Microsoft SC-300 Online Practice Questions and Exam Preparation

Microsoft SC-300 Online Questions & Answers

• Question 341:

  HOTSPOT

  You have an Azure AD tenant that contains the groups shown in the following table.

  

  You create an access review for Group1 as shown in the following table.

  

  You create an access review for Group2 as shown in the following table.

  

  What is the minimum number of Azure AD Premium P2 licenses required for each group?

  To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  The correct answer is: Group 1: 500

  Group 2: 1

  Scenario = An administrator creates an access review of Group C with 50 member users and 25 guest users. Makes it a self-review.

  Calculation = 50 licenses for each user as self-reviewers.*

  Number of licenses = 50

  * Azure AD External Identities (guest user) pricing is based on monthly active users (MAU), which is the count of unique users with authentication activity within a calendar month. This model replaces the 1:5 ratio billing model, which allowed up to five guest users for each Azure AD Premium license in your tenant.

  Refer to:

  https://learn.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#license-requirements

• Question 342:

  You have an Azure Active Directory (Azure AD) tenant that contains the objects shown in the following table.

  

  Which objects can you add as members to Group3?

  A. User2 and Group2 only
  B. User2, Group1, and Group2 only
  C. User1, User2, Group1 and Group2
  D. User1 and User2 only
  E. User2 only
  E. User2 only

  ---

  Explanation

  References:

  https://bitsizedbytes.wordpress.com/2018/12/10/distribution-security-and-office-365-groups-nesting/

• Question 343:

  HOTSPOT

  You have a Microsoft Entra tenant that contains the users shown in the following table.

  

  You add the following assignment for the User Administrator role:

  3. Scope type: Directory

  4. Selected members: Group1

  5. Assignment type: Active

  6. Assignments starts August

  15. 2022

  7. Assignment ends: December 15, 2022

  You add the following assignment for the Exchange Administrator role:

  1. Scope type: Directory

  2. Selected members: Group2

  3. Assignment type: Eligible

  4. Assignments starts: October 15, 2022

  5. Assignment ends: January

  15. 2023

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  

  

• Question 344:

  You have an Azure subscription named Sub1 that contains a resource group named RG1. RG1 contains an Azure Cosmos DB database named DB1 and an Azure Kubernetes Service (AKS) cluster named AKS1. AKS1 uses a managed identity.

  You need to ensure that AKS1 can access DB1. The solution must meet the following requirements:

  1. Ensure that AKS1 uses the managed identity to access DB1.

  2. Follow the principle of least privilege.

  Which role should you assign to the managed identity of AKS1?

  A. For Sub1, assign the Owner role.
  B. For DB1, assign the Azure Cosmos DB Account Reader Role role.
  C. For RG1, assign the Azure Cosmos DB Data Reader Role role.
  D. For RG1, assign the Reader role.
  B. For DB1, assign the Azure Cosmos DB Account Reader Role role.

• Question 345:

  You have a Microsoft 365 tenant.

  You need to ensure that you tan view Azure Active Directory (Azure AD) audit log information by using Azure Monitor.

  What should you do first?

  A. Run the Get-AzureADAuditDirectoryLogs cmdlet.
  B. Create an Azure AD workbook.
  C. Run the Set-AzureADTenantDetail cmdlet.
  D. Modify the Diagnostics settings for Azure AD.
  D. Modify the Diagnostics settings for Azure AD.

• Question 346:

  HOTSPOT

  You have a Microsoft 365 tenant.

  You need to identify users who have leaked credentials. The solution must meet the following requirements:

  1. Identify sign-ins by users who are suspected of having leaked credentials.

  2. Flag the sign-ins as a high-risk event.

  3. Immediately enforce a control to mitigate the risk, while still allowing the user to access applications.

  What should you use? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  References:

  https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks

• Question 347:

  You have an Azure subscription named Sub1 that contains a user named User1.

  You need to ensure that User1 can purchase a Microsoft Entra Permissions Management license for Sub1. The solution must follow the principle of least privilege.

  Which role should you assign to User1?

