Practice Free SC-300 Microsoft Identity and Access Administrator Exam Questions Answers With Explanation

According to the Microsoft SC-300: Identity and Access Administrator official study guide and the Microsoft Learn module “Manage user and group licenses in Microsoft Entra ID (Azure AD)”, when you need to automatically assign licenses to users based on specific attributes (such as department, location, or a custom attribute like LWLicenses ), you should use a Dynamic User Security Group in Azure Active Directory (Entra ID).

In the scenario, Litware wants to:

“Manage the assignment of Azure AD licenses by modifying the value of the LWLicenses attribute. Users who have the appropriate value for LWLicenses must be added automatically to the Microsoft 365 group that has the appropriate license assigned.”

This requirement directly maps to a Dynamic User security group, which supports dynamic membership rules that automatically include users when their attributes meet defined conditions (for example, user.extensionAttribute15 -eq " E5 " ). When a license is assigned to this dynamic group, Azure AD automatically provisions or removes licenses for members based on their attribute values — eliminating manual license management.

Per Microsoft documentation:

“You can assign licenses to a group that has dynamic membership. When a user’s attributes change, Azure AD automatically adds or removes them from the group, which updates their license assignments accordingly.”

Now, analyzing the other options:

B. An OU (Organizational Unit): Used in on-premises Active Directory, not Azure AD. It cannot manage cloud-based license assignments.

C. A Distribution Group: Used for email distribution in Exchange Online; cannot be used for license assignment.

D. An Administrative Unit: Used for scoping administrative permissions, not for license assignment.

Therefore, the only object type that satisfies both the technical and automation requirements is a Dynamic User Security Group.

? Correct Answer: A. A Dynamic User security group

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and the Microsoft Learn module “Publish on-premises apps for remote access using Azure AD Application Proxy”, Azure AD Application Proxy enables secure remote access to internal, on-premises web applications without requiring VPN access.

In the scenario, App1 is an on-premises application hosted within the Litware network, and the technical requirements specify that it must be securely accessible to both internal and external users — including Fabrikam guest accounts — through Azure AD authentication.

Microsoft’s official documentation states:

“Azure AD Application Proxy provides secure remote access to on-premises web applications, integrating with Azure AD for single sign-on (SSO) and conditional access policies.”

Given that the environment already includes a server (SERVER1) running the Azure AD Application Proxy connector, and that Litware wants to enforce Azure AD Conditional Access and MFA for App1, Azure AD Application Proxy is the correct implementation.

The other options are not suitable:

A. Policy set in Microsoft Endpoint Manager: Used for device compliance and app management, not for publishing on-premises apps.

B. App configuration policy in Endpoint Manager: Used for mobile app configuration (e.g., MAM policies), not for access publishing.

C. App registration in Azure AD: Used for modern cloud or SaaS apps integration, but App1 is on-premises and needs proxy access.

Correct Answer: D. Azure AD Application Proxy

According to the Microsoft SC-300: Identity and Access Administrator official study guide and Microsoft Learn modules on Azure AD Identity Governance , the correct way to manage user access—especially for scenarios involving both internal and external users—is through Entitlement Management in Azure AD Identity Governance .

Entitlement Management uses access packages to define and automate how users obtain access to resources such as groups, SharePoint sites, and applications. Access packages contain policies that specify who can request access (internal users, external users, or both) and how that access is approved and periodically reviewed. The guide clearly states:

“Access packages provide a structured method to configure and automate access for users, ensuring that access assignments follow the organization’s policy and compliance requirements.”

To enable external collaboration with another organization (such as fabrikam.com ), Microsoft documentation emphasizes that you must create a connected organization . A connected organization represents an external directory or domain whose users can be invited to request access packages or participate in identity governance workflows. The connected organization defines trust boundaries for cross-tenant collaboration, without requiring domain federation or acceptance.

In summary:

Access packages configure and automate user access.

According to the Microsoft Identity and Access Administrator (SC-300) official study guide and Microsoft Learn module “Implement and manage user risk policies”, the scenario where “users must be forced to change their password if there is a probability that their identity was compromised” directly maps to the Azure AD Identity Protection “User risk policy.”

In Azure AD Identity Protection, user risk represents the likelihood that an account’s credentials have been compromised. When Azure AD detects a high user risk (for example, leaked credentials, atypical sign-in behavior, or sign-ins from unfamiliar locations), the User Risk Policy can be configured to automatically block access or require the user to reset their password upon the next sign-in.

Before a user can reset their password or complete remediation, they must have a registered authentication method (for password reset and MFA). Therefore, users must first register for multi-factor authentication (MFA) — this registration enables the authentication methods (like phone number or authenticator app) that are also used during password reset verification.

The SC-300 documentation specifically highlights:

“To enforce a password change when a user’s identity risk is high, the user must be registered for MFA, and a user risk policy must be configured to require password change.”

Thus, the correct configuration is:

Users must first register for MFA — to ensure they have verified methods available.

Configure a user risk policy — to automatically trigger password reset upon detection of compromised credentials.

Correct Answers:

Users must first: Register for multi-factor authentication (MFA).

You must configure: A user risk policy.

? The users must first: Register for multi-factor authentication (MFA)

? You must configure: A user risk policy

According to Microsoft SC-300 official learning materials and Exam Ref SC-300: Microsoft Identity and Access Administrator , when the requirement is to address the probability that user identities were compromised, the appropriate feature is Azure AD Identity Protection. Identity Protection detects risky sign-ins and risky users through continuous analysis of login behavior, location, device, and credential exposure signals.

Two types of policies can be created:

Sign-in risk policy – Triggers actions based on suspicious sign-in behavior (for example, unfamiliar location).

User risk policy – Triggers actions when the user’s overall identity is deemed at risk (for example, compromised credentials).

The documentation specifies:

“When user risk is detected, the policy can require the user to change their password to remediate the risk. Users must first be registered for MFA to perform secure password change operations.”

Therefore, before the user risk policy can be enforced, users must be enrolled in multi-factor authentication (MFA). MFA is used during the remediation step (password change) to verify the user’s identity securely.

Thus, to meet the requirement for “the probability that user identities were compromised,” you configure a user risk policy in Azure AD Identity Protection, and ensure that users first register for MFA so that they can complete password change or verification flows when risks are detected.

As per the Microsoft SC-300: Identity and Access Administrator official study materials and Microsoft Learn documentation on “Manage administrative units in Azure Active Directory” , Administrative Units (AUs) are designed to delegate administrative permissions within large organizations based on divisions such as geography or department. They provide scoped administrative control —allowing helpdesk or user administrators to manage users only within a specific subset of the directory, such as a branch office or department.

In this scenario, Contoso’s technical requirement states:

“The helpdesk administrators must be able to manage licenses for only the users in their respective office.”

To fulfill this, you must create an administrative unit for each branch office (e.g., Montreal, London, Seattle) and assign helpdesk administrators scoped to those AUs. This ensures that each helpdesk admin can only manage licenses for the users within their respective office, enforcing the principle of least privilege.

The Azure Active Directory admin center is the correct tool for creating and managing administrative units. SC-300 guidance clarifies that administrative units are Azure AD objects , not on-premises Active Directory objects like Organizational Units (OUs). Therefore, they are created and managed exclusively through the Azure portal , Microsoft Graph , or PowerShell for Azure AD , but the most straightforward interface for exam purposes is the Azure AD admin center .

