Implement and manage user identities
Drill 20 practice questions focused entirely on Implement and manage user identities for the Microsoft SC-300 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
Contoso has offices in three regions. The IT director wants regional helpdesk staff to reset passwords only for users in their own region, without granting them any control over users in other regions. Each region's users are already members of a dynamic group based on their department attribute. What is the most appropriate way to delegate this permission using the least privilege?
You are an Identity Administrator at Contoso. The HR team gives you a CSV file with 480 new seasonal employees to onboard into Microsoft Entra ID. You use the 'Bulk create' option in the Microsoft Entra admin center and upload the CSV. After the operation completes, the bulk operation results show that 47 users were not created. All 47 failed rows share the same problem: their user principal name values used the domain 'contoso.seasonal', which is not registered in the tenant. What is the most efficient way to successfully create these 47 users while following Entra requirements?
Contoso has acquired two other companies, resulting in three separate on-premises Active Directory forests that have no trust relationships between them. Contoso wants to synchronize users from all three forests to a single Microsoft Entra tenant. The IT team requires a lightweight solution that supports high availability without deploying additional heavyweight servers, and they do not require advanced features such as device synchronization or pass-through authentication with complex filtering. Which hybrid identity solution should you recommend?
Your organization has an existing Microsoft 365 group named 'Sales-Team' that currently has 45 members added manually. Leadership wants membership to be maintained automatically based on the user's department attribute equal to 'Sales'. You need to change the group so its membership is calculated by a rule, while minimizing administrative effort. What should you do?
Contoso and Fabrikam are partner organizations, both using Microsoft Entra ID. Fabrikam users are invited as B2B guests into Contoso's tenant to access a sensitive SharePoint site that requires multifactor authentication (MFA). Fabrikam already enforces MFA and compliant-device requirements on its own users. Contoso wants to avoid forcing Fabrikam guests to re-register and complete MFA a second time in Contoso's tenant, while still requiring MFA. What should the Contoso administrator configure?
Contoso recently acquired Fabrikam, which uses a separate Microsoft Entra tenant. Leadership wants users from the Fabrikam tenant to automatically appear as B2B collaboration guest users in the Contoso tenant, with their profile attributes kept up to date and deprovisioned automatically when they leave Fabrikam. The synchronization must be driven from the Fabrikam side without exporting user data through CSV files. Which solution should you implement?
Your organization wants a small team of identity engineers to manage the membership and settings of a specific set of highly sensitive groups that also carry role assignments. These groups are role-assignable (isAssignableToRole = true). You create a custom role with permissions to update group membership and assign it to the engineers scoped to those groups. However, the engineers report they cannot modify the membership of the role-assignable groups, even though they can manage other groups. What is the reason for this behavior?
Your organization wants a group of application owners to be able to create and manage app registrations, but they must NOT be able to modify any other directory objects. The existing built-in roles grant either too many or too few permissions. You need to grant exactly the required permissions using the principle of least privilege. What should you do?
Your organization wants to delegate the ability to update the reply URLs (redirect URIs) of existing application registrations to a team of developers. The developers must NOT be able to create new app registrations, delete apps, or manage credentials such as client secrets. You need to follow least-privilege principles. What should you do?
Your organization has defined a custom security attribute set named 'ProjectData' in Microsoft Entra ID to tag users with their assigned project codes. The security team owns the attribute definitions and does not want them changed. However, individual project managers must be able to assign existing 'ProjectData' attribute values to their team members' user accounts. You need to grant the project managers only the ability to assign these attribute values, following least privilege. Which role should you assign to the project managers?
Your organization uses custom security attributes in Microsoft Entra ID to tag user accounts with a 'Project' attribute for attribute-based access control. A security analyst who is a member of the Global Reader role reports that they can view most user properties but cannot see the values of the custom security attributes on user profiles. You need to grant the analyst the ability to read custom security attribute values while following least privilege. What should you do?
Contoso wants to automatically group all corporate Windows devices that are managed by Intune into a single security group used for Conditional Access policy targeting. Personal (BYOD) or unmanaged devices must never appear in the group, and no administrator should have to add or remove devices manually. Which approach should you implement?
You are a Microsoft Entra administrator at Contoso. The HR department wants a security group that always contains all users whose department attribute is exactly 'Sales' and whose account is enabled, without any manual maintenance. New Sales hires and departures happen weekly. You must create a group whose membership updates automatically based on user attributes. Which action should you take?
Your organization uses Microsoft Entra Connect Sync with password hash synchronization to keep an on-premises Active Directory forest synchronized with Entra ID. The identity team wants proactive email notifications whenever the synchronization service stops exporting changes or when the sync engine encounters export errors, without deploying any additional third-party monitoring tools. Which solution should you implement to meet this requirement?
Contoso currently uses Microsoft Entra Connect Sync with federation to AD FS for all sign-ins. The security team wants to decommission the AD FS farm to reduce on-premises infrastructure while keeping the same on-premises passwords usable in the cloud and ensuring sign-in continues to work if the on-premises servers or network go offline. Which authentication method should you configure before converting the domains from federated to managed?
Contoso runs a single Entra Connect Sync server (Server A) that has been synchronizing on-premises Active Directory to Microsoft Entra ID for two years. The hardware is being decommissioned, so the identity team builds a new server (Server B) with the latest Entra Connect version. They want to migrate synchronization to Server B with minimal risk and the ability to verify configuration before it becomes authoritative. What should the team do?
Contoso runs Entra Connect Sync with the default configuration synchronizing all users from an on-premises Active Directory forest. The security team requires that user accounts located in an OU named 'ServiceAccounts' must never be synchronized to Microsoft Entra ID, while all other OUs continue to sync unchanged. You must implement this with the least administrative effort and without affecting objects already synced from other OUs. What should you do?
Contoso is deploying Microsoft Entra Connect to synchronize its on-premises Active Directory to a new Entra tenant. The internal AD forest uses the non-routable domain suffix contoso.local, and all user UPNs currently end in @contoso.local. The verified domain in the Entra tenant is contoso.com. Users report they cannot sign in to Microsoft 365 with their on-premises credentials after the initial sync. What should you do to resolve the sign-in problem while ensuring users retain a consistent sign-in name?
Contoso wants to allow only members of the Sales department to invite external guests into the tenant. All other members and existing guests must be prevented from sending invitations. In the Entra admin center, which External collaboration setting configuration meets this requirement with the least administrative effort?
Contoso assigns Microsoft 365 E5 licenses through two dynamic security groups: 'All-Employees' (assigns the full E5 license) and 'Legal-Restricted' (assigns E5 but with the Exchange Online service plan disabled to meet a compliance hold). A legal team member belongs to both groups. Their account currently shows a license assignment error, and Exchange Online is not functioning as expected. Which action correctly resolves the conflict so the user retains a working E5 license while honoring the most restrictive intent?
More SC-300 practice
Keep going with the other Microsoft Identity and Access Administrator domains, or take a full timed mock exam.
← Back to SC-300 overview