Exam Code: | SC-300 |
Exam Name: | Microsoft Identity and Access Administrator |
Certification Provider: | Microsoft |
Free Question Number: | 106 |
Version: | v2024-06-17 |
Recent Comments (The most recent comments are at the top.)
No.# B. Azure AD Connect cloud sync between the Azure AD tenant and litware.com
No.# I think this is the right answer!
To enable App Governance integration, follow these steps in the Microsoft Defender for Cloud Apps portal. You need to go to Settings > App governance and enable the feature. Once enabled, you'll be able to manage OAuth-enabled app permissions, detect risky behavior, and secure app access.
No.# N N N
User 1 No
The User Risk = Low. Then User risk policy blocked access.
User 2 No
The Sign-in Risk = Unknown. But it is Confirm Safe so we can ignore this.
The User risk = Medium. The user risk policy blocks access.
User 3 No
User 3 User Risk is dismissed, but anonymous IP address risk (this is Sign-in Risk) is still at High level. Hence the sign-in risk policy blocked the access.
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#nonpremium-sign-in-risk-detections...
No.# The correct answer is C. a client apps condition.
A client apps condition allows you to filter out legacy authentication attempts by specifying the client apps that users are allowed to use to sign in. To block legacy authentication, you can use a client apps condition to exclude all legacy authentication clients.
No.# Wrong answer.
Include: All Users
Exclude: Current User (Admin1 in this case)
Tested in lab.
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk-user
No.# YES
https://learn.microsoft.com/en-us/defender-cloud-apps/app-permission-policy
app selection
O365
Google Workspace
Salesforce
No.# B. OAuth app policy:
OAuth app policies in Microsoft Defender for Cloud Apps allow you to control and manage permissions and access granted to third-party cloud apps. You can define policies to monitor or block apps with specific permissions or behaviors. In this scenario, you want to monitor and set an alert condition for apps with high permissions and a certain level of user authorization. OAuth app policies are designed for this kind of control and monitoring.
No.# C. Select require justification on activation
E. Set all assignments to Eligible
No.# Correct answer.
Basically, some administrative roles, by design, can only use the strong, two-gate password reset policy, regardless of SSPR settings.
User Administrator and Password Administrator will always be forced to use two methods and cannot use security questions.
Security Reader and User will use whatever is set under SSPR, so security questions in this case.
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences
No.# There is not enough information in the question to provide a 100% correct answer. You can assign licences to any group created within the Azure AD portal. These can include security groups, Microsoft 365 groups, and either assigned or dynamic groups. You can even create a dynamic device security group and assign E5 licences to it, which doesn't make sense but is true (I've tested it).
However, the missing bit of information is whether the Microsoft 365 groups have the "SecurityEnabled" attribute set to True. Only M365 groups that have the "SecurityEnabled" attribute set to True can have licences assigned to them. If the group is created in the M365 Admin Centre, then the "SecurityEnabled" attribute is set to False and you can not assign licences to the group. But if the M365 group is created in the Azure AD portal, then the "SecurityEnabled" attribute is set to True and you can assign licences.
For the answer, I would make an assumption that because this is an Identity-related exam testing us on Azure AD topics, that the M365 groups were created in the Azure AD portal and therefore have the "SecurityEnabled" attribute set to True. Which means the correct answer is B - all groups...
No.# Turn on app governance
If your organization satisfies the prerequisites, go to Microsoft 365 Defender > Settings > Cloud Apps > App governance and select Use app governance
https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-get-started#turn-on-app-governance
No.# answer: 3-3-1
No.# For Azure AD Privileged Identity Management (PIM), you can assign eligible roles to Azure AD user accounts but not to Managed Identities, as they are used for service-to-service authentications and do not require interactive access rights like human users.
In the options provided:
- User1 and Guest1 are both types of user accounts (regular and guest, respectively), so they can be added as eligible in PIM.
- Identity1, being a Managed Identity, is not suitable for assignment in PIM.
Therefore, the correct answer is **B. User1 and Guest1 only**.
No.# IMO it's more of a tricky wording and manipulative question, but the answer is correct. In simple words:
1. is about OTP setting: which comes under "External Identities" > All identity providers, Select Email one-time passcode. Link: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/external-collaboration-settings-configure#configure-settings-in-the-portal
2. Question is about self service sign in setting: which comes under External Identities > External collaboration settings---Under Enable guest self-service sign up via user flows, select Yes. Link: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/external-collaboration-settings-configure#configure-settings-in-the-portal
Honestly, with more than 27 years in the field, I don't get why some vendors put such memory-specific questions rather than testing concepts and engineers' ability to find the required detail from the documentation.
No.# To implement the requirement of requiring admin approval for application access to organizational data, you should configure:
B. the User consent settings
Configuring the User consent settings allows you to control whether users can grant consent to applications themselves or if admin approval is required for application access. By setting the User consent settings to "Require admin approval," you ensure that users cannot grant consent to applications accessing organizational data without the approval of an administrator.
Options A, C, and D do not directly address the specific requirement of requiring admin approval for application access. Authentication methods, access packages, and application proxy are related to different aspects of identity and access management, but they do not directly pertain to user consent settings and approval requirements.
No.# Your answer is wrong with the tracked sign ins:
I tested this in my tenant with User1 & User2;
I tried to log in with all the passwords in the order that's described in the question.
Then I went to Portal.azure > AAD > Users > User 1 & User 2 > Sign-In Logs:
I got exactly 11 sign-in logs on both users. Every wrong or correct authentication is logged into Azure.
Final answers:
Tracked sign-in: 11
Unlock by: SSPR
No.# logic app and access package
No.# Tried this with all the suggested answers, and none of them can modify the review frequency of Package1. See explanation below.
Security Admin
- Cannot update Policy
Privileged role administrator
- Gets “No access” to Access Packages.
External Identity Provider administrator
- Gets “No access” to Access Packages.
User administrator
- Gets “No access” to Access Packages.
User administrator used to be the right choice for this question. However, things have now changed:
The User Administrator role is no longer allowed to manage catalogs and access packages in Azure AD Entitlement Management. Please transition to the Identity Governance Administrator role to continue managing access without disruption, or go to the Entitlement Management settings page if you need to temporarily opt out.
So, if there is an option in this question to choose Identity Governance Administrator, choose that.
https://learn.microsoft.com/azure/active-directory/governance/identity-governance-overview?WT.mc_id=Portal-Microsoft_Azure_ELMAdmin#appendix---least-privileged-roles-for-managing-in-identity-governance-features...
No.# Answer must be B - Helpdesk Administrators.
From the docs:
Authentication administrator: can reset passwords for non-admins but can't invalidate sessions. https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#authentication-administrator
Helpdesk administrator: Users with this role can change passwords, invalidate refresh tokens, manage service requests, and monitor service health. Invalidating a refresh token forces the user to sign in again. https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#helpdesk-administrator
Privileged Authentication Administrator: can reset all passwords (admins & non-admins) but can't invalidate any sessions. https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-authentication-administrator
Security Operator: can't reset any passwords. https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#security-operator
No.# Correct answer is Server 2, then Azure AD. The password protection proxy is installed on a member server. You enable the banned p/w list in Azure AD, the proxy downloads it and passes it to the DCs in the domain.