SC-300 Exam Dumps - Microsoft Identity and Access Administrator

SC-300 emphasizes using Conditional Access with named locations to scope MFA—especially to exclude trusted corporate egress IPs . The materials state that administrators can define named locations by public IP ranges and “mark them as trusted” for policy exceptions. This aligns with the requirement: enforce MFA for all users, but exempt users authenticating from the Boston office. Because Azure AD evaluates the client’s public egress address, private RFC1918 ranges are never seen by Azure AD on the internet, so defining private IP ranges would not work. Likewise, the legacy “Trusted IPs” setting belongs to the old per-user MFA service settings; SC-300 guidance prefers Conditional Access named locations for modern MFA deployments and for combining with other conditions (apps, platforms, user risk, locations). Implementing the Boston office as a named location using its public egress IP range(s), and marking it trusted, lets you exclude that location from the tenant-wide MFA policy while still meeting the broader requirement to enforce MFA for everyone else and for on-prem apps published via Azure AD Application Proxy. In short: define Boston’s public IP as a named location and use it in your Conditional Access policy exclusion to satisfy the exemption precisely and securely.

In Microsoft Entra (Azure AD) app registrations, permissions are categorized as either delegated or application.

Delegated permissions are used when an app acts on behalf of a user who is signed in.

Application permissions are used when an app acts as itself, without user interaction — typically for background services, daemons, or APIs.

Because App1 is a service application that will:

Run without user interaction,

Access the Microsoft Graph API, and

Collect audit logs (sign-in logs) —

It requires application permissions such as AuditLog.Read.All or Directory.Read.All granted to the app identity itself.

Microsoft documentation states:

“Applications that run as background services or daemons use application permissions when calling Microsoft Graph APIs that access organization data without a signed-in user.”

The Microsoft Entra Terms of Use (ToU) documentation included in the SC-300 curriculum specifies that only PDF files are supported when uploading terms of use documents.

Microsoft Entra ID Premium licenses are required to configure Terms of Use, and when administrators create a new ToU, the upload field explicitly accepts a PDF document format. The PDF ensures consistent formatting across devices and preserves the legal structure of compliance statements.

The guide states:

“The terms of use document must be a PDF file. This ensures consistency in presentation and prevents tampering.”

Therefore, acceptable format: PDF only — formats such as HTML, DOCX, or RTF are not supported.

In Azure AD, user consent and admin consent workflows control which users or administrators can approve access to organizational data requested by applications.

The question states:

“Users can request admin consent to apps they are unable to consent to: Yes”

“Who can review admin consent requests: Admin2, User2”

When User1 attempts to add an app that requires consent to access company data, and if that app requires admin consent, the request is routed to those designated as admin consent reviewers. In this case, Admin2 and User2 are listed, but only one has the administrative capability to approve the request.

Based on Microsoft documentation:

“Only users who hold an administrative role such as Global Administrator, Cloud Application Administrator, or Authentication Administrator and are designated as reviewers can grant consent on behalf of the organization.”

Here, Admin2 holds the Authentication Administrator role — an Azure AD admin-level role — while User2 has no administrative privileges. Thus, Admin2 is the only eligible user to approve the admin consent request.