Free Microsoft SC-300 Practice Exam with Questions & Answers | Set: 4

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and the Microsoft Learn module “Implement and manage synchronization for Azure AD”, Azure AD Connect Cloud Sync is the preferred solution when you need to synchronize objects from multiple Active Directory (AD DS) forests without establishing forest trusts.

The scenario specifies that trust relationships must NOT be established between adatum.com and litware.com, but A. Datum must still sync the AD DS users and groups of litware.com to their existing Azure AD tenant (adatum.com).

The SC-300 training materials clarify:

“Azure AD Connect cloud sync enables syncing from multiple AD forests to a single Azure AD tenant without the need for forest trusts or a full Azure AD Connect installation in each forest.”

Unlike staging mode (which provides a standby sync server for failover) or extending the same Azure AD Connect instance to another domain (which requires trust relationships and network connectivity between forests), Azure AD Connect Cloud Sync uses lightweight agents and does not depend on forest trust.

Therefore, to meet the requirement of syncing Litware’s AD DS to A. Datum’s Azure AD tenant without creating a trust, the correct choice is to configure Azure AD Connect Cloud Sync between the Azure AD tenant and the litware.com domain.

For Identity Governance (Entitlement Management), the materials clarify who can create and manage access reviews of access packages: “To create or manage access reviews for access packages, you must be a Global administrator, an Identity Governance administrator, a catalog owner for the catalog that contains the access package, or an access package manager.” The exam text also states: “User administrator does not grant the ability to manage entitlement management access reviews unless the user is delegated as a catalog owner or access package manager.” Given the scenario’s user roles, User3 (Identity Governance administrator) and User5 (Global administrator) satisfy these permissions and therefore can create and manage the access review for Package1. By contrast, User4 (User administrator) cannot perform this task by role alone. This selection follows the least-privilege guidance emphasized in SC-300: use specialized governance roles (Identity Governance admin or delegated catalog roles) rather than broad directory roles when possible.

In Azure AD Privileged Identity Management (PIM), the SC-300 materials explain that role assignment type determines how a user obtains permissions. An eligible assignment means the user requests activation when needed; an active assignment grants continuous permissions. As the guide states, “Eligible assignments require the user to activate the role for just-in-time access, while active assignments grant standing access.” To allow users of the User administrator role to request the role when needed, you must set assignments to Eligible rather than active.

The same objective also calls for ensuring this capability is available “for up to one year.” In PIM role configuration, the duration of an eligibility is controlled by the Expire eligible assignments after policy. The documentation describes that administrators can “configure the maximum duration for eligible assignments by setting ‘Expire eligible assignments after’ to a specific period (for example, months up to one year).” Therefore, you must modify the “Expire eligible assignments after” setting to the required period.

No requirement mentions activation justification or ticket metadata; those are optional controls used to add context to activations. Consequently, the two actions that directly satisfy the stated technical requirement are: set all assignments to Eligible (C) and configure “Expire eligible assignments after” (D).

HR is a member of AU1: No

User1 is a member of AU1: Yes

User2 is a member of AU1: No

Let’s break this down step by step based on Microsoft Entra ID dynamic membership rules, administrative units, and group membership, as outlined in Microsoft Identity and Access Administrator documentation.

Understanding Administrative Units and Dynamic Membership in Microsoft Entra ID:

Administrative Units (AUs):Administrative Units in Microsoft Entra ID are used to delegate administrative tasks to a subset of users, groups, or devices. They allow you to scope administrative roles (e.g., User Administrator) to specific users or groups within the AU.

Membership Types for AUs:

Assigned Membership:Members (users, groups, or devices) are manually added to the AU by an administrator.

Dynamic Membership:Members are automatically added or removed based on a dynamic membership rule, similar to dynamic groups. Dynamic membership for AUs can be applied to users or devices (but not groups directly).

The question states that AU1 is initially configured for assigned membership but is then updated to useDynamic Usermembership with the rule (user.department -eq "HR").

Dynamic Membership Rule:The rule (user.department -eq "HR") means that AU1 will automatically include all users whose department attribute in Microsoft Entra ID is set to "HR". This rule applies to users, not groups or devices, because the membership type is "Dynamic User."

Impact of Changing AU1 to Dynamic Membership:

When AU1’s membership type is changed from assigned to dynamic, the existing assigned memberships (e.g., User2, HR group, IT group) are no longer relevant. Thedynamic rule takes over, and AU1’s membership is determined solely by the rule (user.department -eq "HR").

Dynamic User Membership:Only users whose attributes match the rule will be members of AU1. Groups (like HR and IT) are not evaluated by this rule because the membership type is "Dynamic User," not "Dynamic Group."

Let’s evaluate the users based on the rule:

User1:Department = "HR". The rule (user.department -eq "HR") matches, so User1 will be dynamically added to AU1.

