Exactprep SC-300 Questions

In Azure AD, user consent and admin consent workflows control which users or administrators can approve access to organizational data requested by applications.

The question states:

“Users can request admin consent to apps they are unable to consent to: Yes”

“Who can review admin consent requests: Admin2, User2”

When User1 attempts to add an app that requires consent to access company data, and if that app requires admin consent, the request is routed to those designated as admin consent reviewers. In this case, Admin2 and User2 are listed, but only one has the administrative capability to approve the request.

Based on Microsoft documentation:

“Only users who hold an administrative role such as Global Administrator, Cloud Application Administrator, or Authentication Administrator and are designated as reviewers can grant consent on behalf of the organization.”

Here, Admin2 holds the Authentication Administrator role — an Azure AD admin-level role — while User2 has no administrative privileges. Thus, Admin2 is the only eligible user to approve the admin consent request.

No

No

Yes

a) When you assign a group to an application, only users in the group will have access. The assignment does not cascade to nested groups.

b) Tested in lab, existing owners will be replaced. Also direct assignment (resource owner) is path of least privilege. (replicated in test)

c) Application setting 'visible to users' is set to No, then no users see this application on their My Apps portal and O365 launcher.

Reference

According to the Microsoft SC-300: Identity and Access Administrator Study Guide, Azure AD Enterprise Application Self-service configuration determines how users can request access, who approves it, and whether access is automatically granted. Let’s analyze each statement based on the exhibits:

Members of Group3 can access App1 without approval from User1 — NOIn the Group1 exhibit, Group1 contains User1, User4, and Group3. In the App1 Self-Service exhibit, it shows that “Require approval before granting access” is set to Yes, and User1 is designated as the approver. Therefore, even though Group3 members might indirectly be part of Group1, access requests to App1 must still be approved by User1 before being granted.

After configuring self-service, the owner of Group1 is User1 — NOThe PowerShell command Get-AzureADGroupOwner clearly shows that Admin (not User1) is the owner of Group1. Configuring self-service for an application does not change group ownership; it only defines how access requests are handled. Ownership of Group1 remains with Admin.

App1 appears in the Microsoft 365 app launcher of User4 — YESIn the App1 Properties exhibit, the “User assignment required” setting is set to Yes. This means only assigned users (directly or via groups) can see and access the application. Since Group1 is configured as the target group for user assignment and User4 is a member of Group1, User4 will see App1 in their Office 365 app launcher after assignment approval.

This logic follows Microsoft Learn documentation:

“When a user is assigned to an enterprise application (either directly or through group membership), the application appears in the user's Office 365 app launcher once access is granted.”

In SC-300, the mitigation for unsolicited MFA prompts (push fatigue) is Fraud alert on Azure AD MFA. The materials state that administrators can “allow users to report suspicious MFA prompts and automatically block the user when they select Report fraud in Microsoft Authenticator.” By contrast, Account lockout settings are designed to “temporarily lock an account after a configurable number of consecutive MFA denials to thwart brute-force attempts,” and they do not initiate an automatic block tied to a user’s fraud report. The study guide further clarifies that fraud alerts “can automatically block the user for a specified period (default 90 days) when a fraudulent attempt is reported,” which is precisely the behavior required in the scenario. Therefore, merely configuring Account lockout settings will not meet the goal of automatically blocking users when they report an unsolicited prompt.

The SC-300 curriculum emphasizes synchronization behavior between on-premises Active Directory (AD) and Microsoft Entra ID using Microsoft Entra Connect. By default, directory synchronization occurs every 30 minutes, which means a user disabled in AD can still authenticate to Microsoft Entra for up to 30 minutes until the next synchronization cycle.

The proposed solution—Microsoft Entra Password Protection—is not related to authentication delay or sign-in blocking. Password Protection enforces strong password policies and prevents the use of weak or compromised passwords during account creation or reset. It does not control sign-in states or enforce real-time disablement.

To meet the goal of immediately blocking authentication when an account is disabled in AD, you must implement Microsoft Entra Connect with Pass-through Authentication (PTA) or federation (AD FS). These options validate sign-ins against the on-premises AD in real time, ensuring instant blocking of disabled accounts.

Microsoft documentation confirms:

“Password Protection does not affect authentication latency or synchronization frequency. To ensure disabled accounts cannot sign in, use Pass-through Authentication or federation for real-time validation.”