2026/January Latest Braindump2go SC-300 Exam Dumps with PDF and VCE Free Updated Today! Following are some new Braindump2go SC-300 Real Exam Questions!
QUESTION 260
You have an Azure AD tenant.
You need to ensure that only users from specific external domains can be invited as guests to the tenant.
Which settings should you configure?
A. External collaboration settings
B. All identity providers
C. Cross-tenant access settings
D. Linked subscriptions
Answer: A
QUESTION 261
You have an Azure AD tenant that contains a user named User1 and a Microsoft 365 group named Group1. User1 is the owner of Group1.
You need to ensure that User1 is notified every three months to validate the guest membership of Group1.
What should you do?
A. Configure the External collaboration settings.
B. Create an access review.
C. Configure an access package.
D. Create a group expiration policy.
Answer: B
Explanation:
An access review is a process that allows you to review and manage the access of users and groups to resources. You can use access reviews to validate the guest membership of Group1 every three months.
QUESTION 262
You have an Azure AD tenant.
You deploy a new enterprise application named App1.
When users attempt to provide App1 with access to the tenant, the attempt fails.
You need to ensure that the users can request admin consent for App1. The solution must follow the principle of least privilege.
What should you do first?
A. Enable admin consent requests for the tenant.
B. Designate a reviewer of admin consent requests for the tenant.
C. From the Permissions settings of App1, grant App1 admin consent for the tenant.
D. Create a Conditional Access policy for App1.
Answer: A
Explanation:
To ensure that users can request admin consent for App1 in your Azure AD tenant, you should first enable admin consent requests for the tenant.
Enabling admin consent requests allows users to initiate the process of requesting admin consent for applications that require it. By default, users do not have the ability to grant admin consent for applications. Enabling this feature ensures that users can request admin consent for App1 without having to rely on an administrator to initiate the process.
QUESTION 263
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 tenant.
All users must use the Microsoft Authenticator app for multi-factor authentication (MFA) when accessing Microsoft 365 services.
Some users report that they received an MFA prompt on their Microsoft Authenticator app without initiating a sign-in request.
You need to block the users automatically when they report an MFA request that they did not initiate.
Solution: From the Azure Active Directory admin center, you configure the Block/unblock users settings for multi-factor authentication (MFA).
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Report suspicious activity and the legacy Fraud Alert implementation can operate in parallel. You can keep your tenant-wide Fraud Alert functionality in place while you start to use Report suspicious activity with a targeted test group.
If Fraud Alert is enabled with Automatic Blocking, and Report suspicious activity is enabled, the user will be added to the blocklist and set as high-risk and in-scope for any other policies configured. These users will need to be removed from the blocklist and have their risk remediated to enable them to sign in with MFA.
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings#report-suspicious-activity-and-fraud-alert
QUESTION 264
You have an Azure subscription that contains a user named User1.
The App registration settings for the Azure AD tenant are configured as shown in the following exhibit.
![]()
User1 builds an ASP.NET web app named App1.
You need to ensure that User1 can register App1. The solution must use the principle of least privilege.
Which role should you assign to User1?
A. Application Developer
B. Cloud App Security Administrator
C. Cloud Application Administrator
D. Application Administrator
Answer: A
Explanation:
Assign the Application Developer role to grant the ability to create application registrations when the Users can register applications setting is set to No. This role also grants permission to consent on one’s own behalf when the Users can consent to apps accessing company data on their behalf setting is set to No.
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-app-roles#grant-individual-permissions-to-create-and-consent-to-applications-when-the-default-ability-is-disabled
QUESTION 265
Hotspot Question
You have an Azure subscription that contains the resources shown in the following table.
![]()
The subscription contains the virtual machines shown in the following table.
![]()
Which identities can be assigned the Owner role for RG1, and to which virtual machines can you assign Managed2? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
![]()
Answer:
![]()
QUESTION 266
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Cloud Apps.
You plan to increase app security for the subscription.
You need to identify which apps do NOT require user authentication.
What should you do in the Microsoft 365 Defender portal?
A. Review the cloud app catalog.
B. Create an OAuth policy and review alerts.
C. Create a snapshot Cloud Discovery report.
D. Create a discovered app query.
Answer: A
Explanation:
To identify which apps do NOT require user authentication in the Microsoft 365 Defender portal, you should review the cloud app catalog.
