Examworthy (examworthy.com)

Microsoft Identity and Access Administrator (SC-300) cheat sheet

Microsoft

Exam version 2026. Reviewed 2026-06-10.

Free to share. Examworthy is not affiliated with or endorsed by Microsoft; SC-300 and related marks belong to their respective owners.

At a glance

  • Questions: typically 40 to 60
  • Time allowed: 120 min
  • Pass mark: 700 / 1000
  • Cost (USD): $165

Format: Multiple choice and multiple response, at a Pearson VUE testing center or online proctored

Domain weight map

Heaviest first: spend your time here.
  • Implement and Manage User Identities: 25% · 70 Q
  • Implement Authentication and Access Management: 25% · 72 Q
  • Plan and Implement Workload Identities: 25% · 70 Q
  • Plan and Automate Identity Governance: 25% · 72 Q

How this exam thinks

SC-300 is a build-it-correctly exam: nearly every question hands you a constrained scenario and asks for the single Microsoft Entra configuration that meets it with least privilege and least effort, and the traps are real features that fit all but one word of the requirement.

Spot the trap

Tempting wrong answers, and why they fail

Tempting but wrong

Microsoft Entra Connect Sync is the lightweight Microsoft-managed agent service for syncing disconnected forests.

Why it fails

Connect Sync can serve multiple forests, but it requires a full synchronisation server with network reachability and is not a lightweight Microsoft-managed agent. Microsoft Entra Cloud Sync is the lightweight agent-based service for disconnected multi-forest topologies.

Domain: Implement and Manage User Identities

Tempting but wrong

Setting sign-in frequency to one hour for all cloud apps is the cleanest way to force hourly reauthentication in just one sensitive app.

Why it fails

Targeting all cloud apps applies the hourly reauthentication tenant-wide, disrupting every application instead of the one that needs it. To limit the interval to a single resource, scope the Conditional Access policy to that one application.

Domain: Implement Authentication and Access Management

Tempting but wrong

A user-assigned managed identity is automatically deleted when the virtual machine it is attached to is deleted.

Why it fails

A user-assigned managed identity has its own independent lifecycle and is not removed when an attached resource is deleted. It remains as a standalone Microsoft Entra object that must be cleaned up separately, so it does not satisfy a no-leftover-object requirement; a system-assigned managed identity does.

Domain: Plan and Implement Workload Identities

Tempting but wrong

Setting group owners as the access review reviewer satisfies a requirement that guests self-attest to their own access.

Why it fails

Group owners attest on behalf of the guests, not as the guests. To meet a self-attestation requirement the reviewer type must be users review their own access; the recurrence and removal action can be correct but the reviewer choice still fails the requirement.

Domain: Plan and Automate Identity Governance

Tempting but wrong

A single Connect Sync server with a custom rule set can reach across disconnected forests over the public internet.

Why it fails

Disconnected forests share no trust path for one Connect Sync server to read them, and reaching across forests over the internet is not a supported synchronisation design. Cloud Sync with a per-forest agent is the supported approach.

Domain: Implement and Manage User Identities

Tempting but wrong

The persistent browser session control makes a user reauthenticate every hour while working inside an app.

Why it fails

Persistent browser session only governs whether authentication cookies survive closing and reopening the browser. It does not impose a timed reauthentication interval during an active session; sign-in frequency is the control that enforces a periodic one-hour prompt.

Domain: Implement Authentication and Access Management
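The two session-control traps above (hourly reauthentication scoped to all apps instead of one, and persistent browser session mistaken for a timed prompt) come down to where the app scope and the session control sit in the policy. This is an added example, not code from the Examworthy page or from Microsoft; it uses the Microsoft Graph PowerShell module, and the application ID is a placeholder you would replace with the sensitive app's own ID.

```powershell
# Added example: build the app-scoped hourly sign-in frequency policy the cheat sheet describes.
# Requires the Microsoft.Graph.Identity.SignIns module and a role allowed to write Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

# ASSUMPTION / placeholder: the application (client) ID of the one sensitive enterprise app.
$sensitiveAppId = "00000000-0000-0000-0000-000000000000"

$params = @{
    displayName = "Hourly reauthentication - sensitive app only"
    # Start in report-only so the sign-in logs show who would be prompted before anyone is disrupted.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        # The trap: includeApplications = @("All") would prompt every user in every app hourly.
        # The fix: scope the policy to the single application that needs the interval.
        applications   = @{ includeApplications = @($sensitiveAppId) }
        clientAppTypes = @("all")
    }
    # Sign-in frequency is a session control, not a grant control (no MFA/compliant-device here).
    sessionControls = @{
        signInFrequency = @{
            isEnabled         = $true
            value             = 1
            type              = "hours"
            frequencyInterval = "timeBased"
        }
        # persistentBrowser is deliberately absent: it only decides whether auth cookies survive
        # closing the browser; it never enforces a timed prompt inside an active session.
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State

# Quick self-check against the trap: the policy must not be scoped to all cloud apps.
if ($policy.Conditions.Applications.IncludeApplications -contains "All") {
    throw "Policy is scoped to all cloud apps; narrow it to the single sensitive application."
}
```

Switch `state` to `enabled` only after the report-only sign-in log results match the expected user and app scope.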

Tempting but wrong

An app registration with a client secret in Key Vault gives a VM credential-free access tied to the VM lifecycle.

Why it fails

An app registration relies on a client secret the team must store, manage and rotate, which contradicts a no-stored-credentials goal. Its lifecycle is also independent of the virtual machine, so it is not removed with the VM. A system-assigned managed identity provides credential-free, lifecycle-bound access instead.

Domain: Plan and Implement Workload Identities

Tempting but wrong

A one-time access review with the application owner as reviewer can enforce quarterly guest self-attestation on an enterprise application.

Why it fails

A one-time review does not repeat each quarter, and an application owner is not the guest, so neither the recurrence nor the self-attestation need is met. Recurring self-review of the access package assignments is required instead.

Domain: Plan and Automate Identity Governance

Key terms

  • built-in and custom Microsoft Entra roles
  • administrative units
  • effective permissions
  • custom domains
  • company branding
  • tenant, user, group, and device settings
  • user accounts
  • group types and membership
  • dynamic membership rules
  • custom security attributes
  • bulk operations with PowerShell
  • device join and registration
  • licence assignment
  • external collaboration settings
  • guest invitations
  • external user account management

Exam-day rules

  • Name the owning mechanism first. Decide whether the stem is about Conditional Access, Microsoft Entra ID Protection, Privileged Identity Management, entitlement management, a workload identity, or hybrid sync before you read the options, so you narrow the field before comparing details.
  • Re-read the requirement for the deciding constraint. When two options are real Microsoft Entra features that both sound plausible, the answer turns on a single detail in the stem, such as least administrative effort, near real time, no credential to clean up, or scoped to one app.
  • Separate grant controls from session controls every time. Requiring multifactor authentication or a compliant device is a grant control; sign-in frequency and persistent browser are session controls. Many traps swap these, so label the requirement before you answer.
  • Pick the least-privilege, lowest-effort option. When more than one configuration would technically work, the exam wants the one that uses the narrowest scope and the fewest ongoing manual steps, such as group-based licensing over per-user assignment or an app-scoped policy over an all-apps policy.
  • Distinguish near-real-time revocation from expiry-based controls. If the stem demands a session ends within minutes of a directory change, it is continuous access evaluation, not a shorter token lifetime or sign-in frequency.

Revision schedule

  1. Day 1
    Read the blueprint and book a date
  2. Week 1
    Build the user and identity foundation
  3. Week 1 to 2
    Master authentication and Conditional Access
  4. Week 2 to 3
    Work through workload identities and app integration
  5. Week 3
    Automate identity governance

Practise SC-300 free

Every question has a worked explanation and a per-distractor rationale. No sign-up.

1116 audited flashcards in this deck.
