
SC-300 — Microsoft Entra Identity and Access Administrator Study Guide

378 practice questions Updated 2026-02-27 $19 (70% off) HTML + PDF formats

SC-300 Exam Overview

Prepare for the Microsoft SC-300 certification exam with our comprehensive study guide. This study material contains 378 practice questions sourced from real exams and expert-verified for accuracy. Each question includes the correct answer and a detailed explanation to help you understand the material thoroughly.

The SC-300 exam — Microsoft Entra Identity and Access Administrator — is offered by Microsoft. Passing this exam earns you the Microsoft Certified: Identity and Access Administrator Associate credential, an industry-recognized certification that validates your expertise. Our study materials were last updated on 2026-02-27 to reflect the most recent exam objectives and content.

What You Get

378 Practice Questions

Complete question bank covering all exam domains and objectives.

HTML + PDF Formats

Interactive HTML file (recommended) for screen study and a print-ready PDF.

Instant Download

Access your study materials immediately after purchase.

Email with Permanent Download Links

You will receive a confirmation email with permanent download links in case you want to download the files again in the future.

Why Choose CheapestExamDumps?

Lowest Price Available

Only $19 per exam — competitors charge $50-$300 for similar content.

Updated Monthly

Study materials refreshed within 30 days of any exam content changes.

Free Preview

Try 15 real practice questions before you buy — no signup required.

Instant Access

Download HTML + PDF immediately after payment. No waiting, no account needed.

About the Microsoft Certified: Identity and Access Administrator Associate

The Microsoft Certified: Identity and Access Administrator Associate is awarded by Microsoft to professionals who demonstrate competence in the skills measured by the SC-300 exam. According to the official Microsoft certification page, this certification validates your ability to work with the technologies covered in the exam objectives.

According to the Global Knowledge IT Skills and Salary Report, certified IT professionals earn 15-25% more than their non-certified peers. Certifications from Microsoft are among the most recognized credentials in the IT industry, with strong demand across enterprise organizations worldwide.

$63 $19

One-time payment · HTML + PDF · Instant download · 378 questions

Free Sample — 15 Practice Questions

Preview 15 of 378 questions from the SC-300 exam. Try before you buy — purchase the full study guide for all 378 questions with answers and explanations.

Question 213

HOTSPOT - Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure AD tenant. You need to ensure that user authentication always occurs by validating passwords against the AD DS domain. What should you configure, and what should you use? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Illustration for SC-300 question 213
Correct Answer: Configure: Pass-through authentication Use: Azure AD Connect
Explanation:
Pass-through Authentication validates sign-ins directly against on-premises AD DS, ensuring passwords are checked on-prem. It is enabled and managed through Azure AD Connect.

Question 131

You have a Microsoft Entra tenant. You need to configure continuous access evaluation for app sign-ins and assign the configuration to users that are assigned the Application Administrator role. What should you configure?

A. a sign-in risk policy
B. an access review
C. a Conditional Access policy
D. the Admin consent settings
Correct Answer: C
Explanation:
Continuous Access Evaluation (CAE) for app sign-ins is configured and enforced through Conditional Access. Conditional Access policies support CAE-enabled apps and can be scoped to specific users or directory roles, such as users assigned the Application Administrator role. Other options (sign-in risk policy, access review, admin consent settings) do not configure real-time or continuous access evaluation.

Question 347

You have a Microsoft 365 tenant. All users have mobile phones and laptops. The users frequently work from remote locations that do not have Wi-Fi access or mobile phone connectivity. While working from the remote locations, the users connect their laptop to a wired network that has internet access. You plan to implement multi-factor authentication (MFA). Which MFA authentication method can the users use from the remote location?

A. a notification through the Microsoft Authenticator app
B. an app password
C. Windows Hello for Business
D. SMS
Correct Answer: C
Explanation:
From the remote locations, users lack Wi‑Fi and mobile connectivity, so MFA methods that rely on phone data or SMS won’t work. Microsoft Authenticator push notifications require internet access, and SMS requires cellular service. An app password is not MFA. Windows Hello for Business provides strong MFA/passwordless authentication using a device-bound key plus PIN or biometrics and works without phone connectivity, making it the valid option.

Question 372

HOTSPOT - You have a Microsoft 365 tenant that contains a group named Group1 as shown in the Group1 exhibit. (Click the Group1 tab.) You create an enterprise application named App1 as shown in the App1 Properties exhibit. (Click the App1 Properties tab.) You configure self-service for App1 as shown in the App1 Self-service exhibit. (Click the App1 Self-service tab.) For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

Illustration for SC-300 question 372
Correct Answer: No Yes No
Explanation:
1) Group-based app assignment does not support nested groups, so members of Group3 cannot access App1 unless individually approved and added to Group1.
2) When self-service with approval is configured, the selected approver becomes the owner of the target group (Group1).
3) "Visible to users" is set to No, so the app does not appear in the My Apps or Microsoft 365 app launcher, even for assigned users.

Question 321

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You use Azure Monitor to analyze Azure Active Directory (Azure AD) activity logs. You receive more than 100 email alerts each day for failed Azure AD user sign-in attempts. You need to ensure that a new security administrator receives the alerts instead of you.

Solution: From Azure AD, you modify the Diagnostics settings. Does this meet the goal?

A. Yes
B. No
Correct Answer: B
Explanation:
Azure AD diagnostic settings only control where logs are sent (Log Analytics, storage, Event Hub, partner solutions). They do not configure email alert recipients. Email alerts are managed in Azure Monitor via alert rules and their associated action groups. Therefore modifying Diagnostics settings does not meet the goal.

Question 364

Your network contains an on-premises Active Directory domain that syncs to an Azure Active Directory (Azure AD) tenant. The tenant contains the users shown in the following table. All the users work remotely. Azure AD Connect is configured in Azure AD as shown in the following exhibit. Connectivity from the on-premises domain to the internet is lost. Which users can sign in to Azure AD?

A. User1 and User3 only
B. User1 only
C. User1, User2, and User3
D. User1 and User2 only
Correct Answer: A
Explanation:
When on‑premises connectivity is lost, Pass-through Authentication (PTA) cannot validate credentials against Active Directory. Although Password Hash Synchronization (PHS) may be enabled, it does NOT automatically act as a fallback while PTA remains the active sign-in method. Therefore, directory‑synced users relying on PTA cannot sign in. Cloud‑only users authenticate directly to Azure AD, and guest users authenticate via their home identity provider, neither of which depend on on‑premises connectivity. Thus, only User1 (cloud-only) and User3 (guest) can sign in.

Question 310

HOTSPOT - You have an Azure Active Directory (Azure AD) tenant that contains three users named User1, User2, and User3. You create a group named Group1. You add User2 and User3 to Group1. You configure a role in Azure AD Privileged Identity Management (PIM) as shown in the Application Administrator exhibit. (Click the Application Administrator tab.) Group1 is configured as the approver for the Application administrator role. You configure User2 to be eligible for the Application administrator role. For User1 you add an assignment to the Application administrator role as shown in the Assignment exhibit. (Click the Assignment tab.) For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

Illustration for SC-300 question 310
Correct Answer: No Yes Yes
Explanation:
User1 is assigned as eligible, not automatically active. Approvers are Group1 members; User2 cannot approve their own request, leaving User3 as the approver. An activation approved at 23:00 can run for the 5-hour maximum, ending at 04:00 the next day.

Question 258

DRAG DROP - You have a Microsoft 365 E5 subscription and an Azure subscription. You need to meet the following requirements:
• Ensure that users can sign in to Azure virtual machines by using their Microsoft 365 credentials.
• Delegate the ability to create new virtual machines.

What should you use for each requirement? To answer, drag the appropriate features to the correct requirements. Each feature may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Illustration for SC-300 question 258
Correct Answer:
Ensure that users can sign in to Azure virtual machines by using their Microsoft 365 credentials: Azure role-based access control (Azure RBAC)
Delegate the ability to create new virtual machines: Azure AD built-in roles
Explanation:
Signing in to Azure VMs with Microsoft 365 (Entra ID) credentials requires assigning Azure RBAC roles such as Virtual Machine User Login or Virtual Machine Administrator Login at the VM or resource scope. Delegating VM creation is represented in the provided options as using Azure AD built-in roles to delegate administrative capabilities.

Question 60

You have a Microsoft Entra tenant named contoso.com that contains an enterprise application named App1. A contractor uses the credentials of . You need to ensure that you can provide the contractor with access to App1. The contractor must be able to authenticate as . What should you do?

A. Run the New-MgUser cmdlet.
B. Run the New-MgInvitation cmdlet.
C. Configure the External collaboration settings.
D. Implement Microsoft Entra Connect sync.
Correct Answer: B
Explanation:
To provide a contractor with access to an enterprise application in Microsoft Entra ID while allowing them to authenticate using their own external credentials, you must invite them as a guest user. The New-MgInvitation cmdlet sends a B2B invitation and creates a guest account linked to the contractor’s existing identity. The other options either create internal users, configure tenant-wide settings without granting access, or synchronize on-premises identities, none of which meet the requirement.

Question 138

You have a Microsoft 365 E5 subscription that contains a user named User1. User1 is eligible for the Application Administrator role. User1 needs to configure a new connector group for an application proxy. What should you use to activate the role for User1?

A. the Microsoft 365 Defender portal
B. the Microsoft 365 admin center
C. the Microsoft Intune admin center
D. the Azure Active Directory admin center
Correct Answer: D
Explanation:
User1 is eligible for the Application Administrator role, which means the role must be activated through Privileged Identity Management (PIM). PIM role activation is performed in the Azure Active Directory admin center (now called the Microsoft Entra admin center) under My roles. Other portals do not support activating Entra ID roles via PIM.

Question 315

HOTSPOT - You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table. You have the locations shown in the following table. The tenant contains a named location that has the following configurations:
• Name: Location1
• Mark as trusted location: Enabled
• IPv4 range: 10.10.0.0/16

MFA has a trusted IP address range of 193.17.17.0/24.

• Name: CAPolicy1
• Assignments
  - Users or workload identities: Group1
  - Cloud apps or actions: All cloud apps
• Conditions
  - Locations: All trusted locations
• Access controls
  - Grant
    - Grant access: Require multi-factor authentication
  - Session: 0 controls selected
• Enable policy: On

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

Illustration for SC-300 question 315
Correct Answer: No Yes No
Explanation:
CAPolicy1 applies only to Group1 and only when the sign-in is from a trusted location. Azure AD evaluates public IPs, not private IPs.
1) User1 (Group1) signs in from a private IP (10.10.0.150) which does not match a trusted public location; per-user MFA is disabled → no MFA.
2) User2 (Group2) is not targeted by the CA policy; per-user MFA is enforced and the public IP is not in the MFA trusted IP range → MFA required.
3) User2 signs in from a location whose public NAT IP is in the MFA trusted IP range (193.17.17.0/24) → MFA is skipped.

Question 199

You have an Azure AD tenant. You discover that a large number of new apps were added to the tenant. You need to implement an approval process for new enterprise applications. What should you do?

A. From the Microsoft Defender for Cloud Apps portal, create a Cloud Discovery anomaly detection policy.
B. From the Microsoft Entra admin center, configure the Admin consent settings.
C. From the Microsoft Defender for Cloud Apps portal, configure an app connector.
D. From the Microsoft Entra admin center, configure an access review.
Correct Answer: B
Explanation:
Configuring Admin consent settings in the Microsoft Entra admin center enables an approval workflow where user requests for new enterprise applications require administrator review and approval, directly addressing the need for an approval process.

Question 345

HOTSPOT - You have an Azure Active Directory (Azure AD) tenant that contains the following group:
• Name: Group1
• Members: User1, User2
• Owner: User3

On January 15, 2021, you create an access review as shown in the exhibit. (Click the Exhibit tab.) Users answer the Review1 question as shown in the following table. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

Illustration for SC-300 question 345
Correct Answer: No Yes No
Explanation:
The access review runs monthly starting January 15 with a 14‑day response window (Jan 15–29). After that window closes, users cannot respond again until the next cycle, which would start Feb 15, but the review has an end date of Feb 15, so no new cycle occurs. User2’s second response date (Jan 25) is still within the active review window. User3 is only an owner, not a member of Group1, and is therefore not in scope of the review.

Question 38

HOTSPOT - You have a Microsoft 365 subscription. You configure a Global Secure Access security profile named SecurityProfile1. You need to create a Conditional Access policy named CAPolicy1 that will use SecurityProfile1. Which two settings should you configure to ensure that CAPolicy1 uses SecurityProfile1? To answer, select the appropriate settings in the answer area. NOTE: Each correct selection is worth one point.

Illustration for SC-300 question 38
Correct Answer: Target resources Session
Explanation:
To use a Global Secure Access security profile in a Conditional Access policy, you must scope the policy to the appropriate Target resources and then configure the Global Secure Access security profile under Session controls. The security profile is applied via Session, not Grant controls.

Question 77

SIMULATION - Use the following login credentials as needed:
To enter your username, place your cursor in the Sign in box and click on the username below.
To enter your password, place your cursor in the Enter password box and click on the password below.
Microsoft 365 Username:
Microsoft 365 Password: =1122334455667788
If the Microsoft 365 portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab.
The following information is for technical support purposes only:
Lab Instance: 99999999

You need to prevent all users from using passwords that are variations of the word Falcon. To complete this task, sign in to the appropriate admin center.

Correct Answer:
Microsoft Entra admin center
Entra ID → Security → Authentication methods → Password protection
Enforce custom banned passwords: Yes
Add to custom banned password list: Falcon
Explanation:
Microsoft Entra Password Protection blocks passwords and their common variations by using a global and custom banned password list. Enforcing a custom list and adding the word “Falcon” prevents all users from using passwords derived from that term.


SC-300 — Frequently Asked Questions

What is the Microsoft SC-300 exam?

The Microsoft SC-300 exam — Microsoft Entra Identity and Access Administrator — is a professional IT certification exam offered by Microsoft. Passing this exam earns you the Microsoft Certified: Identity and Access Administrator Associate certification, a widely recognized credential in the IT industry.

How many practice questions are included?

This study guide contains 378 practice questions, each with an expert-verified correct answer and a detailed explanation. Questions cover all exam domains and objectives.

Is there a free sample available?

Yes! We provide a free sample of 15 practice questions from the SC-300 exam right on this page. Scroll up to preview them and evaluate the quality of our materials before purchasing.

When was this SC-300 study guide last updated?

This study guide was last updated on 2026-02-27. We regularly refresh our materials to reflect the latest exam content and objectives so you're always studying current material.

What file formats do I receive?

After purchase you receive two files: an interactive HTML file with show/hide answer toggles (ideal for studying on screen) and a PDF file (ideal for printing or offline study). Both work on any device — desktop, tablet, or phone.

How much does the SC-300 study guide cost?

The Microsoft SC-300 study guide costs $19 (discounted from $63). This is a one-time payment with no subscriptions or hidden fees.

How do I get my files after payment?

After successful payment via Stripe, you are immediately redirected to a download page with links to your HTML and PDF files. We also send the download links to your email address as a backup, so you'll always have access.

Why choose CheapestExamDumps over other providers?

CheapestExamDumps offers the lowest price at $19 per exam — competitors charge $50-$300 for similar content. All study materials are expert-verified, updated monthly, and include a free 15-question preview with no signup required. You get instant access to both HTML and PDF formats after payment.