The Microsoft Identity and Access Administrator (SC-300)

Per Microsoft SC-300: Manage administrative units and delegated roles , administrative units (AUs) allow scoping of administrative privileges to subsets of users or groups within a tenant.

In this case, User5 is assigned the User Administrator role for AU1. This means User5 can only manage users and groups that are members of AU1. From the given table, Group1, User2, and User3 are part of AU1.

Therefore, User5 can reset passwords for users who are either:

Members of AU1 directly (User2, User3), or

Members of groups that belong to AU1, if those groups’ members fall under delegated scope.

However, User1 and User4 are not part of AU1, and User5 has no administrative control over them.

When users accept or decline a Terms of Use (ToU) in Azure AD, these actions are recorded in the audit logs. The Microsoft Identity and Access Administrator documentation specifies that audit logs capture “Terms of use acceptance records” including who accepted, who declined, timestamp, and version of the ToU accepted.

The other options are incorrect because:

Provisioning logs capture provisioning events (not ToU).

Usage and Insights reports provide activity metrics, not compliance actions.

Sign-in logs capture authentication activity but not ToU acceptance.

Therefore, to identify which users accepted or declined Terms1, you should use the Audit logs in Azure AD.

Azure RBAC roles on a scope (subscription, resource group, resource) can be assigned to Azure AD security principals: users , groups , and service principals (which includes enterprise applications and managed identities). The SC-300 content states: “RBAC roles can be assigned to users, groups, and applications (service principals), including system-assigned managed identities created for Azure resources.” In the table, User1 (user), Group1 (security group), VM1 (a VM with system-assigned managed identity), and App1 (an enterprise application service principal) are all valid principals. Therefore, all four can be assigned the Contributor role at the RG1 scope. This enables least-privilege delegation to workloads (VM1/App1) and to people (User1/Group1) without granting broader directory roles.

The SC-300 exam section “Implement Conditional Access” and the Azure AD Terms of Use documentation explain that Terms of Use must be enforced using Azure AD Conditional Access. The policy ensures users cannot access Microsoft 365 resources until they accept the presented terms. Conditional Access provides the “Require terms of use” control under Access Controls → Grant.

The study guide states:

“Administrators can require users to accept organization terms of use by including a Terms of Use control in a Conditional Access policy. Access is denied until acceptance.”

Microsoft Cloud App Security and Endpoint Manager policies (Options A, B, D) are unrelated — they cannot enforce user acceptance before access. The only supported method is through Azure AD Conditional Access.

✅ Correct Answer: C. a conditional access policy in Azure AD

In Microsoft 365, Basic authentication is an outdated protocol that sends credentials in plain text and does not support MFA. To enforce Modern authentication (OAuth 2.0), which is required for stronger identity protection and token-based access, administrators must block legacy authentication using Conditional Access policies in Azure AD.

According to the SC-300 study guide and Microsoft Learn module “Implement Conditional Access policies” , this can be achieved by:

Creating a Conditional Access policy in Azure AD.

Targeting the Exchange Online cloud app.

Setting the condition Client apps → Other clients (legacy authentication) to block access.

Modern authentication clients (like Outlook 2016+, Outlook on the web, and Outlook mobile) use secure OAuth tokens that comply with Conditional Access requirements (such as MFA, device compliance, or trusted location).

Compliance policies or application control profiles in Microsoft Endpoint Manager do not manage authentication protocols, and Microsoft Cloud App Security OAuth policies govern third-party app permissions, not Exchange connectivity.

Therefore, the correct approach to ensure only Modern authentication clients can connect is to enforce this through a Conditional Access policy in Azure AD.

According to the Microsoft SC-300: Microsoft Identity and Access Administrator Study Guide and Microsoft Learn module “Plan and implement Azure AD Seamless Single Sign-On (SSO)”, Azure AD Seamless SSO allows domain-joined Windows devices (that are not necessarily Azure AD-joined) to automatically sign in to Azure AD without requiring users to re-enter their credentials.

