Free and Premium Microsoft SC-300 Dumps Questions Answers

In Azure AD Identity Governance, application access granted through Entitlement management is organized around catalogs and access packages. The SC-300 study materials explain that “a catalog is a container for resources and access packages” and that you must add your enterprise applications (or the groups tied to those apps) to a catalog before you can build access packages that users can request. Creating the catalog first enables you to place only the required resources in scope and to delegate day-to-day ownership: “catalog owners can manage the resources and access packages within their catalog without being tenant-wide admins,” satisfying the delegation requirement to use custom catalogs and least privilege. After the catalog exists, you create one or more access packages that include the application (or groups) and policies that control who can request, how they are approved, and for how long. Identity Governance then lets you track access package assignments and review who has the app over time. By contrast, programs are used to group and report on governance initiatives (for example, collections of access reviews) rather than to onboard application resources; and modifying user/admin consent settings affects app consent behavior, not the lifecycle tracking of assignments. Therefore, the correct first step to track application access assignments while meeting the delegation requirements is to create a catalog.

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and Microsoft Learn modules “Implement and manage Azure AD roles” and “Implement Privileged Identity Management (PIM)” , there is a clear distinction between Azure AD built-in roles and Azure (resource-based) built-in roles.

Azure AD built-in roles govern directory-level access — such as managing users, groups, enterprise apps, or security settings in Azure Active Directory (Entra ID). The Privileged Role Administrator role allows the user to manage role assignments for directory roles in Azure AD, including activating roles through PIM. The Global Administrator also has this capability, but the Privileged Role Administrator is the least privilege role that meets the delegation requirement — aligning with the principle of least privilege stated in the scenario. As the documentation notes:

“Privileged Role Administrator manages role assignments in Azure AD, including the ability to activate and assign roles through Azure AD Privileged Identity Management.”

Azure built-in roles, on the other hand, are used to control access at the Azure resource level — for subscriptions, resource groups, and individual resources. The role responsible for managing these assignments is the User Access Administrator. This role can grant or revoke access to Azure resources by managing role assignments within Azure RBAC (Role-Based Access Control). The Microsoft documentation states:

“User Access Administrator allows management of user access to Azure resources. It can assign roles in Azure RBAC for resources, subscriptions, and management groups.”

Therefore:

✅ To manage Azure AD built-in role assignments → Privileged role administrator

✅ To manage Azure built-in role assignments → User access administrator

This approach satisfies the delegation requirement mentioned in the scenario by assigning the least-privileged roles necessary for each type of role management task.

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and the Microsoft Learn module “Monitor and respond to Azure AD events with Azure Sentinel” , multi-staged attacks are advanced threat scenarios that require correlation of multiple events — for example, a suspicious sign-in followed by abnormal Office 365 activity.

The scenario in the question states:

“Litware wants to use the Fusion rule in Azure Sentinel to detect multi-staged attacks that include a combination of suspicious Azure AD sign-ins followed by anomalous Microsoft Office 365 activity.”

Azure Sentinel’s Fusion rule is a built-in, machine-learning–driven correlation rule that automatically detects multi-stage attacks by analyzing anomalies across multiple data sources such as Azure AD sign-in logs, Office 365 activity, and security alerts.

However, to fine-tune detection or meet specific organizational monitoring requirements, administrators can customize the rule logic in Sentinel analytics. This allows you to define how different signals and events are correlated, what thresholds trigger an alert, and how Sentinel interprets combined anomalies.

Microsoft documentation states:

“Fusion uses correlation logic in analytics rules to detect complex multi-stage attacks. Administrators can customize rule logic to meet specific detection requirements and fine-tune alert sensitivity.”

The other options do not meet the requirement:

B. Create a workbook → Used for visualization and reporting, not detection.

C. Add data connectors → Used to ingest data sources; this is already configured.

D. Add a playbook → Used for automated response, not for detection logic configuration.

✅ Correct Answer: A. Customize the Azure Sentinel rule logic

SC-300 emphasizes using Conditional Access with named locations to scope MFA—especially to exclude trusted corporate egress IPs . The materials state that administrators can define named locations by public IP ranges and “mark them as trusted” for policy exceptions. This aligns with the requirement: enforce MFA for all users, but exempt users authenticating from the Boston office. Because Azure AD evaluates the client’s public egress address, private RFC1918 ranges are never seen by Azure AD on the internet, so defining private IP ranges would not work. Likewise, the legacy “Trusted IPs” setting belongs to the old per-user MFA service settings; SC-300 guidance prefers Conditional Access named locations for modern MFA deployments and for combining with other conditions (apps, platforms, user risk, locations). Implementing the Boston office as a named location using its public egress IP range(s), and marking it trusted, lets you exclude that location from the tenant-wide MFA policy while still meeting the broader requirement to enforce MFA for everyone else and for on-prem apps published via Azure AD Application Proxy. In short: define Boston’s public IP as a named location and use it in your Conditional Access policy exclusion to satisfy the exemption precisely and securely.

In the SC-300 coverage of Azure AD Connect and Identity Governance, Microsoft explains that to surface a custom on-premises attribute in Azure AD you must enable Directory extensions in Azure AD Connect. The guide states that “Directory extensions lets you synchronize additional attributes from on-premises Active Directory to Azure AD so they are available in the cloud directory for apps and policy.” This is the supported way to bring a custom attribute (here, LWLicenses ) from the litware.com forest into Azure AD so it can be referenced by cloud features such as dynamic group rules. Domain filtering or optional features do not expose a new attribute to Azure AD; directory extensions does.

For license automation, the SC-300 materials on group-based licensing and dynamic groups emphasize that “licenses can be assigned to Azure AD groups; group members then inherit the licenses, and when membership changes, licenses are added or removed automatically.” They further note that “dynamic user groups evaluate rules against user attributes to add or remove users without manual effort,” and that “nested groups are not supported for license inheritance—only direct members receive licenses.” Using the synced LWLicenses attribute in a Dynamic User group rule (for example, user.extensionAttribute… -eq " E5 " ) ensures users are automatically added to the correct group and therefore receive the specified licenses without administrative intervention, fully meeting Litware’s requirement to “manage the assignment of Azure AD licenses by modifying the value of the LWLicenses attribute.”

Server1

On DC1

Azure AD Password Protection has two components: the DC agent (installed on domain controllers) and the proxy service (installed on one or more member servers). The SC-300 materials and Microsoft Identity Governance guidance explain that the proxy service is required when domain controllers do not have direct internet access. The proxy retrieves the password protection policy and custom banned password list from Azure AD over outbound HTTPS and makes it available to DC agents. The documentation further states that you should deploy at least one proxy per forest and two for high availability, and that domain controllers do not need internet connectivity when a proxy is deployed. In this scenario, DCs are explicitly blocked from internet access, so the proxy must be placed on member servers. Both SERVER1 (Application Proxy connector) and SERVER2 (Azure AD Connect) are domain-joined member servers with internet connectivity and are appropriate locations for the AzureADPasswordProtectionProxy service; selecting both provides the recommended redundancy. The custom banned password list is configured in Azure AD at the tenant level (as part of Azure AD Password Protection settings), not on individual servers. Once configured, the policy and list are downloaded by the proxy and enforced by the DC agent during password set or change operations, satisfying the requirement to implement a banned password list for the litware.com forest.

