Exam Code: SC-300
Exam Name: Microsoft Identity and Access Administrator
Certification Provider: Microsoft
Free Question Number: 108
Version: v2024-03-18
Recent Comments (The most recent comments are at the top.)
No.# In the M365 admin center, only users can be added to the mail-enabled security group.
You can only add licensed users to the group; unlicensed users won't even show up on the member select page.
No.# AzureAD and Global Admin
https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access#how-to-create-an-emergency-access-account
No.# https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score#read-and-write-roles
With read and write access, you can make changes and directly interact with identity secure score.
* Global Administrator
* Security Administrator
* Exchange Administrator
* SharePoint Administrator
No.# 1. Publish App1.
2. Create a conditional access policy that has session controls configured.
3. From MCAS, modify the Connected apps settings.
4. From MCAS, create a session policy.
Reference - https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-blocking-data-downloads-via-microsoft-cloud-app/ba-p/326357
No.# The answer is User2 only. I just tested. You can't assign the users with no license. 100%
No.# I work on least privilege when it comes to roles. User Administrator has much more access than this user seems to need. I would assign both the Help Desk Administrator role and the License Administrator role to the user. This allows them to do exactly what they need to and nothing more.
No.# C
To configure security defaults in your directory, you must be assigned at least the Security Administrator role. By default the first account in any directory is assigned a higher privileged role known as Global Administrator.
Organizations that choose to implement Conditional Access policies that replace security defaults must disable security defaults. (This implies that Conditional Access policies conflict with security defaults.)
No.# Just sharing my thoughts.
1. NO - Only direct members will have access. Approved users will be added to Group 1.
2. Yes - The approver will automatically become owner of the Group 1 after self service is configured.
3. NO - Visible to users is NO. So no one will be able to see the app.
No.# The correct answer is B. OAuth app policy.
An OAuth app policy is a type of policy that allows you to control the permissions and access of third-party apps that use OAuth to connect to your cloud apps, such as Microsoft 365, Google Workspace, and Salesforce. You can create an OAuth app policy based on various criteria, such as the app name, the permission level, the number of users who authorized the app, and the group memberships of those users. You can also set an alert action for the policy, which will notify you when an app meets the conditions you specified. For example, you can create an OAuth app policy that will alert you when there are apps that require a high permission level and are authorized by more than 20 users.
No.# RBAC : Virtual Machine User Login
RBAC : VM Contributor
No.# The selected reviewers can act on (review, block, deny) new admin consent requests. All users can block and deny admin consent requests, but only users with the Global, Application, or Cloud application administrator role can grant admin consent.
No.# The current answer Y, Y, N is correct.
Box 1: Yes, because User1 has not yet accepted the terms on Device1.
Box 2: Yes, because User1 has not yet accepted the terms on Device2. User1 will be prompted to register the device before the terms can be accepted.
Box 3: No, because User1 has already accepted the terms on Device3. The terms do not expire until December 10 and then monthly after that.
No.# To meet the requirements for creating the custom roles, you need to assign the following resource provider permissions:
Role1: Create or delete instances of Azure Container Apps
Microsoft.App: This resource provider includes the necessary permissions to manage Azure Container Apps.
Role2: Enforce adaptive network hardening rules
Microsoft.Security: This resource provider includes the necessary permissions to manage and enforce adaptive network hardening rules.
No.# From the Azure Active Directory admin center, create a Conditional Access policy.
No.# Service1 supports OAuth for authentication and authorization; however, Service1 is published in the Azure AD gallery, hence we will use an enterprise application in the Azure AD blade to register for SSO.
For the second point, we can use a Conditional Access policy to restrict.
No.# To ensure that users can only provide consent to apps that require low impact permissions, you should configure permission classifications in your Azure AD tenant.
Configuring permission classifications allows you to classify the permissions requested by apps into different impact levels, such as low, medium, or high. By assigning the appropriate impact level to each permission, you can control which apps users are allowed to consent to based on the impact level of the requested permissions.
No.# To ensure that only users who accept the terms of use can access the resources in your Microsoft 365 tenant, you should configure a conditional access policy in Azure AD.
A conditional access policy allows you to define specific conditions and requirements for user access to resources based on various factors such as user location, device, and user actions. By configuring a conditional access policy, you can enforce the acceptance of terms of use as a prerequisite for accessing resources in your Microsoft 365 tenant.
No.# This is what I think:
1 - No. Although 10.10.0.0/16 is a named trusted location, it's a private IP range and won't function correctly, so user 1 won't match the condition of CA policy 1. In addition, user 1 has per-user MFA disabled, so it won't be prompted for MFA.
2 - Yes. User2's source IP is 10.10.1.160, the public IP of which is in the range of 20.93.15.0/24, which isn't a trusted MFA range. Besides, User2 is a per-user MFA-enforced user. Therefore, User2 will be prompted for MFA.
3 - No. The public IP address of 192.168.1.20 is in the space of 193.17.17.0/24, which is an MFA-trusted IP range. Although user2 is a per-user MFA-enforced user, it won't be prompted for MFA.
No.# User 3 is a User Admin. So,
Box 1: 2
Why: By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is enforced.
Box 2: Email, phone and Microsoft Authenticator only
Email, Phone, MFA selection can be chosen except Security Questions. Admins can't use it for SSPR.
Why: The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number, and it prohibits security questions.
A two-gate policy applies in the following circumstances:
.....
Security administrator
Service support administrator
SharePoint administrator
Skype for Business administrator
User administrator
Source: https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences
No.# Create and manage access reviews for Access package
Global administrator
Identity Governance administrator
Catalog owner (for the access package)
Access package manager (for the access package)