Microsoft Identity SC-300 Exam Questions 2025

Our SC-300 Exam Questions provide accurate, current preparation for the Microsoft Identity and Access Administrator certification. Each question is reviewed by certified identity experts and includes verified answers with clear explanations and references, covering user management, access policies, and identity protection. Use free sample questions and our online exam simulator to get fully ready with Cert Empire.


Exam Questions

Question 1

HOTSPOT You have an Azure subscription. From Entitlement management, you plan to create a catalog named Catalog1 that will contain a custom extension. What should you create first and what should you use to distribute Catalog1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Show Answer
Correct Answer:

FIRST CREATE: AN AZURE LOGIC APP

DISTRIBUTE CATALOG1 BY USING: AN ACCESS PACKAGE

Explanation

To use a custom extension in an Azure Entitlement Management catalog, you must first have an endpoint for the extension to call. This endpoint is typically an Azure Logic App that contains the custom workflow you want to trigger. Therefore, the Logic App must be created before you configure the custom extension in the catalog.

Within Entitlement Management, a catalog is a container for resources. To grant users access to the resources within a catalog, you must create an access package. The access package bundles the resources and defines the policies for how users can request, approve, and maintain access. Users then request access to this package, making it the primary mechanism for distributing the resources held in the catalog.

References

Microsoft Learn: Trigger a Logic App with a custom extension in entitlement management. This document states under the "Prerequisites" section that to use custom extensions, you need "A Logic App to call." This confirms that the Logic App must be created first.

Microsoft Learn: What are access packages and what resources can I manage with them? This document states, "An access package is a bundle of all the resources with the access a user needs... All access packages must be in a container called a catalog." This clarifies that access packages are the objects used to bundle and distribute resources from a catalog.

Microsoft Learn: Create and manage a catalog of resources in entitlement management. This page describes a catalog as "a container of resources and access packages." This reinforces the relationship where access packages are created within a catalog to provide access.

Question 2

You have an Azure AD tenant that contains the users shown in the following table. You enable self-service password reset (SSPR) for all the users and configure SSPR to require security questions as the only authentication method. Which users must use security questions when resetting their password?
Options
A: User4 only
B: User3 and User4 only
C: User1 and User4 only
D: User1, User3, and User4 only
E: User1, User2, User3, and User4
Show Answer
Correct Answer:
User3 and User4 only
Explanation
Microsoft Entra ID (Azure AD) allows security questions as an SSPR authentication method only for non-administrator member accounts. Accounts that hold any Azure AD administrative role cannot use security questions, and B2B guest users are not eligible for SSPR in the resource tenant at all. In the table, User1 is a Global Administrator (therefore ineligible) and User2 is a Guest (SSPR not supported). User3 and User4 are standard member users without admin roles, so when they reset their passwords, with security questions as the sole permitted method, they must answer those questions.
Why Incorrect Options are Wrong

A. Omits User3, a non-admin member who must use security questions.

C. Includes User1, but administrators cannot use security questions.

D. Same issue as C; wrongly adds administrator User1.

E. Wrongly includes administrator User1 and guest User2; neither can use security questions.

References

1. Microsoft Docs, "Self-service password reset authentication methods", section "Security questions" (2024-02-01): "Security questions can be used only by users who aren't administrators."

https://learn.microsoft.com/azure/active-directory/authentication/concept-sspr-authentication-methods

2. Microsoft Docs, "Self-service password reset overview", section "Who can reset a password?": "B2B guest users can't reset their password in the resource tenant."

https://learn.microsoft.com/azure/active-directory/authentication/concept-sspr-overview

Question 3

You have an Azure AD tenant and a .NET web app named App1. You need to register App1 for Azure AD authentication. What should you configure for App1?
Options
A: the executable name
B: the bundle ID
C: the package name
D: the redirect URI
Show Answer
Correct Answer:
the redirect URI
Explanation
When registering a web application in Azure AD to enable authentication, the Redirect URI (also known as a reply URL) is a critical security configuration. After a user successfully authenticates with the Microsoft identity platform, Azure AD redirects the user's browser back to this specific URI. The redirection includes the security token (an ID token or access token) required by the application to complete the sign-in process and verify the user's identity. Without a correctly configured Redirect URI, the authentication flow cannot be completed, and the application will not receive the necessary token.
Why Incorrect Options are Wrong

A. The executable name is not a standard configuration property for a web app registration in Azure AD; it is more relevant for identifying native desktop applications.

B. The bundle ID is a unique identifier required when registering native applications for Apple's iOS or macOS platforms, not for a .NET web app.

C. The package name is a unique identifier required when registering native applications for the Android platform, not for a .NET web app.

---

References

1. Microsoft identity platform documentation, "Quickstart: Register an application with the Microsoft identity platform."

Reference: Under the section "Register an application," step 5, "Add a redirect URI," it states: "Select the platform for your application - Web... Enter the redirect URI for your application." This explicitly shows that for a web app, the redirect URI is a required configuration.

Source: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#register-an-application

2. Microsoft identity platform documentation, "Redirect URI (reply URL) restrictions and limitations."

Reference: The document's overview section states, "A redirect URI, or reply URL, is the location where the Microsoft identity platform redirects a user's client and sends security tokens after authentication. For example, in a web application, the redirect URI is the location where the user is sent after they sign in."

Source: https://docs.microsoft.com/en-us/azure/active-directory/develop/reply-url

3. Microsoft Learn, SC-300 Courseware, "Register an application."

Reference: In the learning module for implementing application access, the section on app registration details the required settings. It specifies: "When you register a web app, you must add a redirect URI. The redirect URI is the URI where users are sent after they've been authenticated." It also shows that Package Name and Bundle ID are for mobile platforms.

Source: https://learn.microsoft.com/en-us/training/modules/implement-manage-app-permissions/2-register-app

Question 4

HOTSPOT Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with Azure AD and contains the users shown in the following table. In Azure AD Connect, Domain/OU Filtering is configured as shown in the following exhibit. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Show Answer
Correct Answer:

YES

YES

NO

Explanation

Statement 1: Yes. User1 is in OU1, which is selected for synchronization. The Azure AD Connect configuration also shows that Password writeback is enabled. Password writeback is a required component for allowing synchronized users to use Azure AD self-service password reset (SSPR) to change their on-premises passwords.

Statement 2: Yes. The user sign-in method is configured for Pass-through authentication. With this method, when a user signs into an Azure AD-integrated application like Exchange Online, Azure AD passes the user's credentials to an agent running on-premises, which then validates them directly against the on-premises Active Directory domain controller.

Statement 3: No. User2 is located in OU2. The Domain/OU Filtering configuration explicitly shows that OU2 is not checked, meaning it is filtered out from synchronization. As a result, User2's identity does not exist in Azure AD. A user account must exist in Azure AD to be added as a member to a resource like a SharePoint Online site.

References

Microsoft Documentation: "Tutorial: Enable self-service password reset writeback to an on-premises environment - Prerequisites". This document states, "The primary prerequisite for SSPR writeback is to have password writeback enabled in Azure AD Connect."

Microsoft Documentation: "Azure Active Directory Pass-through Authentication: How it works". This official guide explains, "The on-premises Authentication Agent receives the request and validates the username and password against Active Directory. The validation occurs on a standard Windows Server, which is similar to how Active Directory Federation Services (AD FS) works." (See the "How it works" section).

Microsoft Documentation: "Azure AD Connect sync: Configure filtering". This document clarifies the effect of OU-based filtering: "If you have filtered out an OU, user objects in that OU aren't synchronized to Azure AD."

Question 5

HOTSPOT You have an Azure subscription that contains the resources shown in the following table. You need to configure access to Vault1. The solution must meet the following requirements:

  • Ensure that User1 can manage and create keys in Vault1.
  • Ensure that User2 can access a certificate stored in Vault1.
  • Use the principle of least privilege.

Which role should you assign to each user? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Show Answer
Correct Answer:

USER1: KEY VAULT CRYPTO OFFICER

USER2: KEY VAULT CERTIFICATES OFFICER

Explanation

To adhere to the principle of least privilege, each user must be assigned the role that grants only the necessary permissions for their required tasks.

  • User1 needs to manage and create keys. The Key Vault Crypto Officer role is designed specifically for this purpose. It grants permissions to perform all data plane operations on keys, such as create, import, update, and delete, without providing access to certificates or secrets.
  • User2 needs to access a certificate. The Key Vault Certificates Officer role allows a user to perform all data plane operations on certificates, including get, list, create, and import. This role appropriately scopes the user's permissions to only certificates, fulfilling the requirement.

References

Microsoft Corporation. (2024). Azure built-in roles for Key Vault data plane operations. Microsoft Learn.

Reference for User1: The documentation describes the Key Vault Crypto Officer role as allowing users to "Perform any data plane operation on keys." This directly maps to the requirement to manage and create keys.

Reference for User2: The documentation defines the Key Vault Certificates Officer role as enabling users to "Perform any data plane operation on certificates." This aligns with the requirement to access a certificate.

Question 6

You have a Microsoft 365 E5 subscription. You purchase the app governance add-on license. You need to enable app governance integration. Which portal should you use?
Options
A: the Microsoft Defender for Cloud Apps portal
B: the Microsoft 365 admin center
C: Microsoft 365 Defender
D: the Azure Active Directory admin center
E: the Microsoft Purview compliance portal
Show Answer
Correct Answer:
Microsoft 365 Defender
Explanation
App governance is a security and policy management capability for OAuth-enabled apps, and it is an add-on feature for Microsoft Defender for Cloud Apps. The enablement and management of app governance are performed within the unified Microsoft 365 Defender portal. Administrators navigate to the settings for Cloud Apps within this portal to find and activate the app governance service. This centralization aligns with Microsoft's strategy of providing a single, integrated experience for security operations across the Microsoft 365 ecosystem.
Why Incorrect Options are Wrong

A. the Microsoft Defender for Cloud Apps portal: The standalone Defender for Cloud Apps portal is being deprecated. Its functionalities, including app governance, have been integrated into the Microsoft 365 Defender portal.

B. the Microsoft 365 admin center: This portal is used for managing subscriptions, licenses, and users at a high level, not for configuring specific security and compliance features like app governance.

D. the Azure Active Directory admin center: This portal is for managing identities, application registrations, and access control, but not the specific threat and compliance policies of app governance.

E. the Microsoft Purview compliance portal: This portal is focused on data governance, information protection, and compliance management, which is distinct from the app threat and anomaly detection focus of app governance.

---

References

1. Microsoft. (2023). Turn on app governance for Microsoft Defender for Cloud Apps. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-enable.

Reference Point: The document explicitly states, "This article describes how to turn on the app governance add-on to Microsoft Defender for Cloud Apps in the Microsoft 365 Defender portal." The step-by-step instructions confirm the path: "In the Microsoft 365 Defender portal, go to Settings > Cloud Apps. Under App governance, select Service enablement."

2. Microsoft. (2023). Get started with app governance. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-get-started.

Reference Point: The "Prerequisites" section states, "To enable app governance, you first need to turn on Microsoft Defender for Cloud Apps." and "After you've confirmed that Defender for Cloud Apps is enabled, you need to opt in to app governance in the Microsoft 365 Defender portal." This confirms the management plane is the Microsoft 365 Defender portal.

Question 7

You have an Azure AD tenant that contains a user named User1. User1 needs to manage license assignments and reset user passwords. Which role should you assign to User1?
Options
A: License administrator
B: Helpdesk administrator
C: Billing administrator
D: User administrator
Show Answer
Correct Answer:
User administrator
Explanation
The User administrator role is the most appropriate choice as it grants the necessary permissions for both tasks specified. This role allows for comprehensive management of users and groups. Its permissions explicitly include the ability to reset passwords for non-administrators and limited administrators, as well as the ability to manage all properties of a user, which includes assigning, removing, and updating license assignments. Assigning a single, well-defined role that covers all required duties adheres to the principle of least privilege more effectively than assigning multiple, more granular roles.
Why Incorrect Options are Wrong

A. License administrator: This role can manage license assignments for users and groups but lacks the permission to reset user passwords.

B. Helpdesk administrator: This role can reset passwords for non-administrators and other helpdesk administrators but does not have permissions to manage license assignments.

C. Billing administrator: This role is focused on managing purchases, subscriptions, and billing support tickets; it has no permissions related to user password or license management.

References

1. Microsoft Entra built-in roles - User administrator: Microsoft Learn. In the "User administrator" section, the description explicitly states this role can "Reset passwords for non-administrators, Helpdesk administrators, and other User administrators" and "Assign and remove licenses."

Source: Microsoft Learn, "Microsoft Entra built-in roles," under the "User administrator" role description.

2. Microsoft Entra built-in roles - License administrator: Microsoft Learn. The description for this role confirms it can "Assign, remove, and update license assignments on users, groups (using group-based licensing), and manage the usage location on users." It does not list password reset permissions.

Source: Microsoft Learn, "Microsoft Entra built-in roles," under the "License administrator" role description.

3. Microsoft Entra built-in roles - Helpdesk administrator: Microsoft Learn. The description for this role states it can "Reset passwords for non-administrators and Helpdesk administrators." It does not list license management permissions.

Source: Microsoft Learn, "Microsoft Entra built-in roles," under the "Helpdesk administrator" role description.

Question 8

You have an Azure AD tenant that has multi-factor authentication (MFA) enforced and self-service password reset (SSPR) enabled. You enable combined registration in interrupt mode. You create a new user named User1. Which two authentication methods can User1 use to complete the combined registration process? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.
Options
A: a FIDO2 security key
B: a hardware token
C: a one-time passcode email
D: Windows Hello for Business
E: the Microsoft Authenticator app
Show Answer
Correct Answer:
a FIDO2 security key, the Microsoft Authenticator app
Explanation
The combined security information registration process prompts users to register authentication methods for both Azure AD Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR). Since MFA is enforced, the new user, User1, must register at least one method that satisfies the MFA policy during their first sign-in. The Microsoft Authenticator app and FIDO2 security keys are both strong authentication methods that can be used for MFA and are available for users to self-register during the initial combined registration experience. These methods allow the user to complete the mandatory setup and secure their account from the outset.
Why Incorrect Options are Wrong

B. a hardware token: Hardware OATH tokens must be registered by an administrator for the user; they cannot be self-registered by the user during the initial sign-in process.

C. a one-time passcode email: Email is a method available for SSPR only, not for MFA. It cannot be used to satisfy the initial MFA registration requirement that triggers the combined registration process.

D. Windows Hello for Business: This is provisioned on a specific device after a user has already successfully authenticated with MFA. It is not an option available during the initial registration flow itself.

References

1. Microsoft Learn. (2023). Combined security information registration for Azure Active Directory overview. In "Authentication methods". This document lists the available methods for combined registration, including "Microsoft Authenticator app" and "FIDO2 security key". It also specifies that "Email address" and "Security questions" are available for SSPR only.

2. Microsoft Learn. (2023). Authentication methods and features. In "Authentication". This table confirms that FIDO2 Security Key and Microsoft Authenticator are valid for both MFA and SSPR, while Email is only for SSPR.

3. Microsoft Learn. (2023). Passwordless security key sign-in to Windows 10 devices with Azure Active Directory. In "Enable passwordless security key sign-in". The section "User registration and management of FIDO2 security keys" describes the self-service registration process at https://myprofile.microsoft.com.

4. Microsoft Learn. (2023). How to register and manage OATH hardware tokens in Azure AD. In "OATH tokens". The "Prerequisites" section states, "Admins need to register the hardware tokens for each user." This confirms it is not a self-service method for a new user.

Question 9

DRAG DROP You have an Azure AD tenant that contains a user named Admin1. Admin1 uses the "Require password change for high-risk users" policy template to create a new Conditional Access policy. Who is included and excluded by default in the policy assignment? To answer, drag the appropriate options to the correct target. Each option may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Show Answer
Correct Answer:

INCLUDE: ALL USERS

EXCLUDE: DIRECTORY ROLES

Explanation

The "Require password change for high-risk users" policy template in Azure AD Conditional Access is designed to automatically secure accounts that Azure AD Identity Protection flags as high-risk.

By default, this template is configured to include "All users" in its scope. This ensures that any user account, regardless of its role, is subject to a mandatory password reset if it becomes compromised and is assessed as high-risk.

To prevent accidental lockouts of administrators and disruption of critical services that may run under privileged accounts, the template also defaults to excluding specific "Directory roles." This typically includes highly privileged roles like Global Administrator and Security Administrator. This exclusion is a built-in safety measure to ensure that administrators can always access the tenant to manage policies and respond to incidents.

References

Microsoft Entra Documentation | Conditional Access templates: This official document details the default configurations for the various Conditional Access policy templates. For the "Require password change for high-risk users" template, the documentation specifies the following default user assignments:

Users and groups:

Include: All users

Exclude: Select directory roles (Global Administrator, Security Administrator, Conditional Access Administrator, etc.)

This source directly confirms that the policy includes all users and excludes specific directory roles by default.

Question 10

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Cloud Apps and Conditional Access policies. You need to block access to cloud apps when a user is assessed as high risk. Which type of policy should you create in the Microsoft Defender for Cloud Apps?
Options
A: OAuth app policy
B: anomaly detection policy
C: access policy
D: activity policy
Show Answer
Correct Answer:
access policy
Explanation
In Microsoft Defender for Cloud Apps, an access policy is used for real-time monitoring and control over access to cloud applications. These policies can block or allow access based on a set of conditions, including the user, their location, the device they are using, and the specific application. To meet the requirement of blocking access for a high-risk user, an access policy would be configured to identify users with this risk attribute (often in conjunction with an Azure AD Conditional Access policy) and apply a "Block" action, thereby preventing them from accessing the cloud app.
Why Incorrect Options are Wrong

A. OAuth app policy: This policy type is used to govern third-party OAuth applications and their permissions, not to control user access based on risk.

B. anomaly detection policy: This policy is designed to identify unusual activities and potential security threats. It generates alerts about risk but does not directly enforce access controls.

D. activity policy: This policy is used to monitor and take action on specific user activities after they have occurred (e.g., mass download), not to block initial access based on a user's risk state.

References

1. Microsoft Learn. (2023). Control cloud apps with policies. Microsoft Docs. Retrieved from https://learn.microsoft.com/en-us/defender-cloud-apps/control-cloud-apps-with-policies.

Reference Section: "Policy types". This section explicitly describes an Access policy as the tool to "control access to your cloud apps" in real-time based on user, location, device, and other risk factors. This directly supports the answer.

2. Microsoft Learn. (2023). Create access policies in Microsoft Defender for Cloud Apps. Microsoft Docs. Retrieved from https://learn.microsoft.com/en-us/defender-cloud-apps/access-policy-aad.

Reference Section: "Prerequisites" and "To create an access policy". The document states, "Microsoft Defender for Cloud Apps access policies enable you to monitor and control access to cloud apps in real time...". This confirms that the primary purpose of an access policy is to control access.

3. Microsoft Learn. (2023). Deploy Conditional Access App Control for featured apps. Microsoft Docs. Retrieved from https://learn.microsoft.com/en-us/defender-cloud-apps/proxy-deployment-aad.

Reference Section: "Step 4: Configure the policies in Defender for Cloud Apps". This section details the process after routing traffic via Conditional Access, stating you can "Create an access policy" to "Block or monitor access to apps". This confirms that an access policy is the correct type to create in Defender for Cloud Apps for blocking access.

Total questions: 334
Last update check: October 04, 2025