SC-300 Exam Dumps : Microsoft Identity and Access Administrator

In Azure AD, user consent and admin consent workflows control which users or administrators can approve access to organizational data requested by applications.

The question states:

“Users can request admin consent to apps they are unable to consent to: Yes”

“Who can review admin consent requests: Admin2, User2”

When User1 attempts to add an app that requires consent to access company data, and if that app requires admin consent, the request is routed to those designated as admin consent reviewers. In this case, Admin2 and User2 are listed, but only one has the administrative capability to approve the request.

Based on Microsoft documentation:

“Only users who hold an administrative role such as Global Administrator, Cloud Application Administrator, or Authentication Administrator and are designated as reviewers can grant consent on behalf of the organization.”

Here, Admin2 holds the Authentication Administrator role — an Azure AD admin-level role — while User2 has no administrative privileges. Thus, Admin2 is the only eligible user to approve the admin consent request.

To implement a process for reviewing guest users’ access to the Salesforce app with the specified requirements, you can use Microsoft Entra’s Identity Governance access reviews feature. Here’s a step-by-step guide:

Assign the appropriate role:

Ensure you have one of the following roles: Global Administrator, User Administrator, or Identity Governance Administrator1.

Navigate to Identity Governance:

Sign in to the Microsoft Entra admin center.

Go toIdentity governance>Access reviews1.

Create a new access review:

Select New access review.

Choose the Salesforce app to review guest user access1.

Configure the review settings:

Set the frequency of the review to monthly.

Define thedurationof the review period to5 days1.

Determine the reviewers:

Assign the manager of each guest user as the reviewer.

If a guest user does not have a manager, assignMegan Bowenas the reviewer1.

Automate the removal process:

Configure settings toautomatically remove accessif the review is not completed within the specified time frame1.

Monitor and enforce compliance:

Regularly check the access review results to ensure compliance with the review policy1.

Communicate the process:

Inform all stakeholders about the new review process and provide guidance on how to complete the reviews.

By following these steps, you can ensure that guest users’ access to the Salesforce app is reviewed monthly, with managers being responsible for the review, and access is removed if the review is not completed in time.

Assigning built-in directory roles (like Device Administrators) to a group requires a role-assignable group. The SC-300 documentation explains: “You can assign Azure AD roles to a cloud security group by creating the group with the setting ‘Azure AD roles can be assigned to the group.’” It further emphasizes: “This attribute is immutable; you must decide at creation time. You cannot convert an existing group to be role-assignable later.” When a standard security group is not created as role-assignable, it will not appear in the picker when attempting to assign a directory role—exactly the behavior observed: “groups that aren’t role-assignable cannot be selected for Azure AD role assignments.” Therefore, the first step is to recreate IT_Group1 as a role-assignable security group (often called an “eligible for role assignment” group) and then assign the Device Administrators role to that group. Changing membership types (Dynamic User or Dynamic Device) or adding owners does not convert an existing group into a role-assignable one and thus would not resolve the issue.