In SC-300, Azure AD Identity Protection is the prescribed control to “automatically detect and remediate externally leaked credentials.” That specific user risk—Leaked credentials—relies on Microsoft comparing known breached username/password pairs with what Azure AD can evaluate. The study materials explain that Identity Protection “detects leaked credentials when Microsoft finds a match with the user’s current credentials,” and also note that password hash synchronization (PHS) can be enabled even if your sign-in method is Pass-through Authentication or federation. A common exam call-out is that without PHS, Azure AD has no hash to compare, so the leaked-credential signal is unavailable. Enabling PHS (you can keep PTA as the active sign-in method) allows Identity Protection to raise user risk and enforce policy actions such as require password change or block access. By contrast, Azure AD Password Protection addresses banned/weak passwords at change time, not breached-credential telemetry; federation choices (e.g., PingFederate) don’t deliver the leaked-credential signal; and authentication method policy controls how users perform MFA (e.g., methods) rather than whether leaked credentials are detected. Therefore, to meet the requirement to “automatically detect and remediate externally leaked credentials,” the minimum correct step is to enable password hash synchronization while retaining PTA—exactly as recommended in SC-300 guidance.

SC-300 materials stress that to enforce modern controls (like MFA) on on-premises apps, you must front them with Azure AD so Conditional Access can evaluate sign-ins. The documentation states that Azure AD Application Proxy “ provides secure remote access to on-premises applications ” and that apps published through it can have “ Conditional Access policies, including multifactor authentication ” applied at sign-in. In other words, once the legacy app is published by Application Proxy, Azure AD sits in the path, enabling you to meet the requirement to enforce MFA when accessing on-premises applications and to combine it with your location-based exemptions.

For SharePoint Online restrictions, SC-300 points to Microsoft Cloud App Security (Defender for Cloud Apps) for real-time governance: you can create session policies that “ control and limit activities in real time ” and, for SharePoint Online and other Microsoft 365 apps, “ monitor user sessions and block download, cut, copy, and print ” when conditions (device state, risk, or location) warrant it. Since the scenario already has anomaly detections enabled, configuring Cloud App Security policies aligns directly with the requirement to place access restrictions on SharePoint Online without altering tenant-wide consent settings. Thus, publish on-prem apps with Application Proxy to bring them under Conditional Access (for MFA), and use Cloud App Security policies to enforce SharePoint Online session and download controls.

According to the Microsoft Identity and Access Administrator (SC-300) Exam Ref and the Azure AD Dynamic Membership Rules documentation , when you create a dynamic group in Azure Active Directory (now Entra ID), you define rules that automatically add or remove users based on their attributes.

The scenario requires a group named LWGroup1 that contains all Azure AD user accounts for Litware but excludes all guest accounts . In Azure AD, internal users created within the tenant are designated with the attribute user.userType = " Member " , while external or guest accounts from partner organizations have user.userType = " Guest " .

To ensure only internal (Litware) users are included, the membership rule must:

Ensure the user object exists — by checking (user.objectId -ne null) which confirms that the rule only applies to valid user objects.

Include only members, excluding guests — by filtering with (user.userType -eq " Member " ) .

Hence, the dynamic rule that satisfies these conditions is:

(user.objectId -ne null) and (user.userType -eq " Member " )

This rule guarantees that LWGroup1 dynamically includes all internal users from litware.com and excludes all external users or guest accounts (such as Fabrikam users).

This logic aligns precisely with the Microsoft Learn module “Manage groups in Azure Active Directory” and SC-300 study guide section “Implement and manage dynamic membership rules” , which states:

“Use user.userType to distinguish between internal members and external guests when configuring membership rules for dynamic groups.”

✅ Correct Answer:

(user.objectId -ne null) and (user.userType -eq " Member " )

In Azure AD Privileged Identity Management (PIM), the SC-300 materials explain that role assignment type determines how a user obtains permissions. An eligible assignment means the user requests activation when needed; an active assignment grants continuous permissions. As the guide states, “Eligible assignments require the user to activate the role for just-in-time access, while active assignments grant standing access.” To allow users of the User administrator role to request the role when needed , you must set assignments to Eligible rather than active.

The same objective also calls for ensuring this capability is available “for up to one year.” In PIM role configuration, the duration of an eligibility is controlled by the Expire eligible assignments after policy. The documentation describes that administrators can “configure the maximum duration for eligible assignments by setting ‘Expire eligible assignments after’ to a specific period (for example, months up to one year).” Therefore, you must modify the “Expire eligible assignments after” setting to the required period.

No requirement mentions activation justification or ticket metadata; those are optional controls used to add context to activations. Consequently, the two actions that directly satisfy the stated technical requirement are: set all assignments to Eligible (C) and configure “Expire eligible assignments after” (D) .

Azure AD External collaboration settings govern who can bring guests into the tenant. The SC-300 content specifies: “External collaboration settings let you control who can invite guests (Anyone, Members, Guests, or Only admins and users in the Guest Inviter role) and whether guests can invite.” It also highlights: “To restrict guest invitations to administrators or designated inviters, configure External collaboration to ‘Only admins and users in the Guest Inviter role’ and disable guest-to-guest invitations if required.” Because the problem states that “Anyone in the organization can invite guest users, including other guests and non-administrators,” the remediation is to tighten External collaboration settings so only approved roles (e.g., Global admins, Guest Inviter, or specific administrators) can invite. Access reviews address periodic entitlement verification, Conditional Access enforces sign-in/session policies, and Continuous Access Evaluation relates to token lifetime/signal-based revocation; none of these change who can send guest invitations. Adjusting External collaboration settings directly resolves the issue and aligns with the requirement that “only users that are assigned specific admin roles can invite guest users.”

Assigning built-in directory roles (like Device Administrators) to a group requires a role-assignable group. The SC-300 documentation explains: “You can assign Azure AD roles to a cloud security group by creating the group with the setting ‘Azure AD roles can be assigned to the group.’” It further emphasizes: “This attribute is immutable; you must decide at creation time. You cannot convert an existing group to be role-assignable later.” When a standard security group is not created as role-assignable, it will not appear in the picker when attempting to assign a directory role—exactly the behavior observed: “groups that aren’t role-assignable cannot be selected for Azure AD role assignments.” Therefore, the first step is to recreate IT_Group1 as a role-assignable security group (often called an “eligible for role assignment” group) and then assign the Device Administrators role to that group. Changing membership types (Dynamic User or Dynamic Device) or adding owners does not convert an existing group into a role-assignable one and thus would not resolve the issue.

