SC-300 Exam Dumps - Microsoft Certified: Identity and Access Administrator Associate Questions and Answers

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and the Microsoft Learn module “Monitor and respond to Azure AD events with Azure Sentinel”, multi-staged attacks are advanced threat scenarios that require correlation of multiple events — for example, a suspicious sign-in followed by abnormal Office 365 activity.

The scenario in the question states:

“Litware wants to use the Fusion rule in Azure Sentinel to detect multi-staged attacks that include a combination of suspicious Azure AD sign-ins followed by anomalous Microsoft Office 365 activity.”

Azure Sentinel’s Fusion rule is a built-in, machine-learning–driven correlation rule that automatically detects multi-stage attacks by analyzing anomalies across multiple data sources such as Azure AD sign-in logs, Office 365 activity, and security alerts.

However, to fine-tune detection or meet specific organizational monitoring requirements, administrators can customize the rule logic in Sentinel analytics. This allows you to define how different signals and events are correlated, what thresholds trigger an alert, and how Sentinel interprets combined anomalies.

Microsoft documentation states:

“Fusion uses correlation logic in analytics rules to detect complex multi-stage attacks. Administrators can customize rule logic to meet specific detection requirements and fine-tune alert sensitivity.”

The other options do not meet the requirement:

B. Create a workbook → Used for visualization and reporting, not detection.

C. Add data connectors → Used to ingest data sources; this is already configured.

D. Add a playbook → Used for automated response, not for detection logic configuration.

✅ Correct Answer: A. Customize the Azure Sentinel rule logic

To configure the account lockout settings so that accounts are locked out for five minutes after 10 failed sign-in attempts, you can follow these steps:

Open the Microsoft Entra admin center:

Sign in with an account that has the Security Administrator or Global Administrator role.

Navigate to the lockout settings:

Go to Security > Authentication methods > Password protection.

Adjust the Smart Lockout settings:

Set the Lockout threshold to 10 failed sign-in attempts.

Set the Lockout duration (in minutes) to 5.

Please note that by default, smart lockout locks an account from sign-in after 10 failed attempts in Azure Public and Microsoft Azure operated by 21Vianet tenants1. The lockout period is one minute at first, and longer in subsequent attempts.However, you can customize these settings tomeet your organization’s requirements if you have Microsoft Entra ID P1 or higher licenses for your users1.

 User1 can perform an access review for User1: No

 User1 can perform an access review for Managed2: Yes

 User1 can perform an access review for User3: Yes

In this scenario, an access review named Review1 has been configured for Group1, with the following conditions:

Review scope: Teams + Groups

Group: Group1

Scope: All users

Reviewers: Group owner(s)

Fallback reviewers: None

From the configuration, the reviewers of the access review are the owners of Group1 — namely User1 and User4. Therefore, both of these users are authorized to review all members of Group1.

Group1 includes the following members:

User1 (User, also owner)

Managed2 (Managed identity)

Group2 (which includes User3)

Since the scope is set to All users, it includes both internal and external members. However, the SC-300 materials emphasize that reviewers cannot review their own access; Microsoft Learn states:

“Reviewers cannot approve or deny their own access in an access review, even if they are members of the group under review.”

Therefore:

User1 cannot review themselves → No

User1 can review Managed2 → Yes, because Managed2 is a member of Group1

User1 can review User3 → Yes, because User3 is a member of Group2, and Group2 is itself a member of Group1, meaning User3’s membership is indirectly part of the review scope

This behavior aligns with SC-300 guidance that nested group members are included when the review scope is “All users,” and reviewers (owners) can assess all included members except themselves.

In Microsoft Entra ID, Administrative Units (AUs) are logical groupings that allow delegation of administrative permissions over specific subsets of users or groups. This delegation follows scope-based role assignment principles. The Password Administrator role enables resetting user passwords, but only within the assigned scope (either at the AU level or globally).

Let’s analyze the scenario step by step:

Administrative Units and Membership Rules

AU1 includes users where (user.department -eq "Department1") → so User1 and User2 belong to AU1.

AU2 includes users where (user.department -eq "Department2") → so User3 belongs to AU2.

Role Assignments

Admin1: Password Administrator for AU1 → can manage password operations for User1 and User2.

Admin2: Password Administrator for AU2 → can manage password operations for User3.

Admin3: Password Administrator at Global scope → can reset passwords for all users in the tenant.

Access Evaluation

Admin1 → User1: Yes, because User1 is in AU1.

Admin2 → User2: No, because Admin2’s scope (AU2) doesn’t include User2, who is in AU1.

Admin3 → User3: Yes, because Admin3 has global scope and can manage all users.

However, note that Admin2 can only reset User3’s password because User3 belongs to AU2.

Thus, applying SC-300 documentation logic:

“Administrators can perform their role’s permitted actions only on objects within their administrative unit scope, unless their role assignment is global.”

< User1 syncs to the Microsoft Entra tenant: Yes

 User2 syncs to the Microsoft Entra tenant: No

 Group2 syncs to the Microsoft Entra tenant: Yes

According to the Microsoft SC-300: Microsoft Identity and Access Administrator Study Guide and official Microsoft Learn documentation (“Manage and use custom security attributes in Microsoft Entra ID”), custom security attributes allow administrators to define key-value pairs that can be applied to various Microsoft Entra objects. These attributes can be used for fine-grained access control, app governance, and conditional policies.

