SC-300 Exam Dumps - Microsoft Certified: Identity and Access Administrator Associate Questions and Answers

SC-300 coverage of Azure AD B2B collaboration states that to grant an external person access to your enterprise application, you invite them as a guest using their existing identity (such as a Microsoft account like user1@outlook.com). The documentation emphasizes that B2B “lets you collaborate with external users by adding them to your directory as guest users using their existing credentials.” Once invited, the guest can authenticate in their home identity provider and be assigned to the target enterprise application (App1) through app role assignment or group membership. You do not need to create a new managed user or add a WS-Federation identity provider for Outlook.com; Azure AD natively supports Microsoft Accounts for B2B invitations, controlled by External collaboration settings (which generally allow invitations to any domain by default). Consequently, to ensure the contractor can authenticate as user1@outlook.com and access App1, you should create a guest user (invite) in the contoso.com tenant and assign that guest to App1.

In SC-300, publishing an on-premises web app to Azure AD users is performed with Azure AD Application Proxy. The exam materials and Microsoft curriculum explain that you deploy an Application Proxy connector on a Windows Server joined to your on-premises network, which brokers requests to internal apps such as an ASP.NET site. The connector is designed for perimeter-friendly deployments: “Application Proxy connectors only make outbound connections to the Application Proxy service” and “no inbound ports need to be opened in the firewall.” Because the connector initiates the session to Azure over TLS, the firewall requirement is simply to permit the connector’s outbound HTTPS to the service endpoints. This aligns with the least-exposure pattern emphasized in Identity Governance: you avoid publishing inbound listener rules and still support Azure AD features like Conditional Access and MFA at the cloud edge. Alternatives in the list do not meet the publishing requirement: the Password Protection DC agent and Password Protection proxy service are for banned-password enforcement, and Web Application Proxy in Windows Server is a different reverse-proxy technology not required when using Azure AD Application Proxy. Therefore, to publish App1 securely to Azure AD users, install Azure AD Application Proxy on Server4 and allow outbound HTTPS from Server4 through Firewall1.

In Azure AD Privileged Identity Management (PIM), administrators manage, activate, and review eligible and active assignments for Azure AD roles, Azure resources, and privileged access groups.

To identify users who are eligible for a specific Azure AD role — such as Cloud Application Administrator — you must navigate to the Azure AD roles blade under PIM.

Path:

Azure AD → Privileged Identity Management → Azure AD roles → Roles → Select “Cloud Application Administrator” → View “Eligible assignments”.

From Microsoft’s official documentation:

“To view eligible assignments for Azure AD roles, use the Azure AD roles blade within Privileged Identity Management. This lists users who are eligible or active for each role.”

According to the Microsoft SC-300 study guide and Microsoft Learn documentation on Azure Monitor and Azure AD integration, the Insights Administrator role provides permissions to access Azure AD insights, reports, and monitoring data — but it does not control alert delivery or action groups in Azure Monitor.

The problem states that the administrator is receiving too many alert emails generated by Azure Monitor for failed sign-ins, and the goal is to redirect these alerts to another administrator.

However, assigning the Insights Administrator role only allows the new user to view and analyze sign-in logs or usage reports; it does not affect alert notifications or recipients configured within Azure Monitor’s action group system.

Therefore, this action does not meet the goal, since alert delivery is controlled at the Azure Monitor action group level, not by Azure AD roles.

✅ Correct Answer: B. No

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and Microsoft Learn documentation under “Add and configure custom domains in Microsoft 365”, when an organization acquires a new Microsoft 365 tenant, it starts with a default domain such as contoso.onmicrosoft.com. To use a friendly and company-branded domain like contoso.com for email and user principal names (UPNs), administrators must follow a specific sequence of steps to integrate the custom domain into Azure AD/Microsoft 365.

First, register the custom domain in Azure Active Directory. This action adds contoso.com to your tenant and prepares Microsoft 365 to validate ownership.

After adding the domain, Microsoft 365 provides a TXT record to add to your DNS zone (at your registrar or DNS host). This record proves that your organization owns the domain.

Once the TXT record is published and propagated, return to the Microsoft 365 admin center or use PowerShell to verify the domain. This step confirms domain ownership and completes the domain setup.

Finally, after verification, set contoso.com as the primary domain. Doing this ensures that all newly created users automatically receive user principal names (email addresses) ending in @contoso.com.

Microsoft documentation states:

“After verifying ownership of the custom domain, you can set it as the default (primary) domain for new users in Microsoft 365.”