For Identity Governance (Entitlement Management), the materials clarify who can create and manage access reviews of access packages: “To create or manage access reviews for access packages, you must be a Global administrator, an Identity Governance administrator, a catalog owner for the catalog that contains the access package, or an access package manager.” The exam text also states: “User administrator does not grant the ability to manage entitlement management access reviews unless the user is delegated as a catalog owner or access package manager.” Given the scenario’s user roles, User3 (Identity Governance administrator) and User5 (Global administrator) satisfy these permissions and therefore can create and manage the access review for Package1. By contrast, User4 (User administrator) cannot perform this task by role alone. This selection follows the least-privilege guidance emphasized in SC-300: use specialized governance roles (Identity Governance admin or delegated catalog roles) rather than broad directory roles when possible.

According to the Microsoft SC-300: Identity and Access Administrator official study guide and the Microsoft Learn “Implement and manage Azure AD Identity Protection” module, Azure AD Identity Protection detects two primary categories of risks: user risks and sign-in risks.

User Risk Policy: A user risk represents the probability that a user ' s identity (credentials) has been compromised. Examples of user risk signals include leaked credentials , unusual sign-ins from different geographies , or sign-ins from infected devices . The Exam Ref SC-300 specifically lists “leaked credentials detected on the dark web or other compromised repositories” as the main trigger for a user risk policy. Such a policy can automatically force password change or enforce MFA to remediate the threat.

Sign-in Risk Policy: A sign-in risk reflects the likelihood that a specific authentication attempt is not performed by the legitimate user. Sign-in risk is based on context, such as sign-ins from suspicious browsers , anonymous IP addresses (like TOR networks) , or impossible travel sce narios . The SC-300 documentation highlights these examples as conditions best handled with a sign-in risk policy, where conditional access can block or require MFA for the risky sign-in attempt.

Therefore:

Leaked credentials are addressed through a User Risk Policy, since the account itself is compromised.

Sign-ins from suspicious browsers and access from anonymous IP addresses are handled through Sign-in Risk Policies, as they relate to risky sessions rather than compromised identities.

In Microsoft Entra ID (Azure AD), the per-user device cap is controlled in Devices > Device settings. The SC-300 materials describe that administrators can configure “Users may join devices to Azure AD” and the “Maximum number of devices per user” . The guide notes that this limit defaults to five and is used to “control how many devices a user can join or register in Azure AD”; when users reach the limit, “they cannot add additional devices until the limit is increased or an existing device is removed.” For scenarios like field or sales staff who use multiple devices, the study content recommends adjusting this value to meet business needs. Because A. Datum’s sales users hit the current cap and a requirement states “Increase the maximum number of devices that can be joined or registered to Azure AD to 10,” the fix is to change the tenant’s Device settings—not User settings, Access reviews, or Security defaults. This aligns with the exam objective to configure device settings for Azure AD join and registration and addresses the precise symptom reported by users.

Answer is

This question asks you to apply the stated Technical Requirements for Self-Service Password Reset (SSPR) to complete the form. The specific scenario about " User3 " is a distraction, as the configuration applies to all users.

The relevant technical requirements are:

" Users must provide one authentication method to reset their password by using SSPR. "

This directly dictates the value for the Number of authentication methods required , which is 1 .

" Available methods must include: Email, Phone, Security questions, The Microsoft Authenticator app "

This lists all the options that are configured to be available for SSPR, which determines the value for Authentication methods that can be used : Email , Phone , Security   questions , The   Microsoft   Authenticator   app .

The requirement is:

“Require admin approval for application access to organizational data.”

According to the Microsoft SC-300 exam guide and Microsoft documentation on “Configure consent settings for applications”, Azure AD provides User consent settings under Enterprise applications → Consent and permissions to control how applications can request permissions to access organizational data.

By default, users can consent to allow apps to access organizational data on their behalf, which can create security risks. To ensure tighter control, administrators can:

Disable user consent entirely, or

Require admin consent workflow so that when users try to grant an app access, it must first be approved by an administrator.

The SC-300 study materials explicitly describe:

“To require administrator approval before an app can access organizational data, configure the User consent settings to use the admin consent workflow.”

This aligns perfectly with the stated requirement — to ensure admin approval is required before apps gain access to organizational data.

Other options are incorrect:

Authentication methods manage MFA and SSPR, not app consent.

Access packages are part of Identity Governance for resource access, not app consent.

Application Proxy publishes on-premises apps, not related to app consent permissions.

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and the Microsoft Learn module “Implement and manage synchronization for Azure AD” , Azure AD Connect Cloud Sync is the preferred solution when you need to synchronize objects from multiple Active Directory (AD DS) forests without establishing forest trusts .

The scenario specifies that trust relationships must NOT be established between adatum.com and litware.com , but A. Datum must still sync the AD DS users and groups of litware.com to their existing Azure AD tenant (adatum.com).

The SC-300 training materials clarify:

“Azure AD Connect cloud sync enables syncing from multiple AD forests to a single Azure AD tenant without the need for forest trusts or a full Azure AD Connect installation in each forest.”

Unlike staging mode (which provides a standby sync server for failover) or extending the same Azure AD Connect instance to another domain (which requires trust relationships and network connectivity between forests), Azure AD Connect Cloud Sync uses lightweight agents and does not depend on forest trust.

Therefore, to meet the requirement of syncing Litware’s AD DS to A. Datum’s Azure AD tenant without creating a trust , the correct choice is to configure Azure AD Connect Cloud Sync between the Azure AD tenant and the litware.com domain.

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and the Microsoft Learn module “Publish on-premises apps for remote access using Azure AD Application Proxy”, Azure AD Application Proxy enables secure remote access to internal, on-premises web applications without requiring VPN access.

In the scenario, App1 is an on-premises application hosted within the Litware network, and the technical requirements specify that it must be securely accessible to both internal and external users — including Fabrikam guest accounts — through Azure AD authentication.

Microsoft’s official documentation states:

“Azure AD Application Proxy provides secure remote access to on-premises web applications, integrating with Azure AD for single sign-on (SSO) and conditional access policies.”

Given that the environment already includes a server (SERVER1) running the Azure AD Application Proxy connector, and that Litware wants to enforce Azure AD Conditional Access and MFA for App1, Azure AD Application Proxy is the correct implementation.

The other options are not suitable:

A. Policy set in Microsoft Endpoint Manager: Used for device compliance and app management, not for publishing on-premises apps.

B. App configuration policy in Endpoint Manager: Used for mobile app configuration (e.g., MAM policies), not for access publishing.

C. App registration in Azure AD: Used for modern cloud or SaaS apps integration, but App1 is on-premises and needs proxy access.

Correct Answer: D. Azure AD Application Proxy

According to the Microsoft SC-300: Identity and Access Administrator official study guide and Microsoft Learn modules on Azure AD Identity Governance , the correct way to manage user access—especially for scenarios involving both internal and external users—is through Entitlement Management in Azure AD Identity Governance .

Entitlement Management uses access packages to define and automate how users obtain access to resources such as groups, SharePoint sites, and applications. Access packages contain policies that specify who can request access (internal users, external users, or both) and how that access is approved and periodically reviewed. The guide clearly states:

“Access packages provide a structured method to configure and automate access for users, ensuring that access assignments follow the organization’s policy and compliance requirements.”

To enable external collaboration with another organization (such as fabrikam.com ), Microsoft documentation emphasizes that you must create a connected organization . A connected organization represents an external directory or domain whose users can be invited to request access packages or participate in identity governance workflows. The connected organization defines trust boundaries for cross-tenant collaboration, without requiring domain federation or acceptance.

In summary:

Access packages configure and automate user access.

According to the Microsoft SC-300: Identity and Access Administrator official study guide and the Microsoft Learn module “Manage user and group licenses in Microsoft Entra ID (Azure AD)”, when you need to automatically assign licenses to users based on specific attributes (such as department, location, or a custom attribute like LWLicenses ), you should use a Dynamic User Security Group in Azure Active Directory (Entra ID).

In the scenario, Litware wants to:

“Manage the assignment of Azure AD licenses by modifying the value of the LWLicenses attribute. Users who have the appropriate value for LWLicenses must be added automatically to the Microsoft 365 group that has the appropriate license assigned.”

This requirement directly maps to a Dynamic User security group, which supports dynamic membership rules that automatically include users when their attributes meet defined conditions (for example, user.extensionAttribute15 -eq " E5 " ). When a license is assigned to this dynamic group, Azure AD automatically provisions or removes licenses for members based on their attribute values — eliminating manual license management.

Per Microsoft documentation:

“You can assign licenses to a group that has dynamic membership. When a user’s attributes change, Azure AD automatically adds or removes them from the group, which updates their license assignments accordingly.”

Now, analyzing the other options:

B. An OU (Organizational Unit): Used in on-premises Active Directory, not Azure AD. It cannot manage cloud-based license assignments.

C. A Distribution Group: Used for email distribution in Exchange Online; cannot be used for license assignment.

D. An Administrative Unit: Used for scoping administrative permissions, not for license assignment.

Therefore, the only object type that satisfies both the technical and automation requirements is a Dynamic User Security Group.

✅ Correct Answer: A. A Dynamic User security group

User1 must request access to App1 before they can use the app: No

If User2 requests access to App1, they will be added to Group1 automatically: Yes

User2 can approve App1 requests by using the Microsoft Entra admin center: Yes

Let’s break this down step by step based on Microsoft Entra ID self-service application access and the configured settings, as outlined in Microsoft Identity and Access Administrator documentation.

Understanding Self-Service Application Access in Microsoft Entra ID:

Self-service application access in Microsoft Entra ID allows users to request access to applications without needing an administrator to manually assign them. This is configured on a per-application basis.

The settings for App1 are:

Allow users to request access to this application: Yes– Users can request access to App1.

To which group should assigned users be added: Group1– Users who are granted access will be added to Group1, which provides the necessary permissions to use App1.

Require approval before granting access to this application: Yes– Access requests must be approved before the user is added to Group1.

Who is allowed to approve access to this application: User2– User2 is the designated approver for access requests to App1.

Statement 1: User1 must request access to App1 before they can use the app.

Analysis:

User1 is already a member of Group1, as stated in the question.

The self-service settings specify that users who are granted access to App1 will be added to Group1. This implies that membership in Group1 is what grants access to App1.

Since User1 is already a member of Group1, they already have access to App1. In Microsoft Entra ID, if a user is already assigned to an application (either directly or via group membership), they do not need to request access through the self-service process—they can simply use the app.

The self-service access request process is for users who are not yet assigned to the app (i.e., not in Group1). Since User1 is already in Group1, they do not need to request access.

Conclusion:This statement isNo. User1 does not need to request access because they are already a member of Group1 and can use App1 immediately.

Statement 2: If User2 requests access to App1, they will be added to Group1 automatically.

Analysis:

User2 is not a member of Group1 (the question does not state that User2 is in Group1).

The self-service settings allow users to request access to App1, and the setting " To which group should assigned users be added: Group1 " means that users who are granted access will be added to Group1.

However, the setting " Require approval before granting access to this application: Yes " means that User2’s request must be approved before they are added to Group1. The approver for App1 requests is User2 themselves, which introduces a potential conflict.

In Microsoft Entra ID, if a user is both the requester and the approver, the system typicallyallows them to approve their own request (unless additional policies prevent this, which is not specified in the question). Therefore, User2 can request access and approve their own request.

Once the request is approved, User2 will be added to Group1 automatically as per the self-service settings. The term " automatically " in the statement refers to the process after approval—once approved, the addition to Group1 happens without further manual intervention.

Conclusion:This statement isYes. If User2 requests access to App1 and approves their own request, they will be added to Group1 automatically.

Statement 3: User2 can approve App1 requests by using the Microsoft Entra admin center.

Analysis:

The self-service settings specify that User2 is the designated approver for access requests to App1.

In Microsoft Entra ID, approvers can manage access requests through the Microsoft Entra admin center (via the " My Access " portal or the " Access Requests " section, depending on their role and permissions).

User2, as the designated approver, will receive a notification (via email or the My Access portal) when a request is made. They can then log into the Microsoft Entra admin center, navigate to the access requests section, and approve or deny the request.

Even though User2 is not explicitly an admin, the fact that they are designated as the approver for App1 requests grants them the ability to approve requests through the Microsoft Entra admin center.

Conclusion:This statement isYes. User2 can approve App1 requests using the Microsoft Entra admin center.

Additional Considerations:

If User2 were not allowed to approve their own request (e.g., due to a separation of duties policy), Statement 2 might be affected. However, Microsoft Entra ID does not enforce such a restriction by default, and the question does not specify any additional policies.

The Microsoft Entra admin center is the primary interface for managing access requests, but users can also approve requests via email links or the My Access portal. The statement specifically mentions the admin center, which is a valid method.

Conclusion:

Statement 1:No– User1 does not need to request access since they are already in Group1.

Statement 2:Yes– User2 will be added to Group1 automatically after their request is approved (by themselves).

Statement 3:Yes– User2 can approve requests using the Microsoft Entra admin center.

In Microsoft Defender for Cloud Apps (MCAS), a Session policy is used to monitor and control user activities in real time when accessing cloud resources through Conditional Access App Control.

The requirement states:

“Prevent users from printing PDF files directly from SharePoint Online.”

This requires controlling a user’s session behavior (e.g., download, print, copy) within a web session — not just detecting or auditing it afterward. According to Microsoft’s Identity and Access Administrator training materials:

“Session policies enable real-time monitoring and control of user sessions, allowing you to restrict activities such as printing, downloading, or copying content.”

By configuring a session policy, administrators can apply real-time controls to prevent printing within SharePoint or Teams sessions while allowing normal view access.

Other options:

File policy controls data at rest (e.g., classifying or sharing files).

Activity policy detects historical actions.

Access policy controls conditions for app access, not user actions.

