Last Attempt SC-300 Questions

The question asks which role allows a user to create access reviews for Azure AD roles using the principle of least privilege.

Privileged Role Administrator can manage all role assignments and access reviews, but it has more privileges than needed.

Identity Governance Administrator manages entitlement management and access packages, not Azure AD roles directly.

User Administrator can manage users but not access reviews for roles.

✅ User Access Administrator is the correct least-privilege role, as it allows management of access reviews related to Azure AD roles and role-assignable groups.

From Microsoft Documentation (SC-300 Exam Guide):

“The User Access Administrator role allows management of access reviews and permissions for Azure AD roles and resources using the least-privileged approach.”

To enforce a Terms of Use (ToU) prompt when users sign in, the SC-300 exam and Microsoft Learn materials specify configuring it under a Conditional Access policy. The ToU object must first be created in Microsoft Entra ID → Identity Governance → Terms of Use, then linked to a Conditional Access policy via Grant Controls → Require Terms of Use.

Access packages and lifecycle workflows (A, C) handle identity lifecycle and provisioning, not authentication-time prompts. Authentication methods (D) manage how users sign in but not policy-based ToU enforcement.

The issue described is that disabled on-premises AD accounts can still authenticate to Azure AD for up to 30 minutes. This behavior occurs when Password Hash Synchronization (PHS) is used, as authentication happens directly against the cloud copy of the password hash, which syncs periodically (every 30 minutes by default).

The proposed solution — configuring password writeback — allows users to reset or change their on-premises password from Azure AD (via self-service password reset). However, it does not affect the authentication flow or timing of disabled account status replication between AD and Azure AD.

From Microsoft documentation:

“Password writeback enables users to reset their on-premises passwords from the cloud but does not impact authentication or account disable synchronization.”

Therefore, configuring password writeback does not prevent a disabled user from authenticating in Azure AD until the next sync occurs.

 User1: Key Vault Crypto Officer

 User2: Key Vault Certificates Officer

As detailed in Microsoft documentation and the Exam Ref SC-300: Microsoft Identity and Access Administrator, Azure Key Vault provides role-based access control (RBAC) to manage keys, secrets, and certificates independently. The built-in roles are designed with the principle of least privilege — granting users only the permissions necessary to perform their tasks.

According to the Microsoft Learn module “Manage access to Key Vault using Azure RBAC”, the relevant built-in roles are:

Key Vault Crypto Officer — This role allows users to manage cryptographic keys in a key vault. Specifically, the Crypto Officer can create, import, delete, and manage keys, as well as perform cryptographic operations such as encrypt, decrypt, sign, and verify. This aligns perfectly with the requirement that User1 must manage and create keys in Vault1.

Key Vault Certificates Officer — This role allows a user to manage and retrieve certificates within a key vault. It provides access to read, import, and delete certificates but not to manage or create keys or secrets. This satisfies the requirement that User2 must access a certificate stored in Vault1.

The Exam Ref SC-300 emphasizes that the least privilege principle requires assigning users the lowest possible role that meets their operational needs. Therefore, assigning Key Vault Crypto Officer to User1 and Key Vault Certificates Officer to User2 ensures compliance, minimal access exposure, and operational