View SC-300 Exam Questions

Q: 1

You have an Azure Active Directory (Azure AD) tenant. You need to review the Azure AD sign-in logs to investigate sign-ins that occurred in the past. For how long does Azure AD store events in the sign-in logs?

Options

Discussion

Luke Z. Feb 18, 2026 11:10 am

B matches the default retention for Azure AD sign-in logs with Premium. It's not as long as people think, just 30 days unless you export it. Pretty sure that's right, but if your tenant has extra storage settings it could differ.

Arjun Y. Feb 21, 2026 9:16 am

B tbh

Casey Feb 22, 2026 1:01 pm

B or D? If question had mentioned export or external storage, D might fit but here looks like B applies.

Nora I. Mar 2, 2026 10:59 am

I don’t think it’s A, 14 days is a trap from old docs. B.

Adam I. Feb 14, 2026 8:03 am

Its B, Azure AD sign-in logs are kept for 30 days if you have P1 or P2. I think folks mixing with the old 14 days (that was before MS updated retention). Not totally sure if Free tier is in scope here though, correct me if I'm off.

Reese J. Feb 17, 2026 11:48 am

B had something like this in a mock exam and 30 days was the answer there.

Mia G. Feb 23, 2026 11:31 am

C vs B. I get why people say C since audit logs stick around for 90 days, but I think sign-in logs specifically are just 30 unless exported. Wouldn't bet my life on it though, pretty close on the details.

Anita Feb 24, 2026 10:16 am

Option C makes sense to me since I remember some audit logs being kept for 90 days by default, thought sign-in logs followed the same. Could be confusing with activity logs though. Not 100% sure, happy if someone points out where I'm off.

RobinC Mar 2, 2026 8:02 pm

I don’t think it’s D, 30 days is the standard for sign-in logs unless they mention exporting or a different SKU. B.

MasonA Mar 3, 2026 6:31 am

B is the one I've seen on recent study guides and MS docs for Premium tenants. Logs are only kept 30 days by default in Azure AD unless exported, so older reports of 14 days aren't current anymore. Pretty sure about this unless something changed very recently, let me know if you heard differently.

Be respectful. No spam.

Correct Answer:

Explanation

The retention period for Azure Active Directory (Azure AD) sign-in logs is dependent on the Azure AD license. For tenants with Azure AD Premium P1 or P2 licenses, which are typically assumed for the feature scope of the SC-300 exam, the sign-in logs are retained for 30 days. For tenants with an Azure AD Free license, the retention period is 7 days. Since 7 days is not an option and 30 days corresponds to the premium licenses that enable comprehensive log review, it is the correct answer. Longer retention requires exporting the logs to another service like Azure Monitor or a storage account.

Why Incorrect

A. 14 days: This is not a standard retention period for any Azure AD activity logs.

C. 90 days: This is the retention period for Audit logs in Azure AD Premium P1/P2 tenants, not for sign-in logs.

D. 365 days: This retention period is not available natively within Azure AD. It can be achieved by archiving logs to an Azure storage account, but it is not the default duration Azure AD stores the data.

References

1. Microsoft Learn. "How long does Azure AD store reporting data?". Azure Active Directory documentation. Accessed October 2023. In the "Activity logs" section

the table explicitly states that for the "Sign-ins" report type with an "Azure AD P1 or P2" license

the retention period is "30 Days".

Reference: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-reports-data-retention (See the table under the "Activity logs" section).

2. Microsoft Learn. "What are Azure Active Directory reports?". Azure Active Directory documentation. Accessed October 2023. This document discusses the different reports available and notes that "If you have an Azure AD Premium P1 or Azure AD P2 license

you can retain the audit logs and sign-in logs for up to 30 days."

Reference: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/overview-reports#what-azure-ad-license-do-you-need-to-access-activity-logs (See the "Activity log retention" section).

Q: 2

Your network contains an on-premises Active Directory domain that syncs to an Azure Active Directory (Azure AD) tenant. The tenant contains the users shown in the following table. All the users work remotely. Azure AD Connect is configured in Azure AD as shown in the following exhibit. Connectivity from the on-premises domain to the internet is lost. Which users can sign in to Azure AD?

Options

Discussion

Parker A. Feb 21, 2026 4:47 am

B seems possible since User1 is cloud-only, so works no matter what. I thought PHS also needs sync functionality, so not sure about User3. Somebody correct me if I missed something.

Mason O. Mar 3, 2026 6:08 pm

A tbh

Jack Mar 2, 2026 3:14 pm

D tbh, based on some exam reports and the MS Learn guide. User1 and User2 both exist in Azure AD, so I figured both could sign in even if on-prem is down.

Casey J. Feb 14, 2026 10:56 pm

A imo, D is tricky but User2's pass-through auth needs a working connection so with internet down User2 can't log in. User1 and User3 both work. Open to corrections if I missed something.

