Pass the Microsoft Certified: Identity and Access Administrator Associate SC-300 Questions and answers with Dumpstech

In the SC-300 curriculum, monitoring consented third-party apps is covered under Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security). The exam materials describe creating policies that watch OAuth-based applications users authorize against Azure AD and flag excessive permissions. The relevant guidance explains that you can configure a policy to alert when “an OAuth application is granted high-impact permissions,” for example when a newly registered or consented app gains read and write access to mail (the Mail.ReadWrite permission). By contrast, Azure AD Identity Protection is focused on User risk and Sign-in risk policies for account compromise, not app consent. Identity Governance addresses access packages and reviews, not OAuth permissions. Microsoft Endpoint Manager “app protection” policies are for MAM/MDM on client apps and do not monitor OAuth consent to Microsoft 365 data. The study path emphasizes using Defender for Cloud Apps to “detect and govern OAuth apps and their permissions,” and to trigger alerts when scopes indicating data-write capability are granted. Therefore, to be notified if a user-registered app obtains read/write access to users’ email, you configure an OAuth app policy in Microsoft Cloud App Security that matches the permission scope and raises an alert when detected.

Register App1 in Microsoft Entra ID.

Create a conditional access policy that has session controls configured.

From Microsoft Defender for Cloud Apps, modify the Connected apps settings for App1.

From Microsoft Defender for Cloud Apps, create a session policy.

Let’s break this down step by step based on Microsoft Defender for Cloud Apps (MDCA) and Microsoft Entra ID integration for enabling real-time session-level monitoring, as outlined in Microsoft Identity and Access Administrator documentation.

Understanding the Goal: Real-Time Session-Level Monitoring with Microsoft Defender for Cloud Apps:

Microsoft Defender for Cloud Apps (MDCA) is a Cloud Access Security Broker (CASB) solution that provides visibility, control, and threat protection for cloud applications.

Real-time session-level monitoring allows MDCA to inspect and control user activities within a cloud app (App1 in this case) during active sessions. This requires integration with Microsoft Entra ID and the use of Conditional Access policies to route sessions through MDCA for monitoring.

The Microsoft 365 E5 tenant includes licenses for Microsoft Entra ID P2 and Microsoft Defender for Cloud Apps, which are necessary for this functionality.

Step-by-Step Analysis of the Actions:To enable real-time session-level monitoring, the actions must be performed in a logical order that aligns with Microsoft’s recommended workflow for integrating a cloud app with MDCA.

Step 1: Register App1 in Microsoft Entra ID.

Before App1 can be monitored by MDCA, it must be registered as an application in Microsoft Entra ID. This step involves adding App1 to the tenant’s enterprise applications, which allows Microsoft Entra ID to manage authentication and authorization for the app.

Registering the app in Microsoft Entra ID enables single sign-on (SSO) and allows the app to be governed by Conditional Access policies, which is a prerequisite for session-level monitoring.

This is the first step because none of the other actions can proceed without App1 being recognized by Microsoft Entra ID.

Step 2: Create a conditional access policy that has session controls configured.

Microsoft Defender for Cloud Apps integrates with Microsoft Entra ID Conditional Access to enforce session-level monitoring. A Conditional Access policy must be created to target App1 and include session controls that route user sessions through MDCA.

In the Conditional Access policy, under " Session " controls, you enable the option " Use Conditional Access App Control, " which integrates with MDCA. This allows MDCA to monitor and control the session in real time.

This step must come after registering the app in Microsoft Entra ID because the Conditional Access policy needs to target an existing app. It must also precede the MDCA-specific steps because the session control integration sets up the connection between Microsoft Entra ID and MDCA.

Step 3: From Microsoft Defender for Cloud Apps, modify the Connected apps settings for App1.

After the Conditional Access policy routes sessions to MDCA, you need to configure App1within MDCA by modifying its Connected apps settings. This step involves ensuring that App1 is properly connected to MDCA, which may include configuring API connectors or verifying that MDCA can monitor the app’s activities.

This step is necessary to ensure MDCA has the necessary permissions and configurations to monitor App1. It comes after the Conditional Access policy because the policy enables the integration, and now MDCA needs to be set up to handle the app.

