SC-300 Microsoft Identity and Access Administrator Questions and Answers

In Azure AD Privileged Identity Management (PIM) for Azure AD roles, the exam materials describe that you tailor how a role (for example, User administrator) is used by editing its Role settings. These settings control activation behavior, including require multi-factor authentication, justification, approval, assignment/activation durations, and notifications. The guide states that administrators can “configure activation requirements and time-bound eligibility on a per-role basis” and “enforce approval workflows and MFA at activation.” Access reviews are used to periodically verify who still needs a role, but they do not implement the operational changes to how the role is activated. Active assignments simply shows and changes who currently holds active/eligible assignments; it does not set policy for the role’s activation behavior. Administrative units scope certain directory tasks, but they are not how you change PIM activation/approval/MFA requirements. Therefore, to meet planned changes for the User administrator role (such as least privilege activation with approval, justification, and MFA), you update PIM → Azure AD roles → User administrator → Role settings. This aligns with the SC-300 objective to “configure PIM settings and policies for Azure AD roles,” ensuring governance by policy rather than ad-hoc assignment.

In Azure AD, license automation is implemented through group-based licensing. The SC-300 materials explain that “you can assign licenses to a group in Azure Active Directory; when you assign a license to a group, all users who are members of the group are assigned that license”. They also clarify that “dynamic group membership uses rules to automatically add or remove users based on user attributes”, which is the recommended way to on-board new populations without manual effort. For licensing, the guide is explicit that “group-based licensing works with security groups and Microsoft 365 Groups” and that “distribution lists are not supported for license assignment”. Administrative Units are described as “a scoping mechanism for delegating administrative permissions to subsets of users and devices”, not a licensing entity. Likewise, Organizational Units (OUs) are on-premises AD containers and “do not control license assignment in Azure AD”.

Given the requirement to allocate licenses automatically to new A. Datum users as they appear, the least-effort, policy-driven approach is to create an Azure AD Dynamic User security group with a membership rule that targets those users (for example, by domain, company attribute, or a synced attribute), then assign the required Microsoft 365/Azure AD licenses to that group. As the documentation notes, “when users join or leave the group based on the rule, licenses are added or removed automatically.”

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and the Microsoft Learn module “Publish on-premises apps for remote access using Azure AD Application Proxy”, Azure AD Application Proxy enables secure remote access to internal, on-premises web applications without requiring VPN access.

In the scenario, App1 is an on-premises application hosted within the Litware network, and the technical requirements specify that it must be securely accessible to both internal and external users — including Fabrikam guest accounts — through Azure AD authentication.

Microsoft’s official documentation states:

“Azure AD Application Proxy provides secure remote access to on-premises web applications, integrating with Azure AD for single sign-on (SSO) and conditional access policies.”

Given that the environment already includes a server (SERVER1) running the Azure AD Application Proxy connector, and that Litware wants to enforce Azure AD Conditional Access and MFA for App1, Azure AD Application Proxy is the correct implementation.

The other options are not suitable:

A. Policy set in Microsoft Endpoint Manager: Used for device compliance and app management, not for publishing on-premises apps.

B. App configuration policy in Endpoint Manager: Used for mobile app configuration (e.g., MAM policies), not for access publishing.

C. App registration in Azure AD: Used for modern cloud or SaaS apps integration, but App1 is on-premises and needs proxy access.

Correct Answer: D. Azure AD Application Proxy

According to the Microsoft SC-300: Identity and Access Administrator official study guide and the Microsoft Learn module “Manage user and group licenses in Microsoft Entra ID (Azure AD)”, when you need to automatically assign licenses to users based on specific attributes (such as department, location, or a custom attribute like LWLicenses), you should use a Dynamic User Security Group in Azure Active Directory (Entra ID).

In the scenario, Litware wants to:

“Manage the assignment of Azure AD licenses by modifying the value of the LWLicenses attribute. Users who have the appropriate value for LWLicenses must be added automatically to the Microsoft 365 group that has the appropriate license assigned.”

This requirement directly maps to a Dynamic User security group, which supports dynamic membership rules that automatically include users when their attributes meet defined conditions (for example, user.extensionAttribute15 -eq "E5"). When a license is assigned to this dynamic group, Azure AD automatically provisions or removes licenses for members based on their attribute values — eliminating manual license management.

Per Microsoft documentation:

“You can assign licenses to a group that has dynamic membership. When a user’s attributes change, Azure AD automatically adds or removes them from the group, which updates their license assignments accordingly.”

Now, analyzing the other options:

B. An OU (Organizational Unit): Used in on-premises Active Directory, not Azure AD. It cannot manage cloud-based license assignments.

C. A Distribution Group: Used for email distribution in Exchange Online; cannot be used for license assignment.

D. An Administrative Unit: Used for scoping administrative permissions, not for license assignment.

Therefore, the only object type that satisfies both the technical and automation requirements is a Dynamic User Security Group.

✅ Correct Answer: A. A Dynamic User security group

In Microsoft 365 and Azure AD Multi-Factor Authentication (MFA), the supported verification methods include:

Microsoft Authenticator app (notification or verification code)

Phone call

Text message

Hardware token (OATH)

According to the Microsoft SC-300 Study Guide and Microsoft Learn: Plan and deploy Azure AD MFA, the Microsoft Authenticator app offers two modes:

Push notification – requires an active internet connection on the mobile device.

Verification code (time-based one-time password - TOTP) – does not require internet or mobile connectivity. The Authenticator app continuously generates verification codes every 30 seconds locally on the device.

In this scenario, users are working remotely in areas without Wi-Fi or mobile network connectivity. Hence, methods relying on push notifications, SMS, or phone calls are not feasible. The only viable MFA method that works offline is the verification code from the Microsoft Authenticator app, since it functions using the device’s internal clock without external connectivity.

The SC-300 curriculum emphasizes synchronization behavior between on-premises Active Directory (AD) and Microsoft Entra ID using Microsoft Entra Connect. By default, directory synchronization occurs every 30 minutes, which means a user disabled in AD can still authenticate to Microsoft Entra for up to 30 minutes until the next synchronization cycle.

The proposed solution—Microsoft Entra Password Protection—is not related to authentication delay or sign-in blocking. Password Protection enforces strong password policies and prevents the use of weak or compromised passwords during account creation or reset. It does not control sign-in states or enforce real-time disablement.

To meet the goal of immediately blocking authentication when an account is disabled in AD, you must implement Microsoft Entra Connect with Pass-through Authentication (PTA) or federation (AD FS). These options validate sign-ins against the on-premises AD in real time, ensuring instant blocking of disabled accounts.

Microsoft documentation confirms:

“Password Protection does not affect authentication latency or synchronization frequency. To ensure disabled accounts cannot sign in, use Pass-through Authentication or federation for real-time validation.”

