Free Practice Questions for Microsoft SC-300 Exam

In SC-300, Microsoft emphasizes Azure AD B2B collaboration for cross-tenant access without extra Microsoft 365 licensing. The guidance explains that organizations can invite external users as guests to their tenant to access Microsoft 365 resources such as SharePoint Online and Teams, and guest access does not require an additional Microsoft 365 license for the guest. The host tenant remains licensed for the workloads being accessed, and Azure AD billing for B2B collaboration is handled through External Identities (MAU) if configured. The study content also notes that synchronizing a single on-premises AD forest to multiple Azure AD tenants is not a supported topology with a single Azure AD Connect server, and deploying another AAD Connect to sync the same identities to a second tenant introduces complexity and is unnecessary when the requirement is simply to let users in one tenant access resources in another. Application Proxy (publishing on-prem apps) is unrelated to granting SharePoint Online cross-tenant access. Therefore, the minimum-effort, license-compliant approach is to invite Contoso East users as B2B guests in the Contoso West tenant and assign them the required SharePoint permissions.

In the SC-300 materials covering Azure AD MFA configuration, Microsoft distinguishes between Notifications (which control whether the Microsoft Authenticator sends push prompts) and Fraud alert settings (which determine what happens when a user reports an unexpected prompt). The study guide notes that notifications “enable push approvals to the app,” but this does not take action when a user reports a suspicious prompt. To satisfy the requirement “block the users automatically when they report an MFA request they didn’t initiate,” you must use Fraud alert options. The documentation states that administrators can “allow users to submit fraud alerts” and “block users who report fraud” so that “reported accounts are immediately blocked until an administrator unblocks them.” These options are part of the tenant’s MFA service settings, not the Notifications section. In other words, simply configuring Notifications won’t automatically block users who tap Report in Microsoft Authenticator; you must explicitly enable the setting to block users upon fraud reports. Therefore, the proposed solution—changing Notifications settings—does not meet the goal. The correct approach is to enable Fraud alert and select Block users who report fraud, ensuring automatic protection when users report unexpected MFA prompts.

According to Microsoft’s Azure Active Directory roles and permissions reference, the User Administrator role has the following capabilities:

Reset passwords for most non-admin users and certain administrative roles.

Manage user and group properties, including license assignments.

While the License Administrator can manage product licenses, they cannot reset user passwords. Conversely, the Helpdesk Administrator can reset passwords but not manage licenses. Therefore, the only role that satisfies both requirements (reset passwords and manage licenses) is User Administrator.

Microsoft documentation confirms:

“The User Administrator can manage all aspects of users and groups, including resetting passwords, monitoring service health, and assigning licenses.”

The Microsoft Azure connector integrates Azure resource activity into Defender for Cloud Apps, focusing primarily on resource management operations and security alerts within Azure, not OAuth authentication requests across third-party apps.

According to the official Microsoft Defender for Cloud Apps documentation:

“Adding the Microsoft Azure connector allows visibility into Azure Resource Manager activities and alerts, not third-party OAuth authorization data.”

Monitoring OAuth app authentication involves connecting cloud applications that use OAuth for authentication (like Google Workspace, AWS, GitHub), not Azure itself. Therefore, adding the Microsoft Azure connector does not achieve the goal of monitoring OAuth authentication requests across the hybrid environment.

SC-300 coverage of Azure AD B2B collaboration states that to grant an external person access to your enterprise application, you invite them as a guest using their existing identity (such as a Microsoft account like user1@outlook.com). The documentation emphasizes that B2B “lets you collaborate with external users by adding them to your directory as guest users using their existing credentials.” Once invited, the guest can authenticate in their home identity provider and be assigned to the target enterprise application (App1) through app role assignment or group membership. You do not need to create a new managed user or add a WS-Federation identity provider for Outlook.com; Azure AD natively supports Microsoft Accounts for B2B invitations, controlled by External collaboration settings (which generally allow invitations to any domain by default). Consequently, to ensure the contractor can authenticate as user1@outlook.com and access App1, you should create a guest user (invite) in the contoso.com tenant and assign that guest to App1.

Within the Remediation tab of Microsoft Entra Permissions Management, the Permissions subtab allows you to view, filter, and manage the permissions directly assigned to identities. It supports operations such as Read, Update, and Delete on granted permissions.

If you need to change a user’s permissions (for example, reduce all of User1’s permissions to read-only), the quick action capability in the Permissions subtab is the most efficient method. Using the quick action, you can right-size, remove, or adjust permissions for a user in bulk across their assigned permissions. This is less administrative effort than creating new roles or templates

The Roles/Policies subtab (option A) deals with role definitions (CRUD operations), not directly editing a given user’s permissions.

The My Requests subtab (option B) is for requesting elevated permissions, not for bulk modifying existing assignments.

The Role/Policy Template tab (option D) is for defining templates; using them is less direct and more overhead when you already have assignments to adjust.

Hence, the correct and minimal-effort choice is to use the quick action in the Permissions subtab of the Remediation tab to change User1’s permissions to read-only.

Identities with Owner role: Managed1, Managed2, VM1, and VM2 only

Virtual machines assigned to Managed2: VM2 and VM4 only

In Azure RBAC, role assignments can be made to Azure AD security principals, including managed identities (user-assigned and system-assigned). The SC-300 learning path on Identity Governance and Privileged Access, and the Exam Ref coverage of Azure RBAC, explain that a system-assigned managed identity is a service principal tied to a single resource, and you can assign RBAC at any scope (subscription, resource group, or resource) to that identity. A user-assigned managed identity is an independent Azure resource with its own service principal; it can also be granted roles at the resource group scope. Therefore, the assignable principals for RG1 include the two user-assigned identities (Managed1, Managed2) and the two VMs that have system-assigned identities (VM1, VM2). VM3 does not present a system-assigned identity; its access is represented by Managed1.

For attaching a user-assigned identity to a virtual machine, SC-300 materials note that the identity and the target resource must be in the same region (often phrased as “user-assigned identities are regional; the identity and the resource must share a region”). Since Managed2 is in West US, it can be associated only with West US VMs—here, VM2 and VM4.

In Azure AD B2B bulk invitations, the portal and CSV workflow require two core fields: the external user’s email address and the Invite Redirect URL that determines where the guest is sent to redeem the invitation. The study guide notes that the bulk invite template “must include the guest’s email address” and that “InviteRedirectUrl is required to define the post-invite redemption target (such as MyApps or a specific app).” Usernames and passwords are not supplied for B2B guests because “guest accounts authenticate with their home identity provider,” and there is no shared key involved in the invitation. Therefore, the only mandatory parameters to successfully process a bulk B2B invite are the email address of each guest and the redirection URL used during invitation redemption.