Reviewing the cloud app catalog in the Microsoft 365 Defender portal provides you with a comprehensive list of all the apps connected to your Microsoft 365 environment. It allows you to see which apps require user authentication and which ones do not.
QUESTION 267
You have an Azure subscription that contains the users shown in the following table.
![]()
You need to implement Azure AD Privileged Identity Management (PIM).
Which users can use PIM to activate their role permissions?
A. Admin1 only
B. Admin2 only
C. Admin3 only
D. Admin1 and Admin2 only
E. Admin2 and Admin3 only
F. Admin1, Admin2, and Admin3
Answer: C
Explanation:
You cannot manage the following classic subscription administrator roles in Privileged Identity Management:
– Account Administrator
– Service Administrator
– Co-Administrator
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-roles
QUESTION 268
Hotspot Question
You have an Azure AD tenant.
You perform the tasks shown in the following table.
![]()
On April 5, an administrator deletes App1, App2, App3, and App4.
You need to restore the apps and the settings.
Which apps can you restore on April 16, and which settings can you restore for App4 on April 16? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
![]()
Answer:
![]()
Explanation:
After you delete an app registration, the app remains in a suspended state for 30 days. During that 30-day window, the app registration can be restored, along with all its properties.
Box 1: App1, App2, App3, and App4
Box 2: App roles, Users and groups, client secrets, and Self-service
https://learn.microsoft.com/en-us/entra/identity-platform/howto-restore-app
QUESTION 269
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Amazon Web Services (AWS) account, a Google Workspace subscription, and a GitHub account.
You deploy an Azure subscription and enable Microsoft 365 Defender.
You need to ensure that you can monitor OAuth authentication requests by using Microsoft Defender for Cloud Apps.
Solution: From the Microsoft 365 Defender portal, you add the GitHub app connector.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Adding the GitHub app connector to Microsoft Defender for Cloud Apps will allow you to monitor OAuth authentication requests from GitHub to Microsoft 365. However, it will not allow you to monitor OAuth authentication requests to your AWS account, Google Workspace subscription, or Azure subscription.
QUESTION 270
You have an Azure AD tenant.
You plan to implement Azure AD Privileged Identity Management (PIM).
Which roles can you manage by using PIM?
A. Global Administrator only
B. Global Administrator and Security Administrator only
C. Global Administrator, Security Administrator, and Security Contributor only
D. Account Administrator, Global Administrator, Security Administrator, and Security Contributor only
Answer: B
Explanation:
You can manage just-in-time assignments to all Microsoft Entra roles and all Azure roles using Privileged Identity Management (PIM) in Microsoft Entra ID.
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
QUESTION 271
Hotspot Question
Your company uses Microsoft Entra ID to manage user and guest access to its Microsoft 365 services.
You have recently enabled Guest access to enable your users to collaborate with another company on projects. The current user setting configuration is shown in the three exhibits.
![]()
![]()
![]()
One of the new project teams that you need to collaborate with has the following requirements:
![]()
Some of the users report:
– User-GU-A (guest user) reports that they do not currently have the same access as UserC.
– UserB reports that they cannot use the combined security information registration experience.
– UserD reports that they cannot access LinkedIn with their Microsoft Entra ID account.
You need to update the user settings within Microsoft Entra to meet the users’ requirements. For each of the following statements, select Yes if the statement is true. Otherwise, select No.
![]()
Answer:
![]()
Explanation:
You should change Guest user access to be more inclusive to allow User-GU-A to have the same access as UserC. With the current configuration of the User Settings and User Features, as shown in the three exhibits, Guest user access is set to limit access to properties and memberships of directory objects. To allow User-GU-A to have the same access as UserC, this setting would need to change to the most inclusive setting, which is Guest users have the same access as members.
You do not need to add UserB to the AWS-WS group to allow them access to My Staff. With the current configuration of the User Settings and User Features, as shown in the three exhibits, only the AVD-Users group has been added to the Administrator can access My Staff setting. Because UserB is already a member of this group, they already have the access they need to My Staff, and you do not need to add them to the AWS-WS group.
It is not the case that only UserA and UserD can access the combined security information registration experience. With the current configuration of the User Settings and User Features, as shown in the three exhibits, the AVD-Users group is selected under the Users can use the combined security information registration experience setting. In this scenario, UserA, UserB, and UserD are all in the AVD-Users group.
