SC-300 Exam Dumps - Microsoft Identity and Access Administrator

According to the official Microsoft Identity and Access Administrator (SC-300) Study Guide and the Azure Active Directory documentation under “Enable and configure self-service password reset (SSPR)”, when self-service password reset is enabled, the available authentication methods depend on the user’s role within Azure AD. Specifically, administrative roles require stronger authentication methods than regular users.

The Microsoft documentation states:

“Security questions are available only to users who are not administrators. Any user assigned an administrative role must use secure authentication methods such as email, mobile app, or phone verification.”

This restriction ensures that privileged accounts (e.g., User Administrator, Password Administrator, Global Administrator, Security Administrator, etc.) use stronger, phishing-resistant recovery options.

In the provided table:

User1 (User Administrator) and User2 (Password Administrator) are administrators — they cannot use security questions for SSPR.

User3 (Security Reader) and User4 (User) are non-administrative roles, therefore, they can use security questions when resetting their passwords.

Hence, only User3 and User4 will be required to answer security questions during password reset.

SC-300 teaches that group-based licensing supports security groups and Microsoft 365 groups, with assigned or dynamic user membership. The guide states: “Licenses can be assigned to groups whose members are users ; nested groups aren’t processed and devices cannot be licensed .” Applying this to the table: Group1 (Security-Assigned) and Group2 (Security-Dynamic User) are valid; Group4 (Microsoft 365-Assigned) and Group5 (Microsoft 365-Dynamic User) are also valid. Group3 is a Security-Dynamic Device group and therefore ineligible because “device objects do not receive user licenses.” Consequently, the Office 365 E5 license can be assigned directly to Group1, Group2, Group4, and Group5 only.

Identities with Owner role: Managed1, Managed2, VM1, and VM2 only

Virtual machines assigned to Managed2: VM2 and VM4 only

In Azure RBAC, role assignments can be made to Azure AD security principals , including managed identities (user-assigned and system-assigned) . The SC-300 learning path on Identity Governance and Privileged Access, and the Exam Ref coverage of Azure RBAC, explain that a system-assigned managed identity is a service principal tied to a single resource, and you can assign RBAC at any scope (subscription, resource group, or resource) to that identity. A user-assigned managed identity is an independent Azure resource with its own service principal; it can also be granted roles at the resource group scope. Therefore, the assignable principals for RG1 include the two user-assigned identities ( Managed1 , Managed2 ) and the two VMs that have system-assigned identities ( VM1 , VM2 ). VM3 does not present a system-assigned identity; its access is represented by Managed1 .

For attaching a user-assigned identity to a virtual machine, SC-300 materials note that the identity and the target resource must be in the same region (often phrased as “user-assigned identities are regional; the identity and the resource must share a region”). Since Managed2 is in West US , it can be associated only with West US VMs—here, VM2 and VM4 .

Microsoft Entra ID (Azure AD) supports soft-delete for application objects for 30 days after deletion. The SC-300 materials explain that administrators can recover deleted applications within 30 days ; objects deleted beyond that window become non-recoverable. The guide also distinguishes between the application (app registration) and the service principal (enterprise application) : the app registration contains credentials (client secrets/certificates) and app role definitions , while the tenant’s service principal contains tenant-specific settings such as assignments and self-service configuration . The study content states that recovery operations restore the deleted application object and its schema (including defined app roles and credentials) if performed within the retention window, whereas tenant-scoped assignments and end-user self-service settings are not guaranteed to be recovered because they are specific to the service principal in the tenant.

Applying this: the apps were deleted April 5 and restoration is attempted April 16 , which is inside the 30-day window. However, the exam scenario emphasizes the timing of tenant-side updates in March; App1’s updates are older than 30 days by April 16 , so it falls outside the reliable recovery period for those settings, while App2–App4 remain within it. For App4 , the restorability applies to the application object contents— app roles and the client secret —not the tenant-specific Users and groups assignments or Self-service configuration. Hence: Apps = App2, App3, and App4 only ; App4 settings = App roles and Client secret only .

Microsoft Entra Permissions Management (formerly CloudKnox) integrates with Azure subscriptions via a service principal that must read and write role assignments to analyze and right-size permissions. The User Access Administrator role provides this ability without full ownership privileges.

The SC-300 guide explicitly notes that to allow automatic monitoring and remediation of permissions, “the Permissions Management service principal must have the User Access Administrator role on the target subscription or management group to modify and create RBAC assignments.”

Reader (A) and Contributor (B) roles cannot manage RBAC permissions, while Owner (C) grants unnecessary broad control, violating the principle of least privilege.

This scenario is based on how Azure AD Multi-Factor Authentication (MFA) statuses transition between Disabled , Enabled , and Enforced states, as documented in the Microsoft SC-300: Microsoft Identity and Access Administrator Study Guide and Microsoft Learn – Configure and deploy MFA in Azure Active Directory .

Let’s analyze the details step-by-step using the exhibits:

Initial MFA Configuration (February 1, 2021)

User1: Disabled

User2: Enabled

User3: Enforced

MFA Policy Setting

“Allow users to remember multi-factor authentication on devices they trust” is enabled .

“Number of days users can trust devices for” is 20 days . This means that once a user completes MFA on a trusted device, they won’t be prompted again for 20 days on that same device.

User Sign-in Activity:

User1: Signs in on Feb 2 and again on Feb 21

User2: Signs in on Feb 5

User3: Already in Enforced state (so continuous MFA enforcement applies)

State Transitions per Microsoft Documentation:

Disabled: User cannot register or use MFA.

Enabled: User is registered for MFA but not yet required at every sign-in. Once they complete registration, they remain Enabled until admin enforces it.

Enforced: User must use MFA at every sign-in.

Timeline Evaluation:

User1 was initially Disabled , so even though they sign in multiple times (Feb 2 and Feb 21), MFA remains disabled unless the admin manually changes the setting — therefore, User1 = Disabled .

User2 was Enabled on Feb 1, and signed in on Feb 5 — this allows them to register for MFA (move from Enabled → Enforced ) once registration completes. By Feb 26, they would be in Enforced state.

User3 was already Enforced from the start, and their state remains unchanged.

Thus, by February 26, 2021 , the MFA status should be:

User1: Disabled

User2: Enforced

User3: Enforced

This matches Option B exactly.

Microsoft references (Azure AD MFA Overview):

“Enabled users move to Enforced when they complete MFA registration. Enforced users must use MFA every time they sign in.”

ï‚· User1 can sign in by using multi-factor authentication (MFA): No

ï‚· User2 can sign in by using multi-factor authentication (MFA): No

ï‚· User3 can sign in from an anonymous IP address: No

This scenario is based on Azure AD Identity Protection and its two core conditional access mechanisms:

User risk policy — evaluates the probability that a user ' s identity might be compromised.

Sign-in risk policy — evaluates the probability that a sign-in attempt might not be performed by the legitimate user.

Let’s analyze step-by-step based on the tables provided:

Risk level: Low

User risk policy: Applies to Low and above (so Low, Medium, and High users).

Control: Block access.

Action performed: Confirm user compromised. Confirming a user as compromised keeps or increases their risk level until the user is remediated (i.e., password reset). Because the policy blocks access for any user risk “Low and above,” User1’s sign-in is blocked, and MFA will not be prompted — access is denied.

🔹 User1 ✅ User1 MFA sign-in: No

Initial risk level: Medium

Actions performed:

Confirm sign-in safe → clears that sign-in’s risk.

Confirm user compromised → elevates user risk back to “High.”

Policies applied:

User risk policy (Low and above): Blocks access.

Sign-in risk policy: Applies only to High sign-ins (not relevant here).

🔹 User2 Since User2’s user risk is set to High after confirming compromised, the User risk policy blocks access for “Low and above.”

Therefore, MFA is not allowed (the session is denied outright).

✅ User2 MFA sign-in: No

User risk: High

Action performed: Dismiss user risk → resets the user risk to “No risk.”

Sign-in policy: High sign-in risk → block access. If User3 signs in from an anonymous IP, Azure AD Identity Protection detects this as a High sign-in risk (per Microsoft documentation). Since the sign-in risk policy blocks all high sign-ins, access will be blocked.

🔹 User3 ✅ User3 anonymous IP sign-in: No