In the SC-300 coverage of Azure AD Connect and Identity Governance, Microsoft explains that to surface a custom on-premises attribute in Azure AD you must enable Directory extensions in Azure AD Connect. The guide states that “Directory extensions lets you synchronize additional attributes from on-premises Active Directory to Azure AD so they are available in the cloud directory for apps and policy.” This is the supported way to bring a custom attribute (here, LWLicenses ) from the litware.com forest into Azure AD so it can be referenced by cloud features such as dynamic group rules. Domain filtering or optional features do not expose a new attribute to Azure AD; directory extensions does.

For license automation, the SC-300 materials on group-based licensing and dynamic groups emphasize that “licenses can be assigned to Azure AD groups; group members then inherit the licenses, and when membership changes, licenses are added or removed automatically.” They further note that “dynamic user groups evaluate rules against user attributes to add or remove users without manual effort,” and that “nested groups are not supported for license inheritance—only direct members receive licenses.” Using the synced LWLicenses attribute in a Dynamic User group rule (for example, user.extensionAttribute… -eq " E5 " ) ensures users are automatically added to the correct group and therefore receive the specified licenses without administrative intervention, fully meeting Litware’s requirement to “manage the assignment of Azure AD licenses by modifying the value of the LWLicenses attribute.”

In SC-300, Azure AD Identity Protection is the prescribed control to “automatically detect and remediate externally leaked credentials.” That specific user risk—Leaked credentials—relies on Microsoft comparing known breached username/password pairs with what Azure AD can evaluate. The study materials explain that Identity Protection “detects leaked credentials when Microsoft finds a match with the user’s current credentials,” and also note that password hash synchronization (PHS) can be enabled even if your sign-in method is Pass-through Authentication or federation. A common exam call-out is that without PHS, Azure AD has no hash to compare, so the leaked-credential signal is unavailable. Enabling PHS (you can keep PTA as the active sign-in method) allows Identity Protection to raise user risk and enforce policy actions such as require password change or block access. By contrast, Azure AD Password Protection addresses banned/weak passwords at change time, not breached-credential telemetry; federation choices (e.g., PingFederate) don’t deliver the leaked-credential signal; and authentication method policy controls how users perform MFA (e.g., methods) rather than whether leaked credentials are detected. Therefore, to meet the requirement to “automatically detect and remediate externally leaked credentials,” the minimum correct step is to enable password hash synchronization while retaining PTA—exactly as recommended in SC-300 guidance.

SC-300 materials stress that to enforce modern controls (like MFA) on on-premises apps, you must front them with Azure AD so Conditional Access can evaluate sign-ins. The documentation states that Azure AD Application Proxy “ provides secure remote access to on-premises applications ” and that apps published through it can have “ Conditional Access policies, including multifactor authentication ” applied at sign-in. In other words, once the legacy app is published by Application Proxy, Azure AD sits in the path, enabling you to meet the requirement to enforce MFA when accessing on-premises applications and to combine it with your location-based exemptions.

For SharePoint Online restrictions, SC-300 points to Microsoft Cloud App Security (Defender for Cloud Apps) for real-time governance: you can create session policies that “ control and limit activities in real time ” and, for SharePoint Online and other Microsoft 365 apps, “ monitor user sessions and block download, cut, copy, and print ” when conditions (device state, risk, or location) warrant it. Since the scenario already has anomaly detections enabled, configuring Cloud App Security policies aligns directly with the requirement to place access restrictions on SharePoint Online without altering tenant-wide consent settings. Thus, publish on-prem apps with Application Proxy to bring them under Conditional Access (for MFA), and use Cloud App Security policies to enforce SharePoint Online session and download controls.

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and the Microsoft Learn module “Monitor and respond to Azure AD events with Azure Sentinel” , multi-staged attacks are advanced threat scenarios that require correlation of multiple events — for example, a suspicious sign-in followed by abnormal Office 365 activity.

The scenario in the question states:

“Litware wants to use the Fusion rule in Azure Sentinel to detect multi-staged attacks that include a combination of suspicious Azure AD sign-ins followed by anomalous Microsoft Office 365 activity.”

Azure Sentinel’s Fusion rule is a built-in, machine-learning–driven correlation rule that automatically detects multi-stage attacks by analyzing anomalies across multiple data sources such as Azure AD sign-in logs, Office 365 activity, and security alerts.

However, to fine-tune detection or meet specific organizational monitoring requirements, administrators can customize the rule logic in Sentinel analytics. This allows you to define how different signals and events are correlated, what thresholds trigger an alert, and how Sentinel interprets combined anomalies.

Microsoft documentation states:

“Fusion uses correlation logic in analytics rules to detect complex multi-stage attacks. Administrators can customize rule logic to meet specific detection requirements and fine-tune alert sensitivity.”

The other options do not meet the requirement:

B. Create a workbook ? Used for visualization and reporting, not detection.

C. Add data connectors ? Used to ingest data sources; this is already configured.

D. Add a playbook ? Used for automated response, not for detection logic configuration.

? Correct Answer: A. Customize the Azure Sentinel rule logic

Server1

On DC1

Azure AD Password Protection has two components: the DC agent (installed on domain controllers) and the proxy service (installed on one or more member servers). The SC-300 materials and Microsoft Identity Governance guidance explain that the proxy service is required when domain controllers do not have direct internet access. The proxy retrieves the password protection policy and custom banned password list from Azure AD over outbound HTTPS and makes it available to DC agents. The documentation further states that you should deploy at least one proxy per forest and two for high availability, and that domain controllers do not need internet connectivity when a proxy is deployed. In this scenario, DCs are explicitly blocked from internet access, so the proxy must be placed on member servers. Both SERVER1 (Application Proxy connector) and SERVER2 (Azure AD Connect) are domain-joined member servers with internet connectivity and are appropriate locations for the AzureADPasswordProtectionProxy service; selecting both provides the recommended redundancy. The custom banned password list is configured in Azure AD at the tenant level (as part of Azure AD Password Protection settings), not on individual servers. Once configured, the policy and list are downloaded by the proxy and enforced by the DC agent during password set or change operations, satisfying the requirement to implement a banned password list for the litware.com forest.

In Azure AD Identity Governance, application access granted through Entitlement management is organized around catalogs and access packages. The SC-300 study materials explain that “a catalog is a container for resources and access packages” and that you must add your enterprise applications (or the groups tied to those apps) to a catalog before you can build access packages that users can request. Creating the catalog first enables you to place only the required resources in scope and to delegate day-to-day ownership: “catalog owners can manage the resources and access packages within their catalog without being tenant-wide admins,” satisfying the delegation requirement to use custom catalogs and least privilege. After the catalog exists, you create one or more access packages that include the application (or groups) and policies that control who can request, how they are approved, and for how long. Identity Governance then lets you track access package assignments and review who has the app over time. By contrast, programs are used to group and report on governance initiatives (for example, collections of access reviews) rather than to onboard application resources; and modifying user/admin consent settings affects app consent behavior, not the lifecycle tracking of assignments. Therefore, the correct first step to track application access assignments while meeting the delegation requirements is to create a catalog.

SC-300 emphasizes using Conditional Access with named locations to scope MFA—especially to exclude trusted corporate egress IPs . The materials state that administrators can define named locations by public IP ranges and “mark them as trusted” for policy exceptions. This aligns with the requirement: enforce MFA for all users, but exempt users authenticating from the Boston office. Because Azure AD evaluates the client’s public egress address, private RFC1918 ranges are never seen by Azure AD on the internet, so defining private IP ranges would not work. Likewise, the legacy “Trusted IPs” setting belongs to the old per-user MFA service settings; SC-300 guidance prefers Conditional Access named locations for modern MFA deployments and for combining with other conditions (apps, platforms, user risk, locations). Implementing the Boston office as a named location using its public egress IP range(s), and marking it trusted, lets you exclude that location from the tenant-wide MFA policy while still meeting the broader requirement to enforce MFA for everyone else and for on-prem apps published via Azure AD Application Proxy. In short: define Boston’s public IP as a named location and use it in your Conditional Access policy exclusion to satisfy the exemption precisely and securely.

According to the Microsoft Identity and Access Administrator (SC-300) Exam Ref and the Azure AD Dynamic Membership Rules documentation , when you create a dynamic group in Azure Active Directory (now Entra ID), you define rules that automatically add or remove users based on their attributes.

The scenario requires a group named LWGroup1 that contains all Azure AD user accounts for Litware but excludes all guest accounts . In Azure AD, internal users created within the tenant are designated with the attribute user.userType = " Member " , while external or guest accounts from partner organizations have user.userType = " Guest " .

To ensure only internal (Litware) users are included, the membership rule must:

Ensure the user object exists — by checking (user.objectId -ne null) which confirms that the rule only applies to valid user objects.

Include only members, excluding guests — by filtering with (user.userType -eq " Member " ) .

Hence, the dynamic rule that satisfies these conditions is:

(user.objectId -ne null) and (user.userType -eq " Member " )

This rule guarantees that LWGroup1 dynamically includes all internal users from litware.com and excludes all external users or guest accounts (such as Fabrikam users).

This logic aligns precisely with the Microsoft Learn module “Manage groups in Azure Active Directory” and SC-300 study guide section “Implement and manage dynamic membership rules” , which states:

“Use user.userType to distinguish between internal members and external guests when configuring membership rules for dynamic groups.”

? Correct Answer:

(user.objectId -ne null) and (user.userType -eq " Member " )

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and Microsoft Learn modules “Implement and manage Azure AD roles” and “Implement Privileged Identity Management (PIM)” , there is a clear distinction between Azure AD built-in roles and Azure (resource-based) built-in roles.

Azure AD built-in roles govern directory-level access — such as managing users, groups, enterprise apps, or security settings in Azure Active Directory (Entra ID). The Privileged Role Administrator role allows the user to manage role assignments for directory roles in Azure AD, including activating roles through PIM. The Global Administrator also has this capability, but the Privileged Role Administrator is the least privilege role that meets the delegation requirement — aligning with the principle of least privilege stated in the scenario. As the documentation notes:

“Privileged Role Administrator manages role assignments in Azure AD, including the ability to activate and assign roles through Azure AD Privileged Identity Management.”

Azure built-in roles, on the other hand, are used to control access at the Azure resource level — for subscriptions, resource groups, and individual resources. The role responsible for managing these assignments is the User Access Administrator. This role can grant or revoke access to Azure resources by managing role assignments within Azure RBAC (Role-Based Access Control). The Microsoft documentation states:

“User Access Administrator allows management of user access to Azure resources. It can assign roles in Azure RBAC for resources, subscriptions, and management groups.”

Therefore:

? To manage Azure AD built-in role assignments ? Privileged role administrator

? To manage Azure built-in role assignments ? User access administrator

This approach satisfies the delegation requirement mentioned in the scenario by assigning the least-privileged roles necessary for each type of role management task.

Assigning built-in directory roles (like Device Administrators) to a group requires a role-assignable group. The SC-300 documentation explains: “You can assign Azure AD roles to a cloud security group by creating the group with the setting ‘Azure AD roles can be assigned to the group.’” It further emphasizes: “This attribute is immutable; you must decide at creation time. You cannot convert an existing group to be role-assignable later.” When a standard security group is not created as role-assignable, it will not appear in the picker when attempting to assign a directory role—exactly the behavior observed: “groups that aren’t role-assignable cannot be selected for Azure AD role assignments.” Therefore, the first step is to recreate IT_Group1 as a role-assignable security group (often called an “eligible for role assignment” group) and then assign the Device Administrators role to that group. Changing membership types (Dynamic User or Dynamic Device) or adding owners does not convert an existing group into a role-assignable one and thus would not resolve the issue.

According to the Microsoft Identity and Access Administrator (SC-300) Official Study Guide and Microsoft Learn documentation on Azure AD roles and permissions , the Cloud Application Administrator role provides privileges to manage applications while enforcing the principle of least privilege.

The scenario requires:

Preventing User1 from being added as an owner of newly registered apps.

Allowing User1 to manage Application Proxy settings (used for publishing on-premises apps through Azure AD).

Allowing User2 to register new applications.

Application Administrator: Can create and manage all app registrations and enterprise apps, and can add owners — too permissive for this requirement.

Cloud Application Administrator: Can manage applications, including Application Proxy settings, but cannot assign application owners or grant broad permissions.

Application Developer: Can only register and manage own applications.

Service Support Administrator: Provides service health access — not relevant here.

Role Comparison (from Microsoft documentation): Thus, to let User1 manage Application Proxy and prevent assigning ownership of new apps, Cloud Application Administrator is the correct and least-privileged choice.

To allow User1 to purchase a Microsoft Entra Permissions Management license, you need to grant them the permission to perform billing or purchase operations. Microsoft documentation for Microsoft Entra Permissions Management states that to activate a trial or purchase a license, you must have Billing Administrator permissions.

Specifically, under the “Enabling Permissions Management” section, Microsoft says:

“Sign in as a Global Administrator … In the Entra ID portal … select Microsoft Entra Permissions Management, then select the link to purchase a license or begin a trial.”

And in the product roles and permissions documentation, Microsoft lists “Billing Administrator” as a built-in role that performs billing related tasks like managing payment information and also mentions that to activate (i.e. purchase) Permissions Management you require Billing Administrator role.

Assigning Global Administrator (option D) is too broad and would violate principle of least privilege. Permissions Management Administrator allows managing the product after it ' s enabled, but doesn ' t grant purchase rights. User Access Administrator is an Azure role that grants permissions to manage role assignments but not purchase licenses. Thus the minimal correct role is Billing Administrator .

SC-300 materials explain that Conditional Access (CA) evaluates assignments (who/what) and conditions/exclusions before applying grant controls. Policy CA1 targets Group1 and requires MFA, but explicitly excludes Global Administrator and Group2. User1 is in Group1 and holds the Global Administrator role, so the directory-role exclusion means CA1 does not apply and no other policy targets User1 ? no MFA prompt. Policy CA2 targets Group2 and blocks access to all cloud apps, with an exclusion for Group3. User2 is in Group2 and not in Group3, so CA2 applies and blocks SharePoint Online sign-in. User3 is in Group2 and Group3; because Group3 is excluded from CA2, the block does not apply. User3 is not in Group1, so CA1 doesn’t apply either; therefore, User3 can sign in normally. The SC-300 guidance also notes that exclusions take precedence over inclusions, and block access is an enforcing control when a matching policy applies, while policies are evaluated independently with the most restrictive applicable outcome applied per user and sign-in.

