Sample Questions and Answers
How can you restrict access to Azure AD resources based on geographic location?
A) Use Named Locations in Conditional Access policies
B) Assign licenses based on country
C) Use password policies
D) Use device compliance policies
Answer: A) Use Named Locations in Conditional Access policies
Explanation: Named Locations enable location-based access control.
What is Azure AD Connect primarily used for?
A) Synchronizing on-premises AD objects to Azure AD
B) Managing Conditional Access policies
C) Enabling MFA
D) Publishing applications
Answer: A) Synchronizing on-premises AD objects to Azure AD
Explanation: Azure AD Connect syncs user accounts, groups, and other objects.
Which authentication method does Azure AD use when enabling password hash synchronization?
A) Hash of the user’s password is synced and used for authentication in Azure AD
B) Passwords are stored in plain text
C) Passwords are sent to Microsoft via email
D) Passwords are not synced
Answer: A) Hash of the user’s password is synced and used for authentication in Azure AD
Explanation: Password hash synchronization hashes the password and syncs it securely.
Which feature in Azure AD allows for authentication of users through social accounts like Google or Facebook?
A) Azure AD B2C
B) Azure AD B2B
C) Azure AD Domain Services
D) Azure AD Connect
Answer: A) Azure AD B2C
Explanation: Azure AD B2C is designed for consumer identity and access management, allowing authentication through social identity providers.
What is the purpose of an Azure AD Access Package in entitlement management?
A) Bundles resources and policies for users to request access easily
B) Assigns licenses to users
C) Configures MFA settings
D) Syncs on-premises identities
Answer: A) Bundles resources and policies for users to request access easily
Explanation: Access packages help manage access lifecycle for external and internal users.
Which of the following can be used to protect an Azure AD privileged role from permanent assignment?
A) Azure AD Privileged Identity Management (PIM)
B) Azure AD Identity Protection
C) Conditional Access policies
D) Self-service password reset
Answer: A) Azure AD Privileged Identity Management (PIM)
Explanation: PIM enables just-in-time access and approval workflows to reduce risks.
What does the Azure AD risk-based conditional access feature analyze?
A) Sign-in risk based on unusual or suspicious sign-in activities
B) Device compliance only
C) User group membership
D) License assignments
Answer: A) Sign-in risk based on unusual or suspicious sign-in activities
Explanation: It evaluates various signals to detect risky sign-ins.
What is the function of an Azure AD tenant?
A) Represents an instance of Azure AD for an organization
B) Syncs users to on-premises AD
C) Assigns licenses
D) Hosts Azure virtual machines
Answer: A) Represents an instance of Azure AD for an organization
Explanation: The tenant is a dedicated Azure AD instance that contains users, groups, and applications.
Which Azure AD role can manage Conditional Access policies?
A) Security Administrator
B) Global Reader
C) Billing Administrator
D) User Administrator
Answer: A) Security Administrator
Explanation: Security Administrators have permissions to manage Conditional Access policies.
What is the recommended MFA method for better security and user experience?
A) Microsoft Authenticator app with push notifications
B) SMS text messages
C) Email verification
D) Voice call
Answer: A) Microsoft Authenticator app with push notifications
Explanation: It’s more secure and less vulnerable to attacks than SMS or voice.
What type of token does Azure AD issue after a successful authentication to represent user identity information?
A) ID Token
B) Access Token
C) Refresh Token
D) Security Token
Answer: A) ID Token
Explanation: The ID token contains claims about the user for the client application.
What is the minimum role needed to create and manage Azure AD Conditional Access policies?
A) Security Administrator
B) User Administrator
C) Global Reader
D) Billing Administrator
Answer: A) Security Administrator
Explanation: Security Administrator role grants permissions to configure Conditional Access.
What is the purpose of Azure AD Application Proxy connectors?
A) To securely publish on-premises applications to users outside the corporate network
B) To synchronize users between Azure AD and on-premises AD
C) To assign licenses to users
D) To reset user passwords
Answer: A) To securely publish on-premises applications to users outside the corporate network
Explanation: Connectors provide secure remote access to internal apps.
Which Azure AD feature enables users to delegate access to their resources to applications?
A) OAuth 2.0 delegated permissions
B) SAML 2.0 authentication
C) Azure AD B2B collaboration
D) Conditional Access policies
Answer: A) OAuth 2.0 delegated permissions
Explanation: OAuth 2.0 allows users to grant applications limited access to their resources.
What is the main benefit of using Microsoft Cloud App Security in conjunction with Azure AD?
A) It provides additional visibility and control over cloud app usage and data
B) It manages device enrollment
C) It syncs passwords
D) It assigns licenses
Answer: A) It provides additional visibility and control over cloud app usage and data
Explanation: It enhances security posture by monitoring cloud apps.
