Microsoft SC-300 Online Practice Questions and Exam Preparation

Microsoft SC-300 Online Questions & Answers

• Question 211:

  You have an Azure subscription named Sub1.

  You purchase a Microsoft Entra Permissions Management license.

  You need to onboard Permissions Management.

  Which two actions should you perform? Each correct answer presents part of the solution.

  NOTE: Each correct selection is worth one point.

  A. Implement a Microsoft Entra application proxy.
  B. From Microsoft Entra Permissions Management, configure data collection.
  C. Create a role assignment for Sub1.
  D. From the Microsoft Entra admin center, configure the Diagnostic settings.
  E. From the Microsoft Entra admin center, create an app registration.
  F. From the Azure portal, create a data collection rule (DCR).
  B. From Microsoft Entra Permissions Management, configure data collection.
  E. From the Microsoft Entra admin center, create an app registration.

• Question 212:

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have an Azure Active Directory (Azure AD) tenant that syncs to an Active Directory forest.

  You discover that when a user account is disabled in Active Directory, the disabled user can still authenticate to Azure AD for up to 30 minutes.

  You need to ensure that when a user account is disabled in Active Directory, the user account is immediately prevented from authenticating to Azure AD.

  Solution: You configure password writeback.

  Does this meet the goal?

  A. Yes
  B. No
  B. No

  ---

  Explanation

  References:

  https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn

• Question 213:

  HOTSPOT

  Your network contains an on-premises Active Directory domain named contoso.com. The domain contains the objects shown in the following table.

  

  You install Microsoft Entra Connect. You configure the Domain and OU filtering settings as shown in the Domain and OU Filtering exhibit. (Click the Domain and OU Filtering tab.)

  

  You configure the Filter users and devices settings as shown in the Filter Users and Devices exhibit. (Click the Filter Users and Devices tab.)

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  

  

• Question 214:

  You have a Microsoft Entra tenant that contains the users shown in the following table.

  

  You add an enterprise application named App1 and configure the following Self-service settings:

  Allow users to request access to this application: Yes To which group should assigned users be added: Group1 Require approval before granting access to this application: Yes Who is allowed to approve access to this application: User2

  Which users can request access to App1?

  A. User3 only
  B. User2 and User3 only
  C. User1 and User3 only
  D. User1, User2, and User3
  C. User1 and User3 only

  ---

  Explanation

  All users can request access when self-service is enabled. However, users who already have access (that is, are already members of the assigned group) cannot request access again.

  User1 is already a member of Group1, so User1 already has access and cannot request access.

  User2 and User3 are not members of Group1, so both can request access.

  User2, as an approver, can still submit a request but cannot approve their own request.

  References:

  https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-approval-workflow

• Question 215:

  You have an Azure subscription. The subscription contains 50 virtual machines that run Windows Server.

  You enable Microsoft Entra login for the virtual machines.

  Users report that they cannot sign in to the virtual machines using their Microsoft Entra credentials.

  You need to ensure that the users can sign in to the virtual machines.

  What should you do first?

  A. Ensure that the virtual machines can access https://enterpriseregistration.windows.net.
  B. Revoke the primary refresh token.
  C. From the Microsoft Entra admin center, delete the device registrations of the virtual machines.
  D. Enable SSH client support for OpenSSH.
  A. Ensure that the virtual machines can access https://enterpriseregistration.windows.net.

• Question 216:

  HOTSPOT

  Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with a Microsoft Entra tenant.

  You need to ensure that user authentication always occurs by validating passwords against the AD DS domain.

  What should you configure, and what should you use? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  Box 1: Azure AD Pass-through Authentication

  Box 2: Azure AD Connect

  Note: Choose the right authentication method for your Azure Active Directory hybrid identity solution

  Cloud authentication

  When you choose this authentication method, Azure AD handles users' sign-in process. Coupled with single sign-on (SSO), users can sign in to cloud apps without having to reenter their credentials. With cloud authentication, you can choose from two options:

  Azure AD password hash synchronization. The simplest way to enable authentication for on-premises directory objects in Azure AD. Users can use the same username and password that they use on-premises without having to deploy any other infrastructure. Some premium features of Azure AD, like Identity Protection and Azure AD Domain Services, require password hash synchronization, no matter which authentication method you choose.

