SC-300 Exam Dumps - Microsoft Identity and Access Administrator

First create: ✅ An Azure Automation account

Distribute Catalog1 by using: ✅ An access package

According to the Microsoft SC-300 study guide and Microsoft Entra Identity Governance documentation, when creating custom extensions for Entitlement Management catalogs, the extensions must be hosted in an Azure Automation account. This automation account provides the execution environment for scripts or runbooks that perform external actions when certain events occur, such as user assignments or access removals.

Entitlement Management in Microsoft Entra (formerly Azure AD) allows administrators to automate user access lifecycle processes through access packages. These packages are distributed to internal or external users and define which resources (applications, groups, teams, or SharePoint sites) they can request access to — all under a governance framework.

First create an Azure Automation account

To use a custom extension in a catalog, Microsoft Entra requires an Azure Automation account.

The automation account hosts runbooks (PowerShell scripts or actions) that execute when access package events trigger (e.g., user request approval, role assignment, or removal).

The automation account acts as the backend engine for entitlement management extensions.

Step-by-Step Breakdown: As per Microsoft documentation:

“To add a custom extension to an access package, create an Azure Automation account that contains the runbook to handle the automation triggered by access lifecycle events.”

Distribute Catalog1 by using an access package

Once the catalog (Catalog1) and custom extension are configured, access to the resources in that catalog is granted through access packages.

Each access package defines eligibility, approval workflows, and access duration for users.

Access packages serve as the distribution mechanism of catalogs — users request access through them, and the catalog defines what access is granted.

From Microsoft SC-300 content:

“In Entitlement Management, catalogs define available resources, while access packages define who can request them and under what conditions. Access packages are the method of distributing access in a catalog.”

According to the Microsoft Identity and Access Administrator (SC-300) Exam Study Guide and Microsoft Learn module “Implement and manage hybrid identity with Azure AD Connect” , when a VPN solution authenticates users through an on-premises Active Directory and does not natively support Azure MFA, the correct method is to integrate Azure MFA using the Network Policy Server (NPS) extension for Azure MFA.

The NPS extension acts as an intermediary between the VPN server and Azure AD. The VPN server sends authentication requests to the NPS server. The NPS server validates the credentials against the on-premises Active Directory, and then the NPS extension triggers the Azure MFA challenge for secondary authentication.

Microsoft documentation states:

“To enable Azure Multi-Factor Authentication for on-premises resources such as VPNs, RD Gateway, and other services using RADIUS authentication, you must install the Azure MFA extension for the Network Policy Server (NPS).”

Therefore, the correct recommendation is to deploy and configure NPS on-premises, install the Azure MFA NPS Extension, and configure the VPN server to forward RADIUS requests to NPS.

According to the Microsoft SC-300 Study Guide, Exam Ref SC-300, and Microsoft Entra (Azure AD B2B collaboration) documentation, when a guest is invited to an Azure AD tenant and the setting “Email one-time passcode for guests” is enabled, Azure AD determines the authentication method based on the guest’s account type.

Here’s how the logic applies:

Guest1 (adatum.com – Azure AD account)

Because adatum.com is an Azure AD-managed domain, Guest1 will authenticate using their own organization’s Azure AD credentials.

The guest sign-in will federate to their home tenant, and therefore no one-time passcode (OTP) is sent.

Guest2 (outlook.com – Microsoft account)

A user with an @outlook.com email has a Microsoft account (MSA).

Microsoft accounts can authenticate directly via Microsoft’s identity system.

Hence, no one-time passcode is sent — the user signs in using their Microsoft account credentials.

Guest3 (gmail.com – Personal Google account)

A @gmail.com address is not a Microsoft account and not linked to any Azure AD tenant by default.

In this case, because the tenant’s setting “Email one-time passcode for guests” is enabled, Azure AD automatically sends a one-time passcode (OTP) to the guest’s email address for authentication.

The Microsoft documentation specifies that the OTP is valid for 30 minutes and is single-use. After expiration, a new code is issued upon the next authentication attempt.

This is confirmed in Microsoft’s official Entra ID documentation:

“When the Email one-time passcode for guests setting is enabled, guests who do not have an Azure AD or Microsoft account will authenticate using a one-time passcode that is valid for 30 minutes.”

< ï‚· User1 syncs to the Microsoft Entra tenant: Yes

ï‚· User2 syncs to the Microsoft Entra tenant: No

ï‚· Group2 syncs to the Microsoft Entra tenant: Yes

To detect and get alerts when a user downloads a large number of files in a short period of time (for example, more than 50 files within one minute) in Microsoft SharePoint Online , you must configure an Activity policy in Microsoft Defender for Cloud Apps (MCAS) .

Activity policies monitor specific user actions (upload, download, delete, share, etc.) and can trigger alerts based on thresholds or frequency.

Anomaly detection policies detect behavioral anomalies automatically (not threshold-based).

Session policies apply real-time controls during sessions (e.g., block download).

File policies monitor or classify files at rest.

From Microsoft’s documentation:

“Activity policies let you monitor specific activities in your cloud apps and define actions or alerts when certain criteria are met, such as excessive downloads or mass deletions.”

Thus, for detecting a user who downloads more than 50 files in one minute — an Activity policy is required.

In Azure AD, assigning directory roles to a group requires creating a role-assignable group. The SC-300 study materials and the official exam reference emphasize that the group must be a Security group and created with the isAssignableToRole capability. Microsoft’s guidance states: “Only security groups can be assigned Azure AD roles. Microsoft 365 groups are not supported.” It also clarifies membership constraints: “Dynamic membership is not supported for role-assignable groups.” Because you intend to assign Azure AD roles to Group1 and also add User1 and User2 directly, the acceptable configuration is a Security group with Assigned membership. This allows you to explicitly add the two users and later attach an Azure AD role to the group via PIM or standard role assignment. Options using Microsoft 365 groups (A, E) are invalid for role assignment, and options using Dynamic membership (A, B, C) are not permitted for role-assignable groups. Therefore, the only configuration that satisfies both adding the users and assigning Azure AD roles is Security + Assigned (Option D).