SC-300 Exam Dumps - Microsoft Certified: Identity and Access Administrator Associate Questions and Answers

The issue described is that disabled on-premises AD accounts can still authenticate to Azure AD for up to 30 minutes. This behavior occurs when Password Hash Synchronization (PHS) is used, as authentication happens directly against the cloud copy of the password hash, which syncs periodically (every 30 minutes by default).

The proposed solution — configuring password writeback — allows users to reset or change their on-premises password from Azure AD (via self-service password reset). However, it does not affect the authentication flow or timing of disabled account status replication between AD and Azure AD.

From Microsoft documentation:

“Password writeback enables users to reset their on-premises passwords from the cloud but does not impact authentication or account disable synchronization.”

Therefore, configuring password writeback does not prevent a disabled user from authenticating in Azure AD until the next sync occurs.

<  GroupA: ✅ User1, Group1, Group2, and Group3 only

 GroupB: ✅ User1, Group1, Group2, and Group4 only

According to the Microsoft Identity and Access Administrator (SC-300) Official Study Guide and the Microsoft Learn module “Manage groups in Azure Active Directory” , group nesting rules in Azure AD depend on group type and membership type .

GroupA is a Security group with an Assigned membership type.

In Azure AD, security groups (whether assigned, dynamic user, or dynamic device) can contain users , devices , and other security groups as members.

However, Microsoft 365 groups cannot be added to a security group because Microsoft 365 groups include collaborative services (SharePoint, Teams, Planner) that rely on unique membership and ownership models.

Therefore, GroupA (security group) can include:

User1 (user) ✅

Group1 (security - assigned) ✅

Group2 (security - dynamic user) ✅

Group3 (security - dynamic device) ✅

❌ Group4 (Microsoft 365 group) — not allowed in a security group.

➤ Correct composition for GroupA: User1, Group1, Group2, and Group3 only.

GroupB is a Microsoft 365 group with an Assigned membership type.

Microsoft 365 groups can include users and security groups as members, but cannot include other Microsoft 365 groups (nested Microsoft 365 groups are not supported).

So GroupB can include:

User1 (user) ✅

Group1 (security - assigned) ✅

Group2 (security - dynamic user) ✅

❌ Group3 (dynamic device) — device groups can’t be members of M365 groups.

Group4 (Microsoft 365 group) ❌ — nesting M365 groups is not supported.

➤ Correct composition for GroupB: User1, Group1, Group2, and Group4 only.

No

Yes

Yes

In Microsoft Entra/Azure RBAC, permissions are granted by role + scope and inherit down the hierarchy (subscription → resource group → resource). The SC-300 materials clarify that the Reader role is “a management-plane role that permits viewing resources but not modifying them or accessing data contents.” Therefore, although Group1 has Reader at Sub1 , User1 (Group1, Group2) cannot read Key Vault secrets in Vault1 because Reader does not grant data-plane access. The study guide also notes for Azure Key Vault with RBAC: “Key Vault Secrets User can read secret contents (get/list) for vaults in the assigned scope.” Since Group2 holds Key Vault Secrets User at RG2 , any member of Group2 (including User2 ) can read secrets in Vault2 (which is in RG2 ). However, that assignment does not extend to RG1 , so it doesn’t help User1 with Vault1 . Finally, SC-300 coverage of built-in roles states: “Owner grants full access to all resources within the scope, including the ability to modify settings and delegate access.” Because Group3 is Owner at RG1 , User3 can manage resources in RG1 , including updating the configuration of VM1 located there.

Result: User1 → No , User2 → Yes , User3 → Yes .

To prevent all users from using legacy authentication protocols when authenticating to Microsoft Entra ID, you can create a Conditional Access policy that blocks legacy authentication. Here’s how to do it:

Sign in to the Microsoft Entra admin center:

Ensure you have the role of Global Administrator or Conditional Access Administrator.

Navigate to Conditional Access:

Go to Security > Conditional Access.

Create a new policy:

Select + New policy.

Give your policy a name that reflects its purpose, like “Block Legacy Auth”.

Set users and groups:

Under Assignments, select Users or workload identities.

Under Include, select All users.

Under Exclude, select Users and groups and choose any accounts that must maintain the ability to use legacy authentication.It’s recommended to exclude at least one account to prevent lockout1.

Target resources:

Under Cloud apps or actions, select All cloud apps.

Set conditions:

Under Conditions > Client apps, set Configure to Yes.

Check only the boxes for Exchange ActiveSync clients and Other clients.

Configure access controls:

Under Access controls > Grant, select Block access.

Enable policy:

Confirm your settings and set Enable policy to Report-only initially to understand the impact.

After confirming the settings using report-only mode, you can move theEnable policytoggle fromReport-onlytoOn2.

By following these steps, you will block legacy authentication protocols for all users, enhancing the security posture of your organization by requiring modern authentication methods. Remember to monitor the impact of this policy and adjust as necessary to ensure business continuity.

The User Administrator role allows management of user accounts, licenses, and group memberships within Azure AD but does not grant access to security configurations, Secure Score dashboards, or improvement actions.

According to Microsoft’s Secure Score documentation:

“Only users with Global Administrator, Security Administrator, or Security Reader roles can access Microsoft Secure Score. To modify improvement action statuses, the user must be a Security Administrator or Global Administrator.”

Therefore, a User Administrator cannot update Secure Score improvement actions.

To implement additional security checks for the Sg-Executive group members before they canaccess any company apps, you can use Conditional Access policies in Microsoft Entra. Here’s a step-by-step guide:

Sign in to the Microsoft Entra admin center:

Ensure you have the role of Global Administrator or Security Administrator.

Navigate to Conditional Access:

Go to Security > Conditional Access.

Create a new policy:

Select + New policy.

Name the policy appropriately, such as “Sg-Executive Security Checks”.

Assign the policy to the Sg-Executive group:

Under Assignments, select Users and groups.

Choose Select users and groups and then Groups.

Search for and select the Sg-Executive group.

Define the application control conditions:

Under Cloud apps or actions, select All cloud apps to apply the policy to any company app.

Set the device compliance requirement:

Under Conditions > Device state, configure the policy to include devices marked as compliant by Microsoft Intune.

Set the app protection policy requirement:

Under Conditions > Client apps, configure the policy to include client apps that are protected by app protection policies.

Configure the access controls:

Under Access controls > Grant, select Grant access.

Choose Require device to be marked as compliant and Require approved client app.

Ensure that the option Require one of the selected controls is enabled.

Enable the policy:

Set Enable policy to On.

Review and save the policy:

Review all settings to ensure they meet the requirements.

Click Create to save and implement the policy.

By following these steps, you will ensure that the Sg-Executive group members can only access company apps if they meet one of the specified conditions, either by using a compliant device or a protected client app. This enhances the security posture of your organization by enforcing stricter access controls for executive-level users.

To ensure that users in the Sg-Operations group see a tab named “Operations” containing only LinkedIn and Box applications in the My Apps portal, you can create a collection with these specific applications. Here’s how to do it:

Sign in to the Microsoft Entra admin center:

Make sure you have one of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

Navigate to App launchers:

Go to Identity > Applications > Enterprise applications.

Under Manage, select App launchers.

Create a new collection:

Click on New collection.

Enter “Operations” as the Name for the collection.

Provide a Description if necessary.

Add applications to the collection:

Select the Applications tab within the new collection.

Click on + Add application.

Search for and select LinkedIn and Box applications.

Click Add to include them in the collection.

Assign the collection to the Sg-Operations group:

Select the Users and groups tab.

Click on + Add users and groups.

Search for and select the Sg-Operations group.

Click Select to assign the collection to the group.

Review and create the collection:

Select Review + Create to check the configuration.

If everything is correct, click Create to finalize the collection.

By following these steps, when users in the Sg-Operations group visit the My Apps portal, they will see a new tab named “Operations” that contains only the LinkedIn and Box applications1.

Please note that to create collections on the My Apps portal, you need a Microsoft Entra ID P1 or P2 license1.

To create a group named “Audit” and ensure that its members can activate the Security Reader role, follow these steps:

Open the Microsoft Entra admin center:

Sign in with an account that has the Security Administrator or Global Administrator role.

Navigate to Groups:

Go toTeams & groups > Active teams and groups1.

Create the security group:

Select Add a security group.

On the Set up the basics page, enter “Audit” as the group name.

Add a description if necessary and chooseNext1.

Edit settings:

On theEdit settingspage, select whether you want Microsoft Entra roles to be assignable to this group and selectNext1.

Assign roles:

After creating the group, go to Roles > All roles.

Find and select the Security Reader role.

Under Assignments, choose Assign.

Select the “Audit” group to assign the role to its members2.

Review and finish:

Review the settings to ensure the “Audit” group is created with the ability for its members to activate the Security Reader role.

Finish the setup and save the changes.

By following these steps, you will have created the “Audit” group and enabled its members to activate the Security Reader role, which allows them to view security-related information without having permissions to change it. Remember to communicate the new group and role assignment to the relevant stakeholders in your organization.

To configure the account lockout settings so that accounts are locked out for five minutes after 10 failed sign-in attempts, you can follow these steps:

Open the Microsoft Entra admin center:

Sign in with an account that has the Security Administrator or Global Administrator role.

Navigate to the lockout settings:

Go to Security > Authentication methods > Password protection.

Adjust the Smart Lockout settings:

Set the Lockout threshold to 10 failed sign-in attempts.

Set the Lockout duration (in minutes) to 5.

Please note that by default, smart lockout locks an account from sign-in after 10 failed attempts in Azure Public and Microsoft Azure operated by 21Vianet tenants1. The lockout period is one minute at first, and longer in subsequent attempts.However, you can customize these settings tomeet your organization’s requirements if you have Microsoft Entra ID P1 or higher licenses for your users1.

Assigning built-in directory roles (like Device Administrators) to a group requires a role-assignable group. The SC-300 documentation explains: “You can assign Azure AD roles to a cloud security group by creating the group with the setting ‘Azure AD roles can be assigned to the group.’” It further emphasizes: “This attribute is immutable; you must decide at creation time. You cannot convert an existing group to be role-assignable later.” When a standard security group is not created as role-assignable, it will not appear in the picker when attempting to assign a directory role—exactly the behavior observed: “groups that aren’t role-assignable cannot be selected for Azure AD role assignments.” Therefore, the first step is to recreate IT_Group1 as a role-assignable security group (often called an “eligible for role assignment” group) and then assign the Device Administrators role to that group. Changing membership types (Dynamic User or Dynamic Device) or adding owners does not convert an existing group into a role-assignable one and thus would not resolve the issue.