SC-300 Microsoft Identity and Access Administrator
1. Exam Requirements
So in this video we're going to talk about the requirements of the SC-300 exam. If you want to follow along, and I suggest that you do, I would go to your favourite search engine and enter SC-300 to get to this page on the official Microsoft Learn website. Now, right off the top of this page, you're going to learn about what an identity and access administrator actually is. There are people, sometimes multiple people within an organisation, who are responsible for running their Azure Active Directory system. In order to give people access to various resources, they manage tasks such as providing secure authentication and authorization access to enterprise applications. In the context of this, this could be Dropbox, Microsoft Teams, Microsoft 365, Adobe, and other enterprise-level applications. And so there are certain self-service management capabilities that you could optionally give to users. Essentially, you are in charge of troubleshooting, monitoring, and reporting any identity and access management issues. So if you go to this page, you'll read all about this. Scrolling down a little bit, we can see this exam is currently offered in four languages: English, Japanese, Chinese, and Korean. This exam is relatively new. It was only introduced in 2021, so there's no idea of when it will be retired just yet. You've got a few years. The exam costs $165 in the United States. Depending on the country that you live in, you could see prices expressed in different amounts, such as European prices. Also, there might be Indian prices and things like that. To schedule the exam, there's this big orange button that says "Schedule Exam." It'll take you to the Pearson VUE website, where you can book to take this exam either in person or online, depending on your preference. So the real meat of this is under the Skills Measured section.
So these are the four major categories of this test. And we talked about this in the last video. One quarter of the test is implementing Identity Management. Also one quarter of the test is implementing Authentication and Access Management. Implementing Access Management for enterprise apps is only 10% to 15% of the test. And finally, the Identity Governance Strategy is the final quarter of the test. You can see these numbers don't add up to 100. These are just rough ranges. So the real details are behind this link that says "Download Exam Skills Outline."
This is a PDF document that will tell you all of the details of the topics covered on this test. So I already have it opened. You can click on that link to get to this PDF. It repeats some of the same information here. Now notice that it says most questions cover features that have general availability. There might be some concept of preview features, but it's not very common. The reason is that preview features could change or could be removed from Azure entirely. So let's just briefly look at the four overall objectives of this exam. So the first one was an identity management solution.
Now, this largely covers Azure Active Directory and some of the core features and functions of AD. So this includes things like creating the basic AD, including tenant-wide settings and administrative units, as well as determining your roles and administrative roles for Azure AD. The core feature of AD is its users and groups. When you're dealing with P1 and P2 licences, you're assigning those licences to the users that need them. There's the concept of "external identities," which is usually partners, or it could be your end customers. Those are called B2B and B2C environments. Finally, there is the hybrid identity problem, which is connecting your Azure Active Directory with your on-premises Active Directory, or whatever identity management solution you use, through some type of federation model. And so, we go through how to set up Azure AD Connect and all of the features that are required for that.
The second big objective has to do with authentication and access management. Now in authentication, we're going to start to talk about more advanced features such as Azure Multifactor Authentication. We're going to talk about passwordless, self-service password reset, and Windows Hello for Business, which is another passwordless model. Conditional access is a way that you can set up rules so that people are forced to go through multifactor authentication or are blocked from logging in based on certain risks and based on what they're trying to do. And finally, identity protection, which is a policy very similar to conditional access but a site-wide policy, where you're going to say that if a user poses a certain risk, we're just not going to let them in at all, for instance. The third section has to do with apps, and this is the smallest of the sections. This has to do with registering apps and using enterprise apps for single sign-on.
So if you have Dropbox for Business, you can use your corporate credentials to log into Dropbox, and people don't need to maintain a separate set of credentials. The last section has to do with identity governance. Identity governance means things like access reviews. Entitlement management allows people to sign up themselves for permissions, and those permissions could have an expiry date so they can say, "Hey, I need access to this." It can be automatically approved or manually approved, and the system will take care of removing those entitlements once the time is up.
Access reviews, as I said. Privileged access, where you really want to protect your most powerful users with additional security. And finally, monitor and maintain your AD: the reporting, diagnostics, auditing, and things like that. So, this course covers all of these requirements, section by section and topic by topic. I do things generally in the order that they're presented in this PDF. So if you're following along on this course, you're going to see we'll start in the first section talking about identity management. We'll start by creating a new Azure AD tenant with you as the global administrator, and then we'll go over all of the different settings, users, groups, and things we can do with that tenant. Once again, I am so grateful that you're here.
Initial Configuration of Azure Active Directory
1. Introduction to Azure Active Directory
Alright, we're going to dive right into the Azure Portal to start off this course. Now the Azure Portal is basically where you're going to be managing a lot of your users, groups, applications, and all of the things relating to security and identity access within Microsoft Azure. Now, there are command-line options. You can create scripts in PowerShell or the Bash CLI. There are also ARM templates, Bicep templates, and other resource management options in Azure. But for visual effect, as we're learning it, we're going to start with the Portal.
So the URL for the portal is portal.azure.com. Now, like I said, you're going to need to have access to an account if you want to follow along. So if you want to pause the video to get into doing what I do, then you're going to need access to an account. Now Microsoft does have a free account option. It is azure.microsoft.com/free. And I do have a video at the end of this course. In the last section of the course, there's a video talking about how to get an Azure free account if you want to walk through the steps for that. So I'm going to assume at this point that you have access to an account. It's either an Azure free account, a pay-as-you-go account through your organization, or MSDN or one of these other options where you can get Azure credits for an Azure account. Now, when you log into Azure for the first time, you are using what is called a "user." So the user ID and password that you use to log into Azure are those of your Azure user. That user must belong to one or more tenants. And so there's no concept of having an Azure user that does not belong to any tenant. So when I created this account, this Scott's Course Account, it was basically created as a brand new account with a pay-as-you-go option. And Microsoft created what is called an Azure Active Directory tenant to go along with that user. And this is the name of the default directory. Now the name of the user is followed by a period, followed by onmicrosoft.com.
Anytime you see this onmicrosoft.com, that is a domain given to an Azure Active Directory tenant that was assigned by Microsoft. Now you can customise this, and we're going to get into that in this course. Now, as you can see on my account, I have seven tenants associated with my user. Tenants are free, so you can create more tenants. I think there must be a limit to the number of tenants you can create. And quickly looking that up, I can see that a single user can belong to a maximum of 500 Azure AD tenants as either a member or a guest. A user can create a maximum of 200. And so I've done seven. I have to keep an eye on this 200 limit, I guess. So we are going to create a tenant for this course. There's no cost to creating a tenant. But most of these tenants do not have what is called a subscription.
A subscription is the billing model within Azure; it is the entity which receives the bill, whose credit card or account gets charged. And so, if you create a tenant without a subscription, there are purposes for that. Tenants can still manage users, groups, passwords, and permissions, but they just can't create resources if they don't have a subscription. So we are going to create a tenant in this course to demonstrate that to you. When it comes to creating resources, we'll have to have a resource that has access to a subscription. So what we're going to do as we go through this is we're going to start off by creating a tenant for the first time. You can follow along. Like I said, there's no cost to it. And then we'll start to go through the various configuration elements, learning about user groups, dynamic groups, static groups, permissions, and all those things. And this course generally follows the exam requirements, but installing a basic Active Directory isn't part of the exam requirements. But we're going to cover it in this section as sort of a preface to the actual requirements. So thanks for being here. I appreciate it. And we're going to continue in the next lecture by creating a new Azure Active Directory tenant.
2. Create a New Azure AD Tenant
So in this video, we're going to go through the process of creating a brand new Azure Active Directory tenant. Now, as I said in the last video, you don't have to create a new tenant because, chances are, if you have created a user, then you already have a tenant at your disposal. You may not be the owner of the tenant. So let's say your corporation has a tenant and they've added you as a user. And so you may have very limited privileges for that tenant unless you're in the position of being a global administrator. And so we're going to create a tenant so that you can be the global administrator for your own tenant, as opposed to being just a user in someone else's tenant. But, like I said, if you have a free account or a pay-as-you-go account and you've been assigned a tenant by Microsoft and you are a global administrator, then you don't really need to create a second tenant. But I'm going to go through that process anyways.
Now I'm on the home screen within the Azure Portal, and everyone's home screen is going to look a little different. I do have quite a few resources in my account already, and these are sort of the most recent services that I've visited, and yours are going to obviously be different. So we're going to have to find this Azure Active Directory entryway. Now, I have it pinned to my menu. Now let's talk for a second about this menu. There's a menu that, in my case, is pinned to the left, and I can just expand it and contract it. Some other people might have a hamburger menu in the top left, and that becomes a flyout. That is set under the settings, this gear icon. Under this gear icon, if we look at the appearance and startup, we can see that my menu is docked. But you might have a flyout menu, and I have colours and themes and contrasts. And when I log in, I'm taken to the dashboard. You might be taken to your home screen, et cetera. And I have a default directory. So this gear icon under Appearance is where you're going to find your settings. So I'm going to go into Azure Active Directory. Now what you could do is go into all services and start typing "active," and then you'll see this here. I have it pinned to the menu, and that's done through this star. There's a little star, and that's my favourite. So however you get there, you find this pyramid, and you get into Azure Active Directory. I'm going to minimise the menu again so we can maximise the space. Now I'm going to go through the management of a directory in a later video, but what we're concerned with is the creation of a new directory. So we're going to go under this gear icon in here.
It's called Manage Tenants, and we can see, like I said, I've been creating tenants for a few years now. You may only have one single tenant. It could be that you're using it. It could be that you're the owner of it. Anyways, we're going to go under "Create" and we're going to create a new tenant. For this choice, we're going to choose the Azure Active Directory default. We'll talk about B2C later. We'll go under configuration. Now the tenant represents the organisation in the cloud. So technically, what you want is for your company to have its own tenant. And in this case, this is going to be a test or dev tenant. So I'm going to call this my developer tenant. You can call it whatever you want. Now Microsoft is going to assign this to the onmicrosoft.com domain. And so you're going to have to come up with a unique domain that no one else has used. And we're going to have to find out if that's taken, if someone's already using this. I'm going to put the course name in there.
Okay. Now the other thing is, of course, the location: the tenant has a physical instance that contains these resources. You can choose somewhere else to contain the resources. Now, depending on your country or region, you might have different laws around data protection. If you're a European, you probably want your data to be stored in a European data center. So make sure that you choose the country that's the most appropriate for your organization. You can see here, even though I chose my country, Canada, Canada doesn't have Active Directory tenant data storage. And so that will be stored in the United States. If I say "create" now, that's going to make me a tenant. Now it's obviously asking me to prove that I am not a robot, which is fair enough. It does take a few minutes to create a tenant. Like I said, it's spinning up an instance to contain these resources. So we're going to let that be. Very simple: all you had to do was give it your organization's name. You had to give it a unique domain name and choose your region, then solve the little CAPTCHA, and Bob's your uncle. In the next video, when it's created, we're going to get into the management of our brand new tenant.
3. Switch Tenants
All right, our tenant was successful. You can see the link to your new tenant, and so I'll click that. Now what Microsoft is doing is switching the context. So the whole thing reloads here, and I'm taken directly to my new tenant. Now, like I said, does it really matter whether you are using your default tenant, which you are an administrator of, or whether you're using this test tenant that you're the administrator of? The only thing that matters is that you have administrative privileges over the tenant that you are playing with to learn this course. All right, so we're inside the tenant, and this overview screen obviously gives us the lay of the land. We only have one user, which would be us. There are no groups, applications, or devices registered to this tenant, and we can see some other information. Now this tenant ID is used in some scripts and things. So you will from time to time be asked for a tenant ID when you're trying to do something in PowerShell or the CLI or something like that. So this is where you would go, the overview screen, to grab that. You can see that I am on the free licence for Azure AD. And, at some point, we'll start using Azure AD features that require a Premium licence. So the free licence does have some limitations. I won't talk about them right now, but soon enough we'll talk about the reasons to pay for Azure AD. Now, Active Directory in Azure is basically, like I said, an identity service, and the main purpose is to manage users. If I go under the Users tab, you can see that I am the only user. My type is member, which means that I'm not an external user. I am a proper user. If I click on this, I can see that there's no information on me; there's no name or title, but I could have various information on me. The real thing that I'm interested in at this point is my role. I'm the only user of this. I created it.
And my role is that of global administrator. So global administrator is the top-level security role within an Azure AD context. That means I can create any user or any group. I've got full and unlimited permissions, and I can create users that also have permissions. It's a built-in role. Now, later on in this course, we should be talking about custom roles. And so, being able to create your own hybrid type of administrator that has access to some things but not others would be a custom role. This is a built-in role. All of your Azure AD tenants must have one global administrator. You can have more than one, but you can't have less than one. So it looks like our tenant was created successfully here. The last thing that I'm going to talk about in this video is the concept of switching tenants. So right now I'm logged in as myself, and everything that I do is under this developer tenant. Like we saw before, there's no subscription for this tenant. And so I can't create resources; I can go back into Azure Active Directory; I can create users, groups, and all of these things. Now, what if I wanted to switch back to my original tenant?
Or, in your case, you want to switch from the tenant where you are the global administrator back to your company's tenant, where you may be neither an administrator nor a user. So, as you saw, this gear icon says Manage Tenants, and I can choose one of these tenants and just say Switch, right? That would certainly reset my context here, and everything I'll be doing is from my default directory in this case. There's another way to do this. If you go to your profile picture, which could be a grey ghost, there is a Switch Directory link in the top right, and then you're given a list of favourites. So you can see the stars here, where I've set some as my favourites. Or you can go under all directories, and you can then switch tenants through that method as well. So it is very straightforward and simple to switch between tenants, if you've got, again, some users and groups over here and some users over there, with your role being different in each, et cetera. So, going forward, like I said, you want to be in the tenant where you are the administrator, so that you can go through and do some of these things. In the next video, we're going to jump into the requirements of the exam again, into managing roles, domains, and things like that. So come back for that.
4. Assign Admin Roles
All right, I'm back to my main default directory. Let's talk about roles. The first requirement of this exam talks about how to configure and manage Azure AD directory roles. So we're going to go into our tenant. On the left, it says Manage, and we have Roles and administrators. Now, this section here is basically talking about roles within Azure Active Directory. Obviously, when you're talking about your own resources, such as virtual machines, web apps, and your custom applications, that's a different type of role. These are purely administrative roles that are used to grant access to AD and other Microsoft services. So, these are literally management roles. My role is that of global administrator. It's listed here. And we can see here that there are over 75 roles listed as "built-in" roles. I actually have one custom role, and we'll talk about custom roles in the next video, but there are at least 75 built-in roles. Now, the roles can get quite granular, as we saw. I'm the global administrator, and global administrator is somewhere midway down here, and the description says I can manage all aspects of Azure and all Microsoft... So this is really the company administrator. This is sort of the person who can control everything. And if we scroll down under the description tab, under permissions, it really is all permissions (read, write, create, delete, update) for all resources within Microsoft Directory, which is Azure Active Directory, as well as Office 365, Intune, Dynamics. And so we can see all users, principals, roles, groups, and things like that. So really, you have every role, and you have the ability to create users. Let's go back up. Now, the other roles are basically more granular than that. For instance, this one says "Guest Inviter." The only permission that they have is that they can invite external users, invite guests, into your Active Directory subscription. And they don't have to have members. They can invite guests, which other people can do.
So if I go under "Guest Inviter," I can see that that's what it's got the permissions to do. And if we go under role permissions, there are a lot fewer role permissions. And they're all under the "Microsoft Directory Users" role. And they are primarily the invite-guests permission and a bunch of read permissions to devices, managers, users, etc. There are a lot of read permissions and one permission to invite guest users, and there are some default guest permissions that they get too. So this is a much more granular role. So you can imagine that there are, in essence, roles for all of these products within the management of your Azure account. So we have Intune, Insights, licences for your licence assignments within Azure Active Directory, network administrator, password administrator, printer technician. So there are very specific roles that you can assign to people. Microsoft has a security philosophy called the principle of limited permissions. And the idea here is that you don't want to make everyone in your IT organization a global administrator, because that's where a hacker gets an account, and then they have some super permissions.
Or it could be a mistake that happens when somebody accidentally does something. Or perhaps there is simply confusion when people start creating users and resources that are outside the purview of the person whose responsibility it is. So, within Azure, you should be assigning roles to your IT team with the fewest permissions that they require. And if they need more permissions, maybe you can assign them to roles, right? So maybe they are directory writers as well as Exchange administrators, and it's okay to have multiple roles. Finally, we're going to talk in a second about the concept of the custom role. Custom roles are where we're going to have to upgrade to a premium plan, because that is a paid feature within Azure, and we'll do that in the next video. So to summarize, the concept of roles is pretty much the permissions that your users have to use Azure Active Directory. And it could be over the users, groups, applications, or devices: very granular stuff or very global stuff. And you want to be very careful about how you assign this to people.
5. Define Custom Roles
So in this video, we're going to talk about custom roles within Azure. And as we can see here, the custom roles are greyed out by default. To create custom roles based on your organization's requirements, you need Azure AD Premium P1 or P2. So I'm going to see this message. So in order to demonstrate custom roles, I'm going to have to start a free trial with Azure AD Premium. Now, the great thing about Azure AD Premium is that once you start the free trial, it expires after 30 days without charging you and doesn't actually automatically bill you at the end. You actually have to take a physical, well, logical action here in order to upgrade to the paid version. So you can activate the free trial multiple times. It's not a once-only thing. So I can hit Activate, and for the next 30 days, we'll have 100 licences for the P2 trial. Pretty straightforward. Now, the other option presented to me is this E5 licence, and that's more all-encompassing. It includes the Premium P2, but it also includes Microsoft Intune and Rights Management, which obviously have more to do with managing your devices all across your organization, not just within Azure. That's pretty much overkill for what we need. And so we're going to go with the AD Premium P2 trial. Now, before I click that button, I do want to show you what would happen if we were to switch back to this directory that doesn't have a subscription. So I'll go to all directories. I'm going to put a little star next to my developer tenant and say switch. So if I go into this one, which does not have the ability to pay for anything, I can still activate the trial.
I can still activate the trial even without a subscription. So it's not like you're going to need a subscription in order to pay for the trial. You don't need to have a subscription on your account in order to have this free trial; that's pretty cool. So now I'm going to get out of this. So we upgraded to the trial. It might take a little bit for this free account to become a free trial account. So I'm going to pause the video and wait for the free trial to kick in. It might take a few minutes. So after waiting some minutes, we can see that the licence has been updated from the free licence to the Premium P2 licence. If we switch back to roles and administrators, we can see that we can now create a custom role.
It's no longer greyed out. Now, before you create a custom role, you should probably have an idea of why you're creating a custom role. As we saw, there are over 70 built-in roles, and some of them are quite granular. But maybe there are specific roles that don't exactly meet your needs. And so what I might suggest is that we find a role that kind of does what we want it to do, but maybe it does too much, and we want to actually create a more restrictive role. So if we scroll down here, we see, for instance, the directory writers. So I'm going to go into here; I'm going to go into the description, and we can see there are a handful of permissions, a couple of dozen permissions here. And maybe our concept for the directory writers is that we want to create a custom role that has fewer permissions.
So maybe it has the ability to update things but doesn't have the ability to create them. Maybe that's a write-only or an update-only type of role. So, when creating a custom role, go into it with the idea of what the built-in roles aren't doing, and maybe start from there. And so what I might do is copy these sentences from here and put them into a Word document or something. And then when I'm creating the custom role, I know which roles' permissions to assign to my custom role. So, for my custom role, I'm going to create someone who can update groups and update group membership but cannot create or delete groups. So I'll base it off of who this group administrator is. So if we go in here, we can see that there are group-related permissions. So I'm going to copy this into a Word document, and then I'm going to go back to the tenant and I'm going to say "new custom role" and I'm going to call this group updater. Maybe that's their role—all they do is update groups, and they can't create or delete them. Now if I had another custom role, I could clone from there, but unfortunately you can't clone from a built-in role. You have to sort of start from scratch. Thank you for deleting that. Microsoft Group's update.
And so the concept of updating membership is next. We want to think about the permissions. Now, luckily, some of these are quite hierarchical, so we know it's a Microsoft directory, and the permissions that I'm interested in, which I'm going to come back to here, all have the word "groups" in them, okay? So I'm going to be able to search for the groups permissions. So I'm going to take a look at the permissions that the administrator has, and I'm going to basically say, I want to update; I can update properties; I can update classifications; I can update membership. I can see obviously that the person needs to be able to read all of this information about groups.
They can update the members, they can't update the owners, they can't delete it, they can't create groups, and they can read the properties. So to me, this is a very limited role that is only able to act within groups, in terms of updating members and updating the group itself, without being able to create or delete it. And so now I can say "create," and so this is going to create this group administrator custom role, and I can assign this role to users, and then those users would not have the ability to create groups unless they have that ability through some other role. Obviously, if I assign this to myself, it has no benefit because I already have the permission to create groups. So I'm going to create a new user and assign them this custom role, and that person will only be able to do the permissions that we specified when we created the custom role.
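The permission-picking step above can be checked mechanically before a role is created. The following is an added example, not part of the course material: it filters a broad list of group actions down to the "Group Updater" intent (read and update only, no ownership changes) and builds a request body in the shape Microsoft Graph uses for directory role definitions. The action list is a constructed, abbreviated sample in the `microsoft.directory/groups/...` naming the portal shows; the function names and policy sets are assumptions of this sketch.

```python
"""Least-privilege check for the lecture's "Group Updater" custom role."""
import json
import uuid

# Constructed sample of group actions, not an authoritative copy of any
# built-in role. Confirm each name in the portal's permission picker.
CANDIDATE_ACTIONS = [
    "microsoft.directory/groups/create",
    "microsoft.directory/groups/delete",
    "microsoft.directory/groups/restore",
    "microsoft.directory/groups/basic/update",
    "microsoft.directory/groups/classification/update",
    "microsoft.directory/groups/members/update",
    "microsoft.directory/groups/owners/update",
    "microsoft.directory/groups/standard/read",
    "microsoft.directory/groups/members/read",
]

# Policy taken from the lecture: read and update only, no ownership changes.
ALLOWED_VERBS = {"read", "update"}
BLOCKED_SUBRESOURCES = {"owners"}


def classify(action):
    """Return None if the action fits the policy, else a short reason."""
    namespace, _, path = action.partition("/")
    parts = path.split("/")
    if namespace != "microsoft.directory" or parts[0] != "groups" or len(parts) < 2:
        return "outside microsoft.directory/groups"
    verb = parts[-1]
    if verb not in ALLOWED_VERBS:
        return f"verb '{verb}' not permitted"
    if verb == "update" and any(p in BLOCKED_SUBRESOURCES for p in parts[1:-1]):
        return "ownership changes not permitted"
    return None


def restrict(actions):
    """Split actions into (kept, dropped) where dropped maps action -> reason."""
    kept, dropped = [], {}
    for action in actions:
        reason = classify(action)
        if reason is None:
            kept.append(action)
        else:
            dropped[action] = reason
    return kept, dropped


def build_role_definition(display_name, description, actions, template_id=None):
    """Build a role-definition body; refuse any action that exceeds the policy."""
    _, dropped = restrict(actions)
    if dropped:
        raise ValueError(f"actions exceed the role's intent: {sorted(dropped)}")
    return {
        "displayName": display_name,
        "description": description,
        "isEnabled": True,
        "templateId": template_id or str(uuid.uuid4()),
        "rolePermissions": [{"allowedResourceActions": sorted(actions)}],
    }


if __name__ == "__main__":
    kept, dropped = restrict(CANDIDATE_ACTIONS)
    for action, reason in dropped.items():
        print(f"dropped {action}: {reason}")
    role = build_role_definition(
        "Group Updater",
        "Can read and update groups and membership; cannot create or delete.",
        kept,
    )
    print(json.dumps(role, indent=2))
```

Running the same `restrict` check over an existing custom role's action list is a quick way to spot privilege creep after someone edits the role later.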