Prepare Better for the SC-300 Exam with Our Free and Reliable SC-300 Exam Questions - Updated for 2025.
At Cert Empire, we are committed to offering the most accurate and up-to-date exam questions for students preparing for the Microsoft SC-300 Exam. To support effective preparation, we've made parts of our SC-300 exam resources free for everyone. You can practice as much as you want with the Free SC-300 Practice Test.
Question 1
HOTSPOT You have an Azure subscription. From Entitlement management, you plan to create a catalog named Catalog1 that will contain a custom extension. What should you create first and what should you use to distribute Catalog1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Show Answer
FIRST CREATE: AN AZURE LOGIC APP
DISTRIBUTE CATALOG1 BY USING: AN ACCESS PACKAGE
To use a custom extension in an Azure Entitlement Management catalog, you must first have an endpoint for the extension to call. This endpoint is typically an Azure Logic App that contains the custom workflow you want to trigger. Therefore, the Logic App must be created before you configure the custom extension in the catalog.
Within Entitlement Management, a catalog is a container for resources. To grant users access to the resources within a catalog, you must create an access package. The access package bundles the resources and defines the policies for how users can request, approve, and maintain access. Users then request access to this package, making it the primary mechanism for distributing the resources held in the catalog.
Microsoft Learn: Trigger a Logic App with a custom extension in entitlement management. This document states under the "Prerequisites" section that to use custom extensions, you need "A Logic App to call." This confirms that the Logic App must be created first.
Microsoft Learn: What are access packages and what resources can I manage with them? This document states, "An access package is a bundle of all the resources with the access a user needs... All access packages must be in a container called a catalog." This clarifies that access packages are the objects used to bundle and distribute resources from a catalog.
Microsoft Learn: Create and manage a catalog of resources in entitlement management. This page describes a catalog as "a container of resources and access packages." This reinforces the relationship where access packages are created within a catalog to provide access.
Question 2
You enable self-service password reset (SSPR) for all the users and configure SSPR to require security questions as the only authentication method.
Which users must use security questions when resetting their password?
Show Answer
A. Omits User3, a non-admin member who must use security questions.
C. Includes User1, but administrators cannot use security questions.
D. Same issue as C; wrongly adds administrator User1.
E. Wrongly includes administrator User1 and guest User2, neither can use security questions.
1. Microsoft Docs - "Self-service password reset authentication methods", section "Security questions" (2024-02-01): "Security questions can be used only by users who aren't administrators."
2. Microsoft Docs - "Self-service password reset overview", section "Who can reset a password?": "B2B guest users can't reset their password in the resource tenant."
https://learn.microsoft.com/azure/active-directory/authentication/concept-sspr-overview
Question 3
Show Answer
A. The executable name is not a standard configuration property for a web app registration in Azure AD; it is more relevant for identifying native desktop applications.
B. The bundle ID is a unique identifier required when registering native applications for Apple's iOS or macOS platforms, not for a .NET web app.
C. The package name is a unique identifier required when registering native applications for the Android platform, not for a .NET web app.
---
1. Microsoft identity platform documentation, "Quickstart: Register an application with the Microsoft identity platform."
Reference: Under the section "Register an application," step 5, "Add a redirect URI," it states: "Select the platform for your application - Web... Enter the redirect URI for your application." This explicitly shows that for a web app, the redirect URI is a required configuration.
2. Microsoft identity platform documentation, "Redirect URI (reply URL) restrictions and limitations."
Reference: The document's overview section states, "A redirect URI, or reply URL, is the location where the Microsoft identity platform redirects a user's client and sends security tokens after authentication. For example, in a web application, the redirect URI is the location where the user is sent after they sign in."
Source: https://docs.microsoft.com/en-us/azure/active-directory/develop/reply-url
3. Microsoft Learn, SC-300 Courseware, "Register an application."
Reference: In the learning module for implementing application access, the section on app registration details the required settings. It specifies: "When you register a web app, you must add a redirect URI. The redirect URI is the URI where users are sent after they've been authenticated." It also shows that Package Name and Bundle ID are for mobile platforms.
Source: https://learn.microsoft.com/en-us/training/modules/implement-manage-app-permissions/2-register-app
Question 4
HOTSPOT Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with Azure AD and contains the users shown in the following table. 

Show Answer
YES
YES
NO
Statement 1: Yes. User1 is in OU1, which is selected for synchronization, so User1 exists in Azure AD. The Azure AD Connect configuration also shows that Password writeback is enabled. Password writeback is required so that a password reset through Azure AD self-service password reset (SSPR) is written back to the synchronized user's on-premises AD DS account; without it, a synchronized user cannot complete SSPR.
Statement 2: Yes. The user sign-in method is configured for Pass-through authentication. With this method, when a user signs into an Azure AD-integrated application like Exchange Online, Azure AD passes the user's credentials to an agent running on-premises, which then validates them directly against the on-premises Active Directory domain controller.
Statement 3: No. User2 is located in OU2. The Domain/OU Filtering configuration explicitly shows that OU2 is not checked, meaning it is filtered out from synchronization. As a result, User2's identity does not exist in Azure AD. A user account must exist in Azure AD to be added as a member to a resource like a SharePoint Online site.
Microsoft Documentation: "Tutorial: Enable self-service password reset writeback to an on-premises environment - Prerequisites". This document states, "The primary prerequisite for SSPR writeback is to have password writeback enabled in Azure AD Connect."
Microsoft Documentation: "Azure Active Directory Pass-through Authentication: How it works". This official guide explains, "The on-premises Authentication Agent receives the request and validates the username and password against Active Directory. The validation occurs on a standard Windows Server, which is similar to how Active Directory Federation Services (AD FS) works." (See the "How it works" section).
Microsoft Documentation: "Azure AD Connect sync: Configure filtering". This document clarifies the effect of OU-based filtering: "If you have filtered out an OU, user objects in that OU aren't synchronized to Azure AD."
Question 5
HOTSPOT You have an Azure subscription that contains the resources shown in the following table. You need to configure access to Vault1. The solution must meet the following requirements: • Ensure that User1 can manage and create keys in Vault1. • Ensure that User2 can access a certificate stored in Vault1. • Use the principle of least privilege. Which role should you assign to each user? To answer select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Show Answer
USER1: KEY VAULT CRYPTO OFFICER
USER2: KEY VAULT CERTIFICATES OFFICER
To adhere to the principle of least privilege, each user must be assigned the role that grants only the necessary permissions for their required tasks.
- User1 needs to manage and create keys. The Key Vault Crypto Officer role is designed specifically for this purpose. It grants permissions to perform all data plane operations on keys, such as create, import, update, and delete, without providing access to certificates or secrets.
- User2 needs to access a certificate. The Key Vault Certificates Officer role allows a user to perform all data plane operations on certificates, including get, list, create, and import. This role scopes the user's permissions to certificates only, fulfilling the requirement. Note that the newer, read-only Key Vault Certificate User role would be the tighter fit for a user who only needs to read a certificate; among the roles offered in this question, Certificates Officer is the narrowest.
Microsoft Corporation. (2024). Azure built-in roles for Key Vault data plane operations. Microsoft Learn.
Reference for User1: The documentation describes the Key Vault Crypto Officer role as allowing users to "Perform any data plane operation on keys." This directly maps to the requirement to manage and create keys.
Reference for User2: The documentation defines the Key Vault Certificates Officer role as enabling users to "Perform any data plane operation on certificates." This aligns with the requirement to access a certificate.
Question 6
Show Answer
A. the Microsoft Defender for Cloud Apps portal: The standalone Defender for Cloud Apps portal is being deprecated. Its functionalities, including app governance, have been integrated into the Microsoft 365 Defender portal.
B. the Microsoft 365 admin center: This portal is used for managing subscriptions, licenses, and users at a high level, not for configuring specific security and compliance features like app governance.
D. the Azure Active Directory admin center: This portal is for managing identities, application registrations, and access control, but not the specific threat and compliance policies of app governance.
E. the Microsoft Purview compliance portal: This portal is focused on data governance, information protection, and compliance management, which is distinct from the app threat and anomaly detection focus of app governance.
---
1. Microsoft. (2023). Turn on app governance for Microsoft Defender for Cloud Apps. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-enable.
Reference Point: The document explicitly states, "This article describes how to turn on the app governance add-on to Microsoft Defender for Cloud Apps in the Microsoft 365 Defender portal." The step-by-step instructions confirm the path: "In the Microsoft 365 Defender portal, go to Settings > Cloud Apps. Under App governance, select Service enablement."
2. Microsoft. (2023). Get started with app governance. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-get-started.
Reference Point: The "Prerequisites" section states, "To enable app governance, you first need to turn on Microsoft Defender for Cloud Apps." and "After you've confirmed that Defender for Cloud Apps is enabled, you need to opt in to app governance in the Microsoft 365 Defender portal." This confirms the management plane is the Microsoft 365 Defender portal.
Question 7
Show Answer
A. License administrator: This role can manage license assignments for users and groups but lacks the permission to reset user passwords.
B. Helpdesk administrator: This role can reset passwords for non-administrators and other helpdesk administrators but does not have permissions to manage license assignments.
C. Billing administrator: This role is focused on managing purchases, subscriptions, and billing support tickets; it has no permissions related to user password or license management.
1. Microsoft Entra built-in roles - User administrator: Microsoft Learn. In the "User administrator" section, the description explicitly states this role can "Reset passwords for non-administrators, Helpdesk administrators, and other User administrators" and "Assign and remove licenses."
Source: Microsoft Learn, "Microsoft Entra built-in roles," under the "User administrator" role description.
2. Microsoft Entra built-in roles - License administrator: Microsoft Learn. The description for this role confirms it can "Assign, remove, and update license assignments on users, groups (using group-based licensing), and manage the usage location on users." It does not list password reset permissions.
Source: Microsoft Learn, "Microsoft Entra built-in roles," under the "License administrator" role description.
3. Microsoft Entra built-in roles - Helpdesk administrator: Microsoft Learn. The description for this role states it can "Reset passwords for non-administrators and Helpdesk administrators." It does not list license management permissions.
Source: Microsoft Learn, "Microsoft Entra built-in roles," under the "Helpdesk administrator" role description.
Question 8
Show Answer
B. a hardware token: Hardware OATH tokens must be registered by an administrator for the user; they cannot be self-registered by the user during the initial sign-in process.
C. a one-time passcode email: Email is a method available for SSPR only, not for MFA. It cannot be used to satisfy the initial MFA registration requirement that triggers the combined registration process.
D. Windows Hello for Business: This is provisioned on a specific device after a user has already successfully authenticated with MFA. It is not an option available during the initial registration flow itself.
1. Microsoft Learn. (2023). Combined security information registration for Azure Active Directory overview. In "Authentication methods". This document lists the available methods for combined registration, including "Microsoft Authenticator app" and "FIDO2 security key". It also specifies that "Email address" and "Security questions" are available for SSPR only.
2. Microsoft Learn. (2023). Authentication methods and features. In "Authentication". This table confirms that FIDO2 Security Key and Microsoft Authenticator are valid for both MFA and SSPR, while Email is only for SSPR.
3. Microsoft Learn. (2023). Passwordless security key sign-in to Windows 10 devices with Azure Active Directory. In "Enable passwordless security key sign-in". The section "User registration and management of FIDO2 security keys" describes the self-service registration process at https://myprofile.microsoft.com.
4. Microsoft Learn. (2023). How to register and manage OATH hardware tokens in Azure AD. In "OATH tokens". The "Prerequisites" section states, "Admins need to register the hardware tokens for each user." This confirms it is not a self-service method for a new user.
Question 9
DRAG DROP You have an Azure AD tenant that contains a user named Admin1. Admin1 uses the "Require password change for high-risk users" policy template to create a new Conditional Access policy. Who is included and excluded by default in the policy assignment? To answer, drag the appropriate options to the correct target. Each option may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.
Show Answer
INCLUDE: ALL USERS
EXCLUDE: DIRECTORY ROLES
The "Require password change for high-risk users" policy template in Azure AD Conditional Access is designed to automatically secure accounts that Azure AD Identity Protection flags as high-risk.
By default, this template is configured to include "All users" in its scope. This ensures that any user account, regardless of its role, is subject to a mandatory password reset if it becomes compromised and is assessed as high-risk.
To prevent accidental lockouts of administrators and disruption of critical services that may run under privileged accounts, the template also defaults to excluding specific "Directory roles." This typically includes highly privileged roles like Global Administrator and Security Administrator. This exclusion is a built-in safety measure to ensure that administrators can always access the tenant to manage policies and respond to incidents.
Microsoft Entra Documentation | Conditional Access templates: This official document details the default configurations for the various Conditional Access policy templates. For the "Require password change for high-risk users" template, the documentation specifies the following default user assignments:
Users and groups:
Include: All users
Exclude: Select directory roles (Global Administrator, Security Administrator, Conditional Access Administrator, etc.)
This source directly confirms that the policy includes all users and excludes specific directory roles by default.
Question 10
Show Answer
A. OAuth app policy: This policy type is used to govern third-party OAuth applications and their permissions, not to control user access based on risk.
B. anomaly detection policy: This policy is designed to identify unusual activities and potential security threats. It generates alerts about risk but does not directly enforce access controls.
D. activity policy: This policy is used to monitor and take action on specific user activities after they have occurred (e.g., mass download), not to block initial access based on a user's risk state.
1. Microsoft Learn. (2023). Control cloud apps with policies. Microsoft Docs. Retrieved from https://learn.microsoft.com/en-us/defender-cloud-apps/control-cloud-apps-with-policies.
Reference Section: "Policy types". This section explicitly describes an Access policy as the tool to "control access to your cloud apps" in real-time based on user, location, device, and other risk factors. This directly supports the answer.
2. Microsoft Learn. (2023). Create access policies in Microsoft Defender for Cloud Apps. Microsoft Docs. Retrieved from https://learn.microsoft.com/en-us/defender-cloud-apps/access-policy-aad.
Reference Section: "Prerequisites" and "To create an access policy". The document states, "Microsoft Defender for Cloud Apps access policies enable you to monitor and control access to cloud apps in real time...". This confirms that the primary purpose of an access policy is to control access.
3. Microsoft Learn. (2023). Deploy Conditional Access App Control for featured apps. Microsoft Docs. Retrieved from https://learn.microsoft.com/en-us/defender-cloud-apps/proxy-deployment-aad.
Reference Section: "Step 4: Configure the policies in Defender for Cloud Apps". This section details the process after routing traffic via Conditional Access, stating you can "Create an access policy" to "Block or monitor access to apps". This confirms that an access policy is the correct type to create in Defender for Cloud Apps for blocking access.
Question 11
Show Answer
B. SMS: While the SMS method is enabled by default in the authentication methods policy, it is not the primary method that the default security posture (Security Defaults) requires users to register.
C. voice call: Similar to SMS, the voice call method is available by default in the tenant's policy, but it is not the method specifically enforced by the default Security Defaults configuration.
D. email OTP: The email one-time passcode (OTP) method is enabled by default for self-service password reset (SSPR) but is not a usable method for multi-factor authentication sign-in events.
---
1. Microsoft Entra Documentation, "Security defaults in Microsoft Entra ID." This document states, "All users in your tenant must register for multi-factor authentication (MFA)... Users have 14 days to register for Multi-Factor Authentication by using the Microsoft Authenticator app." This confirms that the Authenticator app is the required and default method under the default tenant configuration.
Reference: Microsoft Corporation. (2023). Security defaults in Microsoft Entra ID. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults#requiring-users-to-register-for-mfa
2. Microsoft Entra Documentation, "Manage authentication methods for Microsoft Entra ID." This document includes a table showing the default state of authentication method policies. It shows that while SMS and Voice Call are "Enabled" (in a "Microsoft managed" state), the entire security framework for new tenants, Security Defaults, is built around the Microsoft Authenticator app.
Reference: Microsoft Corporation. (2023). Manage authentication methods for Microsoft Entra ID. Microsoft Learn. See the table under the "Authentication methods policy" section. Retrieved from https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-methods-manage
3. Microsoft Entra Documentation, "Authentication and verification methods." This source provides a table detailing which methods are available for different purposes. It explicitly shows that "Email OTP" is available for SSPR but not for MFA, confirming why option D is incorrect.
Reference: Microsoft Corporation. (2024). Authentication and verification methods are available in Microsoft Entra ID. Microsoft Learn. See the table "Method strengths and security". Retrieved from https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods#method-strengths-and-security
Question 12
You need to compare the role permissions of each user. The solution must minimize administrative effort.
What should you use?
Show Answer
A. the Microsoft 365 Defender portal: This portal is for managing security services and threat protection. Its roles are specific to security operations, not for comparing general Azure AD administrative permissions.
B. the Microsoft 365 admin center: While it allows for some user and role management, it is less detailed than the Entra admin center and is not the primary tool for in-depth permission comparison of Azure AD roles.
D. the Microsoft Purview compliance portal: This portal is used for data governance, risk, and compliance management. The roles within it are scoped to compliance functions, not general tenant-wide administrative roles.
1. Microsoft Entra documentation, "Compare roles in Microsoft Entra ID." This document explicitly states, "You can compare the permissions for up to three roles in Microsoft Entra ID... This article describes how to compare roles in the Microsoft Entra admin center." It provides a step-by-step guide on using this feature within the "Roles and administrators" section.
Source: Microsoft Learn, learn.microsoft.com/en-us/entra/identity/role-based-access-control/roles-compare.
2. Microsoft Entra documentation, "Assign administrator and non-administrator roles to users with Microsoft Entra ID." This guide details the process of managing roles and shows that the primary interface for these tasks is the Microsoft Entra admin center.
Source: Microsoft Learn, learn.microsoft.com/en-us/entra/fundamentals/how-to-assign-roles. Section: "Assign roles".
3. Microsoft Purview documentation, "Permissions in the Microsoft Purview compliance portal." This document outlines the role groups available in the Purview portal, such as Compliance Administrator and eDiscovery Manager, confirming its scope is limited to compliance and not general Azure AD role management.
Source: Microsoft Learn, learn.microsoft.com/en-us/purview/microsoft-365-permissions. Section: "Roles and Role Groups in Microsoft Defender XDR and Microsoft Purview".
Question 13
HOTSPOT -
You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint Online site named Site1 and the users shown in the following table.

The users have the devices shown in the following table.

You create the following two Conditional Access policies:
• Name: CAPolicy1
• Assignments
o Users or workload identities: Group1
o Cloud apps or actions: Office 365 SharePoint Online
o Conditions
Filter for devices: Exclude filtered devices from the policy
Rule syntax: device.displayName -startsWith "Device"
• Access controls
o Grant: Block access
o Session: 0 controls selected
• Enable policy: On
• Name: CAPolicy2
• Assignments
o Users or workload identities: Group2
o Cloud apps or actions: Office 365 SharePoint Online
o Conditions: 0 conditions selected
• Access controls
o Grant: Grant access
Require multifactor authentication
o Session: 0 controls selected
• Enable policy: On
All users confirm that they can successfully authenticate using MFA.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Show Answer
USER1 CAN ACCESS SITE1 FROM DEVICE1. --> YES
USER2 CAN ACCESS SITE1 FROM DEVICE2. --> YES
USER3 CAN ACCESS SITE1 FROM DEVICE3. --> YES
The evaluation of these statements hinges on the device filter in CAPolicy1. This policy is configured to exclude any device whose display name starts with "Device". Since all three devices (Device1, Device2, and Device3) match this naming convention, the "Block access" control from CAPolicy1 is not enforced in any of the three scenarios.
- User1 on Device1: User1 is only in Group1. CAPolicy1 targets this group, but Device1 matches the filter rule and the filter is set to exclude matching devices, so CAPolicy1 does not apply to this sign-in. No other policy targets User1, so access is granted without an MFA prompt.
- User2 on Device2: User2 is only in Group2. CAPolicy2 applies, requiring MFA. Since the user can satisfy the MFA requirement, access is granted.
- User3 on Device3: User3 is in both groups. CAPolicy1 is excluded by the device filter. CAPolicy2 applies, and access is granted after the user completes the MFA challenge.
Microsoft Entra ID Documentation, Conditional Access: Filter for devices. This document explains the use of rules to target or exclude specific devices from a policy. It clarifies that when the "Exclude filtered devices from the policy" option is selected, the policy's grant or session controls are not applied to sign-ins from devices matching the rule.
Microsoft Entra ID Documentation, Building a Conditional Access policy. This guide details how policies are constructed and evaluated. In the section "Assignments," it describes how conditions, including device filters, determine whether a policy applies to a specific sign-in event.
Microsoft Entra ID Documentation, Conditional Access: Grant. This source describes how access controls are enforced. A "Block access" control is the most restrictive. However, it is only enforced if the policy's assignment and condition criteria are met. In this scenario, the condition (device filter) prevents the block from being applied.
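The three statements are decided by how Conditional Access combines every policy that applies to a sign-in: any Block wins, otherwise every grant control from the applying policies must be satisfied. The following is an added example (not Microsoft code and not part of the original question) that encodes that evaluation for the two policies above and extends it to cases the question does not ask about, such as a device whose name does not start with "Device" or a device that is not registered at all. Assumptions: a device filter is a single clause of the form device.<attribute> -<operator> "<value>"; only Block access and Require multifactor authentication are modelled as grant controls; an unregistered device has no attributes, so in "exclude" mode it never matches the rule and the policy still applies to it (my reading of the filter-for-devices documentation); users, groups and device names are constructed from the question text.

```python
"""Added example (not Microsoft code): a small evaluator reproducing how
Conditional Access combines the two policies in Question 13.
Simplifications (assumptions of this example): a device filter is a single
clause  device.<attribute> -<operator> "<value>"; the only grant controls are
Block access ("block") and Require multifactor authentication ("mfa");
users, groups and devices are constructed from the question text."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SPO = "Office 365 SharePoint Online"
_CLAUSE = re.compile(r'^device\.(\w+)\s+-(\w+)\s+"([^"]*)"$')
_OPERATORS = {
    "eq": lambda actual, value: actual == value,
    "ne": lambda actual, value: actual != value,
    "startsWith": lambda actual, value: actual.startswith(value),
    "endsWith": lambda actual, value: actual.endswith(value),
    "contains": lambda actual, value: value in actual,
}


def device_matches(rule: str, device: Optional[Dict[str, str]]) -> bool:
    """True when the signed-in device satisfies the filter rule. A device that
    is not registered (None) has no attributes and therefore never matches;
    with the filter in 'exclude' mode that means the policy still applies."""
    m = _CLAUSE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    attr, op, value = m.groups()
    if op not in _OPERATORS:
        raise ValueError(f"unsupported operator -{op}")
    if device is None or attr not in device:
        return False
    return _OPERATORS[op](str(device[attr]), value)


@dataclass
class Policy:
    name: str
    groups: Set[str]              # "Users or workload identities" include list
    apps: Set[str]                # "Cloud apps or actions"
    grant: str                    # "block" or "mfa"
    device_rule: Optional[str] = None
    device_mode: str = "exclude"  # "exclude": skip policy when rule matches;
                                  # "include": apply policy only when it matches


def policy_applies(p: Policy, user_groups: Set[str], app: str,
                   device: Optional[Dict[str, str]]) -> bool:
    """Assignment and condition check for one policy against one sign-in."""
    if not (p.groups & user_groups) or app not in p.apps:
        return False
    if p.device_rule is not None:
        matched = device_matches(p.device_rule, device)
        if p.device_mode == "exclude" and matched:
            return False          # device is filtered out of this policy
        if p.device_mode == "include" and not matched:
            return False
    return True


def evaluate(policies: List[Policy], user_groups: Set[str], app: str,
             device: Optional[Dict[str, str]], mfa_satisfied: bool = True) -> str:
    """All applying policies are enforced together: a Block in any of them
    wins; otherwise every grant control must be met."""
    applied = [p for p in policies if policy_applies(p, user_groups, app, device)]
    if any(p.grant == "block" for p in applied):
        return "blocked"
    if any(p.grant == "mfa" for p in applied):
        return "allowed (MFA)" if mfa_satisfied else "blocked (MFA not satisfied)"
    return "allowed"


POLICIES = [
    Policy("CAPolicy1", {"Group1"}, {SPO}, "block",
           'device.displayName -startsWith "Device"', "exclude"),
    Policy("CAPolicy2", {"Group2"}, {SPO}, "mfa"),
]
# Constructed from the question: User3 is in both groups; each device is
# registered with the displayName shown.
USERS = {"User1": {"Group1"}, "User2": {"Group2"}, "User3": {"Group1", "Group2"}}
DEVICES = {n: {"displayName": n} for n in ("Device1", "Device2", "Device3")}


def question13() -> Dict[str, str]:
    """Outcome for the three user/device pairs asked about in the question."""
    pairs = [("User1", "Device1"), ("User2", "Device2"), ("User3", "Device3")]
    return {f"{u}/{d}": evaluate(POLICIES, USERS[u], SPO, DEVICES[d]) for u, d in pairs}


if __name__ == "__main__":
    for pair, outcome in question13().items():
        print(pair, "->", outcome)
    print("User1, unregistered device ->", evaluate(POLICIES, USERS["User1"], SPO, None))
    print("User1, Laptop7 ->", evaluate(POLICIES, USERS["User1"], SPO, {"displayName": "Laptop7"}))
```

The two extra cases in the main block are the ones worth remembering from this question: an "exclude" device filter only protects devices that are registered and match the rule, so User1 signing in from an unregistered or differently named device is blocked outright, and User3 from such a device is blocked even though CAPolicy2 would otherwise have granted access with MFA.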
Question 14
Show Answer
A. Yes - Only connects Google Workspace; without also connecting AWS and GitHub, their OAuth events are not ingested, so the requirement is not met.
1. Microsoft Defender for Cloud Apps - "Connect apps to Microsoft Defender for Cloud Apps", Steps 1-2; Note: "To monitor activity, you must create an app connector for each SaaS app (e.g., AWS, Google Workspace, GitHub)."
https://learn.microsoft.com/en-us/defender-cloud-apps/connect-apps
2. Microsoft Defender for Cloud Apps - "Monitor and govern OAuth apps", Section "Prerequisites"; "OAuth events are collected only for connected apps."
https://learn.microsoft.com/en-us/defender-cloud-apps/oauth-apps
3. Microsoft Defender for Cloud Apps - "Connect Google Workspace", Overview paragraph; confirms scope is limited to the Google Workspace tenant.
https://learn.microsoft.com/en-us/defender-cloud-apps/connect-google-workspace
Question 15
Show Answer
A. Yes: This is incorrect. The Microsoft Azure app connector's function is to monitor the Azure platform's management and activity logs, not to monitor OAuth authentication requests for third-party applications connected to services like Google Workspace, AWS, or GitHub.
1. Microsoft Learn. (2023). Connect Azure to Microsoft Defender for Cloud Apps.
Section: "How to connect Azure to Defender for Cloud Apps"
Content: This document explicitly states that connecting Azure provides "improved visibility into your Azure user activities, and provides threat detection for anomalous behavior." It details the data sources as Azure Activity Log and security recommendations from Microsoft Defender for Cloud, confirming its focus is on the Azure platform's security posture and administrative activities, not OAuth app monitoring.
2. Microsoft Learn. (2023). Investigate and manage OAuth apps that are risky or suspicious.
Section: "How Defender for Cloud Apps helps you manage your OAuth apps"
Content: This document outlines how Defender for Cloud Apps provides visibility into OAuth apps. It specifies that this capability is available for apps connected to Microsoft 365, Google Workspace, and Salesforce, demonstrating that specific SaaS app connectors are required for OAuth app monitoring, not the generic Azure platform connector.
3. Microsoft Learn. (2023). Connect Google Workspace to Microsoft Defender for Cloud Apps.
Section: "Prerequisites" and "How to connect Google Workspace to Defender for Cloud Apps"
Content: This guide details the steps to connect Google Workspace. One of the key capabilities gained from this specific connector is the ability to see and govern OAuth apps authorized in the Google Workspace environment, reinforcing that the correct connector for the specific service must be used.
Question 16
Show Answer
A. This is incorrect because the AWS app connector's function is to monitor IaaS/PaaS activity via API logs (CloudTrail), not to discover and manage the permissions of third-party OAuth apps, which is a separate feature for specific SaaS platforms.
1. Microsoft Learn, Connect AWS to Microsoft Defender for Cloud Apps. This document details the capabilities of the AWS connector, focusing on security configuration assessment and threat detection based on CloudTrail logs. It does not list OAuth app governance as a feature. The document states, "Connecting AWS to Defender for Cloud Apps helps you secure your AWS resources and detect potential threats."
2. Microsoft Learn, Manage OAuth apps in Microsoft Defender for Cloud Apps. This document describes the OAuth app governance feature, explaining its purpose: "Defender for Cloud Apps provides you with the capabilities to see which OAuth applications have been authorized by your users, see the permissions they've granted, and mark them as approved or ban them."
3. Microsoft Learn, App governance in Microsoft 365. This documentation clarifies the scope of OAuth app governance, stating, "App governance is a security and policy management capability... for OAuth-enabled apps that access Microsoft 365 data through Microsoft Graph APIs." This highlights that the feature is specific to platforms that support this type of app integration, such as Microsoft 365 and Google Workspace, not AWS. The table comparing Defender for Cloud Apps and App governance shows OAuth app management is a core CASB function for supported SaaS apps.
Question 17
Show Answer
B. Designate a reviewer of admin consent requests for the tenant.
This is a necessary step in configuring the workflow, but it cannot be done until the admin consent request feature is enabled first.
C. From the Permissions settings of App1, grant App1 admin consent for the tenant.
This action bypasses the user request process entirely. The requirement is to enable users to request consent, not for an administrator to grant it proactively for everyone.
D. Create a Conditional Access policy for App1.
Conditional Access policies control user sign-in and access to applications based on conditions (like location or device health); they do not manage the application permission consent process.
---
1. Microsoft Learn. (2023). Configure the admin consent workflow. Microsoft Entra documentation. Retrieved from https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow#enable-the-admin-consent-workflow.
Reference Details: The section "Enable the admin consent workflow" explicitly states: "To enable the admin consent workflow... 1. ... In Enterprise applications > Consent and permissions > Admin consent settings. 2. Under Admin consent requests, select Yes for Users can request admin consent to apps they are unable to consent to." This confirms enabling the setting is the primary step.
2. Microsoft Learn. (2023). Manage consent to applications and evaluating consent requests. Microsoft Entra documentation. Retrieved from https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/manage-consent-requests#prerequisites.
Reference Details: The "Prerequisites" section lists the first requirement as: "The admin consent workflow is enabled." This establishes that enabling the workflow precedes other configuration steps like assigning reviewers.
Question 18
You need to implement Azure AD Privileged Identity Management (PIM).
Which users can use PIM to activate their role permissions?
A, B, C: These options are incorrect because they are incomplete. Both Admin1 (Privileged Role Administrator) and Admin2 (Global Administrator) have the necessary permissions to manage PIM.
E: This option is incorrect because Admin3, as a guest user, cannot perform administrative management tasks within PIM, even with the Global Administrator role assigned.
F: This option is incorrect because it includes Admin3. Management of core security services like PIM is restricted to trusted member accounts, not external guest identities.
1. Microsoft Learn, Azure AD built-in roles, "Who can perform sensitive tasks in Privileged Identity Management": This document explicitly states the roles required to manage PIM. "To manage Azure AD role assignments in PIM, a user must have the Privileged Role Administrator role or the Global Administrator role." This supports why Admin1 and Admin2 are included.
Reference: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-roles (Section: "Roles in PIM")
2. Microsoft Learn, Azure AD B2B collaboration, "Properties of an Azure Active Directory B2B collaboration user": This document outlines the inherently limited nature of guest accounts. "By default, guest users have limited permissions in the directory... A guest user's permissions are restricted even when they're a member of an administrator role." This principle supports the exclusion of Admin3 from managing a sensitive security service.
Reference: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/user-properties (Section: "UserType property")
3. Microsoft Learn, Privileged Identity Management, "Assign Azure AD roles in Privileged Identity Management": This document clarifies that guest users can be targets of PIM assignments but does not state they can be managers of the service. "You can assign both members and guests as eligible for Azure AD roles." This distinction is key to understanding why Admin3 can be managed by PIM but cannot manage PIM itself.
Reference: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-assign-role (Section: "Assign a role")
Question 19
HOTSPOT You have an Azure AD tenant. You perform the tasks shown in the following table.
APPS: APP1, APP2, APP3, AND APP4
APP4 SETTINGS: APP ROLES AND CLIENT SECRET ONLY
When an application is deleted in Azure AD, it is soft-deleted and can be restored for up to 30 days. All four applications were deleted on April 5, and the restoration attempt is on April 16, which is only 11 days later. Therefore, all four applications (App1, App2, App3, and App4) are within the 30-day window and can be restored.
However, not all settings are restored with the application object.
- Restored settings include properties defined in the application manifest, such as App roles and Client secrets.
- Settings that are NOT restored are those associated with the application's service principal, which include Users and groups assignments and Self-service configurations. These must be reconfigured manually after the application is restored.
Microsoft Learn | Restore a deleted application registration:
Section: "Restore a deleted application registration"
Content: "When you delete an application registration...the app is in a suspended state for 30 days. During this 30-day window, the app registration can be restored...Restoring an application registration also restores its corresponding service principal. However, any user or group assignments that were previously made to the service principal are not restored." This confirms that all apps are restorable but user/group assignments are lost.
Microsoft Learn | Application and service principal objects in Azure Active Directory:
Section: "Relationship between application and service principal objects"
Content: This document explains the distinction between the application object (global template) and the service principal object (local instance). App roles are defined on the application object, whereas user assignments and self-service SSO configurations are applied to the service principal in the tenant. This distinction clarifies why settings tied to the service principal are not restored with the application object.
Question 20
HOTSPOT You have an Azure AD tenant named contoso.com that contains a group named All Company and has the following Identity Governance settings:
- Block external users from signing in to this directory: Yes
- Remove external user: Yes
- Number of days before removing external user from this directory: 30
On March 1, 2022, you create an access package named Package1 that has the following settings:
- Resource roles
  - Name: All Company
  - Type: Group and Team
  - Role: Member
- Lifecycle
  - Access package assignment expire: On date
  - Assignment expiration date: April 1, 2022
On March 1, 2022, you assign Package1 to the guest users shown in the following table.
ON MAY 5, 2022, THE GUEST1 ACCOUNT IS IN CONTOSO.COM. NO
ON MAY 5, THE GUEST2 ACCOUNT IS IN CONTOSO.COM. NO
ON MAY 5, THE GUEST3 ACCOUNT IS IN CONTOSO.COM. YES
The Identity Governance settings are configured to automatically manage the lifecycle of external users who are granted access via access packages. When such a user loses their last access package assignment, they are blocked from signing in, and a 30-day timer for account deletion begins.
- Guest1 & Guest2: Both users were granted access via Package1, which expired on April 1, 2022. This was their last access package assignment. The 30-day deletion timer started on this date. Consequently, their accounts were removed from the contoso.com directory around May 1, 2022. By May 5, 2022, their accounts no longer exist. Guest1's separate "Reports reader" role assignment does not prevent this automated deletion process, which is triggered by the loss of the final access package.
- Guest3: This user was invited and added to a group manually, not through an access package. Therefore, the automated lifecycle management settings do not apply to Guest3's account. Without any other policy in place to remove the account, it remains active in the directory.
Microsoft Entra documentation, "Govern access for external users in Microsoft Entra entitlement management": This document details the lifecycle management settings for external users. It states, "By default, when an external user no longer has any access package assignments, they are blocked from signing in to your directory. After 30 days, their guest user account is removed from your directory." This directly supports the removal of Guest1 and Guest2. The scope is defined as, "This control only applies to external users who were invited through entitlement management." This supports why Guest3 is not removed.
Question 21
A. Yes: This is incorrect. The GitHub app connector is designed to monitor the GitHub environment itself, not to enable the general monitoring of OAuth authentication requests across other major cloud suites like Google Workspace, which is a key part of the scenario.
1. Microsoft Learn. "Manage OAuth apps in Microsoft Defender for Cloud Apps." This document explicitly states which connected apps support OAuth app discovery: "Defender for Cloud Apps is available for Microsoft 365, Google Workspace, and Salesforce connected apps." This confirms that connecting GitHub does not enable this feature for the other platforms.
2. Microsoft Learn. "Connect GitHub to Microsoft Defender for Cloud Apps." This documentation details the capabilities of the GitHub connector, which include discovering repositories, auditing activities, and governing actions within GitHub. It makes no mention of enabling a general OAuth app monitoring capability for other services.
Question 22
A. an access review: Access reviews are used to periodically review and recertify existing user access to resources, not to initially grant time-bound access.
B. a lifecycle workflow: Lifecycle Workflows automate identity-related processes based on a user's lifecycle events (Joiner, Mover, Leaver), not for managing time-limited access to specific resources.
D. a Conditional Access policy: Conditional Access policies enforce security controls (like requiring MFA) when a user attempts to access a resource; they do not grant the underlying permissions or manage their duration.
---
1. Microsoft Entra documentation, "What is entitlement management?": "Microsoft Entra entitlement management is an identity governance feature that enables organizations to manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration." This document explicitly states that entitlement management handles access expiration.
Source: Microsoft Learn, Microsoft Entra ID Governance documentation. Section: "What is entitlement management?".
2. Microsoft Entra documentation, "Tutorial: Manage access to resources in entitlement management": This tutorial demonstrates creating an access package and adding resources like groups, applications, and SharePoint sites. Step 4 of "Create an access package" details configuring the policy's lifecycle settings.
Source: Microsoft Learn, Microsoft Entra ID Governance documentation. Section: "Tutorial: Manage access to resources in entitlement management", Sub-section: "Step 4: Create an access package", Paragraph on "Lifecycle".
3. Microsoft Entra documentation, "What are Microsoft Entra access reviews?": "Microsoft Entra access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User's access can be reviewed on a regular basis to make sure only the right people have continued access." This confirms access reviews are for reviewing, not provisioning.
Source: Microsoft Learn, Microsoft Entra ID Governance documentation. Section: "What are Microsoft Entra access reviews?".
4. Microsoft Entra documentation, "What are lifecycle workflows?": "Lifecycle Workflows are a new identity governance feature that enables organizations to manage Microsoft Entra users by automating three basic lifecycle processes: Joiner, Mover, and Leaver." This defines the scope of Lifecycle Workflows as being tied to the user's employment status, not project-based resource access.
Source: Microsoft Learn, Microsoft Entra ID Governance documentation. Section: "What are lifecycle workflows?".
Question 23
HOTSPOT You have an Azure AD tenant that contains multiple storage accounts. You plan to deploy multiple Azure App Service apps that will require access to the storage accounts. You need to recommend an identity solution to provide the apps with access to the storage accounts. The solution must minimize administrative effort. Which type of identity should you recommend, and what should you recommend using to control access to the storage accounts? To answer, select the appropriate options in the answer area.
IDENTITY TYPE: USER-ASSIGNED MANAGED IDENTITY
TO CONTROL ACCESS, USE: ROLE-BASED ACCESS CONTROL (RBAC)
For a scenario with multiple App Service apps requiring access to multiple storage accounts, a User-assigned managed identity is the most efficient choice. This type of identity is a standalone Azure resource. You can create one identity, grant it the necessary permissions on all the storage accounts using Role-based access control (RBAC), and then assign that single identity to all of the apps. This approach centralizes permission management and significantly minimizes administrative effort compared to creating and managing a separate system-assigned identity for each app.
Role-based access control (RBAC) is the standard and most secure method for granting this identity access. By assigning roles like "Storage Blob Data Contributor" to the user-assigned identity at the storage account scope, you provide granular permissions without managing any credentials like SAS tokens or certificates, which would increase administrative overhead.
Microsoft Entra Documentation, Managed identities for Azure resources: This source compares the two types of managed identities. It states, "User-assigned managed identities are more efficient in a broader range of scenarios than system-assigned managed identities... A user-assigned identity can be used in scenarios where... multiple resources need to share the same permissions." This directly aligns with the question's scenario of multiple apps.
Source: learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview#which-type-of-managed-identity-should-i-use
Azure Storage Documentation, Authorize access to blobs using Microsoft Entra ID: This document confirms that using Azure AD (now Microsoft Entra ID) identities with RBAC is the recommended authorization mechanism for storage. It explicitly contrasts this with less secure and harder-to-manage methods like Shared Key or SAS tokens. "We recommend using Microsoft Entra credentials when possible for maximum security and ease of use... With Microsoft Entra ID, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal."
Source: learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory#authorize-with-microsoft-entra-id
Azure RBAC Documentation, What is Azure role-based access control (Azure RBAC)?: This provides the fundamental definition of RBAC as the system for managing access to Azure resources. "Instead of trying to assign permissions directly to users, you make it easier to manage access by assigning roles... Azure RBAC is an authorization system built on Azure Resource Manager."
Source: learn.microsoft.com/en-us/azure/role-based-access-control/overview
Question 24
A. Configuring IAM at the Vault1 level would grant the managed identity permissions to all secrets within the vault, which violates the principle of least privilege.
B. The identity is already enabled for Automation1. Configuring identity settings further does not grant permissions to external resources like a Key Vault.
D. Run As accounts are a legacy authentication method. The scenario correctly uses a modern managed identity, making Run As account configuration irrelevant.
1. Microsoft Learn | Azure Key Vault security: "Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control". This document states, "The Azure RBAC model allows you to set permissions on different scope levels: management group, subscription, resource group, or individual resources. Azure RBAC for key vault also allows having separate permissions on individual keys, secrets, and certificates". This directly supports assigning permissions at the individual secret scope (Option C).
2. Microsoft Learn | Assign an Azure role for access to keys, certificates, and secrets: Under the "Assign role at secret, key, or certificate scope" section, the documentation provides a step-by-step guide for assigning a role to a specific secret using the Azure portal, which is the action described in the correct answer.
3. Microsoft Learn | Managed identities for Azure Automation: This document explains the use of managed identities as the recommended method for an Automation account to securely access other Azure AD-protected resources, confirming the approach used in the question. It also notes that managed identities are preferred over legacy Run As accounts.
Question 25
A. User1: The Reader role is a management plane role and does not include the storage data actions necessary for ABAC conditions.
B. User2: The Contributor role is a management plane role for managing resources, but it lacks the specific storage data actions that support ABAC conditions.
D. User4: The Virtual Machine Contributor role is for managing compute resources and does not contain the storage blob or queue data actions required for ABAC.
1. Microsoft Learn. (2024). What is Azure attribute-based access control (Azure ABAC)?. "Currently, conditions can be added to built-in or custom role assignments that have storage blob data actions or storage queue data actions." Retrieved from https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-overview#where-can-i-add-conditions
2. Microsoft Learn. (2024). Prerequisites to add or edit Azure role assignment conditions. "To add or update role assignment conditions, you must have... Microsoft.Authorization/roleAssignments/write... Also, your role assignment must be for a built-in or custom role that supports conditions. Conditions can be added to built-in or custom role assignments that have storage blob data actions." Retrieved from https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-prerequisites
3. Microsoft Learn. (2024). Azure built-in roles. This document lists the actions for each built-in role. Reviewing the permissions for Reader, Contributor, and Virtual Machine Contributor confirms they do not include Microsoft.Storage/storageAccounts/blobServices/... data actions, whereas Storage Blob Data Reader does. Retrieved from https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
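The answers to Questions 23, 24 and 25 all come down to the same operation: assign an Azure RBAC role to the right principal at the narrowest scope that still works (a whole storage account for the shared identity, a single secret for the Automation account, and a container-level ABAC condition for a user). The script below is an added example, not code from the page or from Microsoft's documentation. It assumes placeholder names (resource group rg-apps, identity id-shared-apps, storage accounts stcontoso01 and stcontoso02, secret Secret1, user user3@contoso.com, region westeurope), assumes that Vault1 uses the Azure RBAC permission model and that the Automation1 display name is unique, and uses only cmdlets and built-in role names that exist in the Az modules.

```powershell
# Added example: least-privilege RBAC assignments for the three scenarios above.
# Placeholders: rg-apps, id-shared-apps, stcontoso01/02, Secret1, user3@contoso.com, westeurope.
# Requires Az.Accounts, Az.Resources, Az.ManagedServiceIdentity, Az.Storage, Az.KeyVault.
# Run Connect-AzAccount first (omitted so the script can also run in automation).

$rg = 'rg-apps'   # placeholder resource group holding the identity and storage accounts

# --- Question 23: one user-assigned identity shared by many apps -----------------
# A single identity means a single permission set to maintain, instead of one
# system-assigned identity (and one set of role assignments) per app.
$identity = New-AzUserAssignedIdentity -ResourceGroupName $rg `
    -Name 'id-shared-apps' -Location 'westeurope'

# Grant a DATA-plane role at storage-account scope. Reader and Contributor are
# management-plane roles and carry no blobServices data actions, so they would
# neither allow blob access nor accept an ABAC condition.
foreach ($name in @('stcontoso01', 'stcontoso02')) {
    $account = Get-AzStorageAccount -ResourceGroupName $rg -Name $name
    New-AzRoleAssignment -ObjectId $identity.PrincipalId `
        -RoleDefinitionName 'Storage Blob Data Contributor' `
        -Scope $account.Id | Out-Null
}
# Each App Service app is then configured to use $identity.Id (portal, Bicep or ARM);
# no SAS token or shared key is stored anywhere in the apps.

# --- Question 24: scope the Automation account to ONE secret, not the vault ------
# The account's system-assigned identity is a service principal whose display name
# equals the account name (assumption: that name is unique in the tenant).
$autoSp = Get-AzADServicePrincipal -DisplayName 'Automation1'
if (@($autoSp).Count -ne 1) { throw 'Expected exactly one service principal named Automation1' }

$vault = Get-AzKeyVault -VaultName 'Vault1'
if (-not $vault.EnableRbacAuthorization) {
    throw 'Vault1 must use the Azure RBAC permission model for per-secret role assignments'
}
# Per-secret scope: <vault resource id>/secrets/<secret name>. Assigning at the vault
# scope instead would expose every secret in Vault1 to the runbook.
$secretScope = "$($vault.ResourceId)/secrets/Secret1"
New-AzRoleAssignment -ObjectId $autoSp.Id `
    -RoleDefinitionName 'Key Vault Secrets User' `
    -Scope $secretScope | Out-Null

# --- Question 25: ABAC condition on a role that HAS blob data actions ------------
# Conditions are only accepted on assignments of roles with storage blob or queue
# data actions (Storage Blob Data Reader qualifies; Reader does not). This condition
# restricts read access to the 'reports' container only.
$condition = @"
(
  (!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}))
  OR
  (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'reports')
)
"@
$user    = Get-AzADUser -UserPrincipalName 'user3@contoso.com'   # placeholder UPN
$account = Get-AzStorageAccount -ResourceGroupName $rg -Name 'stcontoso01'
New-AzRoleAssignment -ObjectId $user.Id `
    -RoleDefinitionName 'Storage Blob Data Reader' `
    -Scope $account.Id `
    -Condition $condition -ConditionVersion '2.0' | Out-Null

# --- Verify what was granted, including the condition text ------------------------
Get-AzRoleAssignment -ObjectId $user.Id -Scope $account.Id |
    Select-Object RoleDefinitionName, Scope, Condition
```

The checks on the vault's permission model and on the service-principal lookup are the parts worth keeping in real automation: a vault still on the access-policy model silently ignores RBAC assignments, and a display-name search that returns two principals would otherwise grant the secret to the wrong one.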
Question 26
B. Azure Automation account: This is a service for automating and orchestrating tasks, not an identity type that can be assigned to a VM to grant it access to other resources.
C. Microsoft Entra user account: This represents a human user identity for signing into services. It is not used to grant an Azure resource, like a VM, its own identity for service-to-service authentication.
D. user-assigned managed identity: While this also provides an identity, it is a standalone Azure resource managed separately from the VM. It is typically used when an identity needs to be shared across multiple resources, which is not a requirement in this scenario.
1. Microsoft Entra Documentation. What are managed identities for Azure resources? Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview.
Section: Managed identity types. This document states, "A system-assigned managed identity is enabled directly on an Azure resource... The lifecycle of this identity is tied to the Azure resource that it's enabled on. If the resource is deleted, Azure automatically cleans up the identity for you." This supports using a system-assigned identity for a single VM.
2. Microsoft Entra Documentation. Configure managed identities for Azure resources on a VM using the Azure portal. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/qs-configure-portal-windows-vm.
Section: Enable system-assigned managed identity on an existing VM. This guide provides the exact steps for enabling a system-assigned identity on a VM, noting that it provides the VM with an "automatically managed identity in Microsoft Entra ID" which can be used "to authenticate to any service that supports Microsoft Entra authentication."
Question 27
B. delegated permissions: This is incorrect because delegated permissions are used when an application acts on behalf of a signed-in user. The scenario explicitly states the app runs "without user interaction."
C. a custom role-based access control (RBAC) role: This is incorrect. Microsoft Entra RBAC roles grant permissions to manage Microsoft Entra resources (e.g., users, groups), not for granting an application permission to call an API.
D. a built-in role-based access control (RBAC) role: This is incorrect for the same reason as custom RBAC roles. Built-in roles like "Global Reader" are for administrative tasks, not for API access by a service principal.
1. Microsoft Entra documentation, "Permissions and consent in the Microsoft identity platform."
Section: "Permission types"
Content: This document explicitly defines the two permission types. It states, "Application permissions are used by apps that run without a signed-in user present; for example, apps that run as background services or daemons." This directly supports the use of application permissions for App1.
2. Microsoft identity platform documentation, "Scenario: Daemon app that calls web APIs."
Section: "Overview"
Content: This guide details the architecture for applications that run in the background. It specifies, "For this scenario, the permissions exposed by the API must be of type Application." This confirms that a daemon app like App1 must use application permissions.
3. Microsoft Graph documentation, "Microsoft Graph permissions reference."
Section: "Audit log permissions"
Content: The documentation for the auditLog resource type lists both delegated (AuditLog.Read.All) and application (AuditLog.Read.All) permissions. The choice between them is determined by the application's sign-in type. Since App1 has no user, the application permission is the only correct choice.
4. Microsoft Entra documentation, "Microsoft Entra built-in roles."
Section: "Role descriptions"
Content: This document describes the purpose of built-in roles, such as managing users, applications, or billing. It clarifies that these roles are for administrative access to the directory, which is distinct from granting an application permission to access data via an API like Microsoft Graph.
Question 28
From the tenan1, you configure a naming policy for groups.
Which users are affected by the naming policy?
A. User2 is exempt as a User Account Administrator.
B. User3 is affected, but User4 is also affected, so option B is incomplete.
C. User2 is exempt; policy also applies to User4, so option C is wrong.
E. User1 and User2 hold exempt roles, so policy does not affect them.
F. User1 and User2 are exempt; policy only affects 3 and 4.
1. Microsoft Docs, "Configure naming policy for Microsoft 365 Groups," Section: "Who can override the policy"
(lists Global Administrator, User Account Administrator, Partner Tier 1/2 Support as exempt)
2. Microsoft Docs, "Directory roles"
(confirms Groups Administrator is not in the exempt list)
3. Microsoft 365 Identity & Services (MS-102) Official Courseware, Module 5 "Implement Group Lifecycle Management," p. 12-13
(explains enforcement of naming policy and exemption of specified roles)
Question 29
HOTSPOT You have a Microsoft 365 E5 subscription. You need to configure app consent for the subscription. The solution must meet the following requirements:
- Disable user consent to apps.
- Configure admin consent workflow for apps.
Which portal should you use for each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
DISABLE USER CONSENT TO APPS: MICROSOFT 365 ADMIN CENTER
CONFIGURE ADMIN CONSENT WORKFLOW FOR APPS: MICROSOFT ENTRA ADMIN CENTER
The settings for app consent are managed across two primary portals depending on the specific task.
- Disabling user consent to apps is an organization-wide setting. This configuration is managed within the Microsoft 365 admin center under Settings > Org settings > Services, where you can find the "User consent to apps" option. This setting provides a straightforward way for administrators to turn off the ability for non-admin users to grant consent to applications.
- The admin consent workflow is a more granular identity and access management feature. It enables users to request administrator approval for apps they cannot consent to themselves. This workflow, including its configuration and the management of requests, is a core feature of Microsoft Entra ID and is configured exclusively in the Microsoft Entra admin center under Enterprise applications > Consent and permissions.
Microsoft Learn. (2024). Manage user consent to apps in Microsoft 365. "As a global administrator, you can turn user consent off to prevent users from granting applications access to your organization's data... 1. In the Microsoft 365 admin center, go to Settings > Org settings > Services, and then select User consent to apps."
Microsoft Learn. (2024). Configure the admin consent workflow. "Enable the admin consent workflow to allow users to request access to applications that require admin consent... Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator. 2. Browse to Identity > Applications > Enterprise applications > Consent and permissions > Admin consent settings."
Question 30
DRAG DROP You have an Azure subscription that is linked to a Microsoft Entra tenant named contoso.com. The subscription contains a group named Group1 and a virtual machine named VM1. You need to meet the following requirements:
- Enable a system-assigned managed identity for VM1.
- Add VM1 to Group1.
How should you complete the PowerShell script? To answer, drag the appropriate cmdlets to the correct targets. Each cmdlet may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.
BOX 1: GET-AZVM
BOX 2: GET-AZADSERVICEPRINCIPAL
The PowerShell script aims to enable a system-assigned managed identity for the virtual machine VM1 and then add that identity to Group1.
- First Command: The script first needs to retrieve the VM object to work with. The command $vm = Get-AzVM -ResourceGroupName myResourceGroup -Name vm1 uses the Get-AzVM cmdlet to fetch the Azure virtual machine named vm1 from the specified resource group and stores it in the $vm variable.
- Second Command: After the system-assigned identity is enabled on VM1 using Update-AzVM, an enterprise application, also known as a service principal, is created in Microsoft Entra ID. To add this identity to a group, the script must first retrieve this service principal object. The command $displayname = Get-AzADServicePrincipal -displayname "vm1" uses the Get-AzADServicePrincipal cmdlet to find the service principal that has the same display name as the VM.
The rest of the script then correctly uses these objects to add the VM's managed identity to the target group.
Microsoft Learn: The official documentation for configuring managed identities for Azure resources on a VM using PowerShell outlines this exact sequence of commands. It specifies using Get-AzVM to retrieve the VM object and Update-AzVM with the -IdentityType SystemAssigned parameter to enable the identity. It then shows the use of Get-AzADServicePrincipal to get the service principal for the newly created managed identity before adding it to a group.
Source: Configure managed identities for Azure resources on a VM using PowerShell, "System-assigned managed identity" section.
Microsoft Learn: The documentation for the Get-AzVM cmdlet confirms its purpose is to "get the properties of a virtual machine."
Source: Get-AzVM (Az.Compute).
Microsoft Learn: The documentation for the Get-AzADServicePrincipal cmdlet confirms its function is to get an "Azure Active Directory service principal." It is the standard cmdlet for retrieving the service principal associated with a managed identity.
Source: Get-AzADServicePrincipal (Az.Resources).
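The complete procedure behind this question, with the system-assigned identity of Question 26 enabled first and the resulting service principal added to Group1, as an added example (not the script from the question and not Microsoft's documentation sample). The resource group name rg-contoso is a placeholder; VM1 and Group1 are the names from the question. It goes one step beyond the question's display-name lookup by resolving the service principal through the identity's object id, since display names are not unique in a tenant. Property names ($group.Id, $sp.Id) follow the current Az.Resources module.

```powershell
# Added example: enable a system-assigned managed identity on VM1 and put the
# identity's service principal into Group1. Placeholder: resource group rg-contoso.
# Requires the Az.Compute and Az.Resources modules and a prior Connect-AzAccount.

$rg = 'rg-contoso'   # placeholder resource group containing VM1

# Box 1: Get-AzVM fetches the VM object that Update-AzVM needs.
$vm = Get-AzVM -ResourceGroupName $rg -Name 'VM1'

# Turn on the system-assigned identity. Entra ID creates a service principal whose
# display name matches the VM and whose lifecycle is tied to the VM (deleting VM1
# deletes the identity, so no orphaned credential is left behind).
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null

# Re-read the VM so that Identity.PrincipalId is populated.
$vm = Get-AzVM -ResourceGroupName $rg -Name 'VM1'
if (-not $vm.Identity.PrincipalId) { throw 'System-assigned identity was not enabled on VM1' }

# Box 2: Get-AzADServicePrincipal returns the Entra object behind the identity.
# The question's form is a display-name search ( -DisplayName 'VM1' ); looking it up
# by object id avoids picking a different principal that happens to share the name.
$sp = Get-AzADServicePrincipal -ObjectId $vm.Identity.PrincipalId
if (-not $sp) { throw "No service principal found for VM1's managed identity" }

# Resolve Group1 and refuse to continue if the name is ambiguous.
$group = Get-AzADGroup -DisplayName 'Group1'
if (@($group).Count -ne 1) { throw 'Expected exactly one group named Group1' }

# Add the identity to the group (idempotent check first so reruns do not error).
$already = Get-AzADGroupMember -GroupObjectId $group.Id | Where-Object Id -eq $sp.Id
if (-not $already) {
    Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $sp.Id
}

# Verify the membership that any group-based role assignment will now rely on.
Get-AzADGroupMember -GroupObjectId $group.Id |
    Where-Object Id -eq $sp.Id |
    Select-Object DisplayName, Id
```

Because the identity is system-assigned, the group membership disappears together with the service principal when VM1 is deleted; with a user-assigned identity (Question 26, option D) the membership and any role assignments on it would outlive the VM and need their own cleanup.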
Question 31
HOTSPOT You have a Microsoft Entra tenant that contains a group named Group3 and an administrative unit named Department1. Department1 has the users shown in the Users exhibit. (Click the Users tab.)
NO
NO
YES
Admin1 can reset the passwords of User3 and User4: No. Admin1 is a User Administrator scoped to the Department1 Administrative Unit (AU). This role allows Admin1 to manage only the users who are direct members of that AU. Although Group2 is in the AU, its members (User3 and User4) are not. Therefore, Admin1 lacks the permissions to reset their passwords.
Admin1 can add User1 to Group3: No. While Admin1 can manage User1 (who is in the AU), Group3 is not shown to be within the Department1 AU. An administrator whose permissions are scoped to an AU cannot modify objects, such as the membership of a group, that are outside of that AU's scope.
Admin3 can reset the password of User1: Yes. Admin3 holds the User Administrator role with a Directory (tenant-wide) scope. This gives Admin3 permissions over all non-administrator users in the entire Microsoft Entra tenant, including User1, irrespective of User1's membership in an administrative unit.
Microsoft Entra documentation, "Administrative units in Microsoft Entra ID": This document details the scoping mechanism. It states, "An administrator that is assigned to the scope of an administrative unit can manage members only within that administrative unit." This supports the reasoning for the first two statements.
Microsoft Entra documentation, "User Administrator - Microsoft Entra built-in roles": This document outlines the permissions for the User Administrator role, which include resetting passwords and managing group memberships. The behavior in the question is determined by how the scope (AU vs. Directory) is applied to these permissions, confirming the logic for all three statements.
Question 32
A. User Access Administrator: This role manages user access to Azure resources by assigning roles. It does not include permissions for purchasing services or managing billing.
B. Permissions Management Administrator: This role is used to manage settings within the Microsoft Entra Permissions Management service after it has been purchased and enabled, not to purchase the license itself.
D. Global Administrator: While a Global Administrator can purchase licenses, this role has the highest level of permissions across all Microsoft cloud services. Assigning it for a purchasing task violates the principle of least privilege.
1. Microsoft Entra built-in roles - Billing Administrator: Microsoft Learn. (2023). "Billing administrator". Microsoft Entra ID documentation. "Makes purchases, manages subscriptions, manages support tickets, and monitors service health." This confirms the role's purpose aligns with the question's requirement.
2. Enable Microsoft Entra Permissions Management: Microsoft Learn. (2023). "Enable Permissions Management in your organization". Microsoft Entra documentation. Under the "Prerequisites" section, it states: "To enable Permissions Management, you must have a Global Administrator or Billing Administrator role." This explicitly lists the two roles capable of the task, and applying the principle of least privilege makes Billing Administrator the correct choice.
3. Principle of Least Privilege: Microsoft Learn. (2023). "Best practices for Azure RBAC". Azure documentation. This document emphasizes assigning users "only the access they need to do their jobs," which supports selecting the most narrowly scoped role (Billing Administrator) over a broader one (Global Administrator).
Question 33
A. Microsoft Entra Verified ID: This service is for creating and managing decentralized, verifiable credentials. It is used to prove identity, not to manage privileged access within a tenant.
C. Global Secure Access: This is a Security Service Edge (SSE) solution that secures access to the internet and corporate resources. It focuses on network security, not on managing privileged identity roles.
D. Microsoft Entra Permissions Management: This is a Cloud Infrastructure Entitlement Management (CIEM) solution for discovering and right-sizing permissions across multicloud environments (Azure, AWS, GCP). While it evaluates permissions, PIM is the primary tool for remediating standing privileged access in Azure/Entra via JIT activation.
---
1. Microsoft Entra documentation, "What is Privileged Identity Management?": "Microsoft Entra Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in your organization... PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on sensitive resources."
Source: Microsoft Learn, learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure.
2. Microsoft Entra documentation, "Microsoft Entra Permissions Management overview": "Microsoft Entra Permissions Management is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities... across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP)." This highlights its multicloud focus, distinguishing it from PIM's primary role within Azure and Microsoft Entra.
Source: Microsoft Learn, learn.microsoft.com/en-us/entra/permissions-management/overview.
3. Microsoft Entra documentation, "Overview of Microsoft Entra Verified ID": "Microsoft Entra Verified ID is a managed verifiable credentials service based on open standards."
Source: Microsoft Learn, learn.microsoft.com/en-us/entra/verified-id/decentralized-identifier-overview.
4. Microsoft Entra documentation, "What is Global Secure Access?": "Microsoft's Security Service Edge (SSE) solution is called Global Secure Access... The solution unifies access control for any app or resource, from any location, device, or identity."
Source: Microsoft Learn, learn.microsoft.com/en-us/entra/global-secure-access/overview-global-secure-access.
Question 34
Show Answer
A. AWS only: This is incorrect because Microsoft Entra Permissions Management also supports Google Cloud Platform (GCP).
B. Alibaba Cloud and AWS only: This is incorrect because Alibaba Cloud is not a supported platform for Microsoft Entra Permissions Management.
C. Alibaba Cloud and GCP only: This is incorrect because Alibaba Cloud is not a supported platform for Microsoft Entra Permissions Management.
E. Alibaba Cloud, AWS, and GCP: This is incorrect because Alibaba Cloud is not a supported platform for Microsoft Entra Permissions Management.
1. Microsoft Learn. (2024). What is Microsoft Entra Permissions Management? Microsoft Docs. Retrieved from https://learn.microsoft.com/en-us/entra/permissions-management/overview. In the main overview section, the document states, "Microsoft Entra Permissions Management (Permissions Management) is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities... across multicloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP)."
2. Microsoft Learn. (2024). Onboard Amazon Web Services (AWS) accounts. Microsoft Docs. Retrieved from https://learn.microsoft.com/en-us/entra/permissions-management/onboard-aws. This document provides the specific steps for onboarding AWS, confirming its support.
3. Microsoft Learn. (2024). Onboard a Google Cloud Platform (GCP) project. Microsoft Docs. Retrieved from https://learn.microsoft.com/en-us/entra/permissions-management/onboard-gcp. This document provides the specific steps for onboarding GCP, confirming its support.
Question 35
Show Answer
A. 14 days is not a standard retention period for Microsoft Entra ID sign-in logs for any license tier.
C. 90 days is the retention period for Audit logs in a premium (P1/P2) tenant, not for sign-in logs.
D. 365 days is not a default retention period. This duration can be achieved by exporting logs to a service like Azure Monitor Log Analytics and configuring a custom retention policy.
1. Microsoft Entra documentation. (2023). How long does Microsoft Entra ID store reporting data? Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-reports-data-retention.
Reference details: The table under the section "How long does Microsoft Entra ID store the data?" explicitly states that for the "Sign-ins" report type, the retention for "Microsoft Entra ID P1" and "Microsoft Entra ID P2" licenses is "30 Days".
2. Microsoft Entra documentation. (2023). What are Microsoft Entra activity logs? Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-activity-logs.
Reference details: Under the "Sign-in logs" section, it states, "If you have a license for Microsoft Entra ID P1 or P2, you can retain sign-in logs for 30 days."