Microsoft SC-300 Online Practice Questions and Exam Preparation

Microsoft SC-300 Online Questions & Answers

• Question 291:

  You have a Microsoft Entra tenant named contoso.com that contains an enterprise application named App1.

  A contractor uses the credentials of [email protected].

  You need to ensure that you can provide the contractor with access to App1. The contractor must be able to authenticate as [email protected].

  What should you do?

  A. Implement Microsoft Entra Connect sync.
  B. Create a guest user account in contoso.com.
  C. Configure the External collaboration settings.
  D. Run the New-MgUser cmdlet.
  B. Create a guest user account in contoso.com.

  ---

  Explanation

  Correct: * Create a guest user account in contoso.com. * Run the New-AzureADMSInvitation cmdlet. [For Microsoft Active Directory] * Run the New-MgInvitation cmdlet. [For Microsoft Entra]

  Incorrect: * Add a custom domain name to contoso.com * Add a WS-Fed identity provider. * Configure the External collaboration settings. * Implement Azure AD Connect. * Implement Microsoft Entra Application Proxy. * Implement Microsoft Entra Connect sync * Run the New-AzADUser cmdlet.

  Note: * New-AzureADMSInvitation.

  This cmdlet is used to invite a new external user to your directory.

  New-MgInvitation Microsoft.Graph.Identity.SignIns Use this API to create a new invitation or reset the redemption status for a guest user who already redeemed their invitation. Invitation adds an external user to the organization

  References:

  https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal

• Question 292:

  You have an Azure subscription that uses Azure AD Privileged Identity Management (PIM).

  You need to identify users that are eligible for the Cloud Application Administrator role.

  Which blade in the Privileged Identity Management settings should you use?

  A. Azure resources
  B. Privileged access groups
  C. Review access
  D. Azure AD roles
  D. Azure AD roles

• Question 293:

  HOTSPOT

  You have a hybrid Microsoft 365 subscription that contains the users show in the following table.

  

  You plan to deploy an on-premises app1. App1 will be registered in Azure AD and will use Azure AD Application Proxy.

  You need to delegate the installation of the Application Proxy connector and ensure that User1 can register App1 in Azure AD. The solution must use the principle of least privilege.

  Which user should perform the installation, and which role should you assign to Users1? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  

  

• Question 294:

  You have a Microsoft Entra tenant that has a Microsoft Entra ID P2 license. You create a Log Analytics workspace.

  You need to ensure that you can view Microsoft Entra ID audit log information by using Azure Monitor.

  What should you do first?

  A. Create an Microsoft Entra ID workbook.
  B. Modify the Diagnostics settings for Microsoft Entra ID.
  C. Run the update-ngoomain cmdlet.
  D. Run the Update-MgOrganization cmdlet.
  B. Modify the Diagnostics settings for Microsoft Entra ID.

  ---

  Explanation

  References:

  https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics

• Question 295:

  HOTSPOT

  You have an Azure AD tenant.

  You perform the tasks shown in the following table.

  

  On April 5, an administrator deletes App1, App2, App3, and App4.

  You need to restore the apps and the settings.

  Which apps can you restore on April 16, and which settings can you restore for App4 on April 16? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  

  

• Question 296:

  You have a Microsoft 365 subscription.

  You have an Azure subscription that contains an Azure App Service web app named App1.

  You have multiple devices that run Windows and are enrolled in Microsoft Intune.

  You deploy the Global Secure Access client to the devices by using Intune.

  You need to configure private access to App1.

  What should you do next?

  A. Create a remote network.
  B. Configure a traffic forwarding profile.
  C. Deploy a private network connector.
  D. Create an application security group.
  B. Configure a traffic forwarding profile.

  ---

  Explanation

  The Global Secure Access client, an essential component of Global Secure Access, helps organizations manage and secure network traffic on end-user devices. The client's main role is to route traffic that needs to be secured by Global Secure Access to the cloud service. All other traffic goes directly to the network. The Forwarding Profiles, configured in the portal, determine which traffic the Global Secure Access client routes to the cloud service.