 Feature: An MFA registration policy

 Grace period: 14 days

According to the Microsoft Identity and Access Administrator (SC-300) Study Guide and Microsoft Learn documentation under “Plan, implement, and manage multifactor authentication (MFA)”, when an organization wants to require users to register for multi-factor authentication methods (such as Microsoft Authenticator, phone number, or email), this is managed through the MFA registration policy within Azure AD Identity Protection.

This feature is called “Combined security information registration” or MFA registration policy, and it allows administrators to enforce users to register for MFA and Self-Service Password Reset (SSPR). The policy defines which users are required to register and sets a grace period — the amount of time a user can postpone registration after first being prompted.

From the Microsoft official exam reference:

“The MFA registration policy allows users to postpone registration for a defined grace period. The default and maximum supported value is 14 days.”

During the grace period, users can skip the registration prompt but will be reminded every time they sign in until they complete registration or the grace period expires. Once the 14-day period ends, users must register their authentication methods before accessing resources.

Therefore, based on Microsoft’s SC-300 study materials and Azure AD documentation:

The correct feature used to enforce this is An MFA registration policy.

The standard and maximum grace period before users must complete registration is 14 days.

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and Microsoft Learn module “Implement and Manage Microsoft Entra Connect”, when organizations need authentication to always validate user passwords directly against the on-premises Active Directory Domain Services (AD DS) environment, the correct configuration is Pass-through Authentication (PTA).

Here’s why:

Pass-through Authentication (PTA) ensures that when a user attempts to sign in to Microsoft Entra ID (formerly Azure AD), their credentials are not validated in the cloud. Instead, the authentication request is securely passed to an on-premises authentication agent, which validates the credentials against the on-premises AD DS domain controller in real time.

This configuration provides an immediate reflection of on-premises account states — if an account is disabled, locked, or the password is changed, those changes take effect instantly for cloud authentication as well.

To configure PTA, you must use Microsoft Entra Connect, which is the hybrid identity synchronization tool that links on-premises directories to Microsoft Entra ID. During Entra Connect setup, administrators can choose between Password Hash Synchronization, Pass-through Authentication, or Federation as the sign-in method.

Microsoft documentation explicitly states:

“Pass-through Authentication allows users to sign in to both on-premises and cloud-based applications using the same passwords. Authentication occurs against your on-premises Active Directory.”

Therefore, to meet the requirement that authentication always validates passwords against the on-premises AD DS domain:

The requirement specifies that:

Users must sign in using Microsoft Entra credentials,

Multi-factor authentication must be out-of-band,

Password sign-ins must be prevented.

According to Microsoft Learn: “Configure passwordless authentication in Microsoft Entra ID” and the SC-300 Exam Ref, the two supported passwordless and MFA-capable authentication methods that satisfy these conditions are:

Microsoft Authenticator app — Supports passwordless sign-in using push notifications, providing both identity verification and multi-factor authentication in a single step.

FIDO2 Passkey — Enables secure passwordless authentication through hardware security keys or device-bound passkeys that rely on public key cryptography and satisfy MFA requirements when configured properly.

Both methods eliminate password usage entirely and integrate with Microsoft Entra for strong identity assurance.

Windows Hello for Business is passwordless but limited to Windows devices (VM1 is Linux). Temporary Access Pass (TAP) is a bootstrap mechanism for enrolling in passwordless sign-in, not a long-term solution. SMS authentication, while MFA-capable, still requires passwords for primary authentication and doesn’t meet the passwordless requirement.

Azure RBAC roles on a scope (subscription, resource group, resource) can be assigned to Azure AD security principals: users, groups, and service principals (which includes enterprise applications and managed identities). The SC-300 content states: “RBAC roles can be assigned to users, groups, and applications (service principals), including system-assigned managed identities created for Azure resources.” In the table, User1 (user), Group1 (security group), VM1 (a VM with system-assigned managed identity), and App1 (an enterprise application service principal) are all valid principals. Therefore, all four can be assigned the Contributor role at the RG1 scope. This enables least-privilege delegation to workloads (VM1/App1) and to people (User1/Group1) without granting broader directory roles.

When granting external users (such as contractors) access to Microsoft Entra resources like enterprise applications, the correct method is to invite them as guest users.

The Microsoft SC-300 Study Guide states:

“To collaborate with external users who authenticate using their existing accounts (e.g., Outlook.com, Gmail, or another Entra tenant), you must invite them as guest users using the Microsoft Graph API or the New-MgInvitation PowerShell cmdlet.”

In this scenario, the contractor uses user1@outlook.com, which is a personal Microsoft account. The New-MgInvitation cmdlet creates a guest user in the tenant that links to their external identity for authentication.