Microsoft SC-300 Online Practice Questions and Exam Preparation

Microsoft SC-300 Online Questions & Answers

• Question 271:

  Your company purchases a new Microsoft 365 E5 subscription and an app named App1.

  You need to create a Microsoft Defender for Cloud Apps access policy for App1.

  What should you do you first?

  A. Configure a Conditional Access policy to use app-enforced restrictions.
  B. Configure a Token configuration for App1.
  C. Add an API permission for App1.
  D. Configure a Conditional Access policy to use Conditional Access App Control.
  D. Configure a Conditional Access policy to use Conditional Access App Control.

  ---

  Explanation

  Access policies in Microsoft Defender for Cloud Apps

  Prerequisites to using access policies * Azure AD Premium P1 license, or the license required by your identity provider (IdP) solution *-> The relevant apps should be deployed with Conditional Access App Control

  Make sure you have configured your IdP solution to work with Defender for Cloud Apps, as follows: For Azure AD Conditional Access, see Configure integration with Azure AD For other IdP solutions, see Configure integration with other IdP solutions

  References:

  https://learn.microsoft.com/en-us/defender-cloud-apps/access-policy-aad

• Question 272:

  DRAG DROP

  Your company has an Azure Active Directory (Azure AD) tenant named contoso.com.

  The company is developing a web service named App1.

  You need to ensure that App1 can use Microsoft Graph to read directory data in contoso.com.

  Which three actions should yon perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them In the correct order.

  Select and Place:

  

  

• Question 273:

  You have a Microsoft Entra tenant.

  You open the risk detections report.

  Which risk detection type is classified as a user risk?

  A. impossible travel
  B. anonymous IP address
  C. atypical travel
  D. leaked credentials
  D. leaked credentials

  ---

  Explanation

  References:

  https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks

• Question 274:

  HOTSPOT

  Your network contains an on-premises Active Directory Domain Services (AD DS) domain named contoso.com. Contoso.com contains the identities shown in the following table.

  

  You have a Microsoft Entra tenant that contains a user named User1.

  You deploy Microsoft Entra Cloud Sync and configure a scoping filter by using the following string:

  CN=Group1,OU=OU1,DC=contoso,DC=com.

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  Box 1: Yes - Contoso\User1 syncs from contoso.com to the tenant.

  User1 is in Group1. User1 is in OU1.

  Note:

  The filter is for Group1 and OU1.

  Box 2: No - Contoso\User2 syncs from contoso.com to the tenant.

  User2 is in OU2. User2 is in Group2. Group2 is in OU1. Group2 is a member of Group1.

  Box 3: Yes - Contoso\Group1 syncs from contoso.com to the tenant.

  Group1 is in OU1.

  Note: You can use multiple filtering options at the same time. For example, you can use OU-based filtering to only include objects in one OU. At the same time, you can use attribute-based filtering to filter the objects further. When you use multiple filtering methods, the filters use a logical "AND" between the filters.

  References:

  https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sync-configure-filtering

• Question 275:

  You have a Microsoft Entra ID tenant that contains a user named Admin1.

  You need to ensure that Admin1 can perform only the following tasks:

  From the Microsoft 365 admin center, create and manage service requests.

  From the Microsoft 365 admin center, read and configure service health.

  From the Azure portal, create and manage support tickets.

  The solution must minimize administrative effort.

  What should you do?

  A. Create an administrative unit and add Admin1.
  B. Enable Microsoft Entra Privileged Identity Management (PIM) for Admin1.
  C. Assign Admin1 the Helpdesk Administrator role.
  D. Create a custom role and assign the role to Admin1.
  D. Create a custom role and assign the role to Admin1.

• Question 276:

  You have an Azure Active Directory (Azure AD) Azure AD tenant.

  You need to bulk create 25 new user accounts by uploading a template file.

  Which properties are required in the template file?

  A. displayName, identityIssuer, usageLocation, and userType
  B. accountEnabled, givenName, surname, and userPrincipalName
  C. accountEnabled, displayName, userPrincipalName, and passwordProfile
  D. accountEnabled, passwordProfile, usageLocation, and userPrincipalName
  C. accountEnabled, displayName, userPrincipalName, and passwordProfile

• Question 277:

  HOTSPOT

  You have a Microsoft Entra tenant that contains 1,000 users. All the users are assigned Microsoft Entra Suite licenses.

