Microsoft SC-300 Exam Dumps & Practice Test Questions
Which groups are eligible to have a Microsoft Office 365 Enterprise E5 license assigned directly in Azure AD?
A. Group1 and Group4 only
B. Group1, Group2, Group3, Group4, and Group5
C. Group1 and Group2 only
D. Group1 only
E. Group1, Group2, Group4, and Group5 only
Correct Answer: E
Explanation:
In Azure Active Directory (now Microsoft Entra ID), you can assign licenses to individual users or to groups. Group-based licensing accepts security groups and security-enabled Microsoft 365 groups with either assigned or dynamic membership; the membership type by itself does not disqualify a group. Two things do: the group holding device objects instead of users (a license applies to a user), and nesting, because group-based licensing does not flow through nested groups.
Group1 and Group4 have assigned membership: an administrator adds and removes members directly, and every member inherits the license assigned to the group.
Group2 and Group5 are dynamic user groups: membership is computed from a rule over user attributes such as department or country. Because their members are users, they are valid license targets, and they are the usual way to license new hires automatically. The license follows the rule: when a user stops matching it, the inherited license is removed on the next evaluation.
Group3 is a dynamic device group. Its members are device objects, and a user license such as Microsoft Office 365 Enterprise E5 cannot be attached to a device, so Group3 is the one group that cannot carry the license.
In summary, Group1, Group2, Group4 and Group5 can be assigned the license and Group3 cannot, which is option E. The claim sometimes made that dynamic groups cannot receive a group-based license is incorrect; the admin center assigns a license to a dynamic user group without error. What does fail is a dynamic device group, and a user whose license cannot be fulfilled (no seats left, conflicting service plans, missing usage location) shows a licensing error on the user object rather than on the group.
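The check and the assignment in Microsoft Graph PowerShell, as an added example that is not part of the original page. The five sample group objects are constructed to mirror the question and are not tenant data; the group ID is a placeholder; ENTERPRISEPREMIUM is Microsoft's SKU part number for Office 365 E5; the test for a device group (a membership rule over device.* properties) is a heuristic, since a dynamic group's rule references either user.* or device.* attributes, never both.

```powershell
# Added example (not from the original page). Requires the Microsoft Graph PowerShell SDK and:
#   Connect-MgGraph -Scopes 'Group.ReadWrite.All','Organization.Read.All','User.Read.All'

function Test-LicensableGroup {
    # Returns $null when the group can carry a user license, otherwise the reason it cannot.
    # Expects the shape returned by:
    #   Get-MgGroup -GroupId <id> -Property Id,DisplayName,GroupTypes,MembershipRule,SecurityEnabled
    param([Parameter(Mandatory)] $Group)

    $isDynamic = $Group.GroupTypes -contains 'DynamicMembership'
    # Heuristic (assumption): a dynamic rule over device.* properties marks a dynamic device group.
    if ($isDynamic -and $Group.MembershipRule -match '\bdevice\.') {
        return 'dynamic device group: a user license cannot be assigned to device objects'
    }
    # Microsoft 365 groups qualify for group-based licensing only when security-enabled.
    if (($Group.GroupTypes -contains 'Unified') -and -not $Group.SecurityEnabled) {
        return 'Microsoft 365 group is not security-enabled'
    }
    return $null
}

# Constructed sample groups shaped like the five in the question (assumed, not from the page).
$samples = @(
    [pscustomobject]@{ DisplayName = 'Group1'; GroupTypes = @();                             MembershipRule = $null;                                 SecurityEnabled = $true }
    [pscustomobject]@{ DisplayName = 'Group2'; GroupTypes = @('DynamicMembership');          MembershipRule = '(user.department -eq "Sales")';       SecurityEnabled = $true }
    [pscustomobject]@{ DisplayName = 'Group3'; GroupTypes = @('DynamicMembership');          MembershipRule = '(device.deviceOSType -eq "Windows")'; SecurityEnabled = $true }
    [pscustomobject]@{ DisplayName = 'Group4'; GroupTypes = @('Unified');                    MembershipRule = $null;                                 SecurityEnabled = $true }
    [pscustomobject]@{ DisplayName = 'Group5'; GroupTypes = @('Unified','DynamicMembership'); MembershipRule = '(user.country -eq "US")';             SecurityEnabled = $true }
)
foreach ($g in $samples) {
    $reason = Test-LicensableGroup -Group $g
    '{0}: {1}' -f $g.DisplayName, $(if ($reason) { $reason } else { 'eligible' })
}
# Group1, Group2, Group4 and Group5 are reported eligible; Group3 is reported as a device group.

# Live assignment for one group (placeholder ID), then surface per-user licensing errors.
$groupId = '00000000-0000-0000-0000-000000000000'   # placeholder
$e5Sku   = (Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'ENTERPRISEPREMIUM').SkuId

$target = Get-MgGroup -GroupId $groupId -Property Id,DisplayName,GroupTypes,MembershipRule,SecurityEnabled
if ($why = Test-LicensableGroup -Group $target) { throw "$($target.DisplayName): $why" }
Set-MgGroupLicense -GroupId $target.Id -AddLicenses @(@{ SkuId = $e5Sku }) -RemoveLicenses @() | Out-Null

# Group-based licensing is processed asynchronously. Once it has run, members that could not be
# licensed carry an error (CountViolation, MutuallyExclusiveViolation, DependencyViolation,
# ProhibitedInUsageLocationViolation) on their licenseAssignmentStates entry for this group.
Get-MgGroupMember -GroupId $target.Id -All |
    ForEach-Object { Get-MgUser -UserId $_.Id -Property UserPrincipalName,LicenseAssignmentStates } |
    ForEach-Object {
        foreach ($s in $_.LicenseAssignmentStates) {
            if ($s.AssignedByGroup -eq $target.Id -and $s.Error -and $s.Error -ne 'None') {
                [pscustomobject]@{ User = $_.UserPrincipalName; Error = $s.Error }
            }
        }
    }
```

The error sweep is the part worth keeping: the portal shows a green check on the group even when a quarter of its members silently failed to get the license.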
You need to block users from creating Microsoft 365 accounts using your organization's domain (contoso.com) via self-service sign-up.
What PowerShell command should you use to disable this capability?
A. Set-MsolCompanySettings
B. Set-MsolDomainFederationSettings
C. Update-MsolFederatedDomain
D. Set-MsolDomain
Correct Answer: A
Explanation:
When users sign up for Microsoft 365 services using their organizational email addresses (like @contoso.com), they can inadvertently create unmanaged Azure AD tenants. This self-service sign-up mechanism can result in administrative confusion and fragmentation of your corporate identity. To regain and maintain control over domain-based identities in Microsoft 365, it’s important to disable this behavior.
The PowerShell cmdlet that controls self-service sign-up is Set-MsolCompanySettings, from the MSOnline module (now deprecated; the Microsoft Graph PowerShell equivalent is Update-MgPolicyAuthorizationPolicy). It configures tenant-wide settings in Microsoft Online Services, including whether users can create their own accounts for Microsoft services.
Setting AllowAdHocSubscriptions to $false with Set-MsolCompanySettings disables self-service sign-up; setting AllowEmailVerifiedUsers to $false as well stops email-verified users from joining the tenant on their own.
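The commands themselves, as an added example rather than text from the original page, in both the deprecated MSOnline form the exam refers to and the current Microsoft Graph PowerShell form. Both flags are tenant-wide; nothing here is specific to contoso.com.

```powershell
# Added example (not from the original page): turn off self-service sign-up for the tenant.

# --- MSOnline (the cmdlet the exam answer names; module is deprecated) ---
Connect-MsolService
# Users can no longer start trial / ad-hoc subscriptions that create accounts in the tenant.
Set-MsolCompanySettings -AllowAdHocSubscriptions $false
# Related switch: stop email-verified users from joining the tenant on their own.
Set-MsolCompanySettings -AllowEmailVerifiedUsers $false
Get-MsolCompanyInformation | Select-Object AllowAdHocSubscriptions, AllowEmailVerifiedUsers

# --- Microsoft Graph PowerShell (current) ---
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'
Update-MgPolicyAuthorizationPolicy `
    -AllowedToSignUpEmailBasedSubscriptions:$false `
    -AllowEmailVerifiedUsersToJoinOrganization:$false
Get-MgPolicyAuthorizationPolicy |
    Select-Object AllowedToSignUpEmailBasedSubscriptions, AllowEmailVerifiedUsersToJoinOrganization
```

Either form only prevents new self-service sign-ups; an unmanaged tenant that was already created on your domain is not removed by it and has to be taken over separately.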
Running this command effectively prevents users from using their @contoso.com email addresses to sign up for Microsoft 365 or Azure AD independently. This ensures that all user creation and license assignment remain within the control of your IT administrators.
The other PowerShell options listed are incorrect in this scenario:
Set-MsolDomainFederationSettings is used to configure federation settings for a domain, typically used with identity providers like ADFS.
Update-MsolFederatedDomain refreshes or synchronizes settings for a federated domain, which is unrelated to user self-service sign-up.
Set-MsolDomain helps manage domain settings like verification, but it doesn't directly impact self-service sign-up permissions.
Thus, Set-MsolCompanySettings is the correct cmdlet for managing user self-registration behaviors and is the best solution for preventing the creation of unmanaged accounts.
Question 3:
You are configuring access reviews in Azure Active Directory (Azure AD) for a company that uses Microsoft 365. Your goal is to ensure that group owners are responsible for reviewing user membership in their Microsoft 365 groups on a quarterly basis. You also want to ensure that inactive users are automatically removed during the review if they do not respond.
Which configuration options should you choose to meet these requirements?
A. Assign group membership review to global administrators and set frequency to annually
B. Enable access review for Microsoft 365 groups, assign the group owner as the reviewer, set the frequency to quarterly, and configure auto-apply results
C. Use dynamic group membership rules and configure an expiration policy for the group
D. Assign access review to the manager of each user and set the frequency to weekly
Correct Answer: B
Explanation:
Azure Active Directory (Azure AD) access reviews are an essential feature in identity governance, especially when it comes to managing group memberships and ensuring that only the appropriate users have access to resources. In the scenario described, the goal is to configure an access review process for Microsoft 365 group memberships with the following key requirements:
Group Owners as Reviewers: Group owners are the most appropriate reviewers for this use case since they understand the purpose of the group and are best positioned to determine whether each user still requires access.
Quarterly Review Frequency: The question specifies that the review process should occur every three months. Azure AD access reviews support configurable frequencies, including quarterly, to meet governance and compliance needs.
Automatic Action for Inactive Users: Azure AD access reviews can be configured to automatically apply the results at the end of each review cycle. For users who fail to respond or are marked as "No," the system can automatically remove them from the group, streamlining the process and reducing administrative overhead.
Option B satisfies all these requirements by enabling access reviews specifically for Microsoft 365 groups, assigning the group owner as the reviewer, setting the recurrence to quarterly, and enabling the "Auto apply results" feature.
Let’s analyze why the other options are incorrect:
A: Assigning the task to global administrators is inefficient and goes against the principle of least privilege. It also does not meet the quarterly frequency requirement.
C: Dynamic membership rules and expiration policies are not part of access reviews and do not meet the requirement to have owners review memberships.
D: While assigning reviews to user managers may work in some contexts, it does not align with the specific requirement that group owners manage the review, and the weekly frequency is unnecessarily frequent.
Thus, B is the best option to meet the organization's access review goals.
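The same configuration created through Microsoft Graph PowerShell, as an added example that is not part of the original page. The group ID is a placeholder; the scope and reviewer queries are the ones the portal's "Select group(s)" / "Group owner(s)" choices generate; the quarterly pattern and the fallback decision are the settings that satisfy the question.

```powershell
# Added example (not from the original page): a quarterly, owner-reviewed access review of one
# Microsoft 365 group, with non-responses resolved to "Deny" and applied automatically.
# Requires Microsoft.Graph.Identity.Governance and:
#   Connect-MgGraph -Scopes 'AccessReview.ReadWrite.All'
$groupId = '00000000-0000-0000-0000-000000000000'   # placeholder: the Microsoft 365 group

$definition = @{
    displayName             = 'Quarterly membership review (owner-driven)'
    descriptionForAdmins    = 'Owners confirm every member still needs access.'
    descriptionForReviewers = 'Deny anyone who no longer needs this group.'
    # What is reviewed: the group's members.
    scope = @{
        '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
        query         = "/groups/$groupId/transitiveMembers"
        queryType     = 'MicrosoftGraph'
    }
    # Who reviews: the group's owners, resolved afresh for each instance.
    reviewers = @(
        @{ query = "/groups/$groupId/owners"; queryType = 'MicrosoftGraph' }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true   # flags members with no recent sign-in activity
        instanceDurationInDays          = 14
        # Decisions nobody makes fall back to Deny ...
        defaultDecisionEnabled          = $true
        defaultDecision                 = 'Deny'
        # ... and results are applied without an administrator clicking "Apply".
        autoApplyDecisionsEnabled       = $true
        recurrence = @{
            pattern = @{ type = 'absoluteMonthly'; interval = 3; dayOfMonth = 0 }
            range   = @{ type = 'noEnd'; startDate = (Get-Date).ToString('yyyy-MM-dd') }
        }
    }
}

$review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
$review | Select-Object Id, DisplayName, Status
```

The combination that actually removes inactive members is the last three settings together: a default decision of Deny, the default decision enabled, and auto-apply on. With auto-apply off, the review still records Deny but nothing leaves the group.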
Question 4:
You are managing a Microsoft Azure Active Directory (Azure AD) environment that includes several directory objects listed in a provided table. Your task is to determine which of these objects can be added as members to a group named Group3.
Which combination of objects is valid for membership in Group3?
A. User2 and Group2 only
B. User2, Group1, and Group2 only
C. User1, User2, Group1, and Group2
D. User1 and User2 only
E. User2 only
Correct Answer: B
Explanation:
Azure Active Directory applies a few fixed rules to what a group can hold, and they depend on the target group's type and membership type rather than on the candidate alone.
For user objects:
User1 and User2 are user accounts. A user (member or guest) can be added to any group with assigned membership; only a dynamic group refuses manual members, because its membership comes from its rule.
For group objects:
Group1 and Group2 can be nested in Group3 provided Group3 is a security group with assigned membership and they are themselves security groups. Nesting is what hierarchical access control relies on, but it is a security-group feature: a Microsoft 365 group contains users only, cannot contain other groups, and cannot be nested inside another group.
Applying those rules, User2, Group1 and Group2 are valid members of Group3. The answer key also excludes User1; the object table this question refers to is not reproduced here, so the reason has to be read from User1's entry in that table rather than from this page. The selection therefore is:
User2: Valid user object.
Group1 & Group2: Valid group objects, given that nesting security groups is allowed.
Other choices are less accurate because:
A omits Group1, which is valid.
C includes User1, which is excluded for reasons implied by directory configuration.
D omits the valid groups.
E is too narrow.
So, the best response is B.
Question 5:
You are overseeing 2,500 users in your Azure Active Directory tenant, all of whom currently have Office 365 E3 licenses assigned individually. You have now applied Microsoft 365 E5 licenses to the same users using the Groups blade in Azure AD.
What is the most efficient way to remove the older E3 licenses from these users?
A. Use the Identity Governance blade in Azure AD
B. Use the Set-AzureADUser cmdlet
C. Use the Licenses blade in Azure AD
D. Use the Set-WindowsProductKey cmdlet
Correct Answer: C
Explanation:
When you're managing licenses for a large user base, especially during a transition from one license type to another (e.g., from Office 365 E3 to Microsoft 365 E5), efficiency and minimal administrative overhead are key. Azure AD provides specific tools for these tasks.
The Licenses blade in the Azure Active Directory admin center (Billing, then Licenses, then All products in the Microsoft Entra admin center) is built for bulk license operations. Because E5 already reaches these users through the group, what remains is to strip the direct E3 assignment, and doing that user by user is slow. From the blade an administrator can:
View all license assignments.
Modify or remove licenses from users or groups.
Track which users receive licenses via direct assignment versus group-based assignment.
Using the Licenses blade streamlines this process significantly for all 2,500 users, minimizing manual effort.
Here's why the other options are not suitable:
A (Identity Governance blade): Focuses on access reviews and entitlement management—not license assignment.
B (Set-AzureADUser): Edits user attributes such as display name, usage location or account-enabled state; it has no license parameters. The licensing cmdlets are Set-AzureADUserLicense (deprecated AzureAD module) and Set-MgUserLicense (Microsoft Graph PowerShell), and a script built on those can do the job, but the cmdlet named in this option cannot.
D (Set-WindowsProductKey): Deals with Windows OS activation keys and is completely unrelated to Microsoft 365 or Azure AD licensing.
Therefore, the Licenses blade is the most appropriate and efficient tool for license removal in this context. The correct choice is C.
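For completeness, the scripted route the exam's option B gestures at, as an added example that is not from the original page: it removes the direct E3 only from users whose group-based E5 is already active, so nobody is left without a license mid-migration. ENTERPRISEPACK and SPE_E5 are Microsoft's SKU part numbers for Office 365 E3 and Microsoft 365 E5; the script assumes the Microsoft Graph PowerShell SDK.

```powershell
# Added example (not from the original page): remove the direct Office 365 E3 assignment from
# every user who already receives Microsoft 365 E5 through a group, leaving everything else alone.
# Requires the Microsoft Graph PowerShell SDK and:
#   Connect-MgGraph -Scopes 'User.ReadWrite.All','Organization.Read.All'

$skus  = Get-MgSubscribedSku
$e3Sku = ($skus | Where-Object SkuPartNumber -eq 'ENTERPRISEPACK').SkuId   # Office 365 E3
$e5Sku = ($skus | Where-Object SkuPartNumber -eq 'SPE_E5').SkuId           # Microsoft 365 E5
if (-not $e3Sku -or -not $e5Sku) { throw 'E3 or E5 SKU not found in this tenant' }

# licenseAssignmentStates tells direct and group assignments apart: assignedByGroup is $null for
# a direct assignment and holds the group ID when the license was inherited.
$users = Get-MgUser -All -Property Id,UserPrincipalName,LicenseAssignmentStates

$report = foreach ($u in $users) {
    $states   = @($u.LicenseAssignmentStates)
    $directE3 = $states | Where-Object { $_.SkuId -eq $e3Sku -and -not $_.AssignedByGroup }
    $groupE5  = $states | Where-Object { $_.SkuId -eq $e5Sku -and $_.AssignedByGroup -and $_.State -eq 'Active' }

    if (-not $directE3) { continue }                     # nothing to clean up for this user
    if (-not $groupE5) {
        # Don't strand the user: keep E3 until the group-based E5 has actually been processed.
        [pscustomobject]@{ User = $u.UserPrincipalName; Action = 'kept E3 (group E5 not active yet)' }
        continue
    }
    try {
        # Only a direct assignment can be removed this way; a group-inherited license is rejected
        # here and has to be removed by taking the user out of the group.
        Set-MgUserLicense -UserId $u.Id -AddLicenses @() -RemoveLicenses @($e3Sku) | Out-Null
        [pscustomobject]@{ User = $u.UserPrincipalName; Action = 'removed direct E3' }
    } catch {
        [pscustomobject]@{ User = $u.UserPrincipalName; Action = "failed: $($_.Exception.Message)" }
    }
}
$report | Format-Table -AutoSize
```

Run it once with -WhatIf on Set-MgUserLicense to get the report without changes; the "kept E3" rows are the users to revisit after group-based licensing has finished processing.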
Question 6:
Your organization is preparing to invite a large number of external users for Azure AD B2B (business-to-business) collaboration. When preparing a bulk invitation file for these external users, which two parameters must be included for the invitation to work properly?
A. Email Address
B. Redirection URL
C. Username
D. Shared Key
E. Password
Correct Answer: A and B
Explanation:
Azure Active Directory supports B2B collaboration, which enables organizations to securely share resources with external partners. When you need to invite multiple users at once, you can use the bulk invitation process in the admin center, which takes a CSV file in a fixed template.
The template has two required columns and two optional ones. The required ones are:
Email address to invite [inviteeEmail] (A): identifies the guest and is where the invitation is sent. The guest then signs in with whatever identity that address resolves to (another Azure AD tenant, a Microsoft account, Google or SAML/WS-Fed federation, or a one-time passcode); your tenant never holds a password for them.
Redirection URL [inviteRedirectURL] (B): the page the guest lands on after accepting the invitation, typically the My Apps portal or the application they are being invited to. A row without it is rejected.
Other options explained:
C (Username): not a column; the email address is the identifier.
D (Shared Key): not part of Azure AD B2B invitations.
E (Password): not a column. A guest authenticates with their home identity provider or a one-time passcode, so no password is ever set in your tenant. The remaining template columns are Send invitation message (true/false) and Customized invitation message, both optional.
Therefore, the two required fields are A and B. Answer keys that give A and E are wrong: there is no password in a B2B invitation, and that is the point of B2B.
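The same bulk invitation driven from PowerShell, as an added example rather than code from the original page. It uses the two required columns under the template's bracketed names, skips rows missing either, and never touches a password. The CSV rows and the domains in them are constructed for illustration; the script assumes the Microsoft Graph PowerShell SDK.

```powershell
# Added example (not from the original page): bulk-invite guests from a CSV with the two required
# columns. Requires Microsoft.Graph.Identity.SignIns and:
#   Connect-MgGraph -Scopes 'User.Invite.All'

# Constructed sample input (placeholder addresses and tenant name).
$rows = @"
inviteeEmail,inviteRedirectURL
alice@fabrikam.example,https://myapps.microsoft.com/?tenantid=contoso.onmicrosoft.com
bob@adatum.example,https://myapps.microsoft.com/?tenantid=contoso.onmicrosoft.com
,https://myapps.microsoft.com/?tenantid=contoso.onmicrosoft.com
"@ | ConvertFrom-Csv
# For a real file: $rows = Import-Csv .\guests.csv

$results = foreach ($row in $rows) {
    # Both columns are mandatory; the portal rejects such rows, so do the same up front.
    if ([string]::IsNullOrWhiteSpace($row.inviteeEmail) -or
        [string]::IsNullOrWhiteSpace($row.inviteRedirectURL)) {
        [pscustomobject]@{ Email = $row.inviteeEmail; Status = 'skipped: inviteeEmail and inviteRedirectURL are required'; UserId = $null }
        continue
    }
    try {
        $inv = New-MgInvitation -InvitedUserEmailAddress $row.inviteeEmail `
                                -InviteRedirectUrl $row.inviteRedirectURL `
                                -SendInvitationMessage:$true
        # Status is PendingAcceptance until the guest redeems the invitation; the guest object
        # already exists in the tenant (userType = Guest) from this point on.
        [pscustomobject]@{ Email = $row.inviteeEmail; Status = $inv.Status; UserId = $inv.InvitedUser.Id }
    } catch {
        [pscustomobject]@{ Email = $row.inviteeEmail; Status = "failed: $($_.Exception.Message)"; UserId = $null }
    }
}
$results | Format-Table -AutoSize
```

The created guest objects are worth tracking: an invitation that is never redeemed still leaves a user object in the directory, which is what access reviews of guests exist to clean up.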
You are overseeing an Azure Active Directory (Azure AD) environment with multiple user and group objects. Considering the setup of these objects, which entities can legitimately be assigned as members of Group3?
A. User2 and Group2 only
B. User2, Group1, and Group2 only
C. User1, User2, Group1, and Group2
D. User1 and User2 only
E. User2 only
Correct Answer: B
Explanation:
In Azure Active Directory, whether an object can be added to a group depends on the target group's type and membership type. There are two group types, security groups and Microsoft 365 groups, and each can have assigned membership, dynamic user membership or dynamic device membership; only assigned membership accepts manually added members.
Nested group membership, one group as a member of another, is a security-group feature: security groups can contain users, devices, service principals and other security groups. Microsoft 365 groups contain users only and cannot contain other groups, and a Microsoft 365 group cannot itself be nested inside another group. Groups managed in Exchange (distribution lists and mail-enabled security groups) cannot have their membership edited in Azure AD at all.
In this scenario, User2 is a user and can be added to Group3. Group1 and Group2 can be nested within Group3, assuming Group3 is a security group with assigned membership and both of them are security groups.
User1 is not eligible according to the answer key. That exclusion comes from User1's entry in the object table, which is not reproduced on this page, not from a general rule: a user object as such can be added to an assigned security group.
Let’s break down the options:
Option A: Incorrect—User2 and Group2 are allowed, but it omits Group1.
Option B: Correct—User2, Group1, and Group2 can all be added.
Option C: Incorrect—includes User1, who cannot be added.
Option D: Incorrect—excludes groups, which are allowed.
Option E: Incorrect—too limited; omits valid group members.
Therefore, the only accurate set of members that can be assigned to Group3 is User2, Group1, and Group2.
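A pre-check that encodes the rules above (the ones Question 4 and this question both turn on) before calling New-MgGroupMember, as an added example that is not part of the original page. The candidate and target objects are constructed for illustration and are not the exam's table; with live objects, the type comes from $obj.AdditionalProperties['@odata.type'] on what Get-MgGroupMember or Get-MgDirectoryObject returns. The rule that a Microsoft 365 group cannot be nested is stated as Microsoft documents it today and is marked as an assumption in the code.

```powershell
# Added example (not from the original page): decide whether a candidate may be added to a group.
function Test-GroupMemberCandidate {
    # Returns $null when $Candidate may be added to $Target, otherwise the blocking rule.
    param(
        [Parameter(Mandatory)] $Target,     # needs GroupTypes, MailEnabled, SecurityEnabled
        [Parameter(Mandatory)] $Candidate   # needs Type: user | group | device | servicePrincipal; groups also GroupTypes
    )
    if ($Target.GroupTypes -contains 'DynamicMembership') {
        return 'target has dynamic membership; members come only from its rule'
    }
    $targetIsM365 = $Target.GroupTypes -contains 'Unified'
    if ($Target.MailEnabled -and -not $targetIsM365) {
        return 'distribution list / mail-enabled security group: membership is managed in Exchange'
    }
    switch ($Candidate.Type) {
        'user' { return $null }                                   # members and guests alike
        { $_ -in 'device', 'servicePrincipal' } {
            if ($targetIsM365) { return 'Microsoft 365 groups hold users only' }
            return $null
        }
        'group' {
            if ($targetIsM365) { return 'Microsoft 365 groups cannot contain other groups' }
            # Assumption (per current Microsoft guidance): a Microsoft 365 group cannot be nested.
            if ($Candidate.GroupTypes -contains 'Unified') { return 'a Microsoft 365 group cannot be a member of another group' }
            return $null                                           # security group inside security group
        }
        default { return "unsupported member type '$($Candidate.Type)'" }
    }
}

# Constructed objects (assumed, not the exam's table).
$targets = @(
    [pscustomobject]@{ DisplayName = 'Group3 as security group, assigned'; GroupTypes = @();          MailEnabled = $false; SecurityEnabled = $true }
    [pscustomobject]@{ DisplayName = 'Group3 as Microsoft 365 group';     GroupTypes = @('Unified'); MailEnabled = $true;  SecurityEnabled = $false }
)
$candidates = @(
    [pscustomobject]@{ DisplayName = 'User2';                Type = 'user' }
    [pscustomobject]@{ DisplayName = 'Group1 (security)';    Type = 'group'; GroupTypes = @() }
    [pscustomobject]@{ DisplayName = 'Group2 (security)';    Type = 'group'; GroupTypes = @() }
    [pscustomobject]@{ DisplayName = 'GroupM (M365)';        Type = 'group'; GroupTypes = @('Unified') }
)
foreach ($t in $targets) {
    "== $($t.DisplayName)"
    foreach ($c in $candidates) {
        $why = Test-GroupMemberCandidate -Target $t -Candidate $c
        '  {0,-20} {1}' -f $c.DisplayName, $(if ($why) { "blocked: $why" } else { 'ok' })
    }
}
# Security-group target: User2, Group1, Group2 ok; GroupM blocked.
# Microsoft 365 target: only User2 ok.

# Live use, once the check returns $null:
#   New-MgGroupMember -GroupId $group3Id -DirectoryObjectId $candidateId
```

The second target shows why the answer hinges on Group3's type: the same three candidates collapse to "User2 only" (option E) the moment Group3 is a Microsoft 365 group.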
You're managing a hybrid identity setup where your on-premises Active Directory (AD) is synchronized with Azure Active Directory (Azure AD). After disabling a user in AD, you observe that they can still log in to Azure AD for up to 30 minutes. You're tasked with stopping access immediately upon account disablement.
Will enabling password writeback achieve this goal?
A. Yes
B. No
Correct Answer: B
Explanation:
Password writeback is a feature of Azure AD Connect that allows users to reset or change their passwords in Azure AD, with those changes then written back to the on-premises Active Directory. This feature is primarily used to maintain password consistency between the cloud and on-premises environments.
However, enabling password writeback does not impact account status synchronization, such as disabling a user. The issue described in the question stems from the default Azure AD Connect synchronization interval, which runs every 30 minutes. As a result, when a user account is disabled in the on-premises AD, the change may take up to 30 minutes to reflect in Azure AD—during which time the user can still authenticate.
To immediately block access upon account disablement, other solutions must be considered:
Trigger the sync now: on the Azure AD Connect server, Start-ADSyncSyncCycle -PolicyType Delta pushes pending changes, including the disabled flag, instead of waiting for the 30-minute scheduler. This needs an operator or an automated runbook, so it is a response action rather than a design fix.
Revoke sessions after the sync: Conditional Access cannot see the on-premises account state, so a policy cannot key off it; and once Azure AD marks the user disabled, refresh tokens and sessions issued earlier remain usable until they expire unless they are revoked (Revoke-MgUserSignInSession in Microsoft Graph PowerShell). For applications that support Continuous Access Evaluation, the disable event itself is enforced in near real time; for the rest, revoke explicitly.
Identity Protection and risk-based policies react to risk signals (leaked credentials, anomalous sign-ins), not to an on-premises disable, so they do not address this scenario either.
In conclusion, password writeback is not a solution for blocking disabled users immediately. It only carries password changes back to on-premises AD; it has nothing to do with account status or access control. What closes the gap is forcing the delta sync and then revoking the user's sessions, which is what the answer "No" is pointing at.
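The response runbook those steps describe, as an added example that is not from the original page. It assumes it runs on the Azure AD Connect server (ADSync and ActiveDirectory modules present) with the Microsoft Graph PowerShell SDK connected; the UPN is a placeholder.

```powershell
# Added example (not from the original page): disable on-prem, force the delta sync, wait for the
# cloud object to flip, then revoke what the sync does not touch. Requires:
#   Connect-MgGraph -Scopes 'User.ReadWrite.All'
function Invoke-ImmediateDisable {
    param([Parameter(Mandatory)][string] $Upn)

    # 1. Disable on-premises; AD is the source of authority for a synced user.
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'"
    if (-not $adUser) { throw "No on-premises user with UPN $Upn" }
    Disable-ADAccount -Identity $adUser

    # 2. Push the change now instead of waiting for the 30-minute delta schedule.
    Import-Module ADSync
    while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 15 }
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

    # 3. Wait until Azure AD reflects accountEnabled = false.
    $deadline = (Get-Date).AddMinutes(5)
    do {
        Start-Sleep -Seconds 10
        $cloudUser = Get-MgUser -UserId $Upn -Property Id,AccountEnabled
    } while ($cloudUser.AccountEnabled -and (Get-Date) -lt $deadline)
    if ($cloudUser.AccountEnabled) { throw "Azure AD still reports $Upn enabled after the delta sync" }

    # 4. Disabling does not invalidate tokens already issued. Revoke refresh tokens and sessions;
    #    access tokens for apps without Continuous Access Evaluation live until they expire.
    Revoke-MgUserSignInSession -UserId $cloudUser.Id | Out-Null
    [pscustomobject]@{ User = $Upn; CloudEnabled = $cloudUser.AccountEnabled; SessionsRevoked = $true }
}

Invoke-ImmediateDisable -Upn 'jdoe@contoso.com'   # placeholder UPN
```

Step 4 is the one teams forget: with the default sync the user keeps access for up to 30 minutes, and without revocation they keep it for as long as their refresh token lasts even after the sync has run.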
You are implementing conditional access policies in Azure Active Directory (Azure AD). Your goal is to require multi-factor authentication (MFA) when users sign in from untrusted locations, but allow seamless access from trusted corporate networks.
What should you do first to support this configuration?
A. Create a named location for trusted IP ranges
B. Configure identity protection risk policies
C. Enable Azure AD Seamless SSO
D. Assign MFA registration policy to all users
Correct Answer: A
Explanation:
To require multi-factor authentication (MFA) based on the user's sign-in location, Conditional Access must be used in conjunction with named locations in Azure AD. The first and most crucial step in this process is to define trusted IP ranges: usually the corporate network's public egress addresses, where MFA isn't required for ease of access.
Named locations tell Conditional Access whether a sign-in attempt is coming from a trusted or untrusted location. After creating a named location with your trusted IPs, you can apply a Conditional Access policy that excludes that location and requires MFA for every other sign-in.
Let’s briefly review the options:
A (Correct) – Creating a named location for the trusted IPs is the prerequisite for any location-based Conditional Access policy; the policy cannot reference a location that does not exist yet.
B – Identity Protection policies are driven by risk levels (user risk, sign-in risk), not by IP ranges or geography.
C – Seamless SSO provides single sign-on from domain-joined devices on the corporate network. Useful, but it has no part in enforcing location-based MFA.
D – MFA registration matters, but it is not the first step in setting up location-based Conditional Access.
Thus, the first and correct step is to create a named location representing the trusted network. With that in place, Conditional Access can evaluate sign-in context and require MFA only where needed.
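The two objects in the order the question asks for, as an added example that is not part of the original page: first the named location, then a policy that references it. The CIDR (a TEST-NET range) and the break-glass account ID are placeholders; the script assumes the Microsoft Graph PowerShell SDK.

```powershell
# Added example (not from the original page): trusted named location, then MFA-elsewhere policy.
#   Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.ConditionalAccess'

# Step 1: the named location. isTrusted also feeds Identity Protection, which treats
# sign-ins from trusted locations as lower risk.
$corp = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corporate egress'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }   # placeholder range
    )
}

# Step 2: the policy. Created in report-only mode so sign-in logs show what it would do first.
$breakGlass = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency-access account object ID
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Require MFA outside corporate network'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications = @{ includeApplications = @('All') }
        # "All locations" minus the trusted one: anything not corporate gets the grant control.
        locations    = @{ includeLocations = @('All'); excludeLocations = @($corp.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

[pscustomobject]@{ LocationId = $corp.Id; PolicyId = $policy.Id; State = $policy.State }
# Flip to enforcement only after reviewing the report-only results:
#   Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -State 'enabled'
```

Two details matter in production: the excluded emergency-access account, without which a mistake in the IP list locks administrators out, and the report-only start, which is how you find the VPN or proxy egress you forgot to list before users do.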
You are managing access to multiple enterprise applications integrated with Azure Active Directory (Azure AD). Your organization wants to implement just-in-time (JIT) access with approval workflows for these apps.
What feature should you configure to meet this requirement?
A. Conditional Access
B. Azure AD Identity Protection
C. Privileged Identity Management (PIM)
D. Azure AD B2B Guest Access
Correct Answer: C
Explanation:
When your organization needs just-in-time (JIT) access with approval workflows for users of enterprise apps, the most suitable feature among those listed is Privileged Identity Management (PIM).
PIM, part of Microsoft Entra ID Governance (and of Entra ID P2), enforces least privilege by making privileged assignments eligible rather than permanently active. It covers Azure AD directory roles, Azure resource roles and, through PIM for Groups, membership of security and Microsoft 365 groups. It provides:
Time-bound access to Azure AD roles, Azure resources and PIM-managed groups.
Approval-based activation workflows.
MFA requirements before activation.
Justification and auditing capabilities.
For an enterprise application this works indirectly: assign the application (or one of its app roles) to a group, onboard that group to PIM, and make users eligible for the group. A user then activates membership for a bounded window, behind an approver if the group's PIM policy says so, and the app assignment follows the membership. Entitlement management access packages also offer approval-based access to apps, but they are not among the options here.
Now let’s analyze the other options:
A – Conditional Access is useful for enforcing policies like MFA or blocking access, but it does not provide JIT role elevation or approval workflows.
B – Identity Protection focuses on risk detection and remediation for identities (like sign-in risk and user risk), not access management.
D – B2B Guest Access allows external users to collaborate with internal apps but does not manage role elevation or JIT workflows.
Therefore, Privileged Identity Management (PIM) is the correct and most relevant tool to configure just-in-time access with approval workflows for enterprise apps in Azure AD.
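The PIM for Groups flow for an app, as an added example that is not part of the original page, using raw Microsoft Graph calls through Invoke-MgGraphRequest. It assumes the application is assigned to the security group below and that the group has already been onboarded to PIM; both IDs are placeholders, and whether the activation waits for an approver is decided by the group's PIM policy, not by the request.

```powershell
# Added example (not from the original page): eligibility, activation and audit for PIM for Groups.
#   Connect-MgGraph -Scopes 'PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup',
#                           'PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup'
$groupId = '00000000-0000-0000-0000-000000000001'   # placeholder: group the app is assigned to
$userId  = '00000000-0000-0000-0000-000000000002'   # placeholder: user who needs JIT access
$pim     = 'https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group'
$nowUtc  = (Get-Date).ToUniversalTime().ToString('o')

# Administrator: make the user *eligible* for membership for one year. Nothing is granted yet.
$eligibility = @{
    accessId      = 'member'
    principalId   = $userId
    groupId       = $groupId
    action        = 'adminAssign'
    justification = 'Finance app users: eligible, not standing access'
    scheduleInfo  = @{
        startDateTime = $nowUtc
        expiration    = @{
            type        = 'afterDateTime'
            endDateTime = (Get-Date).AddYears(1).ToUniversalTime().ToString('o')
        }
    }
}
Invoke-MgGraphRequest -Method POST -Uri "$pim/eligibilityScheduleRequests" -Body $eligibility | Out-Null

# User (run in the user's own session): activate membership for four hours. If the group's PIM
# policy requires approval the request stays PendingApproval until an approver acts; MFA and
# justification requirements come from that same policy.
$activation = @{
    accessId      = 'member'
    principalId   = $userId
    groupId       = $groupId
    action        = 'selfActivate'
    justification = 'Month-end close in the finance application'
    scheduleInfo  = @{
        startDateTime = $nowUtc
        expiration    = @{ type = 'afterDuration'; duration = 'PT4H' }
    }
}
$request = Invoke-MgGraphRequest -Method POST -Uri "$pim/assignmentScheduleRequests" -Body $activation
$request.status   # e.g. PendingApproval, or Provisioned when no approval is required

# Audit: who currently holds active membership through PIM, and until when.
(Invoke-MgGraphRequest -Method GET -Uri "$pim/assignmentSchedules?`$filter=groupId eq '$groupId'").value |
    Select-Object principalId, assignmentType, @{ n = 'ends'; e = { $_.scheduleInfo.expiration.endDateTime } }
```

The app itself never changes: its assignment stays on the group, and membership in that group is what expires. That is the property to verify after setup, by confirming the user cannot reach the app before activating and loses it again when the four hours are up.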