Microsoft SC-300 Dumps

SC-300 materials stress that to enforce modern controls (like MFA) on on-premises apps, you must front them with Azure AD so Conditional Access can evaluate sign-ins. The documentation states that Azure AD Application Proxy “ provides secure remote access to on-premises applications ” and that apps published through it can have “ Conditional Access policies, including multifactor authentication ” applied at sign-in. In other words, once the legacy app is published by Application Proxy, Azure AD sits in the path, enabling you to meet the requirement to enforce MFA when accessing on-premises applications and to combine it with your location-based exemptions.

For SharePoint Online restrictions, SC-300 points to Microsoft Cloud App Security (Defender for Cloud Apps) for real-time governance: you can create session policies that “ control and limit activities in real time ” and, for SharePoint Online and other Microsoft 365 apps, “ monitor user sessions and block download, cut, copy, and print ” when conditions (device state, risk, or location) warrant it. Since the scenario already has anomaly detections enabled, configuring Cloud App Security policies aligns directly with the requirement to place access restrictions on SharePoint Online without altering tenant-wide consent settings. Thus, publish on-prem apps with Application Proxy to bring them under Conditional Access (for MFA), and use Cloud App Security policies to enforce SharePoint Online session and download controls.

Server1

On DC1

Azure AD Password Protection has two components: the DC agent (installed on domain controllers) and the proxy service (installed on one or more member servers). The SC-300 materials and Microsoft Identity Governance guidance explain that the proxy service is required when domain controllers do not have direct internet access. The proxy retrieves the password protection policy and custom banned password list from Azure AD over outbound HTTPS and makes it available to DC agents. The documentation further states that you should deploy at least one proxy per forest and two for high availability, and that domain controllers do not need internet connectivity when a proxy is deployed. In this scenario, DCs are explicitly blocked from internet access, so the proxy must be placed on member servers. Both SERVER1 (Application Proxy connector) and SERVER2 (Azure AD Connect) are domain-joined member servers with internet connectivity and are appropriate locations for the AzureADPasswordProtectionProxy service; selecting both provides the recommended redundancy. The custom banned password list is configured in Azure AD at the tenant level (as part of Azure AD Password Protection settings), not on individual servers. Once configured, the policy and list are downloaded by the proxy and enforced by the DC agent during password set or change operations, satisfying the requirement to implement a banned password list for the litware.com forest.

SC-300 emphasizes using Conditional Access with named locations to scope MFA—especially to exclude trusted corporate egress IPs . The materials state that administrators can define named locations by public IP ranges and “mark them as trusted” for policy exceptions. This aligns with the requirement: enforce MFA for all users, but exempt users authenticating from the Boston office. Because Azure AD evaluates the client’s public egress address, private RFC1918 ranges are never seen by Azure AD on the internet, so defining private IP ranges would not work. Likewise, the legacy “Trusted IPs” setting belongs to the old per-user MFA service settings; SC-300 guidance prefers Conditional Access named locations for modern MFA deployments and for combining with other conditions (apps, platforms, user risk, locations). Implementing the Boston office as a named location using its public egress IP range(s), and marking it trusted, lets you exclude that location from the tenant-wide MFA policy while still meeting the broader requirement to enforce MFA for everyone else and for on-prem apps published via Azure AD Application Proxy. In short: define Boston’s public IP as a named location and use it in your Conditional Access policy exclusion to satisfy the exemption precisely and securely.

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and Microsoft Learn modules “Implement and manage Azure AD roles” and “Implement Privileged Identity Management (PIM)” , there is a clear distinction between Azure AD built-in roles and Azure (resource-based) built-in roles.

Azure AD built-in roles govern directory-level access — such as managing users, groups, enterprise apps, or security settings in Azure Active Directory (Entra ID). The Privileged Role Administrator role allows the user to manage role assignments for directory roles in Azure AD, including activating roles through PIM. The Global Administrator also has this capability, but the Privileged Role Administrator is the least privilege role that meets the delegation requirement — aligning with the principle of least privilege stated in the scenario. As the documentation notes:

“Privileged Role Administrator manages role assignments in Azure AD, including the ability to activate and assign roles through Azure AD Privileged Identity Management.”

Azure built-in roles, on the other hand, are used to control access at the Azure resource level — for subscriptions, resource groups, and individual resources. The role responsible for managing these assignments is the User Access Administrator. This role can grant or revoke access to Azure resources by managing role assignments within Azure RBAC (Role-Based Access Control). The Microsoft documentation states:

“User Access Administrator allows management of user access to Azure resources. It can assign roles in Azure RBAC for resources, subscriptions, and management groups.”

Therefore:

✅ To manage Azure AD built-in role assignments → Privileged role administrator

✅ To manage Azure built-in role assignments → User access administrator

This approach satisfies the delegation requirement mentioned in the scenario by assigning the least-privileged roles necessary for each type of role management task.

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and the Microsoft Learn module “Monitor and respond to Azure AD events with Azure Sentinel” , multi-staged attacks are advanced threat scenarios that require correlation of multiple events — for example, a suspicious sign-in followed by abnormal Office 365 activity.

The scenario in the question states:

“Litware wants to use the Fusion rule in Azure Sentinel to detect multi-staged attacks that include a combination of suspicious Azure AD sign-ins followed by anomalous Microsoft Office 365 activity.”

Azure Sentinel’s Fusion rule is a built-in, machine-learning–driven correlation rule that automatically detects multi-stage attacks by analyzing anomalies across multiple data sources such as Azure AD sign-in logs, Office 365 activity, and security alerts.

However, to fine-tune detection or meet specific organizational monitoring requirements, administrators can customize the rule logic in Sentinel analytics. This allows you to define how different signals and events are correlated, what thresholds trigger an alert, and how Sentinel interprets combined anomalies.

Microsoft documentation states:

“Fusion uses correlation logic in analytics rules to detect complex multi-stage attacks. Administrators can customize rule logic to meet specific detection requirements and fine-tune alert sensitivity.”

The other options do not meet the requirement:

B. Create a workbook → Used for visualization and reporting, not detection.

C. Add data connectors → Used to ingest data sources; this is already configured.

D. Add a playbook → Used for automated response, not for detection logic configuration.

✅ Correct Answer: A. Customize the Azure Sentinel rule logic

In Azure AD Identity Governance, application access granted through Entitlement management is organized around catalogs and access packages. The SC-300 study materials explain that “a catalog is a container for resources and access packages” and that you must add your enterprise applications (or the groups tied to those apps) to a catalog before you can build access packages that users can request. Creating the catalog first enables you to place only the required resources in scope and to delegate day-to-day ownership: “catalog owners can manage the resources and access packages within their catalog without being tenant-wide admins,” satisfying the delegation requirement to use custom catalogs and least privilege. After the catalog exists, you create one or more access packages that include the application (or groups) and policies that control who can request, how they are approved, and for how long. Identity Governance then lets you track access package assignments and review who has the app over time. By contrast, programs are used to group and report on governance initiatives (for example, collections of access reviews) rather than to onboard application resources; and modifying user/admin consent settings affects app consent behavior, not the lifecycle tracking of assignments. Therefore, the correct first step to track application access assignments while meeting the delegation requirements is to create a catalog.

