What SC-300 Questions and Answers feature?

When registering an application in Azure Active Directory (Azure AD) for authentication, one of the key configuration items is the redirect URI. According to Microsoft Identity Platform Documentation and the SC-300 official study guide, the redirect URI (or reply URL) specifies where Azure AD should send the authorization code or access token after a successful sign-in.

The guide explains:

“During app registration, Azure AD requires a redirect URI to identify where authentication responses are sent. For web apps, this must be a valid HTTPS endpoint where your app listens for responses from the Azure AD authorization endpoint.”

In contrast:

The executable name, bundle ID, and package name are identifiers relevant to desktop or mobile app packaging and are not part of Azure AD web app registration configuration.

Only the redirect URI ensures proper return of authentication tokens in OAuth 2.0 and OpenID Connect flows.

Thus, when registering a .NET web app (App1) for Azure AD authentication, you must configure the redirect URI to handle token responses securely.

In SC-300 materials covering Microsoft Entra application identities and managed identities for Azure resources, an app you register in the tenant is represented for access control by a service principal: “An application registration creates an application object in its home tenant and a corresponding service principal in any tenant where the app is used. The service principal is the identity used for sign-in, consent, and authorization to resources.” This aligns with App1 being a registered app that must authenticate to Storage by Microsoft Entra; the principal you grant roles to on the storage account is the service principal of that app.

For App2, the requirement is to access Storage “by using a single Microsoft Entra identity” while the workload runs on two VMs (VM1 and VM2). SC-300 explains: “A user-assigned managed identity is an independent Azure resource. You can assign the same user-assigned identity to one or more Azure resources.” In contrast, “A system-assigned managed identity is enabled on a single Azure resource and is deleted with that resource.” Because App2 must share one identity across multiple hosts, the correct choice is a user-assigned managed identity, which provides a single, reusable identity whose lifecycle is separate from VM1 and VM2 and can be granted Storage roles once and used by both machines.

According to the Microsoft SC-300 Study Guide, Exam Ref SC-300, and Microsoft Entra External Collaboration (B2B) documentation, the configuration of External collaboration settings in Azure AD determines how guest users can access directory data and who can invite them into the tenant.

Let’s analyze each requirement in context:

“Guest users must be prevented from querying staff email addresses.”

To achieve this, Azure AD provides the setting Guest user access restrictions, which defines what a guest can see in the directory. The most restrictive setting ensures that guest users can only see their own profile details and no other users or groups.

✅ Therefore, select:

“Guest user access is restricted to properties and memberships of their own directory objects (most restrictive).”

This prevents guests from discovering internal directory data such as email addresses of staff members or group memberships.

“Guest users must be able to access the tenant only if they are invited by User1.”

User1 has the User Administrator role. This role is included among the “specific admin roles” allowed to invite guest users when the setting is configured appropriately.

To meet the requirement that only User1 (or other admins) can invite guests, you must configure:

✅ “Only users assigned to specific admin roles can invite guest users.”

This restricts invitation privileges to admin roles (such as Global Administrator, User Administrator, etc.) and prevents ordinary users or guests from inviting others.

“Guests should not be able to self-enroll.”

Azure AD B2B allows self-service sign-up through user flows (Identity Experience Framework). Enabling this feature would let external users sign up themselves — which violates the condition that guests must be invited by User1 only.

✅ Therefore, set Enable guest self-service sign-up via user flows = No.

Setting

Value

Guest user access restrictions

Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)

Guest invite restrictions

Only users assigned to specific admin roles can invite guest users

Enable guest self-service sign-up via user flows

No

📘 Microsoft Official Documentation Reference (SC-300 Content):

“To prevent guests from seeing other users in the directory, configure guest user access restrictions to ‘most restrictive.’

To control who can invite guests, use the setting that limits invitations to users with admin roles.

To disallow self-service guest access, disable user flows for external sign-up.”