SC-300 Microsoft Identity and Access Administrator Free Practice Exam Questions (2025 Updated)

Prepare effectively for your Microsoft SC-300 Microsoft Identity and Access Administrator certification with our extensive collection of free, high-quality practice questions. Each question is designed to mirror the actual exam format and objectives, complete with comprehensive answers and detailed explanations. Our materials are regularly updated for 2025, ensuring you have the most current resources to build confidence and succeed on your first attempt.

Microsoft SC-300 Premium Access Download Demo

Page: 3 / 4
Total 341 questions

Question # 46

Task 6

You need to implement additional security checks before the members of the Sg-Executive can access any company apps. The members must meet one of the following conditions:

• Connect by using a device that is marked as compliant by Microsoft Intune.

• Connect by using client apps that are protected by app protection policies.

Question # 47

You have a Microsoft Entra tenant that contains an administrative unit named AU1. AU1 is configured for assigned membership.

The tenant contains the users shown in the following table.

For AU1, you update the following configurations:

. Membership type: Dynamic User

· Dynamic membership rule: (user.department -eq "hr")

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Explanation:

HR is a member of AU1: No

User1 is a member of AU1: Yes

User2 is a member of AU1: No

Let’s break this down step by step based on Microsoft Entra ID dynamic membership rules, administrative units, and group membership, as outlined in Microsoft Identity and Access Administrator documentation.

Understanding Administrative Units and Dynamic Membership in Microsoft Entra ID:

Administrative Units (AUs):Administrative Units in Microsoft Entra ID are used to delegate administrative tasks to a subset of users, groups, or devices. They allow you to scope administrative roles (e.g., User Administrator) to specific users or groups within the AU.

Membership Types for AUs:

Assigned Membership:Members (users, groups, or devices) are manually added to the AU by an administrator.

Dynamic Membership:Members are automatically added or removed based on a dynamic membership rule, similar to dynamic groups. Dynamic membership for AUs can be applied to users or devices (but not groups directly).

The question states that AU1 is initially configured for assigned membership but is then updated to useDynamic Usermembership with the rule (user.department -eq "HR").

Dynamic Membership Rule:The rule (user.department -eq "HR") means that AU1 will automatically include all users whose department attribute in Microsoft Entra ID is set to "HR". This rule applies to users, not groups or devices, because the membership type is "Dynamic User."

Impact of Changing AU1 to Dynamic Membership:

When AU1’s membership type is changed from assigned to dynamic, the existing assigned memberships (e.g., User2, HR group, IT group) are no longer relevant. Thedynamic rule takes over, and AU1’s membership is determined solely by the rule (user.department -eq "HR").

Dynamic User Membership:Only users whose attributes match the rule will be members of AU1. Groups (like HR and IT) are not evaluated by this rule because the membership type is "Dynamic User," not "Dynamic Group."

Let’s evaluate the users based on the rule:

User1:Department = "HR". The rule (user.department -eq "HR") matches, so User1 will be dynamically added to AU1.

User2:Department = "IT". The rule does not match, so User2 will not be a member of AU1, even though they were previously assigned to AU1 and are a member of the IT group.

Groups (HR and IT):The dynamic membership rule for AU1 applies to users, not groups. Therefore, groups like HR and IT are not directly evaluated by the rule. However, we need toconsider whether group membership in AU1 affects the statements.

Statement 1: HR is a member of AU1:

Analysis:

The HR group is listed in the second table with AU1 as its administrative unit, indicating that it was initially assigned to AU1 when AU1 used assigned membership.

However, AU1’s membership type has been updated to "Dynamic User" with the rule (user.department -eq "HR"). Dynamic User membership applies to users, not groups.

In Microsoft Entra ID, administrative units with dynamic user membership do not include groups as members unless the AU’s membership type is explicitly set to "Dynamic Group" (which is not the case here).

When AU1 was changed to dynamic membership, the HR group would no longer be considered a member of AU1 because the dynamic rule only evaluates users. Groups are not dynamically added to AUs based on user attributes.

Conclusion:The HR group is not a member of AU1 after the change to dynamic membership. Therefore, this statement isNo.

Statement 2: User1 is a member of AU1:

Analysis:

User1 has the department attribute set to "HR" (from the first table).

The dynamic membership rule for AU1 is (user.department -eq "HR"), which matches User1’s department.

Therefore, User1 will be automatically added to AU1 as a member based on the dynamic rule.

Additionally, User1 is a member of the HR group, which was initially assigned to AU1. However, since AU1 now uses dynamic membership, the HR group’s assignment to AU1 is irrelevant. User1’s membership in AU1 is determined solely by the dynamic rule, not their group membership.