In the SC-300 coverage of Azure AD Connect and Identity Governance, Microsoft explains that to surface a custom on-premises attribute in Azure AD you must enable Directory extensions in Azure AD Connect. The guide states that “Directory extensions lets you synchronize additional attributes from on-premises Active Directory to Azure AD so they are available in the cloud directory for apps and policy.” This is the supported way to bring a custom attribute (here, LWLicenses ) from the litware.com forest into Azure AD so it can be referenced by cloud features such as dynamic group rules. Domain filtering or optional features do not expose a new attribute to Azure AD; directory extensions does.

For license automation, the SC-300 materials on group-based licensing and dynamic groups emphasize that “licenses can be assigned to Azure AD groups; group members then inherit the licenses, and when membership changes, licenses are added or removed automatically.” They further note that “dynamic user groups evaluate rules against user attributes to add or remove users without manual effort,” and that “nested groups are not supported for license inheritance—only direct members receive licenses.” Using the synced LWLicenses attribute in a Dynamic User group rule (for example, user.extensionAttribute… -eq " E5 " ) ensures users are automatically added to the correct group and therefore receive the specified licenses without administrative intervention, fully meeting Litware’s requirement to “manage the assignment of Azure AD licenses by modifying the value of the LWLicenses attribute.”

According to the Microsoft Identity and Access Administrator (SC-300) Exam Ref and the Azure AD Dynamic Membership Rules documentation , when you create a dynamic group in Azure Active Directory (now Entra ID), you define rules that automatically add or remove users based on their attributes.

The scenario requires a group named LWGroup1 that contains all Azure AD user accounts for Litware but excludes all guest accounts . In Azure AD, internal users created within the tenant are designated with the attribute user.userType = " Member " , while external or guest accounts from partner organizations have user.userType = " Guest " .

To ensure only internal (Litware) users are included, the membership rule must:

Ensure the user object exists — by checking (user.objectId -ne null) which confirms that the rule only applies to valid user objects.

Include only members, excluding guests — by filtering with (user.userType -eq " Member " ) .

Hence, the dynamic rule that satisfies these conditions is:

(user.objectId -ne null) and (user.userType -eq " Member " )

This rule guarantees that LWGroup1 dynamically includes all internal users from litware.com and excludes all external users or guest accounts (such as Fabrikam users).

This logic aligns precisely with the Microsoft Learn module “Manage groups in Azure Active Directory” and SC-300 study guide section “Implement and manage dynamic membership rules” , which states:

“Use user.userType to distinguish between internal members and external guests when configuring membership rules for dynamic groups.”

✅ Correct Answer:

(user.objectId -ne null) and (user.userType -eq " Member " )

In SC-300, Azure AD Identity Protection is the prescribed control to “automatically detect and remediate externally leaked credentials.” That specific user risk—Leaked credentials—relies on Microsoft comparing known breached username/password pairs with what Azure AD can evaluate. The study materials explain that Identity Protection “detects leaked credentials when Microsoft finds a match with the user’s current credentials,” and also note that password hash synchronization (PHS) can be enabled even if your sign-in method is Pass-through Authentication or federation. A common exam call-out is that without PHS, Azure AD has no hash to compare, so the leaked-credential signal is unavailable. Enabling PHS (you can keep PTA as the active sign-in method) allows Identity Protection to raise user risk and enforce policy actions such as require password change or block access. By contrast, Azure AD Password Protection addresses banned/weak passwords at change time, not breached-credential telemetry; federation choices (e.g., PingFederate) don’t deliver the leaked-credential signal; and authentication method policy controls how users perform MFA (e.g., methods) rather than whether leaked credentials are detected. Therefore, to meet the requirement to “automatically detect and remediate externally leaked credentials,” the minimum correct step is to enable password hash synchronization while retaining PTA—exactly as recommended in SC-300 guidance.

According to the Microsoft Identity and Access Administrator (SC-300) official study guide and Microsoft Learn module “Implement and manage user risk policies”, the scenario where “users must be forced to change their password if there is a probability that their identity was compromised” directly maps to the Azure AD Identity Protection “User risk policy.”

In Azure AD Identity Protection, user risk represents the likelihood that an account’s credentials have been compromised. When Azure AD detects a high user risk (for example, leaked credentials, atypical sign-in behavior, or sign-ins from unfamiliar locations), the User Risk Policy can be configured to automatically block access or require the user to reset their password upon the next sign-in.

Before a user can reset their password or complete remediation, they must have a registered authentication method (for password reset and MFA). Therefore, users must first register for multi-factor authentication (MFA) — this registration enables the authentication methods (like phone number or authenticator app) that are also used during password reset verification.

The SC-300 documentation specifically highlights:

“To enforce a password change when a user’s identity risk is high, the user must be registered for MFA, and a user risk policy must be configured to require password change.”

Thus, the correct configuration is:

Users must first register for MFA — to ensure they have verified methods available.

Configure a user risk policy — to automatically trigger password reset upon detection of compromised credentials.

Correct Answers:

Users must first: Register for multi-factor authentication (MFA).

You must configure: A user risk policy.

According to the Microsoft SC-300: Identity and Access Administrator official study guide and the Microsoft Learn module “Manage user and group licenses in Microsoft Entra ID (Azure AD)”, when you need to automatically assign licenses to users based on specific attributes (such as department, location, or a custom attribute like LWLicenses ), you should use a Dynamic User Security Group in Azure Active Directory (Entra ID).

In the scenario, Litware wants to:

“Manage the assignment of Azure AD licenses by modifying the value of the LWLicenses attribute. Users who have the appropriate value for LWLicenses must be added automatically to the Microsoft 365 group that has the appropriate license assigned.”

This requirement directly maps to a Dynamic User security group, which supports dynamic membership rules that automatically include users when their attributes meet defined conditions (for example, user.extensionAttribute15 -eq " E5 " ). When a license is assigned to this dynamic group, Azure AD automatically provisions or removes licenses for members based on their attribute values — eliminating manual license management.

Per Microsoft documentation:

“You can assign licenses to a group that has dynamic membership. When a user’s attributes change, Azure AD automatically adds or removes them from the group, which updates their license assignments accordingly.”

Now, analyzing the other options:

B. An OU (Organizational Unit): Used in on-premises Active Directory, not Azure AD. It cannot manage cloud-based license assignments.

C. A Distribution Group: Used for email distribution in Exchange Online; cannot be used for license assignment.

D. An Administrative Unit: Used for scoping administrative permissions, not for license assignment.

Therefore, the only object type that satisfies both the technical and automation requirements is a Dynamic User Security Group.

