SC-300 Set 1 Flashcards
A. Group1 and Group4 only
B. Group1, Group2, Group3, Group4, and Group5
C. Group1 and Group2 only
D. Group1 only
E. Group1, Group2, Group4, and Group5 only
B. Group1, Group2, Group3, Group4, and Group5
B is correct. The feature can be used with security groups, and Microsoft 365 groups that have securityEnabled = TRUE.
You have a Microsoft Exchange organization that uses an SMTP address space of contoso.com. Several users use their contoso.com email address for self-service sign-up to Azure Active Directory (Azure AD). You gain global administrator privileges to the Azure AD tenant that contains the self-signed users. You need to prevent the users from creating user accounts in the contoso.com Azure AD tenant for self-service sign-up to Microsoft 365 services. Which PowerShell cmdlet should you run?
A. Set-MsolCompanySettings
B. Set-MsolDomainFederationSettings
C. Update-MsolFederatedDomain
D. Set-MsolDomain
A. Set-MsolCompanySettings
The correct answer is A. Set-MsolCompanySettings. To prevent users from creating user accounts in the contoso.com Azure AD tenant for self-service sign-up to Microsoft 365 services, you need to run the Set-MsolCompanySettings cmdlet with the -AllowAdHocSubscriptions parameter set to $false. This will disable all self-service sign-ups for all Microsoft cloud-based apps and services in the contoso.com Azure AD tenant.
A. User2 only
B. User1 only
C. User 3 only
D. User1 and User2 only
E. User1, User2, and User3
C. User 3 only
According to this question the answer should be “none”. As someone else mentioned, the answer option has been changed in the exam. User3 now has a Gmail account. In that case, User3 will be the only one getting the one-time passcode.
You have 2,500 users who are assigned Microsoft Office 365 Enterprise E3 licenses. The licenses are assigned to individual users. From the Groups blade in the Azure Active Directory admin center, you assign Microsoft 365 Enterprise E5 licenses to the users. You need to remove the Office 365 Enterprise E3 licenses from the users by using the least amount of administrative effort. What should you use?
A. the Identity Governance blade in the Azure Active Directory admin center
B. the Set-AzureAdUser cmdlet
C. the Licenses blade in the Azure Active Directory admin center
D. the Set-WindowsProductKey cmdlet
C. the Licenses blade in the Azure Active Directory admin center
You can unassign licenses from users on either the Active users page, or on the Licenses page. The method you use depends on whether you want to unassign product licenses from specific users or unassign user licenses from a specific product.
Note: There are several versions of this question in the exam. The question has two possible correct answers:
1. the Licenses blade in the Azure Active Directory admin center
2. the Set-MsolUserLicense cmdlet
Other incorrect answer options you may see on the exam include the following:
✑ the Administrative units blade in the Azure Active Directory admin center
✑ the Groups blade in the Azure Active Directory admin center
✑ the Set-AzureAdGroup cmdlet
From a Microsoft SharePoint Online site, a user invites user3@adatum.com to the site. For each of the following statements, select Yes if the statement is true. Otherwise, select No.
User1 can accept the invitation and gain access to the enterprise application.
-YES
-NO
User2 can access the enterprise application.
-YES
-NO
User3 can accept the invitation and gain access to the SharePoint site.
-YES
-NO
Box 1: Yes - Invitations can only be sent to outlook.com. Therefore, User1 can accept the invitation and access the application.
Box 2: Yes - Invitations can only be sent to outlook.com. However, User2 has already received and accepted an invitation so User2 can access the application.
Box 3: No - Invitations can only be sent to outlook.com. Therefore, User3 will not receive an invitation.
You have an Azure Active Directory (Azure AD) tenant named contoso.com. You plan to bulk invite Azure AD business-to-business (B2B) collaboration users. Which two parameters must you include when you create the bulk invite? Each correct answer presents part of the solution.
A. email address
B. redirection URL
C. username
D. shared key
E. password
A. email address
B. redirection URL
When creating a bulk invite for Azure AD business-to-business (B2B) collaboration users, you must include the following parameters:
A. Email address: The email address is required to specify the email of the external user who will be invited to collaborate with your organization.
B. Redirection URL: The redirection URL is necessary to specify where the invited user will be redirected to after they accept the invitation. It typically leads to the sign-up or sign-in page for the external user’s organization.