Noah M. Feb 16, 2026 1:38 am

PHS changes things here since if fallback to password hash was enabled for PTA users (like User2), they could still sign in even if the agent can't connect. But with no mention of fallback, only User1 (cloud-only) and User3 (PHS) are good, so picking A. Someone shout if I'm missing a weird case.

Zoe L. Mar 1, 2026 11:54 am

Man, Microsoft scenarios always trip people up with PTA versus PHS. D is wrong here, A fits since only cloud-only and PHS users (User1 and User3) still authenticate when on-prem is offline. Not 100% if there's a trick in the table but that's how most practice exams explain it.

Nathan L. Feb 15, 2026 6:23 pm

A makes sense since User1 is cloud-only and User3 uses Password Hash Sync, both work without the on-prem domain online. User2’s PTA needs a live connection back to the domain. Pretty sure about this but happy to hear other takes.

Daniel X. Mar 4, 2026 5:07 pm

Jason I. Feb 26, 2026 11:19 am

Official MS Learn docs and practice tests cover this exact scenario, worth reviewing for PTA vs PHS sign-in differences.

Ben E. Feb 25, 2026 1:36 pm

D honestly the Azure AD stuff gets confusing on the exam. User1 and User2 seem like they'd still have access.

Be respectful. No spam.

Q: 3

You have a Microsoft 365 tenant. All users have mobile phones and laptops. The users frequently work from remote locations that do not have Wi-Fi access or mobile phone connectivity. While working from the remote locations, the users connect their laptop to a wired network that has internet access. You plan to implement multi-factor authentication (MFA). Which MFA authentication method can the users use from the remote location?

Options

Discussion

CarefulCandidate680 Mar 4, 2026 5:57 am

D . Had something like this in a mock, TOTP codes from the Authenticator app don't need network on the phone. Other options require connectivity or aren't MFA. Think that's right here, but open to challenge if missed anything.

Jason R. Mar 5, 2026 8:01 pm

D imo

Nora S. Feb 19, 2026 12:48 pm

B , figured email could still work since laptops have internet, but maybe I'm missing a catch with MFA traps.

Amelia H. Feb 17, 2026 4:23 pm

Option D saw a similar question in a recent exam report and it's always the offline code from Authenticator that fits these no connectivity scenarios.

Zoe B. Feb 27, 2026 9:31 am

Why wouldn't B (email) work here? If users have wired internet on their laptops, shouldn't they still receive email verification?

Luke G. Feb 27, 2026 9:57 pm

D seems right because the Authenticator app's verification codes (TOTP) work even if your phone is totally offline, no signal or Wi-Fi. The other options require a network or aren't supported for MFA in Azure. Pretty sure that's what they're after, but correct me if I missed something.

Quinn X. Feb 24, 2026 12:09 am

Probably D here. Only D (verification code from the Authenticator app) works even if the phone has no internet or cell service, since TOTP codes generate offline. B looks tempting but email is not considered a secure MFA method in Azure AD. Disagree?

Noah Feb 20, 2026 1:14 am

B, not D

Aisha J. Mar 4, 2026 6:15 pm

Seriously wish Microsoft made these options less confusing on exams. It's D.

SeasonedNeteng2175 Mar 5, 2026 10:09 am

D works from what I've seen on practice exams. The Authenticator app's codes are generated locally and don't need signal, so perfect for offline MFA. Official docs and guides mention this scenario a lot. Not 100 percent sure if all exam wording matches, but pretty confident here.

Be respectful. No spam.

Correct Answer:

Explanation

The scenario requires an MFA method that works when the user's mobile phone has no internet or cellular connectivity. The Microsoft Authenticator app can generate time-based one-time passcodes (TOTP), which are displayed as a "verification code." This functionality works entirely offline on the mobile device. The user can open the app on their disconnected phone, retrieve the 6 or 8-digit code, and manually enter it into the sign-in prompt on their internet-connected laptop to satisfy the MFA requirement. This is the only method listed that accommodates the specified connectivity constraints.

Why Incorrect

A. A notification through the Microsoft Authenticator app requires the phone to have an active internet connection (Wi-Fi or cellular) to receive the push notification from Microsoft Entra ID.

B. Email is a method primarily used for Self-Service Password Reset (SSPR), not as a primary authentication method for an MFA challenge during a sign-in event.

C. Security questions are a knowledge-based proof used for Self-Service Password Reset (SSPR) and are not considered a valid "possession" factor for multi-factor authentication.

References

1. Microsoft Learn. "Authentication and verification methods available in Microsoft Entra ID." Microsoft Entra Documentation. Under the table "Method

" the row for "Microsoft Authenticator verification code" lists its use case for "MFA and SSPR" and notes it is a one-time passcode (OATH). In contrast

"Email address" and "Security questions" are listed for SSPR only.

