Microsoft Identity and Access Administrator · Difficulty

Hard SC-300 practice questions

Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 21 hard questions available — no sign-up, always free.

Question 1 of 21

You register a single-page application in Microsoft Entra ID and configure it to receive group membership claims in the ID token. Users who belong to a large number of groups report that the application fails to load, and you discover that Entra ID is issuing an overage claim instead of the full list of groups because the token exceeds the size limit. The application needs to make authorization decisions based only on the specific application roles you have defined, not on all of the user's security groups. What should you do to resolve this reliably for all users?

Reviewed for accuracy · Report an issue
Question 2 of 21

Your organization is deploying Entra certificate-based authentication (CBA) for a group of high-privilege administrators who use smart cards. Security requires that these admins satisfy the multifactor authentication requirement using only their certificate, and that the certificate be validated against a specific policy OID. During pilot testing, admins report they can sign in but are still being prompted for a second factor after presenting their certificate. Which configuration change in the Entra admin center resolves this while enforcing the OID requirement?

Reviewed for accuracy · Report an issue
Question 3 of 21

Your organization uses a custom line-of-business SharePoint site that contains highly sensitive financial records. Users can already access other SharePoint content after satisfying a baseline Conditional Access policy requiring MFA. Security requires that when users open the sensitive financial site specifically, they must re-authenticate with a phishing-resistant method (FIDO2), even if they already have an active session. You need to enforce this step-up requirement only for that site without affecting access to the rest of SharePoint. What should you configure?

Reviewed for accuracy · Report an issue
Question 4 of 21

Contoso has a SharePoint Online document library named 'Financials' that contains highly sensitive files. Users may already have an active session to SharePoint after signing in with a password. Security requires that when a user attempts to open a file specifically in the 'Financials' library, they must satisfy multifactor authentication at that moment — even if they authenticated with only a password earlier in the session. Regular access to other SharePoint sites should not be affected. Which combination should you configure to enforce this granular, on-demand step-up?

Reviewed for accuracy · Report an issue
Question 5 of 21

Contoso wants sign-in tokens for Exchange Online and SharePoint Online to be revoked in near real time when a user's IP address moves outside a defined corporate network range during an active session. They have already enabled continuous access evaluation (CAE) and configured named locations for their corporate IP ranges. However, they notice that when a user's IP changes mid-session, access is not being blocked until the token naturally expires. What must they configure to achieve near-real-time enforcement of the location change?

Reviewed for accuracy · Report an issue
Question 6 of 21

Contoso invites external guests from partner organizations to collaborate in SharePoint and Teams. Security requires that all guests satisfy MFA before accessing any cloud app. You create a Conditional Access policy assigned to 'All guest and external users' that requires multifactor authentication. After deployment, guests who have never signed in report they cannot register an MFA method and are completely blocked at sign-in. Contoso does not use cross-tenant access trust settings for these partners. What should you do so guests can complete MFA registration while still being protected?

Reviewed for accuracy · Report an issue
Question 7 of 21

Contoso has 4,200 users who were enabled for MFA years ago using legacy per-user MFA (their state is set to 'Enforced' in the MFA service settings). Security wants to modernize to Conditional Access so they can require MFA based on risk and location, and eventually retire per-user MFA. During the transition, an administrator creates a Conditional Access policy requiring MFA for all users. Several users report they are still being prompted to re-register MFA methods and are asked to confirm the app-password legacy behavior. What is the recommended approach to complete the migration cleanly?

Reviewed for accuracy · Report an issue
Question 8 of 21

Contoso allows employees to access Microsoft 365 web apps from personal, unmanaged devices. Security requires that on these devices users must re-authenticate every 4 hours and that browser sessions must not persist after the browser is closed. On corporate Entra-joined devices, users should retain a normal persistent session. You need to configure Conditional Access to meet these requirements while affecting only unmanaged devices. What should you configure?

Reviewed for accuracy · Report an issue
Question 9 of 21

Contoso wants to prevent token replay attacks where refresh and access tokens are exported from a compromised device and used elsewhere. Security requires that tokens issued to a user's device are cryptographically bound to that device, so a stolen token cannot be used on a different machine. Which Conditional Access session control should you configure to meet this requirement?

Reviewed for accuracy · Report an issue
Question 10 of 21

Your organization runs a critical daemon application registered as a service principal in Microsoft Entra ID. Security requires that this service principal only be permitted to obtain tokens when the request originates from your on-premises datacenter's public IP range. Recently, credentials for a similar app were leaked and abused from a foreign IP. You need to enforce a location restriction specifically on the service principal's sign-ins. Which solution should you implement?