✅ Correct Answer: A. A Dynamic User security group

 The users must first: Register for multi-factor authentication (MFA)

 You must configure: A user risk policy

According to Microsoft SC-300 official learning materials and Exam Ref SC-300: Microsoft Identity and Access Administrator , when the requirement is to address the probability that user identities were compromised, the appropriate feature is Azure AD Identity Protection. Identity Protection detects risky sign-ins and risky users through continuous analysis of login behavior, location, device, and credential exposure signals.

Two types of policies can be created:

Sign-in risk policy – Triggers actions based on suspicious sign-in behavior (for example, unfamiliar location).

User risk policy – Triggers actions when the user’s overall identity is deemed at risk (for example, compromised credentials).

The documentation specifies:

“When user risk is detected, the policy can require the user to change their password to remediate the risk. Users must first be registered for MFA to perform secure password change operations.”

Therefore, before the user risk policy can be enforced, users must be enrolled in multi-factor authentication (MFA). MFA is used during the remediation step (password change) to verify the user’s identity securely.

Thus, to meet the requirement for “the probability that user identities were compromised,” you configure a user risk policy in Azure AD Identity Protection, and ensure that users first register for MFA so that they can complete password change or verification flows when risks are detected.

In Azure AD, license automation is implemented through group-based licensing . The SC-300 materials explain that “you can assign licenses to a group in Azure Active Directory; when you assign a license to a group, all users who are members of the group are assigned that license” . They also clarify that “dynamic group membership uses rules to automatically add or remove users based on user attributes” , which is the recommended way to on-board new populations without manual effort. For licensing, the guide is explicit that “group-based licensing works with security groups and Microsoft 365 Groups” and that “distribution lists are not supported for license assignment” . Administrative Units are described as “a scoping mechanism for delegating administrative permissions to subsets of users and devices” , not a licensing entity. Likewise, Organizational Units (OUs) are on-premises AD containers and “do not control license assignment in Azure AD” .

Given the requirement to allocate licenses automatically to new A. Datum users as they appear, the least-effort, policy-driven approach is to create an Azure AD Dynamic User security group with a membership rule that targets those users (for example, by domain, company attribute, or a synced attribute), then assign the required Microsoft 365/Azure AD licenses to that group. As the documentation notes, “when users join or leave the group based on the rule, licenses are added or removed automatically.”

The SC-300 coverage of Azure AD Connect explains that when you need to bring in a new set of on-premises users or change what is synchronized (for example, adding an additional domain/OU such as ADatum or adjusting filtering), you reopen the Azure AD Connect wizard and choose “Customize synchronization options.” The guide notes that this path lets you “modify directory/OU filtering, add or remove forests, and enable optional sync features” so that only the intended users are synchronized. It contrasts with operational commands: Start-ADSyncSyncCycle merely triggers an immediate delta/full sync of the current configuration; Set-ADSyncScheduler changes the sync cadence or pause/resume behavior; and “Change user sign-in” alters the authentication method (e.g., PHS vs. PTA) but does not control scoping of which users are synced. To meet a requirement to sync the ADatum users according to technical constraints (such as OU/domain selection or feature toggles), you must first configure the scope by running the wizard and selecting Customize synchronization options, then perform/allow a sync cycle to bring those users into Azure AD as defined.

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and the Microsoft Learn module “Publish on-premises apps for remote access using Azure AD Application Proxy”, Azure AD Application Proxy enables secure remote access to internal, on-premises web applications without requiring VPN access.

In the scenario, App1 is an on-premises application hosted within the Litware network, and the technical requirements specify that it must be securely accessible to both internal and external users — including Fabrikam guest accounts — through Azure AD authentication.

Microsoft’s official documentation states:

“Azure AD Application Proxy provides secure remote access to on-premises web applications, integrating with Azure AD for single sign-on (SSO) and conditional access policies.”

Given that the environment already includes a server (SERVER1) running the Azure AD Application Proxy connector, and that Litware wants to enforce Azure AD Conditional Access and MFA for App1, Azure AD Application Proxy is the correct implementation.

The other options are not suitable:

A. Policy set in Microsoft Endpoint Manager: Used for device compliance and app management, not for publishing on-premises apps.

B. App configuration policy in Endpoint Manager: Used for mobile app configuration (e.g., MAM policies), not for access publishing.

C. App registration in Azure AD: Used for modern cloud or SaaS apps integration, but App1 is on-premises and needs proxy access.

Correct Answer: D. Azure AD Application Proxy

To meet auditing and monitoring requirements, Azure AD must send sign-in logs and audit logs to an external location such as a Log Analytics workspace, Azure Storage account, or Event Hub. This is configured using Diagnostics settings in Azure AD.

According to Microsoft documentation in “Monitor Azure Active Directory activity logs in Azure Monitor” and the SC-300 learning objective “Implement and monitor identity governance” , you must enable diagnostic settings to stream directory logs to a Log Analytics workspace.

The scenario specifies:

“You create a Log Analytics workspace. You need to implement the technical requirements for auditing.”

By configuring Azure AD’s Diagnostics settings, you can:

Send Sign-in logs, Audit logs, and Provisioning logs to Log Analytics.

Correlate identity events with security insights in Azure Sentinel or Microsoft Defender for Cloud Apps.

Microsoft documentation confirms:

“To collect and analyze Azure AD sign-in and audit data, configure diagnostic settings to send logs to Log Analytics.”

Other options do not meet the requirement:

A. Company branding: Only affects login pages, not logging or auditing.

C. External Identities: Controls guest access, not logging.

D. App registrations: Used for app integration, not auditing.

In Azure AD Privileged Identity Management (PIM) for Azure AD roles, the exam materials describe that you tailor how a role (for example, User administrator) is used by editing its Role settings. These settings control activation behavior, including require multi-factor authentication, justification, approval, assignment/activation durations, and notifications . The guide states that administrators can “configure activation requirements and time-bound eligibility on a per-role basis” and “enforce approval workflows and MFA at activation.” Access reviews are used to periodically verify who still needs a role , but they do not implement the operational changes to how the role is activated. Active assignments simply shows and changes who currently holds active/eligible assignments; it does not set policy for the role’s activation behavior. Administrative units scope certain directory tasks, but they are not how you change PIM activation/approval/MFA requirements. Therefore, to meet planned changes for the User administrator role (such as least privilege activation with approval, justification, and MFA), you update PIM → Azure AD roles → User administrator → Role settings. This aligns with the SC-300 objective to “configure PIM settings and policies for Azure AD roles,” ensuring governance by policy rather than ad-hoc assignment.

As per the Microsoft SC-300: Identity and Access Administrator official study materials and Microsoft Learn documentation on “Manage administrative units in Azure Active Directory” , Administrative Units (AUs) are designed to delegate administrative permissions within large organizations based on divisions such as geography or department. They provide scoped administrative control —allowing helpdesk or user administrators to manage users only within a specific subset of the directory, such as a branch office or department.

