Microsoft SC-300 Online Practice Questions and Exam Preparation
SC-300 Exam Details
Exam Code: SC-300
Exam Name: Microsoft Identity and Access Administrator
Certification: Microsoft Certifications
Vendor: Microsoft
Total Questions: 465 Q&As
Last Updated: May 29, 2026
Microsoft SC-300 Online Questions & Answers
Question 131:
HOTSPOT
You have a Microsoft Entra tenant that contains the users shown in the following table.
You have a user risk policy that has the following settings:
Assignments:
Include: Group1
Exclude: Group2
Sign-in risk: Medium and above
Access controls: Grant access: Require password change
When the users attempt to sign in, user risk levels are detected as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Question 132:
You have an Azure AD tenant that contains the users shown in the following table.
You need to compare the role permissions of each user. The solution must minimize administrative effort.
What should you use?
A. the Microsoft 365 Defender portal
B. the Microsoft 365 admin center
C. the Microsoft Entra admin center
D. the Microsoft Purview compliance portal
C. the Microsoft Entra admin center
Question 133:
HOTSPOT
You have an Azure subscription named Sub1 that contains a resource group named RG1. RG1 contains two Azure key vaults named KV1 and KV2 that use Azure role-based access control (Azure RBAC). The subscription contains the users shown in the following table.
KV1 contains a secret named Secret1. KV2 contains a secret named Secret2.
Which users can read the values of each secret? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Box 1: User1 and User3 only. Secret1 is in KV1.
Box 2: User1 only. Secret2 is in KV2.
User1
User1 is a Key Vault Administrator for Sub1. Sub1 contains RG1, and RG1 contains KV1 and KV2, so the assignment is inherited by both vaults: User1 can read Secret1 and Secret2.
Note: Key Vault Administrator performs all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the Azure role-based access control permission model.
User2
User2 is a Key Vault Reader for RG1. RG1 contains KV1 and KV2, but the role grants only metadata reads: User2 cannot read the value of either secret.
Note: Key Vault Reader reads metadata of key vaults and their certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the Azure role-based access control permission model.
User3
User3 is a Key Vault Secrets User for KV1 only, so the assignment does not reach KV2: User3 can read Secret1 only.
Note: Key Vault Secrets User reads secret contents, including the secret portion of a certificate with a private key. Only works for key vaults that use the Azure role-based access control permission model.
Question 134:
You have the end-user desktop environments shown in the following table.
You need to deploy Global Secure Access.
In which environments can you install the Global Secure Access client?
A. Contractors, Developers, Frontline workers, Office staff, and Senior managers
B. Frontline workers and Senior managers only
C. Contractors and Office staff only
D. Developers, Office staff, and Senior managers only
D. Developers, Office staff, and Senior managers only
Explanation
1. Office staff - Yes. The client requires a 64-bit version of Windows 10 or 11 and local administrator credentials for installation or upgrade.
2. Contractors - No [not A, not C]. To deploy the Global Secure Access client, devices must be Microsoft Entra joined or Microsoft Entra hybrid joined. Microsoft Entra registered devices are not supported.
3. Frontline workers - No [not A, not B]. Azure Virtual Desktop single-session is supported, but multi-session is not.
Question 135:
A. Recreate the IT_Group1 group.
B. Change the membership type of IT_Group1 to Dynamic Device.
C. Add an owner to IT_Group1.
D. Change the membership type of IT_Group1 to Dynamic User.
B. Change the membership type of IT_Group1 to Dynamic Device.
Question 136:
HOTSPOT
You have an on-premises server named Server1 that runs Windows Server.
You have a Microsoft Entra tenant that contains an app registration named App1. App1 has Microsoft Graph application permissions.
You need to configure the environment to support App1. The solution must meet the following requirements:
1. App1 must be accessible only from the corporate network.
2. The credentials for App1 must NOT be stored as plain text.
3. Non-interactive scheduled tasks on Server1 must be able to authenticate to App1.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Box 1: A Conditional Access policy
App1 authenticates as a workload identity (its service principal), not as a user, so the restriction is a Conditional Access policy for workload identities: target App1's service principal, use the Locations condition with the corporate network defined as a named location, and apply the Block access control to every other location. Caveats a practitioner should know: workload identity policies support only the Block grant control, apply only to single-tenant service principals registered in the tenant, and require Microsoft Entra Workload ID Premium licenses.
Box 2: User-assigned managed identity
A managed identity lets the scheduled task obtain a token without any stored credential: the identity is granted the required Microsoft Graph application permissions and the task requests a token for it from the local managed identity endpoint, so nothing sensitive is written to disk. Caveat: managed identities are issued only to Azure resources. A plain on-premises Server1 has no managed identity endpoint; it can obtain one only if it is onboarded as an Azure Arc-enabled server, where the Arc agent provides a system-assigned identity. Without Arc, the non-plain-text credential for an on-premises non-interactive task is a certificate added to App1 as a credential, with the private key held in the local machine certificate store rather than a client secret in a script.
Question 137:
You need to identify sign-in patterns and authentication success rates.
Which report should you use?
A. Audit logs
B. Sign-in logs
C. Access reviews
D. Usage reports
B. Sign-in logs
Explanation
Sign-in logs record every authentication attempt (user, application, client IP, Conditional Access result, and a status with an error code, where 0 means success), so they show both sign-in patterns and success rates. Audit logs record directory changes rather than authentications, access reviews are a governance feature, and usage reports summarize feature adoption, not individual sign-in outcomes.
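The following is an added example, not part of the original page or of Microsoft's tooling, showing what "sign-in patterns and success rates" look like when computed from sign-in log records instead of read off the report. It parses a constructed JSON-lines export in the field layout of the Microsoft Graph /auditLogs/signIns resource (userPrincipalName, appDisplayName, ipAddress, status.errorCode), computes success rates per application or per user, breaks failures down by AADSTS error code, and flags source IPs whose AADSTS50126 (bad password) failures span several distinct users, which is the pattern of a password spray. The records, the names in them, and the threshold of three users are assumptions made for the example.

```python
"""Sign-in pattern and success-rate analysis over Microsoft Entra sign-in log records.

Added example. The records are constructed to match the shape of the Microsoft
Graph /auditLogs/signIns resource (only the fields used here are included); a
real export would come from the Entra admin center, Graph, or a Log Analytics
workspace.
"""
import json
from collections import Counter, defaultdict

# Constructed sample export, one JSON record per line. status.errorCode 0 is a
# successful sign-in; other values are AADSTS error numbers.
SAMPLE_EXPORT = """\
{"createdDateTime": "2025-05-01T08:01:00Z", "userPrincipalName": "user1@contoso.com", "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.10", "status": {"errorCode": 0, "failureReason": "Other."}}
{"createdDateTime": "2025-05-01T08:02:00Z", "userPrincipalName": "user2@contoso.com", "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126, "failureReason": "Error validating credentials due to invalid username or password."}}
{"createdDateTime": "2025-05-01T08:02:30Z", "userPrincipalName": "user2@contoso.com", "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.10", "status": {"errorCode": 0, "failureReason": "Other."}}
{"createdDateTime": "2025-05-01T08:05:00Z", "userPrincipalName": "user3@contoso.com", "appDisplayName": "Azure Portal", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126, "failureReason": "Error validating credentials due to invalid username or password."}}
{"createdDateTime": "2025-05-01T08:05:10Z", "userPrincipalName": "user4@contoso.com", "appDisplayName": "Azure Portal", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126, "failureReason": "Error validating credentials due to invalid username or password."}}
{"createdDateTime": "2025-05-01T08:05:20Z", "userPrincipalName": "user5@contoso.com", "appDisplayName": "Azure Portal", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126, "failureReason": "Error validating credentials due to invalid username or password."}}
{"createdDateTime": "2025-05-01T08:05:30Z", "userPrincipalName": "user6@contoso.com", "appDisplayName": "Azure Portal", "ipAddress": "198.51.100.7", "status": {"errorCode": 53003, "failureReason": "Access has been blocked by Conditional Access policies."}}
{"createdDateTime": "2025-05-01T09:00:00Z", "userPrincipalName": "user1@contoso.com", "appDisplayName": "Azure Portal", "ipAddress": "203.0.113.10", "status": {"errorCode": 0, "failureReason": "Other."}}
"""


def parse_signins(text):
    """Parse a JSON-lines export into a list of sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def success_rate(records, group_by="appDisplayName"):
    """Return {group: (attempts, successes, rate)} keyed by the chosen field."""
    totals = defaultdict(lambda: [0, 0])
    for rec in records:
        bucket = totals[rec[group_by]]
        bucket[0] += 1
        if rec["status"]["errorCode"] == 0:
            bucket[1] += 1
    return {key: (n, ok, round(ok / n, 3)) for key, (n, ok) in totals.items()}


def failure_breakdown(records):
    """Count failed sign-ins by AADSTS error code."""
    return Counter(rec["status"]["errorCode"] for rec in records
                   if rec["status"]["errorCode"] != 0)


def spray_sources(records, min_users=3):
    """Source IPs with bad-password failures (AADSTS50126) against at least
    `min_users` distinct accounts, the signature of a password spray.
    Returns {ip: sorted list of targeted users}."""
    users_by_ip = defaultdict(set)
    for rec in records:
        if rec["status"]["errorCode"] == 50126:
            users_by_ip[rec["ipAddress"]].add(rec["userPrincipalName"])
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= min_users}


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_EXPORT)
    for app, (n, ok, rate) in success_rate(recs).items():
        print(f"{app}: {ok}/{n} succeeded ({rate:.1%})")
    print("failures by error code:", dict(failure_breakdown(recs)))
    print("possible password spray from:", spray_sources(recs))
```

Grouping by userPrincipalName instead of appDisplayName gives the per-user view; on a real export, the spray check is more useful with a time window and a much higher user threshold than the three used here.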
Question 138:
You have a Microsoft Entra ID tenant that contains a user named User1.
The App registration settings for the tenant are configured as shown in the following exhibit.
User1 builds an ASP.NET web app named App1.
You need to ensure that User1 can register App1. The solution must use the principle of least privilege.
Which role should you assign to User1?
A. Application Developer
B. Cloud App Security Administrator
C. Cloud Application Administrator
D. Application Administrator
A. Application Developer
Explanation
Application Developer
Can create application registrations independent of the "Users can register applications" setting, and is added as an owner of the registrations it creates. It grants nothing beyond that, which is why it is the least-privilege choice.
Incorrect:
Application Administrator
Can create and manage all aspects of app registrations and enterprise applications.
Cloud Application Administrator
This is a privileged role. Users in this role have the same permissions as the Application Administrator role, excluding the ability to manage application proxy. This role grants the ability to create and manage all aspects of enterprise applications and application registrations. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications.
Cloud App Security Administrator
Users with this role have full permissions in Microsoft Defender for Cloud Apps. They can add administrators, create and manage policies and settings, upload logs, and perform governance actions.
Question 139:
HOTSPOT
You have an Azure subscription named Sub1 that contains an Azure key vault named Vault1 and an Azure Automation account named Automation1.
You need to ensure that Automation1 can access Vault1. The solution must meet the following requirements:
1. Ensure that if Automation1 is deleted, the permissions granted for Vault1 will be removed automatically.
2. Ensure that runbooks created in Automation1 can read secret values stored in Vault1.
3. Follow the principle of least privilege.
What should you configure for Automation1, and which built-in role should Automation1 use to access Vault1? To answer, select the appropriate options in the answer area.
NOTE: Each correct answer is worth one point.
Box 1: A system-assigned managed identity.
Ensure that if Automation1 is deleted, the permissions granted for Vault1 will be removed automatically.
When an Azure resource with a system-assigned managed identity is deleted, the managed identity is also automatically deleted. This ensures that the identity is not orphaned and that the resource is no longer able to use it. The deletion is tied directly to the lifecycle of the resource, meaning if the resource is gone, so is the associated managed identity.
Box 2: Key Vault Secrets User.
Ensure that runbooks created in Automation1 can read secret values stored in Vault1.
To read Key Vault secret values, assign the Key Vault Secrets User role to Automation1's managed identity, scoped to Vault1 rather than to the resource group or subscription. The Key Vault Reader role allows reading the metadata of vaults and their objects, but not the secret contents themselves.
Key Vault Secrets User: Read secret contents, including the secret portion of a certificate with a private key. Only works for key vaults that use the Azure role-based access control permission model.
Incorrect:
Key Vault Secrets Officer [does not follow the principle of least privilege]: Perform any action on the secrets of a key vault, except manage permissions, which includes writing and deleting secrets that the runbooks only need to read. Only works for key vaults that use the Azure role-based access control permission model.
Key Vault Crypto Officer: Perform any action on the keys of a key vault, except manage permissions; it grants nothing on secrets. Only works for key vaults that use the Azure role-based access control permission model.
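The following is an added example serving both question 133 (which users can read which secret) and question 139 (the least-privilege role for Automation1); it is not code from the original page or from Microsoft. It models how Azure RBAC resolves a Key Vault data-plane request: the built-in roles' dataActions are the ones published in Azure's built-in role definitions, an assignment applies to its scope and everything beneath it (subscription, resource group, vault), and a vault that has not been switched to the Azure RBAC permission model ignores these assignments altogether. The subscription ID, the resource IDs, the legacy vault kvlegacy, and the Automation1 assignment to Vault1 are constructed assumptions.

```python
"""Model of Azure RBAC evaluation for Azure Key Vault data-plane access.

Added example for questions 133 and 139. Role dataActions are the published
built-in definitions; resource IDs and assignments are constructed.
"""
import fnmatch

# dataActions of the built-in roles. Management-plane "actions" are omitted:
# they never grant reads of secret values.
ROLE_DATA_ACTIONS = {
    "Key Vault Administrator": ["Microsoft.KeyVault/vaults/*"],
    "Key Vault Reader": ["Microsoft.KeyVault/vaults/*/read",
                         "Microsoft.KeyVault/vaults/secrets/readMetadata/action"],
    "Key Vault Secrets User": ["Microsoft.KeyVault/vaults/secrets/getSecret/action",
                               "Microsoft.KeyVault/vaults/secrets/readMetadata/action"],
    "Key Vault Secrets Officer": ["Microsoft.KeyVault/vaults/secrets/*"],
    "Key Vault Crypto Officer": ["Microsoft.KeyVault/vaults/keys/*"],
}
GET_SECRET = "Microsoft.KeyVault/vaults/secrets/getSecret/action"
SET_SECRET = "Microsoft.KeyVault/vaults/secrets/setSecret/action"
READ_META = "Microsoft.KeyVault/vaults/secrets/readMetadata/action"

# Constructed resource IDs: question 133's Sub1/RG1/KV1/KV2, question 139's
# Vault1, and an extra vault still on the access-policy permission model.
SUB1 = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG1 = SUB1 + "/resourceGroups/RG1"
KV1 = RG1 + "/providers/Microsoft.KeyVault/vaults/KV1"
KV2 = RG1 + "/providers/Microsoft.KeyVault/vaults/KV2"
VAULT1 = RG1 + "/providers/Microsoft.KeyVault/vaults/Vault1"
KV_LEGACY = RG1 + "/providers/Microsoft.KeyVault/vaults/kvlegacy"

# Vaults on the Azure RBAC permission model. A vault on the access-policy
# model ignores data-plane role assignments entirely.
RBAC_VAULTS = {v.lower() for v in (KV1, KV2, VAULT1)}

# (principal, role, scope) as given in question 133.
Q133_ASSIGNMENTS = [
    ("User1", "Key Vault Administrator", SUB1),
    ("User2", "Key Vault Reader", RG1),
    ("User3", "Key Vault Secrets User", KV1),
]
# Question 139: Automation1's system-assigned managed identity, scoped to Vault1 only.
Q139_ASSIGNMENTS = [("Automation1", "Key Vault Secrets User", VAULT1)]


def scope_covers(scope, resource_id):
    """An assignment applies to its scope and to every resource beneath it."""
    s, r = scope.lower(), resource_id.lower()
    return r == s or r.startswith(s + "/")


def action_matches(pattern, action):
    """Azure action wildcards: '*' matches any run of characters, '/' included."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def permitted(principal, action, vault_id, assignments):
    """True if some assignment grants `action` on an RBAC-model vault."""
    if vault_id.lower() not in RBAC_VAULTS:
        return False
    return any(
        who == principal
        and scope_covers(scope, vault_id)
        and any(action_matches(p, action) for p in ROLE_DATA_ACTIONS[role])
        for who, role, scope in assignments
    )


def who_can(action, vault_id, assignments):
    """Principals able to perform `action` on the vault (the hotspot answer)."""
    return sorted({who for who, _, _ in assignments
                   if permitted(who, action, vault_id, assignments)})


def roles_granting(needed, forbidden=()):
    """Built-in roles that cover every needed action and none of the forbidden
    ones: the least-privilege candidates for question 139."""
    chosen = []
    for role, patterns in ROLE_DATA_ACTIONS.items():
        def grants(action, patterns=patterns):
            return any(action_matches(p, action) for p in patterns)
        if all(grants(a) for a in needed) and not any(grants(a) for a in forbidden):
            chosen.append(role)
    return chosen


if __name__ == "__main__":
    print("Secret1 (KV1):", who_can(GET_SECRET, KV1, Q133_ASSIGNMENTS))
    print("Secret2 (KV2):", who_can(GET_SECRET, KV2, Q133_ASSIGNMENTS))
    print("Automation1 reads Vault1:", permitted("Automation1", GET_SECRET, VAULT1, Q139_ASSIGNMENTS))
    print("read-only secret role:", roles_granting([GET_SECRET], [SET_SECRET]))
```

Run as a script it prints the two hotspot answers and the least-privilege role. To review a real subscription before deploying, replace the constructed assignments with the output of az role assignment list --all and keep the vault's permission model in mind: the same assignments grant nothing on a vault that still uses access policies.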
Question 140:
Your company has a Microsoft Entra tenant that contains a user named User1.
The company has two departments named marketing and finance.
You need to grant permissions to User1 to manage only the users in the marketing department. The solution must ensure that User1 does NOT have permissions to manage the users in the finance department.
What should you create first?
A. a management group
B. an administrative unit
C. a resource group
D. a Microsoft 365 group
B. an administrative unit
Explanation
An administrative unit is a Microsoft Entra container for other directory objects. An administrative unit can contain only users, groups, or devices.
Administrative units restrict the permissions of a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the region that they support.
Here the administrative unit is created first; the marketing users are then added to it (manually, or with a dynamic membership rule on the department attribute), and User1 is assigned a role such as User Administrator scoped to that administrative unit. Because the role is scoped, User1 gains no permissions over the finance users. Management groups and resource groups scope Azure resources, not directory users, and a Microsoft 365 group does not scope role assignments.
Certification exams are increasingly required by enterprises when hiring. How do you prepare for the exam effectively, in a short time and with less effort, achieve an ideal result, and find the most reliable resources? Vcedump.com provides not only Microsoft exam questions, answers, and explanations but also assistance with exam preparation and certification application. If you are unsure about your SC-300 exam preparation or your Microsoft certification application, visit Vcedump.com.