  Global Secure Access traffic forwarding profiles You use traffic forwarding profiles in Global Secure Access to apply policies to the network traffic that your organization wants to secure and manage. Network traffic is evaluated against the traffic forwarding policies you configure. The profiles are applied and the traffic goes through the service to the appropriate apps and resources.

  References:

  https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-install-windows-client

  https://learn.microsoft.com/en-us/entra/global-secure-access/concept-traffic-forwarding

• Question 297:

  You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.

  

  User1 is the owner of Group1.

  You create an access review that has the following settings:

  1. Users to review: Members of a group

  2. Scope: Everyone

  3. Group: Group1

  4. Reviewers: Members (self)

  Which users can perform access reviews for User3?

  A. User1, User2, and User3
  B. User3 only
  C. User1 only
  D. User1 and User2 only
  B. User3 only

• Question 298:

  DRAG DROP

  You have an Azure subscription that is linked to a Microsoft Entra tenant named contoso.com. The subscription contains a group named Group1 and a virtual machine named VM1.

  You need to meet the following requirements:

  1. Enable a system-assigned managed identity for VM1.

  2. Add VM1 to Group1.

  How should you complete the PowerShell script? To answer, drag the appropriate cmdlets to the correct targets. Each cmdlet may be used once, more than once or not at all. You may need to drag the split bar between panes or scroll to view content.

  NOTE: Each correct selection is worth one point.

  Select and Place:

  

  

  ---

  Box 1: Get-AzVM

  Configure managed identities for Azure resources on an Azure VM using PowerShell

  Enable system-assigned managed identity on an existing Azure VM

  To enable system-assigned managed identity on a VM that was originally provisioned without it, your account needs the Virtual Machine Contributor role assignment. No other Azure AD directory role assignments are required.

  Retrieve the VM properties using the Get-AzVM cmdlet. Then to enable a system-assigned managed identity, use the -IdentityType switch on the Update-AzVM cmdlet:

  $vm = Get-AzVM -ResourceGroupName myResourceGroup -Name myVM

  Update-AzVM -ResourceGroupName myResourceGroup -VM $vm -IdentityType SystemAssigned

  Box 2: Get-AzADServicePrincipal

  Add VM system assigned identity to a group After you have enabled system assigned identity on a VM, you can add it to a group. The following procedure adds a VM's system assigned identity to a group.

  Retrieve and note the ObjectID (as specified in the Id field of the returned values) of the VM's service principal:

  Get-AzADServicePrincipal -displayname "myVM"

  References:

  https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-powershell-windows-vm

• Question 299:

  You have an Azure AD tenant named contoso.com that contains the resources shown in the following table.

  You create a user named Admin 1.

  

  You need to ensure that Admin can enable Security defaults for contoso.com.

  What should you do first?

  A. Configure Identity Governance.
  B. Delete Package1.
  C. Delete CAPolicy1.
  D. Assign Admin1 the Authentication administrator role for Au1
  D. Assign Admin1 the Authentication administrator role for Au1

  ---

  Explanation

  To enable Security defaults for contoso.com, you should first sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator. Then, browse to Azure Active Directory > Properties and select Manage security defaults. Set the Enable security defaults toggle to Yes and select Save. After that, you can assign Admin1 the Identity Administrator role for Au1 to enable them to manage security defaults for the tenant.

  https://practical365.com/what-are-azure-ad-security-defaults-and-should-you-use-them/

• Question 300:

  You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint Online site named Site1. Site1 hosts PDF files.

  You need to prevent users from printing the files directly from Site1.

  Which type of policy should you create in the Microsoft Defender for Cloud Apps portal?

  A. activity policy
  B. access policy
  C. file policy
  D. session policy
  D. session policy