SC-300 Part 1, Module 1

Question 1

What is Azure Active Directory (Azure AD)?

Answer 1

Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access:

• External resources
• Internal resources

Question 2

Azure AD helps your employees sign in and access what kinds of external resources?

Answer 2

External resources such as M365, the Azure portal, and thousands of other Software as a Service (SaaS) applications.

Question 3

Azure AD helps your employees sign in and access what kinds of internal resources?

Answer 3

Internal resources such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.

Question 4

Who is Azure AD intended for?

Answer 4

IT admins, App developers, and subscribers to Microsoft services.

Question 5

What permissions does the Global Admin have in Azure AD?

Answer 5

• Manage access to all admin features, and to services that federate to Azure AD.
• Assign admin roles to others.
• Reset admin and user passwords.

Question 6

What permissions does the User Admin have in Azure AD?

Answer 6

• Create/manage users and groups.
• Manage support tickets.
• Monitor service health.
• Change passwords for users, Helpdesk admins, and other User Admins.

Question 7

What permissions does the Billing Admin have in Azure AD?

Answer 7

• Making purchases.
• Manage subscriptions.
• Manage support tickets.
• Monitors service health.

Question 8

In the Azure portal, where can you see a list of roles?

Answer 8

On the “Roles and administrators” blade.

Question 9

Azure roles specify scope at what level?

Answer 9

Scope can be specified at multiple levels:

• Management group
• Subscription
• Resource group
• Resource

Question 10

Azure AD roles specify scope at what level?

Answer 10

Scope is at the tenant level.

Question 11

Azure roles info can be accessed using which 5 sources?

Answer 11

• Azure portal
• Azure CLI
• Azure PowerShell
• Azure Resource Manager templates
• REST API

Question 12

Azure AD roles info can be accessed in:

Answer 12

• Azure admin portal
• Azure AD PowerShell.
• M365 admin center
• MS Graph

Question 13

“Access management for Azure resources” switch

Answer 13

• Grants the Global Admin the User Access Admin role (an Azure role) on all subscriptions for a particular tenant.
• This enables the user to grant others access to Azure resources.
• Helpful for regaining access to a subscription.

Question 14

By default, what Azure resources does the Global Admin have access to?

Answer 14

By default, the Global Admin doesn’t have access to Azure resources.

Question 15

Do Azure AD roles span Azure AD and M365?

Answer 15

Several Azure AD roles span Azure AD and M365, such as the Global Admin and User Admin roles.

Question 16

Five ways to assign roles within Azure AD

Answer 16

• Assign a role to a user or group.
• Assign a user or group to a role.
• Assign a role to a broad-scope, like a Subscription, Resource Group, or Management Group.
• Assign a role using PowerShell or MSGraph API.
• Assign a role using Privileged Identity Management (PIM).

Question 17

What are the default restrictions for assigning roles?

Answer 17

There are no built in role assignment restrictions.

Question 18

How do you create a custom role in Azure AD?

Answer 18

1. Roles and administrators blade > New custom role.

2. Provide a name, description, select the permissions, then select Create.

Question 19

How do you add a new user in Azure AD?

Answer 19

1. Select Users > New User.

2. Populate the user’s info. Then select Create.

Question 20

What is a common method for assigning a role to a user in Azure AD?

Answer 20

1. All users blade. Select the user.
2. On the user’s profile page, select Assigned roles. Select Add assignments, select the role you want to assign. Select Add.

Question 21

What is a common method for removing a role in Azure AD?

Answer 21

1. Select Users, then select a user.
2. Select Assigned roles. Select the name of the role you want to remove.
3. Select Remove assignments.

Question 22

What is a domain name?

Answer 22

A part of the identifier for many Azure AD resources:

• It’s part of a user name or email address for a user,
• Part of the address for a group.
• Sometimes part of the app ID URI for an application.

Question 23

A domain name is sometimes part of the ___ for an application.

Answer 23

App ID URI

Question 24

Who can manage domains in Azure AD?

Answer 24

The Global Administrator

Question 25

How do you set a domain name in Azure AD?

Answer 25

1. Select Custom domain names.
2. Select a domain name from the list.
3. Select “Make primary”.

Question 26

How many custom domain names can you add to your Azure AD organization?

Answer 26

• You can add up to 900 managed domain names.
• If you’re configuring all your domains for federation with on-premises Active Directory, you can add 450 domain names in each organization.

Question 27

Where can you verify a subdomain you added to Azure AD?

Answer 27

Either in the Azure AD organization you added the subdomain to, or in a different Azure AD organization.

Question 28

What do you do after changing the DNS registrar for your custom domain name?

Answer 28

No additional configuration tasks are needed in Azure AD.

Question 29

What requirements must be met before deleting a custom domain name in Azure AD?