How Azure AD Seamless SSO Works: When a user tries to access an Azure AD-integrated application (like Microsoft 365, Teams, or SharePoint Online), Azure AD redirects the authentication request to the on-premises Active Directory. The Seamless SSO feature uses a computer account ( AZUREADSSOACC ) created in Active Directory to authenticate users through Kerberos tickets automatically.

For the Kerberos-based SSO to work properly in a browser or client, the service principal name (SPN) used by Azure AD must be treated as a trusted intranet site. This ensures that Integrated Windows Authentication (IWA) can pass the user’s Kerberos ticket automatically — without prompting for credentials.

Configuration Required on Windows 10 Devices: To enable automatic SSO without credential prompts, you must:

Add the following URLs to the Intranet Zone in Internet Explorer or Microsoft Edge (and by extension, Windows Authentication settings):

https: //autologon.microsoftazuread-sso.com

https: //aadg.windows.net.nsatc.net

Ensure Automatic logon with current user name and password is enabled for the Intranet Zone.

From Microsoft Documentation: “For Azure AD Seamless SSO to work, the client machines must be on the corporate network and the URLs ‘https://autologon.microsoftazuread-sso.com’ and ‘https://aadg.windows.net.nsatc.net’ must be added to the users ' Intranet zone settings.”

Other options are not correct because:

A. Enable Enterprise State Roaming — Manages user settings across devices, unrelated to SSO.

B. Configure Sign-in options — User-level authentication preferences, not required for Seamless SSO.

C. Install Azure AD Connect Authentication Agent — Used for Pass-through Authentication (PTA), not for Seamless SSO.

User1 is eligible for the Application Administrator role and needs to configure an Application Proxy connector group. Application Proxy is an Azure AD feature used to publish on-premises applications securely.

To activate the eligible role, User1 must perform a Privileged Identity Management (PIM) activation within the Azure AD admin center.

From Microsoft Documentation:

“Privileged Identity Management (PIM) role activations are performed in the Azure AD admin center under Azure AD → Privileged Identity Management → My roles.”

Activation steps are not available through Microsoft 365 or Defender portals.

Comprehensive and Detailed In-Depth Explanation:

Let’s break this down step by step based on Microsoft Entra ID self-service password reset (SSPR) settings and the available authentication methods, as outlined in Microsoft Identity and Access Administrator documentation.

Understanding Self-Service Password Reset (SSPR) in Microsoft Entra ID:

Self-service password reset (SSPR) allows users to reset their passwords without administrator intervention, improving security and reducing helpdesk workload.

The settings provided are:

Require users to register when signing in: Yes– Users must register their authentication methods (e.g., phone number, email, security questions) the first time they sign in. This ensures they have methods available for SSPR.

Number of methods required to reset: 1– Users must verify their identity using one authentication method to reset their password. This is the minimum number of methods required, meaning users must have at least one method registered, and they will use one method during the reset process.

Available Authentication Methods for SSPR:

Microsoft Entra ID SSPR supports a specific set of authentication methods that users can use to verify their identity during a password reset. These methods are configured by the administrator in the Microsoft Entra admin center under " Password reset " settings.

The default authentication methods available for SSPR include:

Email:Users receive a code sent to an alternate email address.

Mobile phone (SMS):Users receive a code via SMS to their registered mobile phone.

Mobile app code:Users use a code generated by the Microsoft Authenticator app (or another compatible authenticator app).

Mobile app notification:Users receive a push notification in the Microsoft Authenticator app to approve the reset.

Security questions:Users answer predefined security questions they set up during registration.

Important Note:Methods like smartcards, FIDO2 security tokens, and Windows Hello are not supported for SSPR. These methods are typically used for authentication during sign-in (e.g., MFA or passwordless sign-in), not for the SSPR process.

Analysis of the Options:

A. A smartcard:

Smartcards are a form of certificate-based authentication often used for sign-in to Windows devices or VPNs. They require a physical card and a reader, and they are typically used for primary authentication, not for SSPR.