According to the Microsoft SC-300: Microsoft Identity and Access Administrator Official Study Guide and Microsoft Learn – Manage Conditional Access policies module, when an administrator creates a Conditional Access policy using the built-in Require password change for high-risk users template, the policy is automatically pre-configured with specific include and exclude assignments.

By default, this template targets “All users” in the tenant because the policy is designed to detect and remediate risky sign-ins or compromised accounts across the entire directory. However, since Azure AD B2B guest accounts and external users often have limited sign-in scopes and cannot be subjected to organization-specific password policies, Microsoft’s security baseline specifically excludes all guest and external users by default.

The intent behind this default configuration is to apply the password change requirement to internal users while avoiding unnecessary enforcement on guest identities that do not manage credentials within the host tenant.

From the Microsoft Learn – Conditional Access policy templates documentation:

“When you create a policy from the Require password change for high-risk users template, the policy is configured to include all users and exclude all guest and external users by default.”

In Microsoft Entra ID (Azure AD), Security Defaults is a built-in baseline security configuration that enforces basic identity protection, such as requiring all users to register for multi-factor authentication (MFA) using the Microsoft Authenticator app. When security defaults are enabled, users cannot select alternate MFA methods (like SMS or phone call).

According to the Microsoft SC-300 Official Study Guide and Azure AD Identity Protection documentation, only administrators with elevated security roles—specifically the Security Administrator, Global Administrator, or Conditional Access Administrator—can enable or disable security defaults.

Here’s the detailed reasoning:

User1 (Security Administrator): This role can manage identity security settings, including modifying MFA configurations and security defaults.

User2 (Privileged Authentication Administrator): This role can reset MFA details for other users but cannot modify tenant-wide MFA or security default settings.

User3 (Service Support Administrator): This role is limited to viewing service health and support tickets and has no permissions to modify security configurations.

Since User2 is restricted by security defaults (which enforce Microsoft Authenticator only), the only way to allow alternative MFA methods is to disable or customize security defaults. That configuration must be done by User1 (Security Administrator).

Microsoft Documentation: “To enable or disable security defaults, you must be a Global Administrator, Security Administrator, or Conditional Access Administrator.”

Azure AD supports several group types with different membership rules. For Microsoft 365 groups, “group nesting isn’t supported; only user identities can be members.” For mail-enabled security groups used in Azure AD/Exchange Online, the SC-300 materials emphasize that only user objects are supported as members when managed in Azure AD, while “Microsoft 365 groups can’t be added to other groups.” Security groups are commonly nestable for access scenarios, but the mail-enabled security group membership experience in Azure AD limits member selection to users; thus you cannot add Group1 (security group) or Group2 (Microsoft 365 group) as members of Group3 (mail-enabled security group). Licensing assignments shown in the table are irrelevant to membership eligibility. Consequently, the only valid members you can add to Group3 are the user objects — User1 and User2.

In Microsoft Entra Internet Access and Private Access, administrative permissions are controlled through specific Microsoft Entra roles. The SC-300 exam content (module “Manage Microsoft Entra Global Secure Access”) identifies that management of Global Secure Access features requires either of these roles:

Global Administrator, or

Network Access Administrator

These roles can configure, deploy, and manage settings for both Microsoft Entra Internet Access and Microsoft Entra Private Access in the Microsoft Entra admin center.

From Microsoft Learn:

“To configure and manage Microsoft Entra Internet Access or Private Access, you must be assigned either the Global Administrator or the Network Access Administrator role.”

Thus, if:

User1 = Global Administrator

User2 = Network Access Administrator

User3 = (Any other role)

Then only User1 and User2 can manage Microsoft Entra Internet Access.

When configuring user consent settings in Azure AD, administrators can allow users to consent to third-party or verified publisher apps. However, to control which apps users can consent to based on their permission levels (for example, only “low impact” permissions), Microsoft provides enterprise application collections.

An enterprise application collection lets administrators group apps and assign consent policies that define what permissions apps can request and what level of user consent is allowed.

From Microsoft documentation:

“You can use enterprise application collections to group apps and assign user consent policies that restrict the permissions users can grant to apps. For instance, you can ensure users can only grant low-impact permissions, even when the app comes from a verified publisher.”

Other options explained:

Access package: Used for entitlement management, not app consent.

Permission classifications: Used to label permissions for administrators’ understanding, not enforce user consent behavior.

Access review: Used for periodic evaluation of access, not consent management.

In SC-300, Microsoft describes taking control of an unmanaged (self-service created) Azure AD tenant by performing an admin takeover. The process begins in the Microsoft 365 admin center where you attempt to add the domain that users used for self-service sign-up. When the domain is already in use in an unmanaged directory, the portal surfaces the “Become the admin” option, enabling an internal admin takeover. The study material states that admins must “verify ownership of the domain by creating a DNS TXT record” and that, after verification, “the account that completes the takeover is promoted to Global Administrator of the unmanaged tenant.” It also emphasizes that the TXT record step comes after selecting the takeover option because the wizard provides the exact TXT value to publish. Unrelated actions—such as creating a “self-signed user account” in Azure AD or removing the domain—are not part of the takeover sequence. Thus, the correct order is: sign in → add the domain → select Become the admin → publish the TXT record to prove domain ownership, which completes the takeover and grants Global Administrator privileges to manage the tenant created by self-service sign-ups.takeover

This scenario tests your knowledge of Azure Role-Based Access Control (RBAC) and the scope hierarchy in Azure (Management Group → Subscription → Resource Group → Resource).

At the subscription level, User1 has the Reader role.This allows the user to view all resources within the subscription, but not access data stored inside those resources.

At the RG1 level, User1 also has Reader and Data Access.This role is special — it grants both read access to resource configuration and data access to the underlying data plane (for example, the blobs in a storage account).

Since storage1 is inside RG1, and Reader and Data Access covers both resource and data access, User1 can read data stored in storage1 (e.g., list blobs, view content).

✅ Answer: YES

At the subscription level, User2 has the Reader role (read-only, no create permissions).

At the RG1 level, User2 has the Contributor role — this allows full management permissions on resources within RG1.

The question asks about RG2, not RG1.

However, RG2 does not have any explicit assignment for User2.

But since Contributor at the subscription level gives create/delete permission across all resources, and here User2’s Contributor role is scoped to RG1 only, it does not extend to RG2.

So User2 cannot create resources in RG2 because Contributor permission doesn’t propagate across resource groups unless assigned at a higher scope.

✅ Correct Answer: NO (User2 cannot create in RG2)

The JSON data shows that User3 has the User Access Administrator role assigned directly on the storage1 resource.The User Access Administrator role allows managing role assignments (RBAC) at that specific scope — granting or removing access to others.

Therefore, User3 can assign (and remove) RBAC roles for storage1.

