You have an Azure Active Directory (Azure AD) tenant named contoso.com.
All users who run applications registered in Azure AD are subject to conditional access policies.
You need to prevent the users from using legacy authentication.
What should you include in the conditional access policies to filter out legacy authentication attempts?
Answer : C
The Conditional Access chapter of SC-300 states that administrators block legacy protocols by targeting them with the Client apps condition. The guide notes: ''Client apps lets you target policy by application type such as browser, modern authentication clients, and legacy authentication clients.'' It gives the prescriptive action: ''To block legacy authentication, configure a policy with Client apps set to 'Other clients' (legacy) and grant control = Block.'' In contrast, Cloud apps or actions chooses the service (e.g., Office 365), User risk and Sign-in risk apply risk-based controls, not protocol filtering. Therefore, to filter out and prevent legacy authentication attempts, you must configure Conditional Access with the client apps condition targeting legacy/other clients and block them, exactly as taught in the SC-300 objectives ''Configure and manage Conditional Access.''
================
You need to resolve the issue of the guest user invitations. What should you do for the Azure AD tenant?
Answer : B
Azure AD External collaboration settings govern who can bring guests into the tenant. The SC-300 content specifies: ''External collaboration settings let you control who can invite guests (Anyone, Members, Guests, or Only admins and users in the Guest Inviter role) and whether guests can invite.'' It also highlights: ''To restrict guest invitations to administrators or designated inviters, configure External collaboration to 'Only admins and users in the Guest Inviter role' and disable guest-to-guest invitations if required.'' Because the problem states that ''Anyone in the organization can invite guest users, including other guests and non-administrators,'' the remediation is to tighten External collaboration settings so only approved roles (e.g., Global admins, Guest Inviter, or specific administrators) can invite. Access reviews address periodic entitlement verification, Conditional Access enforces sign-in/session policies, and Continuous Access Evaluation relates to token lifetime/signal-based revocation; none of these change who can send guest invitations. Adjusting External collaboration settings directly resolves the issue and aligns with the requirement that ''only users that are assigned specific admin roles can invite guest users.''
You have a Microsoft 365 subscription.
You need to ensure that users can grant enterprise applications access to their profile. The solution must ensure that the users can consent only to the User. Read and profile delegated permissions.
What should you configure first?
Answer : B
According to the Microsoft SC-300: Microsoft Identity and Access Administrator Study Guide and official Microsoft Learn documentation (''Configure how end-users consent to applications''), application consent management in Microsoft Entra ID is governed by the Admin consent settings under Enterprise applications Consent and permissions User consent settings.
By default, users can grant delegated permissions to apps, but organizations often need to restrict which permissions users may consent to --- for example, allowing consent only to low-impact permissions like User.Read (basic profile information).
Microsoft Documentation Reference: ''In the Admin consent settings, you can control how end users grant consent to applications. You can limit user consent to low-risk permissions, such as permissions that only allow apps to access the user's basic profile data.''
The configuration steps outlined in Microsoft's official SC-300 training materials are:
In the Entra admin center, go to Enterprise applications Consent and permissions User consent settings.
Under User consent for applications, choose Allow user consent for apps from verified publishers for selected permissions (recommended).
Under Select permissions to allow, specify User.Read and User.ReadBasic.All, which correspond to User.Read and User.Read profile delegated permissions.
This ensures that users can only consent to applications accessing their basic profile data and no additional permissions beyond what's explicitly approved.
Why not the other options:
A . Security defaults: Controls basic security policies (e.g., MFA, legacy authentication) --- unrelated to app consent.
C . Permission classifications: Used for labeling permission risk levels but doesn't enforce consent behavior.
You have a Microsoft 365 E5 subscription that contains a user named User1.
You need to ensure that User1 can create access reviews for Microsoft Entra roles. The solution must use the principle of least privilege.
Which role should you assign to User1?
Answer : D
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Cloud Apps and Conditional Access policies. You need to block access to cloud apps when a user is assessed as high risk.
Which type of policy should you create in the Microsoft Defender for Cloud Apps?
Answer : C
According to the Microsoft SC-300 Study Guide and Microsoft Defender for Cloud Apps documentation, an access policy in Microsoft Defender for Cloud Apps (MCAS) enables administrators to enforce real-time session control and conditional access based on user risk or session context. These policies integrate directly with Azure AD Conditional Access and Microsoft Defender for Identity signals to determine when a user's session should be allowed, monitored, or blocked.
The documentation specifies:
''Access policies are used to control user access and session activities in real-time. You can use these policies to block access, require session control, or limit downloads when risk conditions such as 'user risk = high' are detected.''
In this case, since the requirement is to block access to cloud apps when a user is assessed as high risk, an access policy in Defender for Cloud Apps must be used. Other options are not applicable because:
OAuth app policy controls permissions granted to third-party apps.
Anomaly detection policy detects unusual activities but does not block access.
Activity policy monitors specific user actions within apps.
You have a Microsoft 365 tenant.
The Azure Active Directory (Azure AD) tenant syncs to an on-premises Active Directory domain.
Users connect to the internet by using a hardware firewall at your company. The users authenticate to the
firewall by using their Active Directory credentials.
You plan to manage access to external applications by using Azure AD.
You need to use the firewall logs to create a list of unmanaged external applications and the users who access
them.
What should you use to gather the information?
Answer : C
According to the Microsoft SC-300: Identity and Access Administrator study materials and Microsoft Learn modules under ''Implement and manage Cloud App Security (Microsoft Defender for Cloud Apps)'', the Cloud App Discovery feature in Microsoft Cloud App Security (now called Microsoft Defender for Cloud Apps) is designed to identify and analyze the use of shadow IT --- unmanaged or unsanctioned applications accessed by users within the organization.
Cloud App Discovery collects logs from network appliances such as firewalls, proxies, or Secure Web Gateways (SWGs). Administrators upload these logs into Cloud App Security or configure continuous log collection through automatic log uploaders. The service then parses and analyzes the data to detect which external applications are being accessed and which users are using them.
In this scenario, since users authenticate to the firewall with their on-premises Active Directory credentials, the firewall logs will contain user information and the external applications being accessed. By importing these logs into Cloud App Discovery, administrators can generate a detailed list of unmanaged (unsanctioned) external applications and identify the specific users connecting to them.
Microsoft documentation explicitly states:
''Cloud App Discovery analyzes traffic logs to identify all cloud applications used in your organization. It provides information about app usage, users, IP addresses, and risk levels to help you assess shadow IT.''
Hence, the correct and verified answer --- based on official SC-300 curriculum and Azure AD Identity Governance content --- is Cloud App Discovery in Microsoft Cloud App Securit
You have a Microsoft 365 subscription that uses Microsoft Defender for Cloud Apps.
You have multiple third-party apps that access the resources in the subscription.
You need to monitor the access of the third-party apps.
What should you create?
Answer : A
In Microsoft Defender for Cloud Apps, OAuth app policies monitor and control third-party applications that have OAuth permissions to your Microsoft 365 environment. They allow administrators to review app permissions, detect over-privileged apps, and revoke access where needed. This aligns with the SC-300 topic ''Monitor and manage app permissions in Defender for Cloud Apps'', which states:
''OAuth app policies allow you to detect risky applications connected via OAuth authorization and monitor app access to your organizational data.''