QUESTION 272
A company has a hybrid environment with both on-premises Active Directory and Microsoft Entra ID. An IT administrator notices that users are not syncing anymore from the on-premises directory to the cloud.
You need to make sure that Active Directory and Microsoft Entra ID are in sync.
What is the first step you should take to troubleshoot the issue?
A. Check the network connectivity between the on-premises and Microsoft Entra ID
B. Check the Microsoft Entra Connect sync configuration
C. Check the Microsoft Entra Connect Health sync status
D. Check the Event Viewer for error messages
Answer: C
Explanation:
You should check the Microsoft Entra Connect Health sync status as the very first step to troubleshoot the issue. Microsoft Entra Connect Health is a feature of Microsoft Entra ID that allows you to monitor and troubleshoot the directory synchronization between your on-premises Active Directory and Microsoft Entra ID. The Microsoft Entra Connect Health dashboard provides real-time monitoring and alerting for the synchronization service, including the status of the sync engine, the number of objects synced, and any errors that may have occurred. By checking the dashboard and identifying the root cause of the issue, the IT administrator can then take the appropriate steps to resolve the issue and re-establish the sync between on-premises Active Directory and Microsoft Entra ID.
Your first step should not be to check the Event Viewer for error messages. The very first step to troubleshoot the issue with Microsoft Entra Connect should be to check the Microsoft Entra Connect Health sync status in a centralized dashboard to identify the root cause of the issue. Only after this first step should you check the event log on the server running Microsoft Entra Connect to see if there are any relevant events or errors that may be related to the syncing issue.
You should not check the Microsoft Entra Connect sync configuration as the very first step to troubleshoot the issue. Verifying the Microsoft Entra Connect sync configuration is one of the next steps during the troubleshooting. In this step you should check the Microsoft Entra Connect sync service and ensure that it is running and configured correctly. If the service is stopped, the administrator should start it again and check the configuration to ensure that it is correct.
You should not check the network connectivity between the on-premises and Microsoft Entra ID as the very first step to troubleshoot the issue. The first step is to identify the root cause of the issue. If the issue is related to network connectivity, the administrator should check the network connection between the on-premises and Microsoft Entra ID environments to ensure that there is no problem with it, such as a firewall restriction.
QUESTION 273
Your organization has an existing Microsoft 365 tenant. The following end-user devices have been onboarded into your tenant:
![]()
You set up a conditional access policy as shown in the exhibits. The support desk receives complaints that users are unable to access cloud resources due to MFA registration failing.
![]()
![]()
![]()
You need to report which of the new devices have been blocked from accessing cloud resources.
Which three devices does the Conditional Access policy block from accessing cloud resources? Each correct answer presents part of the solution.
A. DeviceE
B. DeviceF
C. DeviceD
D. DeviceB
E. DeviceA
F. DeviceC
Answer: BEF
Explanation:
The Conditional Access policy will block DeviceA, DeviceC, and DeviceF from accessing cloud resources in the tenant.
The policy's Access controls are configured to grant access only to devices that are Hybrid Microsoft Entra joined and located in the UK Office. In this scenario, these three devices are all Microsoft Entra registered only and are all located outside the UK Office, so they will be blocked.
DeviceB, DeviceD, and DeviceE will all be granted access as they meet the requirement set in the policy of being Hybrid Microsoft Entra joined devices and located in the UK Office.
QUESTION 274
Drag and Drop Question
Your company is planning on using Privileged Identity Management (PIM) to grant administrative access to Azure resources.
You are setting up PIM for the first time and establishing the workflow that will be used to ensure that PIM can be used by the first user.
What roles should you use for the following actions, while following the principle of least privilege? To answer, drag the appropriate role to each action. A role may be used once, more than once, or not at all.
![]()
Answer:
![]()
Explanation:
You should use the Privileged Identity Management (PIM) Administrator role to determine the users and roles to be managed using PIM. The PIM Administrator will be the person performing the initial setup of PIM and will therefore need to collect the requirements for the implementation.
You should use the PIM Administrator role to assign users as eligible admins. The PIM Administrator will determine and configure which users will have which rights within the environment. As this is an administrative task, the PIM Administrator role will be required for this.
You should use the PIM User role to request the activation of eligible admin roles. When users require elevated rights for their account, they can create a PIM activation request to be granted the requested permissions.
You should use the PIM Approver role to view and approve activation requests. When PIM requests are created, the PIM Approver will approve or deny the request for the elevated permissions.