Answer 29

Ensure no resources in your organization rely on the domain name.

• No user has a name, email or proxy address that includes the domain name.
• No group has an email or proxy address that includes the domain name.
• Any application in your Azure AD has an app ID URI that includes the domain name.

Question 30

What is ForceDelete?

Answer 30

An operation that reverts a domain name to the initial default domain name.

Question 31

Where can you use the ForceDelete option?

Answer 31

Azure AD Admin Center

MS Graph API

Question 32

What requirements must be met before using ForceDelete?

Answer 32

• Ensure there are fewer than 1,000 references to the domain name.
• Any references where Exchange is the provisioning service must be updated or removed.
• The domain could not have been purchased via m365 domain subscription services.
• You can’t be a partner administering on behalf of another custom org.

Question 33

What two things result in an error when using ForceDelete?

Answer 33

• The number of objects to be renamed is greater than 1,000.

* One of the apps to be renamed is a multi-tenant app.

Question 34

With the proliferation of devices of all shapes and sizes and the bring your own device (BYOD) concept, IT professionals are faced with two somewhat opposing goals:

Answer 34

• Allow end users to be productive wherever and whenever.

* Protect the organization’s assets.

Question 35

Who owns Azure AD registered devices?

Answer 35

The user or organization.

Question 36

What is an Azure AD registered device?

Answer 36

A device that’s registered to Azure AD without requiring an additional org account to sign into the device.

Question 37

What tools are used to manage Azure AD registered devices?

Answer 37

A Mobile Device Management tool (MDM) like Intune.
Mobile Application Management

“maam and madam”

Question 38

What are the key capabilities of Azure AD registered devices?

Answer 38

• SSO to cloud resources.
• Conditional Access when enrolled into Intune.
• Conditional Access via App protection policy.
• Enables Phone sign in with Microsoft Authenticator app.

Question 39

How are Azure registered devices signed in?

Answer 39

They are signed in using a local account like a Microsoft Account or Windows 10 device, but additionally they have an Azure AD attached for access to org resources.

Question 40

When can Azure AD device registration take place?

Answer 40

Can occur when accessing a work application for the first time or manually using the Windows 10 Settings menu.

Question 41

Who owns Azure AD joined devices?

Answer 41

The organization, not the user.

Question 42

Who can deploy Azure AD joined devices?

Answer 42

Any organization can deploy Azure AD joined devices.

Question 43

Azure AD joined devices enable access to ____.

Answer 43

Both cloud and on-premises apps and resources.

Question 44

Who is Azure AD join intended for?

Answer 44

Organizations that want to be cloud-first or cloud-only.

Question 45

How are Azure AD joined devices managed?

Answer 45

Using a Mobile Device Management (MDM) tool like Intune, or co-managed with Intune and Microsoft Endpoint Configuration Manager.

Question 46

How can access to resources by Azure AD joined devices be limited?

Answer 46

Admin can enforce organization-required configurations like requiring that storage be encrypted, password complexity, software installations, and software updates.

Question 47

How can admins make their org’s apps available to Azure AD joined devices?

Answer 47

Via Configuration Manager.

Question 48

What are self-service options for Azure AD join?

Answer 48

Out of Box Experience (OOBE), bulk enrollment, or Windows Autopilot.

Question 49

What connectivity do Azure AD joined devices have to on-premises resources?

Answer 49

Azure AD joined devices still maintain SSO access to on-premises resources when they are on the org’s network. They can still authenticate to on-premises servers like file, print, and other applications.

Question 50

What strategy do you use when you need to get mobile devices like tablets and phones under control? What strategy can you not use in this scenario?

Answer 50

Azure AD join. In this scenario, you can’t use an on-premises domain join.

Question 51

What strategy do you use when you want to transition from on-premises to cloud-based infrastructure? The strategy utilizes Azure AD and an MDM tool like Intune.

Answer 51

Azure AD join.

Question 52

What type of organization is Azure AD join intended for?

Answer 52

Organizations that do not have an on-premises Windows Server Active Directory infrastructure.

Question 53

What do you use when your users primarily need access to M365 or other SaaS apps integrated with Azure AD?

Answer 53

Azure AD join.

Question 54

When you want to manage a group of users in Azure AD instead of in Active Directory, what do you use?

Answer 54

Azure AD join.

Question 55

What solution can you make use of when you need to provide workers with joining capabilities and they’re in remote branch offices with limited on-premises infrastructure?

Answer 55

Azure AD join.

Question 56

You can configure Azure AD join for all Windows 10 devices with the exception of ___.

Answer 56

Windows 10 Home devices.

Question 57

The goal of Azure AD joined devices is to simplify what four things?

Answer 57

• Windows deployments of work-owned devices
• Access to organizational apps and resources from any Windows device
• Cloud-based management of work-owned devices
• Users to sign in to their devices with their Azure AD or synced Active Directory work or school accounts.

Question 58

Typically, orgs with an on-premises footprint rely on imaging methods to provision devices, and they often use ___ to manage them.

Answer 58

Configuration Manager or group policy (GP).

Question 59

What are hybrid Azure AD joined devices?

Answer 59

Devices that are joined to your on-premises Active Directory and registered with your Azure AD.

Question 60

Who owns hybrid Azure AD joined devices?

Answer 60

The organization

Question 61

What type of organization are hybrid Azure AD joined devices suitable for?

Answer 61

They are suitable for hybrid organizations with existing on-premises AD infrastructure.

Question 62

What are the key capabilities of hybrid Azure AD joined devices?

Answer 62

• SSO to both cloud and on-premises resources.
• Conditional Access through Domain join or through Intune if co-managed.
• Self-service Password Reset and Windows Hello PIN reset on lock screen.
• Enterprise State Roaming across devices.

Question 63

What do you use when you want to continue to use Group Policy to manage device configuration?

Answer 63

Azure AD hybrid joined devices.

Question 64

If you must support down-level Windows 7 and 8.1 devices in addition to Windows 10, you need to use ___.

Answer 64

Azure AD hybrid joined devices.

Question 65

If you want to continue to use existing imaging solutions to deploy and configure devices, you need to use ___.

Answer 65

Azure AD hybrid joined devices.

Question 66

If you have Win32 apps deployed to devices that rely on Active Directory machine authentication, you need to use ___.

Answer 66

Azure AD hybrid joined devices.

Question 67

What are administrative units?

Answer 67

Resources that act as containers for other Azure AD resources. Used to restrict permissions in a role to any specified portion of your organization.

Question 68

What happens when you use administrative units to delegate a role to regional support specialists?

Answer 68

Using administrative units limits the specialists’ permissions to a specific portion of your organization.

Question 69

You can manage administrative units by using ___, ___, or ___.

Answer 69

The Azure portal, PowerShell cmdlets and scripts, or Microsoft Graph.

Question 70

In a global organization that has suborganization that are semi-autonomous in their operations, administrative units could ___.

Answer 70

represent the suborganizations.

Question 71

An organization whose IT department is scattered globally might create administrative units that define ___.

Answer 71

relevant geographical boundaries

Question 72

Administrative units are a common way to define ___ across Microsoft M365 services.

Answer 72

structure

Question 73

You can expect the creation of administrative units in the organization to go through the following steps:

Answer 73

1. Initial adoption
2. Pruning
3. Stabilization

Question 74

What is the first step that the creation of admin units in an org goes through?

Answer 74

1. Initial adoption: Org creates admin units using initial criteria. The number of admin units increases as the criteria are refined.

Question 75

What is the second step that the creation of admin units in an org goes through?

Answer 75

2. Pruning: After the criteria are defined, admin units that are no longer required will be deleted.

Question 76

What is the third step that the creation of admin units in an org goes through?

Answer 76

3. Stabilization: Your organizational structure is defined, and the number of admin units isn’t going to change significantly in the short term.

Question 77

Organization should move towards a more centralized/decentralized administration.

Answer 77

decentralized

Question 78

One way to delegate app creation and management permissions is to assign one or more ___ to an application.

Answer 78

owners

Question 79

By default in Azure AD, ___ can register application registrations and manage all aspects of applications they create.

Answer 79

all users

Question 80

You can a built-in ___ that grants access to manage configuration in Azure AD for all applications. This grants IT experts access to manage broad app configuration permissions.

Answer 80

admin role

Question 81

One way to delegate app creation and management permissions is to create a custom role defining specific permissions and assigning it to the scope of a ____ application as a limited owner, or at the ___ (all apps) as a limited admin.

Answer 81

directory scope

Question 82

Two benefits of delegating the ability to perform admin tasks are:

Answer 82

1. Reduces global admin overhead.

2. Using limited permissions improves your security posture, reduces the potential for unauthorized access.

Question 83

It’s work to develop a delegation model that fits your needs. Developing a delegation model is an iterative design process, and we suggest you follow these steps:

• Define the ___ you need.
• Delegate app ___.
• Grant the ability to ___ applications.
• Delegate app ___.
• Develop a ___ plan.
• Establish ___ accounts.
• Secure your ___ roles.
• Make privileged ___ temporary.

Answer 83

roles
administration
register
ownership
security
emergency
admin 
elevation

Rhinos ate red apple sauce. Elephants ate Eggos.

Question 84

When delegating permissions, determine the Active Directory tasks that are carried out by admins and how they map to roles. Each task should be evaluated for ___, ___, and ___.

