Microsoft SC-300 Actual Free Exam Questions & Community Discussion

  • Exam Code/Number: SC-300
  • Exam Name/Title: Microsoft Identity and Access Administrator
  • Certification Provider: Microsoft
  • Corresponding Certification: Microsoft Certified: Identity and Access Administrator Associate
  • Exam Questions: 370
  • Updated On: May 30, 2026
You have an Azure AD tenant.
You perform the tasks shown in the following table.

On April 5, an administrator deletes App1, App2, App3, and App4.
You need to restore the apps and the settings.
Which apps can you restore on April 16, and which settings can you restore for App4 on April 16? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:

Microsoft Entra ID (Azure AD) supports soft-delete for application objects for 30 days after deletion. The SC-300 materials explain that administrators can recover deleted applications within 30 days; objects deleted beyond that window become non-recoverable. The guide also distinguishes between the application (app registration) and the service principal (enterprise application): the app registration contains credentials (client secrets/certificates) and app role definitions, while the tenant's service principal contains tenant-specific settings such as assignments and self-service configuration. The study content states that recovery operations restore the deleted application object and its schema (including defined app roles and credentials) if performed within the retention window, whereas tenant-scoped assignments and end-user self-service settings are not guaranteed to be recovered because they are specific to the service principal in the tenant.
Applying this: the apps were deleted on April 5 and restoration is attempted on April 16, which is inside the 30-day window. However, the exam scenario emphasizes the timing of the tenant-side updates in March; App1's updates are older than 30 days by April 16, so it falls outside the reliable recovery period for those settings, while App2-App4 remain within it. For App4, restorability applies to the application object contents (app roles and the client secret), not to the tenant-specific Users and groups assignments or Self-service configuration. Hence: Apps = App2, App3, and App4 only; App4 settings = App roles and Client secret only.
You have an Azure subscription, a Google Cloud Platform (GCP) account, and an Amazon Web Services (AWS) account.
You need to recommend a solution to assess the risks associated with privilege assignments across all the platforms. The solution must minimize administrative effort. What should you include in the recommendation?
Correct Answer: C
You have a Microsoft Entra tenant that contains a group named Group3 and an administrative unit named Department1.
Department1 has the users shown in the Users exhibit. (Click the Users tab.)

Department1 has the groups shown in the Groups exhibit. (Click the Groups tab.)

The User Administrator role assignments are shown in the Assignments exhibit. (Click the Assignments tab.)

The members of Group2 are shown in the Group2 exhibit. (Click the Group2 tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:

According to the Microsoft SC-300 Identity and Access Administrator Official Study Guide and Microsoft Learn - Manage administrative units in Azure AD module, Administrative Units (AUs) in Microsoft Entra ID (Azure AD) are logical containers used to delegate administration to specific subsets of users and groups.
The User Administrator role can perform specific actions within the scope to which it is assigned. In this scenario:
* Admin1 is assigned the User Administrator role scoped to the Department1 Administrative Unit, meaning Admin1 can only manage users and groups within that administrative unit.
* User3 and User4 belong to Group2, but Group2 members are not part of Department1's listed users (only User1 and User2 are). Therefore, Admin1 cannot reset the passwords of User3 or User4.
* Additionally, Admin1 cannot add User1 to Group3 because Group3 is not included in Department1's administrative scope. The administrator can only modify group memberships for groups within their AU.
* Admin3 is assigned the User Administrator role at the directory (tenant-wide) scope, granting full privileges over all users and groups in the tenant. Therefore, Admin3 can reset User1's password since the scope includes all users in the directory.
Microsoft documentation explicitly states:
"An administrative unit-scoped role grants the ability to manage only those users and groups within the administrative unit. Directory-scoped roles grant management across the entire tenant."
You have a Microsoft Entra tenant that contains the users shown in the following table.

The tenant contains the identities shown in the following table.

You have an attribute set named Custom1 that contains the custom security attributes shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:
You have an Azure subscription named Sub1 that contains three users named User1, User2, and User3. Sub1 has a storage account named storage1 that contains the resources shown in the following table.

Sub1 contains the users shown in the following table.

Which users can read File1, and which users can read File2? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:
File1: User2 and User3 only
File2: User3 only
According to the Microsoft Identity and Access Administrator (SC-300) Study Guide and Microsoft Learn documentation on Azure Role-Based Access Control (RBAC) and Storage Account Data Access, Azure roles define what operations a user can perform on storage resources (containers, blobs, file shares, queues, tables, etc.).
Let's analyze the data provided:
Storage Account Structure
Name     Type         Contents
cont1    Container    File1
share1   File share   File2

User Roles
User    Role                        Scope
User1   Reader                      Sub1
User2   Reader                      Sub1
User2   Storage Blob Data Reader    storage1
User3   Storage Contributor         storage1
Understanding the Roles
* Reader (at Subscription Scope):
* Grants read-only access to Azure resource metadata, but not the data within storage (no blob or file content access).
* Therefore, User1 and User2 (via Reader) can see the storage account in the portal but cannot read file contents.
* Storage Blob Data Reader:
* Grants read-only access to blob data in containers.
* Applies only to Azure Blob storage (containers), not file shares.
* Therefore, User2 can read File1 (in cont1) but not File2 (in share1).
* Storage Contributor:
* Grants full read/write access to both Blob and File shares data in the storage account.
* Therefore, User3 can read File1 and File2.
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.

You plan to implement Azure AD Identity Protection.
Which users can configure the user risk policy, and which users can view the risky users report? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and official documentation for Azure AD Identity Protection, the ability to configure and view risk-based policies depends on the administrative roles assigned in Azure AD.
* User Risk Policy Configuration: The user risk policy determines how Azure AD responds when a user's sign-in is determined to be risky. According to the Microsoft Learn documentation:
"Only users assigned the Global Administrator, Security Administrator, or Conditional Access Administrator roles can create and manage risk policies in Azure AD Identity Protection." In the scenario, User3 is the Security Administrator, which gives full rights to configure both sign-in risk and user risk policies. Although User1 (Conditional Access Administrator) can manage Conditional Access policies, only Security Administrator or Global Administrator can configure the user risk policy in Identity Protection. Therefore, User3 only can perform this configuration.
* Viewing Risky Users Report: Viewing Identity Protection reports, including risky users, risky sign-ins, and risk detections, can be done by users with the following roles:
"Security Reader, Security Operator, Security Administrator, and Global Administrator can view Identity Protection reports." This means both User3 (Security Administrator) and User4 (Security Operator) can access and view these reports.
You need to allocate licenses to the new users from A. Datum. The solution must meet the technical requirements.
Which type of object should you create?
Correct Answer: C
You create the Azure Active Directory (Azure AD) users shown in the following table.

On February 1, 2021, you configure the multi-factor authentication (MFA) settings as shown in the following exhibit.

The users authenticate to Azure AD on their devices as shown in the following table.

On February 26, 2021, what will the multi-factor auth status be for each user?
Correct Answer: B
Your company requires that users request access before they can access corporate applications.
You register a new enterprise application named MyApp1 in Azure Active Directory (Azure AD) and configure single sign-on (SSO) for MyApp1.
Which settings should you configure next for MyApp1?
Correct Answer: D
You have an Azure AD tenant that has multi-factor authentication (MFA) enforced and self-service password reset (SSPR) enabled.
You enable combined registration in interrupt mode.
You create a new user named User1.
Which two authentication methods can User1 use to complete the combined registration process? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
Correct Answer: C,E
You need to implement the planned changes for Package1. Which users can create and manage the access review?
Correct Answer: C
You have an Azure subscription that contains a user named User1. You need to meet the following requirements:
* Prevent User1 from being added as an owner of newly registered apps.
* Ensure that User1 can manage the application proxy settings.
* Ensure that User2 can register apps.
* Use the principle of least privilege.
Which role should you assign to User1?
Correct Answer: A
You have a Microsoft 365 subscription that contains three users named User1, User2, and User3 and an enterprise app named App1. The subscription contains the devices shown in the following table.

The subscription contains the groups shown in the following table.

You create two Conditional Access policies that have the following settings:
* Name: Policy1
* Users:
o Include: Group1
o Exclude: Group3
* Target resources:
o Include: All resources
* Access controls: Block access
* Name: Policy2
* Users:
o Include: Group2
* Target resources:
o Include: App1
* Access controls:
* Grant access: Require device to be marked as compliant
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:

In Conditional Access (CA), assignments determine who the policy applies to using Include and Exclude lists. A user targeted by Include but present in Exclude is not affected. CA evaluates all applicable policies for a sign-in. If any applicable policy has Block access, the sign-in is denied, even when other policies would grant access. When policies Grant access with conditions, the user must meet the configured controls (for example, Require device to be marked as compliant) to succeed.
Applying these rules: Policy1 includes Group1 and excludes Group3, targets All resources, and blocks access. Group1 contains User1 and User3; Group3 contains User1. Therefore, User1 is excluded from Policy1 and not blocked, but User3 remains included and is blocked from all resources. Policy2 includes Group2, targets App1, and grants access requiring a compliant device. Group2 contains User2 and User3; all devices (Device1-Device3) are compliant. Thus, User2 can access App1 from Device2 because Policy2 is satisfied and no block applies. User1 is not in Group2 and not blocked by Policy1, so access to App1 from Device1 is allowed. User3, however, is affected by Policy1 (Block); the block overrides any grant in Policy2, so User3 cannot sign in to App1 from Device3.
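The evaluation order described above (Exclude overrides Include, any applicable Block denies the sign-in, then the Grant controls are checked) as an added Python simulation that is not part of the exam page or of any Microsoft tool. The group memberships and device states are constructed from the scenario (Device4 is an extra, constructed non-compliant device); the class and function names are this example's own.

```python
from dataclasses import dataclass, field

# Constructed directory data mirroring the exam scenario.
GROUPS = {
    "Group1": {"User1", "User3"},
    "Group2": {"User2", "User3"},
    "Group3": {"User1"},
}
# Device1-Device3 are compliant per the scenario; Device4 is a constructed
# non-compliant device used only to exercise the grant-control failure path.
DEVICE_COMPLIANT = {"Device1": True, "Device2": True, "Device3": True, "Device4": False}


@dataclass
class Policy:
    name: str
    include_groups: set
    exclude_groups: set = field(default_factory=set)
    resources: set = field(default_factory=lambda: {"All resources"})
    block: bool = False
    require_compliant: bool = False

    def applies_to(self, user: str, app: str) -> bool:
        """Assignment check: Exclude always wins over Include."""
        included = any(user in GROUPS[g] for g in self.include_groups)
        excluded = any(user in GROUPS[g] for g in self.exclude_groups)
        targets_app = "All resources" in self.resources or app in self.resources
        return included and not excluded and targets_app


POLICIES = [
    Policy("Policy1", {"Group1"}, exclude_groups={"Group3"}, block=True),
    Policy("Policy2", {"Group2"}, resources={"App1"}, require_compliant=True),
]


def evaluate(user: str, app: str, device: str) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Any applicable Block policy denies the
    sign-in; otherwise every applicable Grant policy's controls must hold."""
    applicable = [p for p in POLICIES if p.applies_to(user, app)]
    blocking = [p.name for p in applicable if p.block]
    if blocking:
        return False, [f"{n}: block" for n in blocking]
    for p in applicable:
        if p.require_compliant and not DEVICE_COMPLIANT[device]:
            return False, [f"{p.name}: device not compliant"]
    return True, [p.name for p in applicable] or ["no policy applied"]
```

Running `evaluate` for the three statements in the question reproduces the Yes/No outcomes in the explanation, and the Device4 case shows the grant control failing when no block applies.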