Who can create custom security attributes:

Custom security attributes can only be created and managed by users assigned either of these roles:

Global Administrator

Attribute Definition Administrator

The Security Administrator role does not have the permissions required to create or modify attribute schema definitions.

Hence, from the table:

User1 (Global Administrator) ✅

User2 (Attribute Definition Administrator) ✅

User3 (Security Administrator) ❌

Therefore, User1 and User2 only can create custom security attributes.

To which identities can custom security attributes be assigned:

As per Microsoft documentation:

“Custom security attributes can be assigned to supported Microsoft Entra objects, including users, groups, service principals, and managed identities.”

This means attributes can be attached to:

Group objects (Group1) ✅

Managed identities (MI1) ✅

Service principals (Service1) ✅

Thus, the correct assignable identities are Group1, MI1, and Service1 only.

 File1: ✅ User2 and User3 only

 File2: ✅ User3 only

According to the Microsoft Identity and Access Administrator (SC-300) Study Guide and Microsoft Learn documentation on Azure Role-Based Access Control (RBAC) and Storage Account Data Access, Azure roles define what operations a user can perform on storage resources (containers, blobs, file shares, queues, tables, etc.).

Let’s analyze the data provided:

Name

Type

Contents

cont1

Container

File1

share1

File share

File2

User

Role

Scope

User1

Reader

Sub1

User2

Reader

Sub1

User2

Storage Blob Data Reader

storage1

User3

Storage Contributor

storage1

Reader (at Subscription Scope):

Grants read-only access to Azure resource metadata, but not the data within storage (no blob or file content access).

Therefore, User1 and User2 (via Reader) can see the storage account in the portal but cannot read file contents.

Storage Blob Data Reader:

Grants read-only access to blob data in containers.

Applies only to Azure Blob storage (containers), not file shares.

Therefore, User2 can read File1 (in cont1) but not File2 (in share1).

Storage Contributor:

Grants full read/write access to both Blob and File shares data in the storage account.

Therefore, User3 can read File1 and File2.

Azure AD External Identities (B2B) uses Monthly Active Users (MAU) billing. The SC-300 content explains that to enable MAU-based pricing, the Azure AD tenant must be linked to an Azure subscription so that usage can be metered and billed. The configuration is performed in Azure AD → External Identities → All settings → Linked subscription, where administrators associate the tenant with a subscription and resource group. Only after this association do External Identities sign-ins count against MAU rather than per-user licenses. Access reviews (A) and terms of use (B) are governance features that do not affect billing. User flows (D) are specific to Azure AD B2C and are unrelated to enabling MAU billing for B2B External Identities. The study guide highlights: “To use MAU billing for External Identities, link your Azure AD tenant to an Azure subscription so guest usage is charged per monthly active user.” Therefore, the correct prerequisite to ensure MAU billing is configuring a linked subscription.

Comprehensive and Detailed In-Depth Explanation:

Let’s break this down step by step based on Microsoft Defender for Cloud Apps (MDCA)integration with third-party web gateways, as outlined in Microsoft Identity and Access Administrator documentation.

Understanding the Scenario and Requirements:

Microsoft 365 E5 subscription:This subscription includes Microsoft Defender for Cloud Apps, which provides the necessary licensing for integrating with third-party web gateways.

Third-party web gateway named Gateway1:A web gateway (e.g., a Secure Web Gateway like Zscaler, Netskope, or Symantec) is deployed to manage and secure internet traffic. The question does not specify the vendor, but the process for integration with MDCA is generally the same for supported gateways.

Requirement:Integrate Gateway1 with Microsoft Defender for Cloud Apps to ensure that data (e.g., traffic logs, events) flows automatically to MDCA for analysis, visibility, and policy enforcement. The solution must also minimize administrative effort.

Microsoft Defender for Cloud Apps supports integration with third-party web gateways to provide visibility into cloud app usage, detect shadow IT, and enforce security policies. This integration typically involves collecting logs from the gateway for analysis in MDCA.

How Microsoft Defender for Cloud Apps Integrates with Third-Party Web Gateways:

MDCA can integrate with third-party web gateways by collecting logs that contain traffic data (e.g., user activity, app usage, IP addresses). This allows MDCA to analyze the data and provide insights into cloud app usage, detect threats, and enforce policies.

The primary method for integrating a third-party web gateway with MDCA is toadd a log collector. This involves:

Configuring the web gateway to send logs to a log collector (e.g., via Syslog or FTP).

Setting up a log collector in MDCA to receive and process these logs.

Once configured, the log collector automatically pulls logs from the web gateway, ensuring that data flows to MDCA for analysis.

This method supports automatic data flow and minimizes administrative effort because, after the initial setup, the log collection process runs continuously without manual intervention.