A. User2 and Group2 only
B. User2, Group1, and Group2 only
C. User1, User2, Group1 and Group2
D. User1 and User2 only
E. User2 only
E. User2 only
You can’t assign the users with no license. 100%
You have an on-premises Microsoft Exchange organization that uses an SMTP address space of contoso.com. You discover that users use their email address for self-service sign-up to Microsoft 365 services. You need to gain global administrator privileges to the Azure Active Directory (Azure AD) tenant that contains the self-signed users. Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
- Create a self-signed user account in Azure AD tenant
- Sign in to the Microsoft 365 admin center
- Respond to the Become the Admin message
- Create TXT record in the contoso.com DNS zone
Group A - User1, Group1, Group2 and Group3. Group A cannot contain M365 groups.
Group B - User1 only; M365 groups cannot contain other groups.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Active Directory forest that syncs to an Azure Active Directory (Azure AD) tenant. You discover that when a user account is disabled in Active Directory, the disabled user can still authenticate to Azure AD for up to 30 minutes. You need to ensure that when a user account is disabled in Active Directory, the user account is immediately prevented from authenticating to Azure AD. Solution: You configure password writeback. Does this meet the goal?
A. Yes
B. No
Answer B. NO
Password writeback is a feature of Azure AD Connect which ensures that when a password changes in Azure AD (password change, self-service password reset, or an administrative change to a user password) it is written back to the local AD – if it meets the on-premises AD password policy.
Technically, a password write-back operation is a password “reset” action. Password writeback removes the need to set up an on-premises solution for users to reset their password. It all happens in real time, and so users are notified immediately if their password could not be reset or changed for any reason.
You have an Active Directory forest that syncs to an Azure Active Directory (Azure AD) tenant. You discover that when a user account is disabled in Active Directory, the disabled user can still authenticate to Azure AD for up to 30 minutes. You need to ensure that when a user account is disabled in Active Directory, the user account is immediately prevented from authenticating to Azure AD. Solution: You configure pass-through authentication. Does this meet the goal?
A. Yes
B. No
Answer A. YES
Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications by using the same passwords. Pass-through Authentication signs users in by validating their passwords directly against on-premises Active Directory.
You have an Azure Active Directory (Azure AD) tenant that syncs to an Active Directory forest. You discover that when a user account is disabled in Active Directory, the disabled user can still authenticate to Azure AD for up to 30 minutes. You need to ensure that when a user account is disabled in Active Directory, the user account is immediately prevented from authenticating to Azure AD. Solution: You configure conditional access policies. Does this meet the goal?
A. Yes
B. No
Answer B. NO
Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. It uses a lightweight on-premises agent that listens for and responds to password validation requests. If disabled, the user cannot log in.
You have an Active Directory forest that syncs to an Azure Active Directory (Azure AD) tenant. You discover that when a user account is disabled in Active Directory, the disabled user can still authenticate to Azure AD for up to 30 minutes. You need to ensure that when a user account is disabled in Active Directory, the user account is immediately prevented from authenticating to Azure AD. Solution: You configure Azure AD Password Protection. Does this meet the goal?
A. Yes
B. No
B. No
Azure AD Password Protection: With this feature, you can use the same checks for passwords in Azure AD on your on-premises Active Directory implementation. You can enforce both the Microsoft Global Banned Passwords and Custom banned-passwords list stored in the Azure AD tenant. The DC agent software must be installed on all DCs in a domain.
PTA (Passthrough authentication) is the only thing that’ll work
You have an Azure Active Directory (Azure AD) tenant that contains the following objects.
✑ A device named Device1
✑ Users named User1, User2, User3, User4, and User5
✑ Five groups named Group1, Group2, Group3, Group4, and Group5
The groups are configured as shown in the following table.
How many licenses are used if you assign the Microsoft 365 Enterprise E5 license to Group1?
Answer B. 2
B: 2 licenses, because nested groups do not inherit licenses and an M365 group cannot be a member of a security group.
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains an Azure AD enterprise application named App1.
A contractor uses the credentials of user1@outlook.com. You need to ensure that you can provide the contractor with access to App1. The contractor must be able to authenticate as user1@outlook.com. What should you do?
A. Run the New-AzADUser cmdlet.
B. Configure the External collaboration settings.
C. Add a WS-Fed identity provider.
D. Create a guest user account in contoso.com.
D. Create a guest user account in contoso.com.
Correct answer is D. New-AzADUser is used to create a new Active Directory user as a work/school account.
Probably in the exam the cmdlet New-AzureADMSInvitation is proposed and correct.
Your network contains an Active Directory forest named contoso.com that is linked to an Azure Active Directory (Azure AD) tenant named contoso.com by using Azure AD Connect.