In this scenario, Contoso’s technical requirement states:

“The helpdesk administrators must be able to manage licenses for only the users in their respective office.”

To fulfill this, you must create an administrative unit for each branch office (e.g., Montreal, London, Seattle) and assign helpdesk administrators scoped to those AUs. This ensures that each helpdesk admin can only manage licenses for the users within their respective office, enforcing the principle of least privilege.

The Azure Active Directory admin center is the correct tool for creating and managing administrative units. SC-300 guidance clarifies that administrative units are Azure AD objects , not on-premises Active Directory objects like Organizational Units (OUs). Therefore, they are created and managed exclusively through the Azure portal , Microsoft Graph , or PowerShell for Azure AD , but the most straightforward interface for exam purposes is the Azure AD admin center .

According to the Microsoft SC-300: Identity and Access Administrator official study guide and Microsoft Learn modules on Azure AD Identity Governance , the correct way to manage user access—especially for scenarios involving both internal and external users—is through Entitlement Management in Azure AD Identity Governance .

Entitlement Management uses access packages to define and automate how users obtain access to resources such as groups, SharePoint sites, and applications. Access packages contain policies that specify who can request access (internal users, external users, or both) and how that access is approved and periodically reviewed. The guide clearly states:

“Access packages provide a structured method to configure and automate access for users, ensuring that access assignments follow the organization’s policy and compliance requirements.”

To enable external collaboration with another organization (such as fabrikam.com ), Microsoft documentation emphasizes that you must create a connected organization . A connected organization represents an external directory or domain whose users can be invited to request access packages or participate in identity governance workflows. The connected organization defines trust boundaries for cross-tenant collaboration, without requiring domain federation or acceptance.

In summary:

Access packages configure and automate user access.

To add the LinkedIn application as a resource to the Sales and Marketing access package without removing any other resources, you can follow these steps:

Sign in to the Microsoft Entra admin center:

Ensure you have the role of Global Administrator or Identity Governance Administrator.

Navigate to Entitlement Management:

Go to Identity governance  >  Entitlement management  >  Access packages1.

Select the Sales and Marketing access package:

Find and select the Sales and Marketing access package to modify it.

Add a new resource:

Within the access package details, select Resources.

Click on + Add resource.

Search for and select the LinkedIn application from the list of available resources.

Configure the resource role:

Assign the appropriate role for the LinkedIn application that users in the Sales and Marketing access package will have.

Review and update the access package:

Ensure that the LinkedIn application has been added as a resource.

Confirm that no other resources have been removed from the access package.

Save the changes:

After reviewing, save the changes to the access package.

Communicate the update:

Notify the relevant users about the addition of the LinkedIn application to their access package.

By following these steps, you will successfully add the LinkedIn application to the Sales and Marketing access package without affecting the other resources.

To prevent all users from using legacy authentication protocols when authenticating to Microsoft Entra ID, you can create a Conditional Access policy that blocks legacy authentication. Here’s how to do it:

Sign in to the Microsoft Entra admin center:

Ensure you have the role of Global Administrator or Conditional Access Administrator.

Navigate to Conditional Access:

Go to Security > Conditional Access.

Create a new policy:

Select + New policy.

Give your policy a name that reflects its purpose, like “Block Legacy Auth”.

Set users and groups:

Under Assignments, select Users or workload identities.

Under Include, select All users.

Under Exclude, select Users and groups and choose any accounts that must maintain the ability to use legacy authentication.It’s recommended to exclude at least one account to prevent lockout1.

Target resources:

Under Cloud apps or actions, select All cloud apps.

Set conditions:

Under Conditions > Client apps, set Configure to Yes.

Check only the boxes for Exchange ActiveSync clients and Other clients.

Configure access controls:

Under Access controls > Grant, select Block access.

Enable policy:

Confirm your settings and set Enable policy to Report-only initially to understand the impact.

After confirming the settings using report-only mode, you can move theEnable policytoggle fromReport-onlytoOn2.

By following these steps, you will block legacy authentication protocols for all users, enhancing the security posture of your organization by requiring modern authentication methods. Remember to monitor the impact of this policy and adjust as necessary to ensure business continuity.

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and Microsoft Learn module “Implement and manage Application Proxy for on-premises apps” , Azure AD Application Proxy requires that the connector installation be performed by a user with either the Global Administrator or Application Administrator or Cloud Application Administrator role.

Part 1 — User that should perform the installation The Application Proxy connector must be installed by a user who can register and manage applications in Azure AD. The documentation specifies that both Application Administrator and Cloud Application Administrator roles can perform Application Proxy connector installation. Since the question requires adherence to the principle of least privilege, Admin3 (Cloud Application Administrator) is the most appropriate user — because this role grants the required permissions without the broader rights of the Global Administrator.

“Cloud Application Administrator can create, manage, and delegate enterprise applications and Application Proxy connectors, without tenant-wide permissions.”

✅ Therefore, Admin3 should perform the installation.

Part 2 — Role for User1 After the connector is installed, User1 needs to register App1 in Azure AD. The role required to register and configure application registrations is the Application Developer role.

According to Microsoft documentation:

“Users assigned the Application Developer role can register applications in Azure AD and manage app registrations they own.”

This role is the least privileged role that allows creating new application registrations, unlike Application Administrator or Cloud Application Administrator, which can manage all apps tenant-wide.

✅ Therefore, assign User1 the role of Application Developer.

In Microsoft Defender for Cloud Apps, OAuth app policies monitor and control third-party applications that have OAuth permissions to your Microsoft 365 environment. They allow administrators to review app permissions, detect over-privileged apps, and revoke access where needed.

This aligns with the SC-300 topic “Monitor and manage app permissions in Defender for Cloud Apps” , which states:

“OAuth app policies allow you to detect risky applications connected via OAuth authorization and monitor app access to your organizational data.”

Yes

NO

No

This question tests understanding of Azure Managed Identities — both system-assigned and user-assigned — and their regional restrictions and role assignment capabilities.

Let’s break it down carefully based on official Microsoft documentation and SC-300 study material:

VM1 Region: East US

System-assigned Managed Identity: Disabled (so we can only use user-assigned identities)

Managed Identities available:

Managed1 – East US

Managed2 – East US

Managed3 – West US

???? Step 1: Understanding the setup

???? Step 2: Regional assignment rule According to Microsoft documentation:

“A user-assigned managed identity can be used only by resources in the same Azure region as the managed identity.”

That means:

A VM in East US can use user-assigned managed identities that are also located in East US only.

A VM in East US cannot use a user-assigned managed identity created in West US.

Therefore:

✅ Managed2 (East US) → can be assigned to VM1 (East US).

❌ Managed3 (West US) → cannot be assigned to VM1 (East US).

???? Step 3: Role assignment capability The question also includes:

“You can assign VM1 the Owner role for RG1.”