You should use the PIM Administrator role to view and export a history of assignments and activations. The PIM Administrator can access the history to make sure compliance requirements are met.
QUESTION 275
Hotspot Question
Your network contains an on-premises Active Directory Domain Services (AD DS) domain named fabrikam.com. The domain contains an Active Directory Federation Services (AD FS) instance and a member server named Server1 that runs Windows Server. The domain contains the users shown in the following table.
![]()
You have a Microsoft Entra tenant named contoso.com that is linked to a Microsoft 365 subscription.
You establish federation between fabrikam.com and contoso.com by using a Microsoft Entra Connect instance that is configured as shown in the following exhibit.
![]()
You perform the following tasks in contoso.com:
– Create a group named Group1.
– Disable User2.
– Enable User3.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
![]()
Answer:
![]()
Explanation:
Box 1: Yes
Group1 is created in the Entra ID tenant, and the user is synced, so this is possible. It doesn’t state that the group should be visible on-prem.
Box 2: Yes
The user is a directory-synced user, so authority lies on-prem. Disabling it from the Entra ID portal will have no effect. The server is also an on-prem server. Disabling should be done in on-prem AD DS.
Box 3: No
You enable the account in the Entra ID tenant, but the account is directory-synced, so authority lies with the on-prem AD; enabling from the portal is not possible.
QUESTION 276
Hotspot Question
You have a Microsoft Entra tenant that has a Microsoft Entra ID P2 service plan. The tenant contains the users shown in the following table.
![]()
You have the Device settings shown in the following exhibit.
![]()
User1 has the devices shown in the following table.
![]()
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
![]()
Answer:
![]()
QUESTION 277
You have an Azure subscription named Sub1 that contains a user named User1.
You need to ensure that User1 can purchase a Microsoft Entra Permissions Management license for Sub1. The solution must follow the principle of least privilege.
Which role should you assign to User1?
A. Global Administrator
B. Billing Administrator
C. Permissions Management Administrator
D. User Access Administrator
Answer: B
QUESTION 278
You have an Azure subscription that contains a user named User1 and two resource groups named RG1 and RG2.
You need to ensure that User1 can perform the following tasks:
– View all resources.
– Restart virtual machines.
– Create virtual machines in RG1 only.
– Create storage accounts in RG1 only.
What is the minimum number of role-based access control (RBAC) role assignments required?
A. 1
B. 2
C. 3
D. 4
Answer: C
Explanation:
Assign User1 the “Reader” role at the subscription level to view all resources.
Assign User1 the “Virtual Machine Contributor” role at the RG1 level to restart virtual machines and create virtual machines in RG1 only.
Assign User1 the “Storage Account Contributor” role at the RG1 level to create storage accounts in RG1 only.
QUESTION 279
You work for a company named Contoso, Ltd. that has a Microsoft Entra tenant named contoso.com.
Contoso is working on a project with the following two partner companies:
– A company named A. Datum Corporation that has a Microsoft Entra tenant named adatum.com.
– A company named Fabrikam, Inc. that has a Microsoft Entra tenant named fabrikam.com.
When you attempt to invite a new guest user from adatum.com to contoso.com, you receive an error message.
You can successfully invite a new guest user from fabrikam.com to contoso.com.
You need to be able to invite new guest users from adatum.com to contoso.com.
What should you configure?
A. Guest invite settings
B. Verifiable credentials
C. Named locations
D. Collaboration restrictions
Answer: D
Explanation:
You need to add adatum.com to the list of domains on External Identities >> External collaboration settings >> Collaboration restrictions >> Allow invitations only to the specified domains.
QUESTION 280
You have a Microsoft 365 subscription that contains a Microsoft SharePoint Online site named Site1 and a Microsoft 365 group named Group1.
You need to ensure that the members of Group1 can access Site1 for 90 days. The solution must minimize administrative effort.
What should you use?
A. an access package
B. an access review
C. a lifecycle workflow
D. a Conditional Access policy
Answer: A
Explanation:
For this scenario, an access package would be the most suitable. An access package in Azure Active Directory (Azure AD) entitlement management is a bundle of resources that you can give to users so they can access a set of related resources. Access packages can be configured to expire after a certain number of days (in this case 90 days), after which access to the resources is automatically revoked, saving administrative effort.
QUESTION 281
Hotspot Question
You have a Microsoft Entra tenant that contains multiple storage accounts.
You plan to deploy multiple Azure App Service apps that will require access to the storage accounts.
You need to recommend an identity solution to provide the apps with access to the storage accounts. The solution must minimize administrative effort.
Which type of identity should you recommend, and what should you recommend using to control access to the storage accounts? To answer, select the appropriate options in the answer area.
![]()
Answer:
![]()
Explanation:
https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage?tabs=azure-portal
QUESTION 282
You have an Azure subscription named Sub1 that contains a resource group named RG1. RG1 contains an Azure Cosmos DB database named DB1 and an Azure Kubernetes Service (AKS) cluster named AKS1. AKS1 uses a managed identity.
You need to ensure that AKS1 can access DB1. The solution must meet the following requirements:
– Ensure that AKS1 uses the managed identity to access DB1.
– Follow the principle of least privilege.
Which role should you assign to the managed identity of AKS1?
A. For Sub1, assign the Owner role.
B. For DB1, assign the Azure Cosmos DB Account Reader Role role.
C. For RG1, assign the Azure Cosmos DB Data Reader Role role.
D. For RG1, assign the Reader role.
Answer: B
QUESTION 283
You have an Azure subscription that contains a storage account named storage1 and a web app named WebApp1. WebApp1 uses a system-assigned managed identity.
You need to ensure that WebApp1 can read and write files to storage1 by using the system-assigned managed identity.
What should you configure for storage1 in the Azure portal?
A. data protection
B. a shared access signature (SAS)
C. the Access control (IAM) settings
D. the File share settings
E. access keys
Answer: C
Explanation:
In the Azure portal, go into your storage account to grant your web app access. Select Access control (IAM) in the left pane, and then select Role assignments. You’ll see a list of who has access to the storage account. Now you want to add a role assignment to a robot, the app service that needs access to the storage account. Select Add > Add role assignment to open the Add role assignment page.
https://learn.microsoft.com/en-us/entra/identity-platform/multi-service-web-app-access-storage?tabs=azure-portal%2Cprogramming-language-csharp#grant-access-to-the-storage-account
QUESTION 284
You have a Microsoft 365 tenant.
In Microsoft Entra ID, you configure the terms of use.
You need to ensure that only users who accept the terms of use can access the resources in the tenant. Other users must be denied access.
What should you configure?
A. Terms and conditions in Microsoft Intune
B. an access policy in Microsoft Defender for Cloud Apps
C. a conditional access policy in Microsoft Entra ID
D. a compliance policy in Microsoft Intune
Answer: C
QUESTION 285
You have a Microsoft 365 E5 subscription that contains a user named User1. User1 is eligible for the Application Administrator role.
User1 needs to configure a new connector group for an application proxy.
What should you use to activate the role for User1?
A. the Microsoft 365 Defender portal
B. the Microsoft 365 admin center
C. the Microsoft Intune admin center
D. the Azure Active Directory admin center
Answer: D
QUESTION 286
Your on-premises network contains an Active Directory Domain Services (AD DS) domain and a certification authority (CA) named CA1.
You have an Azure AD tenant.
You need to implement certificate-based authentication in Azure AD. The solution must ensure that users can sign in by using certificates issued by CA1. What should you do first?
A. Deploy an Azure key vault.
B. Add CA1 as a Certificate Authority to the Microsoft Entra ID tenant.
C. Enable auto-enrollment for CA1.
D. Deploy Windows Hello for Business.
Answer: B
Explanation:
https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-certificate-based-authentication
QUESTION 287
You have accounts for the following cloud platforms:
– Azure
– Alibaba Cloud
– Amazon Web Services (AWS)
– Google Cloud Platform (GCP)
You configure an Azure subscription to use Microsoft Entra Permissions Management to manage the permissions in Azure only.
Which additional cloud platforms can be managed by using Permissions Management?
A. AWS only
B. Alibaba Cloud and AWS only
C. Alibaba Cloud and GCP only
D. AWS and GCP only
E. Alibaba Cloud, AWS, and GCP
Answer: D
Explanation:
Microsoft Entra Permissions Management is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities, for example over-privileged workload and user identities, and into actions and resources across multicloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
QUESTION 288
You have three Azure subscriptions that are linked to a single Microsoft Entra tenant.
You need to evaluate and remediate the risks associated with highly privileged accounts. The solution must minimize administrative effort.
What should you use?
