Medium SC-300 practice questions
Applied — put a concept to work in a realistic situation. 105 medium questions available — no sign-up, always free.
Your organization uses entitlement management to grant employees access to a set of applications and groups bundled in an access package. The HR team wants all users whose 'department' attribute equals 'Finance' to automatically receive this access package without submitting a request, and to have the access automatically removed if their department changes. You need to configure this with minimal ongoing administrative effort. What should you do?
Your organization has assigned several external consultants (guest accounts) to the Security Reader Entra role. Compliance requires that these privileged role assignments be reviewed monthly, and that any reviewer who does not respond by the deadline results in the guest losing the assignment automatically. You create an access review for the Security Reader role. Which combination of settings meets the requirement with the least ongoing administrative effort?
Your organization runs a quarterly access review on a group that grants access to a sensitive finance application. Requirements: the resource owners should review first, and if a reviewer does not respond within the stage duration, the review should escalate to the group members' managers. Some group members do not have a manager attribute populated in Entra ID. You need to configure the access review so that these users are still reviewed and no access decision is left unmade. What should you configure?
Contoso invites hundreds of external guests each quarter for collaboration projects. Compliance requires that guest access to a set of sensitive Microsoft 365 groups be validated every 90 days, that reviewers see system guidance based on the guest's sign-in activity, and that any access the reviewers do not approve is removed automatically without manual follow-up. Which access review configuration meets all of these requirements?
Contoso has offices in three regions. The IT director wants regional helpdesk staff to reset passwords only for users in their own region, without granting them any control over users in other regions. Each region's users are already members of a dynamic group based on their department attribute. What is the most appropriate way to delegate this permission using the least privilege?
You register a new daemon application in Microsoft Entra ID that runs as a background service with no signed-in user. The application must read all users' profiles from Microsoft Graph by calling the API unattended using its own identity. When you configure Microsoft Graph permissions in the app registration, which permission type must you add and what additional step is required before the app can access the data?
Your company runs a background service that authenticates to Microsoft Graph as a daemon using an app registration with a client secret. The security team requires that credentials be rotated regularly and no longer permit long-lived shared secrets that could be extracted from configuration files. You must reconfigure the app to authenticate in a way that eliminates stored secrets while still supporting the client credentials flow. What should you configure for the app registration?
Your company develops a web API named FinanceAPI that is registered in Microsoft Entra ID. A separate single-page application (SPA), also registered in the same tenant, must call FinanceAPI on behalf of the signed-in user. You need to allow the SPA to request a delegated permission to FinanceAPI so that users are prompted to consent when they sign in. What must you configure first on the FinanceAPI app registration?
Contoso develops a SaaS application registered in their Entra ID tenant. They want customers in other Entra ID organizations to sign in with their own work accounts, but they do NOT want personal Microsoft accounts (such as Outlook.com) to be able to sign in. In the app registration, which supported account type (signInAudience) should you configure?
Your company develops an internal single-page web application registered in Microsoft Entra ID. The development team reports that after a user signs in, the ID token does not contain the user's email address, which the app needs to display in its UI. The users are cloud-only accounts that have the mail attribute populated. You must ensure the email address is included in the token without changing application code that reads the standard 'email' claim. What should you configure on the app registration?
Your company develops a multi-tenant application registered in Entra ID that customers install via user consent. Customers report that the consent prompt shows an 'unverified' warning, and your security team wants the app to display a verified publisher badge to increase trust and comply with a customer's app consent policy that only permits verified publisher apps. What must you do to have the app show as publisher verified?
A developer at Contoso has built a JavaScript single-page application (SPA) that runs entirely in the browser and calls Microsoft Graph on behalf of the signed-in user. You are registering the app in Microsoft Entra ID. When you configure the platform under Authentication, which platform type and token flow should you select to follow Microsoft's current security recommendations?
Your company has a backend daemon service that must call a custom internal API (registered in Entra ID) without any signed-in user. The API defines two app roles: 'Orders.Read' and 'Orders.ReadWrite'. The daemon should only be able to read orders. You have already registered the daemon as its own application with a client secret. Which action grants the daemon exactly the read access it needs?
Your company hosts an internal expense-tracking web application on Windows Server that uses Integrated Windows Authentication (IWA). You have published the app externally through Microsoft Entra application proxy. Remote users successfully reach the application's sign-in prompt through the external URL, but after authenticating to Microsoft Entra ID they are prompted again for their on-premises domain credentials by the backend server. You need to eliminate the second prompt so users get seamless single sign-on to the backend. What should you configure?
Contoso currently allows users to approve sign-ins with Microsoft Authenticator push notifications. Following a wave of MFA fatigue attacks where users blindly approved malicious prompts, the security team wants to reduce accidental approvals without deploying new hardware or moving all users to passwordless immediately. They also want approvers to see which application and location triggered the request. Which configuration should you enable in the Authentication methods policy for Microsoft Authenticator?
Contoso wants employees to use device-bound passkeys stored in the Microsoft Authenticator app on their corporate iOS and Android phones as a phishing-resistant sign-in method. As the Identity Administrator, you open the Authentication methods policy. Which configuration correctly enables this specific capability for a pilot group?
Contoso wants employees to sign in to cloud apps using the Microsoft Authenticator app without entering a password, approving requests with biometric or PIN verification on their phones. You have enabled the Microsoft Authenticator authentication method policy and targeted all users. Several pilot users report that they can only use Authenticator for MFA push notifications and do not see the option to sign in without a password. What must you configure to enable the passwordless experience?
You are an Identity Administrator at Contoso. The HR team gives you a CSV file with 480 new seasonal employees to onboard into Microsoft Entra ID. You use the 'Bulk create' option in the Microsoft Entra admin center and upload the CSV. After the operation completes, the bulk operation results show that 47 users were not created. All 47 failed rows share the same problem: their user principal name values used the domain 'contoso.seasonal', which is not registered in the tenant. What is the most efficient way to successfully create these 47 users while following Entra requirements?
Contoso has acquired two other companies, resulting in three separate on-premises Active Directory forests that have no trust relationships between them. Contoso wants to synchronize users from all three forests to a single Microsoft Entra tenant. The IT team requires a lightweight solution that supports high availability without deploying additional heavyweight servers, and they do not require advanced features such as device synchronization or pass-through authentication with complex filtering. Which hybrid identity solution should you recommend?
Your organization has deployed FIDO2 security keys and Microsoft Authenticator passwordless sign-in to all administrators. Security policy now requires that members of the Global Administrator and Security Administrator roles can only complete sign-in using phishing-resistant methods, while all other users may continue to satisfy MFA with any registered method. You need to enforce this using Conditional Access with the least administrative effort. What should you configure?
Contoso reports repeated password-spray attacks succeeding against Exchange Online mailboxes. Investigation shows the attackers authenticate using IMAP and POP3 clients that do not present multi-factor authentication prompts. You must stop these attacks while allowing modern Outlook and Teams clients to continue working. Which Conditional Access configuration should you deploy?
Contoso wants to ensure that administrators can only perform actions in the Microsoft Entra admin center from corporate-owned devices marked as compliant. Some administrators also carry personal laptops that are Entra registered but not compliant. You must build a single Conditional Access policy that blocks access to admin portals unless the sign-in comes from a compliant device, and this restriction should apply only when users are actively using a privileged directory role. Which combination of policy assignments and conditions should you configure?
Contoso must block all access to Microsoft 365 from any country except the United States and Canada. Users report that some access attempts from within the US are still being blocked because their IP addresses resolve to unexpected countries through corporate VPN providers. You need to implement a Conditional Access policy that determines the user's location based on the actual physical location of the device rather than the IP address, while minimizing false positives. What should you configure?
Contoso wants users to satisfy MFA when signing in to Microsoft 365, but the security team wants to reduce prompts when users are physically working from the corporate headquarters, which uses a fixed public IP range. They also require that any sign-in from outside that range always triggers MFA, and they must be able to prove during audits that the headquarters range is explicitly designated as trusted. What should you configure to meet these requirements with the least administrative effort?
You are preparing to deploy a new Conditional Access policy that requires MFA for all users accessing Microsoft 365 apps. Leadership is concerned that a misconfiguration could lock out users or disrupt business operations. Before enforcing the policy, you need to evaluate its real-world impact on actual sign-ins without affecting users. What should you do?