Pass the Microsoft Microsoft Certified: Identity and Access Administrator Associate SC-300 Questions and answers with CertsForce

Answer is

This question asks you to apply the stated Technical Requirements for Self-Service Password Reset (SSPR) to complete the form. The specific scenario about " User3 " is a distraction, as the configuration applies to all users.

The relevant technical requirements are:

" Users must provide one authentication method to reset their password by using SSPR. "

This directly dictates the value for the Number of authentication methods required , which is 1 .

" Available methods must include: Email, Phone, Security questions, The Microsoft Authenticator app "

This lists all the options that are configured to be available for SSPR, which determines the value for Authentication methods that can be used : Email , Phone , Security   questions , The   Microsoft   Authenticator   app .

Assigning built-in directory roles (like Device Administrators) to a group requires a role-assignable group. The SC-300 documentation explains: “You can assign Azure AD roles to a cloud security group by creating the group with the setting ‘Azure AD roles can be assigned to the group.’” It further emphasizes: “This attribute is immutable; you must decide at creation time. You cannot convert an existing group to be role-assignable later.” When a standard security group is not created as role-assignable, it will not appear in the picker when attempting to assign a directory role—exactly the behavior observed: “groups that aren’t role-assignable cannot be selected for Azure AD role assignments.” Therefore, the first step is to recreate IT_Group1 as a role-assignable security group (often called an “eligible for role assignment” group) and then assign the Device Administrators role to that group. Changing membership types (Dynamic User or Dynamic Device) or adding owners does not convert an existing group into a role-assignable one and thus would not resolve the issue.

To implement a process for reviewing guest users’ access to the Salesforce app with the specified requirements, you can use Microsoft Entra’s Identity Governance access reviews feature. Here’s a step-by-step guide:

Assign the appropriate role:

Ensure you have one of the following roles: Global Administrator, User Administrator, or Identity Governance Administrator1.

Navigate to Identity Governance:

Sign in to the Microsoft Entra admin center.

Go toIdentity governance > Access reviews1.

Create a new access review:

Select New access review.

Choose the Salesforce app to review guest user access1.

Configure the review settings:

Set the frequency of the review to monthly.

Define thedurationof the review period to5 days1.

Determine the reviewers:

Assign the manager of each guest user as the reviewer.

If a guest user does not have a manager, assignMegan Bowenas the reviewer1.

Automate the removal process:

Configure settings toautomatically remove accessif the review is not completed within the specified time frame1.

Monitor and enforce compliance:

Regularly check the access review results to ensure compliance with the review policy1.

Communicate the process:

Inform all stakeholders about the new review process and provide guidance on how to complete the reviews.

By following these steps, you can ensure that guest users’ access to the Salesforce app is reviewed monthly, with managers being responsible for the review, and access is removed if the review is not completed in time.

According to the Microsoft SC-300: Identity and Access Administrator Official Study Guide and Microsoft Learn module “Configure Azure AD Multi-Factor Authentication settings”, the Ac count Lockout settings in Azure AD MFA define how the service reacts to repeated failed MFA verification attempts.

From the exhibit:

Number of MFA denials to trigger account lockout: 3

Minutes until account lockout counter is reset: 60

Minutes until account is automatically unblocked: 30

1. Lockout trigger type:

The lockout applies to MFA denials — specifically, failed verification attempts using methods such as the Microsoft Authenticator app (OTP code) or phone call verification. It does not apply to incorrect usernames or passwords, as those are handled by Azure AD sign-in risk policies.

The official Microsoft documentation states:

“Account lockout in Azure AD Multi-Factor Authentication occurs after the configured number of denied MFA verification attempts. This setting applies to users entering an incorrect PIN or app verification code.”

Therefore, after three incorrect Microsoft Authenticator app codes, the account is temporarily locked.

2. Lockout duration:

The setting “Minutes until account is automatically unblocked: 30” means that once an account is locked due to too many failed MFA attempts, it will automatically unlock after 30 minutes without administrator intervention.

This aligns with Microsoft’s MFA service behavior:

“When the account lockout threshold is reached, the account remains locked for the configured duration before being automatically unlocked.”

✅ Final Correct Answers:

Wrong input type causing lockout: Microsoft Authenticator app code

Unlock duration: 30 minutes

In Microsoft Entra ID (Azure AD), the per-user device cap is controlled in Devices > Device settings. The SC-300 materials describe that administrators can configure “Users may join devices to Azure AD” and the “Maximum number of devices per user” . The guide notes that this limit defaults to five and is used to “control how many devices a user can join or register in Azure AD”; when users reach the limit, “they cannot add additional devices until the limit is increased or an existing device is removed.” For scenarios like field or sales staff who use multiple devices, the study content recommends adjusting this value to meet business needs. Because A. Datum’s sales users hit the current cap and a requirement states “Increase the maximum number of devices that can be joined or registered to Azure AD to 10,” the fix is to change the tenant’s Device settings—not User settings, Access reviews, or Security defaults. This aligns with the exam objective to configure device settings for Azure AD join and registration and addresses the precise symptom reported by users.

The Microsoft SC-300 Exam Ref and Microsoft Learn module: “Manage administrative units” specify that administrative units (AUs) are used to delegate administrative permissions over subsets of users or groups within an Entra tenant.

In this scenario, the goal is to allow User1 to manage only the users in the marketing department. The correct approach is to create an administrative unit (AU) for the marketing department and then assign User1 an appropriate role (for example, User Administrator ) scoped to that AU.

Microsoft 365 groups, management groups, and resource groups serve different purposes:

Microsoft 365 groups are for collaboration.

Management groups organize Azure subscriptions.

Resource groups group Azure resources.

Only administrative units in Entra ID provide delegated role-based administration for user subsets.

According to Microsoft’s SC-300 Exam Guide and Microsoft Learn module: Manage Identity Governance in Azure AD , the removal and lifecycle management of external users (B2B guests) within Azure Active Directory’s Entitlement Management are configured through Entitlement management settings under the Identity Governance blade.

In scenarios where external partners (such as Fabrikam) are granted access via access packages , administrators can define lifecycle settings to ensure that when access is no longer required, the users are automatically removed from the directory. The Entitlement Management directory settings control two specific parameters:

Block external user from signing in to this directory — determines whether external users can still sign in after access expiration.

Remove external user — enables automatic deletion of the guest account after a specified number of days.

Number of days before removing external user — defines the delay period (in this case, 90 days).

Microsoft documentation states:

“To automatically remove external users from your directory after access expires, configure the Entitlement management settings. You can set whether to block sign-in and specify how many days after access expiration the user should be removed.”

Tenant Restrictions in Microsoft 365 are designed to prevent users from accessing external tenants while allowing access to approved tenants. According to the SC-300 exam material and Microsoft’s Tenant Restrictions documentation, only modern authentication–capable clients (OAuth 2.0) can enforce tenant restrictions.

Outlook 2013 by default uses basic authentication , which does not support tenant restrictions . Outlook 2016 (and later versions) use modern authentication , making them compatible.

Microsoft Documentation: “Tenant restrictions require modern authentication to enforce access control. Legacy clients like Outlook 2013 must be upgraded to Outlook 2016 or newer.”

Dynamic Azure AD groups use membership rules written against user attributes (for example, user.department , user.jobTitle , user.country , user.usageLocation ). The SC-300 materials show operators such as -eq, -contains, -startsWith, and logical -and/-or to build precise targeting. In this scenario, the provided rule syntax evaluates users in the Sales department whose jobTitle contains “Sales” (for example, “SalesRep”). From the data: User1 has job title Associate (does not contain “Sales”); User2 has job title SalesRep (contains “Sales”); User3 has job title Manager (does not contain “Sales”). Because department for all three is Sales, the discriminating condition is the job title match. Therefore, only User2 satisfies the rule and will be added to the dynamic group. The SC-300 guide emphasizes validating rules with the “Preview membership results” tool to confirm which users are included before enforcing at scale.

To ensure that users in the Sg-Operations group see a tab named “Operations” containing only LinkedIn and Box applications in the My Apps portal, you can create a collection with these specific applications. Here’s how to do it:

Sign in to the Microsoft Entra admin center:

Make sure you have one of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

Navigate to App launchers:

Go to Identity > Applications > Enterprise applications.

Under Manage, select App launchers.

Create a new collection:

Click on New collection.

Enter “Operations” as the Name for the collection.

Provide a Description if necessary.

Add applications to the collection:

Select the Applications tab within the new collection.

Click on + Add application.

Search for and select LinkedIn and Box applications.

Click Add to include them in the collection.

Assign the collection to the Sg-Operations group:

Select the Users and groups tab.

Click on + Add users and groups.

Search for and select the Sg-Operations group.

Click Select to assign the collection to the group.

Review and create the collection:

Select Review + Create to check the configuration.

If everything is correct, click Create to finalize the collection.

By following these steps, when users in the Sg-Operations group visit the My Apps portal, they will see a new tab named “Operations” that contains only the LinkedIn and Box applications1.

Please note that to create collections on the My Apps portal, you need a Microsoft Entra ID P1 or P2 license1.