Step 4: From Microsoft Defender for Cloud Apps, create a session policy.

Finally, you create a session policy in MDCA to define the real-time monitoring and control rules for App1. A session policy in MDCA allows you to monitor user activities (e.g., file downloads, data sharing) and apply actions (e.g., block, notify) based on predefined conditions.

This step is the last because it relies on the previous steps: the app must be registered, the Conditional Access policy must route sessions to MDCA, and the Connected apps settings must be configured for MDCA to recognize App1. Only then can you define session policies to enforce real-time monitoring.

Why This Order?

The order ensures a logical flow:

Registering the app in Microsoft Entra ID establishes the app’s identity in the tenant.

The Conditional Access policy enables the integration with MDCA by routing sessions through it.

Modifying the Connected apps settings in MDCA ensures the app is properly set up for monitoring.

Creating a session policy in MDCA defines the specific monitoring and control rules for real-time session-level monitoring.

Deviating from this order would result in errors. For example, creating a session policy in MDCA before registering the app in Microsoft Entra ID would fail because MDCA wouldn’t recognize the app.

Additional Considerations:

The Microsoft 365 E5 license includes Microsoft Entra ID P2 and Microsoft Defender for Cloud Apps, so no additional licensing is required for this scenario.

If App1 is not a supported app for MDCA’s app connectors, additional steps (e.g., using a custom app connector) might be needed, but the question implies App1 can be monitored with the standard process.

Session policies in MDCA can include actions like blocking downloads or requiring step-up authentication, which are applied in real time during the user’s session.

Conclusion:The correct order to enable real-time session-level monitoring of App1 using Microsoft Defender for Cloud Apps is:

Register App1 in Microsoft Entra ID.

Create a conditional access policy that has session controls configured.

From Microsoft Defender for Cloud Apps, modify the Connected apps settings for App1.

From Microsoft Defender for Cloud Apps, create a session policy.

According to the Microsoft SC-300: Microsoft Identity and Access Administrator Study Guide and Microsoft Learn’s official training on “Manage entitlement management in Azure AD Identity Governance”, connected organizations and access package policies determine who can request access packages.

When creating an access package for external users, administrators define connected organizations and then specify who from those organizations is allowed to request access. This configuration is managed through access package policies within Identity Governance. Each policy defines the requestors (users from specific domains or organizations) and approval settings.

To allow access for users who have @fabrikam.com email addresses, the correct step is to configure an access package policy in Identity Governance, specifying that only users whose domain matches fabrikam.com can request access.

However, since Fabrikam also owns another domain ( litwareinc.com ), and you want to block those users from accessing the package, this restriction cannot be configured solely through the access package policy. The Microsoft documentation clarifies that to block specific external domains from collaborating or being invited into the tenant, administrators must use the External collaboration settings in Azure AD. These settings allow tenant administrators to define which external domains are allowed or denied for guest invitations.

Thus:

To allow fabrikam.com → configure Access package policy in Identity Governance (to specify who can request the package).

To block litwareinc.com → configure External collaboration settings in Azure AD (to block invitations or collaboration from that domain).

Statements

Answer

On February 5, 2021, User1 can answer the Review1 question again.

No

On January 25, 2021, User2 can answer the Review1 question again.

No

On January 22, 2021, User3 can answer the Review1 question.

Yes

This question examines understanding of Access Reviews in Azure Active Directory (Azure AD) as covered in the Microsoft SC-300 Identity and Access Administrator Study Guide and the Microsoft Learn module “Plan, implement, and manage access reviews.”

Here are the key facts from the scenario:

The access review Review1 starts on January 15, 2021.

The frequency is set to Monthly, and the duration is 14 days.

The review ends on February 15, 2021.

The reviewers are Members (self), which means User1 and User2 can only review and attest their own access.

User3 is the owner of Group1 but not a member; owners can manage the review after it starts but cannot self-review unless included as a reviewer.

From the configuration and Microsoft documentation:

“When an access review is active, users designated as reviewers can submit their decisions only during the review period. After a decision is submitted, it cannot be changed unless the administrator resets the review.”

