Exam Code: SC-300
Exam Name: Microsoft Identity and Access Administrator
Certification Provider: Microsoft
Free Question Number: 106
Version: v2024-09-11
Recent Comments (The most recent comments are at the top.)
No.# B. Azure AD Connect cloud sync between the Azure AD tenant and litware.com
No.# Turn on app governance
If your organization satisfies the prerequisites, go to Microsoft 365 Defender > Settings > Cloud Apps > App governance and select Use app governance
https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-get-started#turn-on-app-governance
No.# E is the correct answer because access to resources in Azure is dealt with through Azure Role-Based Access Control (RBAC). This allows fine-grained access management for Azure. System-assigned managed identities can be assigned roles through IAM settings of a resource, granting them permissions to perform certain actions.
To access files in Azure Storage, you would assign the Storage Blob Data Reader role for read access and the Storage Blob Data Contributor role for write access to the managed identity in the IAM settings.
Here's the Microsoft documentation needed about granting access using RBAC and Azure AD identities: https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
No.# Actually I think correct answers are:
All users
Assigned user in users and groups blade
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-configure
No.# Went to my tenant, tried creating access package under resource Roles with teams and sharepoint site and it is saying No groups in Default catalog, however, there is a checkbox which allows all groups and teams NOT in default catalog to show up, so technically I CAN create access package without creating a catalog first, but this is MS and question says "First" so I pick D, Create a catalog
No.# 1) No
2) Yes (although the request is from a trusted location, that doesn't mean the MFA prompt will be bypassed! If there was a CA policy configured to require MFA with the trusted locations EXCLUDED, then the user would not get the MFA prompt)
3) No (request is coming from the IP that is added to the MFA trusted IPs list in the legacy MFA portal https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx)
No.# - Key Vault Crypto Officer
- Key Vault Certificates Officer
Key Vault Crypto Officer: Perform any action on the keys of a key vault, except manage permissions.
Key Vault Certificates Officer: Perform any action on the certificates of a key vault, except manage permissions.
Key Vault Secrets Officer: Perform any action on the secrets of a key vault, except manage permissions.
Ref:
https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli.
No.# A. From Secret1, configure the Access control (IAM) settings
No.# Answer should be "B".
The question is simply asking "WHICH OF THESE GROUPS CAN BE ASSIGNED A LICENSE?"
The answer is ALL OF THEM.
It doesn't matter if a Device Group can't USE an E5 license. That's not the question. The question is can the group be assigned the license. The answer is yes, yes it can.
I tested in my lab env with E5 licensing.
ALL GROUPS CAN BE ASSIGNED AN E5 LICENSE, regardless of if that license will be used properly. Of course, a device can't be assigned E5 licensing. That license wouldn't get used if assigned to a Device Group, BUT, you can still assign it to that group.
No.# Y-Y-N
No.# 1. User1 is set as eligible, not active.
2. Approvers are not able to approve their own role activation requests.
3. Assignment expires on 31 Jan at 23:59. Full stop.
No.# Identities with Owner role:
The Owner role can indeed be assigned across regions. Therefore, the correct answer is:
"Managed1, Managed2, VM1, VM2, and VM3 only"
This is because all of these identities (Managed1, Managed2, VM1, VM2, and VM3) can be assigned the Owner role for RG1, regardless of their location.
Virtual machines assigned to Managed2:
User-assigned managed identities can be used across multiple Azure regions within the same Azure AD tenant. Therefore, Managed2 (located in West US) can be assigned to VMs in any region. The correct answer is:
"VM1, VM2, VM3, and VM4"
This is because Managed2 can be assigned to all VMs listed, regardless of their location.
No.# To meet the requirements for creating the custom roles, you need to assign the following resource provider permissions:
Role1: Create or delete instances of Azure Container Apps
Microsoft.App: This resource provider includes the necessary permissions to manage Azure Container Apps.
Role2: Enforce adaptive network hardening rules
Microsoft.Security: This resource provider includes the necessary permissions to manage and enforce adaptive network hardening rules.
No.# To ensure that users can only provide consent to apps that require low impact permissions, you should configure permission classifications in your Azure AD tenant.
Configuring permission classifications allows you to classify the permissions requested by apps into different impact levels, such as low, medium, or high. By assigning the appropriate impact level to each permission, you can control which apps users are allowed to consent to based on the impact level of the requested permissions.
No.# Device1 is not Azure AD joined and its name starts with “Device”, so it’s affected by CAPolicy1 which blocks access for Group1 members.
So, User1 cannot access Site1 from Device1. The answer is No.
Device2 is Azure AD joined and its name starts with “Device”, so it’s affected by CAPolicy1. However, User2 is not a member of Group1, so CAPolicy1 doesn’t apply.
User2 is a member of Group2, and CAPolicy2 applies to Group2. CAPolicy2 grants access with MFA, and User2 can successfully authenticate using MFA.
So, User2 can access Site1 from Device2. The answer is Yes.
Device3 is Azure AD registered and its name starts with “Device”, so it’s affected by CAPolicy1 which blocks access for Group1 members.
However, User3 is also a member of Group2, and CAPolicy2 applies to Group2. CAPolicy2 grants access with MFA, and User3 can successfully authenticate using MFA.
So, User3 can access Site1 from Device3. The answer is Yes.
No.# A. FIDO2 security keys can only be added in Manage mode. Question says "You enable combined registration in interrupt mode."
B. Hardware token – You cannot register with hardware token.
C. Email is supported.
D. Windows Hello for Business is not supported.
E. Microsoft Authenticator app is supported.
No.# a Dynamic User security group I meant C**
No.# You cannot assign licenses to an Administrative Unit, only a Group, see here https://learn.microsoft.com/en-us/answers/questions/955831/can-licenses-be-directly-assigned-to-an-administra.html
A must be the correct answer
No.# C. a Dynamic User security group
No.# require admin approval for application access to organizational data.
To deny user consent for Azure applications, that can be done via User consent settings.
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?pivots=portal