SC-300 exam domains
The SC-300 exam is weighted across 4 domains. Pick any domain below to drill it — or read the full breakdown in the FAQ.
| Exam domain | Exam weight | Practice |
|---|---|---|
| Implement and manage user identities | 23% | Practice this topic |
| Implement authentication and access management | 28% | Practice this topic |
| Plan and implement workload identities | 24% | Practice this topic |
| Plan and automate identity governance | 25% | Practice this topic |
Sample SC-300 questions
A sample of the SC-300 questions on this hub. Each links through to the full question, the correct answer, and an explanation of why every other option is wrong.
- Your organization uses entitlement management to grant employees access to a set of applications and groups bundled in an access package. The HR team…View question
- Your organization has assigned several external consultants (guest accounts) to the Security Reader Entra role. Compliance requires that these privile…View question
- Your organization runs a quarterly access review on a group that grants access to a sensitive finance application. Requirements: the resource owners s…View question
- Contoso invites hundreds of external guests each quarter for collaboration projects. Compliance requires that guest access to a set of sensitive Micro…View question
- Contoso has offices in three regions. The IT director wants regional helpdesk staff to reset passwords only for users in their own region, without gra…View question
- You register a new daemon application in Microsoft Entra ID that runs as a background service with no signed-in user. The application must read all us…View question
- Your company runs a background service that authenticates to Microsoft Graph as a daemon using an app registration with a client secret. The security…View question
- Your company develops a web API named FinanceAPI that is registered in Microsoft Entra ID. A separate single-page application (SPA), also registered i…View question
- You register a single-page application in Microsoft Entra ID and configure it to receive group membership claims in the ID token. Users who belong to…View question
- Contoso develops a SaaS application registered in their Entra ID tenant. They want customers in other Entra ID organizations to sign in with their own…View question
Key SC-300 terms
Start with these terms, then explore the full glossary. Each links to a plain-English definition written for the SC-300 exam.
SC-300 frequently asked questions
What is the SC-300 certification?+
Microsoft positions SC-300 as validating the skills of an administrator who designs, implements, and operates an organization’s identity and access management with Microsoft Entra — managing identity lifecycles for users, devices, resources, and applications.
It expects familiarity with Azure, Microsoft 365, Active Directory Domain Services, PowerShell, and KQL, and covers user identities, authentication and Conditional Access, workload identities, and identity governance.
What topics are on the SC-300 exam?+
The SC-300 exam is organised into four weighted domains. The percentages below are the midpoints of Microsoft’s published ranges, normalized to total 100. Authentication and access management carries the most weight.
Implement and manage user identities (23%)
Covers configuring and managing a Microsoft Entra tenant (roles, administrative units, settings), creating and managing Entra identities (users, groups, licenses), managing external users and cross-tenant access, and implementing hybrid identity with Entra Connect Sync, Cloud Sync, and password hash synchronization.
Implement authentication and access management (28%)
The heaviest domain. It covers Entra user authentication (methods including passkeys/FIDO2, MFA, SSPR, Windows Hello for Business), Conditional Access (policies, controls, continuous access evaluation), managing risk with Entra ID Protection, and Global Secure Access.
Plan and implement workload identities (24%)
Covers identities for applications and Azure workloads (managed identities, service principals), integrating enterprise applications (SSO, Application Proxy, consent), planning app registrations (authentication, API permissions, app roles), and managing app access with Microsoft Defender for Cloud Apps.
Plan and automate identity governance (25%)
Covers entitlement management (catalogs, access packages, access requests), access reviews, privileged access with Privileged Identity Management (PIM) for roles, resources, and groups, and monitoring identity activity with logs, workbooks, KQL, and Identity Secure Score.
Is the SC-300 hard?+
SC-300 is an associate exam but a focused, deep one: it expects working knowledge of Microsoft Entra configuration — Conditional Access, PIM, governance — not just recognition of features.
The difficulty comes from the breadth of Entra features and from scenario questions that hinge on the exact right policy or governance control. Practising configuration scenarios until they are automatic is the key.
How many questions are on the SC-300 exam and how long is it?+
Microsoft does not fix a single public question count for SC-300; it typically presents roughly 40–60 questions in a mix of formats — multiple choice, multiple response, and case studies — with about 100 minutes of working time.
Our full-length practice mock uses a 60-question, 100-minute session so you can rehearse pacing under realistic time pressure before test day.
What score do you need to pass the SC-300?+
Microsoft scores SC-300 on a scale of 1 to 1,000, and the passing score is 700. That is a scaled score rather than a raw 70%, because Microsoft adjusts for question difficulty, and there is no penalty for wrong answers, so you should never leave a question blank. Our practice mock uses a 70% threshold to give you a comparable target.
How much does the SC-300 exam cost?+
The SC-300 exam fee is set by Microsoft and varies by region — check the Microsoft certification page for current pricing. Microsoft associate certifications are valid for one year and can be renewed for free through an online assessment on Microsoft Learn. Everything on this hub is free.
Who should take the SC-300?+
SC-300 is aimed at identity and access administrators, security administrators, and IT professionals who manage Microsoft Entra identity for their organization.
Microsoft recommends familiarity with Azure, Microsoft 365 workloads, Active Directory Domain Services, PowerShell, and KQL, though there is no formal prerequisite.
What jobs and salaries can the SC-300 lead to?+
SC-300 maps to roles such as identity and access administrator, security administrator, and IAM engineer, where managing Microsoft Entra identity and access is the core of the job. It sits in Microsoft’s security, compliance, and identity pathway.
How much any certification affects pay depends heavily on geography, seniority, and hands-on experience, so treat any single salary figure with caution. SC-300 is best viewed as validation of identity-administration skill rather than a guaranteed raise on its own.
How long does it take to study for the SC-300?+
Candidates with Entra experience often need four to eight weeks; those newer to identity should plan longer. The most efficient path is to study each domain while practising in a Microsoft Entra tenant, then drill scenario questions.
Review every explanation, including for questions you answered correctly, because SC-300 distractors are built from plausible but incorrect Entra configurations. Use the per-domain results here to find and shore up your weakest area, then finish with full-length timed mocks.
How should you prepare for the SC-300?+
Study the four domains above, giving the most time to authentication and access management, then drill scenario questions domain by domain. Every MockAPI question reveals a full explanation and tells you why each wrong answer is wrong — essential for an exam that turns on exact identity configurations.
When you can answer scenarios comfortably, move to full-length timed mocks, ideally alongside hands-on practice with Conditional Access and PIM. Use the glossary to keep the Entra services straight, and aim to score consistently above the pass mark before you book.
Can you take the SC-300 exam online?+
Yes. Microsoft delivers SC-300 through Pearson VUE, so you can test at a physical Pearson VUE centre or online with remote proctoring (OnVUE). The online exam requires a private, quiet room, a clear workspace, a webcam and microphone, a stable connection, and government-issued photo ID, with a proctor monitoring you and a room scan before you start.
If you do not pass, Microsoft requires a 24-hour wait before a second attempt; after that, a 14-day wait applies between further attempts, with a limit of five attempts in a 12-month period, and each attempt needs its own registration.
What certification should you take after the SC-300?+
After SC-300, common next steps include the Cybersecurity Architect Expert (SC-100), the Security Operations Analyst (SC-200), or the Information Security Administrator (SC-401), depending on your focus.
For many, the real next step is owning identity for an organization. Pairing SC-300 with hands-on Microsoft Entra experience is what turns the certificate into a career.