SC-300: Microsoft Identity and Access Administrator Study Guide
SC-300 (Microsoft Identity and Access Administrator) validates your ability to design and operate identity and access in Microsoft Entra ID, covering identity provisioning, authentication, application access, and identity governance. It targets identity administrators, security engineers, and IT professionals who manage Entra ID tenants, Conditional Access, and privileged access. The exam is 120 minutes, scored 1000 with 700 to pass, and draws from roughly 644 question scenarios.
Domain 1: Implement Identities in Microsoft Entra ID
- A UPN suffix used for cloud sign-in must be a verified, internet-routable domain; non-routable suffixes such as contoso.local cannot be used, so add an alternate routable UPN suffix in Active Directory Domains and Trusts, update users, then resync.
- Entra Connect has three sign-in options: Password Hash Synchronization (PHS), Pass-through Authentication (PTA), and Federation with AD FS; Seamless SSO can be layered on PHS or PTA but not on federation.
- PHS stores a hash-of-a-hash of the on-prem password in Entra ID and is the recommended default; it also enables leaked-credential detection in Identity Protection.
- Federation with AD FS keeps credential validation entirely on-premises (no password material in the cloud) and returns only a token; PHS can be enabled alongside AD FS as a backup authentication method and for disaster recovery.
- When an on-prem account disable is not reflected in the cloud, first confirm the sync scheduler is running and the last delta cycle succeeded (default cycle is every 30 minutes): on the Entra Connect server check Get-ADSyncScheduler, look in the Synchronization Service Manager for export errors, and force a cycle with Start-ADSyncSyncCycle -PolicyType Delta; also confirm the object is actually in sync scope (OU and attribute filtering).
- Microsoft Entra Cloud Sync uses a lightweight provisioning agent and supports multiple disconnected AD forests; a single classic Entra Connect server can also use multiple AD connectors to sync multiple forests.
- Accidental delete prevention (the export deletion threshold, default 500 objects) stops an export that would delete more objects than the threshold, protecting against mass deletions such as an OU moved out of scope; review the pending deletions and, only if they are intended, lift the block once with Disable-ADSyncExportDeletionThreshold and re-enable it afterwards with Enable-ADSyncExportDeletionThreshold.
- Administrative units (AUs) scope directory roles to a subset of users; e.g., assigning Helpdesk Administrator scoped to a regional AU lets a local admin reset only that region's passwords with no tenant-wide authority.
- Only administrators scoped to an administrative unit (or tenant-level role holders) can modify its members; AU membership can be assigned manually or dynamically via membership rules.
- Dynamic membership groups use rules such as (user.department -eq "Finance"); dynamic membership requires Microsoft Entra ID P1. A group's membership type can be switched between Assigned and Dynamic after creation (Properties > Membership type, or Update-MgGroup), but converting a static group to dynamic discards its current members and replaces them with the rule's result, so build and validate the rule first; the group type itself (Security vs Microsoft 365) is what cannot be changed.
- Custom security attributes are defined and managed in the Microsoft Entra admin center and require the Attribute Definition Administrator / Attribute Assignment Administrator roles; they support attribute-based access control and filtering.
- Break-glass (emergency access) accounts should be at least two cloud-only Global Administrator accounts excluded from all Conditional Access policies, using long complex passwords stored securely, with sign-in alerts monitored.
- Cross-tenant access settings control inbound and outbound B2B collaboration and B2B direct connect per partner organization; enabling B2B direct connect for a partner, with inbound trust settings that accept the partner's MFA and device-compliance claims, lets partner users join shared Teams channels without a guest object in your tenant. External collaboration settings are separate: they govern who may invite guests and which domains can be invited for classic B2B collaboration.
- Microsoft Intune Mobile Application Management (MAM) without enrollment protects corporate data inside specific apps on personal (BYOD) devices without enrolling the whole device.
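The UPN-suffix remediation described in the first bullet, as an added example rather than text from the original guide: it registers a routable suffix at forest level, rewrites every affected user, and triggers a delta sync. The forest name contoso.local, the verified domain contoso.com, and the OU path are assumptions; run it with the ActiveDirectory module as a Domain Admin, and the last step on the Entra Connect server.

```powershell
# Added example: fix non-routable UPN suffixes before syncing to Entra ID.
# Assumptions: forest root contoso.local, verified Entra domain contoso.com,
# users under OU=Staff,DC=contoso,DC=local.
Import-Module ActiveDirectory

$oldSuffix  = 'contoso.local'
$newSuffix  = 'contoso.com'    # must be verified in Entra ID and internet-routable
$searchBase = 'OU=Staff,DC=contoso,DC=local'

# 1. Register the routable suffix at forest level (same as Domains and Trusts UI).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $newSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $newSuffix }
}

# 2. Find every user still carrying the non-routable suffix.
$users = @(Get-ADUser -Filter "UserPrincipalName -like '*@$oldSuffix'" `
                      -SearchBase $searchBase -Properties UserPrincipalName)

# 3. Rewrite the UPN, keeping the prefix. Add -WhatIf on a production forest first.
foreach ($u in $users) {
    $prefix = ($u.UserPrincipalName -split '@')[0]
    $newUpn = "$prefix@$newSuffix"
    Set-ADUser -Identity $u -UserPrincipalName $newUpn
    Write-Host "$($u.SamAccountName): $($u.UserPrincipalName) -> $newUpn"
}

# 4. Confirm nothing is left behind.
$remaining = @(Get-ADUser -Filter "UserPrincipalName -like '*@$oldSuffix'" -SearchBase $searchBase).Count
Write-Host "Users still on ${oldSuffix}: $remaining"

# 5. On the Entra Connect server, push the change rather than waiting for the 30-minute cycle:
# Import-Module ADSync
# Start-ADSyncSyncCycle -PolicyType Delta
```

Users whose UPN still ends in the non-routable suffix would otherwise sync with the tenant's default onmicrosoft.com suffix, which is why the check in step 4 should report zero before the sync runs.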
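One scenario tying together the administrative-unit and dynamic-membership bullets above, written as an added example with the Microsoft Graph PowerShell SDK (not code from the original guide): a dynamic group and a dynamic administrative unit selected by the same rule, and a Helpdesk Administrator assignment scoped to that AU only. The rule on user.country, the group and AU names, and the delegate helpdesk-de@contoso.com are assumptions; the tenant needs Entra ID P1 for dynamic membership.

```powershell
# Added example: regional scoping with a dynamic group, a dynamic administrative
# unit and an AU-scoped Helpdesk Administrator. Names and the rule are assumptions.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'AdministrativeUnit.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'

$rule = '(user.country -eq "DE") and (user.accountEnabled -eq true)'

# 1. Dynamic security group: membership is computed from the rule, never assigned by hand.
$group = New-MgGroup -DisplayName 'Staff-DE' -MailNickname 'staff-de' `
    -MailEnabled:$false -SecurityEnabled `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

# An existing static group can be switched to dynamic later; its current members are
# dropped and replaced by whatever the rule selects, so validate the rule first:
# Update-MgGroup -GroupId $existingGroupId -GroupTypes @('DynamicMembership') `
#     -MembershipRule $rule -MembershipRuleProcessingState 'On'

# 2. Administrative unit with the same dynamic rule, so the admin scope tracks HR data.
$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                   = 'AU-DE'
    membershipType                = 'Dynamic'
    membershipRule                = $rule
    membershipRuleProcessingState = 'On'
}

# 3. Helpdesk Administrator scoped to the AU: directoryScopeId is the AU, not '/'.
$helpdesk = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
$delegate = Get-MgUser -UserId 'helpdesk-de@contoso.com'

New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
    principalId      = $delegate.Id
    roleDefinitionId = $helpdesk.Id
    directoryScopeId = "/administrativeUnits/$($au.Id)"
} | Select-Object Id, DirectoryScopeId

# 4. Verify the delegate holds no tenant-wide ('/') assignment for this role.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($delegate.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

The check in step 4 is the one to repeat after any role change: a second assignment with DirectoryScopeId '/' would silently give the delegate tenant-wide password-reset rights regardless of the AU scoping.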
Domain 2: Implement Authentication and Access Management
- Conditional Access policies combine assignments (users, target resources, conditions) with access controls (grant/session); a policy with no matching condition simply does not apply and imposes no requirement.
- Authentication strength is a grant control that requires a specific credential class; the built-in Phishing-resistant MFA strength allows only FIDO2 security keys and device-bound passkeys, Windows Hello for Business, and certificate-based authentication configured as multifactor, so a user whose only registered method is an Authenticator push prompt fails the policy until they register one of those.
- Sign-in frequency is a session control; pairing a named location with a longer sign-in frequency (e.g., 12 hours) reduces MFA-fatigue prompts on trusted shared kiosks.
- Conditional Access conditions include sign-in risk and user risk (Identity Protection), device platform, client apps, locations, and risk-based controls; risk policies require Entra ID P2.
- To block legacy authentication, target client apps = Exchange ActiveSync clients and Other clients with Grant = Block access, because legacy protocols cannot perform modern MFA.
- Self-Service Password Reset (SSPR): enable for the target scope, set 'number of methods required to reset' (1 or 2), and offer multiple available methods; office phone is only selectable as an SSPR method when populated and enabled by admin.
- Identity Protection user risk can be remediated by a secure password change after MFA; an admin can also dismiss user risk in the portal to reset the risk level.
- To exempt specific users (frequent travelers, an executive) from a policy, add them to an exclusion group referenced in the policy rather than disabling the policy entirely; always keep break-glass accounts excluded.
- Protecting the Microsoft Azure Management cloud app with a policy requiring MFA secures access to the Azure portal, Azure CLI, PowerShell, and ARM.
- Windows Hello for Business hybrid certificate trust requires an on-premises PKI with a certificate enrollment policy issuing WHfB certificates and an AD FS deployment; cloud Kerberos trust is the simpler modern alternative that needs neither per-device certificates nor AD FS, only an Entra Kerberos server object in the domain.
- Temporary Access Pass (TAP) is a time-limited passcode configurable as single-use or multi-use, used to bootstrap passwordless methods or recover access when a user has no other method.
- Entra ID data residency is set at the tenant level by the geography chosen at tenant creation and cannot be changed per user; meeting an EU data-location requirement means provisioning a separate tenant in the Europe geography.
- Microsoft Entra Password Protection's custom banned-password list applies in the cloud by default; to enforce it against on-premises AD password changes you deploy the Password Protection proxy and DC agents on-premises.
- To force registration of security info or MFA, target the user action 'Register security information' in Conditional Access with appropriate conditions; per-policy controls can also require a compliant device for sensitive groups like Finance.
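The Conditional Access mechanics in this domain (assignments plus controls, legacy-auth block, authentication strength, sign-in frequency, break-glass exclusion) as one added example with the Microsoft Graph PowerShell SDK, not code from the original guide. The group names BreakGlass and PrivilegedUsers are assumptions; the two GUIDs are Microsoft's well-known ids for the Microsoft Azure Management app and the built-in Phishing-resistant MFA strength. Both policies are created in report-only mode so their impact can be reviewed in sign-in logs before enforcement.

```powershell
# Added example: two Conditional Access policies created in report-only mode,
# both excluding the break-glass group. Group names are assumptions.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

$breakGlass = (Get-MgGroup -Filter "displayName eq 'BreakGlass'").Id
$admins     = (Get-MgGroup -Filter "displayName eq 'PrivilegedUsers'").Id

# Well-known ids: Microsoft Azure Management (portal, CLI, PowerShell, ARM) and
# the built-in 'Phishing-resistant MFA' authentication strength.
$azureMgmtAppId = '797f4846-ba00-4fd7-ba43-dac1f8f63013'
$phishResistant = '00000000-0000-0000-0000-000000000004'

# Policy 1: block legacy auth. clientAppTypes is the only narrowing condition; a
# modern-auth sign-in matches no condition here, so this policy imposes nothing on it.
$blockLegacy = @{
    displayName = 'CA001 - Block legacy authentication'
    state       = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: phishing-resistant MFA for admins on Azure management, with a 12-hour
# sign-in frequency so the prompt is not repeated every session.
$adminStrength = @{
    displayName = 'CA002 - Phishing-resistant MFA for Azure management'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($admins); excludeGroups = @($breakGlass) }
        applications   = @{ includeApplications = @($azureMgmtAppId) }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{
        operator               = 'OR'
        builtInControls        = @()
        authenticationStrength = @{ id = $phishResistant }
    }
    sessionControls = @{
        signInFrequency = @{ value = 12; type = 'hours'; frequencyInterval = 'timeBased'; isEnabled = $true }
    }
}

foreach ($p in $blockLegacy, $adminStrength) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "$($created.DisplayName) -> $($created.State) ($($created.Id))"
}

# Guardrail: list every enforced policy that does not exclude the break-glass group.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -eq 'enabled' -and $_.Conditions.Users.ExcludeGroups -notcontains $breakGlass } |
    Select-Object DisplayName, Id
```

The final query is worth running on a schedule: a policy that locks out the break-glass accounts is exactly the policy you will need those accounts to undo.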
Domain 3: Implement Access Management for Applications
- An app registration is the global, single definition of an application (object lives in the home tenant); a service principal is the per-tenant local instance created when the app is added or consented to in a tenant.
- Delegated permissions act on behalf of a signed-in user and are limited to that user's rights; application permissions (app-only) operate at tenant scope and always require admin consent.
- Low-impact delegated permissions such as User.Read can be self-consented by users; higher-impact permissions like Mail.Send typically require admin consent under tenant consent policy.
- A daemon or background service with no signed-in user uses the OAuth 2.0 client credentials flow with application permissions (e.g., Calendars.Read) and authenticates with a client secret or, preferably, a client certificate.
- Certificate credentials are more secure than client secrets because the private key never leaves the client and is not transmitted; secrets and certificates are managed under App registration > Certificates & secrets.
- Microsoft Entra modern auth protocols are OpenID Connect and OAuth 2.0 (OIDC for authentication/identity, OAuth 2.0 for authorization/access tokens).
- Microsoft Entra Application Proxy publishes internal web apps externally with no inbound firewall ports; the on-prem connector makes only outbound connections and Entra ID performs pre-authentication.
- Application Proxy SSO to a Kerberos/IWA app uses Kerberos Constrained Delegation (KCD) so the connector obtains a Kerberos ticket on the user's behalf for the back-end application.
- To control who can access an enterprise application, set 'Assignment required?' to Yes and assign specific users or groups; otherwise all users in the tenant can access it.
- Admin consent is granted in Enterprise applications > Permissions ('Grant admin consent for <tenant>'); the grant is stored as an oauth2PermissionGrant (delegated) or an app role assignment on the service principal (application), and revoking it means removing that grant there (Review permissions) or deleting it through Microsoft Graph.
- Restricting user consent (consent policy) commonly allows users to consent only to low-impact permissions from verified-publisher apps, routing everything else to an admin consent workflow.
- SAML SSO validates the assertion signature with Entra ID's token-signing certificate; when that certificate rotates, update the app by downloading the new Federation Metadata XML (or providing the new metadata URL / signing certificate).
- Microsoft Entra External ID in an external tenant is Microsoft's customer identity (CIAM) service and the successor to Azure AD B2C (a separate product, not a rename); it handles customer-facing sign-up with user flows, branding, and external identity providers such as Google and Facebook, keeping consumer identities out of the workforce tenant.
- To expose a custom API, define OAuth 2.0 scopes (delegated permissions) under 'Expose an API'; optional claims and access-token configuration are set in the app registration's Token configuration / manifest.
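The daemon scenario from this domain end to end, as an added example with the Microsoft Graph PowerShell SDK (not code from the original guide): an app registration with a certificate credential, its service principal, programmatic admin consent for an application permission, and a client-credentials sign-in with no user. The app name calendar-daemon, the placeholder tenant id and target-user@contoso.com are assumptions; New-SelfSignedCertificate requires Windows.

```powershell
# Added example: daemon app with a certificate credential and app-only Calendars.Read.
# Assumptions: Windows (PKI module), tenant id in $tenantId, target mailbox below.
$tenantId = '<your-tenant-id>'
Connect-MgGraph -TenantId $tenantId -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'

$graphAppId = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph resource app id

# 1. Resolve the application permission id from the SDK instead of hard-coding a GUID.
$calendarsRead = Find-MgGraphPermission -SearchString 'Calendars.Read' -PermissionType Application -ExactMatch
$graphSp       = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

# 2. Certificate: the private key is created non-exportable in the local store;
#    only the public certificate is uploaded to Entra ID.
$cert = New-SelfSignedCertificate -Subject 'CN=calendar-daemon' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyExportPolicy NonExportable `
    -KeySpec Signature -KeyAlgorithm RSA -KeyLength 2048 -NotAfter (Get-Date).AddYears(1)

# 3. App registration (the global object) requesting Calendars.Read as type 'Role',
#    i.e. an application permission, with the certificate as its only credential.
$app = New-MgApplication -DisplayName 'calendar-daemon' -SignInAudience 'AzureADMyOrg' `
    -RequiredResourceAccess @(@{
        resourceAppId  = $graphAppId
        resourceAccess = @(@{ id = $calendarsRead.Id; type = 'Role' })
    }) `
    -KeyCredentials @(@{
        type        = 'AsymmetricX509Cert'
        usage       = 'Verify'
        key         = $cert.RawData
        displayName = 'calendar-daemon cert'
    })

# 4. Service principal (the per-tenant instance). Admin consent for an application
#    permission is an app role assignment from this SP to Graph's SP; the portal
#    equivalent is Enterprise applications > Permissions > Grant admin consent.
$sp = New-MgServicePrincipal -AppId $app.AppId -AppRoleAssignmentRequired:$true
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
    -PrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $calendarsRead.Id | Out-Null

# 5. Client credentials flow as the daemon: no user, no secret; the certificate
#    signs the client assertion and the private key never leaves this machine.
Disconnect-MgGraph
Connect-MgGraph -TenantId $tenantId -ClientId $app.AppId -CertificateThumbprint $cert.Thumbprint
Get-MgUserCalendar -UserId 'target-user@contoso.com' | Select-Object Name
```

Step 5 is also the test that the consent in step 4 actually landed: without the app role assignment the token is issued but carries no roles claim, and the calendar call fails with a 403.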
Domain 4: Plan and Implement Identity Governance
- Entitlement management bundles resources (groups, Teams, SharePoint sites, apps) into an access package; users request it from a self-service catalog, governed by assignment policies, approval workflows, and expiration.
- An access-package assignment policy with a fixed expiration (e.g., 6 months) automatically removes all of the package's access when the term ends; managed under Identity Governance > Entitlement management > Catalogs > Access packages.
- Connected organizations define external Entra/partner directories whose users are allowed to request access packages, enabling governed B2B collaboration.
- Access reviews recertify membership or access on a schedule (e.g., quarterly or a 90-day recurrence); choose reviewers such as group owners, managers, or self-review, enable auto-apply of results, and set the default decision for non-responders to Deny so that access is removed both when reviewers decline and when nobody responds (auto-apply alone does nothing about unanswered reviews).
- For guest governance, combine a recurring access review of inactive guests (auto-remove) with a terms of use policy enforced via a Conditional Access grant control requiring ToU acceptance for the target app.
- Privileged Identity Management (PIM) makes roles eligible rather than permanently assigned; users activate just-in-time, and PIM requires Entra ID P2.
- PIM role settings govern activation behavior: maximum activation duration (e.g., 2 hours), require approval and named approvers, require justification, and require MFA on activation; eligible assignment duration (e.g., 6 months) is also set here.
- PIM applies to both Entra ID directory roles and Azure resource roles, each with their own role settings for maximum activation duration and approval.
- The Conditional Access Administrator role lets a security team member create and manage Conditional Access policies without holding Global Administrator.
- HR-driven provisioning uses Microsoft Entra inbound provisioning from Workday (or SuccessFactors) with attribute mappings and scoping filters to create, update, and disable accounts from the system of record.
- Lifecycle Workflows automate joiner, mover, and leaver tasks (such as generating a Temporary Access Pass for a new hire or disabling/removing accounts on departure) on schedule or triggered by attribute changes.
- A Temporary Access Pass can be generated as part of onboarding so a new employee can register passwordless credentials before their first sign-in.
- Access package roles include catalog owner and access package manager, which delegate who can build and manage packages within a catalog without tenant-wide admin rights.
- Auto-apply (auto-remove) on access reviews and the access-package expiration are the two governance mechanisms that automatically revoke access without manual intervention when access is no longer justified.
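The guest-governance pattern above (recurring review, auto-apply, remove on no response) as an added example with the Microsoft Graph PowerShell SDK, not code from the original guide. The group name Project-Falcon is an assumption; its owners act as reviewers and the scope query selects only guest members.

```powershell
# Added example: quarterly access review of guests in a group, auto-applied, with
# non-response treated as Deny. The group name is an assumption.
Connect-MgGraph -Scopes 'AccessReview.ReadWrite.All', 'Group.Read.All'

$group = Get-MgGroup -Filter "displayName eq 'Project-Falcon'"

$review = @{
    displayName          = 'Quarterly guest review - Project Falcon'
    descriptionForAdmins = 'Recertify guest members; no response removes access.'
    scope = @{
        '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
        # Backticks keep $count/$filter literal inside the double-quoted string.
        query         = "/groups/$($group.Id)/transitiveMembers/microsoft.graph.user/?`$count=true&`$filter=(userType eq 'Guest')"
        queryType     = 'MicrosoftGraph'
    }
    reviewers = @(
        @{ query = "/groups/$($group.Id)/owners"; queryType = 'MicrosoftGraph' }
    )
    settings = @{
        instanceDurationInDays          = 14
        autoApplyDecisionsEnabled       = $true    # results applied without an admin clicking Apply
        defaultDecisionEnabled          = $true
        defaultDecision                 = 'Deny'   # reviewers silent = guest removed
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true    # flags guests with no recent sign-in
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        recurrence = @{
            pattern = @{ type = 'absoluteMonthly'; interval = 3 }
            range   = @{ type = 'noEnd'; startDate = (Get-Date).ToString('yyyy-MM-dd') }
        }
    }
}

$def = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $review
Write-Host "Created review $($def.Id), status $($def.Status)"

# Check: the first instance should exist with a 14-day window.
Get-MgIdentityGovernanceAccessReviewDefinitionInstance -AccessReviewScheduleDefinitionId $def.Id |
    Select-Object Id, StartDateTime, EndDateTime, Status
```

The two settings that make this self-enforcing are autoApplyDecisionsEnabled and defaultDecision = 'Deny' together; the terms-of-use half of the scenario is a separate Conditional Access grant control and is not part of the review definition.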
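The PIM lifecycle from the bullets above (eligible assignment with an expiry, then just-in-time activation bounded by the role's maximum duration) as an added example with the Microsoft Graph PowerShell SDK, not code from the original guide. The user alice@contoso.com and the justification text are assumptions; steps 1 and 2 run as a Privileged Role Administrator, step 3 as the eligible user, and the tenant needs Entra ID P2.

```powershell
# Added example: 180-day eligibility for Security Administrator, then a 2-hour
# self-activation. User and justifications are assumptions.
Connect-MgGraph -Scopes 'RoleEligibilitySchedule.ReadWrite.Directory', 'RoleAssignmentSchedule.ReadWrite.Directory'

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Administrator'"
$user = Get-MgUser -UserId 'alice@contoso.com'

# 1. Eligible (not active) assignment, tenant-wide scope '/', expiring after 180 days.
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = 'adminAssign'
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = '/'
    justification    = 'Security operations on-call rotation'
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = 'afterDuration'; duration = 'P180D' }
    }
} | Select-Object Id, Status

# 2. Confirm it is listed as an eligibility, not as an active assignment.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($user.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId, MemberType

# 3. As the eligible user: activate for 2 hours. Whether MFA, approval or a
#    justification is demanded comes from the role's PIM settings, not this request;
#    a duration above the configured maximum is rejected.
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = 'selfActivate'
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = '/'
    justification    = 'Investigating a security alert'
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = 'afterDuration'; duration = 'PT2H' }
    }
} | Select-Object Id, Status, CreatedDateTime
```

If approval is required by the role settings, step 3 returns a request in PendingApproval rather than Provisioned status, and the activation becomes effective only after a named approver acts on it.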
SC-300 exam tips
- Read each scenario for the explicit constraint that eliminates options - phrases like 'passwords must never be stored in the cloud' (forces federation over PHS) or 'no inbound firewall ports' (forces Application Proxy) are the deciding clue.
- Know the licensing tiers cold: Conditional Access and dynamic groups need Entra ID P1, while Identity Protection risk policies, PIM, access reviews, and entitlement management need Entra ID P2 (or Microsoft Entra ID Governance) - wrong-tier answers are common distractors.
- Distinguish app registration vs service principal, and delegated vs application permissions, before answering any app-access question; these two pairs underpin most Domain 3 items.
- For Conditional Access questions, evaluate assignments and conditions first - if no condition matches, the policy does not apply and requires nothing, which is frequently the correct trap answer.
- When two requirements appear in one scenario (e.g., recertify guests AND require ToU acceptance), expect a two-part answer using two distinct features rather than a single control.
Study guide FAQ
How is the SC-300 exam structured and scored?
It is roughly 120 minutes with multiple-choice, multi-select, case studies, and sometimes drag-and-drop or yes/no series. It is scored on a 1000-point scale with 700 required to pass, and questions are weighted across the four identity domains rather than counted equally.
Do I need hands-on Microsoft Entra ID experience to pass?
Yes. SC-300 is heavily scenario-based and assumes practical familiarity with the Microsoft Entra admin center - configuring Conditional Access, PIM, entitlement management, app registrations, and Entra Connect. Studying definitions alone is rarely enough; practice in a trial tenant is strongly recommended.
Which authentication method should I choose by default - PHS, PTA, or federation?
Microsoft recommends Password Hash Synchronization (PHS) for most organizations because it is simple, resilient, and enables leaked-credential detection. Choose Pass-through Authentication when on-prem password validation is required without storing hashes in the cloud, and federation (AD FS) only when an explicit requirement such as 'credentials must never leave on-premises' applies.
What is the difference between access reviews, PIM, and entitlement management?
Access reviews recertify existing access on a schedule (auto-removing it if not approved); PIM provides just-in-time, time-bound activation of privileged roles with approval and justification; entitlement management lets users request bundled resources (access packages) through a self-service catalog with approval and expiration. All three are Entra ID Governance / P2 features and are frequently combined in scenarios.