Reference: learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods

Section: "Methods and their use cases".

2. Microsoft Learn. "How to use the Microsoft Authenticator app." Microsoft Entra Documentation. This document explains the different modes of the app. The section "Sign in with a code from the app" explicitly states: "If you can't get a notification to your device

for whatever reason

you can still sign in using a one-time password (OTP) code in the Microsoft Authenticator app." This confirms its offline capability.

Reference: learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-use-microsoft-authenticator-app

Section: "Sign in with a code from the app".

3. Microsoft Learn. "How Microsoft Entra multifactor authentication works." Microsoft Entra Documentation. This document outlines the available verification methods. It distinguishes between the push notification and the verification code from the Microsoft Authenticator app

implicitly highlighting that they operate under different connectivity requirements.

Reference: learn.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks

Section: "Available verification methods".

Q: 4

You have an Azure AD tenant named contoso.com that contains the resources shown in the following table. You create a user named Admin 1. You need to ensure that Admin can enable Security defaults for contoso.com. What should you do first?

Options

Discussion

Ajay X. Mar 3, 2026 10:20 pm

D tbh

Avery W. Feb 20, 2026 1:58 am

D is the way to go since Admin1 needs the proper role assigned to even manage security defaults. The roadblock isn’t about the Conditional Access policy first, it’s about permissions. Pretty sure but open to other interpretations.

ChrisU Feb 23, 2026 7:08 pm

A is wrong, D. Admin1 can't enable security defaults without being assigned the right admin role first, which is what D does. Deleting the CA policy (C) might look tempting since CA policies block security defaults, but Admin1 needs permissions before anything else is possible. I've seen similar wording cause confusion on practice exams-role assignment usually comes first in Microsoft questions like this. Pretty sure I'm right, but open to other takes.

Riley Feb 20, 2026 5:22 pm

Its D, Admin1 needs the Authentication Administrator role to manage security defaults in Azure AD. Can't touch those settings without the right permissions first. Pretty sure that's what they're asking, but if the question meant policy blockers then C could be a trap. Let me know if anyone reads it differently.

Sanjay B. Feb 24, 2026 8:30 am

Noah U. Mar 5, 2026 6:59 am

I see where you're coming from, JasonR. I'd probably pick C too since the Conditional Access policy can block enabling Security defaults. Deleting CAPolicy1 looks like it would remove that blocker. Not totally sure because Admin1 still needs the right permissions, but the question said "first" so C feels closer to what they want. More input?

JasonR Feb 23, 2026 3:50 pm

C. not D

Ivy S. Feb 20, 2026 11:37 pm

D imo

Chris J. Feb 24, 2026 2:33 am

Option D

NoahG Feb 28, 2026 6:12 pm

Option D

Be respectful. No spam.

Correct Answer:

Explanation

Security defaults and Conditional Access policies are mutually exclusive. To enable security defaults in an Azure AD tenant, all existing Conditional Access policies must first be disabled or deleted. The presence of CAPolicy1 prevents anyone, regardless of their administrative role, from enabling security defaults. Therefore, the first and necessary action to achieve the goal is to remove this blocking policy. After the policy is deleted, an administrator with the appropriate permissions (such as Security Administrator or Global Administrator) can then proceed to enable security defaults.

Why Incorrect

A. Configure Identity Governance. Identity Governance features, such as access packages and access reviews, are unrelated to the configuration of tenant-wide security defaults. B. Delete Package1. Package1 is an access package within Identity Governance. Deleting it has no impact on the ability to enable or disable security defaults. D. Assign Admin1 the Authentication administrator role for Au1. This is incorrect for two reasons: the role and the scope. The Authentication Administrator role does not have permissions to manage security defaults, and a role scoped to an administrative unit (Au1) cannot manage tenant-wide settings.

References

1. Microsoft Entra documentation, "Security defaults in Microsoft Entra ID": This document explicitly states the relationship between security defaults and Conditional Access.

Section: "Disabling security defaults"

Content: "If you have Conditional Access policies enabled in your directory, security defaults will be unavailable to you... To enable security defaults, you must disable all Conditional Access policies." This supports the correct answer (C).

2. Microsoft Entra documentation, "Microsoft Entra built-in roles": This source details the permissions for different administrative roles.

Section: "Security Administrator"

Content: Lists "manage security defaults" as a permission for this role.

Section: "Authentication Administrator"

Content: Permissions are limited to setting or resetting authentication methods for users. It does not include managing security defaults, which invalidates option (D).

3. Microsoft Entra documentation, "Administrative units in Microsoft Entra ID": This document explains the purpose and limitations of administrative units.