Dynamic Azure AD groups use membership rules written against user attributes (for example, user.department , user.jobTitle , user.country , user.usageLocation ). The SC-300 materials show operators such as -eq, -contains, -startsWith, and logical -and/-or to build precise targeting. In this scenario, the provided rule syntax evaluates users in the Sales department whose jobTitle contains “Sales” (for example, “SalesRep”). From the data: User1 has job title Associate (does not contain “Sales”); User2 has job title SalesRep (contains “Sales”); User3 has job title Manager (does not contain “Sales”). Because department for all three is Sales, the discriminating condition is the job title match. Therefore, only User2 satisfies the rule and will be added to the dynamic group. The SC-300 guide emphasizes validating rules with the “Preview membership results” tool to confirm which users are included before enforcing at scale.

In Microsoft Entra Permissions Management (formerly CloudKnox), the Permissions Management Administrator role provides the least-privilege rights necessary to onboard cloud environments such as Azure subscriptions, AWS accounts, or GCP projects. This role allows users to configure data collection and onboard environments without granting global administrative access.

The Global Administrator role could also perform onboarding but exceeds the least-privilege requirement. Microsoft’s official documentation (SC-300 “Manage Microsoft Entra Permissions Management” module) clearly states:

“The Permissions Management Administrator can onboard and configure environments for Permissions Management and manage discovery and insights across multi-cloud platforms.”

In the SC-300 curriculum, monitoring consented third-party apps is covered under Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security). The exam materials describe creating policies that watch OAuth-based applications users authorize against Azure AD and flag excessive permissions. The relevant guidance explains that you can configure a policy to alert when “an OAuth application is granted high-impact permissions,” for example when a newly registered or consented app gains read and write access to mail (the Mail.ReadWrite permission). By contrast, Azure AD Identity Protection is focused on User risk and Sign-in risk policies for account compromise, not app consent. Identity Governance addresses access packages and reviews, not OAuth permissions. Microsoft Endpoint Manager “app protection” policies are for MAM/MDM on client apps and do not monitor OAuth consent to Microsoft 365 data. The study path emphasizes using Defender for Cloud Apps to “detect and govern OAuth apps and their permissions,” and to trigger alerts when scopes indicating data-write capability are granted. Therefore, to be notified if a user-registered app obtains read/write access to users’ email, you configure an OAuth app policy in Microsoft Cloud App Security that matches the permission scope and raises an alert when detected.

According to the Microsoft Identity and Access Administrator (SC-300) Study Guide and the Microsoft Learn – “Manage Microsoft 365 Groups naming policies” documentation, group naming policies in Azure Active Directory (now Microsoft Entra ID) apply to end users who create Microsoft 365 groups, but do not apply to administrators who have roles that allow them to override naming restrictions.

The policy defines conventions such as prefixes, suffixes, blocked words, and enforced naming rules. However, certain administrative roles are exempt from this policy to allow organizational management and automation processes. The exempt roles are:

Global Administrator

User Administrator

These two roles can create Microsoft 365 groups without the naming policy constraints. Other users — including Groups Administrator and users without administrative roles — are subject to the naming policy when creating groups.

From the official documentation:

“Naming policies apply to all users who create groups, except for global administrators and user administrators. These roles can create groups that bypass the naming policy restrictions.”

Applying this rule:

User1 (Global Administrator) — exempt

User2 (User Administrator) — exempt

User3 (Groups Administrator) — affected by the policy

User4 (no role) — affected by the policy

When users accept or decline a Terms of Use (ToU) in Azure AD, these actions are recorded in the audit logs. The Microsoft Identity and Access Administrator documentation specifies that audit logs capture “Terms of use acceptance records” including who accepted, who declined, timestamp, and version of the ToU accepted.

The other options are incorrect because:

Provisioning logs capture provisioning events (not ToU).

Usage and Insights reports provide activity metrics, not compliance actions.

Sign-in logs capture authentication activity but not ToU acceptance.

Therefore, to identify which users accepted or declined Terms1, you should use the Audit logs in Azure AD.

According to the Microsoft Identity and Access Administrator (SC-300) Study Guide and Microsoft Learn modules on “Implement access management for apps” and “Implement Conditional Access policies” , Azure AD provides centralized identity and access management for integrated SaaS applications (such as Service1) that support Azure AD authentication and OAuth .

Ensure that users connect to Service1 without being prompted for authentication: When a third-party application is published in the Azure AD gallery , it supports federated single sign-on (SSO) using SAML, OAuth, or OpenID Connect. Registering the application as an enterprise application (rather than creating a new app registration) enables Azure AD to manage SSO automatically. The Microsoft documentation states:

“Enterprise applications from the Azure AD gallery can be configured for single sign-on so that users can access the app using their Azure AD credentials without being prompted to reauthenticate.”

Therefore, to achieve seamless sign-on with minimal administrative overhead, the correct option is An enterprise application in Azure AD .

Ensure that users can access Service1 only from Azure AD-joined computers: To restrict access based on device compliance or join status, Azure AD uses Conditional Access policies . Conditional Access allows enforcement of conditions such as “Require device to be marked as compliant” or “Require hybrid Azure AD-joined or Azure AD-joined device.” The official Microsoft guidance under “Plan and implement Conditional Access policies” confirms:

“You can enforce that users only access cloud resources from devices that are Azure AD-joined or compliant by applying Conditional Access device filters.”

Thus, to ensure that only Azure AD-joined devices can access Service1, you implement a Conditional Access policy .

 Feature: An MFA registration policy

 Grace period: 14 days

According to the Microsoft Identity and Access Administrator (SC-300) Study Guide and Microsoft Learn documentation under “Plan, implement, and manage multifactor authentication (MFA)” , when an organization wants to require users to register for multi-factor authentication methods (such as Microsoft Authenticator, phone number, or email), this is managed through the MFA registration policy within Azure AD Identity Protection.

This feature is called “Combined security information registration” or MFA registration policy, and it allows administrators to enforce users to register for MFA and Self-Service Password Reset (SSPR). The policy defines which users are required to register and sets a grace period — the amount of time a user can postpone registration after first being prompted.

From the Microsoft official exam reference:

“The MFA registration policy allows users to postpone registration for a defined grace period. The default and maximum supported value is 14 days.”

During the grace period, users can skip the registration prompt but will be reminded every time they sign in until they complete registration or the grace period expires. Once the 14-day period ends, users must register their authentication methods before accessing resources.

Therefore, based on Microsoft’s SC-300 study materials and Azure AD documentation:

The correct feature used to enforce this is An MFA registration policy.

The standard and maximum grace period before users must complete registration is 14 days.

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and the Microsoft Learn module “Implement Conditional Access Policies,” the Azure AD Conditional Access engine uses a structured framework that consists of conditions, grant controls, and session controls.

1️ ⃣ Configure HighRiskCountries by using A condition In Conditional Access, conditions define the circumstances under which a policy applies. Named locations (such as HighRiskCountries ) are part of the Locations condition. When configuring a Conditional Access policy, administrators can include or exclude sign-ins based on IP address ranges, country/region, or named locations.

Microsoft documentation states: “You can define named locations to specify IP ranges or countries/regions and use them as conditions in your Conditional Access policies.”

Thus, HighRiskCountries should be configured as a condition within the policy to target sign-ins from those regions.

2️ ⃣ Configure Sign-in frequency by using A session control Session controls in Conditional Access determine how sessions behave after a user successfully signs in. The Sign-in frequency setting controls how often users must reauthenticate, effectively limiting the duration of their authentication session.

Microsoft Learn reference: “Session controls, such as sign-in frequency and persistent browser session, enable administrators to enforce how often users must reauthenticate.”

Therefore, to restrict how long a user can remain authenticated when signing in from high-risk countries, you configure Sign-in frequency as a session control.

✅ Final Correct Answers:

HighRiskCountries: A condition

Sign-in frequency: A session control

In Azure Monitor, alert rules use action groups to define who receives notifications (emails, SMS, push notifications, webhooks, etc.) when an alert is triggered.

If you are currently receiving 100+ email alerts for failed sign-ins daily, and you want a new administrator to receive them instead, the correct way is to modify the action group and update or replace the email recipient .

According to Microsoft Learn ( “Create and manage action groups in Azure Monitor” ):

“Action groups specify the recipients of alerts. You can update an existing action group to add, remove, or modify the recipients for email, SMS, push, or ITSM connections.”

Thus, modifying the action group directly changes who receives the alerts.

Box 1: Yes

Invitations can only be sent to outlook.com. Therefore, User1 can accept the invitation and access the application.

Box 2. Yes

Invitations can only be sent to outlook.com. However, User2 has already received and accepted an invitation so User2 can access the application.

Box 3. No

Invitations can only be sent to outlook.com. Therefore, User3 will not receive an invitation.

Based on the Microsoft SC-300: Identity and Access Administrator Study Guide and Microsoft Learn module “Manage external collaboration settings in Azure AD”, Azure Active Directory provides granular control over external collaboration through External collaboration settings and Collaboration restrictions. These settings control which external domains can receive guest invitations.

1️ ⃣ Collaboration Restrictions Setting The configuration in the exhibit shows:

“Allow invitations only to the specified domains (most restrictive)”

Target Domain: Outlook.com

This means invitations can only be sent to users whose email domains are explicitly listed (in this case, Outlook.com). Any other external domain (like fabrikam.com or adatum.com) is not permitted to receive or accept invitations.

2️ ⃣ Evaluating Each User User1@outlook.com

Domain Outlook.com is listed under allowed domains.

Although the invitation was initially not accepted , since the domain is allowed, User1 can accept the invitation and gain access. ✅ Answer: Yes

User2@fabrikam.com

The domain fabrikam.com is not listed in the allowed domains list.

However, this user already accepted the invitation before the restriction was configured.

Once a guest has accepted the invitation, they are an existing guest object in Azure AD and retain access unless explicitly removed. ✅ Answer: Yes

User3@adatum.com

Domain adatum.com is not listed under allowed domains.

Therefore, this user cannot receive or accept new invitations for collaboration resources like SharePoint Online. ❌ Answer: No

Summary from Microsoft documentation:

“When collaboration restrictions are set to allow invitations only to specified domains, invitations to all other domains are blocked. Existing guest users who have already accepted invitations remain unaffected.”

( Source: Microsoft Learn – Configure external collaboration settings in Azure AD )

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and the Microsoft Learn module “Implement and manage Azure AD Identity Protection,” Azure AD Identity Protection is the service responsible for detecting risky behaviors such as leaked credentials, suspicious sign-ins, and compromised accounts in a Microsoft 365 or Azure AD environment.

1️ ⃣ Classify leaked credentials as high-risk Identity Protection automatically flags leaked or compromised credentials detected through Microsoft’s threat intelligence signals and dark web monitoring. It classifies these users with a high user risk level.

“Identity Protection detects leaked credentials and marks the user risk as high when evidence of compromise is found.”

Thus, the feature used for this classification is Azure AD Identity Protection.

2️ ⃣ Trigger remediation Remediation for leaked credentials is driven by User Risk policies. The User risk policy in Identity Protection can automatically respond to users identified as high-risk. This triggers actions such as forcing a password reset.

“User risk policy can be configured to respond to risky users by requiring password change or blocking access.”

Hence, User risk is the correct trigger.

3️ ⃣ Mitigate the risk To allow users to continue accessing applications after remediation, the proper action is Grant access but require password change. This enforces an immediate credential reset to mitigate the compromise but still allows access once the user remediates their risk.

“To automatically remediate high user risk while maintaining access, configure the policy to grant access but require a password change.”

From the exhibit and the SC-300 Study Guide (Access Reviews section) , the access review is configured with the reviewer type set to (Preview) Manager, and Megan Bowen as the fallback reviewer.

In Azure AD Access Reviews, when “Manager” is selected as the reviewer type, the system automatically assigns each user’s Azure AD–defined manager to review their access. However, if a user does not have a manager assigned in Azure AD, the review task defaults to the fallback reviewer (in this case, Megan Bowen).

Therefore, if all access review requests are going to Megan Bowen, that means users in the tenant do not have managers properly assigned in Azure AD user attributes.

Adding the department managers as fallback reviewers does not solve the issue because the fallback reviewer receives only the reviews for users without a manager, not based on department.

Microsoft documentation states:

“When ‘Manager’ is selected as the reviewer, the manager property from Azure AD is used. If a user does not have a manager, the fallback reviewer is used. Adding managers as fallback reviewers will not assign reviews based on departments.”

Identities with Owner role: Managed1, Managed2, VM1, and VM2 only

Virtual machines assigned to Managed2: VM2 and VM4 only

In Azure RBAC, role assignments can be made to Azure AD security principals , including managed identities (user-assigned and system-assigned) . The SC-300 learning path on Identity Governance and Privileged Access, and the Exam Ref coverage of Azure RBAC, explain that a system-assigned managed identity is a service principal tied to a single resource, and you can assign RBAC at any scope (subscription, resource group, or resource) to that identity. A user-assigned managed identity is an independent Azure resource with its own service principal; it can also be granted roles at the resource group scope. Therefore, the assignable principals for RG1 include the two user-assigned identities ( Managed1 , Managed2 ) and the two VMs that have system-assigned identities ( VM1 , VM2 ). VM3 does not present a system-assigned identity; its access is represented by Managed1 .

For attaching a user-assigned identity to a virtual machine, SC-300 materials note that the identity and the target resource must be in the same region (often phrased as “user-assigned identities are regional; the identity and the resource must share a region”). Since Managed2 is in West US , it can be associated only with West US VMs—here, VM2 and VM4 .

The Security Operator role is part of Microsoft’s tiered security roles designed to allow operational security tasks while limiting full administrative privileges.

Per Microsoft Learn ( “Permissions in the Microsoft 365 Defender portal” and SC-300 Study Guide ):

“Security Operators can view, investigate, and take actions on security recommendations, alerts, and improvement actions in Microsoft Secure Score.”

The Security Operator role can update the status of Secure Score improvement actions, making it the appropriate and least-privileged choice for this scenario.

