Pass the Microsoft Certified: Identity and Access Administrator Associate SC-300 Questions and answers with Dumpstech

According to the Microsoft SC-300 official exam reference and Microsoft’s official documentation, Azure AD Password Protection provides password policy enforcement and banned password protection for both cloud and on-premises environments.

The solution requires two primary components:

Domain Controllers (DC Agents) — enforce password policies within the domain.

Proxy Service (Azure AD Password Protection Proxy) — communicates with Azure AD to download the latest password policies and banned password lists and then shares them with the DC agents.

In the scenario, Server1 and Server2 are domain controllers that already have Azure AD Password Protection installed but cannot communicate with the internet directly. That means they rely on the proxy service running on a separate server to connect securely to Azure AD.

To ensure high availability, Microsoft recommends deploying at least two proxy servers . This ensures continuous synchronization of the password policy even if one proxy fails.

From the Microsoft documentation:

“For redundancy, deploy at least two proxy servers. The proxy service retrieves the global and custom banned password lists from Azure AD and replicates them to all domain controllers running the DC agent.”

Thus, installing the Azure AD Password Protection proxy service on Server4 ensures service continuity if one of the proxy servers fails.

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and Microsoft Entra ID documentation , a break-glass account (also known as an emergency access account) is a cloud-only account that must not depend on any on-premises identity infrastructure, such as Active Directory synchronization or conditional access.

Location: The break-glass account must be created directly in Azure AD (cloud-only) — not in an on-premises Organizational Unit (OU1 or OU2).

OU1 syncs with Azure AD, meaning if on-premises synchronization fails or the domain controller is unavailable, accounts in OU1 might not authenticate.

OU2 doesn’t sync at all, so creating the account there wouldn’t provide Azure AD access. Therefore, the only resilient option is Azure AD (cloud-only) to ensure access even if directory sync or on-premises systems are unavailable.

Role: Microsoft recommends assigning the Global Administrator role to break-glass accounts. This ensures full tenant recovery capability in emergencies such as Conditional Access lockouts or MFA misconfiguration.

The Billing Administrator or Privileged Role Administrator roles don’t provide sufficient rights to recover access or modify Conditional Access settings.

The Global Administrator role has full control over all Azure AD resources and configuration settings.

Reasoning: Microsoft documentation states:

“Create at least two cloud-only emergency access accounts with the Global Administrator role. These accounts must be excluded from Conditional Access policies and protected with strong authentication methods.”

Statement

Yes / No

If User1 requests Role1, the request will be approved automatically.

No

User1 can approve the request of User3 for Role2.

No

User1 must provide justification to approve the request of User2 for Role1.

Yes

According to the Microsoft SC-300 study guide, Exam Ref SC-300, and Microsoft Entra Privileged Identity Management (PIM) documentation, role activation and assignment settings in Azure AD PIM determine who can activate roles, who can approve activations, and whether justification is required. Let’s analyze each configuration step-by-step.

Role1 Configuration Summary Setting

Value

Required justification on activation

No

Require approval to activate

Yes

Approvers

User1

Allow permanent eligible assignment

Yes

Allow permanent active assignment

Yes

Require justification on active assignment

Yes

Eligible Assignments: User1, User2

Role2 Configuration Summary Setting

Value

Required justification on activation

Yes

Require approval to activate

No

Approvers

None

Allow permanent eligible assignment

No

Allow permanent active assignment

Yes

Require justification on active assignment

Yes

Eligible Assignments: User3

Statement 1: “If User1 requests Role1, the request will be approved automatically.”

Role1 requires approval to activate.

The approver is User1, but a user cannot self-approve their own request in Azure AD PIM.

Therefore, even though User1 is listed as an approver, the system does not automatically approve self-requests.

✅ Answer: No

Statement 2: “User1 can approve the request of User3 for Role2.”

Role2 does not require approval to activate (approval = No).

User3 is the only eligible member for Role2 and can activate it directly.

Hence, no approval action exists for User1.

✅ Answer: No

Statement 3: “User1 must provide justification to approve the request of User2 for Role1.”

Role1 requires approval to activate, and User1 is the approver.

The assignment settings for Role1 state: Require justification on active assignment = Yes.

This means when approving or activating, the approver (User1) must enter a justification before approval.

✅ Answer: Yes

To evaluate and remediate risks associated with highly privileged accounts across multiple Azure subscriptions tied to one Microsoft Entra tenant, the recommended tool is Microsoft Entra Privileged Identity Management (PIM) . PIM allows you to centrally manage, monitor, and govern privileged access to both Azure resources and Microsoft Entra administrative roles, offering features like time-bound eligibility, just-in-time activation, access reviews, and alerts. TheTechTrails+2Microsoft Learn+2

Because the subscriptions are all under a single tenant, PIM can cover all of them (via Azure RBAC and directory roles) without needing separate tools per subscription. Using PIM minimizes administrative overhead because you don’t need to manually track or audit each high privilege account—you can enforce policies, schedule reviews, and use automation. Permissions Management (option D) is more about managing entitlements across cloud resources, rather than governing privileged administrative roles. Therefore, PIM is the correct choice.