A. Global Secure Access
B. Privileged Identity Management (PIM)
C. Microsoft Entra Permissions Management
D. Microsoft Entra Verified ID
Answer: C
QUESTION 289
You have an Azure subscription named Sub1 that uses Microsoft Entra Permissions Management. Sub1 contains a user named User1. User1 is granted multiple permissions across Sub1.
You need to replace all the permissions granted to User1 with read-only permissions. The solution must minimize administrative effort.
What should you do on the Remediation tab in Permissions Management?
A. From the Role/Policy Template subtab, create a template.
B. From the My Requests subtab, create a new request.
C. From the Roles/Policies subtab, create a role.
D. From the Permissions subtab, use a quick action.
Answer: D
Explanation:
There are four quick actions that can be used to manage users:
– Revoke Unused Tasks
– Revoke High-Risk Tasks
– Revoke Delete Tasks
– Assign Read-Only Status
https://learn.microsoft.com/en-us/training/permissions-management/explore-features-of-permissions-management/9-act-on-your-findings-with-remediation-tab
QUESTION 290
You have an Azure subscription that contains a user named User1. The subscription is onboarded to Microsoft Entra Permissions Management.
You need to provide User1 with access to Permissions Management. The solution must meet the following requirements:
– Follow the principle of least privilege.
– Minimize administrative effort.
What should you do first?
A. From the Role/Policy Template subtab of Permissions Management, create a template.
B. From the Microsoft Entra admin center, create a security group.
C. From the My Requests subtab of Permissions Management, create a new request.
D. From the Microsoft Entra admin center, assign a role to User1.
Answer: B
Explanation:
Permissions Management has its own group-based access system that provides granular control over what cloud environments, authorization systems, and permissions users have access to. The settings to manage these areas are found under the User Management tab of the product, which is in your profile dropdown menu.
https://learn.microsoft.com/en-us/training/permissions-management/explore-features-of-permissions-management/13-manage-access-to-microsoft-entra-permissions-management
QUESTION 291
Drag and Drop Question
You have an Azure subscription that contains the resources shown in the following table.
![]()
The subscription uses Privileged Identity Management (PIM).
You need to configure the following access controls by using PIM:
– Ensure that User1 can read and update Secret1.
– Ensure that User2 can read the contents of the secrets stored in Vault2.
The solution must follow the principle of least privilege.
Which authorization method should you use for each user? To answer, drag the appropriate authorization methods to the correct users. Each authorization method may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
![]()
Answer:
![]()
QUESTION 292
Hotspot Question
You have two Azure subscriptions named Sub1 and Sub2 that are linked to a Microsoft Entra tenant. The tenant contains three groups named Group1, Group2, and Group3.
The subscriptions contain the resources shown in the following table.
![]()
The tenant contains the users shown in the following table.
![]()
You manage the subscriptions by using Microsoft Entra Permissions Management. Permissions Management is configured as shown in the following table.
![]()
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
![]()
Answer:
![]()
Explanation:
No – User1 is part of the group that can request access to Sub1, not Sub2.
No – User1 can request access to Sub1 on behalf of other identities, not User2.
Yes – User3’s group can approve access requests for all subscriptions.
QUESTION 293
Hotspot Question
You have an Azure subscription that contains a user named User1.
You onboard Microsoft Entra Permissions Management.
You need to perform the following tasks:
– Identify all the accounts that are assigned the Global Administrator role permanently.
– Review the Permission Creep Index (PCI) of User1.
Which tab in Permissions Management should you use for each task? To answer, select the appropriate options in the answer area.
![]()
Answer:
![]()
QUESTION 294
You have an Azure subscription that contains a user-assigned managed identity named Managed1 in the East US Azure region. The subscription contains the resources shown in the following table.
![]()
Which resources can use Managed1 as their identity?
A. WebApp1 only
B. storage1 and WebApp1 only
C. VM1 and WebApp1 only
D. VM1, storage1, and WebApp1
Answer: D
Explanation:
In short, yes, you can use user-assigned managed identities in more than one Azure region. The longer answer is that while user-assigned managed identities are created as regional resources, the associated service principal (SP) created in Microsoft Entra ID is available globally.
https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq
QUESTION 295
You have a Microsoft 365 tenant that uses the domain name fabrikam.com.
The External collaboration settings are configured as shown in the Collaboration exhibit. (Click the Collaboration tab.)
![]()
The Email one-time passcode for guests setting is enabled for the tenant.
A user named [email protected] shares a Microsoft SharePoint Online document library to the users shown in the following table.
![]()
Which users will be emailed a passcode?
A. User1 only
B. User2 only
C. User1 and User2 only
D. User1, User2, and User3
Answer: C
QUESTION 296
You have an Azure subscription named Sub1 that contains a virtual machine named VM1.
You need to enable Microsoft Entra login for VM1 and configure VM1 to access the resources in Sub1.
Which type of identity should you assign to VM1?
A. Microsoft Entra user account
B. user-assigned managed identity
C. Azure Automation account
D. system-assigned managed identity
Answer: D
Explanation:
System-assigned managed identity: This type of managed identity is enabled directly on an Azure resource. In this case, enabling a system-assigned managed identity on VM1 would allow VM1 to authenticate with other Azure resources within Sub1, using the identity associated with VM1.
QUESTION 297
You have 2,500 users who are assigned Microsoft Office 365 Enterprise E3 licenses. The licenses are assigned to individual users.
From the Groups blade in the Microsoft Entra admin center, you assign Microsoft Office 365 Enterprise E5 licenses to a group that includes all users.
You need to remove the Office 365 Enterprise E3 licenses from the users by using the least amount of administrative effort.
What should you use?
A. the Set-WindowsProductKey cmdlet
B. the Update-MgGroup cmdlet
C. the Set-MgUserLicense cmdlet
D. the Update-MgUser cmdlet
Answer: C
Explanation:
To remove the Office 365 Enterprise E3 licenses from the users who are now part of a group with Office 365 Enterprise E5 licenses assigned, you should use the Set-MgUserLicense cmdlet. This cmdlet allows you to modify the licenses assigned to a user. By using this cmdlet, you can remove the Office 365 Enterprise E3 licenses from all users who are part of the group where you assigned the Office 365 Enterprise E5 licenses.
QUESTION 298
You have 2,500 users who are assigned Microsoft Office 365 Enterprise E3 licenses. The licenses are assigned to individual users.
From the Groups blade in the Microsoft Entra admin center, you assign Microsoft Office 365 Enterprise E5 licenses to a group that includes all users.
You need to remove the Office 365 Enterprise E3 licenses from the users by using the least amount of administrative effort.
What should you use?
A. the Licenses blade in the Microsoft Entra admin center
B. the Administrative units blade in the Microsoft Entra admin center
C. the Identity Governance blade in the Microsoft Entra admin center
D. the Update-MgUser cmdlet
Answer: A
Explanation:
To remove the Office 365 Enterprise E3 licenses from the users who are now part of a group with Office 365 Enterprise E5 licenses assigned, you should use the “Licenses” blade in the Microsoft Entra admin center. This allows you to manage license assignments at a group level, making it easier to apply and remove licenses for multiple users simultaneously.
QUESTION 299
Drag and Drop Question
Your network contains an on-premises Active Directory domain named contoso.com that syncs with Microsoft Entra ID by using Microsoft Entra Connect. The domain contains the users shown in the following table.
![]()
From Active Directory Users and Computers, you add the following user:
– Name: User3
– UPN: [email protected]
– Proxy addresses: smtp: [email protected], smtp: [email protected]
From Active Directory Users and Computers, you update the proxyAddresses attribute for each user as shown in the following table.
![]()
You trigger a manual synchronization.
Which sync status will Microsoft Entra Connect sync return for each user? To answer, drag the appropriate status to the correct users. Each status may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
![]()
Answer:
![]()
QUESTION 300
You have a Microsoft Entra tenant that contains the groups shown in the following table.
![]()
You need to implement Privileged Identity Management (PIM) for the groups.
Which groups can be managed by using PIM?
A. Group1 only
B. Group1 and Group2 only
C. Group1 and Group3 only
D. Group3 and Group4 only
E. Group1, Group2, Group3, and Group4
Answer: C
Explanation:
Groups in Microsoft Entra ID can be classified as either role-assignable or non-role-assignable. Additionally, any group can be enabled or not enabled for use with Microsoft Entra Privileged Identity Management (PIM) for Groups. These are independent properties of the group. Any Microsoft Entra security group and any Microsoft 365 group (except dynamic groups and groups synchronized from an on-premises environment) can be enabled in PIM for Groups. The group doesn’t have to be a role-assignable group to be enabled in PIM for Groups.
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/concept-pim-for-groups