SC-300 Microsoft Practice Test Questions and Exam Dumps
Question No 1:
To which groups can you assign a Microsoft Office 365 Enterprise E5 license directly?
A. Group1 and Group4 only
B. Group1, Group2, Group3, Group4, and Group5
C. Group1 and Group2 only
D. Group1 only
E. Group1, Group2, Group4, and Group5 only
Answer: A. Group1 and Group4 only
Explanation:
In Azure AD, groups can be categorized as assigned or dynamic. The type of group impacts how you can assign licenses:
Assigned Groups (Group1 and Group4):
These are groups where members are explicitly added by the administrator.
For assigned groups, you can manually assign a Microsoft Office 365 Enterprise E5 license to the group, as membership is directly managed by the admin.
Dynamic Groups (Group2, Group3, and Group5):
Dynamic User Groups (such as Group2 and Group5) automatically include users based on defined rules, such as a specific attribute in their user profile.
Dynamic Device Groups (like Group3) automatically include devices based on set criteria.
Microsoft Office 365 licenses cannot be directly assigned to dynamic groups. Instead, the licenses are typically assigned to users or devices, and the group's membership is evaluated dynamically, which means you cannot assign a license directly to the dynamic group itself.
Why the Correct Answer is A:
Group1 and Group4 are assigned groups, meaning you can directly assign a Microsoft Office 365 Enterprise E5 license to them.
Group2, Group3, and Group5 are dynamic groups, and direct license assignment is not possible for these types of groups.
Question No 2:
You are managing a Microsoft Exchange organization that uses an SMTP address space of contoso.com. Several users in your organization are using their contoso.com email addresses to self-sign-up to Azure Active Directory (Azure AD). You have gained global administrator privileges in the Azure AD tenant that contains the self-signed users. Your goal is to prevent these users from creating new user accounts in the contoso.com Azure AD tenant while signing up for Microsoft 365 services.
Which PowerShell cmdlet should you run to prevent the users from creating these accounts?
A. Set-MsolCompanySettings
B. Set-MsolDomainFederationSettings
C. Update-MsolFederatedDomain
D. Set-MsolDomain
Answer: The correct answer is A. Set-MsolCompanySettings.
Explanation:
In Azure Active Directory (Azure AD), users can be allowed to sign up for services like Microsoft 365 using their organization’s domain (in this case, contoso.com) if the domain is verified and associated with the Azure AD tenant. To control self-service sign-ups and prevent unauthorized account creation, administrators need to configure company settings specifically designed to manage such scenarios.
The Set-MsolCompanySettings cmdlet is used to configure various settings for a Microsoft Online Services organization, including controlling self-service sign-up behavior for users. It allows the administrator to disable or limit the ability of users to sign up for services using their organizational email addresses.
When using Set-MsolCompanySettings, the global administrator can prevent self-service sign-ups for certain users or domains, which in this case is the contoso.com domain. By running the appropriate cmdlet with the correct parameters, you can ensure that users are unable to create new accounts using their contoso.com email addresses.
Here’s a sample PowerShell command to disable self-service sign-up for a specific domain:
This command ensures that users with contoso.com email addresses cannot sign themselves up for Microsoft 365 services or other Azure AD-related services, maintaining the security and integrity of the organization’s Azure AD environment.
The other options, such as Set-MsolDomainFederationSettings, Update-MsolFederatedDomain, and Set-MsolDomain, are related to domain federation, verification, and configuration, but they do not directly control the self-service sign-up process for users. Therefore, Set-MsolCompanySettings is the most appropriate choice for this scenario.
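The sample command referred to above is not present on the page. As an added example (not the page's own code), the following uses the two self-service sign-up switches of Set-MsolCompanySettings, which apply tenant-wide, and confirms the result; it assumes the legacy MSOnline module is installed and that you sign in as a global administrator. The helper name Get-SelfServiceSignUpState is hypothetical.

```powershell
# Added example: assumes the legacy MSOnline module and a global administrator sign-in.
Import-Module MSOnline
Connect-MsolService

# Hypothetical helper: read the two tenant-wide self-service sign-up switches.
function Get-SelfServiceSignUpState {
    Get-MsolCompanyInformation |
        Select-Object AllowEmailVerifiedUsers, AllowAdHocSubscriptions
}

# Record the state before the change so it can be reviewed or rolled back.
$before = Get-SelfServiceSignUpState
Write-Output "Before: EmailVerifiedUsers=$($before.AllowEmailVerifiedUsers) AdHocSubscriptions=$($before.AllowAdHocSubscriptions)"

# Stop users from joining the tenant by validating their e-mail address.
Set-MsolCompanySettings -AllowEmailVerifiedUsers $false

# Stop users from performing self-service sign-up for subscriptions.
Set-MsolCompanySettings -AllowAdHocSubscriptions $false

# Re-read the settings and fail loudly if either switch is still enabled.
$after = Get-SelfServiceSignUpState
if ($after.AllowEmailVerifiedUsers -or $after.AllowAdHocSubscriptions) {
    throw "Self-service sign-up is still enabled: $($after | Out-String)"
}
Write-Output "Self-service sign-up is disabled for the tenant."
```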
Question No 3:
You manage an on-premises Microsoft Exchange organization that uses the SMTP address space contoso.com. It has come to your attention that users are using their email addresses for self-service sign-ups to Microsoft 365 services.
You need to gain global administrator privileges to the Azure Active Directory (Azure AD) tenant that contains these self-signed users.
Which four actions should you perform in sequence?
To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Available Actions:
Add a custom domain to Azure AD
Verify the contoso.com domain in Azure AD
Use the “Forgot my password” option on the Azure AD login page
Add a user with the global administrator role in Azure AD
Verify the users’ email addresses in the self-service sign-up list
Sign in to the Azure AD tenant using the self-signed user’s credentials
Create an external user in the Azure AD tenant
Set up domain federation for contoso.com in Azure AD
Select and Place:
Answer:
1. Add a custom domain to Azure AD
2. Verify the contoso.com domain in Azure AD
3. Use the “Forgot my password” option on the Azure AD login page
4. Add a user with the global administrator role in Azure AD
Explanation:
To gain global administrator privileges in an Azure AD tenant that contains self-signed users, there is a specific sequence of actions that need to be performed. Here’s how to approach it:
Add a custom domain to Azure AD:
Since the on-premises Exchange organization uses the contoso.com SMTP address space, you must first add this domain to Azure AD. This step ensures that Azure AD recognizes the domain as part of your organization and allows you to manage it effectively within the Azure AD environment.
Verify the contoso.com domain in Azure AD:
After adding the contoso.com domain, you must verify it within Azure AD. Verification typically involves adding a DNS record (such as a TXT or MX record) to the domain's DNS zone to prove ownership of the domain. Once verified, Azure AD will treat it as a trusted domain, which is critical for managing user identities associated with this domain.
Use the “Forgot my password” option on the Azure AD login page:
Once the domain is added and verified, you can attempt to recover the credentials for a self-signed user who may have a global administrator role. The "Forgot my password" option allows you to reset the password for any user in the Azure AD tenant, including self-signed users who might not have had their credentials properly managed or set initially.
Add a user with the global administrator role in Azure AD:
At this point, you can add a global administrator to the Azure AD tenant. The global administrator role provides full control over the Azure AD tenant, enabling you to configure, manage, and monitor all Azure AD services, including those related to user authentication, policy enforcement, and role management.
By following these steps, you can gain administrative access to the Azure AD tenant containing the self-signed users. This sequence ensures that the domain is properly set up, the user identities are recoverable, and an administrator account can be created to manage Azure AD services.
This process is essential because without administrative privileges, managing Azure AD settings, security configurations, and user roles would not be possible, especially when dealing with self-signed users or external user sign-ups.
Question No 4:
You manage an Azure Active Directory (Azure AD) tenant that includes several objects as outlined in the table below. Based on the information provided, which objects can you add as members to Group3?
Available Objects:
User1
User2
Group1
Group2
Possible Answers:
A. User2 and Group2 only
B. User2, Group1, and Group2 only
C. User1, User2, Group1, and Group2
D. User1 and User2 only
E. User2 only
Answer: B. User2, Group1, and Group2 only
Explanation:
In Azure Active Directory (Azure AD), when managing groups and memberships, it's important to understand how group membership works, especially with respect to the types of objects that can be added to different groups. Specifically, group membership can involve users, other groups (nested groups), and service principals. However, there are restrictions on what types of objects can be included as members of a group.
Here’s how the options break down:
Groups and Users in Azure AD:
User1 and User2 are users in the directory and can be added to groups without restriction.
Group1 and Group2 are groups. Groups can typically contain users or other groups, but the ability to add a group to another group depends on the type of group (Security group, Office 365 group, etc.) and the settings or restrictions in place within the Azure AD tenant.
Nested Groups in Azure AD:
In Azure AD, you can add a group to another group, a concept known as nested groups. Therefore, Group1 and Group2 can be added to Group3 if Group3 allows nested groups, and they are both security groups or Office 365 groups.
However, User1 cannot be added to Group3 if there are specific restrictions based on the directory's group settings or policies (such as organizational policies preventing certain user-to-group relationships).
Why option B is correct:
User2 can be added to Group3 since it's a user object.
Group1 and Group2 can be added to Group3 because they are groups themselves, and assuming Group3 allows nested groups, they are valid additions.
Why other options are incorrect:
Option A (User2 and Group2 only): This option excludes Group1, which is a valid addition if nested groups are allowed.
Option C (User1, User2, Group1, and Group2): While it might seem that User1 could be added, restrictions on group memberships in some directory configurations can prevent it.
Option D (User1 and User2 only): This excludes Group1 and Group2, which are valid group members.
Option E (User2 only): This is too restrictive because Group1 and Group2 can also be added.
In conclusion, the correct answer is B: User2, Group1, and Group2 only, because these objects are allowed in Group3 based on the nested group configuration and Azure AD’s group membership policies.
Question No 5:
You have 2,500 users who are currently assigned Microsoft Office 365 Enterprise E3 licenses. These licenses have been assigned to individual users. Using the Groups blade in the Azure Active Directory (Azure AD) admin center, you then assign Microsoft 365 Enterprise E5 licenses to these users. Now, you need to remove the Office 365 Enterprise E3 licenses from the users with minimal administrative effort.
Which method should you use?
A. The Identity Governance blade in the Azure Active Directory admin center
B. The Set-AzureAdUser cmdlet
C. The Licenses blade in the Azure Active Directory admin center
D. The Set-WindowsProductKey cmdlet
Answer:
C. The Licenses blade in the Azure Active Directory admin center
Explanation:
When managing licenses in Microsoft 365, it is common to assign and remove licenses for users efficiently, especially in a large organization with many users. In this scenario, you need to remove the existing Office 365 Enterprise E3 licenses from the users, after assigning them the Microsoft 365 Enterprise E5 licenses. The most efficient way to accomplish this task, using minimal administrative effort, is through the Licenses blade in the Azure Active Directory admin center.
Here's why option C is the best choice:
Licenses blade in Azure AD: This is the correct tool for assigning, modifying, and removing licenses for individual users or groups. The Licenses blade provides a user-friendly interface to manage licenses in bulk. You can select the group of users who need their E3 licenses removed and assign or remove licenses directly. It is also possible to automate license removal for a large number of users, which is particularly useful when dealing with large sets of users like the 2,500 in this example. The Azure AD portal simplifies the process, minimizing administrative effort.
The other options are not as suitable for this specific task:
Identity Governance blade in Azure AD (Option A): The Identity Governance blade is primarily used for managing access reviews, entitlement management, and role assignments. It is not focused on the day-to-day task of license removal or assignment.
Set-AzureAdUser cmdlet (Option B): This cmdlet is used for modifying properties of Azure AD users, but license management is not its primary use case. While you can script license assignments with PowerShell, it's more complex and time-consuming compared to the intuitive interface of the Licenses blade.
Set-WindowsProductKey cmdlet (Option D): This cmdlet is unrelated to Azure AD and is used for managing Windows activation keys, not for Microsoft 365 license management.
Thus, using the Licenses blade in Azure AD is the most efficient method for removing the Office 365 Enterprise E3 licenses from the users.
Question No 6:
You are managing an Azure Active Directory (Azure AD) tenant for a company named The company plans to bulk invite users for Azure AD business-to-business (B2B) collaboration.
Which two parameters must be included when creating the bulk invitation for external users? Choose two correct answers.
A. Email Address
B. Redirection URL
C. Username
D. Shared Key
E. Password
Answer:
A. Email Address
E. Password
Explanation:
Azure Active Directory (Azure AD) allows organizations to collaborate with external users using Azure AD Business-to-Business (B2B) collaboration. B2B collaboration allows external users to access organizational resources securely while using their own credentials (email accounts) for authentication. Bulk inviting users is a common scenario for organizations that need to invite many external users to their Azure AD tenant for collaborative purposes.
When inviting external users to Azure AD through bulk invitations, certain parameters are necessary to ensure the process is smooth and successful.
The email address is one of the critical components when inviting external users in bulk. It serves as the identifier for the external user and is used to send the invitation link for them to complete the registration process. In Azure AD B2B collaboration, external users do not need to have a local account in your organization’s directory; their external email address is used to create an account in your tenant. This email address will also be the login credential for the invited external users.
The email address must be unique and valid, as the external user will receive the invitation to join the organization via this address. Once they accept the invitation, their email address is used to authenticate them when accessing resources within the organization's tenant.
The password is essential when creating the bulk invitation for external users in some cases, especially if the invitation is being used to create a new Azure AD account for an external user who doesn't yet have an account in the tenant. If the external user is being invited for the first time, you might need to include an initial password in the bulk invite. This password will allow the user to log in for the first time and, subsequently, they can change it after their initial login.
In certain scenarios, an administrator might choose to set a temporary password or opt for the users to reset their password upon their first login. Therefore, including a password ensures the user has a way to authenticate and complete the process.
B. Redirection URL: While a redirection URL may be part of custom authentication flows or for configuring specific applications, it is not a required parameter for bulk invitations in Azure AD B2B collaboration.
C. Username: The username is typically derived from the email address in a B2B collaboration scenario, so explicitly including it is redundant.
D. Shared Key: Azure AD B2B collaboration does not require the use of shared keys in bulk invitations. Authentication relies on the email address and password (or existing credentials), not a shared secret.
Thus, when creating bulk invitations for external users in Azure AD, the email address and password are required parameters to successfully invite users and enable them to access the resources within the organization’s tenant.
Question No 7:
You are managing an Azure Active Directory (Azure AD) tenant that includes several objects such as users and groups. These objects are outlined in the table below. Based on the given information, which of the following objects can be added as members to Group3?
A. User2 and Group2 only
B. User2, Group1, and Group2 only
C. User1, User2, Group1, and Group2
D. User1 and User2 only
E. User2 only
The correct answer is B. User2, Group1, and Group2 only.
In Azure Active Directory (Azure AD), group membership rules are crucial for controlling access and managing user permissions. Groups in Azure AD can either be security groups or Microsoft 365 groups, and both can have users, devices, or even other groups as members. However, there are some important limitations to consider when adding objects to a group:
Users: You can easily add users to a group, so User1 and User2 can be members of Group3.
Groups: Groups can be nested in Azure AD, meaning you can add groups (like Group1 and Group2) as members of another group. However, this is subject to certain conditions like group type and membership settings.
Cross-group membership restrictions: In some cases, you may not be able to add a group to another group due to the types of groups involved (for example, if there are conflicting policies about nested groups).
Based on the answer options:
Option A: User2 and Group2 only – Incorrect, as both User1 and Group1 could also potentially be added.
Option B: User2, Group1, and Group2 only – Correct, as you can add User2 (a user) and Group1 and Group2 (as other groups) to Group3.
Option C: User1, User2, Group1, and Group2 – Incorrect, as there is no restriction preventing User1 and Group1 from being added.
Option D: User1 and User2 only – Incorrect, as both groups can be added as well.
Option E: User2 only – Incorrect, as groups can also be added.
In conclusion, Group3 can contain User2, Group1, and Group2, but not User1 directly based on the group setup and Azure AD group membership rules.
Question No 8:
This question is part of a series of questions presenting a consistent scenario. Each question in this series offers a unique solution that may address the stated goals. Some sets may have one or more correct solutions, while others might not offer a viable solution.
Once you answer a question in this section, you will NOT be able to return to it. These questions will not appear in the review screen.
You manage an Active Directory (AD) forest that syncs with an Azure Active Directory (Azure AD) tenant. After disabling a user account in Active Directory, you notice that the user can still authenticate to Azure AD for up to 30 minutes.
Your task is to immediately prevent the user from authenticating to Azure AD as soon as their account is disabled in Active Directory.
Does this solution achieve the goal?
A. Yes
B. No
Answer: B. No
Explanation:
Password writeback is a feature that allows users to reset or change their passwords in Azure AD, with changes written back to the on-premises Active Directory. While this feature is useful in certain scenarios, it does not address the requirement of immediately preventing a disabled user from authenticating to Azure AD when their account is disabled in Active Directory.
In this scenario, the issue is that users who are disabled in Active Directory can still authenticate to Azure AD for up to 30 minutes. This delay comes from the time it takes for changes in Active Directory to synchronize with Azure AD: the Azure AD sync cycle is typically configured to run every 30 minutes by default.
To meet the goal of preventing a disabled user from authenticating to Azure AD immediately, the solution should focus on reducing or eliminating the delay in synchronization. There are a few ways to achieve this:
Use Azure AD Connect with Azure AD Connect Health:
Azure AD Connect is a tool that facilitates synchronization between on-premises Active Directory and Azure AD. Configuring Azure AD Connect Health allows for real-time monitoring and can help ensure that updates to user accounts, such as disabling them, are reflected in Azure AD more quickly. Additionally, manual force synchronization can be triggered to speed up the process when needed.
Enable Conditional Access Policies:
Another approach could be to configure Azure AD Conditional Access policies. These policies can enforce stricter controls on user authentication, such as blocking access if the user’s account status in Active Directory is disabled. This can be done by integrating the on-premises AD with Azure AD, ensuring that any changes in the user’s account status (like disabling) are immediately reflected in the authentication process.
In conclusion, configuring password writeback will not solve the issue of immediate authentication denial, as it is primarily concerned with password changes and resets, not the synchronization of user account statuses. To achieve the desired outcome, synchronization settings need to be adjusted or alternative solutions like Conditional Access should be implemented.
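The manual forced synchronization mentioned above, as an added example (not part of the original page): it disables the on-premises account and pushes the change with a delta sync instead of waiting for the next scheduled cycle. It assumes it is run on the Azure AD Connect server with the ActiveDirectory and ADSync modules available; the parameter name SamAccountName is a placeholder chosen for this example.

```powershell
# Added example: run on the Azure AD Connect server.
# $SamAccountName is a placeholder parameter for the account being disabled.
param(
    [Parameter(Mandatory)]
    [string]$SamAccountName
)

Import-Module ActiveDirectory
Import-Module ADSync

# Disable the account in on-premises Active Directory.
Disable-ADAccount -Identity $SamAccountName

# Show the interval the scheduler is currently using (30 minutes by default).
$scheduler = Get-ADSyncScheduler
Write-Output "Scheduled sync interval: $($scheduler.CurrentlyEffectiveSyncCycleInterval)"

# Start-ADSyncSyncCycle fails while another cycle is running, so wait for it to end.
while ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Start-Sleep -Seconds 5
}

# Trigger a delta sync so the disabled state is exported without waiting
# for the next scheduled cycle.
Start-ADSyncSyncCycle -PolicyType Delta

# Wait until the triggered cycle has finished before reporting.
do {
    Start-Sleep -Seconds 5
} while ((Get-ADSyncScheduler).SyncCycleInProgress)

Write-Output "Delta sync finished; the disabled state of '$SamAccountName' has been sent to Azure AD."
```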