✅ Answer: YES

Microsoft Learn: Implement Role-Based Access Control (RBAC)

Microsoft Learn: Understand scope inheritance in Azure RBAC

Microsoft Learn: Manage access using the User Access Administrator role

Exam Ref SC-300: Manage access to Azure resources using roles and assignments

In Microsoft Defender for Cloud Apps (MCAS), a Session policy is used to monitor and control user activities in real time when accessing cloud resources through Conditional Access App Control.

The requirement states:

“Prevent users from printing PDF files directly from SharePoint Online.”

This requires controlling a user’s session behavior (e.g., download, print, copy) within a web session — not just detecting or auditing it afterward. According to Microsoft’s Identity and Access Administrator training materials:

“Session policies enable real-time monitoring and control of user sessions, allowing you to restrict activities such as printing, downloading, or copying content.”

By configuring a session policy, administrators can apply real-time controls to prevent printing within SharePoint or Teams sessions while allowing normal view access.

Other options:

File policy controls data at rest (e.g., classifying or sharing files).

Activity policy detects historical actions.

Access policy controls conditions for app access, not user actions.

Comprehensive and Detailed In-Depth Explanation:

Let’s break this down step by step based on Microsoft Entra ID self-service password reset (SSPR) settings and the available authentication methods, as outlined in Microsoft Identity and Access Administrator documentation.

Understanding Self-Service Password Reset (SSPR) in Microsoft Entra ID:

Self-service password reset (SSPR) allows users to reset their passwords without administrator intervention, improving security and reducing helpdesk workload.

The settings provided are:

Require users to register when signing in: Yes– Users must register their authentication methods (e.g., phone number, email, security questions) the first time they sign in. This ensures they have methods available for SSPR.

Number of methods required to reset: 1– Users must verify their identity using one authentication method to reset their password. This is the minimum number of methods required, meaning users must have at least one method registered, and they will use one method during the reset process.

Available Authentication Methods for SSPR:

Microsoft Entra ID SSPR supports a specific set of authentication methods that users can use to verify their identity during a password reset. These methods are configured by the administrator in the Microsoft Entra admin center under "Password reset" settings.

The default authentication methods available for SSPR include:

Email:Users receive a code sent to an alternate email address.

Mobile phone (SMS):Users receive a code via SMS to their registered mobile phone.

Mobile app code:Users use a code generated by the Microsoft Authenticator app (or another compatible authenticator app).

Mobile app notification:Users receive a push notification in the Microsoft Authenticator app to approve the reset.

Security questions:Users answer predefined security questions they set up during registration.

Important Note:Methods like smartcards, FIDO2 security tokens, and Windows Hello are not supported for SSPR. These methods are typically used for authentication during sign-in (e.g., MFA or passwordless sign-in), not for the SSPR process.

Analysis of the Options:

A. A smartcard:

Smartcards are a form of certificate-based authentication often used for sign-in to Windows devices or VPNs. They require a physical card and a reader, and they are typically used for primary authentication, not for SSPR.

Microsoft Entra ID SSPR does not support smartcards as an authentication method for password reset. Smartcards are not listed as an available method in the SSPR configuration settings.

Conclusion:This is incorrect.

B. A mobile app code:

A mobile app code refers to a time-based one-time password (TOTP) generated by an authenticator app, such as the Microsoft Authenticator app.

This is a supported method for SSPR in Microsoft Entra ID. Users can register the Microsoft Authenticator app (or another compatible app) and use the generated code to verify their identity during a password reset.

Since the setting "Number of methods required to reset: 1" means only one method is needed, a mobile app code is a valid option if the user has registered it.

Conclusion:This is correct.

C. An FIDO2 security token:

FIDO2 security tokens (e.g., YubiKey) are hardware-based security keys that support passwordless authentication in Microsoft Entra ID. They are part of Microsoft’s passwordless authentication strategy and can be used for sign-in.

However, FIDO2 security tokens are not supported for SSPR. The SSPR process does not allow users to verify their identity using a FIDO2 security key because the reset process is designed to work with simpler, more accessible methods like email, SMS, or app-based codes.

Conclusion:This is incorrect.

D. A Windows Hello PIN:

Windows Hello PIN is a device-specific authentication method used to sign in to Windows devices. It is part of Windows Hello, which also includes biometric authentication (e.g., facial recognition, fingerprint).

Windows Hello PIN is not supported for SSPR in Microsoft Entra ID. The SSPR process occurs in a web-based portal (e.g., aka.ms/sspr) and does not integrate with device-specific authentication methods like Windows Hello. Additionally, Windows Hello PIN is tied to a specific device, whereas SSPR is designed to be device-agnostic.

Conclusion:This is incorrect.

Additional Considerations:

The setting "Require users to register when signing in: Yes" ensures that users have at least one authentication method registered. However, the question does not specify which methods are enabled by the administrator. In Microsoft Entra ID, the default enabled methods for SSPR typically include email, mobile phone (SMS), mobile app code, and mobile app notification. Security questions may also be enabled but are less common due to security concerns.

If the administrator has disabled certain methods (e.g., mobile app code), the answer could change. However, the question does not indicate any such restrictions, so we assume the default methods are available.

The "Number of methods required to reset: 1" setting means users only need to use one method to reset their password, but they may have multiple methods registered. The question asks for a "valid authentication method available to users," so we need to identify a method that SSPR supports.

Conclusion:Based on the SSPR settings and the supported authentication methods in Microsoft Entra ID:

A mobile app code (option B) is a valid authentication method for SSPR, as it is supported by default and aligns with the configuration.

Smartcards, FIDO2 security tokens, and Windows Hello PIN are not supported for SSPR.Therefore, the correct answer isB.

Microsoft Entra Permissions Management (formerly CloudKnox) integrates with Azure subscriptions via a service principal that must read and write role assignments to analyze and right-size permissions. The User Access Administrator role provides this ability without full ownership privileges.

The SC-300 guide explicitly notes that to allow automatic monitoring and remediation of permissions, “the Permissions Management service principal must have the User Access Administrator role on the target subscription or management group to modify and create RBAC assignments.”

Reader (A) and Contributor (B) roles cannot manage RBAC permissions, while Owner (C) grants unnecessary broad control, violating the principle of least privilege.

Azure AD External Identities (B2B) uses Monthly Active Users (MAU) billing. The SC-300 content explains that to enable MAU-based pricing, the Azure AD tenant must be linked to an Azure subscription so that usage can be metered and billed. The configuration is performed in Azure AD → External Identities → All settings → Linked subscription, where administrators associate the tenant with a subscription and resource group. Only after this association do External Identities sign-ins count against MAU rather than per-user licenses. Access reviews (A) and terms of use (B) are governance features that do not affect billing. User flows (D) are specific to Azure AD B2C and are unrelated to enabling MAU billing for B2B External Identities. The study guide highlights: “To use MAU billing for External Identities, link your Azure AD tenant to an Azure subscription so guest usage is charged per monthly active user.” Therefore, the correct prerequisite to ensure MAU billing is configuring a linked subscription.