When many new enterprise applications appear in a Microsoft Entra tenant, it typically means that users are granting consent for apps to access organizational data. To control this behavior, administrators can use the Admin consent workflow , found in Microsoft Entra ID → Enterprise applications → Consent and permissions → Admin consent settings .

Microsoft documentation explains:

“The admin consent workflow allows users to request access to applications that require admin consent, providing administrators with visibility and control over which apps get access to organizational data.”

Enabling this workflow ensures that any new enterprise app requesting permissions beyond user-level consent must go through an approval process where an administrator can review and grant or deny access.

Options A and C refer to Defender for Cloud Apps, which detects and monitors discovered applications but does not enforce approval workflows. Option D (Access review) is used to periodically review user access, not app consent approval.

The SC-300 exam section “Implement Conditional Access” and the Azure AD Terms of Use documentation explain that Terms of Use must be enforced using Azure AD Conditional Access. The policy ensures users cannot access Microsoft 365 resources until they accept the presented terms. Conditional Access provides the “Require terms of use” control under Access Controls → Grant.

The study guide states:

“Administrators can require users to accept organization terms of use by including a Terms of Use control in a Conditional Access policy. Access is denied until acceptance.”

Microsoft Cloud App Security and Endpoint Manager policies (Options A, B, D) are unrelated — they cannot enforce user acceptance before access. The only supported method is through Azure AD Conditional Access.

✅ Correct Answer: C. a conditional access policy in Azure AD

In Azure AD Connect, filtering which users synchronize is achieved via synchronization rules. The SC-300 study content explains that to exclude objects based on an on-premises attribute (for example, extensionAttribute15=NoSync ), you create an inbound rule on the Active Directory Domain Services (AD DS) connector. Inbound rules control the flow of data from AD DS into the metaverse, where you can use a scoping filter to mark objects as filtered (often via the cloudFiltered projection), preventing them from being provisioned to Azure AD. The official guidance highlights that inbound rules on the AD DS connector are used for attribute-based filtering and that export or run profiles (Full Import/Export) do not define logic; they only execute the configured rules. Therefore, to stop users with extensionAttribute15=NoSync from syncing, you create an inbound synchronization rule on the AD DS connector with a condition on that attribute to exclude those users from synchronization.

In Microsoft Entra Access Reviews, the “Upon completion settings” determine what happens after a review cycle ends — especially what happens when reviewers fail to take action. To automatically remove guest users who were not reviewed (or whose memberships were not approved), you must configure the “ If reviewers don’t respond ” option under the Upon completion settings to “Remove access.”

The Reviewers and General sections define who conducts reviews and their frequency, while Advanced settings provide notifications and reminders.

From SC-300 content:

“You can specify actions upon completion, such as removing users not reviewed, keeping access unchanged, or approving all. The ‘Upon completion settings’ section controls this behavior.”

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and Microsoft Learn module “Implement and manage Application Proxy for on-premises apps” , Azure AD Application Proxy requires that the connector installation be performed by a user with either the Global Administrator or Application Administrator or Cloud Application Administrator role.

Part 1 — User that should perform the installation The Application Proxy connector must be installed by a user who can register and manage applications in Azure AD. The documentation specifies that both Application Administrator and Cloud Application Administrator roles can perform Application Proxy connector installation. Since the question requires adherence to the principle of least privilege, Admin3 (Cloud Application Administrator) is the most appropriate user — because this role grants the required permissions without the broader rights of the Global Administrator.

“Cloud Application Administrator can create, manage, and delegate enterprise applications and Application Proxy connectors, without tenant-wide permissions.”

✅ Therefore, Admin3 should perform the installation.

Part 2 — Role for User1 After the connector is installed, User1 needs to register App1 in Azure AD. The role required to register and configure application registrations is the Application Developer role.

According to Microsoft documentation:

“Users assigned the Application Developer role can register applications in Azure AD and manage app registrations they own.”

This role is the least privileged role that allows creating new application registrations, unlike Application Administrator or Cloud Application Administrator, which can manage all apps tenant-wide.

✅ Therefore, assign User1 the role of Application Developer.

The issue described is that disabled on-premises AD accounts can still authenticate to Azure AD for up to 30 minutes. This behavior occurs when Password Hash Synchronization (PHS) is used, as authentication happens directly against the cloud copy of the password hash, which syncs periodically (every 30 minutes by default).

The proposed solution — configuring password writeback — allows users to reset or change their on-premises password from Azure AD (via self-service password reset). However, it does not affect the authentication flow or timing of disabled account status replication between AD and Azure AD.

From Microsoft documentation:

“Password writeback enables users to reset their on-premises passwords from the cloud but does not impact authentication or account disable synchronization.”

Therefore, configuring password writeback does not prevent a disabled user from authenticating in Azure AD until the next sync occurs.