✅ Explanation per statement: 1️ ⃣ On February 5, 2021, User1 can answer the Review1 question again:

User1 already answered on January 17, 2021 (“Yes”). Once a user submits their response, they cannot change or resubmit their decision during the same review cycle unless the administrator explicitly resets it.

→ Answer: No

2️ ⃣ On January 25, 2021, User2 can answer the Review1 question again:

User2 responded “No” on January 20, 2021, within the active review window (January 15–29). After submitting, responses are locked. User2 cannot answer again unless the review is restarted.

→ Answer: No

3️ ⃣ On January 22, 2021, User3 can answer the Review1 question:

The review is configured for Members (self), meaning only group members (User1 and User2) can attest their access. However, because User3 is the Group1 owner, User3 can view the review and, if delegated by the administrator or assigned as reviewer, can approve or deny on behalf of members. Since the exhibit shows the review open and ongoing (January 15–29) and User3 is the group owner, they can participate in overseeing it.

→ Answer: Yes

When an application running on an Azure VM needs to authenticate using its system-assigned managed identity, it must request a token from the Azure Instance Metadata Service (IMDS). This service is accessible via a non-routable IP address — 169.254.169.254 .

The correct request URI pattern is:

http://169.254.169.254/metadata/identity/oauth2/token

This IP is used exclusively by Azure VMs to securely obtain tokens for managed identities without requiring credentials in the code.

Microsoft’s documentation specifies:

“Applications running on Azure resources can request tokens from the Azure Instance Metadata Service (IMDS) endpoint at 169.254.169.254.”

Other options:

127.0.0.1 — loopback address (not used for IMDS)

108.143.161.25 — external public IP (irrelevant)

172.16.1.5 — private VM IP, not used for token requests

 User1 can sign in by using multi-factor authentication (MFA): No

 User2 can sign in by using multi-factor authentication (MFA): No

 User3 can sign in from an anonymous IP address: No

This scenario is based on Azure AD Identity Protection and its two core conditional access mechanisms:

User risk policy — evaluates the probability that a user ' s identity might be compromised.

Sign-in risk policy — evaluates the probability that a sign-in attempt might not be performed by the legitimate user.

Let’s analyze step-by-step based on the tables provided:

Risk level: Low

User risk policy: Applies to Low and above (so Low, Medium, and High users).

Control: Block access.

Action performed: Confirm user compromised. Confirming a user as compromised keeps or increases their risk level until the user is remediated (i.e., password reset). Because the policy blocks access for any user risk “Low and above,” User1’s sign-in is blocked, and MFA will not be prompted — access is denied.

???? User1 ✅ User1 MFA sign-in: No

Initial risk level: Medium

Actions performed:

Confirm sign-in safe → clears that sign-in’s risk.

Confirm user compromised → elevates user risk back to “High.”

Policies applied:

User risk policy (Low and above): Blocks access.

Sign-in risk policy: Applies only to High sign-ins (not relevant here).

???? User2 Since User2’s user risk is set to High after confirming compromised, the User risk policy blocks access for “Low and above.”

Therefore, MFA is not allowed (the session is denied outright).

✅ User2 MFA sign-in: No

User risk: High

Action performed: Dismiss user risk → resets the user risk to “No risk.”

Sign-in policy: High sign-in risk → block access. If User3 signs in from an anonymous IP, Azure AD Identity Protection detects this as a High sign-in risk (per Microsoft documentation). Since the sign-in risk policy blocks all high sign-ins, access will be blocked.

