Exam Code: SC-300
Exam Name: Microsoft Identity and Access Administrator
Certification Provider: Microsoft
Free Question Number: 100
Version: v2024-06-17
Number of views: 401
Number of question views: 8573
Recent Comments (The most recent comments are at the top.)
No.# I have tried as well and could add all the groups. The answer is B. We don't have much information so it is difficult...
No.# Just sharing my thoughts.
1. NO - Only direct members will have access. Approved users will be added to Group 1.
2. Yes - The approver will automatically become owner of the Group 1 after self service is configured.
3. NO - Visible to users is NO. So no one will be able to see the app.
No.# You cannot manage the following classic subscription administrator roles in Privileged Identity Management:
Account Administrator
Service Administrator
Co-Administrator
No.# From the Azure Active Directory admin center, create a Conditional Access policy.
No.# App1 - Service principal (Enterprise app) https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser
App2 - UAMI https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identity-best-practice-recommendations
No.# Option to edit job title appears greyed out for on-premises synced users; usage location can be modified.
I would go for the following answers:
1. User2 and User3 only
2. User1, User2 and User3
No.# D. Configure a Conditional Access policy to use Conditional Access App Control.
No.# B. Billing Administrator
No.# A. FIDO2 security keys can only be added in Manage mode. Question says "You enable combined registration in interrupt mode."
B. Hardware token – You cannot register with hardware token.
C. Email is supported.
D. Windows Hello for Business is not supported.
E. Microsoft Authenticator app is supported.
No.# The correct action to replace all permissions granted to User1 with read-only permissions using Microsoft Entra Permissions Management is:
C. From the Permissions subtab, use a quick action.
Using a quick action allows you to efficiently adjust the permissions with minimal administrative effort. You can revoke current permissions and assign read-only access using predefined roles, making it the simplest method for this scenario.
No.# Sign in to the server running Microsoft Entra Connect Sync using an account that is a member of the ADSyncAdmins security group.
Launch the Synchronization Rules Editor from the Start menu.
In the editor, create an inbound synchronization rule to filter out (not synchronize) all users where extensionAttribute15 has the value NoSync.
Apply the necessary filter conditions to exclude these users during synchronization.
No.# It’s a new Azure tenant, so security defaults are enabled. With security defaults, Microsoft Authenticator is the default authentication method.
No.# D. the Set-MsolUserLicense cmdlet
OR the Licenses blade in the Azure Active Directory admin center
No.# MFA for sign-in risk, SSPR for user risk
No.# Device1 is not Azure AD joined and its name starts with “Device”, so it’s affected by CAPolicy1 which blocks access for Group1 members.
So, User1 cannot access Site1 from Device1. The answer is No.
Device2 is Azure AD joined and its name starts with “Device”, so it’s affected by CAPolicy1. However, User2 is not a member of Group1, so CAPolicy1 doesn’t apply.
User2 is a member of Group2, and CAPolicy2 applies to Group2. CAPolicy2 grants access with MFA, and User2 can successfully authenticate using MFA.
So, User2 can access Site1 from Device2. The answer is Yes.
Device3 is Azure AD registered and its name starts with “Device”, so it’s affected by CAPolicy1 which blocks access for Group1 members.
However, User3 is also a member of Group2, and CAPolicy2 applies to Group2. CAPolicy2 grants access with MFA, and User3 can successfully authenticate using MFA.
So, User3 can access Site1 from Device3. The answer is Yes.
No.# When you set the assignment type to "Eligible," it means that users will not have permanent access to the role but will be eligible for it. They will need to activate the role when required, and it won't be active by default. This approach allows you to enforce just-in-time access, meaning that users will only have access to the Security administrator role when they request and activate it through PIM. Once their role activation period ends, they will lose access to the role automatically.
No.# You can create an access review for Security and Microsoft 365 groups, but dynamic device groups are not eligible for access reviews.
Evaluation of Groups:
Group1 (Security, Assigned): Eligible.
Group2 (Security, Dynamic User): Eligible.
Group3 (Security, Dynamic Device): Not eligible (device groups can't have access reviews).
Group4 (Microsoft 365, Assigned): Eligible.
Group5 (Microsoft 365, Dynamic User): Eligible.
Correct answer:
D. Group1, Group2, Group4, and Group5 only.
No.# User 3 and 4 not affected
https://learn.microsoft.com/en-us/microsoft-365/solutions/groups-naming-policy?view=o365-worldwide#admin-override
Some administrators are exempted from these policies, across all group workloads and endpoints, so that they can create groups with these blocked words and with their desired naming conventions. The following is the list of administrator roles exempted from the group naming policy.
Global admin
Partner Tier 1 Support
Partner Tier 2 Support
User account admin
No.# The entitlement management settings page is where you configure the settings for managing access to resources in your Azure AD tenant. This includes settings for external users, such as whether to allow them to sign in and how long to keep their accounts active after their access is no longer required.
No.# Correct answer C. I tested all 3 in my lab and they were all blocked.