Microsoft Identity and Access Administrator: SC-300 Sample Questions

Microsoft offers the SC-300: Microsoft Identity and Access Administrator exam. Exam SC-300 assesses a candidate's technical skills in areas including implementing identity management solutions, implementing authentication and access management solutions, implementing access management for apps, and planning and implementing identity governance strategies, among other technical activities. A candidate who passes the SC-300 exam becomes a Microsoft Certified: Identity and Access Administrator Associate. This article provides a list of Microsoft Identity and Access Administrator: SC-300 Sample Questions that cover the core exam topics:
- Implement identities in Azure AD (20-25%)
- Implement authentication and access management (25-30%)
- Implement access management for applications (15-20%)
- Plan and implement identity governance in Azure AD (20-25%)
Advanced Sample Questions
What is the primary function of the Azure AD Privileged Identity Management (PIM) service?
- a. To manage access to Azure resources
- b. To manage access to on-premises resources
- c. To manage access to privileged roles and resources in Azure AD and other Microsoft services
- d. To manage access to non-privileged roles and resources in Azure AD and other Microsoft services
Answer: c.
Explanation: To manage access to privileged roles and resources in Azure AD and other Microsoft services. The Azure AD Privileged Identity Management (PIM) service provides a way to manage access to privileged roles and resources in Azure AD and other Microsoft services. With PIM, you can assign just-in-time access to these roles and resources, so that users only have access when they need it, reducing the risk of privilege abuse.
What is the purpose of Azure AD Connect?
- a. To synchronize user accounts and passwords between on-premises directories and Azure AD
- b. To provide single sign-on (SSO) for cloud applications
- c. To manage access to Azure resources
- d. To provide multi-factor authentication (MFA) for Azure AD
Answer: a.
Explanation: To synchronize user accounts and passwords between on-premises directories and Azure AD. Azure AD Connect is a tool that allows you to synchronize user accounts and passwords between on-premises directories and Azure AD. This provides a way to manage user identities in both environments, and enables single sign-on (SSO) for both on-premises and cloud applications.
What is the purpose of Azure AD Identity Protection?
- a. To monitor and detect suspicious sign-in activity and other potential security threats
- b. To manage access to Azure resources
- c. To provide multi-factor authentication (MFA) for Azure AD
- d. To provide single sign-on (SSO) for cloud applications
Answer: a.
Explanation: To monitor and detect suspicious sign-in activity and other potential security threats. Azure AD Identity Protection is a tool that allows you to monitor and detect suspicious sign-in activity and other potential security threats in Azure AD. It uses machine learning algorithms to identify risky sign-in behavior, such as sign-ins from unfamiliar locations or devices, and can be used to block access or require multi-factor authentication (MFA) in response.
What is the purpose of Azure AD Conditional Access?
- a. To manage access to privileged roles and resources in Azure AD and other Microsoft services
- b. To provide single sign-on (SSO) for cloud applications
- c. To provide multi-factor authentication (MFA) for Azure AD
- d. To enforce access policies for cloud and on-premises applications and resources
Answer: d.
Explanation: To enforce access policies for cloud and on-premises applications and resources. Azure AD Conditional Access is a tool that allows you to enforce access policies for cloud and on-premises applications and resources. It provides a way to require multi-factor authentication (MFA), block access, or otherwise restrict access based on factors such as user location, device type, or risk level.
What is the purpose of Azure AD Domain Services?
- a. To provide a domain controller in the cloud
- b. To synchronize user accounts and passwords between on-premises directories and Azure AD
- c. To manage access to Azure resources
- d. To provide multi-factor authentication (MFA) for Azure AD
Answer: a.
Explanation: To provide a domain controller in the cloud. Azure AD Domain Services provides a managed domain controller in the cloud, which allows you to join Azure VMs to a domain, and use domain-based identities to access resources. This provides a way to use traditional on-premises authentication methods in the cloud.
What is the purpose of Azure AD B2C (Business to Consumer)?
- a. To provide a way for businesses to authenticate their employees in Azure AD
- b. To provide a way for customers to authenticate to web and mobile applications using social media or other external identity providers
- c. To provide multi-factor authentication (MFA) for Azure AD
- d. To manage access to Azure resources
Answer: b.
Explanation: To provide a way for customers to authenticate to web and mobile applications using social media or other external identity providers. Azure AD B2C is a service that allows you to provide secure authentication for web and mobile applications, and enables customers to authenticate using social media or other external identity providers, without requiring them to create and manage a new account.
What is the purpose of Azure AD Application Proxy?
- a. To manage access to Azure resources
- b. To provide single sign-on (SSO) for cloud applications
- c. To enable access to on-premises web applications from the cloud
- d. To provide multi-factor authentication (MFA) for Azure AD
Answer: c.
Explanation: To enable access to on-premises web applications from the cloud. Azure AD Application Proxy is a service that allows you to provide secure remote access to on-premises web applications from the cloud, without requiring a VPN or other complex infrastructure. It enables you to publish these applications to external users, and to control access to them using Azure AD authentication and authorization.
What is the purpose of Azure AD Roles and Administrators?
- a. To manage access to Azure resources
- b. To provide single sign-on (SSO) for cloud applications
- c. To provide multi-factor authentication (MFA) for Azure AD
- d. To manage the roles and permissions of Azure AD administrators
Answer: d.
Explanation: To manage the roles and permissions of Azure AD administrators. Azure AD Roles and Administrators provides a way to manage the roles and permissions of Azure AD administrators, and to delegate administrative tasks to specific users or groups. It provides a set of built-in roles, and allows you to create custom roles to meet your specific needs.
What is the purpose of Azure AD Privileged Access Management (PAM)?
- a. To manage access to privileged roles and resources in Azure AD and other Microsoft services
- b. To synchronize user accounts and passwords between on-premises directories and Azure AD
- c. To provide single sign-on (SSO) for cloud applications
- d. To provide multi-factor authentication (MFA) for Azure AD
Answer: a.
Explanation: To manage access to privileged roles and resources in Azure AD and other Microsoft services. Azure AD Privileged Access Management (PAM) is a service that allows you to manage access to privileged roles and resources in Azure AD and other Microsoft services. It provides a way to assign just-in-time access to these roles and resources, so that users only have access when they need it, reducing the risk of privilege abuse.
What is the purpose of Azure AD Conditional Access?
- a. To provide a way to manage access to Azure resources based on the user’s identity and the state of the device they are using
- b. To synchronize user accounts and passwords between on-premises directories and Azure AD
- c. To provide single sign-on (SSO) for cloud applications
- d. To provide multi-factor authentication (MFA) for Azure AD
Answer: a.
Explanation: To provide a way to manage access to Azure resources based on the user’s identity and the state of the device they are using. Azure AD Conditional Access is a feature that allows you to control access to your Azure resources based on conditions such as the user’s identity, the state of the device they are using, the location they are accessing the resource from, and more. This provides a way to ensure that only authorized users with secure devices can access your resources, and to block access from risky devices or locations.
Basic Sample Questions
Q1) Your Microsoft Exchange organisation uses the contoso.com SMTP address space. Several users sign up for Azure Active Directory (Azure AD) using their contoso.com email address. You gain global administrator rights to the Azure AD tenant created by the self-signed-up users. You must stop users from creating user accounts in the contoso.com Azure AD tenant through self-service sign-up for Microsoft 365 services. Which PowerShell cmdlet should you run?
- A. Set-MsolCompanySettings
- B. Set-MsolDomainFederationSettings
- C. Update-MsolfederatedDomain
- D. Set-MsolDomain
Correct Answer: A
Q2) Microsoft Office 365 Enterprise E3 licences are assigned to 2,500 users. The licences are assigned to the users individually. From the Groups blade in the Azure Active Directory admin centre, you assign Microsoft 365 Enterprise E5 licences to the users. You must remove the users' Office 365 Enterprise E3 licences with the least amount of administrative effort. What should you use?
- A. the Identity Governance blade in the Azure Active Directory admin center
- B. the Set-AzureAdUser cmdlet
- C. the Licenses blade in the Azure Active Directory admin center
- D. the Set-WindowsProductKey cmdlet
Correct Answer: C
Q3) Your Azure Active Directory (Azure AD) tenant is named contoso.com. You want to invite many users to the Azure AD B2B collaboration service. Which two parameters are required when creating the bulk invite? Each correct answer presents part of the solution.
- A. email address
- B. redirection URL
- C. username
- D. shared key
- E. password
Correct Answer: A and B
Q4) Your Active Directory forest is synced with an Azure Active Directory (Azure AD) tenant. You learn that for up to 30 minutes after an Active Directory user account is disabled, the disabled user can still authenticate to Azure AD. You must make sure that when a user account is disabled in Active Directory, it is immediately blocked from signing in to Azure AD. Solution: You configure password writeback. Does this meet the goal?
- A. Yes
- B. No
Correct Answer: B
Q5) Your Active Directory forest is synced with an Azure Active Directory (Azure AD) tenant. You learn that for up to 30 minutes after an Active Directory user account is disabled, the disabled user can still authenticate to Azure AD. You must make sure that when a user account is disabled in Active Directory, it is immediately blocked from signing in to Azure AD. Solution: You configure pass-through authentication. Does this meet the goal?
- A. Yes
- B. No
Correct Answer: A
Q6) You have an Active Directory forest that is synced with an Azure Active Directory (Azure AD) tenant. You learn that for up to 30 minutes after an Active Directory user account is disabled, the disabled user can still authenticate to Azure AD. You must make sure that when a user account is disabled in Active Directory, it is immediately blocked from signing in to Azure AD. Solution: You configure conditional access policies. Does this meet the goal?
- A. Yes
- B. No
Correct Answer: B
Q7) You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains an enterprise Azure AD application named App1. A contractor uses the credentials [email protected]. You must ensure that you can grant the contractor access to App1, and that the contractor can authenticate as [email protected]. What should you do?
- A. Run the New-AzADUser cmdlet.
- B. Configure the External collaboration settings.
- C. Add a WS-Fed identity provider.
- D. Create a guest user account in contoso.com.
Correct Answer: D
Q8) An Azure Active Directory (Azure AD) tenant named contoso.com is connected to the Active Directory forest contoso.com on your network by using Azure AD Connect. Users who have the extensionAttribute15 attribute set to NoSync must not be synchronised. What should you do in Azure AD Connect?
- A. For the Windows Azure Active Directory connector, create an inbound sync rule.
- B. Create a run profile for Full Import.
- C. For the Active Directory Domain Services connector, create an inbound sync rule.
- D. Create a run profile for export.
Correct Answer: C
Q9) Your Active Directory forest is synced with an Azure Active Directory (Azure AD) tenant. You learn that for up to 30 minutes after an Active Directory user account is disabled, the disabled user can still authenticate to Azure AD. You must make sure that when a user account is disabled in Active Directory, it is immediately blocked from signing in to Azure AD. Solution: You configure Azure AD Password Protection. Does this meet the goal?
- A. Yes
- B. No
Correct Answer: B
Q10) You have an Azure Active Directory (Azure AD) tenant named contoso.com. You must ensure that the cost of Azure AD External Identities is determined by the number of monthly active users (MAU). What should you configure?
- A. a user flow
- B. the terms of use
- C. a linked subscription
- D. an access review
Correct Answer: C
Q11) You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains an enterprise Azure AD application named App1. A contractor signs in using the credentials [email protected]. You must ensure that you can grant the contractor access to App1, and that the contractor can authenticate as [email protected]. What should you do?
- A. Run the New-AzureADMSInvitation cmdlet.
- B. Configure the External collaboration settings.
- C. Add a WS-Fed identity provider.
- D. Deploy Azure AD Connect.
Correct Answer: A
Q12) Microsoft Office 365 Enterprise E3 licences are assigned to 2,500 users. The licences are assigned to the users individually. From the Groups blade in the Azure Active Directory admin centre, you assign Microsoft 365 Enterprise E5 licences to the users. You must remove the users' Office 365 Enterprise E3 licences with the least amount of administrative effort. What should you use?
- A. the Administrative units blade in the Azure Active Directory admin center
- B. the Set-AzureAdUser cmdlet
- C. the Groups blade in the Azure Active Directory admin center
- D. the Set-MsolUserLicense cmdlet
Correct Answer: D
Q13) You have an Azure Active Directory (Azure AD) tenant. You must create 25 new user accounts in bulk by uploading a template file. Which attributes must be present in the template file in SC-300?
- A. displayName, identityIssuer, usageLocation, and userType
- B. accountEnabled, givenName, surname, and userPrincipalName
- C. accountEnabled, displayName, userPrincipalName, and passwordProfile
- D. accountEnabled, passwordProfile, usageLocation, and userPrincipalName
Correct Answer: C
Q14) Your network contains an on-premises Active Directory domain and an Azure Active Directory (Azure AD) tenant. Users sign in to Windows 10 computers that are joined to the domain. You plan to use Azure AD Seamless Single Sign-On (Azure AD Seamless SSO). You must configure the Windows 10 computers to support Azure AD Seamless SSO. What should you do?
- A. Configure Sign-in options from the Settings app.
- B. Enable Enterprise State Roaming.
- C. Modify the Intranet Zone settings.
- D. Install the Azure AD Connect Authentication Agent.
Correct Answer: C
Q15) Your Azure Active Directory (Azure AD) tenant contains a user named User1. You must ensure that User1 can create new catalogues and add resources to the catalogues they own. What should you do in SC-300?
- A. Change the Groups administrator role on the Roles and administrators blade.
- B. Change the Service support administrator role on the Roles and administrators blade.
- C. Change the Entitlement management settings from the Identity Governance blade.
- D. Change the administrators and roles for the General catalogue in the Identity Governance blade.
Correct Answer: C
Q16) Your network contains an on-premises Active Directory domain and an Azure Active Directory (Azure AD) tenant. Users sign in to Windows 10 computers that are joined to the domain. You plan to use Azure AD Seamless Single Sign-On (Azure AD Seamless SSO). You must configure the Windows 10 computers to support Azure AD Seamless SSO. What should you do?
- A. Configure Sign-in options from the Settings app.
- B. Enable Enterprise State Roaming.
- C. Modify the Local intranet Zone settings.
- D. Install the Azure AD Connect Authentication Agent.
Correct Answer: A
Q17) You create a new Microsoft 365 tenant that uses contoso.com as its default domain name. You must ensure that you can use conditional access policies to control access to Microsoft 365 resources. What should you do first?
- A. Disable the User consent settings.
- B. Disable Security defaults.
- C. Configure a multi-factor authentication (MFA) registration policy.
- D. Configure password protection for Windows Server Active Directory.
Correct Answer: B
Q18) Your company has a Microsoft 365 tenant. The company has a call centre with 300 users. The call centre users share desktop computers and may use a different computer every day. The call centre computers are NOT configured for biometric identification. Users are not allowed to bring mobile phones into the call centre. You must require multi-factor authentication (MFA) for the call centre users when they access Microsoft 365 services. What should the solution include in SC-300?
- A. a named network location
- B. the Microsoft Authenticator app
- C. Windows Hello for Business authentication
- D. FIDO2 tokens
Correct Answer: D
Q19) You have an Azure Active Directory (Azure AD) tenant named contoso.com. Conditional access policies are applied to all users who run applications that are registered in Azure AD. The users must not be allowed to use legacy authentication. What should the conditional access policies include to block legacy authentication attempts in SC-300?
- A. a cloud apps or actions condition
- B. a user risk condition
- C. a client apps condition
- D. a sign-in risk condition
Correct Answer: C
Q20) You have an Azure Active Directory (Azure AD) tenant. You review the risk detections report. Which type of risk detection is considered a user risk in SC-300?
- A. impossible travel
- B. anonymous IP address
- C. atypical travel
- D. leaked credentials
Correct Answer: D

