Nail the SC-300 Microsoft Identity Exam with Real-World Logic

To ensure that users in the Sg-Operations group see a tab named “Operations” containing only LinkedIn and Box applications in the My Apps portal, you can create a collection with these specific applications. Here’s how to do it:

Sign in to the Microsoft Entra admin center:

Make sure you have one of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

Navigate to App launchers:

Go to Identity > Applications > Enterprise applications.

Under Manage, select App launchers.

Create a new collection:

Click on New collection.

Enter “Operations” as the Name for the collection.

Provide a Description if necessary.

Add applications to the collection:

Select the Applications tab within the new collection.

Click on + Add application.

Search for and select LinkedIn and Box applications.

Click Add to include them in the collection.

Assign the collection to the Sg-Operations group:

Select the Users and groups tab.

Click on + Add users and groups.

Search for and select the Sg-Operations group.

Click Select to assign the collection to the group.

Review and create the collection:

Select Review + Create to check the configuration.

If everything is correct, click Create to finalize the collection.

By following these steps, when users in the Sg-Operations group visit the My Apps portal, they will see a new tab named “Operations” that contains only the LinkedIn and Box applications1.

Please note that to create collections on the My Apps portal, you need a Microsoft Entra ID P1 or P2 license1.

To configure the account lockout settings so that accounts are locked out for five minutes after 10 failed sign-in attempts, you can follow these steps:

Open the Microsoft Entra admin center:

Sign in with an account that has the Security Administrator or Global Administrator role.

Navigate to the lockout settings:

Go to Security > Authentication methods > Password protection.

Adjust the Smart Lockout settings:

Set the Lockout threshold to 10 failed sign-in attempts.

Set the Lockout duration (in minutes) to 5.

Please note that by default, smart lockout locks an account from sign-in after 10 failed attempts in Azure Public and Microsoft Azure operated by 21Vianet tenants1. The lockout period is one minute at first, and longer in subsequent attempts.However, you can customize these settings tomeet your organization’s requirements if you have Microsoft Entra ID P1 or higher licenses for your users1.

To implement additional security checks for the Sg-Executive group members before they canaccess any company apps, you can use Conditional Access policies in Microsoft Entra. Here’s a step-by-step guide:

Sign in to the Microsoft Entra admin center:

Ensure you have the role of Global Administrator or Security Administrator.

Navigate to Conditional Access:

Go to Security > Conditional Access.

Create a new policy:

Select + New policy.

Name the policy appropriately, such as “Sg-Executive Security Checks”.

Assign the policy to the Sg-Executive group:

Under Assignments, select Users and groups.

Choose Select users and groups and then Groups.

Search for and select the Sg-Executive group.

Define the application control conditions:

Under Cloud apps or actions, select All cloud apps to apply the policy to any company app.

Set the device compliance requirement:

Under Conditions > Device state, configure the policy to include devices marked as compliant by Microsoft Intune.

Set the app protection policy requirement:

Under Conditions > Client apps, configure the policy to include client apps that are protected by app protection policies.

Configure the access controls:

Under Access controls > Grant, select Grant access.

Choose Require device to be marked as compliant and Require approved client app.

Ensure that the option Require one of the selected controls is enabled.

Enable the policy:

Set Enable policy to On.

Review and save the policy:

Review all settings to ensure they meet the requirements.

Click Create to save and implement the policy.

By following these steps, you will ensure that the Sg-Executive group members can only access company apps if they meet one of the specified conditions, either by using a compliant device or a protected client app. This enhances the security posture of your organization by enforcing stricter access controls for executive-level users.

According to the Microsoft SC-300 official study guide and Microsoft documentation on Azure AD Privileged Identity Management (PIM), PIM is used to manage, control, and monitor access within Azure Active Directory (Azure AD), Azure resources, and Microsoft 365. However, not every administrative role within Azure or Microsoft 365 can be managed or activated through PIM.

To understand which administrators can use PIM, we need to review how Azure roles are structured:

Account Administrator — This role is a classic subscription administrator role, not part of Azure AD role-based access control (RBAC). Therefore, it is not managed or activated through PIM.

Service Administrator — Also a classic Azure subscription role, but it maps to the Owner role in Azure RBAC. PIM can manage and activate this role because it exists within the RBAC model, which PIM supports.

SharePoint Administrator — This is an Azure AD directory role, not a classic subscription role, and is supported in Azure AD PIM. Azure AD PIM supports activation for directory roles such as Global Administrator, SharePoint Administrator, Exchange Administrator, etc.

From Microsoft’s official documentation:

“Azure AD Privileged Identity Management can manage role assignments for both Azure AD directory roles and Azure resource roles (via Azure RBAC). Classic subscription administrator roles such as Account Administrator are not supported.”

Therefore, Admin1 (Account Administrator) cannot use PIM because their role is outside the scope of PIM. Admin2 (Service Administrator) and Admin3 (SharePoint Administrator) can both use PIM since their roles are recognized by PIM as eligible for activation.

According to the Microsoft SC-300: Microsoft Identity and Access Administrator Study Guide and Microsoft Learn module “Plan and implement Conditional Access policies” , enabling or customizing Conditional Access policies requires that Security Defaults in Azure AD be disabled .

Security defaults provide a basic level of protection, such as enforcing MFA for all users and blocking legacy authentication. However, when Security Defaults are enabled, custom Conditional Access policies cannot be created because both features manage sign-in risk and access control.

From the Microsoft documentation:

“To use Conditional Access policies, you must disable security defaults. Conditional Access policies provide more granularity and flexibility than security defaults.”

Therefore, before you can control access to Microsoft 365 resources through Conditional Access, the first step is to disable Security Defaults in the Azure AD tenant.

According to the Microsoft Identity and Access Administrator (SC-300) Official Study Guide and the Microsoft Learn module “Manage Enterprise Applications in Azure AD” , when an organization requires that users request access before being allowed to use a corporate application, the correct configuration is to enable Self-service application access.

In Azure AD, the Self-service settings under an enterprise application allow administrators to specify whether users can request access to the app, who can approve those requests, and whether approvals are automatic or manual. This feature integrates directly with Azure AD Entitlement Management, enabling governance controls around who can request and access applications.

The documentation states:

“To allow users to request access to an enterprise application, you must enable self-service application access and configure the request and approval workflow.”

By contrast:

Provisioning (Option B) is used for automatic account lifecycle management within the app, not for user access requests.

Roles and administrators (Option C) deals with administrative delegation, not access requests.

Application Proxy (Option D) is for enabling secure remote access to on-premises apps, not access workflows.

Therefore, enabling and configuring the Self-service settings is the required step to meet the requirement that users must request access before using MyApp1 .

In Microsoft Defender for Cloud Apps, OAuth app policies monitor and control third-party applications that have OAuth permissions to your Microsoft 365 environment. They allow administrators to review app permissions, detect over-privileged apps, and revoke access where needed.

This aligns with the SC-300 topic “Monitor and manage app permissions in Defender for Cloud Apps” , which states:

“OAuth app policies allow you to detect risky applications connected via OAuth authorization and monitor app access to your organizational data.”

In Azure AD, password resets and session invalidation for non-administrative users are delegated with the least privilege by assigning the Helpdesk administrator (formerly Password administrator) role. The SC-300 materials explain that this role can reset passwords for standard users, force password change at next sign-in, require re-register for MFA, and revoke refresh tokens (invalidate sessions). The Authentication administrator has broader reach, including managing some authentication methods and affecting certain admin roles, which exceeds the minimum needed. Privileged Authentication Administrator can reset passwords for most admin roles (beyond the scope here) and is therefore not least-privileged. Security administrator focuses on configuring and viewing security features, not resetting user passwords. To enable SecAdmin1 to “manage passwords and invalidate sessions on behalf of non-administrative users” while honoring least privilege, assign Helpdesk administrator.

 User1 can perform an access review for User1: No

 User1 can perform an access review for Managed2: Yes

 User1 can perform an access review for User3: Yes

In this scenario, an access review named Review1 has been configured for Group1, with the following conditions:

Review scope: Teams + Groups

Group: Group1

Scope: All users

Reviewers: Group owner(s)

Fallback reviewers: None

From the configuration, the reviewers of the access review are the owners of Group1 — namely User1 and User4. Therefore, both of these users are authorized to review all members of Group1.

Group1 includes the following members:

User1 (User, also owner)

Managed2 (Managed identity)

Group2 (which includes User3)

Since the scope is set to All users, it includes both internal and external members. However, the SC-300 materials emphasize that reviewers cannot review their own access; Microsoft Learn states:

“Reviewers cannot approve or deny their own access in an access review, even if they are members of the group under review.”

Therefore:

User1 cannot review themselves → No

User1 can review Managed2 → Yes, because Managed2 is a member of Group1

User1 can review User3 → Yes, because User3 is a member of Group2, and Group2 is itself a member of Group1, meaning User3’s membership is indirectly part of the review scope

This behavior aligns with SC-300 guidance that nested group members are included when the review scope is “All users,” and reviewers (owners) can assess all included members except themselves.