Per Azure RBAC design and SC-300 guidelines:

Azure roles (such as Owner, Contributor, Reader) can only be assigned to Azure AD security principals, which include users, groups, service principals, and managed identities — but not to Azure resources themselves (like a VM directly).

Therefore, you cannot assign a role to VM1 as an object; you can only assign roles to VM1’s managed identity (if it had one enabled).

Since VM1’s system-assigned identity is disabled and the user-assigned identity (Managed1) already attached cannot represent the VM itself for new role assignments, VM1 cannot directly hold the Owner role for RG1.

In the SC-300 materials on Microsoft Entra PIM for Azure resources and Azure Key Vault authorization, you’re guided to use Azure RBAC (data-plane roles)—not legacy access policies—when you need time-bound, approvable, least-privilege access managed through PIM. The guide explains that PIM can make users Eligible or Active for Azure resource roles and that Key Vault provides specific data actions via built-in RBAC roles. For secrets, the roles are scoped to a vault (and can be further restricted by resource scope) and are purpose-built:

Key Vault Secrets Officer — described as allowing a user to “create, read, update, and delete secrets” without granting key or certificate permissions. This precisely satisfies User1’s requirement to read and update Secret1 while keeping scope limited to secrets (least privilege compared to broader Owner/Contributor).

Key Vault Secrets User — documented to “read secret contents” only. This matches User2’s requirement to read the contents of the secrets stored in Vault2 while preventing modification or management actions.

The SC-300 coverage stresses that RBAC roles for Key Vault separate permissions for keys, secrets, and certificates, enabling least privilege and PIM governance (eligible/activation, approvals, MFA, and just-in-time) for access to sensitive data.

According to the Microsoft SC-300 Study Guide and official Microsoft Learn modules “Monitor and maintain Azure AD” and “Implement and manage identity governance”, different log types and reports within Azure Active Directory provide distinct insights for security and compliance management.

Sign-in logs: The Sign-in logs provide detailed information on authentication attempts in Azure AD, including user identity, application accessed, authentication status, IP address, and geographical location. These logs help identify unusual sign-in patterns or possible compromise by tracking where and from which IP addresses users are accessing resources. The SC-300 documentation states:

“Sign-in logs in Azure AD enable administrators to analyze user authentication attempts, track IPs, and review sign-in locations to detect anomalies and secure identities.”

Audit logs: The Audit logs record changes within Azure AD, such as user creation, role assignments, application registration, or service principal modifications. These logs allow administrators to trace “who did what and when,” which is essential for compliance auditing and operational transparency.

“Audit logs in Azure AD capture directory-level changes, including updates to users, groups, applications, and service principals.”

Identity Secure Score: The Identity Secure Score in Microsoft Entra (formerly Azure AD) provides a security posture assessment for your organization’s identity configuration. It offers improvement recommendations to strengthen protection, including MFA enforcement, Conditional Access, and privileged identity management.

“Identity Secure Score helps organizations assess their security configuration against Microsoft best practices and provides actionable improvement recommendations.”

According to the Microsoft SC-300 Study Guide and Microsoft Defender for Cloud Apps documentation , an access policy in Microsoft Defender for Cloud Apps (MCAS) enables administrators to enforce real-time session control and conditional access based on user risk or session context. These policies integrate directly with Azure AD Conditional Access and Microsoft Defender for Identity signals to determine when a user’s session should be allowed, monitored, or blocked.

The documentation specifies:

“Access policies are used to control user access and session activities in real-time. You can use these policies to block access, require session control, or limit downloads when risk conditions such as ‘user risk = high’ are detected.”

In this case, since the requirement is to block access to cloud apps when a user is assessed as high risk, an access policy in Defender for Cloud Apps must be used. Other options are not applicable because:

OAuth app policy controls permissions granted to third-party apps.

Anomaly detection policy detects unusual activities but does not block access.

Activity policy monitors specific user actions within apps.

No

No

Yes

a) When you assign a group to an application, only users in the group will have access. The assignment does not cascade to nested groups.

b) Tested in lab, existing owners will be replaced. Also direct assignment (resource owner) is path of least privilege. (replicated in test)

c) Application setting ' visible to users ' is set to No, then no users see this application on their My Apps portal and O365 launcher.

Reference

According to the Microsoft SC-300: Identity and Access Administrator Study Guide, Azure AD Enterprise Application Self-service configuration determines how users can request access, who approves it, and whether access is automatically granted. Let’s analyze each statement based on the exhibits:

Members of Group3 can access App1 without approval from User1 — NO In the Group1 exhibit, Group1 contains User1, User4, and Group3 . In the App1 Self-Service exhibit, it shows that “Require approval before granting access” is set to Yes, and User1 is designated as the approver. Therefore, even though Group3 members might indirectly be part of Group1, access requests to App1 must still be approved by User1 before being granted.

After configuring self-service, the owner of Group1 is User1 — NO The PowerShell command Get-AzureADGroupOwner clearly shows that Admin (not User1) is the owner of Group1. Configuring self-service for an application does not change group ownership; it only defines how access requests are handled. Ownership of Group1 remains with Admin.

App1 appears in the Microsoft 365 app launcher of User4 — YES In the App1 Properties exhibit, the “User assignment required” setting is set to Yes. This means only assigned users (directly or via groups) can see and access the application. Since Group1 is configured as the target group for user assignment and User4 is a member of Group1, User4 will see App1 in their Office 365 app launcher after assignment approval.

This logic follows Microsoft Learn documentation:

“When a user is assigned to an enterprise application (either directly or through group membership), the application appears in the user ' s Office 365 app launcher once access is granted.”

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and Microsoft Learn content under “Manage Azure AD tenants and configure tenant properties”, self-service sign-up (also known as viral sign-up) allows users to create accounts in an existing Azure AD tenant using an email domain associated with that tenant. This feature lets external or ungoverned users create identities if it is not explicitly disabled, which can cause unauthorized account creation in the organization’s namespace.

To stop users from performing self-service sign-ups using the organization’s verified domain (e.g., contoso.com), administrators must disable the AllowEmailVerifiedUsers setting in Azure Active Directory using PowerShell. This configuration change prevents users from automatically creating accounts with the organization’s domain when registering for Microsoft 365 or other Azure services.

The cmdlet used to configure tenant-level settings like this is Set-MsolCompanySettings from the MSOnline module.

The specific PowerShell command would be:

Set-MsolCompanySettings -AllowEmailVerifiedUsers $false

This command disables self-service sign-up for email-verified users, ensuring that only administrators can create accounts in the tenant.

Other cmdlets in the options serve different purposes:

Set-MsolDomainFederationSettings – Used for configuring federation settings for a domain.

Update-MsolFederatedDomain – Used to update or repair federation trust settings.

Set-MsolDomain – Used to configure domain-specific properties (e.g., authentication type).