In Microsoft Entra ID (Azure AD), Security Defaults is a built-in baseline security configuration that enforces basic identity protection, such as requiring all users to register for multi-factor authentication (MFA) using the Microsoft Authenticator app. When security defaults are enabled, users cannot select alternate MFA methods (like SMS or phone call).

According to the Microsoft SC-300 Official Study Guide and Azure AD Identity Protection documentation , only administrators with elevated security roles—specifically the Security Administrator, Global Administrator, or Conditional Access Administrator—can enable or disable security defaults.

Here’s the detailed reasoning:

User1 (Security Administrator): This role can manage identity security settings, including modifying MFA configurations and security defaults.

User2 (Privileged Authentication Administrator): This role can reset MFA details for other users but cannot modify tenant-wide MFA or security default settings.

User3 (Service Support Administrator): This role is limited to viewing service health and support tickets and has no permissions to modify security configurations.

Since User2 is restricted by security defaults (which enforce Microsoft Authenticator only), the only way to allow alternative MFA methods is to disable or customize security defaults. That configuration must be done by User1 (Security Administrator).

Microsoft Documentation: “To enable or disable security defaults, you must be a Global Administrator, Security Administrator, or Conditional Access Administrator.”

In Azure AD Privileged Identity Management (PIM), the activation settings shown for the Global Administrator role include “On activation, require Azure MFA: Yes.” The SC-300 materials describe that when this flag is enabled, “eligible users must complete MFA during role activation.” Therefore, User1, who is eligible for Global Administrator, must satisfy MFA at activation time.

The exhibit also shows “Require approval to activate: No (Approvers: None).” Per the exam guide, “if approvals are not required, no approver action is taken; users activate directly after satisfying policy (e.g., MFA, justification).” Consequently, there are no activation requests to approve, so User2 cannot approve all activation requests (there are none).

Regarding who can change role assignments, the guide states that “only Global Administrator or Privileged Role Administrator (Role Management Administrator) can add, remove, or update Azure AD role assignments in PIM.” Privileged Authentication Administrator focuses on authentication method and MFA settings and does not grant role-assignment management. Thus, User2 (Privileged Authentication Administrator) cannot edit the assignment, while User3 (Global Administrator) can; since the statement claims both can edit, the correct evaluation is No.

According to the Microsoft SC-300: Identity and Access Administrator study materials and Microsoft Defender for Cloud Apps documentation, connecting third-party cloud applications such as GitHub , AWS , and Google Workspace to Defender for Cloud Apps allows the administrator to monitor user activities and OAuth app authentications in those external services.

The App connectors feature within Microsoft 365 Defender / Microsoft Defender for Cloud Apps provides deep visibility into sanctioned cloud applications by integrating their APIs. When an app connector is added — such as the GitHub app connector — Defender for Cloud Apps begins ingesting audit logs, including OAuth authorization events , sign-in attempts, and token consent grants.

The relevant Microsoft documentation states:

“App connectors use APIs from connected apps to extend visibility and control to cloud services, enabling monitoring of OAuth application authorizations and security activities.”

Since the question specifically asks to monitor OAuth authentication requests , adding the GitHub app connector fulfills this requirement because it brings OAuth consent and token data from GitHub into Microsoft 365 Defender (via Defender for Cloud Apps).

To implement a process for reviewing guest users’ access to the Salesforce app with the specified requirements, you can use Microsoft Entra’s Identity Governance access reviews feature. Here’s a step-by-step guide:

Assign the appropriate role:

Ensure you have one of the following roles: Global Administrator, User Administrator, or Identity Governance Administrator1.

Navigate to Identity Governance:

Sign in to the Microsoft Entra admin center.

Go toIdentity governance > Access reviews1.

Create a new access review:

Select New access review.

Choose the Salesforce app to review guest user access1.

Configure the review settings:

Set the frequency of the review to monthly.

Define thedurationof the review period to5 days1.

Determine the reviewers:

Assign the manager of each guest user as the reviewer.

If a guest user does not have a manager, assignMegan Bowenas the reviewer1.

Automate the removal process:

Configure settings toautomatically remove accessif the review is not completed within the specified time frame1.

Monitor and enforce compliance:

Regularly check the access review results to ensure compliance with the review policy1.

Communicate the process:

Inform all stakeholders about the new review process and provide guidance on how to complete the reviews.

By following these steps, you can ensure that guest users’ access to the Salesforce app is reviewed monthly, with managers being responsible for the review, and access is removed if the review is not completed in time.

To create a group named “Audit” and ensure that its members can activate the Security Reader role, follow these steps:

Open the Microsoft Entra admin center:

Sign in with an account that has the Security Administrator or Global Administrator role.

Navigate to Groups:

Go toTeams & groups > Active teams and groups1.

Create the security group:

Select Add a security group.

On the Set up the basics page, enter “Audit” as the group name.

Add a description if necessary and chooseNext1.

Edit settings:

On theEdit settingspage, select whether you want Microsoft Entra roles to be assignable to this group and selectNext1.

Assign roles:

After creating the group, go to Roles > All roles.

Find and select the Security Reader role.

Under Assignments, choose Assign.

Select the “Audit” group to assign the role to its members2.

Review and finish:

Review the settings to ensure the “Audit” group is created with the ability for its members to activate the Security Reader role.

Finish the setup and save the changes.

By following these steps, you will have created the “Audit” group and enabled its members to activate the Security Reader role, which allows them to view security-related information without having permissions to change it. Remember to communicate the new group and role assignment to the relevant stakeholders in your organization.

To add the LinkedIn application as a resource to the Sales and Marketing access package without removing any other resources, you can follow these steps:

Sign in to the Microsoft Entra admin center:

Ensure you have the role of Global Administrator or Identity Governance Administrator.

Navigate to Entitlement Management:

Go to Identity governance  >  Entitlement management  >  Access packages1.

Select the Sales and Marketing access package:

Find and select the Sales and Marketing access package to modify it.

Add a new resource:

Within the access package details, select Resources.

Click on + Add resource.

Search for and select the LinkedIn application from the list of available resources.

Configure the resource role:

Assign the appropriate role for the LinkedIn application that users in the Sales and Marketing access package will have.

Review and update the access package:

Ensure that the LinkedIn application has been added as a resource.

Confirm that no other resources have been removed from the access package.

Save the changes:

After reviewing, save the changes to the access package.

Communicate the update:

Notify the relevant users about the addition of the LinkedIn application to their access package.

By following these steps, you will successfully add the LinkedIn application to the Sales and Marketing access package without affecting the other resources.

To deploy Multi-Factor Authentication (MFA) for only the members of the Sg-Finance group, excluding Debra Berger, and without using a Conditional Access policy, you can follow these steps:

Open the Microsoft Entra admin center:

Sign in as a Security Administrator or Global Administrator.

Navigate to MFA settings:

Go to Users  >  Active users.

On the Active users page, select Multi-factor authentication.

Manage user settings:

Find and select the Sg-Finance group.

Enable MFA for this group by setting the requirement status to Enabled.

Exclude a user from MFA:

In the Multi-factor authentication page, search for Debra Berger.

Set her MFA status to Disabled to exclude her from MFA registration.