  You perform the following actions:

  1. Deploy Global Secure Access.

  2. Create a Global Secure Access security profile named Profile1.

  3. Create the following Conditional Access policies:

  Name:CApolicy1

  Target resources: All internet resources with Global Secure Access

  Name: CApolicy2

  Session: Use Global Secure Access security profile: Profile1

  To which Global Secure Access traffic forwarding profile is CApolicy1 linked, and to which traffic forwarding profile does Profile1 apply?

  To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  Box 1: CApolicy1 is linked to - Microsoft traffic profile and Internet access profile

  Microsoft traffic profile: This profile is used to secure and monitor traffic specifically destined for Microsoft services, such as Microsoft 365. Security profiles can be applied to this traffic by using Conditional Access.

  Internet access profile: This profile handles general internet traffic and secures access to SaaS apps and public internet resources. Like the Microsoft traffic profile, security profiles are linked to this to apply security policies.

  Incorrect: Private access profile: This profile is used to route traffic to private internal resources (on-premises or in the cloud). While Conditional Access is used with private access, the policy targets a specific enterprise application representation of the private access infrastructure (referred to as a Global Secure Access application or included in All cloud apps), rather than linking a security profile to the private access profile itself as is done with the Internet and Microsoft traffic profiles.

  Box 2: Profile1 applies to - Internet access profile

  The Global Secure Access security profile is linked to the Internet access profile (also referred to as All internet resources with Global Secure Access in the Conditional Access policy target resources). It is used for securing and monitoring general internet traffic.

  Security profiles are a grouping of web content filtering policies that can be assigned, or linked, with Microsoft Entra Conditional Access policies.

  When configuring the Conditional Access policy, the Target resources condition is set to All internet resources with Global Secure Access, which corresponds to the Internet access profile.

  In the Session controls of the same Conditional Access policy, the specific security profile is selected under the Use Global Secure Access security profile option. This enforces the security filtering policies (for example, blocking malicious sites or specific categories) on all traffic matching the Internet access profile.

  References:

  https://learn.microsoft.com/en-us/entra/global-secure-access/concept-universal-conditional-access

• Question 278:

  You have an Azure subscription that contains the resources shown in the following table.

  

  You need to grant permissions to the resources by using attribute-based access control (ABAC).

  To which resource can you grant permissions?

  A. Vault1
  B. VM1
  C. App1
  D. storage 1
  D. storage 1

• Question 279:

  You have on-premises Linux devices.

  You have a Microsoft 365 E5 subscription.

  You plan to configure Global Secure Access Internet Access.

  You need to ensure that the devices can connect to Global Secure Access.

  What should you do?

  A. Configure the Adaptive Access settings.
  B. Install the Azure Connected Machine agent on the devices.
  C. Create a remote network.
  D. Deploy a private network connector.
  B. Install the Azure Connected Machine agent on the devices.

  ---

  Explanation

  To connect Linux devices to Global Secure Access (GSA) for Internet Access with Microsoft 365 E5, you must install the Azure Connected Machine agent on the Linux machines to onboard them to Azure Arc, then configure Conditional Access policies in Microsoft Entra ID to enforce GSA by using a traffic forwarding profile for Internet Access. This integrates the devices, making their traffic visible and securable via GSA, ensuring they route through the GSA service as intended, even without a traditional VPN client.

  Step-by-step guide:

  1. Activate Global Secure Access in Microsoft Entra ID.

  2. Onboard Linux devices via

  Azure Arc:

  Install the Azure Connected Machine agent on your on-premises Linux devices. This connects your devices to Azure Arc, allowing Microsoft Entra ID to manage them.

  3. Create a traffic forwarding profile.

  4. Configure Conditional Access (CA) policy.

  References:

  https://learn.microsoft.com/en-us/entra/global-secure-access/overview-what-is-global-secure-access

• Question 280:

  HOTSPOT

  You have an Azure Active Directory (Azure AD) tenant that has the default App registrations settings. The tenant contains the users shown in the following table.

  

  You purchase two cloud apps named App1 and App2. The global administrator registers App1 in Azure AD.

  You need to identify who can assign users to App1, and who can register App2 in Azure AD.

  What should you identify? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.