To ensure VM1 can retrieve the values of secrets stored in Vault1 while minimizing administrative effort, you should assign an Azure role to VM1 .

1. Managed Identities and Key Vault Access: VM1 has a system-assigned managed identity . This identity acts as a Service Principal in Microsoft Entra ID (formerly Azure AD). To access Key Vault secrets, this identity must be granted permissions on the Key Vault.

2. Permission Models (RBAC vs. Access Policies): Azure Key Vault supports two permission models:

Azure role-based access control (Azure RBAC): The recommended, modern authorization system. It allows you to manage access to Key Vault keys, secrets, and certificates centrally using Azure IAM (Identity and Access Management), just like other Azure resources. It provides fine-grained access control and integrates with PIM (Privileged Identity Management).

Vault access policy: The legacy model where permissions are defined within the Key Vault ' s own " Access policies " blade.

3. Why " Assign an Azure role " (Option D) is the Correct First Step:

Minimizing Administrative Effort: Using Azure RBAC is the recommended best practice for minimizing effort because it unifies access management across Azure resources.

The Action: To grant the required access (reading secrets) under the RBAC model, you must assign a specific role to the managed identity. The appropriate role is Key Vault Secrets User , which grants permission to read secret contents (Get and List operations) without granting administrative privileges (adhering to Least Privilege).

Scenario Analysis: While older Key Vaults defaulted to Access Policies, new vaults and the " minimize effort " requirement point towards the RBAC model. Option A ( " Configure the Resource access settings " ) is vague and likely refers to the " Access configuration " or " Access policies " blade, but " Assign an Azure role " is the definitive action to grant access in the modern RBAC workflow. If the vault were in Access Policy mode, one would typically " Add an access policy, " but that specific option is not listed, reinforcing that RBAC (Option D) is the intended path.

Documentation Extract:

" Azure RBAC is an authorization system built on Azure Resource Manager that provides centralized access management of Azure resources... The Azure RBAC model allows users to set permissions on different scope levels... To grant access to a specific user, group, or application... assign a role. For example, the Key Vault Secrets User role allows a user to read secret contents. " (Source: Microsoft Learn - Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control)

< ? GroupA: ? User1, Group1, Group2, and Group3 only

? GroupB: ? User1, Group1, Group2, and Group4 only

According to the Microsoft Identity and Access Administrator (SC-300) Official Study Guide and the Microsoft Learn module “Manage groups in Azure Active Directory” , group nesting rules in Azure AD depend on group type and membership type .

GroupA is a Security group with an Assigned membership type.

In Azure AD, security groups (whether assigned, dynamic user, or dynamic device) can contain users , devices , and other security groups as members.

However, Microsoft 365 groups cannot be added to a security group because Microsoft 365 groups include collaborative services (SharePoint, Teams, Planner) that rely on unique membership and ownership models.

Therefore, GroupA (security group) can include:

User1 (user) ?

Group1 (security - assigned) ?

Group2 (security - dynamic user) ?

Group3 (security - dynamic device) ?

? Group4 (Microsoft 365 group) — not allowed in a security group.

? Correct composition for GroupA: User1, Group1, Group2, and Group3 only.

GroupB is a Microsoft 365 group with an Assigned membership type.

Microsoft 365 groups can include users and security groups as members, but cannot include other Microsoft 365 groups (nested Microsoft 365 groups are not supported).

So GroupB can include:

User1 (user) ?

Group1 (security - assigned) ?

Group2 (security - dynamic user) ?

? Group3 (dynamic device) — device groups can’t be members of M365 groups.

Group4 (Microsoft 365 group) ? — nesting M365 groups is not supported.

? Correct composition for GroupB: User1, Group1, Group2, and Group4 only.

By default, only Global Administrators and Identity Governance Administrators can create catalogs in Azure AD Entitlement Management. To delegate this ability to other users such as User1, you must modify the Entitlement Management Settings in the Identity Governance blade.

Microsoft documentation and the SC-300 exam guide note:

“In the Entitlement management settings, you can configure who can create new catalogs and manage catalog ownership.”

Therefore, granting User1 the permission to create catalogs and add resources requires configuring entitlement management settings—not changing role assignments in the Roles and administrators blade.

This scenario is based on how Azure AD Multi-Factor Authentication (MFA) statuses transition between Disabled , Enabled , and Enforced states, as documented in the Microsoft SC-300: Microsoft Identity and Access Administrator Study Guide and Microsoft Learn – Configure and deploy MFA in Azure Active Directory .

Let’s analyze the details step-by-step using the exhibits:

Initial MFA Configuration (February 1, 2021)

User1: Disabled

User2: Enabled

User3: Enforced

MFA Policy Setting

“Allow users to remember multi-factor authentication on devices they trust” is enabled .

“Number of days users can trust devices for” is 20 days . This means that once a user completes MFA on a trusted device, they won’t be prompted again for 20 days on that same device.

User Sign-in Activity:

User1: Signs in on Feb 2 and again on Feb 21

User2: Signs in on Feb 5

User3: Already in Enforced state (so continuous MFA enforcement applies)

State Transitions per Microsoft Documentation:

Disabled: User cannot register or use MFA.

Enabled: User is registered for MFA but not yet required at every sign-in. Once they complete registration, they remain Enabled until admin enforces it.

Enforced: User must use MFA at every sign-in.

Timeline Evaluation:

User1 was initially Disabled , so even though they sign in multiple times (Feb 2 and Feb 21), MFA remains disabled unless the admin manually changes the setting — therefore, User1 = Disabled .

User2 was Enabled on Feb 1, and signed in on Feb 5 — this allows them to register for MFA (move from Enabled ? Enforced ) once registration completes. By Feb 26, they would be in Enforced state.

User3 was already Enforced from the start, and their state remains unchanged.

Thus, by February 26, 2021 , the MFA status should be:

User1: Disabled

User2: Enforced

User3: Enforced

This matches Option B exactly.

Microsoft references (Azure AD MFA Overview):

“Enabled users move to Enforced when they complete MFA registration. Enforced users must use MFA every time they sign in.”

As outlined in the Microsoft Identity and Access Administrator (SC-300) Official Study Guide and Microsoft Learn – Monitor and Analyze Sign-ins in Azure AD , the Azure AD Sign-ins log retains sign-in events for a limited duration depending on the tenant’s licensing tier.

For the default Azure AD Free , Office 365 , and Azure AD Premium P1/P2 tiers, the standard retention period for sign-in logs is 14 days . This means that administrators can query, review, or export sign-in data only for sign-ins that occurred within the past 14 days using the Azure portal , Microsoft Graph API , or Azure AD PowerShell .

The documentation specifies:

“Azure AD stores audit and sign-in events for up to 14 days in the Azure portal. For longer retention, you must integrate with Azure Monitor, Log Analytics, or export to a SIEM solution.”