User2:Department = "IT". The rule does not match, so User2 will not be a member of AU1, even though they were previously assigned to AU1 and are a member of the IT group.

Groups (HR and IT):The dynamic membership rule for AU1 applies to users, not groups. Therefore, groups like HR and IT are not directly evaluated by the rule. However, we need toconsider whether group membership in AU1 affects the statements.

Statement 1: HR is a member of AU1:

Analysis:

The HR group is listed in the second table with AU1 as its administrative unit, indicating that it was initially assigned to AU1 when AU1 used assigned membership.

However, AU1’s membership type has been updated to "Dynamic User" with the rule (user.department -eq "HR"). Dynamic User membership applies to users, not groups.

In Microsoft Entra ID, administrative units with dynamic user membership do not include groups as members unless the AU’s membership type is explicitly set to "Dynamic Group" (which is not the case here).

When AU1 was changed to dynamic membership, the HR group would no longer be considered a member of AU1 because the dynamic rule only evaluates users. Groups are not dynamically added to AUs based on user attributes.

Conclusion:The HR group is not a member of AU1 after the change to dynamic membership. Therefore, this statement isNo.

Statement 2: User1 is a member of AU1:

Analysis:

User1 has the department attribute set to "HR" (from the first table).

The dynamic membership rule for AU1 is (user.department -eq "HR"), which matches User1’s department.

Therefore, User1 will be automatically added to AU1 as a member based on the dynamic rule.

Additionally, User1 is a member of the HR group, which was initially assigned to AU1. However, since AU1 now uses dynamic membership, the HR group’s assignment to AU1 is irrelevant. User1’s membership in AU1 is determined solely by the dynamic rule, not their group membership.

Conclusion:User1 is a member of AU1 because their department matches the dynamic rule. Therefore, this statement isYes.

Statement 3: User2 is a member of AU1:

Analysis:

User2 has the department attribute set to "IT" (from the first table).

The dynamic membership rule for AU1 is (user.department -eq "HR"), which does not match User2’s department.

User2 was initially assigned to AU1 (as shown in the first table) and is a member of the IT group, which was also assigned to AU1. However, when AU1’s membership type was changed to "Dynamic User," the assigned memberships (including User2 and the IT group) are no longer relevant.

The dynamic rule only includes users with the department "HR," so User2 is not added to AU1.

Conclusion:User2 is not a member of AU1 because their department does not match the dynamic rule. Therefore, this statement isNo.

Additional Considerations:

If AU1’s membership type were "Dynamic Group" instead of "Dynamic User," we would evaluate whether the HR and IT groups match a group-based rule. However, the question specifies "Dynamic User," so the rule applies to user attributes only.

The initial assigned memberships (e.g., User2, HR group, IT group) are overridden by the dynamic membership rule. Microsoft Entra ID does not retain assigned memberships when an AU or group is converted to dynamic membership.

The HR and IT groups being assigned to AU1 initially does not affect the dynamic membership of users, but it might be relevant for administrative scoping (e.g., if an admin role is scoped to AU1). However, the statements are about membership, not administrative roles.

Conclusion:Based on the dynamic membership rule (user.department -eq "HR") for AU1:

HR group:Not a member of AU1 because dynamic user membership does not apply to groups.

User1:A member of AU1 because their department is "HR," matching the rule.

User2:Not a member of AU1 because their department is "IT," which does not match the rule.Therefore, the answers are:

HR is a member of AU1:No

User1 is a member of AU1:Yes

User2 is a member of AU1:No

The SC-300 exam section “Implement Conditional Access” and the Azure AD Terms of Use documentation explain that Terms of Use must be enforced using Azure AD Conditional Access. The policy ensures users cannot access Microsoft 365 resources until they accept the presented terms. Conditional Access provides the “Require terms of use” control under Access Controls → Grant.

The study guide states:

“Administrators can require users to accept organization terms of use by including a Terms of Use control in a Conditional Access policy. Access is denied until acceptance.”

Microsoft Cloud App Security and Endpoint Manager policies (Options A, B, D) are unrelated — they cannot enforce user acceptance before access. The only supported method is through Azure AD Conditional Access.

✅ Correct Answer: C. a conditional access policy in Azure AD

The retention period for Microsoft Entra (Azure AD) sign-in logs depends on the license (Free, P1, P2). Microsoft’s data retention documentation states that with a Microsoft Entra ID P1 license, sign-in data is retained for 30 days.

The relevant table in the “Microsoft Entra data retention” documentation shows:

With Entra ID P1 or P2: sign-in activity is retained for 30 days

(With Free tier, sign-in logs are retained for 7 days)

Therefore, under your scenario (tenant has ID P1 license), the logs are available for 30 days.

