Microsoft SC-300 Online Practice Questions and Exam Preparation

Microsoft SC-300 Online Questions & Answers

• Question 231:

  You have an Azure subscription that contains an Azure SQL database named db1.

  You deploy an Azure App Service web app named App1 that provides product information to users that connect to App1 anonymously.

  You need to provide App1 with access to db1. The solution must meet the following requirements:

  1. Credentials must only be available to App1.

  2. Administrative effort must be minimized.

  Which type of credentials should you use?

  A. a system-assigned managed identity
  B. an Azure Active Directory (Azure AD) user account
  C. a SQL Server account
  D. a user-assigned managed identity
  A. a system-assigned managed identity

• Question 232:

  HOTSPOT

  You have a Microsoft 365 subscription that contains three users named User1, User2, and User3 and an enterprise app named App1. The subscription contains the devices shown in the following table.

  

  The subscription contains the groups shown in the following table.

  

  You create two Conditional Access policies that have the following settings:

  Name: Policy1 Users:

  1. Include: Group1

  2. Exclude: Group3 Target resources:

  3. Include: All resources Access controls: Block access Name: Policy2 Users:

  4. Include: Group2 Target resources:

  5. Include: App1 Access controls:

  6. Grant access: Require device to be marked as compliant. For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  Box 1: Yes - User1 can sign in to App1 from Device1.

  Device1 is compliant. User1 is a member of Group1 and Group3. Policy1 includes Group1 and excludes Group3. The exclusion takes precedence. Denied access to all resources will not be applied. No access policy applies to User1. User1 will be able to sign in.

  Note: In Microsoft Entra Conditional Access policies, exclusion takes precedence over inclusion. This means that if a user is a member of both an included group and an excluded group, the exclusion applies.

  Note 2: When no Conditional Access policies are matched for a user, the user is granted access to the resource without any additional access controls or authentication requirements.

  Box 2: Yes - User2 can sign in to App1 from Device2.

  Device2 is compliant. User2 is a member of Group2. Policy2 applies to Group2. Policy2 will grant access if the device is marked as compliant. User2 can sign in to App1 from Device2.

  Box 3: No - User3 can sign in to App1 from Device3.

  Device3 is compliant. User3 is a member of Group1 and Group2. Policy1 applies to Group1. Policy1 will block access to all resources. Policy2 applies to Group2. Policy2 will grant access to User3 from Device3. Policy1 will be applied as it is the most restrictive. Access will be denied.

  Note: In Microsoft Entra Conditional Access, if multiple policies apply to the same user, the most restrictive policy takes precedence.

  References:

  https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-users-groups

  https://learn.microsoft.com/en-us/answers/questions/1004659/how-multiple-conditional-access-policies-are-appli

• Question 233:

  You have an Active Directory domain that syncs to a Microsoft Entra tenant.

  The on-premises network contains a VPN server that authenticates to the on-premises Active Directory domain. The VPN server does NOT support Microsoft Entra Multi-Factor Authentication (MFA).

  You need to recommend a solution to provide Microsoft Entra MFA for VPN connections.

  What should you include in the recommendation?

  A. Microsoft EntraApplication Proxy
  B. a Microsoft Entra Password Protection proxy
  C. Network Policy Server (NPS)
  D. a pass-through authentication proxy
  C. Network Policy Server (NPS)

  ---

  Explanation

  References:

  https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn

• Question 234:

  SIMULATION

  Use the following login credentials as needed:

  To enter your username, place your cursor in the Sign in box and click the username below.

  To enter your password, place your cursor in the Enter password box and click the password below.

  Microsoft 365 Username: [email protected]

  Microsoft 365 Password: 1122334455667788

  If the Microsoft 365 portal does not load successfully in the browser, press CTRL+K to reload the portal in a new browser tab.

  The following information is for technical support purposes only:

  Lab Instance: 99999999

  You plan to use access packages to assign access to resources.

  You need to create an access package catalog named Catalog that includes the following resources:

  1. Contoso SharePoint Online site

  2. Mark 8 Project Team group

  3. Salesforce enterprise application

  To complete this task, sign in to the appropriate admin center.

  A. See the explanation below
  B. PlaceHolder
  C. PlaceHolder
  D. PlaceHolder
  A. See the explanation below

  ---

  Explanation

  

  Plan:

  Part 1: Create a Catalog named Catalog Part 2: Add the Mark 8 Project Team group to Catalog Part 3: Add the Salesforce app to Catalog

  Part 1: Create a Catalog named Catalog A catalog is a container of resources and access packages. You create a catalog when you want to group related resources and access packages. An administrator can create a catalog.

  To create a catalog:

  Step 1: Sign in to the Microsoft Entra admin center as at least an Identity Governance Administrator.

  Step 2: Browse to Identity governance > Entitlement management > Catalogs.

  Step 3: Select New catalog.

  Step 4: Enter a unique name for the catalog [Enter Catalog] and provide a description.

