Microsoft

Microsoft Identity and Access Administrator (SC-300) practice questions

Associate-level certification covering identity and access administration with Microsoft Entra: user and workload identities, authentication, Conditional Access, and identity governance, with a worked explanation on every practice question.

New to SC-300? Read the how to pass Microsoft Identity and Access Administrator (SC-300) study guide for a domain breakdown, a study plan, and exam-day tips.

Revising? The SC-300 cheat sheet puts the domain weightings, key facts, and easy-to-confuse traps on one printable page.

Questions: typically 40 to 60
Time allowed: 120 min
Pass mark: 700 / 1000
Exam cost (USD): $165
Practice questions: 284

Exam domains and weighting

The SC-300 blueprint is split across 4 domains. See the official exam guide for the authoritative breakdown.

SC-300 domains by share of the exam

Domain | Weight
Implement and Manage User Identities | 25%
Implement Authentication and Access Management | 25%
Plan and Implement Workload Identities | 25%
Plan and Automate Identity Governance | 25%

Free sample questions

No account needed. Every question has a worked explanation, just like the full bank.

Free sample · Implement Authentication and Access Management · hard

A finance team accesses a sensitive payroll web app. The security lead wants users to reauthenticate every hour while inside the app, without forcing reauthentication for any other application. Which Conditional Access configuration meets this requirement with the least administrative effort?

  • A. Create a policy scoped to the payroll app and configure the sign-in frequency session control to a periodic value of one hour. (Correct)
  • B. Create a policy targeting all cloud apps and set the sign-in frequency session control to one hour for every user in the tenant.
  • C. Create a policy scoped to the payroll app and enable the persistent browser session control so the browser session expires after one hour.
  • D. Create a policy scoped to the payroll app and set the grant control to require multi-factor authentication on every single sign-in event.
Sign-in frequency is the Conditional Access session control that sets how long a user's session for the targeted resource may last before Microsoft Entra demands a fresh sign-in. Because it is a session control inside a policy, it inherits the policy's scope: scope the policy to the payroll app and the hourly interval applies only to tokens issued for that app, while sessions for every other application keep their default lifetime. Persistent browser session and grant controls solve different problems.

Why A is correct: Scoping the policy to the single payroll app and using the sign-in frequency session control enforces hourly reauthentication only where required, satisfying the precise scope.

Why B is wrong: Targeting all cloud apps applies the hourly reauthentication far beyond the payroll app, which breaks the stated requirement to leave other applications untouched.

Why C is wrong: Persistent browser session controls whether cookies survive browser closure; it does not impose a periodic one-hour reauthentication interval inside an active session.

Why D is wrong: Requiring MFA defines the strength of a grant, not a timed reauthentication interval, so it does not deliver the hourly cadence the requirement specifies.

Free sample · Implement Authentication and Access Management · hard

An administrator must validate a new Conditional Access policy that blocks legacy authentication before enforcing it, so that no production sign-ins are interrupted while the impact is measured. Which approach captures the policy impact in sign-in logs without affecting users?

  • ASet the policy state to On but exclude all users with a directory-wide exclusion group while reviewing the Microsoft Entra audit logs.
  • BSet the policy state to report-only, then review the report-only result columns in the Microsoft Entra sign-in logs over several days. Correct
  • CLeave the policy Off and instead model the outcome by running the What If tool repeatedly for each affected user account.
  • DSet the policy state to On but apply it only to a small pilot group, then compare blocked counts in usage analytics dashboards.
Report-only mode is a dedicated policy state that runs the full Conditional Access evaluation against real sign-ins and writes the would-be result into the sign-in logs without enforcing any grant or block control, so administrators can size the impact safely. Off performs no evaluation at all, and any On state enforces the control and disrupts users. One caveat: a report-only policy that requires a compliant or hybrid-joined device can still prompt users on macOS, iOS and Android to select a device certificate during evaluation, even though nothing is enforced.

Why A is wrong: Excluding every user means the policy is never evaluated against any sign-in, so there is no impact data to review; audit logs in any case record directory changes, not sign-in policy evaluation, so they are the wrong place to look.

Why B is correct: Report-only mode evaluates the policy and records what would have happened in the sign-in logs, giving impact data without blocking any user, which exactly fits the requirement.

Why C is wrong: The What If tool models a single hypothetical sign-in at a time and does not collect ongoing impact data from real traffic, so it does not measure live impact.

Why D is wrong: Turning the policy on actively blocks the pilot users, which contradicts the requirement that no sign-ins be interrupted during measurement.
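The report-only workflow described above, as an added example rather than content from this page or from Examworthy's question bank: a Python script that summarises what a report-only policy would have done, working from records shaped like the Microsoft Graph `signIn` object that GET /auditLogs/signIns returns. The policy display name, the set of legacy client-app strings and the six sample records are constructed for illustration; only the fields the script reads are included.

```python
"""Size the impact of a report-only Conditional Access policy from sign-in log records.

Records are shaped like Microsoft Graph `signIn` objects; only the fields used here are
present. In report-only mode the per-policy outcome is written to
appliedConditionalAccessPolicies[].result as reportOnlySuccess / reportOnlyFailure /
reportOnlyNotApplied / reportOnlyInterrupted instead of being enforced."""
from collections import Counter

POLICY_NAME = "Block legacy authentication"  # hypothetical display name of the report-only policy

# clientAppUsed values the sign-in log reports for legacy (basic) authentication protocols.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Authenticated SMTP", "IMAP4", "POP3", "MAPI Over HTTP",
    "Exchange Web Services", "Exchange Online PowerShell", "Other clients",
}

# Constructed sample records for illustration; not real tenant data.
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Exchange ActiveSync",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Office 365 SharePoint Online",
     "clientAppUsed": "Browser",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "reportOnlyNotApplied"}]},
    {"userPrincipalName": "dave@contoso.example", "appDisplayName": "Microsoft Teams",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "reportOnlyNotApplied"}]},
    # A would-be block on a modern client means the policy conditions are wider than "legacy auth".
    {"userPrincipalName": "erin@contoso.example", "appDisplayName": "Office 365 SharePoint Online",
     "clientAppUsed": "Browser",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "reportOnlyFailure"}]},
    # Sign-in logged before the policy existed: the policy does not appear at all.
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Teams",
     "clientAppUsed": "Browser", "appliedConditionalAccessPolicies": []},
]


def policy_result(record, policy_name):
    """Return this record's result for `policy_name`, or None if the policy was not evaluated."""
    for applied in record.get("appliedConditionalAccessPolicies", []):
        if applied.get("displayName") == policy_name:
            return applied.get("result", "unknown")
    return None


def report_only_impact(records, policy_name):
    """Summarise what the policy would have done. For a block policy, reportOnlyFailure means
    the sign-in would have been blocked once the state is switched to enabled."""
    results, by_client, by_user = Counter(), Counter(), Counter()
    not_evaluated = 0
    for rec in records:
        result = policy_result(rec, policy_name)
        if result is None:
            not_evaluated += 1
            continue
        results[result] += 1
        if result == "reportOnlyFailure":
            by_client[rec.get("clientAppUsed", "unknown")] += 1
            by_user[rec.get("userPrincipalName", "unknown")] += 1
    return {
        "results": dict(results),
        "would_block_by_client": dict(by_client),
        "would_block_by_user": dict(by_user),
        "not_evaluated": not_evaluated,
    }


def unexpected_hits(records, policy_name):
    """UPNs whose modern-auth sign-ins would be blocked: evidence the policy conditions are wrong."""
    return sorted({
        rec["userPrincipalName"] for rec in records
        if policy_result(rec, policy_name) == "reportOnlyFailure"
        and rec.get("clientAppUsed") not in LEGACY_CLIENT_APPS
    })


def ready_to_enforce(records, policy_name):
    """Enforce only after the policy has been seen in the logs and every would-be block is a legacy client."""
    summary = report_only_impact(records, policy_name)
    evaluated = sum(summary["results"].values())
    return evaluated > 0 and not unexpected_hits(records, policy_name)


if __name__ == "__main__":
    import json
    print(json.dumps(report_only_impact(SAMPLE_SIGN_INS, POLICY_NAME), indent=2))
    print("unexpected hits:", unexpected_hits(SAMPLE_SIGN_INS, POLICY_NAME))
    print("ready to enforce:", ready_to_enforce(SAMPLE_SIGN_INS, POLICY_NAME))
```

On the constructed sample the script reports three would-be blocks, flags erin's browser sign-in as a hit the policy should not have produced, and refuses to declare the policy ready; remove that record and the remaining results are exactly the two legacy-protocol sign-ins the policy exists to stop.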

Free sample · Implement Authentication and Access Management · hard

Company policy states that a particular line-of-business app may only be opened from corporate devices enrolled and marked compliant in Microsoft Intune. The security team also wants the simplest grant control that enforces device health. Which Conditional Access grant control should be applied to the app?

  • A. Require multi-factor authentication, because verifying the user identity with a second factor confirms the request comes from a managed corporate device.
  • B. Require approved client app, because only managed mobile applications can read the device compliance signal from Microsoft Intune at sign-in.
  • C. Require the device to be marked as compliant, because this grant control checks the Microsoft Intune compliance state of the device during evaluation. (Correct)
  • D. Require a named location match, because designating the corporate office network as a trusted location restricts the app to managed devices only.
The require device to be marked as compliant grant control reads the compliance state that Microsoft Intune writes to the device record in Microsoft Entra and allows access only from devices currently marked compliant; a device that is not registered or not enrolled has no compliance state and fails the check. MFA, approved client app and named locations each test a different attribute (user proof, client application, source network) and cannot enforce device compliance on their own.

Why A is wrong: MFA proves identity, not device state; a user can complete MFA from any personal device, so it does not restrict access to compliant corporate devices.

Why B is wrong: The approved client app control limits which applications may connect, but it does not evaluate whether the underlying device is marked compliant in Intune.

Why C is correct: Require device marked as compliant reads the Intune compliance status at sign-in and blocks access from non-compliant devices, directly meeting the corporate-device requirement.

Why D is wrong: A named location evaluates the network the request originates from, not the compliance state of the device, so an unmanaged device on that network would still pass.
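The two policy shapes from the first and third sample questions (an hourly sign-in frequency scoped to one app, and a compliant-device grant scoped to one app), as an added example rather than content from this page or from Examworthy's material: Python that builds both bodies in the Microsoft Graph `conditionalAccessPolicy` schema and checks each against the requirement its question states, so the distractors (all cloud apps, an MFA grant, no session control) fail the check. All object IDs are placeholders. Both policies default to the report-only state; the break-glass exclusion is a practitioner convention added here, not something the questions require.

```python
"""Build and sanity-check Conditional Access policy bodies in the Microsoft Graph
conditionalAccessPolicy schema (the JSON posted to /identity/conditionalAccess/policies)."""
import json

# Hypothetical object IDs used for illustration; substitute your tenant's values.
PAYROLL_APP_ID = "11111111-1111-1111-1111-111111111111"    # payroll app (client) ID
LOB_APP_ID = "22222222-2222-2222-2222-222222222222"        # line-of-business app (client) ID
FINANCE_GROUP_ID = "33333333-3333-3333-3333-333333333333"  # finance team group object ID
BREAK_GLASS_ID = "44444444-4444-4444-4444-444444444444"    # emergency-access account object ID

REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph state value for report-only mode


def _base(name, app_id, group_id, state):
    """Policy skeleton scoped to one group and one app, always excluding the break-glass account."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeGroups": [group_id], "excludeUsers": [BREAK_GLASS_ID]},
            "applications": {"includeApplications": [app_id]},
            "clientAppTypes": ["all"],
        },
    }


def hourly_reauth_policy(app_id=PAYROLL_APP_ID, group_id=FINANCE_GROUP_ID, state=REPORT_ONLY):
    """Sign-in frequency session control: periodic reauthentication every hour, only for app_id."""
    policy = _base("Payroll - reauthenticate every hour", app_id, group_id, state)
    policy["sessionControls"] = {
        "signInFrequency": {
            "isEnabled": True,
            "type": "hours",
            "value": 1,
            "frequencyInterval": "timeBased",  # periodic; "everyTime" would prompt on every sign-in
            "authenticationType": "primaryAndSecondaryAuthentication",
        }
    }
    return policy


def compliant_device_policy(app_id=LOB_APP_ID, group_id=FINANCE_GROUP_ID, state=REPORT_ONLY):
    """Grant control that reads the Intune compliance state of the device: compliantDevice."""
    policy = _base("LOB app - require compliant device", app_id, group_id, state)
    policy["grantControls"] = {"operator": "OR", "builtInControls": ["compliantDevice"]}
    return policy


def _scope_problems(policy, app_id):
    """Least scope: the policy must target exactly the one app, not 'All' and not a wider list."""
    apps = policy["conditions"]["applications"].get("includeApplications", [])
    if apps != [app_id]:
        return [f"scoped to {apps}, expected only [{app_id!r}]"]
    return []


def check_hourly_reauth(policy, app_id):
    """[] when the policy forces hourly periodic reauth on exactly app_id; otherwise the reasons."""
    problems = _scope_problems(policy, app_id)
    sf = policy.get("sessionControls", {}).get("signInFrequency")
    if not (sf and sf.get("isEnabled")):
        problems.append("no sign-in frequency session control (an MFA grant or persistent browser "
                        "setting does not force periodic reauthentication)")
    elif (sf.get("frequencyInterval"), sf.get("type"), sf.get("value")) != ("timeBased", "hours", 1):
        problems.append("sign-in frequency is not a one-hour periodic interval")
    return problems


def check_compliant_device(policy, app_id):
    """[] when the policy requires an Intune-compliant device for exactly app_id; otherwise the reasons."""
    problems = _scope_problems(policy, app_id)
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    if "compliantDevice" not in controls:
        problems.append(f"grant controls {controls} do not require a compliant device")
    return problems


def has_break_glass_exclusion(policy):
    """Never roll out a policy that can lock out the emergency-access account."""
    return BREAK_GLASS_ID in policy["conditions"]["users"].get("excludeUsers", [])


if __name__ == "__main__":
    for p in (hourly_reauth_policy(), compliant_device_policy()):
        print(json.dumps(p, indent=2))
        print("break-glass excluded:", has_break_glass_exclusion(p))
    print(check_hourly_reauth(hourly_reauth_policy(), PAYROLL_APP_ID))
```

Switching `state` to `"enabled"` is the last step, after the report-only sign-in data has been reviewed; the checkers deliberately look at scope and controls only, so a distractor such as the all-cloud-apps policy from option B is rejected on scope before anything is enforced.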

Frequently asked questions

How many questions are on the SC-300 exam?
The Microsoft Identity and Access Administrator (SC-300) exam typically has 40 to 60 questions and runs for 120 minutes. The format is multiple choice and multiple response, taken at a Pearson VUE testing center or online proctored.
What score do I need to pass SC-300?
The pass mark is 700 / 1000. Examworthy gives you a per-domain readiness score so you can see which domains are holding you back before you book.
How much does the SC-300 exam cost?
The exam costs 165 USD to sit. Practising on Examworthy is free to start, with a worked explanation on every question.
How does Examworthy help me prepare for SC-300?
Every practice question carries a worked explanation and a per-distractor rationale, mapped to the official blueprint domains. You learn why each answer is right or wrong, not just the letter.
Is Examworthy affiliated with Microsoft?
No. Examworthy is not affiliated with or endorsed by Microsoft. Our questions are original, blueprint-aligned practice material; we never reproduce live exam items.

Examworthy is not affiliated with or endorsed by Microsoft. All questions are original, blueprint-aligned practice material. We never reproduce live exam items. SC-300 and related marks belong to their respective owners.