  A. Global Administrator
  B. Billing Administrator
  C. Permissions Management Administrator
  D. User Access Administrator
  B. Billing Administrator

  ---

  Explanation

  How to enable Permissions Management on your Microsoft Entra tenant.

  1. In your browser:

  a. Browse to the Microsoft Entra admin center and sign in to Microsoft Entra ID as at least a *Billing Administrator*. b. If needed, activate the Permissions Management Administrator role in your Microsoft Entra tenant. c. In the Azure portal, select Microsoft Entra Permissions Management, then select the link to purchase a license or begin a trial.

  References:

  https://learn.microsoft.com/en-us/entra/permissions-management/onboard-enable-tenant

• Question 348:

  You have an Azure subscription that is linked to a Microsoft Entra tenant. The tenant contains the groups shown in the following table.

  

  Which groups can you manage by using Privileged Identity Management (PIM)?

  A. Group2 only
  B. Group1 and Group2 only
  C. Group2 and Group4 only
  D. Group1, Group2, and Group3 only
  E. Group1, Group2, Group3, and Group4
  D. Group1, Group2, and Group3 only

  ---

  Explanation

  Group1 - Yes

  Group1 is a security group.

  Any Microsoft Entra security group can be enabled and managed by PIM for Groups.

  Group2 - Yes

  Group2 is a security group and is role-assignable.

  It can be managed by PIM.

  Group3 - Yes

  Group3 is a Microsoft 365 group that is security-enabled.

  Microsoft 365 groups can be managed by PIM for Groups.

  Group4 - No

  Group4 is not security-enabled.

  Only security-enabled groups can be managed by PIM for Groups.

  Note:

  Groups in Microsoft Entra ID can be classified as either role-assignable or non-role-assignable. These are independent properties. Any Microsoft Entra security group and any Microsoft 365 group (except dynamic membership groups and groups synchronized from on-premises environments) can be enabled in PIM for Groups. The group does not have to be role-assignable to be managed by PIM.

  References:

  https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/concept-pim-for-groups

• Question 349:

  DRAG DROP

  You have a Microsoft Entra tenant.

  You need to implement protected actions.

  Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

  NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.

  Select and Place:

  

  

  ---

  To implement Microsoft Entra protected actions, you need to configure Conditional Access policies and authentication contexts, then link those to specific permissions within Microsoft Entra ID. This allows you to enforce additional security requirements, such as multi-factor authentication or compliance checks, before certain actions can be performed.

  Step 1: Create an authentication context

  Configure Conditional Access authentication context: name and description.

  Create a new authentication context: In the Microsoft Entra admin center, navigate to Identity > Protection > Conditional Access > Authentication contexts, and create a new authentication context with a unique name.

  Define authentication requirements: Specify the required authentication methods (e.g., multi-factor authentication, compliant device) for this context.

  Publish the context: Make sure the context is enabled for use in Conditional Access policies.

  Step 2: Create a Conditional Access policy

  Create or update Conditional Access policies: Create a new policy: In the Microsoft Entra admin center, navigate to Identity > Protection > Conditional Access > Policies, and create a new policy.

  Define policy scope: Specify which users, groups, or applications the policy applies to.

  Choose the authentication context: Select the authentication context you configured in Step 1.

  Enable the policy: Set the policy to On or Report-only for testing.

  Step 3: Add the protected actions

  Add protected actions:

  Navigate to Protected actions: In the Microsoft Entra admin center, navigate to Identity > Roles and administrators > Protected actions.

  Add a new protected action: Click Add protected actions and select the authentication context you configured in Step 1.

  Select permissions: Choose the specific permissions you want to protect with the Conditional Access policy.

  Save the protected action: Click Save to link the authentication context and permissions.

• Question 350:

  You create a conditional access policy that blocks access when a user triggers a high-severity sign-in alert.

  You need to test the policy under the following conditions:

  1. A user signs in from another country.

  2. A user triggers a sign-in risk.

  What should you use to complete the test?

  A. the Conditional Access What If tool
  B. sign-ins logs in Azure Active Directory (Azure AD)
  C. the activity logs in Microsoft Defender for Cloud Apps
  D. access reviews in Azure Active Directory (Azure AD)
  A. the Conditional Access What If tool