Section: "Administrative unit management scenarios"

Content: It clarifies that AUs are for delegating permissions over a subset of directory objects (users, groups, devices). Tenant-wide settings like security defaults are managed at the directory level, not within an AU scope. This further invalidates the scoping in option (D).

Q: 5

You have 2,500 users who are assigned Microsoft Office 365 Enterprise E3 licenses. The licenses are assigned to individual users. From the Groups blade in the Azure Active Directory admin center, you assign Microsoft 365 Enterprise E5 licenses to the users. You need to remove the Office 365 Enterprise E3 licenses from the users by using the least amount of administrative effort. What should you use?

Options

Discussion

Quinn H. Feb 15, 2026 3:08 pm

C . Set-HgUserLicense is built for handling user license assignments, which lines up with what official study guides and exam practice sets mention. PowerShell modules and Microsoft docs usually point to this for bulk removals like the scenario here. If you're brushing up, definitely review the cmdlet usage in lab guides.

Nina Feb 27, 2026 7:24 pm

Makes sense to pick C here. Set-HgUserLicense cmdlet is built for handling license changes at scale, so it's definitely the fastest for bulk removal like this. The other options either don't deal with user licenses directly or aren't as efficient in a bulk scenario. Pretty sure that's what Microsoft expects-correct me if you see it differently.

KevinA Feb 22, 2026 1:40 am

Option C here. Update-MgUser (D) is a common trap, it's more general but Set-HgUserLicense is built for license changes. Pretty sure C is what gets you fastest results for user-level assignments. Disagree?

NinaS Feb 22, 2026 8:55 pm

D tbh. Update-MgUser can change user properties and I thought it was used for license stuff too, not just Set-HgUserLicense. Pretty sure that's a common trap, though.

Robin Feb 18, 2026 5:04 am

D imo. Had something like this in a mock, Update-MgUser seemed to handle user properties pretty efficiently. Not 100% sure but sounds closest after C. Agree or did I miss something?

Adam Feb 20, 2026 6:16 am

Only thing I'd flag is if E3 was assigned via group, D could work, but since it's direct user assignment, C is made for this. Pretty sure that's why C fits best. Happy to hear otherwise if someone's got a weird edge case.

Nathan C. Feb 24, 2026 2:09 pm

A is wrong, D. From what I've seen in the official docs and some practice exams, Update-MgUser should let you manage user licenses along with other user properties. I think D is correct here but open to other thoughts if someone has run it in labs.

Zoe Y. Mar 2, 2026 1:00 am

Pretty sure it's C for this one. Set-HgUserLicense is all about license assignments, not just changing user info like D.

ReeseU Mar 4, 2026 2:20 pm

Its C. Set-HgUserLicense is purpose-built for user license actions, way more direct than the general user update approach in D. Easy to pick D by mistake since it handles lots of user properties, but doesn't specialize in licenses.

SeasonedArchitect5718 Feb 15, 2026 2:03 am

C here. Set-HgUserLicense is made for direct license updates, not just general user changes like D.

Be respectful. No spam.

Correct Answer:

Explanation

The scenario requires removing Microsoft Office 365 E3 licenses that were assigned directly to individual users. The most efficient way to perform this bulk operation is by using a PowerShell script. The Set-MsolUserLicense cmdlet, part of the legacy MSOnline (Azure AD V1) PowerShell module, is specifically designed to modify license assignments for user accounts. It includes a -RemoveLicenses parameter that allows an administrator to specify which license SKU to remove. By scripting this command to iterate through the 2,500 users, the directly assigned E3 licenses can be removed with the least administrative effort, fulfilling the question's requirement.

Why Incorrect

A. the Set-MsolProductKey cmdlet: This is not a valid or recognized PowerShell cmdlet for managing Microsoft 365 or Azure AD licenses.

B. the Update-MgGroup cmdlet: This cmdlet modifies the properties of a group, including its license assignments. It cannot be used to remove licenses that were assigned directly to individual users.

D. the Update-MgUser cmdlet: This is a general-purpose cmdlet from the Microsoft Graph PowerShell SDK for updating user object properties. The more specific and direct cmdlet for managing licenses is Set-MsolUserLicense (or its modern equivalent, Set-MgUserLicense).

References

1. Microsoft Learn. (n.d.). Set-MsolUserLicense. Microsoft PowerShell Documentation. Retrieved from https://learn.microsoft.com/en-us/powershell/module/msonline/set-msoluserlicense.

Reference Details: The documentation explicitly states this cmdlet "can be used to update the license assignment for a user" and details the -AddLicenses and -RemoveLicenses parameters

which are central to the solution.

2. Microsoft Learn. (2023

September 15). What is group-based licensing in Azure Active Directory? Microsoft Entra Documentation.

Reference Details: Under the section "A user has a license that conflicts with a group license

" the documentation explains that a user can have both a directly assigned license and a group-inherited license. This confirms that assigning the E5 group license does not automatically remove the direct E3 license

necessitating a separate removal action.

