Microsoft Identity and Access Administrator · Domain 3 · 24% of exam

Plan and implement workload identities

Drill 20 practice questions focused entirely on Plan and implement workload identities for the Microsoft SC-300 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

You register a new daemon application in Microsoft Entra ID that runs as a background service with no signed-in user. The application must read all users' profiles from Microsoft Graph by calling the API unattended using its own identity. When you configure Microsoft Graph permissions in the app registration, which permission type must you add and what additional step is required before the app can access the data?

Reviewed for accuracy · Report an issue
Question 2 of 20

Your company runs a background service that authenticates to Microsoft Graph as a daemon using an app registration with a client secret. The security team requires that credentials be rotated regularly and no longer permit long-lived shared secrets that could be extracted from configuration files. You must reconfigure the app to authenticate in a way that eliminates stored secrets while still supporting the client credentials flow. What should you configure for the app registration?

Reviewed for accuracy · Report an issue
Question 3 of 20

Your company develops a web API named FinanceAPI that is registered in Microsoft Entra ID. A separate single-page application (SPA), also registered in the same tenant, must call FinanceAPI on behalf of the signed-in user. You need to allow the SPA to request a delegated permission to FinanceAPI so that users are prompted to consent when they sign in. What must you configure first on the FinanceAPI app registration?

Reviewed for accuracy · Report an issue
Question 4 of 20

You register a single-page application in Microsoft Entra ID and configure it to receive group membership claims in the ID token. Users who belong to a large number of groups report that the application fails to load, and you discover that Entra ID is issuing an overage claim instead of the full list of groups because the token exceeds the size limit. The application needs to make authorization decisions based only on the specific application roles you have defined, not on all of the user's security groups. What should you do to resolve this reliably for all users?

Reviewed for accuracy · Report an issue
Question 5 of 20

Contoso develops a SaaS application registered in their Entra ID tenant. They want customers in other Entra ID organizations to sign in with their own work accounts, but they do NOT want personal Microsoft accounts (such as Outlook.com) to be able to sign in. In the app registration, which supported account type (signInAudience) should you configure?

Reviewed for accuracy · Report an issue
Question 6 of 20

Your company develops an internal single-page web application registered in Microsoft Entra ID. The development team reports that after a user signs in, the ID token does not contain the user's email address, which the app needs to display in its UI. The users are cloud-only accounts that have the mail attribute populated. You must ensure the email address is included in the token without changing application code that reads the standard 'email' claim. What should you configure on the app registration?

Reviewed for accuracy · Report an issue
Question 7 of 20

Your company develops a multi-tenant application registered in Entra ID that customers install via user consent. Customers report that the consent prompt shows an 'unverified' warning, and your security team wants the app to display a verified publisher badge to increase trust and comply with a customer's app consent policy that only permits verified publisher apps. What must you do to have the app show as publisher verified?

Reviewed for accuracy · Report an issue
Question 8 of 20

A developer at Contoso has built a JavaScript single-page application (SPA) that runs entirely in the browser and calls Microsoft Graph on behalf of the signed-in user. You are registering the app in Microsoft Entra ID. When you configure the platform under Authentication, which platform type and token flow should you select to follow Microsoft's current security recommendations?

Reviewed for accuracy · Report an issue
Question 9 of 20

Your company has a backend daemon service that must call a custom internal API (registered in Entra ID) without any signed-in user. The API defines two app roles: 'Orders.Read' and 'Orders.ReadWrite'. The daemon should only be able to read orders. You have already registered the daemon as its own application with a client secret. Which action grants the daemon exactly the read access it needs?

Reviewed for accuracy · Report an issue
Question 10 of 20

Your company hosts an internal expense-tracking web application on Windows Server that uses Integrated Windows Authentication (IWA). You have published the app externally through Microsoft Entra application proxy. Remote users successfully reach the application's sign-in prompt through the external URL, but after authenticating to Microsoft Entra ID they are prompted again for their on-premises domain credentials by the backend server. You need to eliminate the second prompt so users get seamless single sign-on to the backend. What should you configure?

Reviewed for accuracy · Report an issue
Question 11 of 20

Your organization uses Microsoft Defender for Cloud Apps. The security team wants to identify which unsanctioned cloud applications employees are using across the corporate network, based on traffic logs collected from your on-premises Palo Alto firewalls. They want a repeatable, automated process that keeps the discovery data continuously up to date rather than a one-time snapshot. What should you configure?

Reviewed for accuracy · Report an issue
Question 12 of 20

Your organization uses Microsoft Defender for Cloud Apps. Users have been consenting to third-party OAuth applications that request broad Microsoft 365 permissions such as full mailbox access and file read/write. Security wants an automated way to detect and immediately revoke consent for OAuth apps that were granted high-privilege permissions by a small number of users or that match risky patterns, without manually reviewing each app. What should you implement?

Reviewed for accuracy · Report an issue
Question 13 of 20

Your organization uses Microsoft Defender for Cloud Apps. Users access a SaaS application (Salesforce) that is integrated with Microsoft Entra ID for single sign-on. Security requires that when users sign in from unmanaged devices, they can view data in the app but must be prevented from downloading any files in real time. You must implement this control with the least administrative effort. What should you configure?

Reviewed for accuracy · Report an issue
Question 14 of 20

Your company publishes an on-premises legacy web application through Microsoft Entra Application Proxy. The application does not support SAML, OpenID Connect, or Integrated Windows Authentication. Instead, it authenticates users by reading HTTP request headers that contain the user's identity and attributes. You must configure single sign-on so that authenticated Entra users are seamlessly signed in to this application. Which single sign-on method should you configure on the enterprise application?

Reviewed for accuracy · Report an issue
Question 15 of 20

Your organization already publishes an internal HR portal that has its own working authentication built on a legacy on-premises SSO product. Users navigate to this portal from the My Apps portal today only by typing the URL. Management wants the HR portal to appear as a tile in the Microsoft My Apps portal and Microsoft 365 app launcher, but they explicitly do not want Microsoft Entra ID to perform any authentication, issue any tokens, or replace the existing sign-in flow. What single sign-on mode should you configure on the enterprise application?

Reviewed for accuracy · Report an issue
Question 16 of 20

Your company subscribes to a legacy SaaS web application that only supports authentication via its own username and password form. It does not support SAML, OIDC, or SCIM. The finance team of 12 users currently shares one set of credentials that they type manually, and management wants to stop distributing the password to users while still allowing single sign-on from the My Apps portal. Which enterprise application single sign-on option should you configure in Microsoft Entra ID?

Reviewed for accuracy · Report an issue
Question 17 of 20

Your organization uses automatic user provisioning from Microsoft Entra ID to a third-party SaaS application via SCIM. A new employee, Aisha, was created in Entra ID and assigned to the enterprise application 25 minutes ago, but she still cannot log in to the SaaS app because her account has not been created there. The provisioning status shows 'Enabled' and the last cycle completed successfully. You need to create Aisha's account in the SaaS app immediately without waiting for the next scheduled cycle, and confirm any attribute mapping issues for her specific record. What should you do?

Reviewed for accuracy · Report an issue
Question 18 of 20

Your company uses a SaaS HR application that supports SCIM 2.0. You configure automatic user provisioning from Microsoft Entra ID to the application using an enterprise application. The security team requires that only members of the 'Sales-Team' group are provisioned to the SaaS app, and that provisioning must occur automatically going forward. Users outside this group must never be created in the target application. What should you configure to meet the requirement with the least administrative effort?

Reviewed for accuracy · Report an issue
Question 19 of 20

Your company uses a SaaS HR application that supports SAML 2.0 single sign-on. You add the application from the Microsoft Entra gallery and configure SAML-based SSO. The vendor requires that the user's employee ID (stored in the Entra ID extension attribute) be sent as the NameID in the SAML assertion instead of the default user principal name. Users can authenticate but the HR app rejects the sign-in because the NameID value does not match its expected identifier format. What should you do to resolve the issue?

Reviewed for accuracy · Report an issue
Question 20 of 20

Your organization has disabled user consent for applications so that users can no longer grant permissions to third-party apps on their own. Developers report that legitimate low-risk SaaS apps are now blocked, and the IT security team is overwhelmed reviewing every request manually. You need to allow users to request access to apps while ensuring an administrator approves each request before consent is granted, with minimal ongoing administrative effort. What should you configure in Microsoft Entra ID?

Reviewed for accuracy · Report an issue

More SC-300 practice

Keep going with the other Microsoft Identity and Access Administrator domains, or take a full timed mock exam.

← Back to SC-300 overview