Conclusion:User1 is a member of AU1 because their department matches the dynamic rule. Therefore, this statement isYes.

Statement 3: User2 is a member of AU1:

Analysis:

User2 has the department attribute set to "IT" (from the first table).

The dynamic membership rule for AU1 is (user.department -eq "HR"), which does not match User2’s department.

User2 was initially assigned to AU1 (as shown in the first table) and is a member of the IT group, which was also assigned to AU1. However, when AU1’s membership type was changed to "Dynamic User," the assigned memberships (including User2 and the IT group) are no longer relevant.

The dynamic rule only includes users with the department "HR," so User2 is not added to AU1.

Conclusion:User2 is not a member of AU1 because their department does not match the dynamic rule. Therefore, this statement isNo.

Additional Considerations:

If AU1’s membership type were "Dynamic Group" instead of "Dynamic User," we would evaluate whether the HR and IT groups match a group-based rule. However, the question specifies "Dynamic User," so the rule applies to user attributes only.

The initial assigned memberships (e.g., User2, HR group, IT group) are overridden by the dynamic membership rule. Microsoft Entra ID does not retain assigned memberships when an AU or group is converted to dynamic membership.

The HR and IT groups being assigned to AU1 initially does not affect the dynamic membership of users, but it might be relevant for administrative scoping (e.g., if an admin role is scoped to AU1). However, the statements are about membership, not administrative roles.

Conclusion:Based on the dynamic membership rule (user.department -eq "HR") for AU1:

HR group:Not a member of AU1 because dynamic user membership does not apply to groups.

User1:A member of AU1 because their department is "HR," matching the rule.

User2:Not a member of AU1 because their department is "IT," which does not match the rule.Therefore, the answers are:

HR is a member of AU1:No

User1 is a member of AU1:Yes

User2 is a member of AU1:No

[References:, Microsoft Entra ID documentation: "Dynamic membership rules for groups and administrative units" (Microsoft Learn:https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership), Microsoft Entra ID documentation: "Manage administrative units" (Microsoft Learn:https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units), Microsoft Identity and Access Administrator (SC-300) exam study guide, which covers dynamic membership rules and administrative units in Microsoft Entra ID., , , ]

Question # 48

You have an Azure Active Directory (Azure AD) tenant named contoso.com that has Azure AD Identity Protection policies enforced.

You create an Azure Sentinel instance and configure the Azure Active Directory connector.

You need to ensure that Azure Sentinel can generate incidents based on the risk alerts raised by Azure AD Identity Protection.

What should you do first?

Add an Azure Sentinel data connector.

Configure the Notify settings in Azure AD Identity Protection.

Create an Azure Sentinel playbook.

Modify the Diagnostics settings in Azure AD.

Question # 49

Your on-premises network contains an Active Directory domain that uses Azure AD Connect to sync with an Azure AD tenant. You need to configure Azure AD Connect to meet the following requirements:

• User sign-ins to Azure AD must be authenticated by an Active Directory domain controller.

• Active Directory domain users must be able to use Azure AD self-service password reset (SSPR).

What should you use for each requirement? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Question # 50

You have a custom cloud app named App1 that is registered in Azure Active Directory (Azure AD).

App1 is configured as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

NOTE:Each correct selection is worth one point.

Question # 51

You have a Microsoft Exchange organization that uses an SMTP address space of contoso.com.

Several users use their contoso.com email address for self-service sign-up to 1 Microsoft Entra.

You gain global administrator privileges to the Microsoft Entra tenant that contains the self-signed users.

You need to prevent the users from creating user accounts in the contoso.com 2 Microsoft Entra tenant for self-service sign-up to Microsoft 365 services.

Which PowerShell cmdlet should you run?

Update-MgDomain

Update-MgPolicyAuthorizationPolicy

Update-MgPolicyPermissionGrantPolicyExclude

Update-MgDomainFederationConfiguration

Question # 52

You have an azure subscription that contains a resource group named RG1, RG1 contains two virtual machines named VM1 and VM2 that have Microsoft intra ID login enabled.

The subscription contains the users shown in the following, table.

Which users can sign in to VM1. and which users can sign in to VM?? To answer, select the appropriate options in the answer area. NOTE:

Each correct selection is worth one point.

Which users can sign in to VM1, and which users can sign in to VM2? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Question # 53

You have an Azure Active Directory (Azure AD) tenant.

You need to review the Azure AD sign-ins log to investigate sign ins that occurred in the past.

For how long does Azure AD store events in the sign-in log?

14 days

30 days

90 days

365 days

Question # 54

You have a Microsoft 365 E5 subscription and an Azure subscription. You need to meet the following requirements:

• Ensure that users can sign in to Azure virtual machines by using their Microsoft 365 credentials.

• Delegate the ability to create new virtual machines.

What should you use for each requirement? To answer, drag the appropriate features to the correct requirements. Each feature may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Question # 55

You have Microsoft Entra tenant that contains a group named Group3 and an administrative unit named Department1.

Department has the users shown in the Users exhibit. (Click the Users tab.)

Department1 has the groups shown in the Groups exhibit (Click the Groups tab.)

The User Administrator role assignments are shown in the Assignments exhibit. (Click the Assignments tab.)

The members of Group2 are shown in the Group2 exhibit. (Click the Group2 tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Question # 56

You have a Microsoft Entra tenant.

You need to query risky user activity for the tenant.

How long will the logs of risky user activity be retained?

30 days

60 days

90 days

180 days

Question # 57

You have a Microsoft 365 E5 subscription. The subscription contains 500 devices that run Windows

You deploy the Global Secure Access client to the devices.

You need to prevent users from accessing httpsy/contoso.com from the devices

Which three actions should you perform in sequence? To answer move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Question # 58

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it as a result, these questions will not appear in the review screen.

You have an Amazon Web Services (AWS) account, a Google Workspace subscription, and a GitHub account.

You deploy an Azure subscription and enable Microsoft 365 Defender

You need to ensure that you can monitor OAuth authentication requests by using Microsoft Defender for Cloud Apps.

Solution: From the Microsoft 365 Defender portal, you add the Microsoft Azure app connector.

Does this meet the goal?

Yes

Question # 59

You have a new Microsoft 365 tenant that uses a domain name of contoso.onmicrosoft.com.

You register the name contoso.com with a domain registrar.

You need to use contoso.com as the default domain name for new Microsoft 365 users.

Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Question # 60

You have accounts for the following cloud platforms:

• Azure

• Alibaba Cloud

• Amazon Web Services (AWS)

• Google Cloud Platform (GCP)

You configure an A2ure subscription to use Microsoft Entra Permissions Management to manage the permissions in Azure only. Which additional cloud platforms can be managed by using Permissions Management?

AWS only

Alibaba Cloud and AWS only

Alibaba Cloud and GCP only

AWS and GCP only

Alibaba Cloud, AWS, and GCP

Question # 61

You have an Azure AD tenant that contains a user named User1. User1 is assigned the User Administrator role.

You need to configure External collaboration settings for the tenant to meet the following requirements: |

*Guest users must be prevented from querying staff email addresses.

*Guest users must be able to access the tenant only if they are invited by User1.

Which three settings should you configure? To answer, select the appropriate settings in the answer area.

Question # 62

You have a Microsoft 365 tenant.

In Azure Active Directory (Azure AD), you configure the terms of use.

You need to ensure that only users who accept the terms of use can access the resources in the tenant. Other

users must be denied access.

What should you configure?

an access policy in Microsoft Cloud App Security.

Terms and conditions in Microsoft Endpoint Manager.

a conditional access policy in Azure AD

a compliance policy in Microsoft Endpoint Manager

Question # 63

You have an Azure Active Directory (Azure AD) tenant that contains a user named User1.

You need to ensure that User1 can create new catalogs and add resources to the catalogs they own.

What should you do?

From the Roles and administrators blade, modify the Service support administrator role.

From the identity Governance blade, modify the Entitlement management settings.

From the Identity Governance blade, modify the roles and administrators for the General catalog

From the Roles and administrators blade, modify the Groups administrator role.

Question # 64

You have an Azure subscription that contains the following virtual machine

Name: VM1

Azure region: East US

System-assigned managed identity: Disabled

You create the managed identities shown in the following table.

You perform the following actions:

• Assign Managed1 to VM1.

• Create a resource group named RG1 in the West US region.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Question # 65

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Active Directory forest that syncs to an Azure Active Directory (Azure AD) tenant.

You discover that when a user account is disabled in Active Directory, the disabled user can still authenticate to Azure AD for up to 30 minutes.

You need to ensure that when a user account is disabled in Active Directory, the user account is immediately prevented from authenticating to Azure AD.

Solution: You configure Azure AD Password Protection.

Does this meet the goal?

Yes

Microsoft SC-300 Premium Access Download Demo

Page: 3 / 4
Total 341 questions

Summer Sale Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: s2p65

SC-300 Microsoft Identity and Access Administrator Free Practice Exam Questions (2025 Updated)

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

The Answer Is:

Explanation:

The Answer Is:

The Answer Is:

The Answer Is:

The Answer Is:

The Answer Is:

The Answer Is:

The Answer Is:

The Answer Is:

The Answer Is:

Explanation:

The Answer Is:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

The Answer Is:

The Answer Is: