Control Alt Delete Tech Bits – Microsoft Entra ID, Intune, Windows 11 guides and troubleshooting


SC-300

Microsoft Identity and Access Administrator

A free study hub for Microsoft identity and access administration, built around Microsoft Entra, Zero Trust, Conditional Access, workload identities, and identity governance.

Last updated: 10 May 2026

Objective map

Use this as the content checklist when Microsoft updates the exam.

Implement and manage user identities

20 to 25 percent

  • Microsoft Entra tenant settings, roles, administrative units, domains, branding, and device settings
  • Users, groups, custom security attributes, bulk operations, device registration, and licensing
  • External collaboration, guest users, cross tenant access, cross tenant synchronisation, and external identity providers
  • Microsoft Entra Connect Sync, Cloud Sync, password hash synchronisation, pass through authentication, seamless SSO, AD FS migration, and Connect Health

Implement authentication and access management

25 to 30 percent in the summary, although the section heading currently shows 20 to 25 percent

  • Authentication methods, Temporary Access Pass, OAuth 2.0 tokens, Microsoft Authenticator, passkeys, MFA, SSPR, Windows Hello for Business, account disablement, session revocation, password protection, and Microsoft Entra Kerberos
  • Conditional Access assignments, controls, testing, troubleshooting, session management, device restrictions, continuous access evaluation, authentication context, protected actions, and templates
  • Microsoft Entra ID Protection for user risk, sign in risk, MFA registration, risky users, risky sign ins, and risky workload identities
  • Global Secure Access clients, Private Access, Internet Access, and Internet Access for Microsoft 365

Plan and implement workload identities

20 to 25 percent

  • Managed identities, service principals, user accounts, managed service accounts, and Azure resource access
  • Enterprise application settings, app roles, on premises app publishing with Microsoft Entra Application Proxy, SaaS app integration, assignment, classification, consent, and app collections
  • App registrations, authentication, API permissions, and app roles
  • Microsoft Defender for Cloud Apps discovery, connected apps, application restrictions, Conditional Access app control, policies for OAuth apps, and the Cloud app catalog

Plan and automate identity governance

20 to 25 percent

  • Entitlement management, catalogues, access packages, requests, terms of use, external user lifecycle, and connected organisations
  • Access review planning, configuration, monitoring, and manual responses
  • Privileged Identity Management for Microsoft Entra roles, Azure resources, groups, approvals, audit history, reports, and break glass accounts
  • Sign in logs, audit logs, provisioning logs, diagnostic settings, Log Analytics, KQL, workbooks, reports, and Identity Secure Score

Case studies

Practise reading the business context, constraints, and requirements before answering. These are original scenarios based on the SC-300 objective style.

Liver Shipping: Delegated administration and Conditional Access

Overview

Liver Shipping operates port offices in Liverpool, Belfast, and Cardiff. The central IT team owns identity design, but each port has a local support team that handles first line account issues.

Identity environment

  • The tenant uses Microsoft Entra ID with Microsoft 365 E5 licences.
  • Users are grouped by port and department.
  • The helpdesk team must reset passwords only for users in its own port.
  • Two emergency access accounts are excluded from normal Conditional Access policies and are monitored.

Cloud environment

  • SharePoint Online is used for port operations documents.
  • A finance application is integrated as an enterprise application.
  • Sign in logs are sent to a Log Analytics workspace.

Requirements

  • Use least privilege for delegated administration.
  • Require MFA outside trusted port office locations.
  • Test new Conditional Access policies before enforcement.
  • Keep evidence for sign in troubleshooting.

User identities

You need to allow the Belfast helpdesk to reset passwords only for Belfast users. What should you configure first?

Administrative units let you scope supported role assignments to a defined set of users or groups.

Conditional Access

You need to validate the MFA policy before users are affected. What should you use?

Report only mode lets you evaluate Conditional Access impact before turning on enforcement.

Monitoring

Which two sources should you review to troubleshoot Conditional Access results for a user sign in?

Sign in logs show policy results, and the policy configuration explains assignments, conditions, and controls.

Blink Inc: Passwordless onboarding and risk based access

Overview

Blink Inc is moving product and engineering teams to passwordless sign in. The support team must onboard new starters without issuing long lived temporary passwords.

Identity environment

  • All employees use Microsoft Entra ID for Microsoft 365 and SaaS access.
  • New starters receive managed devices but have no registered authentication methods on day one.
  • The security team wants to reduce risky sign ins and prompt users to register strong methods.

Cloud environment

  • The company uses Microsoft Authenticator and passkeys where supported.
  • Several SaaS apps use enterprise application SSO.
  • Risk detections are reviewed daily.

Requirements

  • Provide a secure onboarding method for passwordless registration.
  • Require MFA for risky sign ins.
  • Avoid permanent shared credentials.
  • Use clear evidence when support investigates blocked access.

Authentication

You need to let a new starter register Microsoft Authenticator without issuing a permanent password. What should you create?

Temporary Access Pass is suited to secure onboarding and recovery scenarios.

Identity Protection

You need to respond automatically when a user has high sign in risk. What should you configure?

Risk based Conditional Access can use sign in risk as a condition.

Authentication methods

Which two items should you review before enforcing passwordless registration?

Authentication methods policy controls available methods, and registration status shows readiness.

Mill Town Engineering: Hybrid identity, workload identity, and privileged access

Overview

Mill Town Engineering runs AD DS on premises and Azure workloads for design automation. Engineers need secure access to resources without storing secrets in scripts.

Identity environment

  • AD DS users are synchronised to Microsoft Entra ID.
  • Privileged administrators currently have standing role assignments.
  • Automation jobs access Azure Key Vault and storage accounts.

Cloud environment

  • Azure resources are spread across production and test subscriptions.
  • A Log Analytics workspace stores Microsoft Entra sign in and audit logs.
  • PIM has been enabled but not fully configured.

Requirements

  • Reduce standing privileged access.
  • Avoid secrets in automation code.
  • Monitor role activation and sign in activity.
  • Keep hybrid sign in resilient.

Workload identities

You need an Azure automation process to access Key Vault without storing a secret in code. What should you use?

Managed identities allow supported Azure resources to authenticate without secrets in code.

Privileged access

You need administrators to activate roles only when required. What should you configure?

PIM eligible assignments reduce standing privilege and support activation controls.

Hybrid identity

Which two features should you compare when choosing how to synchronise AD DS identities?

Microsoft Entra Connect Sync and Cloud Sync are the main synchronisation options to compare.

Whippet Exports: External collaboration and identity governance

Overview

Whippet Exports works with freight brokers, customs agents, and temporary warehouse partners. Partner access must be easy to request but removed when work ends.

Identity environment

  • Partners access Teams, SharePoint Online, and a customs tracking application.
  • Guest users are currently invited manually by project managers.
  • Some partner organisations use their own Microsoft Entra tenants.

Cloud environment

  • The customs tracking application uses Microsoft Entra enterprise application assignment.
  • Access reviews are available but not scheduled.
  • Entitlement management is licensed.

Requirements

  • Use an approval process for partner access.
  • Remove access automatically when the project ends.
  • Review guest access every month.
  • Use cross tenant access settings for trusted partner tenants.

Identity governance

You need partners to request access to Teams and SharePoint resources with approval and expiry. What should you create?

Access packages support governed requests, approvals, expiry, and lifecycle management.

External identities

You need to control inbound collaboration from a trusted partner tenant. What should you configure?

Cross tenant access settings control inbound and outbound collaboration with other Microsoft Entra tenants.

Access reviews

Which two settings should you define for a monthly guest access review?

Access reviews require a target scope and reviewers, along with recurrence and outcome settings.

Study material

How to read an SC-300 case study

Start with the overview, then separate identity environment, cloud environment, requirements, and constraints. Most questions ask for the option that meets every requirement with the least privilege and fewest operational changes.

Example company: All companies

Delegated administration

Look for scope words such as only, specific department, region, or business unit. These often point towards administrative units, scoped role assignment, or group based design rather than tenant wide administrator roles.

Example company: Liver Shipping

Authentication and risk

For onboarding and recovery, compare Temporary Access Pass, authentication methods policy, registration campaigns, and SSPR. For risky access, look for user risk, sign in risk, and Conditional Access policy controls.

Example company: Blink Inc

Workload and privileged identities

For Azure workloads, prefer managed identities where supported. For administrators, prefer PIM eligible assignments, activation controls, approval, justification, and audit history over permanent broad roles.

Example company: Mill Town Engineering

Governed external access

For partner access, compare guest invitations, cross tenant access settings, entitlement management, connected organisations, access packages, lifecycle settings, and access reviews.

Example company: Whippet Exports

Prepare for the exam

Choose a course section and work through the practice questions. Each section is designed to hold 50 questions.

Explore identity in Microsoft Entra ID | 50 questions

Module | 48 min

Identity basics, Zero Trust, Microsoft Entra services, authentication, authorisation, tokens, licensing, and auditing.

Zero Trust

Liver Shipping is preparing a Conditional Access rollout. The identity team must explain how Zero Trust changes access decisions. The answer must not rely only on trusted network locations. What should you recommend?

Zero Trust relies on explicit verification, least privilege, and assumed breach. Identity is a core control point.

Authentication and authorisation

Blink Inc is reviewing a failed access attempt. The team must explain why a user can sign in but still cannot open an application. The answer must separate identity proof from access rights. What should you recommend?

Authentication and authorisation are separate. A successful sign in does not automatically grant access to every app.

Tokens and claims

Mill Town Engineering is troubleshooting an app that receives Microsoft identity platform tokens. The developer must know which token is used by an API to authorise access. The answer must not treat tokens as passwords. What should you recommend?

Access tokens are presented to APIs. ID tokens describe the signed in user to the client application.

Microsoft Entra services

Whippet Exports is choosing identity services for partner access. The company needs controlled collaboration with external users. Partners should keep their own organisation identities where possible. What should you recommend?

External identity features support collaboration without creating standard employee accounts for every partner.

Identity licensing

Blink Inc wants to use advanced governance and risk features. The security lead must confirm whether the tenant can use the planned controls. The answer must avoid assuming every Microsoft Entra feature is available. What should you recommend?

Some identity protection and governance features depend on licensing. Licence checks prevent a design that cannot be deployed.

Audit evidence

Liver Shipping is investigating who changed a tenant setting. The team must identify the evidence source for a configuration change. The answer must not use user reports as the main evidence. What should you recommend?

Audit logs show directory and configuration changes. Sign in logs show sign in activity.

Sign in evidence

Blink Inc is investigating a blocked user sign in. The support team must see whether Conditional Access affected the sign in. The answer must show policy outcome evidence. What should you recommend?

Sign in logs show authentication details and Conditional Access policy results for a sign in.

Identity as control plane

Mill Town Engineering is modernising access to cloud workloads. The design must use identity as the main access control point. The answer must work across users, apps, and workloads. What should you recommend?

Identity is a control plane because it governs access across users, apps, devices, and workloads.

Least privilege

Whippet Exports is assigning a support role. The support user needs to manage only one narrow task. The answer must avoid broad tenant rights. What should you recommend?

Microsoft exams often include an over privileged answer. Least privilege usually removes it.

Exam reading

Liver Shipping is practising case study questions. The team must choose answers that meet all stated requirements. Some answer choices meet one requirement but break another. What should you recommend?

SC-300 case questions reward careful reading. The best answer must satisfy every constraint, not just the headline task.

Zero Trust

Liver Shipping is preparing a Conditional Access rollout. The identity team must explain how Zero Trust changes access decisions. The answer must not rely only on trusted network locations. What should you do first?

Zero Trust relies on explicit verification, least privilege, and assumed breach. Identity is a core control point.

Authentication and authorisation

Blink Inc is reviewing a failed access attempt. The team must explain why a user can sign in but still cannot open an application. The answer must separate identity proof from access rights. What should you do first?

Authentication and authorisation are separate. A successful sign in does not automatically grant access to every app.

Tokens and claims

Mill Town Engineering is troubleshooting an app that receives Microsoft identity platform tokens. The developer must know which token is used by an API to authorise access. The answer must not treat tokens as passwords. What should you do first?

Access tokens are presented to APIs. ID tokens describe the signed in user to the client application.

Microsoft Entra services

Whippet Exports is choosing identity services for partner access. The company needs controlled collaboration with external users. Partners should keep their own organisation identities where possible. What should you do first?

External identity features support collaboration without creating standard employee accounts for every partner.

Identity licensing

Blink Inc wants to use advanced governance and risk features. The security lead must confirm whether the tenant can use the planned controls. The answer must avoid assuming every Microsoft Entra feature is available. What should you do first?

Some identity protection and governance features depend on licensing. Licence checks prevent a design that cannot be deployed.

Audit evidence

Liver Shipping is investigating who changed a tenant setting. The team must identify the evidence source for a configuration change. The answer must not use user reports as the main evidence. What should you do first?

Audit logs show directory and configuration changes. Sign in logs show sign in activity.

Sign in evidence

Blink Inc is investigating a blocked user sign in. The support team must see whether Conditional Access affected the sign in. The answer must show policy outcome evidence. What should you do first?

Sign in logs show authentication details and Conditional Access policy results for a sign in.

Identity as control plane

Mill Town Engineering is modernising access to cloud workloads. The design must use identity as the main access control point. The answer must work across users, apps, and workloads. What should you do first?

Identity is a control plane because it governs access across users, apps, devices, and workloads.

Least privilege

Whippet Exports is assigning a support role. The support user needs to manage only one narrow task. The answer must avoid broad tenant rights. What should you do first?

Microsoft exams often include an over privileged answer. Least privilege usually removes it.

Exam reading

Liver Shipping is practising case study questions. The team must choose answers that meet all stated requirements. Some answer choices meet one requirement but break another. What should you do first?

SC-300 case questions reward careful reading. The best answer must satisfy every constraint, not just the headline task.

Zero Trust

Liver Shipping is preparing a Conditional Access rollout. The identity team must explain how Zero Trust changes access decisions. The answer must not rely only on trusted network locations. Which source should you use to confirm the result?

Zero Trust relies on explicit verification, least privilege, and assumed breach. Identity is a core control point.

Authentication and authorisation

Blink Inc is reviewing a failed access attempt. The team must explain why a user can sign in but still cannot open an application. The answer must separate identity proof from access rights. Which source should you use to confirm the result?

Authentication and authorisation are separate. A successful sign in does not automatically grant access to every app.

Tokens and claims

Mill Town Engineering is troubleshooting an app that receives Microsoft identity platform tokens. The developer must know which token is used by an API to authorise access. The answer must not treat tokens as passwords. Which source should you use to confirm the result?

Access tokens are presented to APIs. ID tokens describe the signed in user to the client application.

Microsoft Entra services

Whippet Exports is choosing identity services for partner access. The company needs controlled collaboration with external users. Partners should keep their own organisation identities where possible. Which source should you use to confirm the result?

External identity features support collaboration without creating standard employee accounts for every partner.

Identity licensing

Blink Inc wants to use advanced governance and risk features. The security lead must confirm whether the tenant can use the planned controls. The answer must avoid assuming every Microsoft Entra feature is available. Which source should you use to confirm the result?

Some identity protection and governance features depend on licensing. Licence checks prevent a design that cannot be deployed.

Audit evidence

Liver Shipping is investigating who changed a tenant setting. The team must identify the evidence source for a configuration change. The answer must not use user reports as the main evidence. Which source should you use to confirm the result?

Audit logs show directory and configuration changes. Sign in logs show sign in activity.

Sign in evidence

Blink Inc is investigating a blocked user sign in. The support team must see whether Conditional Access affected the sign in. The answer must show policy outcome evidence. Which source should you use to confirm the result?

Sign in logs show authentication details and Conditional Access policy results for a sign in.

Identity as control plane

Mill Town Engineering is modernising access to cloud workloads. The design must use identity as the main access control point. The answer must work across users, apps, and workloads. Which source should you use to confirm the result?

Identity is a control plane because it governs access across users, apps, devices, and workloads.

Least privilege

Whippet Exports is assigning a support role. The support user needs to manage only one narrow task. The answer must avoid broad tenant rights. Which source should you use to confirm the result?

Microsoft exams often include an over privileged answer. Least privilege usually removes it.

Exam reading

Liver Shipping is practising case study questions. The team must choose answers that meet all stated requirements. Some answer choices meet one requirement but break another. Which source should you use to confirm the result?

SC-300 case questions reward careful reading. The best answer must satisfy every constraint, not just the headline task.

Zero Trust

Liver Shipping is preparing a Conditional Access rollout. The identity team must explain how Zero Trust changes access decisions. The answer must not rely only on trusted network locations. Which option meets the requirement with the least privilege?

Zero Trust relies on explicit verification, least privilege, and assumed breach. Identity is a core control point.

Authentication and authorisation

Blink Inc is reviewing a failed access attempt. The team must explain why a user can sign in but still cannot open an application. The answer must separate identity proof from access rights. Which option meets the requirement with the least privilege?

Authentication and authorisation are separate. A successful sign in does not automatically grant access to every app.

Tokens and claims

Mill Town Engineering is troubleshooting an app that receives Microsoft identity platform tokens. The developer must know which token is used by an API to authorise access. The answer must not treat tokens as passwords. Which option meets the requirement with the least privilege?

Access tokens are presented to APIs. ID tokens describe the signed in user to the client application.

Microsoft Entra services

Whippet Exports is choosing identity services for partner access. The company needs controlled collaboration with external users. Partners should keep their own organisation identities where possible. Which option meets the requirement with the least privilege?

External identity features support collaboration without creating standard employee accounts for every partner.

Identity licensing

Blink Inc wants to use advanced governance and risk features. The security lead must confirm whether the tenant can use the planned controls. The answer must avoid assuming every Microsoft Entra feature is available. Which option meets the requirement with the least privilege?

Some identity protection and governance features depend on licensing. Licence checks prevent a design that cannot be deployed.

Audit evidence

Liver Shipping is investigating who changed a tenant setting. The team must identify the evidence source for a configuration change. The answer must not use user reports as the main evidence. Which option meets the requirement with the least privilege?

Audit logs show directory and configuration changes. Sign in logs show sign in activity.

Sign in evidence

Blink Inc is investigating a blocked user sign in. The support team must see whether Conditional Access affected the sign in. The answer must show policy outcome evidence. Which option meets the requirement with the least privilege?

Sign in logs show authentication details and Conditional Access policy results for a sign in.

Identity as control plane

Mill Town Engineering is modernising access to cloud workloads. The design must use identity as the main access control point. The answer must work across users, apps, and workloads. Which option meets the requirement with the least privilege?

Identity is a control plane because it governs access across users, apps, devices, and workloads.

Least privilege

Whippet Exports is assigning a support role. The support user needs to manage only one narrow task. The answer must avoid broad tenant rights. Which option meets the requirement with the least privilege?

Microsoft exams often include an over privileged answer. Least privilege usually removes it.

Exam reading

Liver Shipping is practising case study questions. The team must choose answers that meet all stated requirements. Some answer choices meet one requirement but break another. Which option meets the requirement with the least privilege?

SC-300 case questions reward careful reading. The best answer must satisfy every constraint, not just the headline task.

Zero Trust

Liver Shipping is preparing a Conditional Access rollout. The identity team must explain how Zero Trust changes access decisions. The answer must not rely only on trusted network locations. Which two choices should be included?

Zero Trust relies on explicit verification, least privilege, and assumed breach. Identity is a core control point.

Authentication and authorisation

Blink Inc is reviewing a failed access attempt. The team must explain why a user can sign in but still cannot open an application. The answer must separate identity proof from access rights. Which two choices should be included?

Authentication and authorisation are separate. A successful sign in does not automatically grant access to every app.

Tokens and claims

Mill Town Engineering is troubleshooting an app that receives Microsoft identity platform tokens. The developer must know which token is used by an API to authorise access. The answer must not treat tokens as passwords. Which two choices should be included?

Access tokens are presented to APIs. ID tokens describe the signed in user to the client application.

Microsoft Entra services

Whippet Exports is choosing identity services for partner access. The company needs controlled collaboration with external users. Partners should keep their own organisation identities where possible. Which two choices should be included?

External identity features support collaboration without creating standard employee accounts for every partner.

Identity licensing

Blink Inc wants to use advanced governance and risk features. The security lead must confirm whether the tenant can use the planned controls. The answer must avoid assuming every Microsoft Entra feature is available. Which two choices should be included?

Some identity protection and governance features depend on licensing. Licence checks prevent a design that cannot be deployed.

Audit evidence

Liver Shipping is investigating who changed a tenant setting. The team must identify the evidence source for a configuration change. The answer must not use user reports as the main evidence. Which two choices should be included?

Audit logs show directory and configuration changes. Sign in logs show sign in activity.

Sign in evidence

Blink Inc is investigating a blocked user sign in. The support team must see whether Conditional Access affected the sign in. The answer must show policy outcome evidence. Which two choices should be included?

Sign in logs show authentication details and Conditional Access policy results for a sign in.

Identity as control plane

Mill Town Engineering is modernising access to cloud workloads. The design must use identity as the main access control point. The answer must work across users, apps, and workloads. Which two choices should be included?

Identity is a control plane because it governs access across users, apps, devices, and workloads.

Least privilege

Whippet Exports is assigning a support role. The support user needs to manage only one narrow task. The answer must avoid broad tenant rights. Which two choices should be included?

Microsoft exams often include an over privileged answer. Least privilege usually removes it.

Exam reading

Liver Shipping is practising case study questions. The team must choose answers that meet all stated requirements. Some answer choices meet one requirement but break another. Which two choices should be included?

SC-300 case questions reward careful reading. The best answer must satisfy every constraint, not just the headline task.

Implement an identity management solution using Microsoft Entra ID | 50 questions

Learning Path | 4 hr 16 min

Tenant setup, users, groups, external identities, and hybrid identity.

Tenant settings

Liver Shipping is standardising its Microsoft Entra tenant. The team must review settings that affect users, groups, devices, roles, domains, and branding. The answer must cover tenant level configuration. What should you recommend?

Tenant configuration covers several settings. The exam may hide the answer behind a mix of domains, users, groups, devices, and roles.

Administrative units

Liver Shipping has helpdesk teams in separate port offices. The Belfast helpdesk must reset passwords only for Belfast users. The team must not manage users in other ports. What should you recommend?

Administrative units scope supported role assignments to a subset of directory objects.

Microsoft Entra roles

Blink Inc is delegating application administration. A user must create and manage enterprise applications but must not manage all tenant settings. The answer must follow least privilege. What should you recommend?

Built in roles are preferred when they meet the task. Global Administrator is usually too broad.

Users and bulk operations

Mill Town Engineering is onboarding 200 contractors. The identity team must create users efficiently and consistently. Manual one by one creation should be avoided. What should you recommend?

Bulk operations and PowerShell reduce manual errors when many identities must be created or updated.

Groups and licences

Blink Inc assigns Microsoft 365 licences by department. Licences must follow group membership and show assignment errors. The answer must not rely on manual licence assignment for every user. What should you recommend?

Group based licensing is used when membership should drive licence assignment.

Custom security attributes

Whippet Exports classifies partner users by broker type. The attribute must support consistent classification in Microsoft Entra. The answer must not overload the display name field. What should you recommend?

Custom security attributes provide structured classification data for supported scenarios.

Device join and registration

Blink Inc is tightening access from managed and personal devices. The team must understand device identity state before writing access policy. The answer must distinguish joined and registered devices. What should you recommend?

Device state can be an access signal, but device registration is not the same as compliance.

External users

Whippet Exports invites customs brokers to collaborate. The company must control guest access without creating employee accounts. The answer must support partner lifecycle management. What should you recommend?

External collaboration settings and guest users are central to partner access scenarios.

Cross tenant access

Whippet Exports works with a partner that has its own Microsoft Entra tenant. Inbound collaboration must be controlled for that partner tenant. The answer must distinguish inbound and outbound access. What should you recommend?

Cross tenant access settings control collaboration between Microsoft Entra tenants.
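
Added example, not from the page, serving both the guest invitation scenario and the partner tenant scenario above: invite a customs broker as a B2B guest, then add a partner specific cross tenant access entry that limits inbound collaboration from that tenant to one partner group while trusting the partner's MFA and device compliance claims. The partner tenant ID, the partner side group ID, the broker's address and the redirect URL are assumptions. The default settings keep applying to every other tenant.

```powershell
# Added example: guest invitation plus inbound cross tenant access for one partner tenant.
# Assumptions (not from the page): partner tenant ID, partner group ID, broker address.
Connect-MgGraph -Scopes "User.Invite.All","Policy.ReadWrite.CrossTenantAccess" -NoWelcome

# 1. B2B collaboration guest: the broker signs in with their own identity, no employee account.
New-MgInvitation -InvitedUserEmailAddress "a.broker@partner.example" `
    -InviteRedirectUrl "https://myapps.microsoft.com" `
    -InvitedUserType "Guest" -SendInvitationMessage:$true

# 2. Partner specific settings.
#    Inbound  = partner users coming into this tenant (what the scenario must control).
#    Outbound = this tenant's users going to the partner (left at the defaults here).
$partnerTenantId = "11111111-2222-3333-4444-555555555555"   # assumption
$partnerGroupId  = "66666666-7777-8888-9999-000000000000"   # a group in the partner's tenant, assumption

New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter @{
    tenantId = $partnerTenantId
    b2bCollaborationInbound = @{
        # Only members of the named partner group may be invited; everyone else from that tenant is blocked.
        usersAndGroups = @{
            accessType = "allowed"
            targets    = @(@{ target = $partnerGroupId; targetType = "group" })
        }
        applications = @{
            accessType = "allowed"
            targets    = @(@{ target = "AllApplications"; targetType = "application" })
        }
    }
    # Accept the partner's MFA and compliant device claims so Conditional Access does not re-prompt.
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $true
        isHybridAzureADJoinedDeviceAccepted = $false
    }
}

# Check: partner entry next to the tenant default, so the override is visible.
Get-MgPolicyCrossTenantAccessPolicyPartner -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId |
    Select-Object TenantId, B2bCollaborationInbound, InboundTrust
Get-MgPolicyCrossTenantAccessPolicyDefault |
    Select-Object B2bCollaborationInbound, B2bCollaborationOutbound
```

Trusting inbound MFA only makes sense where the partner's MFA policy has been reviewed; otherwise leave isMfaAccepted false and let the guest register MFA in the resource tenant.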

Hybrid identity

Mill Town Engineering synchronises AD DS users to Microsoft Entra ID. The team must choose the right synchronisation and authentication design. The answer must account for existing on premises identity. What should you recommend?

Hybrid identity questions often test sync engine choice, authentication method, and health monitoring.

Tenant settings

Liver Shipping is standardising its Microsoft Entra tenant. The team must review settings that affect users, groups, devices, roles, domains, and branding. The answer must cover tenant level configuration. What should you do first?

Tenant configuration covers several settings. The exam may hide the answer behind a mix of domains, users, groups, devices, and roles.

Administrative units

Liver Shipping has helpdesk teams in separate port offices. The Belfast helpdesk must reset passwords only for Belfast users. The team must not manage users in other ports. What should you do first?

Administrative units scope supported role assignments to a subset of directory objects.

Microsoft Entra roles

Blink Inc is delegating application administration. A user must create and manage enterprise applications but must not manage all tenant settings. The answer must follow least privilege. What should you do first?

Built in roles are preferred when they meet the task. Global Administrator is usually too broad.
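
Added example, not from the page, covering both the Belfast helpdesk scenario and the Blink Inc delegation scenario above: an administrative unit whose membership follows the user's city, a Password Administrator assignment scoped to that unit, and for comparison a tenant wide Cloud Application Administrator assignment. The city attribute, group and user names are assumptions; dynamic administrative units and role assignable groups need Microsoft Entra ID P1.

```powershell
# Added example: scoped role assignment through an administrative unit, versus a tenant wide one.
# Assumptions (not from the page): user.city holds the office, group and user names.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All","RoleManagement.ReadWrite.Directory","Group.Read.All","User.Read.All" -NoWelcome

# 1. Administrative unit with dynamic membership, so new Belfast users are in scope automatically.
#    Drop the membership* keys for a static unit and add members with New-MgDirectoryAdministrativeUnitMemberByRef.
$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                   = "Port - Belfast"
    description                   = "Users managed by the Belfast helpdesk"
    membershipType                = "Dynamic"
    membershipRule                = '(user.city -eq "Belfast")'
    membershipRuleProcessingState = "On"
}

# 2. Least privileged built in role that resets non administrator passwords.
#    Helpdesk Administrator also fits but can additionally invalidate refresh tokens.
$pwdAdmin = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Password Administrator'"
$helpdesk = Get-MgGroup -Filter "displayName eq 'Helpdesk - Belfast'"   # must be role assignable (isAssignableToRole)

# 3. The directory scope is the administrative unit, not "/" (the whole tenant).
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $pwdAdmin.Id `
    -PrincipalId $helpdesk.Id -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# Blink Inc: creating and managing enterprise applications needs no tenant settings rights.
# Cloud Application Administrator covers it; Application Administrator adds Application Proxy.
$appAdmin = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Cloud Application Administrator'"
$delegate = Get-MgUser -UserId "app.owner@blink.example"
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $appAdmin.Id `
    -PrincipalId $delegate.Id -DirectoryScopeId "/"

# Check: the helpdesk assignment must show the AU scope, never "/".
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($helpdesk.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

The scoped assignment does not stop the helpdesk from reading other users; it stops them from resetting passwords outside the unit. Users who hold a directory role are also excluded from a Password Administrator reset regardless of scope.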

Users and bulk operations

Mill Town Engineering is onboarding 200 contractors. The identity team must create users efficiently and consistently. Manual one by one creation should be avoided. What should you do first?

Bulk operations and PowerShell reduce manual errors when many identities must be created or updated.

Groups and licences

Blink Inc assigns Microsoft 365 licences by department. Licences must follow group membership and show assignment errors. The answer must not rely on manual licence assignment for every user. What should you do first?

Group based licensing is used when membership should drive licence assignment.

Custom security attributes

Whippet Exports classifies partner users by broker type. The attribute must support consistent classification in Microsoft Entra. The answer must not overload the display name field. What should you do first?

Custom security attributes provide structured classification data for supported scenarios.

Device join and registration

Blink Inc is tightening access from managed and personal devices. The team must understand device identity state before writing access policy. The answer must distinguish joined and registered devices. What should you do first?

Device state can be an access signal, but device registration is not the same as compliance.

External users

Whippet Exports invites customs brokers to collaborate. The company must control guest access without creating employee accounts. The answer must support partner lifecycle management. What should you do first?

External collaboration settings and guest users are central to partner access scenarios.

Cross tenant access

Whippet Exports works with a partner that has its own Microsoft Entra tenant. Inbound collaboration must be controlled for that partner tenant. The answer must distinguish inbound and outbound access. What should you do first?

Cross tenant access settings control collaboration between Microsoft Entra tenants.

Hybrid identity

Mill Town Engineering synchronises AD DS users to Microsoft Entra ID. The team must choose the right synchronisation and authentication design. The answer must account for existing on premises identity. What should you do first?

Hybrid identity questions often test sync engine choice, authentication method, and health monitoring.

Tenant settings

Liver Shipping is standardising its Microsoft Entra tenant. The team must review settings that affect users, groups, devices, roles, domains, and branding. The answer must cover tenant level configuration. Which source should you use to confirm the result?

Tenant configuration covers several settings. The exam may hide the answer behind a mix of domains, users, groups, devices, and roles.

Administrative units

Liver Shipping has helpdesk teams in separate port offices. The Belfast helpdesk must reset passwords only for Belfast users. The team must not manage users in other ports. Which source should you use to confirm the result?

Administrative units scope supported role assignments to a subset of directory objects.

Microsoft Entra roles

Blink Inc is delegating application administration. A user must create and manage enterprise applications but must not manage all tenant settings. The answer must follow least privilege. Which source should you use to confirm the result?

Built in roles are preferred when they meet the task. Global Administrator is usually too broad.

Users and bulk operations

Mill Town Engineering is onboarding 200 contractors. The identity team must create users efficiently and consistently. Manual one by one creation should be avoided. Which source should you use to confirm the result?

Bulk operations and PowerShell reduce manual errors when many identities must be created or updated.

Groups and licences

Blink Inc assigns Microsoft 365 licences by department. Licences must follow group membership and show assignment errors. The answer must not rely on manual licence assignment for every user. Which source should you use to confirm the result?

Group based licensing is used when membership should drive licence assignment.

Custom security attributes

Whippet Exports classifies partner users by broker type. The attribute must support consistent classification in Microsoft Entra. The answer must not overload the display name field. Which source should you use to confirm the result?

Custom security attributes provide structured classification data for supported scenarios.

Device join and registration

Blink Inc is tightening access from managed and personal devices. The team must understand device identity state before writing access policy. The answer must distinguish joined and registered devices. Which source should you use to confirm the result?

Device state can be an access signal, but device registration is not the same as compliance.

External users

Whippet Exports invites customs brokers to collaborate. The company must control guest access without creating employee accounts. The answer must support partner lifecycle management. Which source should you use to confirm the result?

External collaboration settings and guest users are central to partner access scenarios.

Cross tenant access

Whippet Exports works with a partner that has its own Microsoft Entra tenant. Inbound collaboration must be controlled for that partner tenant. The answer must distinguish inbound and outbound access. Which source should you use to confirm the result?

Cross tenant access settings control collaboration between Microsoft Entra tenants.

Hybrid identity

Mill Town Engineering synchronises AD DS users to Microsoft Entra ID. The team must choose the right synchronisation and authentication design. The answer must account for existing on premises identity. Which source should you use to confirm the result?

Hybrid identity questions often test sync engine choice, authentication method, and health monitoring.

Tenant settings

Liver Shipping is standardising its Microsoft Entra tenant. The team must review settings that affect users, groups, devices, roles, domains, and branding. The answer must cover tenant level configuration. Which option meets the requirement with the least privilege?

Tenant configuration covers several settings. The exam may hide the answer behind a mix of domains, users, groups, devices, and roles.

Administrative units

Liver Shipping has helpdesk teams in separate port offices. The Belfast helpdesk must reset passwords only for Belfast users. The team must not manage users in other ports. Which option meets the requirement with the least privilege?

Administrative units scope supported role assignments to a subset of directory objects.

Microsoft Entra roles

Blink Inc is delegating application administration. A user must create and manage enterprise applications but must not manage all tenant settings. The answer must follow least privilege. Which option meets the requirement with the least privilege?

Built in roles are preferred when they meet the task. Global Administrator is usually too broad.

Users and bulk operations

Mill Town Engineering is onboarding 200 contractors. The identity team must create users efficiently and consistently. Manual one by one creation should be avoided. Which option meets the requirement with the least privilege?

Bulk operations and PowerShell reduce manual errors when many identities must be created or updated.

Groups and licences

Blink Inc assigns Microsoft 365 licences by department. Licences must follow group membership and show assignment errors. The answer must not rely on manual licence assignment for every user. Which option meets the requirement with the least privilege?

Group based licensing is used when membership should drive licence assignment.

Custom security attributes

Whippet Exports classifies partner users by broker type. The attribute must support consistent classification in Microsoft Entra. The answer must not overload the display name field. Which option meets the requirement with the least privilege?

Custom security attributes provide structured classification data for supported scenarios.

Device join and registration

Blink Inc is tightening access from managed and personal devices. The team must understand device identity state before writing access policy. The answer must distinguish joined and registered devices. Which option meets the requirement with the least privilege?

Device state can be an access signal, but device registration is not the same as compliance.

External users

Whippet Exports invites customs brokers to collaborate. The company must control guest access without creating employee accounts. The answer must support partner lifecycle management. Which option meets the requirement with the least privilege?

External collaboration settings and guest users are central to partner access scenarios.

Cross tenant access

Whippet Exports works with a partner that has its own Microsoft Entra tenant. Inbound collaboration must be controlled for that partner tenant. The answer must distinguish inbound and outbound access. Which option meets the requirement with the least privilege?

Cross tenant access settings control collaboration between Microsoft Entra tenants.

Hybrid identity

Mill Town Engineering synchronises AD DS users to Microsoft Entra ID. The team must choose the right synchronisation and authentication design. The answer must account for existing on premises identity. Which option meets the requirement with the least privilege?

Hybrid identity questions often test sync engine choice, authentication method, and health monitoring.

Tenant settings

Liver Shipping is standardising its Microsoft Entra tenant. The team must review settings that affect users, groups, devices, roles, domains, and branding. The answer must cover tenant level configuration. Which two choices should be included?

Tenant configuration covers several settings. The exam may hide the answer behind a mix of domains, users, groups, devices, and roles.

Administrative units

Liver Shipping has helpdesk teams in separate port offices. The Belfast helpdesk must reset passwords only for Belfast users. The team must not manage users in other ports. Which two choices should be included?

Administrative units scope supported role assignments to a subset of directory objects.

Microsoft Entra roles

Blink Inc is delegating application administration. A user must create and manage enterprise applications but must not manage all tenant settings. The answer must follow least privilege. Which two choices should be included?

Built in roles are preferred when they meet the task. Global Administrator is usually too broad.

Users and bulk operations

Mill Town Engineering is onboarding 200 contractors. The identity team must create users efficiently and consistently. Manual one by one creation should be avoided. Which two choices should be included?

Bulk operations and PowerShell reduce manual errors when many identities must be created or updated.

Groups and licences

Blink Inc assigns Microsoft 365 licences by department. Licences must follow group membership and show assignment errors. The answer must not rely on manual licence assignment for every user. Which two choices should be included?

Group based licensing is used when membership should drive licence assignment.

Custom security attributes

Whippet Exports classifies partner users by broker type. The attribute must support consistent classification in Microsoft Entra. The answer must not overload the display name field. Which two choices should be included?

Custom security attributes provide structured classification data for supported scenarios.

Device join and registration

Blink Inc is tightening access from managed and personal devices. The team must understand device identity state before writing access policy. The answer must distinguish joined and registered devices. Which two choices should be included?

Device state can be an access signal, but device registration is not the same as compliance.

External users

Whippet Exports invites customs brokers to collaborate. The company must control guest access without creating employee accounts. The answer must support partner lifecycle management. Which two choices should be included?

External collaboration settings and guest users are central to partner access scenarios.

Cross tenant access

Whippet Exports works with a partner that has its own Microsoft Entra tenant. Inbound collaboration must be controlled for that partner tenant. The answer must distinguish inbound and outbound access. Which two choices should be included?

Cross tenant access settings control collaboration between Microsoft Entra tenants.

Hybrid identity

Mill Town Engineering synchronises AD DS users to Microsoft Entra ID. The team must choose the right synchronisation and authentication design. The answer must account for existing on premises identity. Which two choices should be included?

Hybrid identity questions often test sync engine choice, authentication method, and health monitoring.

Implement an authentication and access management solution
50 questions

Learning Path | 4 hr 58 min

MFA, authentication methods, SSPR, Conditional Access, Identity Protection, and Global Secure Access.

Authentication methods

Blink Inc is moving users to stronger authentication. The team must control which methods users can register. The answer must not rely on legacy per user MFA alone. What should you recommend?

Authentication methods policy controls available sign in methods such as Authenticator, passkeys, and certificate based authentication.

Temporary Access Pass

Blink Inc is onboarding a new starter. The user must register passwordless authentication without a long term password. The answer must be time limited. What should you recommend?

Temporary Access Pass is designed for secure onboarding and recovery.
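
Added example, not from the page, covering the authentication methods scenario and the onboarding scenario above: enable passkeys (FIDO2) for all users and Temporary Access Pass for an onboarding group in the authentication methods policy, retire SMS, and then issue a one time pass to a new starter. The onboarding group ID and the starter's UPN are assumptions. Policy changes need Authentication Policy Administrator; issuing a pass needs Authentication Administrator (Privileged Authentication Administrator for users holding admin roles).

```powershell
# Added example: authentication methods policy plus a Temporary Access Pass.
# Assumptions (not from the page): onboarding group ID, new starter UPN.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod","UserAuthenticationMethod.ReadWrite.All" -NoWelcome

# 1. Where the tenant is in the migration off legacy per user MFA and SSPR settings.
(Get-MgPolicyAuthenticationMethodPolicy).PolicyMigrationState   # preMigration | migrationInProgress | migrationComplete

# 2. Passkeys (FIDO2) for everyone, attestation enforced.
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId "Fido2" -BodyParameter @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true
    isAttestationEnforced            = $true
    includeTargets                   = @(@{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false })
}

# 3. Temporary Access Pass only for the onboarding group, short lived, single use by default.
$onboardingGroupId = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # assumption
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId "TemporaryAccessPass" -BodyParameter @{
    "@odata.type"            = "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration"
    state                    = "enabled"
    defaultLifetimeInMinutes = 60
    minimumLifetimeInMinutes = 10
    maximumLifetimeInMinutes = 480
    isUsableOnce             = $true
    includeTargets           = @(@{ targetType = "group"; id = $onboardingGroupId })
}

# 4. SMS off tenant wide.
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId "Sms" -BodyParameter @{
    "@odata.type" = "#microsoft.graph.smsAuthenticationMethodConfiguration"
    state         = "disabled"
}

# 5. Issue the pass. The value comes back exactly once; hand it over out of band and never log it.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId "new.starter@blink.example" -BodyParameter @{
    lifetimeInMinutes = 60
    isUsableOnce      = $true
}
"Pass expires at {0:u}" -f $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)

# Check: which methods are enabled now.
Get-MgPolicyAuthenticationMethodPolicy | Select-Object -ExpandProperty AuthenticationMethodConfigurations |
    Select-Object Id, State
```

The starter signs in with the pass, registers a passkey or Microsoft Authenticator, and never receives a long lived password; the pass cannot be reused once consumed.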

MFA and registration

Liver Shipping is enforcing MFA for staff. Users must be prepared before enforcement begins. The rollout should reduce avoidable support calls. What should you recommend?

Registration readiness matters before MFA enforcement.

SSPR

Blink Inc wants users to reset passwords without calling support. Users must be registered for the required methods. The answer must support self service recovery. What should you recommend?

SSPR depends on configuration and user registration.
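
Added example, not from the page, serving both the MFA rollout scenario and the SSPR scenario above: a registration readiness report for a pilot group, built from the authentication methods registration details report so that one call covers every user. The pilot group ID and the output path are assumptions; the report needs Microsoft Entra ID P1 or P2.

```powershell
# Added example: registration readiness before MFA enforcement or SSPR rollout.
# Assumptions (not from the page): pilot group ID, CSV output path.
Connect-MgGraph -Scopes "AuditLog.Read.All","UserAuthenticationMethod.Read.All","GroupMember.Read.All" -NoWelcome

$pilotIds = Get-MgGroupMember -GroupId "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" -All |
    Select-Object -ExpandProperty Id

# One report call, then filter client side to the pilot.
$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $pilotIds -contains $_.Id }

# Phone based methods are weaker; users who have nothing else should be moved before enforcement.
$phoneOnly = "mobilePhone","alternateMobilePhone","officePhone"

[pscustomobject]@{
    Users               = $report.Count
    MfaCapable          = @($report | Where-Object IsMfaCapable).Count
    MfaRegistered       = @($report | Where-Object IsMfaRegistered).Count
    SsprRegistered      = @($report | Where-Object IsSsprRegistered).Count
    PasswordlessCapable = @($report | Where-Object IsPasswordlessCapable).Count
    PhoneOnlyMfa        = @($report | Where-Object {
        $_.IsMfaRegistered -and
        @($_.MethodsRegistered | Where-Object { $_ -notin $phoneOnly }).Count -eq 0
    }).Count
}

# The list to chase before the enforcement date.
$report | Where-Object { -not $_.IsMfaRegistered -or -not $_.IsSsprRegistered } |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered, IsSsprRegistered,
        @{ n = "Methods"; e = { $_.MethodsRegistered -join "," } } |
    Export-Csv -Path .\registration-gaps.csv -NoTypeInformation
```

IsAdmin is worth keeping in the output: an unregistered administrator is the account that locks the tenant out when the Conditional Access policy switches from report only to enabled.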

Session revocation

Mill Town Engineering suspects a user account is compromised. The team has disabled the account but wants to stop existing sessions. The answer must address active sessions. What should you recommend?

Disabling an account stops new sign ins, but existing sessions may need revocation.
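
Added example, not from the page: containment of the suspected compromise above. Disabling the account stops new sign ins; revoking sign in sessions invalidates the user's refresh tokens and browser session cookies so existing sessions cannot renew. Already issued access tokens keep working until they expire (normally up to an hour) unless the resource supports continuous access evaluation, which receives the revocation event. The UPN is an assumption; reading sign in logs needs Microsoft Entra ID P1 or P2.

```powershell
# Added example: disable, revoke sessions, verify, collect evidence.
# Assumptions (not from the page): the user's UPN.
Connect-MgGraph -Scopes "User.ReadWrite.All","User.RevokeSessions.All","AuditLog.Read.All","Directory.Read.All" -NoWelcome

$upn    = "j.doe@milltown.example"
$before = Get-MgUser -UserId $upn -Property Id,AccountEnabled,SignInSessionsValidFromDateTime

# 1. Block new sign ins.
Update-MgUser -UserId $before.Id -AccountEnabled:$false

# 2. Revoke refresh tokens and session cookies. Tokens issued before the new timestamp are
#    rejected when they try to refresh.
Revoke-MgUserSignInSession -UserId $before.Id | Out-Null

# Check: signInSessionsValidFromDateTime has moved to now.
$after = Get-MgUser -UserId $before.Id -Property AccountEnabled,SignInSessionsValidFromDateTime
[pscustomobject]@{
    User    = $upn
    Enabled = $after.AccountEnabled
    Before  = $before.SignInSessionsValidFromDateTime
    After   = $after.SignInSessionsValidFromDateTime
}

# 3. Evidence for the investigation: recent sign ins, where from, and whether they succeeded.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 25 |
    Select-Object CreatedDateTime, AppDisplayName, IPAddress,
        @{ n = "Location"; e = { "$($_.Location.City), $($_.Location.CountryOrRegion)" } },
        @{ n = "ErrorCode"; e = { $_.Status.ErrorCode } }

# Before re-enabling: reset the password, review the registered authentication methods for
# anything the attacker added, and re-run the session revocation.
```

Revocation reaches cloud sessions only; a device the attacker controls that has a Primary Refresh Token should also be retired or wiped through device management.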

Conditional Access assignments

Liver Shipping is creating a policy for finance apps. The policy must apply to finance users and the finance application only. Emergency access accounts must be excluded. What should you recommend?

Assignments define who and what a Conditional Access policy applies to.

Conditional Access testing

Blink Inc is deploying a new block policy. The team must confirm the effect before users are blocked. The answer must avoid immediate disruption. What should you recommend?

Report only mode shows expected Conditional Access results without enforcing the policy.
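
Added example, not from the page, covering both the finance policy scenario and the testing scenario above: a Conditional Access policy scoped to the finance group and the finance application, excluding the emergency access accounts, created in report only mode, followed by the sign in log query that shows what it would have done. Group names, the application's display name, and the seven day window are assumptions; sign in logs need Microsoft Entra ID P1 or P2.

```powershell
# Added example: scoped Conditional Access policy in report only mode, then the outcome check.
# Assumptions (not from the page): group names, application name.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All","Group.Read.All","AuditLog.Read.All" -NoWelcome

$finance    = Get-MgGroup -Filter "displayName eq 'Finance Users'"
$breakGlass = Get-MgGroup -Filter "displayName eq 'Emergency Access Accounts'"
$app        = Get-MgServicePrincipal -Filter "displayName eq 'Finance Ledger'"

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "CA-Finance-RequireMFA-CompliantDevice"
    state       = "enabledForReportingButNotEnforced"   # report only; set to "enabled" after review
    conditions  = @{
        users = @{
            includeGroups = @($finance.Id)
            excludeGroups = @($breakGlass.Id)          # break glass accounts never go inside a policy
        }
        applications   = @{ includeApplications = @($app.AppId) }   # application (client) ID, not object ID
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

# Check: report only results for sign ins to the app over the last week.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "appId eq '$($app.AppId)' and createdDateTime ge $since" -All |
    ForEach-Object {
        $signIn = $_
        $signIn.AppliedConditionalAccessPolicies | Where-Object Id -eq $policy.Id | ForEach-Object {
            [pscustomobject]@{ User = $signIn.UserPrincipalName; When = $signIn.CreatedDateTime; Result = $_.Result }
        }
    } | Group-Object Result | Select-Object Name, Count
# Expected result values: reportOnlySuccess, reportOnlyFailure, reportOnlyNotApplied, reportOnlyInterrupted.
```

A high reportOnlyFailure count against users who are MFA registered usually points at the device requirement, not at MFA: compare with the device inventory before switching the policy on.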

Identity Protection

Whippet Exports is responding to risky sign ins. High sign in risk should trigger stronger controls. The answer must use risk signals. What should you recommend?

Microsoft Entra ID Protection supports user risk and sign in risk based decisions.
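
Added example, not from the page: two risk based Conditional Access policies (sign in risk and user risk) and the analyst loop over risky users and their detections. The emergency access group ID is an assumption. Risk conditions and the risky user feed need Microsoft Entra ID P2.

```powershell
# Added example: risk based Conditional Access plus risky user triage.
# Assumptions (not from the page): emergency access group ID.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","IdentityRiskyUser.ReadWrite.All","IdentityRiskEvent.Read.All" -NoWelcome

$breakGlassGroupId = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # assumption

# 1. Sign in risk medium or high -> MFA. A block is the stricter alternative for high only.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "CA-Risk-SignIn-MediumHigh-RequireMFA"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 2. User risk high -> MFA and a password change, which also remediates the user's risk state.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "CA-Risk-User-High-ChangePassword"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        userRiskLevels = @("high")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}

# 3. Triage: who is at risk now and which detections drove it.
$risky = Get-MgRiskyUser -Filter "riskState eq 'atRisk' and riskLevel eq 'high'" -All
foreach ($u in $risky) {
    $detections = Get-MgRiskDetection -Filter "userId eq '$($u.Id)'" -All |
        Sort-Object ActivityDateTime -Descending | Select-Object -First 5
    [pscustomobject]@{
        User       = $u.UserPrincipalName
        RiskLevel  = $u.RiskLevel
        Updated    = $u.RiskLastUpdatedDateTime
        Detections = ($detections | ForEach-Object { "$($_.RiskEventType) from $($_.IPAddress)" }) -join "; "
    }
}

# 4. Close the loop. Confirming raises the user to high risk so the user risk policy fires on the
#    next sign in; dismissing clears a false positive. Both feed the risk model.
# Confirm-MgRiskyUserCompromised -UserIds @($risky[0].Id)
# Invoke-MgDismissRiskyUser -UserIds @($risky[0].Id)
```

The user risk policy only remediates if the password change happens in the cloud; for password hash synchronised users, password writeback must be enabled or the change cannot complete.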

Global Secure Access

Mill Town Engineering is protecting private engineering applications. Remote users need identity based access to private apps. The answer must include the required client and traffic profile. What should you recommend?

Global Secure Access Private Access is used for identity centred access to private applications.

Password protection

Liver Shipping wants to reduce weak password use. The policy must block known weak terms and company specific words. The answer must work with Microsoft Entra password controls. What should you recommend?

Microsoft Entra password protection helps block weak and banned passwords.

Authentication methods

Blink Inc is moving users to stronger authentication. The team must control which methods users can register. The answer must not rely on legacy per user MFA alone. What should you do first?

Authentication methods policy controls available sign in methods such as Authenticator, passkeys, and certificate based authentication.

Temporary Access Pass

Blink Inc is onboarding a new starter. The user must register passwordless authentication without a long term password. The answer must be time limited. What should you do first?

Temporary Access Pass is designed for secure onboarding and recovery.

MFA and registration

Liver Shipping is enforcing MFA for staff. Users must be prepared before enforcement begins. The rollout should reduce avoidable support calls. What should you do first?

Registration readiness matters before MFA enforcement.

SSPR

Blink Inc wants users to reset passwords without calling support. Users must be registered for the required methods. The answer must support self service recovery. What should you do first?

SSPR depends on configuration and user registration.

Session revocation

Mill Town Engineering suspects a user account is compromised. The team has disabled the account but wants to stop existing sessions. The answer must address active sessions. What should you do first?

Disabling an account stops new sign ins, but existing sessions may need revocation.

Conditional Access assignments

Liver Shipping is creating a policy for finance apps. The policy must apply to finance users and the finance application only. Emergency access accounts must be excluded. What should you do first?

Assignments define who and what a Conditional Access policy applies to.

Conditional Access testing

Blink Inc is deploying a new block policy. The team must confirm the effect before users are blocked. The answer must avoid immediate disruption. What should you do first?

Report only mode shows expected Conditional Access results without enforcing the policy.

Identity Protection

Whippet Exports is responding to risky sign ins. High sign in risk should trigger stronger controls. The answer must use risk signals. What should you do first?

Microsoft Entra ID Protection supports user risk and sign in risk based decisions.

Global Secure Access

Mill Town Engineering is protecting private engineering applications. Remote users need identity based access to private apps. The answer must include the required client and traffic profile. What should you do first?

Global Secure Access Private Access is used for identity centred access to private applications.

Password protection

Liver Shipping wants to reduce weak password use. The policy must block known weak terms and company specific words. The answer must work with Microsoft Entra password controls. What should you do first?

Microsoft Entra password protection helps block weak and banned passwords.

Authentication methods

Blink Inc is moving users to stronger authentication. The team must control which methods users can register. The answer must not rely on legacy per user MFA alone. Which source should you use to confirm the result?

Authentication methods policy controls available sign in methods such as Authenticator, passkeys, and certificate based authentication.

Temporary Access Pass

Blink Inc is onboarding a new starter. The user must register passwordless authentication without a long term password. The answer must be time limited. Which source should you use to confirm the result?

Temporary Access Pass is designed for secure onboarding and recovery.

MFA and registration

Liver Shipping is enforcing MFA for staff. Users must be prepared before enforcement begins. The rollout should reduce avoidable support calls. Which source should you use to confirm the result?

Registration readiness matters before MFA enforcement.

SSPR

Blink Inc wants users to reset passwords without calling support. Users must be registered for the required methods. The answer must support self service recovery. Which source should you use to confirm the result?

SSPR depends on configuration and user registration.

Session revocation

Mill Town Engineering suspects a user account is compromised. The team has disabled the account but wants to stop existing sessions. The answer must address active sessions. Which source should you use to confirm the result?

Disabling an account stops new sign ins, but existing sessions may need revocation.

Conditional Access assignments

Liver Shipping is creating a policy for finance apps. The policy must apply to finance users and the finance application only. Emergency access accounts must be excluded. Which source should you use to confirm the result?

Assignments define who and what a Conditional Access policy applies to.

Conditional Access testing

Blink Inc is deploying a new block policy. The team must confirm the effect before users are blocked. The answer must avoid immediate disruption. Which source should you use to confirm the result?

Report only mode shows expected Conditional Access results without enforcing the policy.

Identity Protection

Whippet Exports is responding to risky sign ins. High sign in risk should trigger stronger controls. The answer must use risk signals. Which source should you use to confirm the result?

Microsoft Entra ID Protection supports user risk and sign in risk based decisions.

Global Secure Access

Mill Town Engineering is protecting private engineering applications. Remote users need identity based access to private apps. The answer must include the required client and traffic profile. Which source should you use to confirm the result?

Global Secure Access Private Access is used for identity centred access to private applications.

Password protection

Liver Shipping wants to reduce weak password use. The policy must block known weak terms and company specific words. The answer must work with Microsoft Entra password controls. Which source should you use to confirm the result?

Microsoft Entra password protection helps block weak and banned passwords.

Authentication methods

Blink Inc is moving users to stronger authentication. The team must control which methods users can register. The answer must not rely on legacy per user MFA alone. Which option meets the requirement with the least privilege?

Authentication methods policy controls available sign in methods such as Authenticator, passkeys, and certificate based authentication.

Temporary Access Pass

Blink Inc is onboarding a new starter. The user must register passwordless authentication without a long term password. The answer must be time limited. Which option meets the requirement with the least privilege?

Temporary Access Pass is designed for secure onboarding and recovery.

MFA and registration

Liver Shipping is enforcing MFA for staff. Users must be prepared before enforcement begins. The rollout should reduce avoidable support calls. Which option meets the requirement with the least privilege?

Registration readiness matters before MFA enforcement.

SSPR

Blink Inc wants users to reset passwords without calling support. Users must be registered for the required methods. The answer must support self service recovery. Which option meets the requirement with the least privilege?

SSPR depends on configuration and user registration.

Session revocation

Mill Town Engineering suspects a user account is compromised. The team has disabled the account but wants to stop existing sessions. The answer must address active sessions. Which option meets the requirement with the least privilege?

Disabling an account stops new sign ins, but existing sessions may need revocation.

Conditional Access assignments

Liver Shipping is creating a policy for finance apps. The policy must apply to finance users and the finance application only. Emergency access accounts must be excluded. Which option meets the requirement with the least privilege?

Assignments define who and what a Conditional Access policy applies to.

Conditional Access testing

Blink Inc is deploying a new block policy. The team must confirm the effect before users are blocked. The answer must avoid immediate disruption. Which option meets the requirement with the least privilege?

Report only mode shows expected Conditional Access results without enforcing the policy.

Identity Protection

Whippet Exports is responding to risky sign ins. High sign in risk should trigger stronger controls. The answer must use risk signals. Which option meets the requirement with the least privilege?

Microsoft Entra ID Protection supports user risk and sign in risk based decisions.

Global Secure Access

Mill Town Engineering is protecting private engineering applications. Remote users need identity based access to private apps. The answer must include the required client and traffic profile. Which option meets the requirement with the least privilege?

Global Secure Access Private Access is used for identity centred access to private applications.

Password protection

Liver Shipping wants to reduce weak password use. The policy must block known weak terms and company specific words. The answer must work with Microsoft Entra password controls. Which option meets the requirement with the least privilege?

Microsoft Entra password protection helps block weak and banned passwords.

Authentication methods

Blink Inc is moving users to stronger authentication. The team must control which methods users can register. The answer must not rely on legacy per user MFA alone. Which two choices should be included?

Authentication methods policy controls available sign in methods such as Authenticator, passkeys, and certificate based authentication.

Temporary Access Pass

Blink Inc is onboarding a new starter. The user must register passwordless authentication without a long term password. The answer must be time limited. Which two choices should be included?

Temporary Access Pass is designed for secure onboarding and recovery.

MFA and registration

Liver Shipping is enforcing MFA for staff. Users must be prepared before enforcement begins. The rollout should reduce avoidable support calls. Which two choices should be included?

Registration readiness matters before MFA enforcement.

SSPR

Blink Inc wants users to reset passwords without calling support. Users must be registered for the required methods. The answer must support self service recovery. Which two choices should be included?

SSPR depends on configuration and user registration.

Session revocation

Mill Town Engineering suspects a user account is compromised. The team has disabled the account but wants to stop existing sessions. The answer must address active sessions. Which two choices should be included?

Disabling an account stops new sign ins, but existing sessions may need revocation.

Conditional Access assignments

Liver Shipping is creating a policy for finance apps. The policy must apply to finance users and the finance application only. Emergency access accounts must be excluded. Which two choices should be included?

Assignments define who and what a Conditional Access policy applies to.

Conditional Access testing

Blink Inc is deploying a new block policy. The team must confirm the effect before users are blocked. The answer must avoid immediate disruption. Which two choices should be included?

Report only mode shows expected Conditional Access results without enforcing the policy.

Identity Protection

Whippet Exports is responding to risky sign ins. High sign in risk should trigger stronger controls. The answer must use risk signals. Which two choices should be included?

Microsoft Entra ID Protection supports user risk and sign in risk based decisions.

Global Secure Access

Mill Town Engineering is protecting private engineering applications. Remote users need identity based access to private apps. The answer must include the required client and traffic profile. Which two choices should be included?

Global Secure Access Private Access is used for identity centred access to private applications.

Password protection

Liver Shipping wants to reduce weak password use. The policy must block known weak terms and company specific words. The answer must work with Microsoft Entra password controls. Which two choices should be included?

Microsoft Entra password protection helps block weak and banned passwords.

Implement access management for apps
50 questions

Learning Path | 2 hr 34 min

Enterprise applications, SSO, Application Proxy, app registrations, API permissions, consent, and Defender for Cloud Apps.

Managed identities

Mill Town Engineering has an Azure automation process. The process must access Key Vault without a secret in code. The resource supports managed identities. What should you recommend?

Managed identities avoid storing application secrets for supported Azure resources.
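
Added example, not from the page: the automation scenario above with the Az PowerShell modules. An Azure Automation account gets a system assigned managed identity, the identity gets secrets read access to one Key Vault through Azure RBAC, and the runbook reads a secret with no credential anywhere in code. Resource group, account, vault and secret names are assumptions; the vault is assumed to use the RBAC permission model rather than access policies.

```powershell
# Added example: system assigned managed identity reading a Key Vault secret.
# Assumptions (not from the page): resource names, RBAC permission model on the vault.

# --- Operator side, run once with rights to assign roles on the vault ---
$rg = "rg-milltown-automation"; $aa = "aa-milltown"; $kv = "kv-milltown-eng"

# 1. Turn on the identity. Azure creates and rotates the credential; nothing is handed to you.
Set-AzAutomationAccount -ResourceGroupName $rg -Name $aa -AssignSystemIdentity | Out-Null
$principalId = (Get-AzAutomationAccount -ResourceGroupName $rg -Name $aa).Identity.PrincipalId

# 2. Least privilege on the data plane: secrets read only, on this vault only.
#    Key Vault Contributor would manage the vault resource, not read secrets, and is the wrong role.
$vault = Get-AzKeyVault -VaultName $kv -ResourceGroupName $rg
if (-not $vault.EnableRbacAuthorization) {
    throw "Vault $kv uses access policies; switch it to Azure RBAC or use Set-AzKeyVaultAccessPolicy instead."
}
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName "Key Vault Secrets User" -Scope $vault.ResourceId

# Check: the identity holds exactly this assignment and nothing at a broader scope.
Get-AzRoleAssignment -ObjectId $principalId | Select-Object RoleDefinitionName, Scope

# --- Runbook side: authenticate as the managed identity ---
Disable-AzContextAutosave -Scope Process | Out-Null
Connect-AzAccount -Identity | Out-Null
$apiKey = Get-AzKeyVaultSecret -VaultName $kv -Name "engineering-api-key" -AsPlainText
# Use $apiKey for the outbound call. Never Write-Output it: runbook output is kept in the job log.
```

If the process must act as a specific identity shared by several resources, create a user assigned managed identity instead and pass its client ID to Connect-AzAccount -Identity -AccountId; the role assignment is the same.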

Service principals

Blink Inc has a daemon application outside Azure. The app must authenticate without a signed in user. Managed identity is not available for this workload. What should you recommend?

Service principals represent application identities when managed identity is not available.

Enterprise application SSO

Liver Shipping is adding a SaaS application. Only selected users should access the app through Microsoft Entra SSO. The answer must control assignment. What should you recommend?

Enterprise applications handle SSO, assignment, and app specific access for many SaaS apps.
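
Added example, not from the page: the SaaS assignment scenario above. The enterprise application is switched to assignment required and one group is assigned to it, so only that group can sign in through Microsoft Entra SSO. The application and group names are assumptions; the service principal is assumed to exist already, which is the case once the app has been added from the gallery.

```powershell
# Added example: restrict an enterprise application to assigned users and groups.
# Assumptions (not from the page): application and group names.
Connect-MgGraph -Scopes "Application.ReadWrite.All","AppRoleAssignment.ReadWrite.All","Group.Read.All" -NoWelcome

$sp    = Get-MgServicePrincipal -Filter "displayName eq 'Cargo Tracker'"
$group = Get-MgGroup -Filter "displayName eq 'Cargo Tracker Users'"

# 1. Without this flag any user in the tenant can obtain a token for the app; with it, My Apps
#    visibility and SAML/OIDC token issuance both require an assignment.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# 2. Choose an app role. Apps that define none expose a single default role with the all zero ID.
$roleId = if ($sp.AppRoles.Count -gt 0) {
    ($sp.AppRoles | Where-Object { $_.AllowedMemberTypes -contains "User" -and $_.IsEnabled } |
        Select-Object -First 1).Id
} else {
    "00000000-0000-0000-0000-000000000000"
}

# 3. Assign the group. Nested groups are not expanded for application assignments, so the group
#    must hold the users directly (or be dynamic).
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -PrincipalId $group.Id `
    -ResourceId $sp.Id -AppRoleId $roleId | Out-Null

# Check: who can reach the app now, and in which role.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Select-Object PrincipalDisplayName, PrincipalType,
        @{ n = "Role"; e = { ($sp.AppRoles | Where-Object Id -eq $_.AppRoleId).DisplayName } }
```

Assignment required controls who can sign in; it does not by itself provision or deprovision accounts in the SaaS application, which is the job of automatic provisioning.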

Application Proxy

Whippet Exports has an internal web app. Remote users need access without exposing the internal network broadly. The app remains on premises. What should you recommend?

Application Proxy publishes supported on premises web apps through Microsoft Entra.

User provisioning

Blink Inc wants SaaS app accounts to match Microsoft Entra assignments. User creation and removal should be automated. The SaaS app supports provisioning. What should you recommend?

Automatic user provisioning (SCIM based) creates, updates, and removes accounts in the target app to match Microsoft Entra assignments; the provisioning logs show that activity and any failures.

Admin consent

Mill Town Engineering reviews a third party app request. The app requests high privilege Microsoft Graph application permissions. Consent must be controlled. What should you recommend?

Admin consent should be controlled for high impact permissions.

App registration authentication

Blink Inc is registering a web application. The app must sign users in securely. The answer must include correct platform settings. What should you recommend?

App registration authentication settings must match the application platform and flow.

API permissions

Blink Inc is building an API client. The app must call Microsoft Graph without a signed in user. The answer must not use delegated permissions. What should you recommend?

Application permissions are used when the app acts without a signed in user.

Defender for Cloud Apps

Mill Town Engineering wants to control risky cloud app sessions. The control must inspect activity during a session. The answer must integrate with Conditional Access where required. What should you recommend?

Conditional Access app control can route sessions through Defender for Cloud Apps.

OAuth app governance

Whippet Exports is reviewing risky OAuth apps. The team must identify and control apps granted access by users. The answer must focus on OAuth app risk. What should you recommend?

OAuth app policies help govern risky app consent and access.

Managed identities

Mill Town Engineering has an Azure automation process. The process must access Key Vault without a secret in code. The resource supports managed identities. What should you do first?

Managed identities avoid storing application secrets for supported Azure resources.

Service principals

Blink Inc has a daemon application outside Azure. The app must authenticate without a signed in user. Managed identity is not available for this workload. What should you do first?

Service principals represent application identities when managed identity is not available.

Enterprise application SSO

Liver Shipping is adding a SaaS application. Only selected users should access the app through Microsoft Entra SSO. The answer must control assignment. What should you do first?

Enterprise applications handle SSO, assignment, and app specific access for many SaaS apps.

Application Proxy

Whippet Exports has an internal web app. Remote users need access without exposing the internal network broadly. The app remains on premises. What should you do first?

Application Proxy publishes supported on premises web apps through Microsoft Entra.

User provisioning

Blink Inc wants SaaS app accounts to match Microsoft Entra assignments. User creation and removal should be automated. The SaaS app supports provisioning. What should you do first?

Provisioning logs show account creation, update, and removal activity in target apps.

Admin consent

Mill Town Engineering reviews a third party app request. The app requests high privilege Microsoft Graph application permissions. Consent must be controlled. What should you do first?

Admin consent should be controlled for high impact permissions.

App registration authentication

Blink Inc is registering a web application. The app must sign users in securely. The answer must include correct platform settings. What should you do first?

App registration authentication settings must match the application platform and flow.

API permissions

Blink Inc is building an API client. The app must call Microsoft Graph without a signed in user. The answer must not use delegated permissions. What should you do first?

Application permissions are used when the app acts without a signed in user.

Defender for Cloud Apps

Mill Town Engineering wants to control risky cloud app sessions. The control must inspect activity during a session. The answer must integrate with Conditional Access where required. What should you do first?

Conditional Access app control can route sessions through Defender for Cloud Apps.

OAuth app governance

Whippet Exports is reviewing risky OAuth apps. The team must identify and control apps granted access by users. The answer must focus on OAuth app risk. What should you do first?

OAuth app policies help govern risky app consent and access.

Managed identities

Mill Town Engineering has an Azure automation process. The process must access Key Vault without a secret in code. The resource supports managed identities. Which source should you use to confirm the result?

Managed identities avoid storing application secrets for supported Azure resources.

Service principals

Blink Inc has a daemon application outside Azure. The app must authenticate without a signed in user. Managed identity is not available for this workload. Which source should you use to confirm the result?

Service principals represent application identities when managed identity is not available.

Enterprise application SSO

Liver Shipping is adding a SaaS application. Only selected users should access the app through Microsoft Entra SSO. The answer must control assignment. Which source should you use to confirm the result?

Enterprise applications handle SSO, assignment, and app specific access for many SaaS apps.

Application Proxy

Whippet Exports has an internal web app. Remote users need access without exposing the internal network broadly. The app remains on premises. Which source should you use to confirm the result?

Application Proxy publishes supported on premises web apps through Microsoft Entra.

User provisioning

Blink Inc wants SaaS app accounts to match Microsoft Entra assignments. User creation and removal should be automated. The SaaS app supports provisioning. Which source should you use to confirm the result?

Provisioning logs show account creation, update, and removal activity in target apps.

Admin consent

Mill Town Engineering reviews a third party app request. The app requests high privilege Microsoft Graph application permissions. Consent must be controlled. Which source should you use to confirm the result?

Admin consent should be controlled for high impact permissions.

App registration authentication

Blink Inc is registering a web application. The app must sign users in securely. The answer must include correct platform settings. Which source should you use to confirm the result?

App registration authentication settings must match the application platform and flow.

API permissions

Blink Inc is building an API client. The app must call Microsoft Graph without a signed in user. The answer must not use delegated permissions. Which source should you use to confirm the result?

Application permissions are used when the app acts without a signed in user.

Defender for Cloud Apps

Mill Town Engineering wants to control risky cloud app sessions. The control must inspect activity during a session. The answer must integrate with Conditional Access where required. Which source should you use to confirm the result?

Conditional Access app control can route sessions through Defender for Cloud Apps.

OAuth app governance

Whippet Exports is reviewing risky OAuth apps. The team must identify and control apps granted access by users. The answer must focus on OAuth app risk. Which source should you use to confirm the result?

OAuth app policies help govern risky app consent and access.

Managed identities

Mill Town Engineering has an Azure automation process. The process must access Key Vault without a secret in code. The resource supports managed identities. Which option meets the requirement with the least privilege?

Managed identities avoid storing application secrets for supported Azure resources.

Service principals

Blink Inc has a daemon application outside Azure. The app must authenticate without a signed in user. Managed identity is not available for this workload. Which option meets the requirement with the least privilege?

Service principals represent application identities when managed identity is not available.

Enterprise application SSO

Liver Shipping is adding a SaaS application. Only selected users should access the app through Microsoft Entra SSO. The answer must control assignment. Which option meets the requirement with the least privilege?

Enterprise applications handle SSO, assignment, and app specific access for many SaaS apps.

Application Proxy

Whippet Exports has an internal web app. Remote users need access without exposing the internal network broadly. The app remains on premises. Which option meets the requirement with the least privilege?

Application Proxy publishes supported on premises web apps through Microsoft Entra.

User provisioning

Blink Inc wants SaaS app accounts to match Microsoft Entra assignments. User creation and removal should be automated. The SaaS app supports provisioning. Which option meets the requirement with the least privilege?

Provisioning logs show account creation, update, and removal activity in target apps.

Admin consent

Mill Town Engineering reviews a third party app request. The app requests high privilege Microsoft Graph application permissions. Consent must be controlled. Which option meets the requirement with the least privilege?

Admin consent should be controlled for high impact permissions.

App registration authentication

Blink Inc is registering a web application. The app must sign users in securely. The answer must include correct platform settings. Which option meets the requirement with the least privilege?

App registration authentication settings must match the application platform and flow.

API permissions

Blink Inc is building an API client. The app must call Microsoft Graph without a signed in user. The answer must not use delegated permissions. Which option meets the requirement with the least privilege?

Application permissions are used when the app acts without a signed in user.

Defender for Cloud Apps

Mill Town Engineering wants to control risky cloud app sessions. The control must inspect activity during a session. The answer must integrate with Conditional Access where required. Which option meets the requirement with the least privilege?

Conditional Access app control can route sessions through Defender for Cloud Apps.

OAuth app governance

Whippet Exports is reviewing risky OAuth apps. The team must identify and control apps granted access by users. The answer must focus on OAuth app risk. Which option meets the requirement with the least privilege?

OAuth app policies help govern risky app consent and access.

Managed identities

Mill Town Engineering has an Azure automation process. The process must access Key Vault without a secret in code. The resource supports managed identities. Which two choices should be included?

Managed identities avoid storing application secrets for supported Azure resources.

Service principals

Blink Inc has a daemon application outside Azure. The app must authenticate without a signed in user. Managed identity is not available for this workload. Which two choices should be included?

Service principals represent application identities when managed identity is not available.

Enterprise application SSO

Liver Shipping is adding a SaaS application. Only selected users should access the app through Microsoft Entra SSO. The answer must control assignment. Which two choices should be included?

Enterprise applications handle SSO, assignment, and app specific access for many SaaS apps.

Application Proxy

Whippet Exports has an internal web app. Remote users need access without exposing the internal network broadly. The app remains on premises. Which two choices should be included?

Application Proxy publishes supported on premises web apps through Microsoft Entra.

User provisioning

Blink Inc wants SaaS app accounts to match Microsoft Entra assignments. User creation and removal should be automated. The SaaS app supports provisioning. Which two choices should be included?

Provisioning logs show account creation, update, and removal activity in target apps.

Admin consent

Mill Town Engineering reviews a third party app request. The app requests high privilege Microsoft Graph application permissions. Consent must be controlled. Which two choices should be included?

Admin consent should be controlled for high impact permissions.

App registration authentication

Blink Inc is registering a web application. The app must sign users in securely. The answer must include correct platform settings. Which two choices should be included?

App registration authentication settings must match the application platform and flow.

API permissions

Blink Inc is building an API client. The app must call Microsoft Graph without a signed in user. The answer must not use delegated permissions. Which two choices should be included?

Application permissions are used when the app acts without a signed in user.

Defender for Cloud Apps

Mill Town Engineering wants to control risky cloud app sessions. The control must inspect activity during a session. The answer must integrate with Conditional Access where required. Which two choices should be included?

Conditional Access app control can route sessions through Defender for Cloud Apps.

OAuth app governance

Whippet Exports is reviewing risky OAuth apps. The team must identify and control apps granted access by users. The answer must focus on OAuth app risk. Which two choices should be included?

OAuth app policies help govern risky app consent and access.

Plan and implement an identity governance strategy | 50 questions

Learning Path | 3 hr 23 min

Entitlement management, access reviews, PIM, logs, KQL, workbooks, reports, and Identity Secure Score.

Catalogues

Whippet Exports is structuring partner access. Resources for partner requests must be grouped for governance. The answer must support access packages. What should you recommend?

Catalogues hold resources used by entitlement management.

Access packages

Whippet Exports needs partner access with approval and expiry. Partners need Teams, SharePoint, and app access for a project. The answer must support request, approval, and lifecycle. What should you recommend?

Access packages bundle resources and policies for governed access.

Terms of use

Liver Shipping requires users to accept a policy before accessing finance apps. Acceptance must be recorded. The answer must not replace MFA. What should you recommend?

Terms of use records acceptance of policy text.

Connected organisations

Whippet Exports works with two regular broker tenants. Partner users should request access through a governed relationship. The answer must represent the partner organisations. What should you recommend?

Connected organisations support external access governance in entitlement management.

Access reviews

Liver Shipping must review guest access monthly. Review decisions must be recorded and acted on. The answer must cover existing access. What should you recommend?

Access reviews validate whether existing access should continue.

PIM for Microsoft Entra roles

Mill Town Engineering wants to reduce standing admin rights. Administrators should activate roles only when required. The answer must support approval and audit. What should you recommend?

PIM reduces standing privilege through eligible role activation.

PIM for Azure resources

Mill Town Engineering has subscription administrators. Azure resource roles should use just in time activation. The answer must apply to Azure resources. What should you recommend?

PIM can manage eligible assignments for Azure resource roles.

PIM for Groups

Blink Inc uses a group to grant privileged application access. Membership should require activation. The answer must control group membership. What should you recommend?

PIM for Groups controls activation for privileged group membership or ownership.

Diagnostics and KQL

Blink Inc wants to query identity logs. The team must run KQL against sign in and audit data. The answer must send logs to the right destination. What should you recommend?

KQL queries run against Log Analytics data, so logs must be sent there first.

Identity Secure Score

Whippet Exports wants to improve identity security posture. The team needs prioritised recommendations. The answer must support measurable improvement. What should you recommend?

Identity Secure Score helps prioritise identity security improvements.

Catalogues

Whippet Exports is structuring partner access. Resources for partner requests must be grouped for governance. The answer must support access packages. What should you do first?

Catalogues hold resources used by entitlement management.

Access packages

Whippet Exports needs partner access with approval and expiry. Partners need Teams, SharePoint, and app access for a project. The answer must support request, approval, and lifecycle. What should you do first?

Access packages bundle resources and policies for governed access.

Terms of use

Liver Shipping requires users to accept a policy before accessing finance apps. Acceptance must be recorded. The answer must not replace MFA. What should you do first?

Terms of use records acceptance of policy text.

Connected organisations

Whippet Exports works with two regular broker tenants. Partner users should request access through a governed relationship. The answer must represent the partner organisations. What should you do first?

Connected organisations support external access governance in entitlement management.

Access reviews

Liver Shipping must review guest access monthly. Review decisions must be recorded and acted on. The answer must cover existing access. What should you do first?

Access reviews validate whether existing access should continue.

PIM for Microsoft Entra roles

Mill Town Engineering wants to reduce standing admin rights. Administrators should activate roles only when required. The answer must support approval and audit. What should you do first?

PIM reduces standing privilege through eligible role activation.

PIM for Azure resources

Mill Town Engineering has subscription administrators. Azure resource roles should use just in time activation. The answer must apply to Azure resources. What should you do first?

PIM can manage eligible assignments for Azure resource roles.

PIM for Groups

Blink Inc uses a group to grant privileged application access. Membership should require activation. The answer must control group membership. What should you do first?

PIM for Groups controls activation for privileged group membership or ownership.

Diagnostics and KQL

Blink Inc wants to query identity logs. The team must run KQL against sign in and audit data. The answer must send logs to the right destination. What should you do first?

KQL queries run against Log Analytics data, so logs must be sent there first.

Identity Secure Score

Whippet Exports wants to improve identity security posture. The team needs prioritised recommendations. The answer must support measurable improvement. What should you do first?

Identity Secure Score helps prioritise identity security improvements.

Catalogues

Whippet Exports is structuring partner access. Resources for partner requests must be grouped for governance. The answer must support access packages. Which source should you use to confirm the result?

Catalogues hold resources used by entitlement management.

Access packages

Whippet Exports needs partner access with approval and expiry. Partners need Teams, SharePoint, and app access for a project. The answer must support request, approval, and lifecycle. Which source should you use to confirm the result?

Access packages bundle resources and policies for governed access.

Terms of use

Liver Shipping requires users to accept a policy before accessing finance apps. Acceptance must be recorded. The answer must not replace MFA. Which source should you use to confirm the result?

Terms of use records acceptance of policy text.

Connected organisations

Whippet Exports works with two regular broker tenants. Partner users should request access through a governed relationship. The answer must represent the partner organisations. Which source should you use to confirm the result?

Connected organisations support external access governance in entitlement management.

Access reviews

Liver Shipping must review guest access monthly. Review decisions must be recorded and acted on. The answer must cover existing access. Which source should you use to confirm the result?

Access reviews validate whether existing access should continue.

PIM for Microsoft Entra roles

Mill Town Engineering wants to reduce standing admin rights. Administrators should activate roles only when required. The answer must support approval and audit. Which source should you use to confirm the result?

PIM reduces standing privilege through eligible role activation.

PIM for Azure resources

Mill Town Engineering has subscription administrators. Azure resource roles should use just in time activation. The answer must apply to Azure resources. Which source should you use to confirm the result?

PIM can manage eligible assignments for Azure resource roles.

PIM for Groups

Blink Inc uses a group to grant privileged application access. Membership should require activation. The answer must control group membership. Which source should you use to confirm the result?

PIM for Groups controls activation for privileged group membership or ownership.

Diagnostics and KQL

Blink Inc wants to query identity logs. The team must run KQL against sign in and audit data. The answer must send logs to the right destination. Which source should you use to confirm the result?

KQL queries run against Log Analytics data, so logs must be sent there first.

Identity Secure Score

Whippet Exports wants to improve identity security posture. The team needs prioritised recommendations. The answer must support measurable improvement. Which source should you use to confirm the result?

Identity Secure Score helps prioritise identity security improvements.

Catalogues

Whippet Exports is structuring partner access. Resources for partner requests must be grouped for governance. The answer must support access packages. Which option meets the requirement with the least privilege?

Catalogues hold resources used by entitlement management.

Access packages

Whippet Exports needs partner access with approval and expiry. Partners need Teams, SharePoint, and app access for a project. The answer must support request, approval, and lifecycle. Which option meets the requirement with the least privilege?

Access packages bundle resources and policies for governed access.

Terms of use

Liver Shipping requires users to accept a policy before accessing finance apps. Acceptance must be recorded. The answer must not replace MFA. Which option meets the requirement with the least privilege?

Terms of use records acceptance of policy text.

Connected organisations

Whippet Exports works with two regular broker tenants. Partner users should request access through a governed relationship. The answer must represent the partner organisations. Which option meets the requirement with the least privilege?

Connected organisations support external access governance in entitlement management.

Access reviews

Liver Shipping must review guest access monthly. Review decisions must be recorded and acted on. The answer must cover existing access. Which option meets the requirement with the least privilege?

Access reviews validate whether existing access should continue.

PIM for Microsoft Entra roles

Mill Town Engineering wants to reduce standing admin rights. Administrators should activate roles only when required. The answer must support approval and audit. Which option meets the requirement with the least privilege?

PIM reduces standing privilege through eligible role activation.

PIM for Azure resources

Mill Town Engineering has subscription administrators. Azure resource roles should use just in time activation. The answer must apply to Azure resources. Which option meets the requirement with the least privilege?

PIM can manage eligible assignments for Azure resource roles.

PIM for Groups

Blink Inc uses a group to grant privileged application access. Membership should require activation. The answer must control group membership. Which option meets the requirement with the least privilege?

PIM for Groups controls activation for privileged group membership or ownership.

Diagnostics and KQL

Blink Inc wants to query identity logs. The team must run KQL against sign in and audit data. The answer must send logs to the right destination. Which option meets the requirement with the least privilege?

KQL queries run against Log Analytics data, so logs must be sent there first.

Identity Secure Score

Whippet Exports wants to improve identity security posture. The team needs prioritised recommendations. The answer must support measurable improvement. Which option meets the requirement with the least privilege?

Identity Secure Score helps prioritise identity security improvements.

Catalogues

Whippet Exports is structuring partner access. Resources for partner requests must be grouped for governance. The answer must support access packages. Which two choices should be included?

Catalogues hold resources used by entitlement management.

Access packages

Whippet Exports needs partner access with approval and expiry. Partners need Teams, SharePoint, and app access for a project. The answer must support request, approval, and lifecycle. Which two choices should be included?

Access packages bundle resources and policies for governed access.

Terms of use

Liver Shipping requires users to accept a policy before accessing finance apps. Acceptance must be recorded. The answer must not replace MFA. Which two choices should be included?

Terms of use records acceptance of policy text.

Connected organisations

Whippet Exports works with two regular broker tenants. Partner users should request access through a governed relationship. The answer must represent the partner organisations. Which two choices should be included?

Connected organisations support external access governance in entitlement management.

Access reviews

Liver Shipping must review guest access monthly. Review decisions must be recorded and acted on. The answer must cover existing access. Which two choices should be included?

Access reviews validate whether existing access should continue.

PIM for Microsoft Entra roles

Mill Town Engineering wants to reduce standing admin rights. Administrators should activate roles only when required. The answer must support approval and audit. Which two choices should be included?

PIM reduces standing privilege through eligible role activation.

PIM for Azure resources

Mill Town Engineering has subscription administrators. Azure resource roles should use just in time activation. The answer must apply to Azure resources. Which two choices should be included?

PIM can manage eligible assignments for Azure resource roles.

PIM for Groups

Blink Inc uses a group to grant privileged application access. Membership should require activation. The answer must control group membership. Which two choices should be included?

PIM for Groups controls activation for privileged group membership or ownership.

Diagnostics and KQL

Blink Inc wants to query identity logs. The team must run KQL against sign in and audit data. The answer must send logs to the right destination. Which two choices should be included?

KQL queries run against Log Analytics data, so logs must be sent there first.

Identity Secure Score

Whippet Exports wants to improve identity security posture. The team needs prioritised recommendations. The answer must support measurable improvement. Which two choices should be included?

Identity Secure Score helps prioritise identity security improvements.

30 day cram guide

SC-300 Exam Cram in 30 Days

This guide is for the final 30 days before your SC-300 exam. Use it as a focused cram plan, not a full course replacement.

Day 1: Read the exam objectives

Map each objective to one example task, such as role assignment, domain configuration, user creation, or group based licensing.

Scenario: Liver Shipping

Day 2: Tenant configuration

Review tenant properties, company branding, domains, device settings, and user settings. Note which tasks need elevated roles.

Scenario: Liver Shipping

Day 3: Roles and administrative units

Compare built in roles, custom roles, and administrative units. Write three delegation examples for regional support teams.

Scenario: Liver Shipping

Day 4: Users and groups

Study user creation, group types, membership rules, custom security attributes, and bulk operations.

Scenario: Mill Town Engineering

Day 5: Licensing and devices

Review group based licensing, device join, and device registration. Make a short checklist for troubleshooting assignment issues.

Scenario: Blink Inc

Day 6: External users

Review guest invitations, collaboration settings, external user accounts, and sponsor or ownership processes.

Scenario: Whippet Exports

Day 7: Cross tenant access

Compare inbound and outbound cross tenant access settings, cross tenant synchronisation, and external identity providers.

Scenario: Whippet Exports

Day 8: Hybrid identity

Review Microsoft Entra Connect Sync, Cloud Sync, password hash synchronisation, pass through authentication, seamless SSO, and Connect Health.

Scenario: Mill Town Engineering

Day 9: Authentication methods

Study MFA, Microsoft Authenticator, passkeys, certificate based authentication, Temporary Access Pass, and OAuth 2.0 tokens. Compare device bound and synced passkeys for admin and general user scenarios.

Scenario: Blink Inc

Day 10: SSPR and password protection

Review SSPR registration, authentication method policy, password protection, smart lockout, and account recovery scenarios.

Scenario: Blink Inc

Day 11: Conditional Access planning

Build a policy design table covering users, cloud apps, conditions, grant controls, session controls, exclusions, and report only testing.

Scenario: Liver Shipping

Day 12: Conditional Access troubleshooting

Review what if, sign in logs, policy results, device enforced restrictions, authentication context, protected actions, and templates.

Scenario: Blink Inc

Day 13: Identity Protection

Study user risk, sign in risk, risky users, risky sign ins, registration campaigns, and workload identity risk. Check where Microsoft Entra ID P2 or Microsoft Entra Suite is needed and remember that legacy ID Protection risk policies retire on 1 October 2026.

Scenario: Whippet Exports

Day 14: Global Secure Access

Review client deployment, Private Access, Internet Access, and Internet Access for Microsoft 365. Separate the Microsoft traffic profile from full Internet Access and Private Access licensing.

Scenario: Mill Town Engineering

Day 15: Managed identities

Compare system assigned and user assigned managed identities, then note how they are granted access to Azure resources.

Scenario: Mill Town Engineering

Day 16: Service principals and workload identity choices

Compare managed identities, service principals, user accounts, and managed service accounts. This belongs under Plan and implement workload identities, not Authentication and access.

Scenario: Blink Inc

Day 17: Enterprise applications

Review app assignment, app roles, user and group access, tenant level settings, application level settings, and app collections.

Scenario: Liver Shipping

Day 18: On premises and SaaS apps

Study Microsoft Entra Application Proxy, SaaS app integration, user provisioning, and admin consent flows.

Scenario: Whippet Exports

Day 19: App registrations

Review redirect URIs, certificates, secrets, API permissions, app roles, and authentication settings.

Scenario: Blink Inc

Day 20: Defender for Cloud Apps

Study cloud discovery, connected apps, Conditional Access app control, access policies, session policies, OAuth app policies, and the Cloud app catalog.

Scenario: Mill Town Engineering

Day 21: Entitlement management

Review catalogues, resources, access packages, request policies, approvals, terms of use, and connected organisations.

Scenario: Whippet Exports

Day 22: External user lifecycle

Study lifecycle controls for guests and partners, including access package expiry and removal behaviour.

Scenario: Whippet Exports

Day 23: Access reviews

Review review scope, reviewers, recurrence, recommendations, decisions, auto apply behaviour, and review audit evidence.

Scenario: Liver Shipping

Day 24: PIM for Microsoft Entra roles

Study eligible and active assignments, activation settings, approval, MFA, justification, audit history, and reports.

Scenario: Blink Inc

Day 25: PIM for Azure resources and groups

Review privileged access for Azure resources and PIM for Groups, including approval and assignment settings.

Scenario: Mill Town Engineering

Day 26: Break glass accounts

Write a break glass account checklist covering exclusions, monitoring, password handling, and regular validation.

Scenario: Liver Shipping

Day 27: Logs and diagnostics

Review sign in logs, audit logs, provisioning logs, diagnostic settings, storage destinations, Event Hubs, and Log Analytics.

Scenario: Blink Inc

Day 28: KQL and workbooks

Practise reading KQL queries for sign in analysis and review Microsoft Entra workbooks and reports.

Scenario: Mill Town Engineering

Day 29: Identity Secure Score

Review score improvement actions, risk trade offs, and how to explain recommendations to stakeholders.

Scenario: Whippet Exports

Day 30: Final review

Take a timed quiz, review wrong answers, check the Microsoft Learn change log, and revisit weak objectives.

Scenario: All companies