The AWS connector in Microsoft Defender for Cloud Apps is designed to integrate activity logs, user authentication data, and app permissions granted through OAuth. This connector enables monitoring of OAuth token use, identity federation events, and cross-service authentication.

From the official Microsoft Learn content:

“When the AWS app connector is added, Defender for Cloud Apps collects OAuth activity and permissions information to detect anomalous behavior or excessive app permissions.”

This fulfills the requirement to monitor OAuth authentication requests from AWS and its associated accounts. Therefore, adding the AWS app connector meets the goal.

In this scenario, users already have Office 365 E3 licenses assigned individually, and you’ve now assigned Microsoft 365 E5 licenses through a group-based license assignment. The goal is to remove the E3 licenses from each user with the least administrative effort.

The SC-300 study guide and Microsoft documentation on “Manage license assignment in Azure AD” explain that when licenses are assigned both individually and through groups, the group assignment does not automatically remove the direct user-assigned licenses. To remove the individually assigned license programmatically, the Set-MgUserLicense cmdlet (Microsoft Graph PowerShell) is used.

The documentation states:

“Use the Set-MgUserLicense cmdlet to add or remove product licenses for users. You can specify the license plan to remove using the -RemoveLicenses parameter.”

Set-MgUserLicense -UserId user@domain.com -RemoveLicenses "O365_ENTERPRISE_E3"

A. the Set-KindohsProductKcy cmdlet:This is not a valid Microsoft 365 or Graph cmdlet (appears to be a distractor).

B. the Update-MgGroup cmdlet:Used to modify group properties — not for managing user licenses.

D. the Update-MgUser cmdlet:Updates user object attributes (e.g., display name) but cannot assign or remove licenses.

✅ Correct Answer: C. the Set-MgUserLicense cmdlet.

This scenario tests your knowledge of Azure Role-Based Access Control (RBAC) and the scope hierarchy in Azure (Management Group → Subscription → Resource Group → Resource).

At the subscription level, User1 has the Reader role.This allows the user to view all resources within the subscription, but not access data stored inside those resources.

At the RG1 level, User1 also has Reader and Data Access.This role is special — it grants both read access to resource configuration and data access to the underlying data plane (for example, the blobs in a storage account).

Since storage1 is inside RG1, and Reader and Data Access covers both resource and data access, User1 can read data stored in storage1 (e.g., list blobs, view content).

✅ Answer: YES

At the subscription level, User2 has the Reader role (read-only, no create permissions).

At the RG1 level, User2 has the Contributor role — this allows full management permissions on resources within RG1.

The question asks about RG2, not RG1.

However, RG2 does not have any explicit assignment for User2.

But since Contributor at the subscription level gives create/delete permission across all resources, and here User2’s Contributor role is scoped to RG1 only, it does not extend to RG2.

So User2 cannot create resources in RG2 because Contributor permission doesn’t propagate across resource groups unless assigned at a higher scope.

✅ Correct Answer: NO (User2 cannot create in RG2)

The JSON data shows that User3 has the User Access Administrator role assigned directly on the storage1 resource.The User Access Administrator role allows managing role assignments (RBAC) at that specific scope — granting or removing access to others.

Therefore, User3 can assign (and remove) RBAC roles for storage1.

✅ Answer: YES

Microsoft Learn: Implement Role-Based Access Control (RBAC)

Microsoft Learn: Understand scope inheritance in Azure RBAC

Microsoft Learn: Manage access using the User Access Administrator role

Exam Ref SC-300: Manage access to Azure resources using roles and assignments

According to the Microsoft Identity and Access Administrator (SC-300) official study guide and Microsoft Learn module “Manage External Identities”, when granting external users (such as contractors) access to Azure AD resources, the recommended method is to invite them as guest users (B2B collaboration users) into your Azure AD tenant.

The New-AzureADMSInvitation cmdlet is the PowerShell command used to create an Azure AD B2B guest invitation. It sends an invitation to an external user (such as user1@outlook.com) and, upon acceptance, creates a corresponding guest user account in the tenant (for example, user1_outlook.com#EXT#@contoso.com). This account can then be assigned to enterprise applications like App1.

From Microsoft documentation:

“To provide external users access to resources in your organization, invite them as guests using Azure AD B2B collaboration. You can do this by running the New-AzureADMSInvitation cmdlet or via the Azure portal.”

B. Configure the External collaboration settings:These settings define collaboration policies (who can invite guests, restrictions, etc.) but do not invite users themselves.

C. Add a WS-Fed identity provider:This is used to federate another identity provider (e.g., ADFS or another Azure AD tenant), not to onboard an individual external user.

D. Implement Azure AD Connect:This tool synchronizes on-premises directories with Azure AD; it’s not relevant for external users from Outlook.com.

✅ Correct Answer: A. Run the New-AzureADMSInvitation cmdlet.