Exactprep SC-300 Questions

From the exhibit and the SC-300 Study Guide (Access Reviews section) , the access review is configured with the reviewer type set to (Preview) Manager, and Megan Bowen as the fallback reviewer.

In Azure AD Access Reviews, when “Manager” is selected as the reviewer type, the system automatically assigns each user’s Azure AD–defined manager to review their access. However, if a user does not have a manager assigned in Azure AD, the review task defaults to the fallback reviewer (in this case, Megan Bowen).

Therefore, if all access review requests are going to Megan Bowen, that means users in the tenant do not have managers properly assigned in Azure AD user attributes.

Adding the department managers as fallback reviewers does not solve the issue because the fallback reviewer receives only the reviews for users without a manager, not based on department.

Microsoft documentation states:

“When ‘Manager’ is selected as the reviewer, the manager property from Azure AD is used. If a user does not have a manager, the fallback reviewer is used. Adding managers as fallback reviewers will not assign reviews based on departments.”

Identities with Owner role: Managed1, Managed2, VM1, and VM2 only

Virtual machines assigned to Managed2: VM2 and VM4 only

In Azure RBAC, role assignments can be made to Azure AD security principals , including managed identities (user-assigned and system-assigned) . The SC-300 learning path on Identity Governance and Privileged Access, and the Exam Ref coverage of Azure RBAC, explain that a system-assigned managed identity is a service principal tied to a single resource, and you can assign RBAC at any scope (subscription, resource group, or resource) to that identity. A user-assigned managed identity is an independent Azure resource with its own service principal; it can also be granted roles at the resource group scope. Therefore, the assignable principals for RG1 include the two user-assigned identities ( Managed1 , Managed2 ) and the two VMs that have system-assigned identities ( VM1 , VM2 ). VM3 does not present a system-assigned identity; its access is represented by Managed1 .

For attaching a user-assigned identity to a virtual machine, SC-300 materials note that the identity and the target resource must be in the same region (often phrased as “user-assigned identities are regional; the identity and the resource must share a region”). Since Managed2 is in West US , it can be associated only with West US VMs—here, VM2 and VM4 .

The Security Operator role is part of Microsoft’s tiered security roles designed to allow operational security tasks while limiting full administrative privileges.

Per Microsoft Learn ( “Permissions in the Microsoft 365 Defender portal” and SC-300 Study Guide ):

“Security Operators can view, investigate, and take actions on security recommendations, alerts, and improvement actions in Microsoft Secure Score.”

The Security Operator role can update the status of Secure Score improvement actions, making it the appropriate and least-privileged choice for this scenario.