  Step 5: If you want the access packages in this catalog to be available for users to request as soon as they're created, set Enabled to Yes. [set Enabled to Yes] Step 6: If you want to allow users in external directories from connected organizations to be able to request access packages in this catalog, set Enabled for external users to Yes. The access packages must also have a policy allowing users from connected organizations to request. If the access packages in this catalog are intended only for users already in the directory, then set Enabled for external users to No. [set Enabled for external users to No]

  Step 7: Select Create to create the catalog.

  Part 2: Add the Mark 8 Project Team group to Catalog

  To add resources to a catalog:

  Step 1: Sign in to the Microsoft Entra admin center as at least an Identity Governance Administrator.

  Step 2: Browse to Identity governance > Entitlement management > Catalogs.

  Step 3: On the Catalogs page open the catalog you want to add resources to.

  Step 4: On the left menu, select Resources.

  Step 5: Select Add resources.

  Step 6: Select the resource type Groups and Teams, Applications, or SharePoint sites.]

  Step 7: Select one or more resources of the type that you want to add to the catalog.

  Step 8: Select Groups and Teams, and select Mark 8 Project Team group, click Add.

  Part 3: Add the Salesforce app to Catalog

  Step 9: Select Applications, and select the Salesforce app, Click Add.

  These resources can now be included in access packages within the catalog.

  References:

  https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-catalog-create

• Question 235:

  You have a Microsoft 365 E5 subscription that contains a user named User1.

  You need to ensure that User1 can manage Microsoft Entra roles. The solution must use the principle of least privilege.

  Which role should you assign to User1?

  A. Privileged Role Administrator
  B. Identity Governance Administrator
  C. User Administrator
  D. User Access Administrator
  A. Privileged Role Administrator

• Question 236:

  You have a Microsoft 365 tenant.

  The Sign-ins activity report shows that an external contractor signed in to the Exchange admin center.

  You need to review access to the Exchange admin center at the end of each month and block sign-ins if required.

  What should you create?

  A. an access package that targets users outside your directory
  B. an access package that targets users in your directory
  C. a group-based access review that targets guest users
  D. an application-based access review that targets guest users
  C. a group-based access review that targets guest users

  ---

  Explanation

  References:

  https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview

• Question 237:

  HOTSPOT

  You have an Azure subscription named Sub1 that contains two resource groups named RG1 and RG2. Sub1 contains the users shown in the following table.

  

  Sub1 contains the resources shown in the following table.

  

  You create the role-based access control (RBAC) role assignments shown in the following table.

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No NOTE: Each correct selection is worth one point.

  

  

• Question 238:

  You have an Azure Active Directory (Azure AD) tenant named contoso.com.

  You implement entitlement management to provide resource access to users at a company named Fabrikam, Inc. Fabrikam uses a domain named fabrikam.com.

  Fabrikam users must be removed automatically from the tenant when access is no longer required.

  You need to configure the following settings:

  1. Block external user from signing in to this directory: No Remove external user: Yes

  2. Number of days before removing external user from this directory: 90

  What should you configure on the Identity Governance blade?

  A. Access packages
  B. Entitlement management settings
  C. Terms of use
  D. Access reviews
  B. Entitlement management settings

  ---

  Explanation

  References:

  https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-external-users

• Question 239:

  You have a Microsoft Entra tenant named contoso.com that contains an enterprise application named App1.

  A contractor uses the credentials of [email protected].

  You need to ensure that you can provide the contractor with access to App1. The contractor must be able to authenticate as [email protected].

  What should you do?

  A. Run the New-MgUser cmdlet.
  B. Add a custom domain name to contoso.com.
  C. Run the New-MgInvitation cmdlet.
  D. Implement Microsoft Entra Connect sync.
  C. Run the New-MgInvitation cmdlet.

  ---

  Explanation

  Correct: * Create a guest user account in contoso.com. * Run the New-AzureADMSInvitation cmdlet. [For Microsoft Active Directory] * Run the New-MgInvitation cmdlet. [For Microsoft Entra]

  Incorrect: * Add a custom domain name to contoso.com * Add a WS-Fed identity provider. * Configure the External collaboration settings. * Implement Azure AD Connect. * Implement Microsoft Entra Application Proxy. * Implement Microsoft Entra Connect sync * Run the New-AzADUser cmdlet. * Run the New-MgUser cmdlet.

  Note: * New-AzureADMSInvitation.

  This cmdlet is used to invite a new external user to your directory. New-MgInvitation Microsoft.Graph.Identity.SignIns Use this API to create a new invitation or reset the redemption status for a guest user who already redeemed their invitation. Invitation adds an external user to the organization

  References:

  https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-

  https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.signins/new-mginvitation

  https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureadmsinvitation?view=azureadps-2.

• Question 240:

  HOTSPOT

  You need to implement on-premises application and SharePoint Online restrictions to meet the authentication requirements and the access requirements.

  What should you do? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  References:

  https://docs.microsoft.com/en-us/sharepoint/app-enforced-restrictions

  https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-session