Microsoft Identity and Access Administrator · Domain 4 · 25% of exam

Plan and automate identity governance

Drill 20 practice questions focused entirely on Plan and automate identity governance for the Microsoft SC-300 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

Your organization uses entitlement management to grant employees access to a set of applications and groups bundled in an access package. The HR team wants all users whose 'department' attribute equals 'Finance' to automatically receive this access package without submitting a request, and to have the access automatically removed if their department changes. You need to configure this with minimal ongoing administrative effort. What should you do?

Reviewed for accuracy · Report an issue
Question 2 of 20

Your organization has assigned several external consultants (guest accounts) to the Security Reader Entra role. Compliance requires that these privileged role assignments be reviewed monthly, and that any reviewer who does not respond by the deadline results in the guest losing the assignment automatically. You create an access review for the Security Reader role. Which combination of settings meets the requirement with the least ongoing administrative effort?

Reviewed for accuracy · Report an issue
Question 3 of 20

Your organization runs a quarterly access review on a group that grants access to a sensitive finance application. Requirements: the resource owners should review first, and if a reviewer does not respond within the stage duration, the review should escalate to the group members' managers. Some group members do not have a manager attribute populated in Entra ID. You need to configure the access review so that these users are still reviewed and no access decision is left unmade. What should you configure?

Reviewed for accuracy · Report an issue
Question 4 of 20

Contoso invites hundreds of external guests each quarter for collaboration projects. Compliance requires that guest access to a set of sensitive Microsoft 365 groups be validated every 90 days, that reviewers see system guidance based on the guest's sign-in activity, and that any access the reviewers do not approve is removed automatically without manual follow-up. Which access review configuration meets all of these requirements?

Reviewed for accuracy · Report an issue
Question 5 of 20

Contoso uses entitlement management to grant contractors access to project resources through an access package. The compliance team requires that whenever a contractor's access request is approved, a record must be created in an external ticketing system by calling a REST API, and the access grant must not complete until the API confirms the ticket was created. You need to configure this in the access package. What should you do?

Reviewed for accuracy · Report an issue
Question 6 of 20

Contoso uses entitlement management to grant contractors access to a project SharePoint site through an access package. The security team requires that contractor access automatically ends after 90 days unless the contractor's manager approves an extension, and that the manager must reconfirm justification at the time of any extension. Which access package policy configuration meets these requirements with the least administrative effort?

Reviewed for accuracy · Report an issue
Question 7 of 20

Contoso uses Entra ID entitlement management to grant access to a collection of resources through a single access package named 'Project Falcon Resources'. The security team requires that internal employees can self-request access with no approval and a 90-day review, while external users from partner organizations must be sponsored, require two-stage approval, and expire after 30 days. Both groups must use the same underlying resources in the access package. What is the correct way to configure this?

Reviewed for accuracy · Report an issue
Question 8 of 20

Your company uses Microsoft Entra entitlement management to grant access to a sensitive finance application through an access package. Compliance requires that when an employee requests the package, the request must first be approved by the requestor's manager and then, only after the manager approves, by a designated finance governance team member. If either approver takes no action, the request must be automatically denied after 7 days. Which access package policy configuration meets these requirements?

Reviewed for accuracy · Report an issue
Question 9 of 20

Contoso uses Entra ID entitlement management. Users who already have the 'Finance-Payroll' access package assigned must never be allowed to request the new 'Finance-Audit' access package, because holding both violates a segregation-of-duties control. You want to enforce this automatically at request time without relying on manual approver review. What should you configure on the 'Finance-Audit' access package?

Reviewed for accuracy · Report an issue
Question 10 of 20

Contoso uses entitlement management to grant contractors access to a project SharePoint site and a security group through a single access package. Compliance requires that every 90 days, the resource owners re-confirm that each contractor still needs the access, and any access not confirmed within 14 days must be automatically removed. You want to configure this with the least administrative effort. What should you do?

Reviewed for accuracy · Report an issue
Question 11 of 20

Contoso uses entitlement management access packages to grant partner users access to a project SharePoint site. Compliance requires a quarterly access review on the access package assignments. During testing, the governance team notices that some reviewers do not complete their reviews before the review period ends. The team wants to ensure that assignments belonging to users whose reviewers never responded are automatically removed when the review closes, while still applying the reviewers' explicit decisions where they were made. Which access review setting configuration meets this requirement?

Reviewed for accuracy · Report an issue
Question 12 of 20

Your organization uses Entra ID entitlement management. The central identity team owns the top-level configuration, but a project lead named Dana in the Marketing department needs to create and manage access packages that grant access only to a specific set of Marketing SharePoint sites and groups. Dana must NOT be able to add resources from outside Marketing, and she must not be granted any tenant-wide administrative role. What should you do to enable this with least privilege?

Reviewed for accuracy · Report an issue
Question 13 of 20

Contoso uses entitlement management to give external partners access to a SharePoint site through an access package. Security requires that when an external user's last access package assignment expires and they have no other assignments, their guest account is automatically blocked and eventually removed from the directory. You need to configure this behavior with the least administrative effort. What should you configure?

Reviewed for accuracy · Report an issue
Question 14 of 20

Contoso uses Entra ID entitlement management. The security team requires that a specific access package intended for external partners can only grant access to two SharePoint Online sites and one enterprise application—no other tenant resources should ever be selectable when building this package. Additionally, the package must be manageable by a partner-relations manager who is NOT a Global Administrator. What must you configure to meet BOTH requirements with the least privilege?

Reviewed for accuracy · Report an issue
Question 15 of 20

Contoso wants a business unit lead named Priya to be able to create and manage access packages for her department, including adding her own team's groups and SharePoint sites as resources. She should NOT be able to create new catalogs or manage resources in other departments' catalogs. Following least privilege, how should you configure this in entitlement management?

Reviewed for accuracy · Report an issue
Question 16 of 20

Contoso uses Entra entitlement management to grant external partners access to a set of resources through an access package. The access package policy is configured to allow users from connected organizations to request access. A new partner, Fabrikam, uses a Microsoft Entra tenant that Contoso has NOT yet added as a connected organization. A Fabrikam user attempts to request the access package using their work account. Assuming the policy allows requests from 'All configured connected organizations,' what happens when the Fabrikam user submits the request?

Reviewed for accuracy · Report an issue
Question 17 of 20

Contoso uses Entra ID entitlement management to grant partner employees access to a collaboration catalog. A new partner, Fabrikam, uses its own Entra tenant. You must configure an access package so that only users from Fabrikam's verified domain can request access, and their accounts should be automatically created as B2B guests upon approval. You have already created the access package and its resources. What must you configure so that Fabrikam users are recognized as an approved external source and can submit requests?

Reviewed for accuracy · Report an issue
Question 18 of 20

Contoso uses Microsoft Entra entitlement management to grant partner users from a connected organization access to a SharePoint site through an access package. Legal requires that every external user must accept a legally binding agreement before they receive access, and the acceptance must be recorded and re-triggered annually. You must configure this with the least administrative effort. What should you do?

Reviewed for accuracy · Report an issue
Question 19 of 20

Your security team wants to demonstrate to leadership how the organization's identity posture has changed over the past three months, including whether recent Conditional Access rollouts moved the needle. They ask you where in the Microsoft Entra admin center they can view a trend of the Identity Secure Score over time and compare it against similar organizations. What should you direct them to?

Reviewed for accuracy · Report an issue
Question 20 of 20

Contoso's security team wants a quantitative way to measure the tenant's identity security posture over time and receive prioritized recommendations for improvement. Leadership requires evidence that changes made to Conditional Access and MFA policies have actually raised the tenant's posture. Which Microsoft Entra feature should you use to obtain a numeric score, prioritized improvement actions, and historical trend comparison against similar organizations?

Reviewed for accuracy · Report an issue

More SC-300 practice

Keep going with the other Microsoft Identity and Access Administrator domains, or take a full timed mock exam.

← Back to SC-300 overview