Microsoft SC-300 Online Practice Questions and Exam Preparation

Microsoft SC-300 Online Questions & Answers

• Question 381:

  You work for a company named Contoso, Ltd. that has a Microsoft Entra tenant named contoso.com.

  Contoso is working on a project with the following two partner companies:

  A company named A. Datum Corporation that has a Microsoft Entra tenant named adatum.com.

  A company named Fabrikam, Inc. that has a Microsoft Entra tenant named fabrikam.com.

  When you attempt to invite a new guest user from adatum.com to contoso.com, you receive an error message.

  You can successfully invite a new guest user from fabnkam.com to contoso.com.

  You need to be able to invite new guest users from adatum.com to contoso.com.

  What should you configure?

  A. Guest invite settings
  B. Verifiable credentials
  C. Named locations
  D. Collaboration restrictions
  D. Collaboration restrictions

  ---

  Explanation

  Allow or block invitations to B2B users from specific organizations.

  External collaboration settings let you specify what roles in your organization can invite external users for B2B collaboration. These settings also include options for allowing or blocking specific domains, and options for restricting what external guest users can see in your Microsoft Entra directory. The following options are available:

  *-> Allow or block domains: You can use collaboration restrictions to allow or deny invitations to the domains you specify.

  Note:

  Also:

  * Determine guest user access: Microsoft Entra External ID allows you to restrict what external guest users can see in your Microsoft Entra directory. For example, you can limit guest users' view of group memberships, or allow guests to view only their own profile information.

  * Specify who can invite guests: By default, all users in your organization, including B2B collaboration guest users, can invite external users to B2B collaboration. If you want to limit the ability to send invitations, you can turn invitations on or off for everyone, or limit invitations to certain roles.

  * Enable guest self-service sign-up via user flows: For applications you build, you can create user flows that allow a user to sign up for an app and create a new guest account. You can enable the feature in your external collaboration settings, and then add a self-service sign-up user flow to your app.

  References:

  https://learn.microsoft.com/en-us/entra/external-id/external-collaboration-settings-configure

• Question 382:

  You have 2,500 users who are assigned Microsoft Office 365 Enterprise E3 licenses. The licenses are assigned to individual users.

  From the Groups blade in the Microsoft Entra admin center, you assign Microsoft Office 365 Enterprise E5 licenses to a group that includes all users.

  You need to remove the Office 365 Enterprise E3 licenses from the users by using the least amount of administrative effort.

  What should you use?

  A. the Set-MgUserLicense Cmdlet
  B. the Identity Governance blade in the Microsoft Entra admin center
  C. the Set-WindowsProductKey Cmdlet
  D. the Administrative units blade in the Microsoft Entra admin center
  A. the Set-MgUserLicense Cmdlet

  ---

  Explanation

  To efficiently remove Microsoft Office 365 Enterprise E3 licenses from 2,500 users, you can utilize the Set-MgUserLicense cmdlet from the Microsoft Graph PowerShell module. This cmdlet allows administrators to manage user licenses programmatically, enabling bulk operations with minimal administrative effort.

  1. Connect to Microsoft Graph: Connect-Graph -Scopes User.ReadWrite.All

  2. Retrieve the SKU ID for the E3 License: $e3Sku = Get-MgSubscribedSku | Where-Object

  {$_.SkuPartNumber -eq "ENTERPRISEPACK"} 3. Identify Users with E3 Licenses:

  $usersWithE3 = Get-MgUser -Filter "assignedLicenses/any(x:x/skuId eq $($e3Sku.SkuId))" 4. Remove E3 Licenses from Users: foreach ($user in $usersWithE3) { Set-MgUserLicense -UserId $user.Id -RemoveLicenses @($e3Sku.SkuId) }

  References:

  https://learn.microsoft.com/en-us/microsoft-365/enterprise/remove-licenses-from-user-accounts-with-microsoft-365-powershell?view=o365-worldwide

• Question 383:

  SIMULATION

  Use the following login credentials as needed:

  To enter your username, place your cursor in the Sign in box and click the username below.

  To enter your password, place your cursor in the Enter password box and click the password below.

  Microsoft 365 Username: [email protected]

  Microsoft 365 Password: 1122334455667788

  If the Microsoft 365 portal does not load successfully in the browser, press CTRL+K to reload the portal in a new browser tab.

  The following information is for technical support purposes only:

  Lab Instance: 99999999

  You need to assign a Windows 10/11 Enterprise E3 license to the sg-Retail group.

  To complete this task, sign in to the appropriate admin center.

  A. See the explanation below
  B. PlaceHolder
  C. PlaceHolder
  D. PlaceHolder
  A. See the explanation below

  ---

  Explanation

  

  To assign a license to a group

  Step 1: Sign in to the Microsoft Entra admin center as at least a License Administrator.

  Step 2: Browse to Identity > Billing > Licenses.

  Step 3: Select the name of the license plan [Select Windows 10/11 Enterprise E3 license] you want to assign to the group.

  Step 4: On the Product page, select Assign.

  Step 5: On the Assign page, select Users and groups, and then search for and select the group you're assigning the license. [Select the sg-Retail group]

  Step 6: Select Assignment options, make sure you have the appropriate license options turned on, and then select OK.

  The Assign license page updates to show that a user is selected and that the assignments are configured.

  Step 7: Select Assign.

  The group is added to the list of licensed groups and all of the members have access to the included Microsoft Entra services.

  References:

  https://learn.microsoft.com/en-us/entra/fundamentals/license-users-groups

• Question 384:

  You have a Microsoft 365 tenant.