To enable Security defaults for contoso.com, you should first sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator. Then, browse to Azure Active Directory > Properties and select Manage security defaults. Set the Enable security defaults toggle to Yes and select Save.

After that, you can assign Admin1 the Identity Administrator role for Au1 to enable them to manage security defaults for the tenant.

https://practical365.com/what-are-azure-ad-security-defaults-and-should-you-use-them/

According to the Microsoft Identity and Access Administrator (SC-300) Official Study Guide and Microsoft Learn documentation on Azure AD roles and permissions, the Cloud Application Administrator role provides privileges to manage applications while enforcing the principle of least privilege.

The scenario requires:

Preventing User1 from being added as an owner of newly registered apps.

Allowing User1 to manage Application Proxy settings (used for publishing on-premises apps through Azure AD).

Allowing User2 to register new applications.

Application Administrator: Can create and manage all app registrations and enterprise apps, and can add owners — too permissive for this requirement.

Cloud Application Administrator: Can manage applications, including Application Proxy settings, but cannot assign application owners or grant broad permissions.

Application Developer: Can only register and manage own applications.

Service Support Administrator: Provides service health access — not relevant here.

Thus, to let User1 manage Application Proxy and prevent assigning ownership of new apps, Cloud Application Administrator is the correct and least-privileged choice.

SC-300 coverage of Azure AD B2B collaboration states that to grant an external person access to your enterprise application, you invite them as a guest using their existing identity (such as a Microsoft account like user1@outlook.com). The documentation emphasizes that B2B “lets you collaborate with external users by adding them to your directory as guest users using their existing credentials.” Once invited, the guest can authenticate in their home identity provider and be assigned to the target enterprise application (App1) through app role assignment or group membership. You do not need to create a new managed user or add a WS-Federation identity provider for Outlook.com; Azure AD natively supports Microsoft Accounts for B2B invitations, controlled by External collaboration settings (which generally allow invitations to any domain by default). Consequently, to ensure the contractor can authenticate as user1@outlook.com and access App1, you should create a guest user (invite) in the contoso.com tenant and assign that guest to App1.

SC-300 teaches using Conditional Access session controls with SharePoint and OneDrive to protect data on unmanaged devices. The documentation states: “Session controls allow limiting the experience within cloud apps, including Use app enforced restrictions to apply SharePoint Online policies like block download on unmanaged devices.” It defines unmanaged as devices that are “not compliant or not hybrid Azure AD joined.” The scenario requires blocking download/sync only for user-owned (registered) devices, while allowing access for company-owned (joined/compliant) devices—precisely what session controls achieve. Activity or app-discovery policies in Microsoft Defender for Cloud Apps (MCAS) are not required here, and client apps conditions target protocol types rather than shaping in-app actions. Therefore, create a Conditional Access policy targeting SharePoint Online, scope to devices that are not compliant or not hybrid joined, and set Session → Use app enforced restrictions (or Sign-in frequency + Conditional Access App Control) to block download, satisfying the SC-300 guidance for selective data exfiltration protection.

According to the Microsoft Identity and Access Administrator (SC-300) Exam Study Guide and Microsoft Learn module “Implement and manage hybrid identity with Azure AD Connect”, when a VPN solution authenticates users through an on-premises Active Directory and does not natively support Azure MFA, the correct method is to integrate Azure MFA using the Network Policy Server (NPS) extension for Azure MFA.

The NPS extension acts as an intermediary between the VPN server and Azure AD. The VPN server sends authentication requests to the NPS server. The NPS server validates the credentials against the on-premises Active Directory, and then the NPS extension triggers the Azure MFA challenge for secondary authentication.

Microsoft documentation states:

“To enable Azure Multi-Factor Authentication for on-premises resources such as VPNs, RD Gateway, and other services using RADIUS authentication, you must install the Azure MFA extension for the Network Policy Server (NPS).”

Therefore, the correct recommendation is to deploy and configure NPS on-premises, install the Azure MFA NPS Extension, and configure the VPN server to forward RADIUS requests to NPS.

In Azure AD Monitoring and Reporting documentation and the SC-300 Study Guide (Module: Monitor and report on identity and access), sign-in logs in Azure Active Directory are retained for a default duration of 14 days.

The sign-in logs contain information about user sign-in activity, including application usage, conditional access policies, and multi-factor authentication details. These logs are accessible through the Azure portal → Azure Active Directory → Sign-ins, or programmatically via Microsoft Graph.

Microsoft specifies:

“Azure AD stores sign-in activity for 14 days by default. For longer retention, you must integrate with Azure Monitor (Log Analytics), Azure Storage, or Event Hub.”

This 14-day retention limit applies to tenants without additional premium log retention solutions.

According to the Microsoft SC-300: Microsoft Identity and Access Administrator Study Guide and official Microsoft Learn documentation (“Configure how end-users consent to applications”), application consent management in Microsoft Entra ID is governed by the Admin consent settings under Enterprise applications → Consent and permissions → User consent settings.

By default, users can grant delegated permissions to apps, but organizations often need to restrict which permissions users may consent to — for example, allowing consent only to low-impact permissions like User.Read (basic profile information).

Microsoft Documentation Reference:

“In the Admin consent settings, you can control how end users grant consent to applications. You can limit user consent to low-risk permissions, such as permissions that only allow apps to access the user’s basic profile data.”

The configuration steps outlined in Microsoft’s official SC-300 training materials are:

In the Entra admin center, go to Enterprise applications → Consent and permissions → User consent settings.

Under User consent for applications, choose Allow user consent for apps from verified publishers for selected permissions (recommended).

Under Select permissions to allow, specify User.Read and User.ReadBasic.All, which correspond to User.Read and User.Read profile delegated permissions.

This ensures that users can only consent to applications accessing their basic profile data and no additional permissions beyond what’s explicitly approved.

Why not the other options:

A. Security defaults: Controls basic security policies (e.g., MFA, legacy authentication) — unrelated to app consent.

C. Permission classifications: Used for labeling permission risk levels but doesn’t enforce consent behavior.

D. Identity Protection settings: Related to risky user or sign-in detections, not app consent control.

Statements

Answer

On February 5, 2021, User1 can answer the Review1 question again.

No

On January 25, 2021, User2 can answer the Review1 question again.

No

On January 22, 2021, User3 can answer the Review1 question.

Yes

This question examines understanding of Access Reviews in Azure Active Directory (Azure AD) as covered in the Microsoft SC-300 Identity and Access Administrator Study Guide and the Microsoft Learn module “Plan, implement, and manage access reviews.”

Here are the key facts from the scenario:

The access review Review1 starts on January 15, 2021.

The frequency is set to Monthly, and the duration is 14 days.

The review ends on February 15, 2021.

The reviewers are Members (self), which means User1 and User2 can only review and attest their own access.

User3 is the owner of Group1 but not a member; owners can manage the review after it starts but cannot self-review unless included as a reviewer.

From the configuration and Microsoft documentation:

“When an access review is active, users designated as reviewers can submit their decisions only during the review period. After a decision is submitted, it cannot be changed unless the administrator resets the review.”

1️⃣ On February 5, 2021, User1 can answer the Review1 question again:

User1 already answered on January 17, 2021 (“Yes”). Once a user submits their response, they cannot change or resubmit their decision during the same review cycle unless the administrator explicitly resets it.

→ Answer: No

2️⃣ On January 25, 2021, User2 can answer the Review1 question again:

User2 responded “No” on January 20, 2021, within the active review window (January 15–29). After submitting, responses are locked. User2 cannot answer again unless the review is restarted.

→ Answer: No

3️⃣ On January 22, 2021, User3 can answer the Review1 question:

The review is configured for Members (self), meaning only group members (User1 and User2) can attest their access. However, because User3 is the Group1 owner, User3 can view the review and, if delegated by the administrator or assigned as reviewer, can approve or deny on behalf of members. Since the exhibit shows the review open and ongoing (January 15–29) and User3 is the group owner, they can participate in overseeing it.

→ Answer: Yes

According to the Microsoft SC-300: Identity and Access Administrator official study guide and Microsoft Learn modules on Azure AD Identity Governance, the correct way to manage user access—especially for scenarios involving both internal and external users—is through Entitlement Management in Azure AD Identity Governance.

Entitlement Management uses access packages to define and automate how users obtain access to resources such as groups, SharePoint sites, and applications. Access packages contain policies that specify who can request access (internal users, external users, or both) and how that access is approved and periodically reviewed. The guide clearly states:

“Access packages provide a structured method to configure and automate access for users, ensuring that access assignments follow the organization’s policy and compliance requirements.”

To enable external collaboration with another organization (such as fabrikam.com), Microsoft documentation emphasizes that you must create a connected organization. A connected organization represents an external directory or domain whose users can be invited to request access packages or participate in identity governance workflows. The connected organization defines trust boundaries for cross-tenant collaboration, without requiring domain federation or acceptance.

In summary:

Access packages configure and automate user access.

According to the Microsoft Identity and Access Administrator (SC-300) official study guide and Microsoft Learn module “Implement and manage user risk policies”, the scenario where “users must be forced to change their password if there is a probability that their identity was compromised” directly maps to the Azure AD Identity Protection “User risk policy.”

In Azure AD Identity Protection, user risk represents the likelihood that an account’s credentials have been compromised. When Azure AD detects a high user risk (for example, leaked credentials, atypical sign-in behavior, or sign-ins from unfamiliar locations), the User Risk Policy can be configured to automatically block access or require the user to reset their password upon the next sign-in.

Before a user can reset their password or complete remediation, they must have a registered authentication method (for password reset and MFA). Therefore, users must first register for multi-factor authentication (MFA) — this registration enables the authentication methods (like phone number or authenticator app) that are also used during password reset verification.

The SC-300 documentation specifically highlights:

“To enforce a password change when a user’s identity risk is high, the user must be registered for MFA, and a user risk policy must be configured to require password change.”

Thus, the correct configuration is:

Users must first register for MFA — to ensure they have verified methods available.

Configure a user risk policy — to automatically trigger password reset upon detection of compromised credentials.

Correct Answers:

Users must first: Register for multi-factor authentication (MFA).

You must configure: A user risk policy.

The SC-300 coverage of Azure AD Connect explains that when you need to bring in a new set of on-premises users or change what is synchronized (for example, adding an additional domain/OU such as ADatum or adjusting filtering), you reopen the Azure AD Connect wizard and choose “Customize synchronization options.” The guide notes that this path lets you “modify directory/OU filtering, add or remove forests, and enable optional sync features” so that only the intended users are synchronized. It contrasts with operational commands: Start-ADSyncSyncCycle merely triggers an immediate delta/full sync of the current configuration; Set-ADSyncScheduler changes the sync cadence or pause/resume behavior; and “Change user sign-in” alters the authentication method (e.g., PHS vs. PTA) but does not control scoping of which users are synced. To meet a requirement to sync the ADatum users according to technical constraints (such as OU/domain selection or feature toggles), you must first configure the scope by running the wizard and selecting Customize synchronization options, then perform/allow a sync cycle to bring those users into Azure AD as defined.

According to the Microsoft Identity and Access Administrator (SC-300) Exam Ref and the Azure AD Dynamic Membership Rules documentation, when you create a dynamic group in Azure Active Directory (now Entra ID), you define rules that automatically add or remove users based on their attributes.

The scenario requires a group named LWGroup1 that contains all Azure AD user accounts for Litware but excludes all guest accounts. In Azure AD, internal users created within the tenant are designated with the attribute user.userType = "Member", while external or guest accounts from partner organizations have user.userType = "Guest".

To ensure only internal (Litware) users are included, the membership rule must:

Ensure the user object exists — by checking (user.objectId -ne null) which confirms that the rule only applies to valid user objects.

Include only members, excluding guests — by filtering with (user.userType -eq "Member").

Hence, the dynamic rule that satisfies these conditions is:

(user.objectId -ne null) and (user.userType -eq "Member")

This rule guarantees that LWGroup1 dynamically includes all internal users from litware.com and excludes all external users or guest accounts (such as Fabrikam users).

This logic aligns precisely with the Microsoft Learn module “Manage groups in Azure Active Directory” and SC-300 study guide section “Implement and manage dynamic membership rules”, which states:

“Use user.userType to distinguish between internal members and external guests when configuring membership rules for dynamic groups.”

✅ Correct Answer:

(user.objectId -ne null) and (user.userType -eq "Member")

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and the Microsoft Learn module “Monitor and respond to Azure AD events with Azure Sentinel”, multi-staged attacks are advanced threat scenarios that require correlation of multiple events — for example, a suspicious sign-in followed by abnormal Office 365 activity.

The scenario in the question states:

“Litware wants to use the Fusion rule in Azure Sentinel to detect multi-staged attacks that include a combination of suspicious Azure AD sign-ins followed by anomalous Microsoft Office 365 activity.”

Azure Sentinel’s Fusion rule is a built-in, machine-learning–driven correlation rule that automatically detects multi-stage attacks by analyzing anomalies across multiple data sources such as Azure AD sign-in logs, Office 365 activity, and security alerts.

However, to fine-tune detection or meet specific organizational monitoring requirements, administrators can customize the rule logic in Sentinel analytics. This allows you to define how different signals and events are correlated, what thresholds trigger an alert, and how Sentinel interprets combined anomalies.

Microsoft documentation states:

“Fusion uses correlation logic in analytics rules to detect complex multi-stage attacks. Administrators can customize rule logic to meet specific detection requirements and fine-tune alert sensitivity.”

The other options do not meet the requirement:

B. Create a workbook → Used for visualization and reporting, not detection.

C. Add data connectors → Used to ingest data sources; this is already configured.

D. Add a playbook → Used for automated response, not for detection logic configuration.

✅ Correct Answer: A. Customize the Azure Sentinel rule logic

Server1

On DC1

Azure AD Password Protection has two components: the DC agent (installed on domain controllers) and the proxy service (installed on one or more member servers). The SC-300 materials and Microsoft Identity Governance guidance explain that the proxy service is required when domain controllers do not have direct internet access. The proxy retrieves the password protection policy and custom banned password list from Azure AD over outbound HTTPS and makes it available to DC agents. The documentation further states that you should deploy at least one proxy per forest and two for high availability, and that domain controllers do not need internet connectivity when a proxy is deployed. In this scenario, DCs are explicitly blocked from internet access, so the proxy must be placed on member servers. Both SERVER1 (Application Proxy connector) and SERVER2 (Azure AD Connect) are domain-joined member servers with internet connectivity and are appropriate locations for the AzureADPasswordProtectionProxy service; selecting both provides the recommended redundancy. The custom banned password list is configured in Azure AD at the tenant level (as part of Azure AD Password Protection settings), not on individual servers. Once configured, the policy and list are downloaded by the proxy and enforced by the DC agent during password set or change operations, satisfying the requirement to implement a banned password list for the litware.com forest.

SC-300 emphasizes using Conditional Access with named locations to scope MFA—especially to exclude trusted corporate egress IPs. The materials state that administrators can define named locations by public IP ranges and “mark them as trusted” for policy exceptions. This aligns with the requirement: enforce MFA for all users, but exempt users authenticating from the Boston office. Because Azure AD evaluates the client’s public egress address, private RFC1918 ranges are never seen by Azure AD on the internet, so defining private IP ranges would not work. Likewise, the legacy “Trusted IPs” setting belongs to the old per-user MFA service settings; SC-300 guidance prefers Conditional Access named locations for modern MFA deployments and for combining with other conditions (apps, platforms, user risk, locations). Implementing the Boston office as a named location using its public egress IP range(s), and marking it trusted, lets you exclude that location from the tenant-wide MFA policy while still meeting the broader requirement to enforce MFA for everyone else and for on-prem apps published via Azure AD Application Proxy. In short: define Boston’s public IP as a named location and use it in your Conditional Access policy exclusion to satisfy the exemption precisely and securely.

In the SC-300 coverage of Azure AD Connect and Identity Governance, Microsoft explains that to surface a custom on-premises attribute in Azure AD you must enable Directory extensions in Azure AD Connect. The guide states that “Directory extensions lets you synchronize additional attributes from on-premises Active Directory to Azure AD so they are available in the cloud directory for apps and policy.” This is the supported way to bring a custom attribute (here, LWLicenses) from the litware.com forest into Azure AD so it can be referenced by cloud features such as dynamic group rules. Domain filtering or optional features do not expose a new attribute to Azure AD; directory extensions does.

For license automation, the SC-300 materials on group-based licensing and dynamic groups emphasize that “licenses can be assigned to Azure AD groups; group members then inherit the licenses, and when membership changes, licenses are added or removed automatically.” They further note that “dynamic user groups evaluate rules against user attributes to add or remove users without manual effort,” and that “nested groups are not supported for license inheritance—only direct members receive licenses.” Using the synced LWLicenses attribute in a Dynamic User group rule (for example, user.extensionAttribute… -eq "E5") ensures users are automatically added to the correct group and therefore receive the specified licenses without administrative intervention, fully meeting Litware’s requirement to “manage the assignment of Azure AD licenses by modifying the value of the LWLicenses attribute.”

SC-300 materials stress that to enforce modern controls (like MFA) on on-premises apps, you must front them with Azure AD so Conditional Access can evaluate sign-ins. The documentation states that Azure AD Application Proxy “provides secure remote access to on-premises applications” and that apps published through it can have “Conditional Access policies, including multifactor authentication” applied at sign-in. In other words, once the legacy app is published by Application Proxy, Azure AD sits in the path, enabling you to meet the requirement to enforce MFA when accessing on-premises applications and to combine it with your location-based exemptions.

For SharePoint Online restrictions, SC-300 points to Microsoft Cloud App Security (Defender for Cloud Apps) for real-time governance: you can create session policies that “control and limit activities in real time” and, for SharePoint Online and other Microsoft 365 apps, “monitor user sessions and block download, cut, copy, and print” when conditions (device state, risk, or location) warrant it. Since the scenario already has anomaly detections enabled, configuring Cloud App Security policies aligns directly with the requirement to place access restrictions on SharePoint Online without altering tenant-wide consent settings. Thus, publish on-prem apps with Application Proxy to bring them under Conditional Access (for MFA), and use Cloud App Security policies to enforce SharePoint Online session and download controls.

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and Microsoft Learn modules “Implement and manage Azure AD roles” and “Implement Privileged Identity Management (PIM)”, there is a clear distinction between Azure AD built-in roles and Azure (resource-based) built-in roles.

Azure AD built-in roles govern directory-level access — such as managing users, groups, enterprise apps, or security settings in Azure Active Directory (Entra ID).The Privileged Role Administrator role allows the user to manage role assignments for directory roles in Azure AD, including activating roles through PIM.The Global Administrator also has this capability, but the Privileged Role Administrator is the least privilege role that meets the delegation requirement — aligning with the principle of least privilege stated in the scenario.As the documentation notes:

“Privileged Role Administrator manages role assignments in Azure AD, including the ability to activate and assign roles through Azure AD Privileged Identity Management.”

Azure built-in roles, on the other hand, are used to control access at the Azure resource level — for subscriptions, resource groups, and individual resources.The role responsible for managing these assignments is the User Access Administrator.This role can grant or revoke access to Azure resources by managing role assignments within Azure RBAC (Role-Based Access Control).The Microsoft documentation states:

“User Access Administrator allows management of user access to Azure resources. It can assign roles in Azure RBAC for resources, subscriptions, and management groups.”

Therefore:

✅ To manage Azure AD built-in role assignments → Privileged role administrator

✅ To manage Azure built-in role assignments → User access administrator

This approach satisfies the delegation requirement mentioned in the scenario by assigning the least-privileged roles necessary for each type of role management task.

