Last Attempt SC-300 Questions

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and the Microsoft Learn module “Implement Conditional Access Policies,” the Azure AD Conditional Access engine uses a structured framework that consists of conditions, grant controls, and session controls.

1️ ⃣ Configure HighRiskCountries by using A condition In Conditional Access, conditions define the circumstances under which a policy applies. Named locations (such as HighRiskCountries ) are part of the Locations condition. When configuring a Conditional Access policy, administrators can include or exclude sign-ins based on IP address ranges, country/region, or named locations.

Microsoft documentation states: “You can define named locations to specify IP ranges or countries/regions and use them as conditions in your Conditional Access policies.”

Thus, HighRiskCountries should be configured as a condition within the policy to target sign-ins from those regions.

2️ ⃣ Configure Sign-in frequency by using A session control Session controls in Conditional Access determine how sessions behave after a user successfully signs in. The Sign-in frequency setting controls how often users must reauthenticate, effectively limiting the duration of their authentication session.

Microsoft Learn reference: “Session controls, such as sign-in frequency and persistent browser session, enable administrators to enforce how often users must reauthenticate.”

Therefore, to restrict how long a user can remain authenticated when signing in from high-risk countries, you configure Sign-in frequency as a session control.

✅ Final Correct Answers:

HighRiskCountries: A condition

Sign-in frequency: A session control

In Azure Monitor, alert rules use action groups to define who receives notifications (emails, SMS, push notifications, webhooks, etc.) when an alert is triggered.

If you are currently receiving 100+ email alerts for failed sign-ins daily, and you want a new administrator to receive them instead, the correct way is to modify the action group and update or replace the email recipient .

According to Microsoft Learn ( “Create and manage action groups in Azure Monitor” ):

“Action groups specify the recipients of alerts. You can update an existing action group to add, remove, or modify the recipients for email, SMS, push, or ITSM connections.”

Thus, modifying the action group directly changes who receives the alerts.

Box 1: Yes

Invitations can only be sent to outlook.com. Therefore, User1 can accept the invitation and access the application.

Box 2. Yes

Invitations can only be sent to outlook.com. However, User2 has already received and accepted an invitation so User2 can access the application.

Box 3. No

Invitations can only be sent to outlook.com. Therefore, User3 will not receive an invitation.

Based on the Microsoft SC-300: Identity and Access Administrator Study Guide and Microsoft Learn module “Manage external collaboration settings in Azure AD”, Azure Active Directory provides granular control over external collaboration through External collaboration settings and Collaboration restrictions. These settings control which external domains can receive guest invitations.

1️ ⃣ Collaboration Restrictions Setting The configuration in the exhibit shows:

“Allow invitations only to the specified domains (most restrictive)”

Target Domain: Outlook.com

This means invitations can only be sent to users whose email domains are explicitly listed (in this case, Outlook.com). Any other external domain (like fabrikam.com or adatum.com) is not permitted to receive or accept invitations.

2️ ⃣ Evaluating Each User User1@outlook.com

Domain Outlook.com is listed under allowed domains.

Although the invitation was initially not accepted , since the domain is allowed, User1 can accept the invitation and gain access. ✅ Answer: Yes

User2@fabrikam.com

The domain fabrikam.com is not listed in the allowed domains list.

However, this user already accepted the invitation before the restriction was configured.

Once a guest has accepted the invitation, they are an existing guest object in Azure AD and retain access unless explicitly removed. ✅ Answer: Yes

User3@adatum.com

Domain adatum.com is not listed under allowed domains.

Therefore, this user cannot receive or accept new invitations for collaboration resources like SharePoint Online. ❌ Answer: No

Summary from Microsoft documentation:

“When collaboration restrictions are set to allow invitations only to specified domains, invitations to all other domains are blocked. Existing guest users who have already accepted invitations remain unaffected.”

( Source: Microsoft Learn – Configure external collaboration settings in Azure AD )

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and the Microsoft Learn module “Implement and manage Azure AD Identity Protection,” Azure AD Identity Protection is the service responsible for detecting risky behaviors such as leaked credentials, suspicious sign-ins, and compromised accounts in a Microsoft 365 or Azure AD environment.

1️ ⃣ Classify leaked credentials as high-risk Identity Protection automatically flags leaked or compromised credentials detected through Microsoft’s threat intelligence signals and dark web monitoring. It classifies these users with a high user risk level.

“Identity Protection detects leaked credentials and marks the user risk as high when evidence of compromise is found.”

Thus, the feature used for this classification is Azure AD Identity Protection.

2️ ⃣ Trigger remediation Remediation for leaked credentials is driven by User Risk policies. The User risk policy in Identity Protection can automatically respond to users identified as high-risk. This triggers actions such as forcing a password reset.

“User risk policy can be configured to respond to risky users by requiring password change or blocking access.”

Hence, User risk is the correct trigger.

3️ ⃣ Mitigate the risk To allow users to continue accessing applications after remediation, the proper action is Grant access but require password change. This enforces an immediate credential reset to mitigate the compromise but still allows access once the user remediates their risk.

“To automatically remediate high user risk while maintaining access, configure the policy to grant access but require a password change.”