Microsoft Identity and Access Administrator · Domain 2 · 28% of exam

Implement authentication and access management

Drill 20 practice questions focused entirely on Implement authentication and access management for the Microsoft SC-300 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

Contoso currently allows users to approve sign-ins with Microsoft Authenticator push notifications. Following a wave of MFA fatigue attacks where users blindly approved malicious prompts, the security team wants to reduce accidental approvals without deploying new hardware or moving all users to passwordless immediately. They also want approvers to see which application and location triggered the request. Which configuration should you enable in the Authentication methods policy for Microsoft Authenticator?

Reviewed for accuracy · Report an issue
Question 2 of 20

Contoso wants employees to use device-bound passkeys stored in the Microsoft Authenticator app on their corporate iOS and Android phones as a phishing-resistant sign-in method. As the Identity Administrator, you open the Authentication methods policy. Which configuration correctly enables this specific capability for a pilot group?

Reviewed for accuracy · Report an issue
Question 3 of 20

Contoso wants employees to sign in to cloud apps using the Microsoft Authenticator app without entering a password, approving requests with biometric or PIN verification on their phones. You have enabled the Microsoft Authenticator authentication method policy and targeted all users. Several pilot users report that they can only use Authenticator for MFA push notifications and do not see the option to sign in without a password. What must you configure to enable the passwordless experience?

Reviewed for accuracy · Report an issue
Question 4 of 20

Your organization is deploying Entra certificate-based authentication (CBA) for a group of high-privilege administrators who use smart cards. Security requires that these admins satisfy the multifactor authentication requirement using only their certificate, and that the certificate be validated against a specific policy OID. During pilot testing, admins report they can sign in but are still being prompted for a second factor after presenting their certificate. Which configuration change in the Entra admin center resolves this while enforcing the OID requirement?

Reviewed for accuracy · Report an issue
Question 5 of 20

Your organization uses a custom line-of-business SharePoint site that contains highly sensitive financial records. Users can already access other SharePoint content after satisfying a baseline Conditional Access policy requiring MFA. Security requires that when users open the sensitive financial site specifically, they must re-authenticate with a phishing-resistant method (FIDO2), even if they already have an active session. You need to enforce this step-up requirement only for that site without affecting access to the rest of SharePoint. What should you configure?

Reviewed for accuracy · Report an issue
Question 6 of 20

Contoso has a SharePoint Online document library named 'Financials' that contains highly sensitive files. Users may already have an active session to SharePoint after signing in with a password. Security requires that when a user attempts to open a file specifically in the 'Financials' library, they must satisfy multifactor authentication at that moment — even if they authenticated with only a password earlier in the session. Regular access to other SharePoint sites should not be affected. Which combination should you configure to enforce this granular, on-demand step-up?

Reviewed for accuracy · Report an issue
Question 7 of 20

Your organization has deployed FIDO2 security keys and Microsoft Authenticator passwordless sign-in to all administrators. Security policy now requires that members of the Global Administrator and Security Administrator roles can only complete sign-in using phishing-resistant methods, while all other users may continue to satisfy MFA with any registered method. You need to enforce this using Conditional Access with the least administrative effort. What should you configure?

Reviewed for accuracy · Report an issue
Question 8 of 20

Contoso reports repeated password-spray attacks succeeding against Exchange Online mailboxes. Investigation shows the attackers authenticate using IMAP and POP3 clients that do not present multi-factor authentication prompts. You must stop these attacks while allowing modern Outlook and Teams clients to continue working. Which Conditional Access configuration should you deploy?

Reviewed for accuracy · Report an issue
Question 9 of 20

Contoso wants sign-in tokens for Exchange Online and SharePoint Online to be revoked in near real time when a user's IP address moves outside a defined corporate network range during an active session. They have already enabled continuous access evaluation (CAE) and configured named locations for their corporate IP ranges. However, they notice that when a user's IP changes mid-session, access is not being blocked until the token naturally expires. What must they configure to achieve near-real-time enforcement of the location change?

Reviewed for accuracy · Report an issue
Question 10 of 20

Contoso wants to ensure that administrators can only perform actions in the Microsoft Entra admin center from corporate-owned devices marked as compliant. Some administrators also carry personal laptops that are Entra registered but not compliant. You must build a single Conditional Access policy that blocks access to admin portals unless the sign-in comes from a compliant device, and this restriction should apply only when users are actively using a privileged directory role. Which combination of policy assignments and conditions should you configure?