Reviewed for accuracy · Report an issue
Question 11 of 21

Your organization wants a small team of identity engineers to manage the membership and settings of a specific set of highly sensitive groups that also carry role assignments. These groups are role-assignable (isAssignableToRole = true). You create a custom role with permissions to update group membership and assign it to the engineers scoped to those groups. However, the engineers report they cannot modify the membership of the role-assignable groups, even though they can manage other groups. What is the reason for this behavior?

Reviewed for accuracy · Report an issue
Question 12 of 21

Your organization wants to delegate the ability to update the reply URLs (redirect URIs) of existing application registrations to a team of developers. The developers must NOT be able to create new app registrations, delete apps, or manage credentials such as client secrets. You need to follow least-privilege principles. What should you do?

Reviewed for accuracy · Report an issue
Question 13 of 21

Contoso uses entitlement management to grant contractors access to project resources through an access package. The compliance team requires that whenever a contractor's access request is approved, a record must be created in an external ticketing system by calling a REST API, and the access grant must not complete until the API confirms the ticket was created. You need to configure this in the access package. What should you do?

Reviewed for accuracy · Report an issue
Question 14 of 21

Your organization uses Microsoft Entra ID Protection. Security operations reports that legacy authentication protocols are generating a high volume of sign-in risk detections that cannot be challenged with MFA. Leadership wants automated protection that blocks the riskiest sign-ins in real time while allowing medium-risk users to self-remediate, and they want to avoid excessive help desk tickets from false positives at low risk. Which configuration best meets these requirements?

Reviewed for accuracy · Report an issue
Question 15 of 21

Your organization has deployed Global Secure Access and enrolled all corporate Windows devices with the Global Secure Access client configured to route Microsoft 365 traffic. The security team wants to ensure that users can only access Exchange Online and SharePoint Online when their traffic is verifiably passing through the Global Secure Access service, without depending on IP address ranges that change frequently or can be spoofed by VPNs. What should you configure to enforce this requirement?

Reviewed for accuracy · Report an issue
Question 16 of 21

Contoso has deployed Global Secure Access with the Microsoft 365 traffic forwarding profile and the Internet Access profile enabled on all corporate Windows devices. The security team wants to ensure that employees can only sign in to Contoso's own Microsoft 365 tenant from these managed devices and cannot authenticate to any external or personal Microsoft 365 tenants, even when using web browsers. The solution must apply automatically based on the device's Global Secure Access connectivity and must not require configuring proxy headers on each device manually. What should you configure?

Reviewed for accuracy · Report an issue
Question 17 of 21

Contoso assigns Microsoft 365 E5 licenses through two dynamic security groups: 'All-Employees' (assigns the full E5 license) and 'Legal-Restricted' (assigns E5 but with the Exchange Online service plan disabled to meet a compliance hold). A legal team member belongs to both groups. Their account currently shows a license assignment error, and Exchange Online is not functioning as expected. Which action correctly resolves the conflict so the user retains a working E5 license while honoring the most restrictive intent?

Reviewed for accuracy · Report an issue
Question 18 of 21

Contoso runs an Azure Function App in Tenant A that must read secrets from an Azure Key Vault located in a subscription owned by Tenant B (a recently acquired subsidiary). You want the Function App to authenticate to Key Vault without storing any credentials. You enable a system-assigned managed identity on the Function App and attempt to grant it access to the Key Vault in Tenant B. The access assignment fails. What is the correct explanation and recommended approach?

Reviewed for accuracy · Report an issue
Question 19 of 21

Your organization uses Privileged Identity Management (PIM) for Entra ID roles. The security team wants to receive an automated alert whenever the Global Administrator role is activated outside normal business hours. You have already configured diagnostic settings to send Entra ID audit logs to a Log Analytics workspace. You need to build a query that detects these activation events so it can be used in an Azure Monitor alert rule. Which log table and operation should your KQL query target?

Reviewed for accuracy · Report an issue
Question 20 of 21

Your organization is deploying Privileged Identity Management (PIM) for the Global Administrator role and enforcing a Conditional Access policy that requires phishing-resistant MFA for all administrators. Security policy also requires two break-glass (emergency access) accounts that must remain usable if PIM, MFA infrastructure, or federation fails. You must configure the break-glass accounts to comply with Microsoft's recommended practices while still maintaining oversight. Which configuration should you implement?

Reviewed for accuracy · Report an issue
Question 21 of 21

Your organization uses Microsoft Entra Connect with password hash synchronization and has enabled Seamless Single Sign-On (Seamless SSO). Security policy requires that the Kerberos decryption key used by the AZUREADSSOACC computer account be rolled over every 30 days. You need to perform this rollover while minimizing the risk of sign-in disruption for users. What should you do?

Reviewed for accuracy · Report an issue