3. Microsoft Learn. (n.d.). Update-MgGroup. Microsoft Graph PowerShell Documentation. Retrieved from https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.groups/update-mggroup.

Reference Details: The documentation shows that this cmdlet is used to "Update the properties of a group object." This confirms its scope is limited to the group itself

not the direct license assignments of its members.

Q: 6

You have an Azure AD tenant that has multi-factor authentication (MFA) enforced and self-service password reset (SSPR) enabled. You enable combined registration in interrupt mode. You create a new user named User1. Which two authentication methods can User1 use to complete the combined registration process? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

Options

Discussion

QuietOps7312 Feb 15, 2026 7:55 pm

Microsoft changes things so often it's hard to keep up. I'd choose D and C, since email OTP and Windows Hello seem like valid auth methods for SSPR/MFA registration. Might have missed a recent update though.

Jamie H. Feb 19, 2026 1:31 am

Wouldn't B be a trap here since hardware tokens need admin setup, not available at first login?

SanjayE Feb 18, 2026 7:11 am

Probably A and E. B looks tempting but hardware tokens need extra admin steps, not available for self-service at combined reg.

Daniel Feb 25, 2026 5:03 am

Makes sense, A and E. Combined reg only lets you set up FIDO2 keys and Microsoft Authenticator from the start.

Daniel W. Mar 3, 2026 1:02 pm

A and E are correct here. FIDO2 security keys and Microsoft Authenticator app are the two supported methods during initial combined registration. D (Windows Hello) needs device enrollment first, so it's a common trap. Pretty sure on this based on recent exam updates, but open to correction if Azure changed something.

Kevin J. Feb 24, 2026 2:09 pm

A and E

Cameron H. Mar 3, 2026 9:26 pm

A and E imo, matches what official practice tests and Azure docs say new users can actually use here.

DirectAnalyst1288 Mar 4, 2026 11:26 am

Probably A and E, since those are actually available when doing combined self-registration for MFA/SSPR. D requires device enrollment first.

Olivia A. Mar 6, 2026 9:47 pm

C/D? I thought email OTP (C) was still supported for SSPR and Windows Hello for Business (D) is listed as a method sometimes. Maybe I'm missing something with registration flow specifics, but I think one of those fits here.

SamU Feb 28, 2026 8:00 pm

A and E tbh, that's what shows up in the exam guides and Microsoft's docs.

Be respectful. No spam.

Correct Answer:

A, E

Explanation

The combined security information registration process prompts users to register authentication methods for both Azure AD Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR). Since MFA is enforced, the new user, User1, must register at least one method that satisfies the MFA policy during their first sign-in.

The Microsoft Authenticator app and FIDO2 security keys are both strong authentication methods that can be used for MFA and are available for users to self-register during the initial combined registration experience. These methods allow the user to complete the mandatory setup and secure their account from the outset.

Why Incorrect

B. a hardware token: Hardware OATH tokens must be registered by an administrator for the user; they cannot be self-registered by the user during the initial sign-in process.

C. a one-time passcode email: Email is a method available for SSPR only, not for MFA. It cannot be used to satisfy the initial MFA registration requirement that triggers the combined registration process.

D. Windows Hello for Business: This is provisioned on a specific device after a user has already successfully authenticated with MFA. It is not an option available during the initial registration flow itself.

References

1. Microsoft Learn. (2023). Combined security information registration for Azure Active Directory overview. In "Authentication methods". This document lists the available methods for combined registration

including "Microsoft Authenticator app" and "FIDO2 security key". It also specifies that "Email address" and "Security questions" are available for SSPR only.

2. Microsoft Learn. (2023). Authentication methods and features. In "Authentication". This table confirms that FIDO2 Security Key and Microsoft Authenticator are valid for both MFA and SSPR

while Email is only for SSPR.

3. Microsoft Learn. (2023). Passwordless security key sign-in to Windows 10 devices with Azure Active Directory. In "Enable passwordless security key sign-in". The section "User registration and management of FIDO2 security keys" describes the self-service registration process at https://myprofile.microsoft.com.

4. Microsoft Learn. (2023). How to register and manage OATH hardware tokens in Azure AD. In "OATH tokens". The "Prerequisites" section states

"Admins need to register the hardware tokens for each user." This confirms it is not a self-service method for a new user.

Q: 7

You have an Azure AD tenant and a .NET web app named App1. You need to register App1 for Azure AD authentication. What should you configure for App1?

Options

Discussion

Alex S. Feb 25, 2026 9:00 am

Option D

Adam Mar 1, 2026 6:45 am

Karan D. Feb 21, 2026 10:21 pm

Nah, I don’t think it’s B or C. For a .NET web app, the redirect URI is what Azure AD uses to send back the authentication token after login. Executable name and package info matter more for client/mobile app registrations which trips people up. D is right here, unless I’m missing something?