  Azure AD Pass-through Authentication. Provides a simple password validation for Azure AD authentication services by using a software agent that runs on one or more on-premises servers. The servers validate the users directly with your on-premises Active Directory, which ensures that the password validation doesn't happen in the cloud.

  Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours might use this authentication method.

  It can be enabled via Azure AD Connect.

• Question 217:

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have an Azure Active Directory (Azure AD) tenant that syncs to an Active Directory forest.

  You discover that when a user account is disabled in Active Directory, the disabled user can still authenticate to Azure AD for up to 30 minutes.

  You need to ensure that when a user account is disabled in Active Directory, the user account is immediately prevented from authenticating to Azure AD.

  Solution: You configure pass-through authentication.

  Does this meet the goal?

  A. Yes
  B. No
  A. Yes

  ---

  Explanation

  References:

  https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn

• Question 218:

  HOTSPOT

  You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.

  

  You plan to implement Azure AD Identity Protection.

  Which users can configure the user risk policy, and which users can view the risky users report? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  

  

• Question 219:

  You have a Microsoft 365 subscription that uses Microsoft Defender for Cloud Apps.

  You have multiple third-party apps that access the resources in the subscription.

  You need to monitor the access of the third-party apps.

  What should you create?

  A. an access policy
  B. an app permission policy
  C. an OAuth app policy
  D. an endpoint protection policy
  C. an OAuth app policy

  ---

  Explanation

  OAuth apps are third-party apps.

  OAuth app policies enable you to investigate which permissions each app requested and which users authorized them for Microsoft 365, Google Workspace, and Salesforce. You can also mark these permissions as approved or banned.

  Marking them as banned disables the corresponding enterprise application.

  In addition, OAuth app policies allow you to monitor app behavior and generate alerts based on detected risks.

  Incorrect:

  Option A: Access policy Microsoft Defender for Cloud Apps access policies use Conditional Access App Control to provide real-time monitoring and control over access to cloud apps. These policies control access based on user, location, device, and app, but are not specifically used to monitor third-party OAuth app permissions.

  Option B: App permission policy

  Used in Microsoft Teams to control third-party app permissions within Teams, not for monitoring OAuth app access across Microsoft 365.

  Option D: Endpoint protection policy

  Used to protect endpoint devices, not to monitor third-party app access.

  References:

  https://learn.microsoft.com/en-us/defender-cloud-apps/app-permission-policy

  https://learn.microsoft.com/en-us/defender-cloud-apps/control-cloud-apps-with-policies

• Question 220:

  You have a Microsoft Entra tenant named contoso.com that contains an enterprise application named App1.

  A contractor uses the credentials of [email protected].

  You need to ensure that you can provide the contractor with access to App1. The contractor must be able to authenticate as [email protected].

  What should you do?

  A. Implement Microsoft Entra Connect sync.
  B. Add a custom domain name to contoso.com.
  C. Implement Microsoft Entra Application Proxy.
  D. Run the New-MgInvitation cmdlet.
  D. Run the New-MgInvitation cmdlet.

  ---

  Explanation

  Correct: * Create a guest user account in contoso.com. * Run the New-AzureADMSInvitation cmdlet. [For Microsoft Active Directory] * Run the New-MgInvitation cmdlet. [For Microsoft Entra]

  Incorrect: * Add a custom domain name to contoso.com * Add a WS-Fed identity provider. * Configure the External collaboration settings. * Implement Azure AD Connect. * Implement Microsoft Entra Application Proxy. * Implement Microsoft Entra Connect sync * Run the New-AzADUser cmdlet.

  Note: * New-AzureADMSInvitation.

  This cmdlet is used to invite a new external user to your directory.

  New-MgInvitation Microsoft.Graph.Identity.SignIns Use this API to create a new invitation or reset the redemption status for a guest user who already redeemed their invitation. Invitation adds an external user to the organization

  References:

  https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-

  https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.signins/new-mginvitation

  https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureadmsinvitation?view=azureadps-2.