| Exam Code: | SC-300 |
| Exam Name: | Microsoft Identity and Access Administrator |
| Certification Provider: | Microsoft |
| Free Question Number: | 89 |
| Version: | v2023-09-09 |
| # of views: | 616 |
| # of Questions views: | 10693 |

Recent Comments (The most recent comments are at the top.)
No.# Correct.
Box1: An access package POLICY in Identity Governance
Access Package Policy specifies the policy by which subjects may request or be assigned an access package via an access package assignment.
While Access Package Assignment is an assignment of an access package to a particular subject for a period of time.
Box2: The external Collaboration settings in Azure AD
Portal > Azure AD > External Identities > External collaboration settings > Collaboration restrictions > Deny invitation to specified domains
Source: https://learn.microsoft.com/en-us/graph/api/resources/entitlementmanagement-overview?view=graph-rest-1.0
No.# “license allocation for new users MUST be assigned automatically based on the location of the user”
That implies more than ONE dynamic group and the answer "a Dynamic User security group" doesn't meet that requirement. Multiple dynamic groups would.
"The helpdesk administrators must be able to manage licenses for ONLY the users in their respective office".
An AU meets that requirement, then you could now create multiple dynamic groups to support the first license requirement.
No.# server 4
The standalone Authentication Agents can be installed on any Windows Server 2016 or later, with TLS 1.2 enabled. The server needs to be on the same Active Directory forest as the users whose passwords you need to validate.
No.# To configure security defaults in your directory, you must be assigned at least the Security Administrator role. By default the first account in any directory is assigned a higher privileged role known as Global Administrator.
Organizations that choose to implement Conditional Access policies that replace security defaults must disable security defaults. (Implies that Conditional Access policies conflict with security defaults)
No.# Box 1: 500 license for their core internal users.
GUESTS < 50K = free, ID Governance Free while the ID Governance feature is in preview for External ID
Box 2: 1
GUESTS < 50K = free, ID Governance Free while the ID Governance feature is in preview for External ID
https://learn.microsoft.com/en-us/entra/external-id/customers/faq-customers#how-is-external-id-licensed
No.# Explanation:
The following authentication methods are available for SSPR (self-service password reset)
- App notification
- Mobile app code
- Email
- Mobile phone
- Office phone (available only for tenants with paid subscriptions)
- Security questions
No.# When administrators require one method be used to reset a password, verification code is the only option available.
When administrators require two methods be used to reset a password, users are able to use notification OR verification code in addition to any other enabled methods.
https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-howitworks
No.# Should it be AB instead of BE?
To require justification, the assignment needs to be Eligible instead of Active.
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
No.# No, No, Yes
Admin1 has permissions only on the Department1 administrative unit.
User3 and User4 are not assigned to Department1, so Admin1 has no permissions to reset passwords.
Group3 is not assigned to Department1.
Admin3 has permissions for the entire Directory.
No.# Location: Azure AD
Role: Global Administrator
Explanation: A break-glass account is a highly privileged account meant to be used in emergency situations where normal administration cannot be performed. As such, it should be created directly in Azure AD so it's not dependent on the on-premises AD DS domain. The Global Administrator role will provide the broadest level of permissions to address potential emergency issues. Remember, such accounts should be protected with strong, complex passwords, ideally stored securely off-line, and should only be used for temporary and emergency purposes.
No.# To control access to Microsoft 365 resources by using conditional access policies, you should first disable Security defaults. This is because Security defaults are a set of basic identity and access management features that are automatically enabled for new tenants. They are not compatible with conditional access policies.
After disabling Security defaults, you can then configure conditional access policies to control access to Microsoft 365 resources.
No.# Yup, App Registration by any Users is enabled by default on a new directory. Question itself states default app registration, which means user in that directory including guest users can register applications. Answer is correct!
No.# Went to my tenant, tried creating an access package under resource roles with a Teams and SharePoint site, and it is saying "No groups in Default catalog". However, there is a checkbox which allows all groups and teams NOT in the default catalog to show up, so technically I CAN create an access package without creating a catalog first, but this is MS and the question says "First", so I pick D, Create a catalog.
No.# user2 uses app2, which is the only app with readWrite
No.# The correct answer is B. 30 days.
Azure AD P1 tenants store sign-in logs for 30 days. After 30 days, the logs are deleted.
If you need to store sign-in logs for longer than 30 days, you can export them to an Azure Storage account or use Azure Monitor to archive them.
No.# 8 hours
Global administrators and privileged role administrators
Note: If no specific approvers are selected, privileged role administrators/global administrators will become the default approvers.
No.# It is User 3 because the Reviewers are obviously 'self', meaning that the users can review their own role-based assignments.
No.# B is indeed the correct answer.
NPS (Network Policy and Access Service) is like a middle man between the VPN client and Azure MFA. The NPS role is installed on a domain-joined server or the domain controller and is configured to authenticate and authorize RADIUS requests from the VPN client.
The VPN should be configured to use RADIUS authentication and point to the NPS server.
The MFA NPS extension is installed anywhere but the VPN server. When a user/VPN client attempts to authenticate, it sends a RADIUS request to the NPS server through the VPN which performs the primary authentication and then triggers the NPS Extension for secondary authentication.
No.# The answer is simple. Answer is correct. Why? Because nested groups do not inherit licenses.