This information is reinforced in the SC-300 training under the “Implement and monitor identity governance” and “Monitor and troubleshoot Azure AD” modules, which highlight that organizations requiring extended historical data must configure diagnostic settings to forward logs to Azure Log Analytics, Azure Storage, or Event Hubs.

Hence, without additional configuration, Azure AD keeps sign-in logs for 14 days by default — after which they are automatically purged.

? Correct Answer: A. 14 days

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and Microsoft Entra ID (Azure AD) documentation , sign-in logs are the primary source for diagnosing and troubleshooting authentication and access issues for Azure AD–integrated services, including Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) .

The sign-in logs record all user authentication attempts — successful and failed — along with critical details such as:

User identity (User Principal Name)

Application name (in this case, “Microsoft Cloud App Security” or “Microsoft Defender for Cloud Apps”)

IP address and device details

Conditional Access policy outcomes

Failure reasons (e.g., MFA requirement, denied by Conditional Access, invalid token, etc.)

These logs can be accessed directly from the Microsoft Entra admin center ? Monitoring ? Sign-in logs .

They allow administrators to quickly identify why a user was unable to access a specific cloud service , without needing to configure or collect extra data sources.

Other log types do not fit this scenario:

Audit logs record changes (e.g., policy updates, role assignments) but not authentication attempts.

Provisioning logs track synchronization and provisioning events from connected applications.

Log Analytics is a log aggregation workspace; it’s not the first-line diagnostic tool and requires extra configuration.

Hence, to identify the cause of User1’s access error with minimal administrative effort , the correct choice is sign-in logs .

HR is a member of AU1: No

User1 is a member of AU1: Yes

User2 is a member of AU1: No

Let’s break this down step by step based on Microsoft Entra ID dynamic membership rules, administrative units, and group membership, as outlined in Microsoft Identity and Access Administrator documentation.

Understanding Administrative Units and Dynamic Membership in Microsoft Entra ID:

Administrative Units (AUs):Administrative Units in Microsoft Entra ID are used to delegate administrative tasks to a subset of users, groups, or devices. They allow you to scope administrative roles (e.g., User Administrator) to specific users or groups within the AU.

Membership Types for AUs:

Assigned Membership:Members (users, groups, or devices) are manually added to the AU by an administrator.

Dynamic Membership:Members are automatically added or removed based on a dynamic membership rule, similar to dynamic groups. Dynamic membership for AUs can be applied to users or devices (but not groups directly).

The question states that AU1 is initially configured for assigned membership but is then updated to useDynamic Usermembership with the rule (user.department -eq " HR " ).

Dynamic Membership Rule:The rule (user.department -eq " HR " ) means that AU1 will automatically include all users whose department attribute in Microsoft Entra ID is set to " HR " . This rule applies to users, not groups or devices, because the membership type is " Dynamic User. "

Impact of Changing AU1 to Dynamic Membership:

When AU1’s membership type is changed from assigned to dynamic, the existing assigned memberships (e.g., User2, HR group, IT group) are no longer relevant. Thedynamic rule takes over, and AU1’s membership is determined solely by the rule (user.department -eq " HR " ).

Dynamic User Membership:Only users whose attributes match the rule will be members of AU1. Groups (like HR and IT) are not evaluated by this rule because the membership type is " Dynamic User, " not " Dynamic Group. "

Let’s evaluate the users based on the rule:

User1:Department = " HR " . The rule (user.department -eq " HR " ) matches, so User1 will be dynamically added to AU1.

User2:Department = " IT " . The rule does not match, so User2 will not be a member of AU1, even though they were previously assigned to AU1 and are a member of the IT group.

Groups (HR and IT):The dynamic membership rule for AU1 applies to users, not groups. Therefore, groups like HR and IT are not directly evaluated by the rule. However, we need toconsider whether group membership in AU1 affects the statements.

Statement 1: HR is a member of AU1:

Analysis:

The HR group is listed in the second table with AU1 as its administrative unit, indicating that it was initially assigned to AU1 when AU1 used assigned membership.

However, AU1’s membership type has been updated to " Dynamic User " with the rule (user.department -eq " HR " ). Dynamic User membership applies to users, not groups.

In Microsoft Entra ID, administrative units with dynamic user membership do not include groups as members unless the AU’s membership type is explicitly set to " Dynamic Group " (which is not the case here).

When AU1 was changed to dynamic membership, the HR group would no longer be considered a member of AU1 because the dynamic rule only evaluates users. Groups are not dynamically added to AUs based on user attributes.

Conclusion:The HR group is not a member of AU1 after the change to dynamic membership. Therefore, this statement isNo.

Statement 2: User1 is a member of AU1:

Analysis:

User1 has the department attribute set to " HR " (from the first table).

The dynamic membership rule for AU1 is (user.department -eq " HR " ), which matches User1’s department.

Therefore, User1 will be automatically added to AU1 as a member based on the dynamic rule.

Additionally, User1 is a member of the HR group, which was initially assigned to AU1. However, since AU1 now uses dynamic membership, the HR group’s assignment to AU1 is irrelevant. User1’s membership in AU1 is determined solely by the dynamic rule, not their group membership.

Conclusion:User1 is a member of AU1 because their department matches the dynamic rule. Therefore, this statement isYes.

Statement 3: User2 is a member of AU1:

Analysis:

User2 has the department attribute set to " IT " (from the first table).

The dynamic membership rule for AU1 is (user.department -eq " HR " ), which does not match User2’s department.

User2 was initially assigned to AU1 (as shown in the first table) and is a member of the IT group, which was also assigned to AU1. However, when AU1’s membership type was changed to " Dynamic User, " the assigned memberships (including User2 and the IT group) are no longer relevant.

The dynamic rule only includes users with the department " HR, " so User2 is not added to AU1.

Conclusion:User2 is not a member of AU1 because their department does not match the dynamic rule. Therefore, this statement isNo.

Additional Considerations:

If AU1’s membership type were " Dynamic Group " instead of " Dynamic User, " we would evaluate whether the HR and IT groups match a group-based rule. However, the question specifies " Dynamic User, " so the rule applies to user attributes only.

The initial assigned memberships (e.g., User2, HR group, IT group) are overridden by the dynamic membership rule. Microsoft Entra ID does not retain assigned memberships when an AU or group is converted to dynamic membership.

The HR and IT groups being assigned to AU1 initially does not affect the dynamic membership of users, but it might be relevant for administrative scoping (e.g., if an admin role is scoped to AU1). However, the statements are about membership, not administrative roles.

Conclusion:Based on the dynamic membership rule (user.department -eq " HR " ) for AU1:

HR group:Not a member of AU1 because dynamic user membership does not apply to groups.

User1:A member of AU1 because their department is " HR, " matching the rule.

User2:Not a member of AU1 because their department is " IT, " which does not match the rule.Therefore, the answers are:

HR is a member of AU1:No

User1 is a member of AU1:Yes

User2 is a member of AU1:No

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and the Microsoft Learn module “Implement and manage synchronization with Microsoft Entra Connect” , when Microsoft Entra Connect synchronizes user objects between on-premises Active Directory (AD) and Microsoft Entra ID (formerly Azure AD), each user must have unique proxyAddresses attributes across the directory.

The proxyAddresses attribute represents all the email aliases (SMTP addresses) associated with a user. The synchronization process verifies these values to ensure they are not duplicated among multiple user objects. If two or more objects in AD share the same SMTP address, the synchronization process generates an error, typically reported as a “Duplicate Attribute” conflict.

In the provided scenario:

User1 (proxyAddresses: user1@contoso.com, sales@contoso.com)

User2 (proxyAddresses: user2@contoso.com, user.2@contoso.com, service@contoso.com)

User3 (proxyAddresses: user3@contoso.com, sales@contoso.com)

After updating the proxy addresses:

User1 ? admin@contoso.com

User2 ? sales@contoso.com

Because sales@contoso.com is now used by both User2 and User3, the sync process detects a duplicate SMTP address. This causes synchronization errors for User2 and User1 if any other duplicates exist.

User3, with unique attributes, synchronizes successfully.

The SC-300 reference under “Manage synchronization errors using Microsoft Entra Connect Health” confirms:

“If two or more objects contain the same value for attributes marked as unique (such as proxyAddresses or userPrincipalName), Microsoft Entra Connect synchronization fails for those objects until the conflict is resolved.”

Based on the official Microsoft SC-300 study guide and Microsoft Entra ID (Azure AD) licensing documentation, the licensing requirement for Access Reviews depends on who is being reviewed and how the review is configured .

Access reviews are an Azure AD Premium P2 feature (included in Microsoft 365 E5), and the licensing model specifies that:

“Each user who is part of an access review (either being reviewed or reviewing) must have an Azure AD Premium P2 license, except in cases where guest users are reviewed by internal reviewers — in that case, only the reviewers require a license.”

Let’s analyze each configuration:

Members: 500 internal + 25 guest users = 525 total members.

Review Type: Teams + Groups

Review Scope: All users

Reviewers: Users review own access

Group1 Since all users (internal and guest) review their own access, every member is considered an active participant in the review. Therefore, each of the 525 members (500 internal + 25 guests) must have an Azure AD Premium P2 license.

? Group1 = 525 licenses required

Members: 295 internal + 100 guest users = 395 total members.

Review Type: Teams + Groups

Review Scope: Guest users only

Reviewers: Group owner

Group2 Here, only guest users are being reviewed, and the reviewer is the group owner (User2). Since the guest users don’t require licenses when being reviewed by an internal reviewer, only the group owner (User2) needs a P2 license.

? Group2 = 1 license required

???? According to Microsoft Licensing Guidance (SC-300 Official Content):

“If guest users review their own access, each guest requires a P2 license. If the review is conducted by an internal user (owner or admin), only that reviewer requires the license.”

In Azure AD, Diagnostics settings control the forwarding of logs (sign-ins, audit logs, and provisioning logs) to external services such as Log Analytics, Event Hub, or Storage accounts. However, they do not control who receives alert notifications.

The SC-300 and Microsoft Learn documentation for Azure AD activity monitoring and alerts specifies that alert recipients are managed through Azure Monitor Alert Rules. These rules define the conditions for generating alerts and the action groups (email, SMS, webhook, etc.) that receive them.

To assign a new security administrator as the recipient, you must modify the action group in Azure Monitor, not the diagnostics settings. Adjusting the diagnostics settings only affects log destinations, not alert routing.

Therefore, modifying diagnostics settings would not meet the goal of redirecting alerts to another user.

In Azure RBAC, when creating a custom role through the Azure portal, you can only clone from existing roles of the same scope type. Since Role3 is an Azure subscription-level custom role, it can be cloned only from subscription-level roles—either built-in subscription roles (like Owner, Contributor, Reader) or other custom subscription roles.

Azure AD roles (directory roles) cannot be cloned to create subscription roles because they operate at a completely different control plane (Azure AD vs Azure Resource Manager).

Thus, from the given table:

Role1 = Azure AD role ? cannot be cloned.

Role2 = Azure subscription role ? can be cloned.

Therefore, the correct option is C

In the SC-300 materials covering Azure AD MFA configuration, Microsoft distinguishes between Notifications (which control whether the Microsoft Authenticator sends push prompts) and Fraud alert settings (which determine what happens when a user reports an unexpected prompt). The study guide notes that notifications “enable push approvals to the app,” but this does not take action when a user reports a suspicious prompt. To satisfy the requirement “block the users automatically when they report an MFA request they didn’t initiate,” you must use Fraud alert options. The documentation states that administrators can “allow users to submit fraud alerts” and “block users who report fraud” so that “reported accounts are immediately blocked until an administrator unblocks them.” These options are part of the tenant’s MFA service settings, not the Notifications section. In other words, simply configuring Notifications won’t automatically block users who tap Report in Microsoft Authenticator; you must explicitly enable the setting to block users upon fraud reports. Therefore, the proposed solution—changing Notifications settings—does not meet the goal. The correct approach is to enable Fraud alert and select Block users who report fraud, ensuring automatic protection when users report unexpected MFA prompts.

Conditional Access policies control access based on conditions such as user risk, device state, or application context. They do not directly affect account authentication or respond to disabled account states in Active Directory.

If a user’s on-premises account is disabled, Azure AD still allows cached credentials to authenticate until the next sync (if using PHS). Conditional Access cannot force immediate disablement — it only acts after successful authentication attempts.

From Microsoft Learn:

“Conditional Access evaluates access after authentication and cannot prevent sign-in for disabled or deleted accounts during synchronization delay.”

Therefore, Conditional Access does not meet the goal of instantly preventing authentication when an AD account is disabled.

? Correct Answer: B. No

SC-300 materials describe FIDO2 security keys as a passwordless method that works well for shared workstations and environments where phones are not permitted. The documentation explains that “FIDO2 security keys are phishing-resistant, standards-based credentials that allow users to sign in with a portable hardware device” and that “the user performs a gesture on the key (PIN or biometrics) to complete authentication.” It further clarifies that “Azure AD passwordless methods (FIDO2 security keys, Windows Hello for Business, Authenticator) satisfy strong authentication requirements and can meet MFA prompts.” Because the call-center computers don’t have biometrics and phones are prohibited, Authenticator and Windows Hello for Business are unsuitable. A named network location does not provide MFA by itself. By issuing FIDO2 keys (tokens) to agents, you meet the MFA requirement with a factor the user has (the key) plus a secure local gesture (PIN), which SC-300 documents as accepted for Azure AD strong/MFA.

According to the Microsoft Identity and Access Administrator (SC-300) Study Guide and Microsoft Learn module: “Discover and manage shadow IT” within Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) , the Cloud app catalog is the authoritative reference database that contains detailed risk assessments of thousands of cloud applications discovered within your organization.

Each application in the cloud app catalog is automatically evaluated against a large set of security and compliance criteria — over 80 risk factors including authentication requirements , encryption standards , data ownership , regulatory compliance , and certifications . This catalog helps administrators identify which discovered or sanctioned applications do not require user authentication , which is a critical factor when evaluating application risk posture.

From the Microsoft 365 Defender portal , administrators can open Defender for Cloud Apps ? Cloud Discovery ? Cloud app catalog . Within this interface, you can filter and sort apps by authentication type , specifically reviewing those listed with “No authentication” or “Not supported” . This allows quick identification of unsecured or unauthenticated apps that could pose risks to enterprise data and identity protection.

Microsoft’s documentation emphasizes:

“The Cloud app catalog provides detailed information about each discovered application, including whether the app supports user authentication and what authentication methods are required.”

Options A and B (queries and reports) are used for analyzing discovered app traffic data, not intrinsic app properties. Option C (OAuth policy) monitors app permissions, not authentication requirements.

To Answer this question accurately, we must analyze the Combined Security Information Registration experience in Interrupt Mode for a new user within an Azure AD (Microsoft Entra ID) tenant where both MFA and SSPR are enabled.

1. Understanding Combined Registration in Interrupt Mode: According to Microsoft documentation on Combined security information registration , this feature allows users to register their security methods for both Azure AD Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) in a single, unified step.

Interrupt Mode triggers when a user signs in and a policy (like Identity Protection or Conditional Access) requires them to register security information immediately.

Because the question states SSPR is enabled and MFA is enforced , the user is required to register methods that satisfy both policies.

2. Validating the Methods (Options Analysis):

Option E: The Microsoft Authenticator app (Correct): The Microsoft Authenticator app is the primary and most recommended method in the combined registration flow. It satisfies the strong authentication requirement for MFA and can also be used for SSPR . Microsoft documentation explicitly lists the Microsoft Authenticator app as a supported method that users can register during the combined experience.

Option C: A one-time passcode email (Correct): While Email is not a valid method for Azure AD MFA (primary authentication), it is a supported and common method for SSPR .

Documentation Extract: " Users can register the following methods... Email (SSPR only). "

Since the question specifies that SSPR is enabled , the combined registration wizard requires the user to register SSPR methods in addition to MFA methods. Therefore, registering an email address to receive a one-time passcode is a valid step User1 can take to complete the portion of the combined registration process related to SSPR.

Option A: A FIDO2 security key (Incorrect for Initial Registration):

Documentation Extract: " User registration of FIDO2 security keys... relies on the combined registration experience. Users must have already registered at least one Azure AD Multi-Factor Authentication method. "

Because User1 is a new user (and likely does not have a Temporary Access Pass specified), they cannot use a FIDO2 key to complete the initial registration interrupt. They must first register a standard MFA method (like the Authenticator app) before they can add a FIDO2 key via the " Manage " mode (Security Info page).

Option B: A hardware token (Incorrect): Hardware OATH tokens are not self-registered by the user in the combined registration portal. They must be uploaded and assigned by an administrator via a CSV file. Therefore, User1 cannot " use " this method to complete the self-service registration process.

Option D: Windows Hello for Business (Incorrect): Windows Hello for Business (WHfB) is provisioned at the device level (via Windows Settings or OOBE), not through the web-based Combined Registration interrupt wizard. Additionally, WHfB typically requires the user to have already completed MFA registration to provision the credential.

Conclusion: The only two methods from the list that a new user can actively register and use to complete the web-based Combined Registration interrupt wizard (satisfying both MFA and SSPR requirements) are the Microsoft Authenticator app (for MFA/SSPR) and Email (for SSPR).

The retention period for Microsoft Entra (Azure AD) sign-in logs depends on the license (Free, P1, P2). Microsoft’s data retention documentation states that with a Microsoft Entra ID P1 license, sign-in data is retained for 30 days.

The relevant table in the “Microsoft Entra data retention” documentation shows:

With Entra ID P1 or P2: sign-in activity is retained for 30 days

(With Free tier, sign-in logs are retained for 7 days)

Therefore, under your scenario (tenant has ID P1 license), the logs are available for 30 days.

To add the LinkedIn application as a resource to the Sales and Marketing access package without removing any other resources, you can follow these steps:

Sign in to the Microsoft Entra admin center:

Ensure you have the role of Global Administrator or Identity Governance Administrator.

Navigate to Entitlement Management:

Go to Identity governance  >  Entitlement management  >  Access packages1.

Select the Sales and Marketing access package:

Find and select the Sales and Marketing access package to modify it.

Add a new resource:

Within the access package details, select Resources.

Click on + Add resource.

Search for and select the LinkedIn application from the list of available resources.

Configure the resource role:

Assign the appropriate role for the LinkedIn application that users in the Sales and Marketing access package will have.

Review and update the access package:

Ensure that the LinkedIn application has been added as a resource.

Confirm that no other resources have been removed from the access package.

Save the changes:

After reviewing, save the changes to the access package.

Communicate the update:

Notify the relevant users about the addition of the LinkedIn application to their access package.

By following these steps, you will successfully add the LinkedIn application to the Sales and Marketing access package without affecting the other resources.

To create a group named “Audit” and ensure that its members can activate the Security Reader role, follow these steps:

Open the Microsoft Entra admin center:

Sign in with an account that has the Security Administrator or Global Administrator role.

Navigate to Groups:

Go toTeams & groups > Active teams and groups1.

Create the security group:

Select Add a security group.

On the Set up the basics page, enter “Audit” as the group name.

Add a description if necessary and chooseNext1.

Edit settings:

On theEdit settingspage, select whether you want Microsoft Entra roles to be assignable to this group and selectNext1.

Assign roles:

After creating the group, go to Roles > All roles.

Find and select the Security Reader role.

Under Assignments, choose Assign.

Select the “Audit” group to assign the role to its members2.

Review and finish:

Review the settings to ensure the “Audit” group is created with the ability for its members to activate the Security Reader role.

Finish the setup and save the changes.

By following these steps, you will have created the “Audit” group and enabled its members to activate the Security Reader role, which allows them to view security-related information without having permissions to change it. Remember to communicate the new group and role assignment to the relevant stakeholders in your organization.

To implement additional security checks for the Sg-Executive group members before they canaccess any company apps, you can use Conditional Access policies in Microsoft Entra. Here’s a step-by-step guide:

Sign in to the Microsoft Entra admin center:

Ensure you have the role of Global Administrator or Security Administrator.

Navigate to Conditional Access:

Go to Security > Conditional Access.

Create a new policy:

Select + New policy.

Name the policy appropriately, such as “Sg-Executive Security Checks”.

Assign the policy to the Sg-Executive group:

Under Assignments, select Users and groups.

Choose Select users and groups and then Groups.

Search for and select the Sg-Executive group.

Define the application control conditions:

Under Cloud apps or actions, select All cloud apps to apply the policy to any company app.

Set the device compliance requirement:

Under Conditions > Device state, configure the policy to include devices marked as compliant by Microsoft Intune.

Set the app protection policy requirement:

Under Conditions > Client apps, configure the policy to include client apps that are protected by app protection policies.

Configure the access controls:

Under Access controls > Grant, select Grant access.

Choose Require device to be marked as compliant and Require approved client app.

Ensure that the option Require one of the selected controls is enabled.

Enable the policy:

Set Enable policy to On.

Review and save the policy:

Review all settings to ensure they meet the requirements.

Click Create to save and implement the policy.

By following these steps, you will ensure that the Sg-Executive group members can only access company apps if they meet one of the specified conditions, either by using a compliant device or a protected client app. This enhances the security posture of your organization by enforcing stricter access controls for executive-level users.

To deploy Multi-Factor Authentication (MFA) for only the members of the Sg-Finance group, excluding Debra Berger, and without using a Conditional Access policy, you can follow these steps:

Open the Microsoft Entra admin center:

Sign in as a Security Administrator or Global Administrator.

Navigate to MFA settings:

Go to Users  >  Active users.

On the Active users page, select Multi-factor authentication.

Manage user settings:

Find and select the Sg-Finance group.

Enable MFA for this group by setting the requirement status to Enabled.

Exclude a user from MFA:

In the Multi-factor authentication page, search for Debra Berger.

Set her MFA status to Disabled to exclude her from MFA registration.

Verify the configuration:

Ensure that all members of the Sg-Finance group have MFA enabled except for Debra Berger.

Communicate the change:

Inform the Sg-Finance group members about the MFA requirement and provide instructions on how to register for MFA.

Monitor the setup:

Check the sign-in logs to confirm that MFA is being prompted for the Sg-Finance group members and not for Debra Berger.

To assign a Windows 10/11 Enterprise E3 license to the Sg-Retail group, you can follow these steps:

Sign in to the Microsoft Entra admin center:

Make sure you have the role of Global Administrator or License Administrator.

Navigate to the licensing page:

Go toBilling > Licenses1.

Find the Windows 10/11 Enterprise E3 license:

Look for the Windows 10/11 Enterprise E3 license in the list of available products.

Assign licenses to the group:

Select the license and then choose Assign licenses.

Search for and select the Sg-Retail group.

Confirm the assignment and make sure that the correct number of licenses is available for the group.

Review and confirm the assignment:

Ensure that the licenses have been properly assigned to the Sg-Retail group without affecting other groups or users.

Monitor the license status:

Check the license usage and status to ensure that the Sg-Retail group members can utilize the Windows 10/11 Enterprise E3 features.

By following these steps, the Sg-Retail group should now have the Windows 10/11 Enterprise E3 licenses assigned to them.

To implement a process for reviewing guest users’ access to the Salesforce app with the specified requirements, you can use Microsoft Entra’s Identity Governance access reviews feature. Here’s a step-by-step guide:

Assign the appropriate role:

Ensure you have one of the following roles: Global Administrator, User Administrator, or Identity Governance Administrator1.

Navigate to Identity Governance:

Sign in to the Microsoft Entra admin center.

Go toIdentity governance > Access reviews1.

Create a new access review:

Select New access review.

Choose the Salesforce app to review guest user access1.

Configure the review settings:

Set the frequency of the review to monthly.

Define thedurationof the review period to5 days1.

Determine the reviewers:

Assign the manager of each guest user as the reviewer.

If a guest user does not have a manager, assignMegan Bowenas the reviewer1.

Automate the removal process:

Configure settings toautomatically remove accessif the review is not completed within the specified time frame1.

Monitor and enforce compliance:

Regularly check the access review results to ensure compliance with the review policy1.

Communicate the process:

Inform all stakeholders about the new review process and provide guidance on how to complete the reviews.

By following these steps, you can ensure that guest users’ access to the Salesforce app is reviewed monthly, with managers being responsible for the review, and access is removed if the review is not completed in time.

To prevent all users from using legacy authentication protocols when authenticating to Microsoft Entra ID, you can create a Conditional Access policy that blocks legacy authentication. Here’s how to do it:

Sign in to the Microsoft Entra admin center:

Ensure you have the role of Global Administrator or Conditional Access Administrator.

Navigate to Conditional Access:

Go to Security > Conditional Access.

Create a new policy:

Select + New policy.

Give your policy a name that reflects its purpose, like “Block Legacy Auth”.

Set users and groups:

Under Assignments, select Users or workload identities.

Under Include, select All users.

Under Exclude, select Users and groups and choose any accounts that must maintain the ability to use legacy authentication.It’s recommended to exclude at least one account to prevent lockout1.

Target resources:

Under Cloud apps or actions, select All cloud apps.

Set conditions:

Under Conditions > Client apps, set Configure to Yes.

Check only the boxes for Exchange ActiveSync clients and Other clients.

Configure access controls:

Under Access controls > Grant, select Block access.

Enable policy:

Confirm your settings and set Enable policy to Report-only initially to understand the impact.

After confirming the settings using report-only mode, you can move theEnable policytoggle fromReport-onlytoOn2.

By following these steps, you will block legacy authentication protocols for all users, enhancing the security posture of your organization by requiring modern authentication methods. Remember to monitor the impact of this policy and adjust as necessary to ensure business continuity.

To configure the account lockout settings so that accounts are locked out for five minutes after 10 failed sign-in attempts, you can follow these steps:

Open the Microsoft Entra admin center:

Sign in with an account that has the Security Administrator or Global Administrator role.

Navigate to the lockout settings:

Go to Security > Authentication methods > Password protection.

Adjust the Smart Lockout settings:

Set the Lockout threshold to 10 failed sign-in attempts.

Set the Lockout duration (in minutes) to 5.

Please note that by default, smart lockout locks an account from sign-in after 10 failed attempts in Azure Public and Microsoft Azure operated by 21Vianet tenants1. The lockout period is one minute at first, and longer in subsequent attempts.However, you can customize these settings tomeet your organization’s requirements if you have Microsoft Entra ID P1 or higher licenses for your users1.

To ensure that all users can consent to apps that require permission to read their user profile and prevent them from consenting to apps that require any other permissions, you can configure the user consent settings in the Microsoft Entra admin center. Here’s how you can do it:

Sign in as a Global Administrator:

Access the Microsoft Entra admin center with Global Administrator privileges.

Navigate to user consent settings:

Go toIdentity > Applications > Enterprise applications > Consent and permissions > User consent settings1.

Configure the consent settings:

Under User consent for applications, select the option that allows users to consent to apps that only require permission to read their user profile.

Ensure that all other permissions are set to require administrator consent, thus preventing users from consenting to apps that require additional permissions1.

Save the settings:

After configuring the consent settings, select Save to apply the changes.

By following these steps, you will have configured the system to allow user consent for apps that need to read the user profile while blocking consent for apps that require additional permissions. This setup helps maintain user autonomy where appropriate while safeguarding against unauthorized access to broader permissions.

To ensure that users in the Sg-Operations group see a tab named “Operations” containing only LinkedIn and Box applications in the My Apps portal, you can create a collection with these specific applications. Here’s how to do it:

Sign in to the Microsoft Entra admin center:

Make sure you have one of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

Navigate to App launchers:

Go to Identity > Applications > Enterprise applications.

Under Manage, select App launchers.

Create a new collection:

Click on New collection.

Enter “Operations” as the Name for the collection.

Provide a Description if necessary.

Add applications to the collection:

Select the Applications tab within the new collection.

Click on + Add application.

Search for and select LinkedIn and Box applications.

Click Add to include them in the collection.

Assign the collection to the Sg-Operations group:

Select the Users and groups tab.

Click on + Add users and groups.

Search for and select the Sg-Operations group.

Click Select to assign the collection to the group.

Review and create the collection:

Select Review + Create to check the configuration.

If everything is correct, click Create to finalize the collection.

By following these steps, when users in the Sg-Operations group visit the My Apps portal, they will see a new tab named “Operations” that contains only the LinkedIn and Box applications1.

Please note that to create collections on the My Apps portal, you need a Microsoft Entra ID P1 or P2 license1.