You need to prevent the synchronization of users who have the extensionAttribute15 attribute set to NoSync.
What should you do in Azure AD Connect?
A. Create an inbound synchronization rule for the Windows Azure Active Directory connector.
B. Configure a Full Import run profile.
C. Create an inbound synchronization rule for the Active Directory Domain Services connector.
D. Configure an Export run profile.
C. Create an inbound synchronization rule for the Active Directory Domain Services connector.
A. User1 and User3 only
B. User1 only
C. User1, User2, and User3
D. User1 and User2 only
A. User1 and User3 only
Pass-through authentication is configured. A synced user will try to authenticate on the local AD and be unable to authenticate due to the internet outage. Only cloud users (User1 and User3) can be authenticated.
Your network contains an on-premises Active Directory domain named contoso.com. The domain contains the objects shown in the following table.
User1 syncs to Azure AD - YES
User2 syncs to Azure AD - NO
Group2 syncs to Azure AD - YES
You have an Azure Active Directory (Azure AD) tenant named contoso.com. You need to ensure that Azure AD External Identities pricing is based on monthly active users (MAU). What should you configure?
A. a user flow
B. the terms of use
C. a linked subscription
D. an access review
C. a linked subscription
To take advantage of MAU billing, your Azure AD tenant must be linked to an Azure subscription.
DRAG DROP -
You have a new Microsoft 365 tenant that uses a domain name of contoso.onmicrosoft.com. You register the name contoso.com with a domain registrar. You need to use contoso.com as the default domain name for new Microsoft 365 users. Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
1. Add a custom domain name of contoso.com
2. Create a new TXT record in DNS
3. Successfully verify the domain name
4. Set the domain to primary
- No. Maximum number of devices: This setting enables you to select the maximum number of Azure AD joined or Azure AD registered devices that a user can have in Azure AD.
- Yes. You must be assigned one of the following roles to view or manage device settings in the Azure portal: Global Administrator, Cloud Device Administrator, Global Reader, Directory Reader.
- No. Only Azure AD joined devices.
Microsoft Purview
User1: Azure Active Directory admin center
User2: Microsoft Purview
User3: (Intune) Microsoft Endpoint Manager admin center
A. Server4
B. Server2
C. Server1
D. Server3
A. Server4
The standalone Authentication Agents can be installed on any Windows Server 2016 or later, with TLS 1.2 enabled. The server needs to be on the same Active Directory forest as the users whose passwords you need to validate.
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains an Azure AD enterprise application named App1.
A contractor uses the credentials of user1@outlook.com.
You need to ensure that you can provide the contractor with access to App1. The contractor must be able to authenticate as user1@outlook.com.
What should you do?
A. Run the New-AzureADMSInvitation cmdlet.
B. Configure the External collaboration settings.
C. Add a WS-Fed identity provider.
D. Implement Azure AD Connect.
A. Run the New-AzureADMSInvitation cmdlet.
You have 2,500 users who are assigned Microsoft Office 365 Enterprise E3 licenses. The licenses are assigned to individual users.
From the Groups blade in the Azure Active Directory admin center, you assign Microsoft 365 Enterprise E5 licenses to the users.
You need to remove the Office 365 Enterprise E3 licenses from the users by using the least amount of administrative effort.
What should you use?
A. the Administrative units blade in the Azure Active Directory admin center
B. the Set-AzureAdUser cmdlet
C. the Groups blade in the Azure Active Directory admin center
D. the Set-MsolUserLicense cmdlet
D. the Set-MsolUserLicense cmdlet
You have an Azure Active Directory (Azure AD) tenant and an Azure web app named App1.
You need to provide guest users with self-service sign-up for App1. The solution must meet the following requirements:
- Guest users must be able to sign up by using a one-time password.
- The users must provide their first name, last name, city, and email address during the sign-up process.
What should you configure in the Azure Active Directory admin center for each requirement?
You have an Azure Active Directory (Azure AD) tenant.
You need to bulk create 25 new user accounts by uploading a template file.
Which properties are required in the template file?
A. displayName, identityIssuer, usageLocation, and userType
B. accountEnabled, givenName, surname, and userPrincipalName
C. accountEnabled, displayName, userPrincipalName, and passwordProfile
D. accountEnabled, passwordProfile, usageLocation, and userPrincipalName
C. accountEnabled, displayName, userPrincipalName, and passwordProfile
The correct answer is C, but according to the CSV in the Microsoft doc, the column names are a bit different: “The only required values are Name, User principal name, Initial password and Block sign in (Yes/No).”