Adam B. Feb 16, 2026 11:11 pm

Official docs and the MS Learn material both stress you have to set up a redirect URI for web app authentication in Azure AD. I also see this come up a lot in the practice tests. Anyone else use those resources for these SC-300 topics?

JamieH Feb 18, 2026 4:57 am

Its D

Noah W. Feb 28, 2026 5:25 am

Zoe Mar 2, 2026 8:27 pm

Not B here-bundle ID is more for mobile apps, but for a .NET web app the redirect URI (D) is the required config in Azure AD. Easy to mix these up, I nearly did myself.

Nina B. Feb 26, 2026 6:06 pm

Probably B, since bundle ID is usually important for registrations, at least that's what I've seen on some samples.

Ajay P. Feb 17, 2026 9:09 am

I don’t think it’s D, B sounds close from some exam reports, but check the official MS docs or the practice set for these registration details.

QuietLead853 Mar 5, 2026 2:08 am

Be respectful. No spam.

Correct Answer:

Explanation

When registering a web application in Azure AD to enable authentication, the Redirect URI (also known as a reply URL) is a critical security configuration. After a user successfully authenticates with the Microsoft identity platform, Azure AD redirects the user's browser back to this specific URI. The redirection includes the security token (an ID token or access token) required by the application to complete the sign-in process and verify the user's identity. Without a correctly configured Redirect URI, the authentication flow cannot be completed, and the application will not receive the necessary token.

Why Incorrect

A. The executable name is not a standard configuration property for a web app registration in Azure AD; it is more relevant for identifying native desktop applications.

B. The bundle ID is a unique identifier required when registering native applications for Apple's iOS or macOS platforms, not for a .NET web app.

C. The package name is a unique identifier required when registering native applications for the Android platform, not for a .NET web app.

---

References

1. Microsoft identity platform documentation

"Quickstart: Register an application with the Microsoft identity platform."

Reference: Under the section "Register an application

" step 5

"Add a redirect URI

" it states: "Select the platform for your application - Web... Enter the redirect URI for your application." This explicitly shows that for a web app

the redirect URI is a required configuration.

Source: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#register-an-application

2. Microsoft identity platform documentation

"Redirect URI (reply URL) restrictions and limitations."

Reference: The document's overview section states

"A redirect URI

or reply URL

is the location where the Microsoft identity platform redirects a user's client and sends security tokens after authentication. For example

in a web application

the redirect URI is the location where the user is sent after they sign in."

Source: https://docs.microsoft.com/en-us/azure/active-directory/develop/reply-url

3. Microsoft Learn

SC-300 Courseware

"Register an application."

Reference: In the learning module for implementing application access

the section on app registration details the required settings. It specifies: "When you register a web app

you must add a redirect URI. The redirect URI is the URI where users are sent after they've been authenticated." It also shows that Package Name and Bundle ID are for mobile platforms.

Source: https://learn.microsoft.com/en-us/training/modules/implement-manage-app-permissions/2-register-app

Q: 8

A user named User1 receives an error message when attempting to access the Microsoft Defender for Cloud Apps portal. You need to identify the cause of the error. The solution must minimize administrative effort. What should you use?

Options

Discussion

FocusedAuditor2633 Feb 25, 2026 9:28 pm

B. is correct. Had something like this in a mock and sign-in logs clearly showed the access failure reason for user errors. Quickest way to spot Conditional Access or auth issues. Pretty sure that's what they're after here.

Layla T. Mar 1, 2026 9:21 pm

Option B

Alex Feb 19, 2026 5:39 pm

C or B. I feel like audit logs (C) should highlight access issues if User1 hits an error while already inside the portal. If it's strictly a login problem, then yeah, B catches it. Not 100% though, what do you all think?

Mason Mar 4, 2026 2:09 pm

Had this exact type of question in my last practice test-B is correct.

Nathan Feb 27, 2026 8:51 pm

Did anyone try checking audit logs (C) for these access errors, or is everyone relying just on sign-in logs? Sometimes I see people mix up where access failure events actually show up. Wondering if there's any reason to use Log Analytics here instead?

Anita F. Feb 19, 2026 3:57 am

Looks like B, audit logs (C) are tempting but they miss failed sign-ins. Log Analytics seems like extra work. Disagree?

NinaQ Feb 20, 2026 8:11 am

Not B, C. Audit logs catch access attempts inside the portal if authentication succeeded but authorization failed.

Riley H. Mar 6, 2026 9:18 am

A is wrong, B. Similar question popped up on my practice exam reports, sign-in logs pinpoint initial access errors fastest in Entra.

Drew L. Feb 27, 2026 5:41 am

Its C. Audit logs seem like they'd show errors for user actions after login, not just sign-in failures. Trap is B, but if User1 reached the portal audit logs might help more, right?

Meera Feb 22, 2026 5:08 pm

C . Had something like this in a mock and audit logs showed user access attempts and failures. I figured that would cover errors too, plus it's easy to check for activity there. Not 100 percent but sounds reasonable to me, agree?

Be respectful. No spam.

Correct Answer:

Explanation

The Microsoft Entra ID sign-in logs are the most direct and efficient tool for diagnosing user access issues. These logs capture detailed information about every interactive user sign-in attempt, including the user, the target application (Microsoft Defender for Cloud Apps), the status (success or failure), and the specific reason for any failure. An administrator can quickly filter the logs for User1's attempts to access the portal and identify the root cause, such as a Conditional Access policy block, an incorrect password, or a failed MFA prompt. This approach directly addresses the problem with the least administrative overhead.

Why Incorrect

A. Log Analytics: This is a more complex tool requiring data to be forwarded and queries to be written, which is not the most minimal administrative effort.

C. audit logs: These logs track administrative actions and configuration changes within the tenant, not user sign-in attempts.

D. provisioning logs: These logs track the automated creation, update, and deletion of user identities in applications, not interactive sign-in events.

References

1. Microsoft Learn. "Sign-in logs in Microsoft Entra ID." Microsoft Entra documentation. Accessed October 10

2023. In the "What can you do with it?" section

it explicitly states a key use case is to "Troubleshoot sign-in issues for a user." The documentation further details that the logs contain the "Sign-in error code" and "Failure reason" which are essential for diagnosing the problem.

2. Microsoft Learn. "Troubleshoot sign-in problems with Conditional Access." Microsoft Entra documentation. Accessed October 10

2023. This document demonstrates using the sign-in logs as the primary tool for troubleshooting access failures

stating

"The first place to look for more information is the Microsoft Entra sign-in logs... The sign-in log for the user should tell you why a user is or is not getting a prompt for MFA or why a policy is or is not applying."

3. Microsoft Learn. "Reporting and monitoring overview." Microsoft Entra documentation. Accessed October 10

2023. This overview clearly distinguishes the different log types. It describes sign-in logs for "information about the usage of managed applications and user sign-in activities

" while audit logs are for "system activity for users and groups

" and provisioning logs are for "system activity for applications." This confirms that sign-in logs are the correct choice for the described scenario.

Q: 9

You have a Microsoft 365 tenant. You have 100 IT administrators who are organized into 10 departments. You create the access review shown in the exhibit. (Click theExhibittab.) You discover that all access review requests are received by Megan Bowen. You need to ensure that the manager of each department receives the access reviews of their respective department. Solution: You modify the properties of the IT administrator user accounts. Does this meet the goal?

Options

Discussion

Maya Z. Mar 4, 2026 1:29 am

Don't think B is right here, updating the Manager field solves it. A.

ThoughtfulAnalyst2524 Feb 21, 2026 9:07 pm

Nathan C. Feb 20, 2026 4:07 am

A or A/B? I'm a bit unsure because if the reviewer type is set to "Managers of users" then updating the Manager property on each user should work (so A). But if that's not configured, changing the user properties wouldn't matter. From the context though, looks like A is what they're going for. Anyone see a catch?

Ryan W. Mar 2, 2026 2:00 am

Kevin L. Feb 20, 2026 9:53 pm

B isn't right here, it's A. The real trick is that access reviews use the Manager attribute from Azure AD, so updating those properties pushes the review tasks to the correct department managers. B looks like a distractor for folks who forget how manager-based reviews are routed. Seen a similar setup in another practice set.

Mason I. Mar 4, 2026 7:55 am

Probably A

Jason F. Mar 1, 2026 5:45 am

I don't think it's B. A is right, since updating the Manager property pushes reviews to the correct manager per user. B feels like a trap for folks who forget how access reviews use those attributes.

Morgan I. Feb 26, 2026 4:29 pm

B . I'd expect that just updating the user account properties might not be enough unless you also confirm the access review is specifically set to use "Managers of users" as reviewers. Sometimes config in Azure AD can require more than just fixing attributes. Seen mixed explanations in Microsoft docs and official practice tests, so open to other takes.

Karan C. Feb 15, 2026 7:50 am

Had something like this in a mock exam, pretty sure it's A. Updating the Manager property makes Azure AD send future access reviews to the correct department managers. Simple attribute fix as long as reviewer type is set to manager.

Jordan Y. Feb 26, 2026 7:22 am

My pick: it's A because Azure AD pulls the manager info straight from the Manager property on each user. If you update those attributes, the access reviews will go to the right department heads. Correct me if I'm missing something in the scenario.

Be respectful. No spam.

Q: 10

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Cloud Apps. You need to identify which users access Facebook from their devices and browsers. The solution must minimize administrative effort. What should you do first?