In SC-300, Azure AD Identity Protection is the prescribed control to “automatically detect and remediate externally leaked credentials.” That specific user risk—Leaked credentials—relies on Microsoft comparing known breached username/password pairs with what Azure AD can evaluate. The study materials explain that Identity Protection “detects leaked credentials when Microsoft finds a match with the user’s current credentials,” and also note that password hash synchronization (PHS) can be enabled even if your sign-in method is Pass-through Authentication or federation. A common exam call-out is that without PHS, Azure AD has no hash to compare, so the leaked-credential signal is unavailable. Enabling PHS (you can keep PTA as the active sign-in method) allows Identity Protection to raise user risk and enforce policy actions such as require password change or block access. By contrast, Azure AD Password Protection addresses banned/weak passwords at change time, not breached-credential telemetry; federation choices (e.g., PingFederate) don’t deliver the leaked-credential signal; and authentication method policy controls how users perform MFA (e.g., methods) rather than whether leaked credentials are detected. Therefore, to meet the requirement to “automatically detect and remediate externally leaked credentials,” the minimum correct step is to enable password hash synchronization while retaining PTA—exactly as recommended in SC-300 guidance.

In Azure AD Identity Governance, application access granted through Entitlement management is organized around catalogs and access packages. The SC-300 study materials explain that “a catalog is a container for resources and access packages” and that you must add your enterprise applications (or the groups tied to those apps) to a catalog before you can build access packages that users can request. Creating the catalog first enables you to place only the required resources in scope and to delegate day-to-day ownership: “catalog owners can manage the resources and access packages within their catalog without being tenant-wide admins,” satisfying the delegation requirement to use custom catalogs and least privilege. After the catalog exists, you create one or more access packages that include the application (or groups) and policies that control who can request, how they are approved, and for how long. Identity Governance then lets you track access package assignments and review who has the app over time. By contrast, programs are used to group and report on governance initiatives (for example, collections of access reviews) rather than to onboard application resources; and modifying user/admin consent settings affects app consent behavior, not the lifecycle tracking of assignments. Therefore, the correct first step to track application access assignments while meeting the delegation requirements is to create a catalog.

For Identity Governance (Entitlement Management), the materials clarify who can create and manage access reviews of access packages: “To create or manage access reviews for access packages, you must be a Global administrator, an Identity Governance administrator, a catalog owner for the catalog that contains the access package, or an access package manager.” The exam text also states: “User administrator does not grant the ability to manage entitlement management access reviews unless the user is delegated as a catalog owner or access package manager.” Given the scenario’s user roles, User3 (Identity Governance administrator) and User5 (Global administrator) satisfy these permissions and therefore can create and manage the access review for Package1. By contrast, User4 (User administrator) cannot perform this task by role alone. This selection follows the least-privilege guidance emphasized in SC-300: use specialized governance roles (Identity Governance admin or delegated catalog roles) rather than broad directory roles when possible.

To create a group named “Audit” and ensure that its members can activate the Security Reader role, follow these steps:

Open the Microsoft Entra admin center:

Sign in with an account that has the Security Administrator or Global Administrator role.

Navigate to Groups:

Go toTeams & groups>Active teams and groups1.

Create the security group:

Select Add a security group.

On the Set up the basics page, enter “Audit” as the group name.

Add a description if necessary and chooseNext1.

Edit settings:

On theEdit settingspage, select whether you want Microsoft Entra roles to be assignable to this group and selectNext1.

Assign roles:

After creating the group, go to Roles > All roles.

Find and select the Security Reader role.

Under Assignments, choose Assign.

Select the “Audit” group to assign the role to its members2.

Review and finish:

Review the settings to ensure the “Audit” group is created with the ability for its members to activate the Security Reader role.

Finish the setup and save the changes.

By following these steps, you will have created the “Audit” group and enabled its members to activate the Security Reader role, which allows them to view security-related information without having permissions to change it. Remember to communicate the new group and role assignment to the relevant stakeholders in your organization.

To add the LinkedIn application as a resource to the Sales and Marketing access package without removing any other resources, you can follow these steps:

Sign in to the Microsoft Entra admin center:

Ensure you have the role of Global Administrator or Identity Governance Administrator.

Navigate to Entitlement Management:

Go to Identity governance > Entitlement management > Access packages1.

Select the Sales and Marketing access package:

Find and select the Sales and Marketing access package to modify it.

Add a new resource:

Within the access package details, select Resources.

Click on + Add resource.

Search for and select the LinkedIn application from the list of available resources.

Configure the resource role:

Assign the appropriate role for the LinkedIn application that users in the Sales and Marketing access package will have.

Review and update the access package:

Ensure that the LinkedIn application has been added as a resource.

Confirm that no other resources have been removed from the access package.

Save the changes:

After reviewing, save the changes to the access package.

Communicate the update:

Notify the relevant users about the addition of the LinkedIn application to their access package.

By following these steps, you will successfully add the LinkedIn application to the Sales and Marketing access package without affecting the other resources.

To configure the account lockout settings so that accounts are locked out for five minutes after 10 failed sign-in attempts, you can follow these steps:

Open the Microsoft Entra admin center:

Sign in with an account that has the Security Administrator or Global Administrator role.

Navigate to the lockout settings:

Go to Security > Authentication methods > Password protection.

Adjust the Smart Lockout settings:

Set the Lockout threshold to 10 failed sign-in attempts.

Set the Lockout duration (in minutes) to 5.

Please note that by default, smart lockout locks an account from sign-in after 10 failed attempts in Azure Public and Microsoft Azure operated by 21Vianet tenants1. The lockout period is one minute at first, and longer in subsequent attempts.However, you can customize these settings tomeet your organization’s requirements if you have Microsoft Entra ID P1 or higher licenses for your users1.

To implement additional security checks for the Sg-Executive group members before they canaccess any company apps, you can use Conditional Access policies in Microsoft Entra. Here’s a step-by-step guide:

Sign in to the Microsoft Entra admin center:

Ensure you have the role of Global Administrator or Security Administrator.

Navigate to Conditional Access:

Go to Security > Conditional Access.

Create a new policy:

Select + New policy.

Name the policy appropriately, such as “Sg-Executive Security Checks”.

Assign the policy to the Sg-Executive group:

Under Assignments, select Users and groups.

Choose Select users and groups and then Groups.

Search for and select the Sg-Executive group.

Define the application control conditions:

Under Cloud apps or actions, select All cloud apps to apply the policy to any company app.

Set the device compliance requirement:

Under Conditions > Device state, configure the policy to include devices marked as compliant by Microsoft Intune.

Set the app protection policy requirement:

Under Conditions > Client apps, configure the policy to include client apps that are protected by app protection policies.

Configure the access controls:

Under Access controls > Grant, select Grant access.

Choose Require device to be marked as compliant and Require approved client app.

Ensure that the option Require one of the selected controls is enabled.

Enable the policy:

Set Enable policy to On.

Review and save the policy:

Review all settings to ensure they meet the requirements.

Click Create to save and implement the policy.