Analyzing the Options:

A. Add a data source:

In Microsoft Defender for Cloud Apps, "data sources" typically refer to sources of user activity data, such as Microsoft Entra ID audit logs, Microsoft 365 audit logs, or other Microsoft services. Adding a data source in MDCA is used to import user activity data for correlation with cloud app usage, but it is not the mechanism for integrating a third-party web gateway.

Third-party web gateways are not considered "data sources" in MDCA; instead, they are integrated via log collectors.

Conclusion:This option is incorrect because adding a data source does not facilitate integration with a third-party web gateway like Gateway1.

B. Create an app registration:

Creating an app registration in Microsoft Entra ID is typically used to integrate cloud apps with MDCA for session control (e.g., via Conditional Access App Control) or to enable API-based logcollection for supported apps (e.g., Salesforce, Box).

However, a third-party web gateway like Gateway1 is not a cloud app that requires an app registration. Web gateways are network appliances or services that manage traffic, and their integration with MDCA involves log collection, not app registration.

Conclusion:This option is incorrect because creating an app registration is not relevant to integrating a web gateway with MDCA.

C. Create a snapshot report:

A snapshot report in MDCA is a manual process where an administrator uploads a log file (e.g., a CSV or JSON file) from a third-party service to analyze cloud app usage. This is a one-time, manual process used for discovery (e.g., to identify shadow IT).

The requirement specifies that data must flow "automatically" to Defender for Cloud Apps, and a snapshot report does not meet this requirement because it requires manual uploads each time. It also does not minimize administrative effort due to the ongoing manual intervention.

Conclusion:This option is incorrect because creating a snapshot report does not enable automatic data flow and increases administrative effort.

D. Add a log collector:

Adding a log collector in Microsoft Defender for Cloud Apps is the standard method for integrating third-party web gateways. MDCA supports log collection from many web gateways (e.g., Zscaler, Netskope, Symantec) via Syslog or FTP.

Process:

In the Microsoft Defender for Cloud Apps portal, navigate toSettings > Log collectors.

Add a new log collector, specifying the protocol (e.g., Syslog over TCP/UDP or FTP) and the details of the web gateway (e.g., IP address, port).

Configure Gateway1 to send logs to the log collector (this step is done on the Gateway1 side, typically by the network team).

Once set up, the log collector automatically collects logs from Gateway1 and processes them in MDCA for analysis.

Automatic Data Flow:The log collector ensures that data flows automatically to MDCA, meeting the first requirement.

Minimize Administrative Effort:After the initial setup, the log collector runs continuously without manual intervention, minimizing administrative effort.

Conclusion:This option is correct because adding a log collector is the first step to integrate Gateway1 with MDCA, ensuring automatic data flow and minimizing administrative effort.

Why "Add a log collector" is the First Step:

The question asks for the first step to integrate Gateway1 with Microsoft Defender for Cloud Apps. Adding a log collector is the initial action in MDCA to enable log collection from a third-party web gateway.

Subsequent steps (not asked in the question) would include configuring Gateway1 to send logs to the log collector, but this is done outside MDCA (e.g., in Gateway1’s management console). The question focuses on the action in MDCA, making "Add a log collector" the correct first step.

Additional Considerations:

The question does not specify the vendor of Gateway1, but Microsoft Defender for Cloud Apps supports log collection from many third-party web gateways (e.g., Zscaler, Netskope, Symantec, Cisco Umbrella). The process is the same regardless of the vendor, as long as the gateway supports Syslog or FTP log export.

If Gateway1 were not a supported web gateway, additional steps (e.g., custom log parsing) might be required, but the question implies Gateway1 can be integrated using standard methods.

The Microsoft 365 E5 subscription includes Microsoft Defender for Cloud Apps, so no additional licensing is required.

Conclusion:To integrate Gateway1 with Microsoft Defender for Cloud Apps, ensuring that data flows automatically and minimizing administrative effort, the first step is toadd a log collectorin MDCA. This sets up the infrastructure to receive logs from Gateway1, enabling automatic data flow for analysis. Therefore, the correct answer isD.

In this scenario, users already have Office 365 E3 licenses assigned individually, and you’ve now assigned Microsoft 365 E5 licenses through a group-based license assignment. The goal is to remove the E3 licenses from each user with the least administrative effort.

The SC-300 study guide and Microsoft documentation on “Manage license assignment in Azure AD” explain that when licenses are assigned both individually and through groups, the group assignment does not automatically remove the direct user-assigned licenses. To remove the individually assigned license programmatically, the Set-MgUserLicense cmdlet (Microsoft Graph PowerShell) is used.

The documentation states:

“Use the Set-MgUserLicense cmdlet to add or remove product licenses for users. You can specify the license plan to remove using the -RemoveLicenses parameter.”

Set-MgUserLicense -UserId user@domain.com -RemoveLicenses "O365_ENTERPRISE_E3"

A. the Set-KindohsProductKcy cmdlet:This is not a valid Microsoft 365 or Graph cmdlet (appears to be a distractor).

B. the Update-MgGroup cmdlet:Used to modify group properties — not for managing user licenses.

D. the Update-MgUser cmdlet:Updates user object attributes (e.g., display name) but cannot assign or remove licenses.

✅ Correct Answer: C. the Set-MgUserLicense cmdlet.