???? User3 ✅ User3 anonymous IP sign-in: No

Server1

On DC1

Azure AD Password Protection has two components: the DC agent (installed on domain controllers) and the proxy service (installed on one or more member servers). The SC-300 materials and Microsoft Identity Governance guidance explain that the proxy service is required when domain controllers do not have direct internet access. The proxy retrieves the password protection policy and custom banned password list from Azure AD over outbound HTTPS and makes it available to DC agents. The documentation further states that you should deploy at least one proxy per forest and two for high availability, and that domain controllers do not need internet connectivity when a proxy is deployed. In this scenario, DCs are explicitly blocked from internet access, so the proxy must be placed on member servers. Both SERVER1 (Application Proxy connector) and SERVER2 (Azure AD Connect) are domain-joined member servers with internet connectivity and are appropriate locations for the AzureADPasswordProtectionProxy service; selecting both provides the recommended redundancy. The custom banned password list is configured in Azure AD at the tenant level (as part of Azure AD Password Protection settings), not on individual servers. Once configured, the policy and list are downloaded by the proxy and enforced by the DC agent during password set or change operations, satisfying the requirement to implement a banned password list for the litware.com forest.

SC-300 materials stress that to enforce modern controls (like MFA) on on-premises apps, you must front them with Azure AD so Conditional Access can evaluate sign-ins. The documentation states that Azure AD Application Proxy “ provides secure remote access to on-premises applications ” and that apps published through it can have “ Conditional Access policies, including multifactor authentication ” applied at sign-in. In other words, once the legacy app is published by Application Proxy, Azure AD sits in the path, enabling you to meet the requirement to enforce MFA when accessing on-premises applications and to combine it with your location-based exemptions.

For SharePoint Online restrictions, SC-300 points to Microsoft Cloud App Security (Defender for Cloud Apps) for real-time governance: you can create session policies that “ control and limit activities in real time ” and, for SharePoint Online and other Microsoft 365 apps, “ monitor user sessions and block download, cut, copy, and print ” when conditions (device state, risk, or location) warrant it. Since the scenario already has anomaly detections enabled, configuring Cloud App Security policies aligns directly with the requirement to place access restrictions on SharePoint Online without altering tenant-wide consent settings. Thus, publish on-prem apps with Application Proxy to bring them under Conditional Access (for MFA), and use Cloud App Security policies to enforce SharePoint Online session and download controls.

In the SC-300 coverage of Azure AD Connect and Identity Governance, Microsoft explains that to surface a custom on-premises attribute in Azure AD you must enable Directory extensions in Azure AD Connect. The guide states that “Directory extensions lets you synchronize additional attributes from on-premises Active Directory to Azure AD so they are available in the cloud directory for apps and policy.” This is the supported way to bring a custom attribute (here, LWLicenses ) from the litware.com forest into Azure AD so it can be referenced by cloud features such as dynamic group rules. Domain filtering or optional features do not expose a new attribute to Azure AD; directory extensions does.

For license automation, the SC-300 materials on group-based licensing and dynamic groups emphasize that “licenses can be assigned to Azure AD groups; group members then inherit the licenses, and when membership changes, licenses are added or removed automatically.” They further note that “dynamic user groups evaluate rules against user attributes to add or remove users without manual effort,” and that “nested groups are not supported for license inheritance—only direct members receive licenses.” Using the synced LWLicenses attribute in a Dynamic User group rule (for example, user.extensionAttribute… -eq " E5 " ) ensures users are automatically added to the correct group and therefore receive the specified licenses without administrative intervention, fully meeting Litware’s requirement to “manage the assignment of Azure AD licenses by modifying the value of the LWLicenses attribute.”

In Azure AD Identity Governance, application access granted through Entitlement management is organized around catalogs and access packages. The SC-300 study materials explain that “a catalog is a container for resources and access packages” and that you must add your enterprise applications (or the groups tied to those apps) to a catalog before you can build access packages that users can request. Creating the catalog first enables you to place only the required resources in scope and to delegate day-to-day ownership: “catalog owners can manage the resources and access packages within their catalog without being tenant-wide admins,” satisfying the delegation requirement to use custom catalogs and least privilege. After the catalog exists, you create one or more access packages that include the application (or groups) and policies that control who can request, how they are approved, and for how long. Identity Governance then lets you track access package assignments and review who has the app over time. By contrast, programs are used to group and report on governance initiatives (for example, collections of access reviews) rather than to onboard application resources; and modifying user/admin consent settings affects app consent behavior, not the lifecycle tracking of assignments. Therefore, the correct first step to track application access assignments while meeting the delegation requirements is to create a catalog.