. What should the administrator use?
- A. Administrative units
- B. Custom security attributes (Correct)
- C. User properties in the Microsoft Entra admin center
- D. Directory extensions via Microsoft Entra Connect
✓ Correct answer: B. Custom security attributes are the appropriate feature for adding custom properties like "CostCenter" to user objects. They are specifically designed for storing custom organizational data that can be used in Conditional Access and other access control policies.
Why the other options are wrong:
- A. Administrative units are incorrect because they organize users, not add custom properties.
- C. User properties in the admin center are incorrect because they are limited to standard properties.
- D. Directory extensions via Entra Connect are incorrect because they synchronize custom AD attributes, not cloud-only custom properties.
Question 3
Which write-back capability is supported by Microsoft Entra Connect to synchronize cloud changes back to on-premises Active Directory?
- A. Conditional Access policy write-back
- B. Password write-back (Correct)
- C. Application registration write-back
- D. User creation write-back
✓ Correct answer: B. Password write-back is the capability that allows password changes made in the cloud (through SSPR or admin reset) to be synchronized back to on-premises Active Directory. This is the primary write-back feature supported by Microsoft Entra Connect.
Why the other options are wrong:
- A. Conditional Access policy write-back is incorrect because policies are cloud-only.
- C. Application registration write-back is incorrect because applications are not synced back.
- D. User creation write-back is incorrect because Entra Connect does not create users in on-premises AD.
Question 4
Humongous Insurance requires that all privileged administrators use phishing-resistant MFA when accessing the Azure portal. Which authentication strength should you configure in the Conditional Access policy?
- A. Multifactor authentication strength (built-in)
- B. Passwordless MFA strength (built-in)
- C. Phishing-resistant MFA strength (built-in) (Correct)
- D. A custom authentication strength requiring SMS and password
✓ Correct answer: C. Authentication strength offers a built-in Phishing-resistant MFA strength that permits only phishing-resistant methods such as FIDO2 security keys, Windows Hello for Business, and certificate-based authentication. Selecting this built-in strength in a Conditional Access policy for the Azure Management app enforces exactly the requirement that privileged admins use phishing-resistant MFA. It is the precise control for this scenario.
Why the other options are wrong:
- A. Multifactor authentication strength (built-in) is wrong because it accepts any MFA method, including phishable ones like SMS, so it does not enforce phishing resistance.
- B. Passwordless MFA strength (built-in) is wrong because, while stronger than basic MFA, it is not the strength specifically defined to require phishing-resistant methods.
- D. A custom strength requiring SMS and password is wrong because SMS is explicitly phishable, so such a combination is not phishing-resistant.
Question 5
You are configuring cross-tenant access settings for B2B collaboration. Which two settings can you configure per external organization? (Choose two.)
- A. Tenant deletion policies
- B. Outbound access settings (Correct)
- C. Password complexity requirements
- D. Inbound access settings (Correct)
✓ Correct answer: B, D. Cross-tenant access settings consist of both outbound and inbound configurations. Outbound settings control which external organizations your users can access and what resources. Inbound settings control which external organizations can access your resources and under what restrictions. These define bilateral trust boundaries between tenants.
Why the other options are wrong:
- A. Tenant deletion policies is incorrect because this is not part of cross-tenant access settings.
- C. Password complexity requirements is incorrect because this is an internal password policy, not cross-tenant.
Question 6
You are configuring Microsoft Entra application proxy for an on-premises web application. The application uses Integrated Windows Authentication (IWA). Which single sign-on method should you configure in the application proxy settings?
- A. Header-based SSO
- B. SAML-based SSO
- C. Password-based SSO
- D. Kerberos Constrained Delegation (KCD) (Correct)
✓ Correct answer: D. When publishing an Integrated Windows Authentication app through application proxy, single sign-on to the backend is achieved with Kerberos Constrained Delegation. The connector, after Entra ID pre-authentication, requests a Kerberos ticket on the user's behalf so the IWA app accepts the user without a second prompt. KCD is the SSO method built for Kerberos/IWA applications behind application proxy.
Why the other options are wrong:
- A. Header-based SSO is wrong because it is used for apps that consume identity via HTTP headers (often with a third-party access manager), not Kerberos-based IWA apps.
- B. SAML-based SSO is wrong because the backend app uses Windows Integrated Authentication, not SAML federation.
- C. Password-based SSO is wrong because it replays stored form credentials and is not the mechanism for Kerberos/IWA single sign-on.
Question 7
You are configuring an entitlement management catalog. Which two resource types can you add to a catalog for inclusion in access packages? (Choose two.)
- A. Azure storage accounts
- B. Microsoft Entra security groups (Correct)
- C. Enterprise applications (Correct)
- D. Azure virtual machines
✓ Correct answer: B, C. Entitlement management catalogs are containers of resources that can be included in access packages. The supported resource types include Microsoft Entra security groups (which can grant group membership), Microsoft 365 groups, SharePoint Online sites, enterprise applications (SaaS and custom applications), and Microsoft Entra roles. These resources define what users receive when they are assigned an access package.
Why the other options are wrong:
- A. Azure storage accounts is incorrect because Azure storage accounts are infrastructure resources not managed through entitlement management. Access to Azure resources is managed through Azure RBAC, not entitlement management catalogs.
- D. Azure virtual machines is incorrect because virtual machines are Azure infrastructure resources. Entitlement management focuses on access to applications, groups, and sites, not individual infrastructure assets. VM access is managed through Azure subscriptions and RBAC.
Question 8
You need to automatically remove guest user access if their access is not reviewed within 30 days. Which access review setting should you configure?
- A. Set 'If reviewers don't respond' to 'Remove access'
- B. Enable auto-apply results
- C. Set the review frequency to 30 days
- D. Both A and C must be configured together (Correct)
✓ Correct answer: D. To automatically remove guest access when it is not reviewed within 30 days, two access review settings must work in combination. The 30-day duration or recurrence establishes the timeframe, and the 'If reviewers don't respond' action set to 'Remove access' defines what happens to users left unreviewed when that period ends. Neither setting alone produces the intended automatic removal, so both must be configured together.
Why the other options are wrong:
- A. Setting 'If reviewers don't respond' to 'Remove access' alone defines the automatic action applied to unreviewed users, but on its own it does not establish the 30-day timeframe that determines when that action triggers, so the timing remains undefined.
- B. Enabling auto-apply results only ensures that the review's decisions are applied automatically after the review period rather than requiring manual application, so it does not by itself govern the outcome for reviewers who never respond.
- C. Setting the review frequency or duration to 30 days alone establishes the timeframe of the review, but on its own it does not specify what happens to users whose access goes unreviewed, so no automatic removal occurs without the corresponding action setting.
Question 9
A team is planning implementation procedures for the Implement Access Management for Applications domain. What should they prioritize?
- A. Avoid automation to maintain direct hands-on control
- B. Perform all changes manually through the management console
- C. Automate repeatable processes using infrastructure as code (Correct)
- D. Use undocumented ad-hoc scripts maintained by one person
✓ Correct answer: C. When planning application implementation procedures, the recommended approach is to automate repeatable processes using infrastructure as code. This ensures consistent, version-controlled configurations.
Why the other options are wrong:
- A. Avoiding automation to maintain direct hands-on control is incorrect because automation improves consistency.
- B. Performing all changes manually through the management console is incorrect because manual changes do not scale.
- D. Using undocumented ad-hoc scripts maintained by one person is incorrect because undocumented scripts lack maintainability.
Question 10
A consultant is reviewing the token protection configuration at Litware Inc. Which two actions should be performed to optimize the implementation? (Choose two.)
- A. Disable token protection monitoring
- B. Authentication context
- C. Windows Hello for Business (Correct)
- D. Microsoft Authenticator
- E. Passwordless authentication (Correct)
✓ Correct answer: C, E. Litware Inc should optimize token protection by implementing Windows Hello for Business as a secure credential and passwordless authentication to eliminate password-related token vulnerabilities. These reduce token exposure through credential modernization.
Why the other options are wrong:
- A. Disabling token protection monitoring is incorrect because monitoring is essential for security verification.
- B. Authentication context is incorrect because, while important, it is separate from token protection.
- D. Microsoft Authenticator is incorrect because it is a specific authentication app, not a core token protection optimization.
SC-300 practice exam FAQ
How many questions are in the SC-300 practice exam on CertGrid?
CertGrid has 601 practice questions for SC-300: Microsoft Identity and Access Administrator, covering 4 exam domains. The real SC-300 exam has about 50 questions.
What is the passing score for SC-300?
The SC-300 exam passing score is 700, and you have about 120 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.
Are these official SC-300 exam questions?
No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of SC-300: Microsoft Identity and Access Administrator, with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.
Can I practice SC-300 for free?
Yes. You can start practicing SC-300: Microsoft Identity and Access Administrator for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.