Reviewed for accuracy · Report an issue
Question 11 of 20

Contoso must block all access to Microsoft 365 from any country except the United States and Canada. Users report that some access attempts from within the US are still being blocked because their IP addresses resolve to unexpected countries through corporate VPN providers. You need to implement a Conditional Access policy that determines the user's location based on the actual physical location of the device rather than the IP address, while minimizing false positives. What should you configure?

Reviewed for accuracy · Report an issue
Question 12 of 20

Contoso invites external guests from partner organizations to collaborate in SharePoint and Teams. Security requires that all guests satisfy MFA before accessing any cloud app. You create a Conditional Access policy assigned to 'All guest and external users' that requires multifactor authentication. After deployment, guests who have never signed in report they cannot register an MFA method and are completely blocked at sign-in. Contoso does not use cross-tenant access trust settings for these partners. What should you do so guests can complete MFA registration while still being protected?

Reviewed for accuracy · Report an issue
Question 13 of 20

Contoso wants users to satisfy MFA when signing in to Microsoft 365, but the security team wants to reduce prompts when users are physically working from the corporate headquarters, which uses a fixed public IP range. They also require that any sign-in from outside that range always triggers MFA, and they must be able to prove during audits that the headquarters range is explicitly designated as trusted. What should you configure to meet these requirements with the least administrative effort?

Reviewed for accuracy · Report an issue
Question 14 of 20

Contoso has 4,200 users who were enabled for MFA years ago using legacy per-user MFA (their state is set to 'Enforced' in the MFA service settings). Security wants to modernize to Conditional Access so they can require MFA based on risk and location, and eventually retire per-user MFA. During the transition, an administrator creates a Conditional Access policy requiring MFA for all users. Several users report they are still being prompted to re-register MFA methods and are asked to confirm the app-password legacy behavior. What is the recommended approach to complete the migration cleanly?

Reviewed for accuracy · Report an issue
Question 15 of 20

You are preparing to deploy a new Conditional Access policy that requires MFA for all users accessing Microsoft 365 apps. Leadership is concerned that a misconfiguration could lock out users or disrupt business operations. Before enforcing the policy, you need to evaluate its real-world impact on actual sign-ins without affecting users. What should you do?

Reviewed for accuracy · Report an issue
Question 16 of 20

Contoso allows users to access SharePoint Online and Exchange Online from any device. Security requires that when users sign in from unmanaged (non-compliant, non-Hybrid-joined) devices, they must NOT be able to download, print, or sync files from SharePoint Online, but should still be able to view documents in the browser. On managed devices, full access should remain unrestricted. Which Conditional Access session control should you configure to meet this requirement?

Reviewed for accuracy · Report an issue
Question 17 of 20

Contoso allows users to access Microsoft 365 web apps from personal, unmanaged browsers. Security requires that on these unmanaged devices, users must re-authenticate every 4 hours and that the browser session must NOT stay signed in after the browser window is closed. Which Conditional Access session control configuration meets both requirements?

Reviewed for accuracy · Report an issue
Question 18 of 20

Contoso allows employees to access Microsoft 365 web apps from personal, unmanaged devices. Security requires that on these devices users must re-authenticate every 4 hours and that browser sessions must not persist after the browser is closed. On corporate Entra-joined devices, users should retain a normal persistent session. You need to configure Conditional Access to meet these requirements while affecting only unmanaged devices. What should you configure?

Reviewed for accuracy · Report an issue
Question 19 of 20

Contoso is rolling out passwordless authentication for a new group of frontline workers who have no existing credentials. IT wants each worker to complete a self-service bootstrap on their first day: sign in once with a time-limited passcode issued by the helpdesk, then immediately register a FIDO2 security key. The passcode must be usable only once and expire within 4 hours. Which authentication method should you configure in the Authentication methods policy to enable this onboarding flow?

Reviewed for accuracy · Report an issue
Question 20 of 20

Contoso must ensure that all external guest users accept a legal disclaimer before they can access the company's SharePoint Online and Teams data. The disclaimer document has already been uploaded as a PDF, and legal requires that guests re-accept it every 12 months. The solution must be enforced automatically at sign-in and must be auditable. What should you configure?

Reviewed for accuracy · Report an issue

More SC-300 practice

Keep going with the other Microsoft Identity and Access Administrator domains, or take a full timed mock exam.

← Back to SC-300 overview