What kind of Azure AD group is best suited for managing permissions for resources accessed by users outside your organization?
A) Security group with guest users
B) Distribution group
C) Dynamic group with internal users only
D) Office 365 group
Answer: A) Security group with guest users
Explanation: Security groups can contain guest users for external access.
Which of the following is a federated identity provider supported by Azure AD?
A) Active Directory Federation Services (AD FS)
B) Microsoft Outlook
C) Microsoft Teams
D) Power BI
Answer: A) Active Directory Federation Services (AD FS)
Explanation: AD FS allows federation of identities with Azure AD for SSO.
What feature allows users to authenticate using biometrics or PIN on Windows 10 devices?
A) Windows Hello for Business
B) Azure AD Connect
C) Conditional Access
D) Azure AD B2C
Answer: A) Windows Hello for Business
Explanation: Provides strong, passwordless authentication options.
What is the primary purpose of Azure AD B2B collaboration?
A) To provide secure access for external users to your organization’s resources
B) To manage consumer sign-ins
C) To synchronize passwords from on-premises AD
D) To manage device compliance
Answer: A) To provide secure access for external users to your organization’s resources
Explanation: B2B collaboration securely shares apps and data with partners.
What is the function of an Access Token in Azure AD?
A) Grants applications permission to access resources on behalf of a user
B) Contains user profile information
C) Is used for license assignment
D) Resets user passwords
Answer: A) Grants applications permission to access resources on behalf of a user
Explanation: Access tokens are used for authorization.
Which of the following is not a recommended practice for managing privileged accounts in Azure AD?
A) Assign permanent Global Administrator rights to all admins
B) Use Privileged Identity Management for just-in-time access
C) Enable MFA for privileged roles
D) Use access reviews regularly
Answer: A) Assign permanent Global Administrator rights to all admins
Explanation: Permanent admin rights increase security risks.
What is the Azure AD feature that automatically blocks sign-ins from suspicious IP addresses?
A) Azure AD Identity Protection
B) Azure AD Connect
C) Conditional Access policies
D) Azure AD Domain Services
Answer: A) Azure AD Identity Protection
Explanation: It can automatically block risky sign-ins based on IP reputation.
What protocol does Azure AD primarily use for SSO in SaaS applications?
A) SAML 2.0
B) FTP
C) SMTP
D) DHCP
Answer: A) SAML 2.0
Explanation: SAML 2.0 is widely used for single sign-on in SaaS apps.
Which Azure AD role allows viewing sign-in and audit logs but cannot change settings?
A) Global Reader
B) Security Administrator
C) User Administrator
D) Global Administrator
Answer: A) Global Reader
Explanation: Global Reader has read-only access to Azure AD information.
What feature can help organizations comply with data protection regulations by ensuring access is granted only to necessary users?
A) Access Reviews
B) Azure AD Connect
C) Azure AD B2C
D) Application Proxy
Answer: A) Access Reviews
Explanation: Access reviews validate and certify user access periodically.
What is the maximum number of users supported in an Azure AD dynamic group?
A) 50,000
B) 10,000
C) 1,000
D) Unlimited
Answer: A) 50,000
Explanation: Dynamic groups support up to 50,000 members.
Which of the following methods can be used to provision users from Azure AD to a SaaS app?
A) SCIM (System for Cross-domain Identity Management)
B) FTP
C) SMTP
D) OAuth
Answer: A) SCIM (System for Cross-domain Identity Management)
Explanation: SCIM automates user provisioning and de-provisioning.
Which Azure AD role is responsible for resetting passwords for all users?
A) Password Administrator
B) Global Administrator
C) User Administrator
D) Billing Administrator
Answer: A) Password Administrator
Explanation: Password Admins can reset passwords for non-admin users.
Which Azure AD license plan includes Identity Protection and Privileged Identity Management?
A) Azure AD Premium P2
B) Azure AD Free
C) Azure AD Basic
D) Microsoft 365 Business Basic
Answer: A) Azure AD Premium P2
Explanation: Premium P2 includes advanced security features.
What is the purpose of Azure AD Seamless Single Sign-On (SSO)?
A) Automatically signs users in when they are on their corporate network without typing passwords again
B) Requires MFA every sign-in
C) Synchronizes passwords to Azure AD
D) Disables guest access
Answer: A) Automatically signs users in when they are on their corporate network without typing passwords again
Explanation: It improves user experience on domain-joined devices.
What is the recommended way to secure administrative access to Azure AD?
A) Enable MFA and use Privileged Identity Management for just-in-time access
B) Assign permanent Global Administrator role without MFA
C) Use password synchronization only
D) Disable Conditional Access policies
Answer: A) Enable MFA and use Privileged Identity Management for just-in-time access
Explanation: This is the best practice for reducing the attack surface.