Verify the configuration:

Ensure that all members of the Sg-Finance group have MFA enabled except for Debra Berger.

Communicate the change:

Inform the Sg-Finance group members about the MFA requirement and provide instructions on how to register for MFA.

Monitor the setup:

Check the sign-in logs to confirm that MFA is being prompted for the Sg-Finance group members and not for Debra Berger.

To assign a Windows 10/11 Enterprise E3 license to the Sg-Retail group, you can follow these steps:

Sign in to the Microsoft Entra admin center:

Make sure you have the role of Global Administrator or License Administrator.

Navigate to the licensing page:

Go toBilling > Licenses1.

Find the Windows 10/11 Enterprise E3 license:

Look for the Windows 10/11 Enterprise E3 license in the list of available products.

Assign licenses to the group:

Select the license and then choose Assign licenses.

Search for and select the Sg-Retail group.

Confirm the assignment and make sure that the correct number of licenses is available for the group.

Review and confirm the assignment:

Ensure that the licenses have been properly assigned to the Sg-Retail group without affecting other groups or users.

Monitor the license status:

Check the license usage and status to ensure that the Sg-Retail group members can utilize the Windows 10/11 Enterprise E3 features.

By following these steps, the Sg-Retail group should now have the Windows 10/11 Enterprise E3 licenses assigned to them.

To prevent all users from using legacy authentication protocols when authenticating to Microsoft Entra ID, you can create a Conditional Access policy that blocks legacy authentication. Here’s how to do it:

Sign in to the Microsoft Entra admin center:

Ensure you have the role of Global Administrator or Conditional Access Administrator.

Navigate to Conditional Access:

Go to Security > Conditional Access.

Create a new policy:

Select + New policy.

Give your policy a name that reflects its purpose, like “Block Legacy Auth”.

Set users and groups:

Under Assignments, select Users or workload identities.

Under Include, select All users.

Under Exclude, select Users and groups and choose any accounts that must maintain the ability to use legacy authentication.It’s recommended to exclude at least one account to prevent lockout1.

Target resources:

Under Cloud apps or actions, select All cloud apps.

Set conditions:

Under Conditions > Client apps, set Configure to Yes.

Check only the boxes for Exchange ActiveSync clients and Other clients.

Configure access controls:

Under Access controls > Grant, select Block access.

Enable policy:

Confirm your settings and set Enable policy to Report-only initially to understand the impact.

After confirming the settings using report-only mode, you can move theEnable policytoggle fromReport-onlytoOn2.

By following these steps, you will block legacy authentication protocols for all users, enhancing the security posture of your organization by requiring modern authentication methods. Remember to monitor the impact of this policy and adjust as necessary to ensure business continuity.

To configure the account lockout settings so that accounts are locked out for five minutes after 10 failed sign-in attempts, you can follow these steps:

Open the Microsoft Entra admin center:

Sign in with an account that has the Security Administrator or Global Administrator role.

Navigate to the lockout settings:

Go to Security > Authentication methods > Password protection.

Adjust the Smart Lockout settings:

Set the Lockout threshold to 10 failed sign-in attempts.

Set the Lockout duration (in minutes) to 5.

Please note that by default, smart lockout locks an account from sign-in after 10 failed attempts in Azure Public and Microsoft Azure operated by 21Vianet tenants1. The lockout period is one minute at first, and longer in subsequent attempts.However, you can customize these settings tomeet your organization’s requirements if you have Microsoft Entra ID P1 or higher licenses for your users1.

To ensure that all users can consent to apps that require permission to read their user profile and prevent them from consenting to apps that require any other permissions, you can configure the user consent settings in the Microsoft Entra admin center. Here’s how you can do it:

Sign in as a Global Administrator:

Access the Microsoft Entra admin center with Global Administrator privileges.

Navigate to user consent settings:

Go toIdentity > Applications > Enterprise applications > Consent and permissions > User consent settings1.

Configure the consent settings:

Under User consent for applications, select the option that allows users to consent to apps that only require permission to read their user profile.

Ensure that all other permissions are set to require administrator consent, thus preventing users from consenting to apps that require additional permissions1.

Save the settings:

After configuring the consent settings, select Save to apply the changes.

By following these steps, you will have configured the system to allow user consent for apps that need to read the user profile while blocking consent for apps that require additional permissions. This setup helps maintain user autonomy where appropriate while safeguarding against unauthorized access to broader permissions.

To implement additional security checks for the Sg-Executive group members before they canaccess any company apps, you can use Conditional Access policies in Microsoft Entra. Here’s a step-by-step guide:

Sign in to the Microsoft Entra admin center:

Ensure you have the role of Global Administrator or Security Administrator.

Navigate to Conditional Access:

Go to Security > Conditional Access.

Create a new policy:

Select + New policy.

Name the policy appropriately, such as “Sg-Executive Security Checks”.

Assign the policy to the Sg-Executive group:

Under Assignments, select Users and groups.

Choose Select users and groups and then Groups.

Search for and select the Sg-Executive group.

Define the application control conditions:

Under Cloud apps or actions, select All cloud apps to apply the policy to any company app.

Set the device compliance requirement:

Under Conditions > Device state, configure the policy to include devices marked as compliant by Microsoft Intune.

Set the app protection policy requirement:

Under Conditions > Client apps, configure the policy to include client apps that are protected by app protection policies.

Configure the access controls:

Under Access controls > Grant, select Grant access.

Choose Require device to be marked as compliant and Require approved client app.

Ensure that the option Require one of the selected controls is enabled.

Enable the policy:

Set Enable policy to On.

Review and save the policy:

Review all settings to ensure they meet the requirements.

Click Create to save and implement the policy.

By following these steps, you will ensure that the Sg-Executive group members can only access company apps if they meet one of the specified conditions, either by using a compliant device or a protected client app. This enhances the security posture of your organization by enforcing stricter access controls for executive-level users.

To ensure that users in the Sg-Operations group see a tab named “Operations” containing only LinkedIn and Box applications in the My Apps portal, you can create a collection with these specific applications. Here’s how to do it:

Sign in to the Microsoft Entra admin center:

Make sure you have one of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

Navigate to App launchers:

Go to Identity > Applications > Enterprise applications.

Under Manage, select App launchers.

Create a new collection:

Click on New collection.

Enter “Operations” as the Name for the collection.

Provide a Description if necessary.

Add applications to the collection:

Select the Applications tab within the new collection.

Click on + Add application.

Search for and select LinkedIn and Box applications.

Click Add to include them in the collection.

Assign the collection to the Sg-Operations group:

Select the Users and groups tab.

Click on + Add users and groups.

Search for and select the Sg-Operations group.

Click Select to assign the collection to the group.

Review and create the collection:

Select Review + Create to check the configuration.

If everything is correct, click Create to finalize the collection.

By following these steps, when users in the Sg-Operations group visit the My Apps portal, they will see a new tab named “Operations” that contains only the LinkedIn and Box applications1.

Please note that to create collections on the My Apps portal, you need a Microsoft Entra ID P1 or P2 license1.