Free Microsoft SC-300 Practice Exam with Questions & Answers

Name: How to Pass SC-300 Exams
Brand: Examstrack
SKU: sc-300
Price: 40.25 USD
Availability: InStock

Questions 1

You have a Microsoft 365 tenant.

The Sign-ins activity report shows that an external contractor signed in to the Exchange admin center.

You need to review access to the Exchange admin center at the end of each month and block sign-ins if

required.

What should you create?

Options:

an access package that targets users outside your directory

an access package that targets users in your directory

a group-based access review that targets guest users

an application-based access review that targets guest users

Microsoft SC-300 Premium Access

Kai

13-Sep-2025

Examstrack testing engine is a must-have for SC-300 exam preparation. It gave me confidence and ensured my success.

Questions 2

You have a Microsoft 365 ES subscription that contains a user named User1. User1 is eligible for the Application administrator role.

User1 needs to configure a new connector group for an application proxy.

What should you to activate the role for User1?

Options:

the Microsoft Defender for Cloud Apps portal

the Microsoft 365 admin center

the Azure Active Directory admin center

the Microsoft 365 Defender portal

Questions 3

You have an Azure AD tenant.

You need to bulk create 25 new user accounts by uploading a template file.

Which properties are required in the template file?

SC-300 Question 3

Options:

Option A

Option B

Option C

Option D

Questions 4

You work for a company named Contoso, Ltd. that has a Microsoft Entra tenant named contoso.com. Contoso is working on a project with the following two partner companies:

• A company named A. Datum Corporation that has a Microsoft Entra tenant named adatum.com

• A company named Fabrikam, Inc. that has a Microsoft Entra tenant named fabtikam.com

When you attempt to invite a new guest user from adatum.com to contoso.com, you receive an error message. You can successfully invite a new guest user from fabiikam.com to contoso.com. You need to be able to invite new guest users from adatum.com to contoso.com. What should you configure?

Options:

Verifiable credentials

Named locations

Guest invite settings

Collaboration restrictions

Questions 5

You have a Microsoft 365 E5 subscription.

You create an access review named Review1. Review1 requires that every six months, Microsoft 365 group owners review guest user access to their groups.

You need to ensure that if the group owners fail to review the membership of Review1, guest users ate removed automatically.

Which settings should you configure for Review1?

Options:

Reviewers

Advanced settings

General

Upon completion settings

Questions 6

You have an Azure AD tenant that contains two users named User1 and User2. You plan to perform the following actions:

• Create a group named Group 1.

• Add User1 and User 2 to Group1.

• Assign Azure AD roles to Group1.

You need to create Group1.

Which two settings can you use? Each correct answer presents a complete solution

NOTE: Each correct selection is worth one point

Options:

Group type: Microsoft 365 Membership type: Dynamic User

Group type: Security Membership type: Dynamic Device

Group type Security Membership type: Dynamic User

Group type Security Membership type: Assigned

Group type: Microsoft 365 Membership type: Assigned

Questions 7

You use Azure Monitor to analyze Azure Active Directory (Azure AD) activity logs.

Yon receive more than 100 email alerts each day for tailed Azure Al) user sign-in attempts.

You need to ensure that a new security administrator receives the alerts instead of you.

Solution: From Azure AD, you create an assignment for the Insights at administrator role.

Does this meet the goal?

Options:

Yes

Questions 8

You have a Microsoft 365 tenant that has 5,000 users. One hundred of the users are executives. The executives have a dedicated support team.

You need to ensure that the support team can reset passwords and manage multi-factorauthentication (MFA) settings for only the executives. The solution must use the principle of least privilege.

Which object type and Azure Active Directory (Azure AD) role should you use? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

SC-300 Question 8

Options:

Questions 9

You have a Microsoft Entra tenant that contains the groups shown in the following table.

SC-300 Question 9

You need to implement Privileged Identity Management (PIM) for the groups.

Which groups can be managed by using PIM?

Options:

Group1 only

Group1 and Group2 only

Group1 and Group3 only

Group3 and Group4 only

Group1. Group2. Group3. and Group4

Questions 10

You have a Microsoft 365 E5 tenant.

You purchase a cloud app named App1.

You need to enable real-time session-level monitoring of App1 by using Microsoft Defender for Cloud Apps.

In which order should you perform the actions? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

SC-300 Question 10

Options:

Answer:

Explanation:

Create a conditional access policy that has session controls configured.

From Microsoft Defender for Cloud Apps, modify the Connected apps settings for App1.

From Microsoft Defender for Cloud Apps, create a session policy.

Let’s break this down step by step based on Microsoft Defender for Cloud Apps (MDCA) and Microsoft Entra ID integration for enabling real-time session-level monitoring, as outlined in Microsoft Identity and Access Administrator documentation.

Understanding the Goal: Real-Time Session-Level Monitoring with Microsoft Defender for Cloud Apps:

Microsoft Defender for Cloud Apps (MDCA) is a Cloud Access Security Broker (CASB) solution that provides visibility, control, and threat protection for cloud applications.

Real-time session-level monitoring allows MDCA to inspect and control user activities within a cloud app (App1 in this case) during active sessions. This requires integration with Microsoft Entra ID and the use of Conditional Access policies to route sessions through MDCA for monitoring.

The Microsoft 365 E5 tenant includes licenses for Microsoft Entra ID P2 and Microsoft Defender for Cloud Apps, which are necessary for this functionality.

Step-by-Step Analysis of the Actions:To enable real-time session-level monitoring, the actions must be performed in a logical order that aligns with Microsoft’s recommended workflow for integrating a cloud app with MDCA.

Step 1: Register App1 in Microsoft Entra ID.

Before App1 can be monitored by MDCA, it must be registered as an application in Microsoft Entra ID. This step involves adding App1 to the tenant’s enterprise applications, which allows Microsoft Entra ID to manage authentication and authorization for the app.

Registering the app in Microsoft Entra ID enables single sign-on (SSO) and allows the app to be governed by Conditional Access policies, which is a prerequisite for session-level monitoring.

This is the first step because none of the other actions can proceed without App1 being recognized by Microsoft Entra ID.

Step 2: Create a conditional access policy that has session controls configured.

Microsoft Defender for Cloud Apps integrates with Microsoft Entra ID Conditional Access to enforce session-level monitoring. A Conditional Access policy must be created to target App1 and include session controls that route user sessions through MDCA.

In the Conditional Access policy, under "Session" controls, you enable the option "Use Conditional Access App Control," which integrates with MDCA. This allows MDCA to monitor and control the session in real time.

This step must come after registering the app in Microsoft Entra ID because the Conditional Access policy needs to target an existing app. It must also precede the MDCA-specific steps because the session control integration sets up the connection between Microsoft Entra ID and MDCA.

Step 3: From Microsoft Defender for Cloud Apps, modify the Connected apps settings for App1.

After the Conditional Access policy routes sessions to MDCA, you need to configure App1within MDCA by modifying its Connected apps settings. This step involves ensuring that App1 is properly connected to MDCA, which may include configuring API connectors or verifying that MDCA can monitor the app’s activities.

This step is necessary to ensure MDCA has the necessary permissions and configurations to monitor App1. It comes after the Conditional Access policy because the policy enables the integration, and now MDCA needs to be set up to handle the app.

Step 4: From Microsoft Defender for Cloud Apps, create a session policy.

Finally, you create a session policy in MDCA to define the real-time monitoring and control rules for App1. A session policy in MDCA allows you to monitor user activities (e.g., file downloads, data sharing) and apply actions (e.g., block, notify) based on predefined conditions.

This step is the last because it relies on the previous steps: the app must be registered, the Conditional Access policy must route sessions to MDCA, and the Connected apps settings must be configured for MDCA to recognize App1. Only then can you define session policies to enforce real-time monitoring.

Why This Order?

The order ensures a logical flow:

Registering the app in Microsoft Entra ID establishes the app’s identity in the tenant.

The Conditional Access policy enables the integration with MDCA by routing sessions through it.

Modifying the Connected apps settings in MDCA ensures the app is properly set up for monitoring.

Creating a session policy in MDCA defines the specific monitoring and control rules for real-time session-level monitoring.

Deviating from this order would result in errors. For example, creating a session policy in MDCA before registering the app in Microsoft Entra ID would fail because MDCA wouldn’t recognize the app.

Additional Considerations:

The Microsoft 365 E5 license includes Microsoft Entra ID P2 and Microsoft Defender for Cloud Apps, so no additional licensing is required for this scenario.

If App1 is not a supported app for MDCA’s app connectors, additional steps (e.g., using a custom app connector) might be needed, but the question implies App1 can be monitored with the standard process.

Session policies in MDCA can include actions like blocking downloads or requiring step-up authentication, which are applied in real time during the user’s session.

Conclusion:The correct order to enable real-time session-level monitoring of App1 using Microsoft Defender for Cloud Apps is:

Create a conditional access policy that has session controls configured.

From Microsoft Defender for Cloud Apps, modify the Connected apps settings for App1.

From Microsoft Defender for Cloud Apps, create a session policy.

[References:, Microsoft Defender for Cloud Apps documentation: "Session control with Microsoft Defender for Cloud Apps" (Microsoft Learn:https://learn.microsoft.com/en-us/defender-cloud-apps/session-policy), Microsoft Entra ID Conditional Access documentation: "Session controls in Conditional Access" (Microsoft Learn:https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-session), Microsoft Identity and Access Administrator (SC-300) exam study guide, which covers integrating Microsoft Defender for Cloud Apps with Microsoft Entra ID for session-level monitoring., , , , , ]

Exam Code: SC-300

Certification Provider: Microsoft

Exam Name: Microsoft Identity and Access Administrator

Last Update: Oct 30, 2025

Questions: 341