Microsoft Entra ID SSPR does not support smartcards as an authentication method for password reset. Smartcards are not listed as an available method in the SSPR configuration settings.

Conclusion:This is incorrect.

B. A mobile app code:

A mobile app code refers to a time-based one-time password (TOTP) generated by an authenticator app, such as the Microsoft Authenticator app.

This is a supported method for SSPR in Microsoft Entra ID. Users can register the Microsoft Authenticator app (or another compatible app) and use the generated code to verify their identity during a password reset.

Since the setting " Number of methods required to reset: 1 " means only one method is needed, a mobile app code is a valid option if the user has registered it.

Conclusion:This is correct.

C. An FIDO2 security token:

FIDO2 security tokens (e.g., YubiKey) are hardware-based security keys that support passwordless authentication in Microsoft Entra ID. They are part of Microsoft’s passwordless authentication strategy and can be used for sign-in.

However, FIDO2 security tokens are not supported for SSPR. The SSPR process does not allow users to verify their identity using a FIDO2 security key because the reset process is designed to work with simpler, more accessible methods like email, SMS, or app-based codes.

Conclusion:This is incorrect.

D. A Windows Hello PIN:

Windows Hello PIN is a device-specific authentication method used to sign in to Windows devices. It is part of Windows Hello, which also includes biometric authentication (e.g., facial recognition, fingerprint).

Windows Hello PIN is not supported for SSPR in Microsoft Entra ID. The SSPR process occurs in a web-based portal (e.g., aka.ms/sspr) and does not integrate with device-specific authentication methods like Windows Hello. Additionally, Windows Hello PIN is tied to a specific device, whereas SSPR is designed to be device-agnostic.

Conclusion:This is incorrect.

Additional Considerations:

The setting " Require users to register when signing in: Yes " ensures that users have at least one authentication method registered. However, the question does not specify which methods are enabled by the administrator. In Microsoft Entra ID, the default enabled methods for SSPR typically include email, mobile phone (SMS), mobile app code, and mobile app notification. Security questions may also be enabled but are less common due to security concerns.

If the administrator has disabled certain methods (e.g., mobile app code), the answer could change. However, the question does not indicate any such restrictions, so we assume the default methods are available.

The " Number of methods required to reset: 1 " setting means users only need to use one method to reset their password, but they may have multiple methods registered. The question asks for a " valid authentication method available to users, " so we need to identify a method that SSPR supports.

Conclusion:Based on the SSPR settings and the supported authentication methods in Microsoft Entra ID:

A mobile app code (option B) is a valid authentication method for SSPR, as it is supported by default and aligns with the configuration.

Smartcards, FIDO2 security tokens, and Windows Hello PIN are not supported for SSPR.Therefore, the correct answer isB.

According to the Microsoft Identity and Access Administrator (SC-300) Study Guide and Microsoft Learn documentation on “Enable Microsoft Entra login for Windows Server and Windows virtual machines in Azure”, successful sign-in to Azure VMs using Microsoft Entra (formerly Azure AD) credentials requires network connectivity to specific Microsoft identity endpoints. One of the most critical endpoints is https://enterpriseregistration.windows.net , which is used during the device registration and Microsoft Entra Join process.

When you enable Microsoft Entra login for Azure VMs, each VM must register itself as a device in the directory to allow authentication using Entra credentials. If the VM cannot reach the enterprise registration service, the registration fails, meaning the VM will not appear as a valid device in Entra ID. Consequently, users attempting to log in with their Entra credentials will encounter sign-in errors because the system cannot validate their device trust and user token against the identity service.

Microsoft documentation explicitly states:

“To enable Microsoft Entra sign-in to Windows VMs in Azure, the VM must be able to communicate with Microsoft Entra endpoints, including https://enterpriseregistration.windows.net , to complete device registration.”

Options B, C, and D are unrelated to initial configuration issues. Revoking refresh tokens or deleting device registrations would not resolve connectivity or registration failures. SSH support (option D) is applicable to Linux VMs, not Windows.