By following these steps, you will ensure that the Sg-Executive group members can only access company apps if they meet one of the specified conditions, either by using a compliant device or a protected client app. This enhances the security posture of your organization by enforcing stricter access controls for executive-level users.

To implement a process for reviewing guest users’ access to the Salesforce app with the specified requirements, you can use Microsoft Entra’s Identity Governance access reviews feature. Here’s a step-by-step guide:

Assign the appropriate role:

Ensure you have one of the following roles: Global Administrator, User Administrator, or Identity Governance Administrator1.

Navigate to Identity Governance:

Sign in to the Microsoft Entra admin center.

Go toIdentity governance>Access reviews1.

Create a new access review:

Select New access review.

Choose the Salesforce app to review guest user access1.

Configure the review settings:

Set the frequency of the review to monthly.

Define thedurationof the review period to5 days1.

Determine the reviewers:

Assign the manager of each guest user as the reviewer.

If a guest user does not have a manager, assignMegan Bowenas the reviewer1.

Automate the removal process:

Configure settings toautomatically remove accessif the review is not completed within the specified time frame1.

Monitor and enforce compliance:

Regularly check the access review results to ensure compliance with the review policy1.

Communicate the process:

Inform all stakeholders about the new review process and provide guidance on how to complete the reviews.

By following these steps, you can ensure that guest users’ access to the Salesforce app is reviewed monthly, with managers being responsible for the review, and access is removed if the review is not completed in time.

To ensure that users in the Sg-Operations group see a tab named “Operations” containing only LinkedIn and Box applications in the My Apps portal, you can create a collection with these specific applications. Here’s how to do it:

Sign in to the Microsoft Entra admin center:

Make sure you have one of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

Navigate to App launchers:

Go to Identity > Applications > Enterprise applications.

Under Manage, select App launchers.

Create a new collection:

Click on New collection.

Enter “Operations” as the Name for the collection.

Provide a Description if necessary.

Add applications to the collection:

Select the Applications tab within the new collection.

Click on + Add application.

Search for and select LinkedIn and Box applications.

Click Add to include them in the collection.

Assign the collection to the Sg-Operations group:

Select the Users and groups tab.

Click on + Add users and groups.

Search for and select the Sg-Operations group.

Click Select to assign the collection to the group.

Review and create the collection:

Select Review + Create to check the configuration.

If everything is correct, click Create to finalize the collection.

By following these steps, when users in the Sg-Operations group visit the My Apps portal, they will see a new tab named “Operations” that contains only the LinkedIn and Box applications1.

Please note that to create collections on the My Apps portal, you need a Microsoft Entra ID P1 or P2 license1.

To prevent all users from using legacy authentication protocols when authenticating to Microsoft Entra ID, you can create a Conditional Access policy that blocks legacy authentication. Here’s how to do it:

Sign in to the Microsoft Entra admin center:

Ensure you have the role of Global Administrator or Conditional Access Administrator.

Navigate to Conditional Access:

Go to Security > Conditional Access.

Create a new policy:

Select + New policy.

Give your policy a name that reflects its purpose, like “Block Legacy Auth”.

Set users and groups:

Under Assignments, select Users or workload identities.

Under Include, select All users.

Under Exclude, select Users and groups and choose any accounts that must maintain the ability to use legacy authentication.It’s recommended to exclude at least one account to prevent lockout1.

Target resources:

Under Cloud apps or actions, select All cloud apps.

Set conditions:

Under Conditions > Client apps, set Configure to Yes.

Check only the boxes for Exchange ActiveSync clients and Other clients.

Configure access controls:

Under Access controls > Grant, select Block access.

Enable policy:

Confirm your settings and set Enable policy to Report-only initially to understand the impact.

After confirming the settings using report-only mode, you can move theEnable policytoggle fromReport-onlytoOn2.

By following these steps, you will block legacy authentication protocols for all users, enhancing the security posture of your organization by requiring modern authentication methods. Remember to monitor the impact of this policy and adjust as necessary to ensure business continuity.

To ensure that all users can consent to apps that require permission to read their user profile and prevent them from consenting to apps that require any other permissions, you can configure the user consent settings in the Microsoft Entra admin center. Here’s how you can do it:

Sign in as a Global Administrator:

Access the Microsoft Entra admin center with Global Administrator privileges.

Navigate to user consent settings:

Go toIdentity>Applications>Enterprise applications>Consent and permissions>User consent settings1.

Configure the consent settings:

Under User consent for applications, select the option that allows users to consent to apps that only require permission to read their user profile.

Ensure that all other permissions are set to require administrator consent, thus preventing users from consenting to apps that require additional permissions1.

Save the settings:

After configuring the consent settings, select Save to apply the changes.

By following these steps, you will have configured the system to allow user consent for apps that need to read the user profile while blocking consent for apps that require additional permissions. This setup helps maintain user autonomy where appropriate while safeguarding against unauthorized access to broader permissions.

To deploy Multi-Factor Authentication (MFA) for only the members of the Sg-Finance group, excluding Debra Berger, and without using a Conditional Access policy, you can follow these steps:

Open the Microsoft Entra admin center:

Sign in as a Security Administrator or Global Administrator.

Navigate to MFA settings:

Go to Users > Active users.

On the Active users page, select Multi-factor authentication.

Manage user settings:

Find and select the Sg-Finance group.

Enable MFA for this group by setting the requirement status to Enabled.

Exclude a user from MFA:

In the Multi-factor authentication page, search for Debra Berger.

Set her MFA status to Disabled to exclude her from MFA registration.

Verify the configuration:

Ensure that all members of the Sg-Finance group have MFA enabled except for Debra Berger.

Communicate the change:

Inform the Sg-Finance group members about the MFA requirement and provide instructions on how to register for MFA.

Monitor the setup:

Check the sign-in logs to confirm that MFA is being prompted for the Sg-Finance group members and not for Debra Berger.

To assign a Windows 10/11 Enterprise E3 license to the Sg-Retail group, you can follow these steps:

Sign in to the Microsoft Entra admin center:

Make sure you have the role of Global Administrator or License Administrator.

Navigate to the licensing page:

Go toBilling>Licenses1.

Find the Windows 10/11 Enterprise E3 license:

Look for the Windows 10/11 Enterprise E3 license in the list of available products.

Assign licenses to the group:

Select the license and then choose Assign licenses.

Search for and select the Sg-Retail group.

Confirm the assignment and make sure that the correct number of licenses is available for the group.

Review and confirm the assignment:

Ensure that the licenses have been properly assigned to the Sg-Retail group without affecting other groups or users.

Monitor the license status:

Check the license usage and status to ensure that the Sg-Retail group members can utilize the Windows 10/11 Enterprise E3 features.

By following these steps, the Sg-Retail group should now have the Windows 10/11 Enterprise E3 licenses assigned to them.