Options

Discussion

Avery O. Mar 1, 2026 5:27 pm

Option A every time for fast identification, barely any admin overhead.

Sean A. Feb 18, 2026 8:11 am

A imo, had almost the same in a practice set last month, first step is mark Facebook unsanctioned.

Zoe Feb 20, 2026 2:07 am

C tbh, since creating a Defender for Cloud Apps access policy lets you specify Facebook and see user activity. Feels like the direct way, but I get why A is tempting for quick tagging.

Logan Feb 28, 2026 3:45 pm

Its C, create a Defender for Cloud Apps access policy.

Emma U. Feb 25, 2026 3:54 pm

C/D? I always thought creating a Defender for Cloud Apps access policy (C) was the first step if you want to track who is using something like Facebook. Conditional Access could also come in here, so not 100%.

HelpfulConsultant1857 Feb 25, 2026 2:46 pm

A imo. Tagging Facebook as unsanctioned in Defender for Cloud Apps lets you filter its usage right away, minimizing admin work. C feels like a trap here since that's more for blocking or controlling rather than just quick identification. Agree?

LunaB Feb 21, 2026 12:41 am

Its A, but if you needed to block or restrict access instead of just identify users, I'd switch to C.

Parker H. Mar 6, 2026 2:33 pm

C/D? I'm not sure, I'd probably start with C instead for identifying specific access. Could be wrong.

Skyler E. Mar 4, 2026 6:14 pm

C seems like the way to go, since a Defender for Cloud Apps access policy could let you target Facebook traffic directly and see those users. I thought that would be the fastest route. Not super confident though, maybe I'm missing some shortcut in A?

OwenV Feb 23, 2026 4:58 pm

A imo. Tagging Facebook as unsanctioned in Defender for Cloud Apps makes it super quick to filter and report on who accessed it. C can look tempting but it's more about enforcing controls, not just spotting usage with minimal work. If you wanted to block, sure, but for this question I think A fits best. Anyone see a reason C would actually be less effort here?

Be respectful. No spam.

Correct Answer:

Explanation

Microsoft Defender for Cloud Apps automatically discovers cloud application usage (Shadow IT) by analyzing traffic logs from sources like Microsoft Defender for Endpoint. This discovery process populates the "Discovered apps" page. To efficiently identify users accessing a specific application like Facebook, the first administrative action is to classify the app. By tagging Facebook as "Unsanctioned," you are not blocking it, but rather categorizing it for easier monitoring and filtering. This simple, low-effort action allows you to use the Cloud Discovery filters to immediately isolate all usage data for Facebook and identify the specific users, devices, and browsers involved.

Why Incorrect

B. Create an app configuration policy in Microsoft Endpoint Manager.

This is incorrect because app configuration policies are used to configure settings for managed applications on enrolled devices, not for discovering or identifying unmanaged cloud app usage.

C. Create a Defender for Cloud Apps access policy.

This is a subsequent step. Access policies are control mechanisms to manage real-time sessions (e.g., block downloads) after an app has already been discovered and classified.

D. Create a Conditional Access policy.

This is also a control mechanism. Conditional Access policies enforce access requirements (like MFA) for apps but are not the primary tool for the initial discovery and identification of users.

---

References

1. Microsoft Learn. (2023). Sanctioning/unsanctioning an app. In Microsoft Defender for Cloud Apps documentation. Retrieved from https://learn.microsoft.com/en-us/defender-cloud-apps/governance-actions#sanctioningunsanctioning-an-app.

Section: Sanctioning/unsanctioning an app.

Quote: "Marking an app as unsanctioned doesn't block use

but enables you to more easily monitor its use with the Cloud Discovery filters." This directly supports that unsanctioning is a primary step for monitoring and identification.

2. Microsoft Learn. (2023). Working with discovered apps. In Microsoft Defender for Cloud Apps documentation. Retrieved from https://learn.microsoft.com/en-us/defender-cloud-apps/discovered-apps.

Section: Discovered apps page.

Content: This document explains that after apps are discovered

a primary task for the administrator is to review and classify them. It states

"Once you've identified an app

you can sanction or unsanction it." This establishes sanctioning/unsanctioning as a foundational administrative step in managing discovered apps.

3. Microsoft Learn. (2023). Set up Cloud Discovery. In Microsoft Defender for Cloud Apps documentation. Retrieved from https://learn.microsoft.com/en-us/defender-cloud-apps/set-up-cloud-discovery.

Section: Cloud Discovery dashboard.

Content: This document describes the workflow for Shadow IT discovery. The process begins with data collection and analysis

which is largely automatic. The first manual administrative phase involves evaluating the discovered apps

which includes the act of sanctioning or unsanctioning to apply organizational policy and facilitate further monitoring.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE