Free Microsoft SC-300 Practice Exam with Questions & Answers

According to the Microsoft SC-300: Identity and Access Administrator Study Guide, the enforcement of Modern Authentication for Microsoft 365 services such as Exchange Online is achieved through Conditional Access policies. Conditional Access allows you to block legacy authentication protocols (such as POP, IMAP, SMTP, and MAPI over HTTP) that use Basic Authentication, and require Modern Authentication (OAuth 2.0) instead.

Microsoft Learn explains that you can configure a policy that “blocks access requests using legacy authentication clients” under Conditions → Client apps and select “Other clients (legacy authentication clients)” to enforce Modern Authentication. Defender for Cloud Apps OAuth policies and Intune app/compliance policies do not control authentication protocols at the tenant level.

According to the Microsoft SC-300 official exam reference and Microsoft’s official documentation, Azure AD Password Protection provides password policy enforcement and banned password protection for both cloud and on-premises environments.

The solution requires two primary components:

Domain Controllers (DC Agents) — enforce password policies within the domain.

Proxy Service (Azure AD Password Protection Proxy) — communicates with Azure AD to download the latest password policies and banned password lists and then shares them with the DC agents.

In the scenario, Server1 and Server2 are domain controllers that already have Azure AD Password Protection installed but cannot communicate with the internet directly. That means they rely on the proxy service running on a separate server to connect securely to Azure AD.

To ensure high availability, Microsoft recommends deploying at least two proxy servers. This ensures continuous synchronization of the password policy even if one proxy fails.

From the Microsoft documentation:

“For redundancy, deploy at least two proxy servers. The proxy service retrieves the global and custom banned password lists from Azure AD and replicates them to all domain controllers running the DC agent.”

Thus, installing the Azure AD Password Protection proxy service on Server4 ensures service continuity if one of the proxy servers fails.

The User Administrator role allows management of user accounts, licenses, and group memberships within Azure AD but does not grant access to security configurations, Secure Score dashboards, or improvement actions.

According to Microsoft’s Secure Score documentation:

“Only users with Global Administrator, Security Administrator, or Security Reader roles can access Microsoft Secure Score. To modify improvement action statuses, the user must be a Security Administrator or Global Administrator.”

Therefore, a User Administrator cannot update Secure Score improvement actions.

In the SC-300 materials covering Azure AD MFA configuration, Microsoft distinguishes between Notifications (which control whether the Microsoft Authenticator sends push prompts) and Fraud alert settings (which determine what happens when a user reports an unexpected prompt). The study guide notes that notifications “enable push approvals to the app,” but this does not take action when a user reports a suspicious prompt. To satisfy the requirement “block the users automatically when they report an MFA request they didn’t initiate,” you must use Fraud alert options. The documentation states that administrators can “allow users to submit fraud alerts” and “block users who report fraud” so that “reported accounts are immediately blocked until an administrator unblocks them.” These options are part of the tenant’s MFA service settings, not the Notifications section. In other words, simply configuring Notifications won’t automatically block users who tap Report in Microsoft Authenticator; you must explicitly enable the setting to block users upon fraud reports. Therefore, the proposed solution—changing Notifications settings—does not meet the goal. The correct approach is to enable Fraud alert and select Block users who report fraud, ensuring automatic protection when users report unexpected MFA prompts.

In SC-300, Azure AD Identity Protection is the prescribed control to “automatically detect and remediate externally leaked credentials.” That specific user risk—Leaked credentials—relies on Microsoft comparing known breached username/password pairs with what Azure AD can evaluate. The study materials explain that Identity Protection “detects leaked credentials when Microsoft finds a match with the user’s current credentials,” and also note that password hash synchronization (PHS) can be enabled even if your sign-in method is Pass-through Authentication or federation. A common exam call-out is that without PHS, Azure AD has no hash to compare, so the leaked-credential signal is unavailable. Enabling PHS (you can keep PTA as the active sign-in method) allows Identity Protection to raise user risk and enforce policy actions such as require password change or block access. By contrast, Azure AD Password Protection addresses banned/weak passwords at change time, not breached-credential telemetry; federation choices (e.g., PingFederate) don’t deliver the leaked-credential signal; and authentication method policy controls how users perform MFA (e.g., methods) rather than whether leaked credentials are detected. Therefore, to meet the requirement to “automatically detect and remediate externally leaked credentials,” the minimum correct step is to enable password hash synchronization while retaining PTA—exactly as recommended in SC-300 guidance.

When you plan to onboard a third-party SaaS application (App1) to Microsoft Defender for Cloud Apps (MDA/MCAS) and need to enforce session control policies such as monitoring or restricting downloads, the application must first be integrated with Microsoft Entra ID through Single Sign-On (SSO).

According to the Microsoft SC-300: Identity and Access Administrator study guide and official documentation, session controls in Defender for Cloud Apps depend on Conditional Access App Control, which only works with apps federated through Microsoft Entra ID (SSO-enabled). This integration allows Conditional Access to apply real-time monitoring and control of user sessions by routing the app’s authentication through Entra ID.

Here’s the required sequence outlined in the SC-300 materials:

Configure SSO for App1 in Microsoft Entra admin center.

Create a Conditional Access policy with “Use Conditional Access App Control.”

The policy then redirects sessions through Defender for Cloud Apps to enforce session controls (e.g., block download, monitor activity).

Other options do not achieve the initial requirement:

A. Cloud Discovery only identifies unsanctioned apps but cannot apply session controls.

B. Traffic forwarding profile applies to Global Secure Access, not SaaS onboarding.

D. OAuth app policy targets API permissions, not real-time session enforcement.

Comprehensive and Detailed In-Depth Explanation:

Let’s break this down step by step based on Microsoft Entra Internet Access, Global Secure Access, and the requirements for routing internet traffic from on-premises devices, as outlined in Microsoft Identity and Access Administrator documentation.

Understanding the Scenario and Requirements:

On-premises devices running Windows or Linux:The devices are located in an on-premises environment (e.g., a corporate office or branch) and run either Windows or Linux operating systems.

Microsoft 365 E5 subscription:This subscription includes Microsoft Entra ID P2 and Microsoft Entra Internet Access, which are part of the Global Secure Access suite. This provides the necessary licensing for the solution.

Microsoft Entra Internet Access:This is a Secure Web Gateway (SWG) solution that securesinternet and SaaS app access by routing traffic through Microsoft’s Security Service Edge (SSE) for policy evaluation (e.g., web content filtering, Conditional Access).

Requirement:All on-premises devices must route their internet traffic through Global Secure Access for security policy evaluation. Global Secure Access is the unified framework for Microsoft Entra Internet Access and Microsoft Entra Private Access, providing a centralized way to manage network traffic security.

How Global Secure Access Routes Internet Traffic:

Global Secure Access can route internet traffic in two primary ways:

Global Secure Access Client:This client is installed on individual devices (e.g., Windows, macOS, Android, iOS) and routes traffic from the device to Microsoft’s SSE for policy evaluation. The client is user-aware and integrates with Microsoft Entra ID for identity-based policies.

Remote Network:This method creates an IPsec tunnel between an on-premises network (e.g., a branch office) and Microsoft’s SSE. All internet-bound traffic from devices in the network is routed through the tunnel for security policy evaluation, without requiring a client on each device.

The question involvesmultiple on-premises devicesrunning Windows or Linux, which suggests a network-level solution may be more practical than installing a client on each device, especially since Linux support for the Global Secure Access client is limited.

According to the Microsoft SC-300 Study Guide and official Microsoft Learn modules “Monitor and maintain Azure AD” and “Implement and manage identity governance”, different log types and reports within Azure Active Directory provide distinct insights for security and compliance management.

Sign-in logs:The Sign-in logs provide detailed information on authentication attempts in Azure AD, including user identity, application accessed, authentication status, IP address, and geographical location. These logs help identify unusual sign-in patterns or possible compromise by tracking where and from which IP addresses users are accessing resources. The SC-300 documentation states:

“Sign-in logs in Azure AD enable administrators to analyze user authentication attempts, track IPs, and review sign-in locations to detect anomalies and secure identities.”

Audit logs:The Audit logs record changes within Azure AD, such as user creation, role assignments, application registration, or service principal modifications. These logs allow administrators to trace “who did what and when,” which is essential for compliance auditing and operational transparency.

“Audit logs in Azure AD capture directory-level changes, including updates to users, groups, applications, and service principals.”

Identity Secure Score:The Identity Secure Score in Microsoft Entra (formerly Azure AD) provides a security posture assessment for your organization’s identity configuration. It offers improvement recommendations to strengthen protection, including MFA enforcement, Conditional Access, and privileged identity management.

“Identity Secure Score helps organizations assess their security configuration against Microsoft best practices and provides actionable improvement recommendations.”

According to the Microsoft SC-300 Study Guide and the official Microsoft Learn module: “Manage user accounts in Microsoft Entra ID”, when a user account is deleted from Microsoft Entra ID (formerly Azure AD), the deleted user object is soft-deleted and retained in the Deleted Users container for 30 days.

During this retention period, the user can be restored with all associated attributes, such as group memberships and licenses, unless a permanent (hard) delete is performed before the 30-day period ends. After the 30-day soft-delete retention period expires, the user object and all related data are permanently removed from the tenant and cannot be recovered.

Microsoft documentation states:

“When a user is deleted, the account is retained in a soft-deleted state for 30 days. During that time, an administrator can restore the user from the Azure portal or by using PowerShell.”

To perform the restoration, the least privileged role that has this permission is the User Administrator.

The User Administrator can:

Restore deleted users.

Reset passwords for non-admin users.

Create, edit, and delete standard user accounts.

Higher-level roles (e.g., Global Administrator or Privileged Role Administrator) also have this ability but are not required — thus, User Administrator is the least privileged appropriate role.