Answer 84

frequency, importance, and difficulty.

Question 85

Tasks that you do ___, have limited ___, and are ___ to complete are excellent candidates for delegation.

Answer 85

routinely, risk, trivial

Question 86

Tasks that you do ___ but have great impact across the organization and require high skill levels should be considered very carefully before delegating. Instead, you can temporarily ___ an account to the required role or reassign the task

Answer 86

rarely, elevate

Question 87

Application Admin?

Answer 87

Grants the ability to manage all apps in the directory, including registrations, SSO settings, user and group assignments and licensing, Application Proxy settings, and consent. Doesn’t grant ability to manage Conditional Access.

Question 88

Cloud Application Admin

Answer 88

Grants abilities of the Application Admin, except it doesn’t grant access to Application Proxy settings (because it has no on-premises permission).

Question 89

By default, ___ can create application registrations.

Answer 89

all users

Question 90

To selectively grant the ability to create app registrations:

Answer 90

1. Set “Users can register applications” to “No” in User settings.
2. Assign the user to the Application Developer role.

Question 91

To selectively grant the ability to consent to allow an application to access data:

Answer 91

1. Set Users can consent to applications accessing company data on their behalf To No in User settings under Enterprise apps.
2. Assign the user to the Application Developer role.

Question 92

When an Application Developer creates a new application registration, they are automatically added as ___.

Answer 92

the first owner

Question 93

An enterprise application can have ___ owners, and a user can be the owner for ___ enterprise applications.

Answer 93

many, many

Question 94

Enterprise Application Owner

Answer 94

Role that grants the ability to manage the enterprise apps that the user owns, including SSO settings, user and group assignments, and adding additional owners.

Question 95

What ability does the Enterprise Application Owner role not grant?

Answer 95

It doesn’t grant the ability to manage Application Proxy settings or Conditional Access.

Question 96

Application Registration Owner

Answer 96

Role that grants the ability to manage application registrations for app that the user owns, including the application manifest and adding additional owners.

Question 97

What are emergency accounts used for?

Answer 97

To maintain access to your identity management store when issue arises.

Question 98

What does the Security Defaults feature do?

Answer 98

Enforces MFA on privileged Azure AD accounts.

Question 99

What are tenant-wide settings?

Answer 99

Configuration options that apply to all resources within your tenant. They control the look, feel and configuration of your tenant and its members.

Question 100

Tenant Properties

Answer 100

Where you give the name of your directory and set values like the primary contact.

Question 101

User Settings

Answer 101

Where you define what global rights your users have, like registering applications.

Question 102

External Collaboration Settings

Answer 102

Where you define what task an external guest user can perform like inviting more guest users.

Question 103

In Azure AD, the default user permissions can be changed only in ___.

Answer 103

user settings

Question 104

A user’s access consists of the ___ of user, their ___ assignments, and their ownership of ___ objects.

Answer 104

type, role, individual

Question 105

Member users can ___.

Answer 105

• Register applications.
• Manage their own profile photo and mobile phone number.
• Change their own password.
• Invite guest users.
• Read all directory info (with few exceptions).

Question 106

Guest users can ___.

Answer 106

• Manage their own profile.
• Change their own password.
• Retrieve some info about other users, groups, and apps.
• They cannot read all directory info.

Question 107

Guest users can be added to the ___, which grants them full read and write permissions those contain.

Answer 107

admin roles

Question 108

Using ___ minimizes the costs and time associated with implementing your own login, identity, profile management, and password management.

Answer 108

Sign in with Linkedin

Question 109

Common identity-related attacks

Answer 109

Password spray, replay, and phishing.

Question 110

Here you configure the actions that external users can take while using the cloud resources of your tenant.

Answer 110

External collaboration settings.

Question 111

Tenant properties configuration options

Answer 111

• Name
• Country
• Notification language
• Tenant ID
• Technical content
• Global privacy contact
  Privacy statement URL

Question 112

To change the tenant display name:

Answer 112

1. Select Properties.
2. In the Name box, change the tenant name.
3. Select Save.

Question 113

To find the country or region associated with your tenant:

Answer 113

1. Select Properties.

2. Locate the “Country or region” setting.

Question 114

To find the location associated with your tenant:

Answer 114

In the properties blade, under “Tenant properties”, locate Location.

Question 115

To find the TenantID:

Answer 115

1. Select Properties.

2. Locate the TenantID field under the “Tenant properties” header.

Question 116

What privacy info can you add about your org in Azure AD?

Answer 116

• Technical contact.
• Global privacy contact.
• Privacy statement URL.

Question 117

What happens when you don’t add your privacy info in Azure AD?

Answer 117

Your external guests will see text in the Review Permissions box that says, “has not provided links to their terms for you to review.”