As per Microsoft’s official documentation:

“To prevent users from self-service sign-up using your organization’s verified domain, set AllowEmailVerifiedUsers to $false using Set-MsolCompanySettings.”

According to Microsoft’s SC-300 Exam Guide and Microsoft Learn module: Manage Identity Governance in Azure AD , the removal and lifecycle management of external users (B2B guests) within Azure Active Directory’s Entitlement Management are configured through Entitlement management settings under the Identity Governance blade.

In scenarios where external partners (such as Fabrikam) are granted access via access packages , administrators can define lifecycle settings to ensure that when access is no longer required, the users are automatically removed from the directory. The Entitlement Management directory settings control two specific parameters:

Block external user from signing in to this directory — determines whether external users can still sign in after access expiration.

Remove external user — enables automatic deletion of the guest account after a specified number of days.

Number of days before removing external user — defines the delay period (in this case, 90 days).

Microsoft documentation states:

“To automatically remove external users from your directory after access expires, configure the Entitlement management settings. You can set whether to block sign-in and specify how many days after access expiration the user should be removed.”

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and Microsoft Learn module “Implement and Manage Microsoft Entra Connect” , when organizations need authentication to always validate user passwords directly against the on-premises Ac tive Directory Domain Services (AD DS) environment, the correct configuration is Pass-through Authentication (PTA).

Here’s why:

Pass-through Authentication (PTA) ensures that when a user attempts to sign in to Microsoft Entra ID (formerly Azure AD), their credentials are not validated in the cloud. Instead, the authentication request is securely passed to an on-premises authentication agent, which validates the credentials against the on-premises AD DS domain controller in real time.

This configuration provides an immediate reflection of on-premises account states — if an account is disabled, locked, or the password is changed, those changes take effect instantly for cloud authentication as well.

To configure PTA, you must use Microsoft Entra Connect, which is the hybrid identity synchronization tool that links on-premises directories to Microsoft Entra ID. During Entra Connect setup, administrators can choose between Password Hash Synchronization, Pass-through Authentication, or Federation as the sign-in method.

Microsoft documentation explicitly states:

“Pass-through Authentication allows users to sign in to both on-premises and cloud-based applications using the same passwords. Authentication occurs against your on-premises Active Directory.”

Therefore, to meet the requirement that authentication always validates passwords against the on-premises AD DS domain:

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and Microsoft Entra ID (Azure AD) documentation , sign-in logs are the primary source for diagnosing and troubleshooting authentication and access issues for Azure AD–integrated services, including Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) .

The sign-in logs record all user authentication attempts — successful and failed — along with critical details such as:

User identity (User Principal Name)

Application name (in this case, “Microsoft Cloud App Security” or “Microsoft Defender for Cloud Apps”)

IP address and device details

Conditional Access policy outcomes

Failure reasons (e.g., MFA requirement, denied by Conditional Access, invalid token, etc.)

These logs can be accessed directly from the Microsoft Entra admin center → Monitoring → Sign-in logs .

They allow administrators to quickly identify why a user was unable to access a specific cloud service , without needing to configure or collect extra data sources.

Other log types do not fit this scenario:

Audit logs record changes (e.g., policy updates, role assignments) but not authentication attempts.

Provisioning logs track synchronization and provisioning events from connected applications.

Log Analytics is a log aggregation workspace; it’s not the first-line diagnostic tool and requires extra configuration.

Hence, to identify the cause of User1’s access error with minimal administrative effort , the correct choice is sign-in logs .

The issue in the exhibit is that all review notifications go to Megan Bowen because she is the fallback reviewer, and the system cannot determine each user’s manager. According to Microsoft documentation:

“If you choose ‘Manager’ as the reviewer type, Azure AD uses the ‘manager’ attribute from each user’s profile. If this attribute is not configured, the fallback reviewer receives the request.”

By modifying the IT administrator user accounts to assign the correct manager attribute, Azure AD can route each department’s review to its corresponding manager automatically. This satisfies the requirement without needing separate access reviews.

✅ Correct Answer: A. Yes

According to Microsoft Identity Governance documentation and the SC-300 study guide, entitlement management in Azure AD allows you to manage access to resources like SharePoint Online sites, Teams, groups, and applications through access packages . However, before an access package can be created, the administrator must first define a catalog .

A catalog is the logical container that holds all the resources (such as groups, Teams, and SharePoint sites) that can be made available in access packages. The process for entitlement management begins with catalog creation, followed by adding resources, then creating access packages that assign roles for those resources. Therefore, the first step to managing Site1 (SharePoint site) and Team1 (Microsoft Teams team) within entitlement management is to create a catalog and add those resources to it.

This aligns with Microsoft documentation, which states:

“Before creating an access package, you must have a catalog that contains the resources to be made available for assignment.”

In Azure AD Entitlement Management , the tenant-level lifecycle settings govern what happens to external users when their last access package assignment ends. The SC-300 materials explain that when “Block external users from signing in to this directory = Yes,” a guest whose final assignment expires or is removed is immediately blocked from sign-in to the resource directory. With “Remove external user = Yes” and a configured period (here 30 days ), the guest account is deleted from the directory after that interval provided the user has no other active access package assignments . These lifecycle actions are tied to access package assignments , not to unrelated memberships or role grants that were not delivered via entitlement management.

Applying the timelines: Guest1 and Guest2 received Package1 on Mar 1 with an assignment expiration of Apr 1 . On Apr 1 , their last assignment ended, so they were blocked the same day, and then removed after 30 days —on or about May 1 . Therefore, on May 5 , neither Guest1 nor Guest2 remains in the directory . The fact that Guest1 was granted a Reports reader role on Mar 2 does not prevent lifecycle removal because it is not an access package assignment . Guest3 , however, was invited on Apr 1 and added to the All Company group on Apr 4 outside of entitlement management; since there was no access package assignment to expire , the lifecycle removal policy does not apply , so Guest3 is still present on May 5 .

In Azure AD B2B bulk invitations, the portal and CSV workflow require two core fields: the external user’s email address and the Invite Redirect URL that determines where the guest is sent to redeem the invitation. The study guide notes that the bulk invite template “must include the guest’s email address” and that “InviteRedirectUrl is required to define the post-invite redemption target (such as MyApps or a specific app).” Usernames and passwords are not supplied for B2B guests because “guest accounts authenticate with their home identity provider,” and there is no shared key involved in the invitation. Therefore, the only mandatory parameters to successfully process a bulk B2B invite are the email address of each guest and the redirection URL used during invitation redemption.

With Email one-time passcode (OTP) for guests enabled, the SC-300 materials describe OTP as an authentication method “used for B2B guest users who do not have, or cannot use, an Azure AD or Microsoft account to complete sign-in.” In the scenario: User1@contoso.com is already a guest in the tenant and will authenticate using their home directory; no OTP is sent. User3@fabrikam.com is an internal member of the same tenant and therefore does not receive a guest OTP. User2@outlook.com has never accessed resources in the tenant; when the library is shared, the tenant sends a guest invitation. With OTP enabled, the service provides a passcode by email to complete authentication when a straightforward federated or previously established sign-in path is not available for the invitee. Hence, under the guest invite/OTP configuration shown, User2 is the user who will be emailed a one-time passcode.

In Microsoft 365 and Azure AD Multi-Factor Authentication (MFA), the supported verification methods include:

Microsoft Authenticator app (notification or verification code)

Phone call

Text message

Hardware token (OATH)

According to the Microsoft SC-300 Study Guide and Microsoft Learn: Plan and deploy Azure AD MFA , the Microsoft Authenticator app offers two modes:

Push notification – requires an active internet connection on the mobile device.

Verification code (time-based one-time password - TOTP) – does not require internet or mobile connectivity. The Authenticator app continuously generates verification codes every 30 seconds locally on the device.

In this scenario, users are working remotely in areas without Wi-Fi or mobile network connectivity. Hence, methods relying on push notifications, SMS, or phone calls are not feasible. The only viable MFA method that works offline is the verification code from the Microsoft Authenticator app , since it functions using the device’s internal clock without external connectivity.

 User1 must use multifactor authentication (MFA) when signing in to Microsoft 365 apps. = Yes

 User2 must use multifactor authentication (MFA) when signing in to Microsoft 365 apps. = Yes

 User3 must use multifactor authentication (MFA) when signing in to Microsoft 365 apps. = No

Comprehensive and Detailed Explanation with all Microsoft SC-300: Identity and Access Administrator documents : =

In Conditional Access, enforcement is determined by Assignments → Users or workload identities (which specify who the policy applies to) and Target resources (which specify what apps/resources are protected). When a policy’s Grant control is set to Require multifactor authentication , all identities included in the policy’s user assignment scope must perform MFA when accessing the targeted resources. Being a member of multiple groups does not weaken enforcement; if a user is in any included group, the policy applies. Conversely, users not included in the policy’s user assignment scope are not prompted by that policy, even if they hold privileged roles. Holding the Global Administrator role does not automatically force MFA unless the tenant uses Security defaults or a Conditional Access policy targets that admin account or its group.

Applying this to the scenario: Policy1 targets All cloud apps (so the apps side is universal), and—given the group context—its user assignment is scoped to Group1 . User1 (Group1) and User2 (Group1 and Group2) are both in scope and therefore must perform MFA. User3 is only in Group2 ; since Group2 is not within the policy’s user assignment, Policy1 does not apply to User3, despite the Global Administrator role. Hence: Yes for User1, Yes for User2, and No for User3.

SC-300 teaches that group-based licensing supports security groups and Microsoft 365 groups, with assigned or dynamic user membership. The guide states: “Licenses can be assigned to groups whose members are users ; nested groups aren’t processed and devices cannot be licensed .” Applying this to the table: Group1 (Security-Assigned) and Group2 (Security-Dynamic User) are valid; Group4 (Microsoft 365-Assigned) and Group5 (Microsoft 365-Dynamic User) are also valid. Group3 is a Security-Dynamic Device group and therefore ineligible because “device objects do not receive user licenses.” Consequently, the Office 365 E5 license can be assigned directly to Group1, Group2, Group4, and Group5 only.

In Azure AD Identity Protection, risk detections are classified into sign-in risks and user risks . According to Microsoft’s SC-300 Study Guide and Identity Protection documentation , a user risk represents the probability that an account has been compromised . Microsoft aggregates multiple sign-in signals and applies its threat intelligence algorithms to determine whether a user’s identity may be at risk.

Among the listed options, Password spray , Anonymous IP address , and Unfamiliar sign-in properties are sign-in risk detections , while Azure AD threat intelligence is the only type classified as a user risk detection .

Microsoft Docs states: “User risk detections are generated by Azure AD threat intelligence when Microsoft detects that user credentials appear to be compromised.”

<  Authentication by the domain controller: Pass-through authentication

 SSPR: Password writeback

As per the Microsoft Identity and Access Administrator (SC-300) official study guide and Microsoft Learn documentation for Azure AD Connect, the scenario involves two key requirements:

User sign-ins to Azure AD must be authenticated by an Active Directory domain controller.

In Azure AD hybrid identity configurations, there are three main authentication methods:

Password hash synchronization (PHS): Azure AD verifies the password hash stored in the cloud.

Pass-through authentication (PTA): Authentication requests are passed from Azure AD to on-premises domain controllers using an agent, ensuring that the on-premises AD performs the actual verification.

Federation with AD FS: Redirects authentication to Active Directory Federation Services.

Since the requirement specifies that authentication must occur by an Active Directory domain controller, Pass-through authentication (PTA) is the correct option. This method ensures the user ' s password validation happens directly against the on-premises domain controller, not the cloud.

Active Directory domain users must be able to use Azure AD self-service password reset (SSPR).

To allow users to reset their passwords in Azure AD and have those changes synchronized back to on-premises Active Directory, the Password writeback feature must be enabled in Azure AD Connect.

This feature securely writes password changes from Azure AD (including SSPR actions) back to the on-premises AD DS environment.

From Microsoft’s official text:

“To enable users to reset their on-premises passwords through Azure AD SSPR, enable the Password writeback feature in Azure AD Connect.”

Therefore, based on Microsoft SC-300 documentation:

Authentication by the domain controller: Pass-through authentication

SSPR: Password writeback

In Microsoft Entra ID (Azure AD), the per-user device cap is controlled in Devices > Device settings. The SC-300 materials describe that administrators can configure “Users may join devices to Azure AD” and the “Maximum number of devices per user” . The guide notes that this limit defaults to five and is used to “control how many devices a user can join or register in Azure AD”; when users reach the limit, “they cannot add additional devices until the limit is increased or an existing device is removed.” For scenarios like field or sales staff who use multiple devices, the study content recommends adjusting this value to meet business needs. Because A. Datum’s sales users hit the current cap and a requirement states “Increase the maximum number of devices that can be joined or registered to Azure AD to 10,” the fix is to change the tenant’s Device settings—not User settings, Access reviews, or Security defaults. This aligns with the exam objective to configure device settings for Azure AD join and registration and addresses the precise symptom reported by users.

For Identity Governance (Entitlement Management), the materials clarify who can create and manage access reviews of access packages: “To create or manage access reviews for access packages, you must be a Global administrator, an Identity Governance administrator, a catalog owner for the catalog that contains the access package, or an access package manager.” The exam text also states: “User administrator does not grant the ability to manage entitlement management access reviews unless the user is delegated as a catalog owner or access package manager.” Given the scenario’s user roles, User3 (Identity Governance administrator) and User5 (Global administrator) satisfy these permissions and therefore can create and manage the access review for Package1. By contrast, User4 (User administrator) cannot perform this task by role alone. This selection follows the least-privilege guidance emphasized in SC-300: use specialized governance roles (Identity Governance admin or delegated catalog roles) rather than broad directory roles when possible.

Assigning built-in directory roles (like Device Administrators) to a group requires a role-assignable group. The SC-300 documentation explains: “You can assign Azure AD roles to a cloud security group by creating the group with the setting ‘Azure AD roles can be assigned to the group.’” It further emphasizes: “This attribute is immutable; you must decide at creation time. You cannot convert an existing group to be role-assignable later.” When a standard security group is not created as role-assignable, it will not appear in the picker when attempting to assign a directory role—exactly the behavior observed: “groups that aren’t role-assignable cannot be selected for Azure AD role assignments.” Therefore, the first step is to recreate IT_Group1 as a role-assignable security group (often called an “eligible for role assignment” group) and then assign the Device Administrators role to that group. Changing membership types (Dynamic User or Dynamic Device) or adding owners does not convert an existing group into a role-assignable one and thus would not resolve the issue.

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and the Microsoft Learn module “Implement and manage synchronization for Azure AD” , Azure AD Connect Cloud Sync is the preferred solution when you need to synchronize objects from multiple Active Directory (AD DS) forests without establishing forest trusts .

The scenario specifies that trust relationships must NOT be established between adatum.com and litware.com , but A. Datum must still sync the AD DS users and groups of litware.com to their existing Azure AD tenant (adatum.com).

The SC-300 training materials clarify:

“Azure AD Connect cloud sync enables syncing from multiple AD forests to a single Azure AD tenant without the need for forest trusts or a full Azure AD Connect installation in each forest.”

Unlike staging mode (which provides a standby sync server for failover) or extending the same Azure AD Connect instance to another domain (which requires trust relationships and network connectivity between forests), Azure AD Connect Cloud Sync uses lightweight agents and does not depend on forest trust.

Therefore, to meet the requirement of syncing Litware’s AD DS to A. Datum’s Azure AD tenant without creating a trust , the correct choice is to configure Azure AD Connect Cloud Sync between the Azure AD tenant and the litware.com domain.

Answer is

This question asks you to apply the stated Technical Requirements for Self-Service Password Reset (SSPR) to complete the form. The specific scenario about " User3 " is a distraction, as the configuration applies to all users.

The relevant technical requirements are:

" Users must provide one authentication method to reset their password by using SSPR. "

This directly dictates the value for the Number of authentication methods required , which is 1 .

" Available methods must include: Email, Phone, Security questions, The Microsoft Authenticator app "

This lists all the options that are configured to be available for SSPR, which determines the value for Authentication methods that can be used : Email , Phone , Security   questions , The   Microsoft   Authenticator   app .

The requirement is:

“Require admin approval for application access to organizational data.”

According to the Microsoft SC-300 exam guide and Microsoft documentation on “Configure consent settings for applications”, Azure AD provides User consent settings under Enterprise applications → Consent and permissions to control how applications can request permissions to access organizational data.

By default, users can consent to allow apps to access organizational data on their behalf, which can create security risks. To ensure tighter control, administrators can:

Disable user consent entirely, or

Require admin consent workflow so that when users try to grant an app access, it must first be approved by an administrator.

The SC-300 study materials explicitly describe:

“To require administrator approval before an app can access organizational data, configure the User consent settings to use the admin consent workflow.”

This aligns perfectly with the stated requirement — to ensure admin approval is required before apps gain access to organizational data.

Other options are incorrect:

Authentication methods manage MFA and SSPR, not app consent.

Access packages are part of Identity Governance for resource access, not app consent.

Application Proxy publishes on-premises apps, not related to app consent permissions.

Azure AD External collaboration settings govern who can bring guests into the tenant. The SC-300 content specifies: “External collaboration settings let you control who can invite guests (Anyone, Members, Guests, or Only admins and users in the Guest Inviter role) and whether guests can invite.” It also highlights: “To restrict guest invitations to administrators or designated inviters, configure External collaboration to ‘Only admins and users in the Guest Inviter role’ and disable guest-to-guest invitations if required.” Because the problem states that “Anyone in the organization can invite guest users, including other guests and non-administrators,” the remediation is to tighten External collaboration settings so only approved roles (e.g., Global admins, Guest Inviter, or specific administrators) can invite. Access reviews address periodic entitlement verification, Conditional Access enforces sign-in/session policies, and Continuous Access Evaluation relates to token lifetime/signal-based revocation; none of these change who can send guest invitations. Adjusting External collaboration settings directly resolves the issue and aligns with the requirement that “only users that are assigned specific admin roles can invite guest users.”

In Azure AD Privileged Identity Management (PIM), the SC-300 materials explain that role assignment type determines how a user obtains permissions. An eligible assignment means the user requests activation when needed; an active assignment grants continuous permissions. As the guide states, “Eligible assignments require the user to activate the role for just-in-time access, while active assignments grant standing access.” To allow users of the User administrator role to request the role when needed , you must set assignments to Eligible rather than active.

The same objective also calls for ensuring this capability is available “for up to one year.” In PIM role configuration, the duration of an eligibility is controlled by the Expire eligible assignments after policy. The documentation describes that administrators can “configure the maximum duration for eligible assignments by setting ‘Expire eligible assignments after’ to a specific period (for example, months up to one year).” Therefore, you must modify the “Expire eligible assignments after” setting to the required period.

No requirement mentions activation justification or ticket metadata; those are optional controls used to add context to activations. Consequently, the two actions that directly satisfy the stated technical requirement are: set all assignments to Eligible (C) and configure “Expire eligible assignments after” (D) .

According to the Microsoft SC-300: Identity and Access Administrator official study guide and the Microsoft Learn “Implement and manage Azure AD Identity Protection” module, Azure AD Identity Protection detects two primary categories of risks: user risks and sign-in risks.

User Risk Policy: A user risk represents the probability that a user ' s identity (credentials) has been compromised. Examples of user risk signals include leaked credentials , unusual sign-ins from different geographies , or sign-ins from infected devices . The Exam Ref SC-300 specifically lists “leaked credentials detected on the dark web or other compromised repositories” as the main trigger for a user risk policy. Such a policy can automatically force password change or enforce MFA to remediate the threat.

Sign-in Risk Policy: A sign-in risk reflects the likelihood that a specific authentication attempt is not performed by the legitimate user. Sign-in risk is based on context, such as sign-ins from suspicious browsers , anonymous IP addresses (like TOR networks) , or impossible travel sce narios . The SC-300 documentation highlights these examples as conditions best handled with a sign-in risk policy, where conditional access can block or require MFA for the risky sign-in attempt.

Therefore:

Leaked credentials are addressed through a User Risk Policy, since the account itself is compromised.

Sign-ins from suspicious browsers and access from anonymous IP addresses are handled through Sign-in Risk Policies, as they relate to risky sessions rather than compromised identities.