  All users have computers that run Windows 10. Most computers are company-owned and joined to Azure Active Directory (Azure AD). Some computers are user-owned and are only registered in Azure AD.

  You need to prevent users who connect to Microsoft SharePoint Online on their user-owned computer from downloading or syncing files. Other users must NOT be restricted.

  Which policy type should you create?

  A. a Microsoft Cloud App Security activity policy that has Microsoft Office 365 governance actions configured
  B. an Azure AD conditional access policy that has session controls configured
  C. an Azure AD conditional access policy that has client apps conditions configured
  D. a Microsoft Cloud App Security app discovery policy that has governance actions configured
  B. an Azure AD conditional access policy that has session controls configured

  ---

  Explanation

  References:

  https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad

• Question 385:

  Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs user accounts with a Microsoft 365 E5 subscription.

  You need to ensure that on-premises account lockout policies are applied to Microsoft Entra sign-ins.

  What should you configure?

  A. Azure Active Directory Seamless Single Sign-on (Azure AD Seamless SSO)
  B. Microsoft Entra Cloud Sync
  C. password hash synchronization
  D. pass-through authentication
  D. pass-through authentication

  ---

  Explanation

  Microsoft Entra pass-through authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. This feature provides your users a better experience - one less password to remember, and reduces IT helpdesk costs because your users are less likely to forget how to sign in. When users sign in using Microsoft Entra ID, this feature validates users' passwords directly against your on-premises Active Directory. This feature is an alternative to Microsoft Entra password hash synchronization, which provides the same benefit of cloud authentication to organizations. However, certain organizations wanting to enforce their on-premises Active Directory security and password policies, can choose to use Pass-through Authentication instead.

  References:

  https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-pta

• Question 386:

  HOTSPOT

  You have a Microsoft 365 E5 subscription that contains a Microsoft Teams team named Team1 and two Microsoft 365 groups named Group1 and Group2. The subscription contains the users shown in the following table.

  

  You create an access package that has the following settings:

  - Name: Package1

  - Resource roles:

  o Team1: Owner

  - Users who can request access: For users in your directory o Specific Users and Groups: Group1

  - Require approval: Yes

  o Require requestor justification: No

  o How many stages: 1

  o First Approver: Team1, User3

  o Require approver justification: Yes

  - Enable new requests: Yes

  - Expiration:

  o Access package assignments expire: 7 days o Users can request specific timeline: Yes

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  Box 1: Yes - User1 can gain access to Team1 by requesting Package1.

  User1 is member of Group1.

  Users who can request access: For users in your directory.

  Specific Users and Groups: Group1

  Box 2: No - User2 can gain access to Team1 by requesting Package1. User2 is not member of Group1. Only members of Group1 can request access.

  Box 3: No - User3 can approve their own request for Package1.

  User3 is member of Group1. User3 is Global Administrator. Group1 can request access. User3 is also First Approver. However, Approvers are not able to approve their own role activation requests.

  References:

  https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-access-package-approval-policy

• Question 387:

  You need to configure the detection of multi staged attacks to meet the monitoring requirements.

  What should you do?

  A. Customize the Azure Sentinel rule logic.
  B. Create a workbook.
  C. Add an Azure Sentinel playbook.
  D. Add Azure Sentinel data connectors.
  A. Customize the Azure Sentinel rule logic.

• Question 388:

  HOTSPOT

  You have an Azure Active Directory (Azure AD) tenant that contains an administrative unit named Department1.

  Department1 has the users shown in the Users exhibit. (Click the Users tab.)

  

  Department1 has the groups shown in the Groups exhibit. (Click the Groups tab.)

  

  Department1 has the user administrator assignments shown in the Assignments exhibit. (Click the Assignments tab.)

  

  The members of Group2 are shown in the Group2 exhibit. (Click the Group2 tab.)

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  

  

• Question 389:

  You have a Microsoft Entra tenant named contoso.com that contains an enterprise application named App1.

  A contractor uses the credentials of [email protected].

  You need to ensure that you can provide the contractor with access to App1. The contractor must be able to authenticate as [email protected].

  What should you do?

  A. Add a custom domain name to contoso.com.
  B. Configure the External collaboration settings.
  C. Create a guest user account in contoso.com.
  D. Add a WS-Fed identity provider.
  C. Create a guest user account in contoso.com.

  ---

  Explanation

  Correct: * Create a guest user account in contoso.com. * Run the New-AzureADMSInvitation cmdlet.

  Incorrect: * Add a custom domain name to contoso.com * Add a WS-Fed identity provider. * Configure the External collaboration settings. * Implement Azure AD Connect. * Run the New-AzADUser cmdlet.

  References:

  https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-

  https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureadmsinvitation?view=azureadps-2.

• Question 390:

  You have a Microsoft 365 tenant.

  All users have mobile phones and Windows 10 laptops.

  The users frequently work from remote locations that do not have Wi-Fi access or mobile phone connectivity.

  While working from the remote locations, the users connect their laptop to a wired network that has internet access.

  You plan to implement multi-factor authentication (MFA).

  Which MFA authentication method can the users use from the remote location?

  A. Windows Hello for Business
  B. an app password
  C. a notification through the Microsoft Authenticator app
  D. security questions
  A. Windows Hello for Business

  ---

  Explanation

  In scenarios where users operate from remote locations lacking Wi-Fi and mobile phone connectivity, traditional MFA methods like app notifications or SMS are impractical. Windows Hello for Business offers a suitable solution by providing a passwordless sign-in experience that utilizes biometrics (such as facial recognition or fingerprint) or a PIN. This method does not depend on external networks or devices, making it ideal for users with only wired internet access.

  References:

  https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods