Microsoft Updated SC-300 Exam Questions and Answers by justin

User

Can Reset Passwords For

User1

User3 and User5 only

User4

User3 only

According to the Microsoft SC-300: Microsoft Identity and Access Administrator Study Guide and official Microsoft Learn documentation on role-based access control (RBAC) and administrative units (AUs) , the scope of administrative privileges determines which users an administrator can manage.

Role Review:

Password Administrator (Organization scope): Can reset passwords for non-administrators and users with lesser privileges across the entire organization. They cannot reset passwords for Global Administrators or users with equal/higher roles.

Global Reader (Organization scope): Read-only access—cannot perform administrative actions (including password resets).

Password Administrator (Scoped to AU1): Can reset passwords for users within AU1 who are non-administrators and whose roles are less privileged than their own.

User

Role

Scope

Members in Administrative Unit

User1

Password Administrator

Organization

AU1

User2

Global Reader

Organization

AU1

User3

None

N/A

AU1

User4

Password Administrator

AU1

AU2

User5

None

N/A

None

Step 1 – For User1 (Org-scoped Password Administrator): User1’s permissions apply organization-wide, allowing resets for:

Users without admin roles, including those in or outside any AU.

Cannot reset passwords for users with equal or higher roles (e.g., Global Reader, Password Administrator).

✅ Therefore, User1 can reset passwords for:

User3 (no role, AU1)

User4 (Password Administrator in AU2) — ❌ cannot reset equal role

User5 (no role, no AU) ✅

Final for User1 → User3 and User5 only

Step 2 – For User4 (AU1-scoped Password Administrator): User4’s permissions apply only within AU1 and to users with lesser privileges.

Within AU1:

User1 (Org Password Admin) – ❌ higher privilege

User2 (Global Reader) – ❌ higher privilege

User3 (no role) – ✅ can reset

Final for User4 → User3 only

In Microsoft Entra Internet Access and Private Access, administrative permissions are controlled through specific Microsoft Entra roles. The SC-300 exam content (module “Manage Microsoft Entra Global Secure Access”) identifies that management of Global Secure Access features requires either of these roles:

Global Administrator, or

Network Access Administrator

These roles can configure, deploy, and manage settings for both Microsoft Entra Internet Access and Microsoft Entra Private Access in the Microsoft Entra admin center.

From Microsoft Learn:

“To configure and manage Microsoft Entra Internet Access or Private Access, you must be assigned either the Global Administrator or the Network Access Administrator role.”

Thus, if:

User1 = Global Administrator

User2 = Network Access Administrator

User3 = (Any other role)

Then only User1 and User2 can manage Microsoft Entra Internet Access.

Microsoft Entra certificate-based authentication (CBA) allows users to sign in with X.509 certificates. The SC-300 guidance explains that before users can authenticate with on-premises certificates, the tenant must trust the issuing Certificate Authorities : you must “ upload and configure the certificate authorities (root and any intermediates) that issue the user certificates ,” establishing the trust chain used to validate presented certificates. Only after the CA trust is configured can you map certificate fields and define authentication policies. Auto-enrollment (A) is optional operational convenience for issuing certs, not the first tenant configuration step. Azure Key Vault (B) is unrelated to validating client auth certificates. Windows Hello for Business (D) is a separate credential technology and not required for Entra CBA. Therefore, the first action is to add CA1 (and any intermediates) under Certificate Authorities in Microsoft Entra so that certificates issued by CA1 are recognized for sign-in.

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and the Microsoft Learn module “Monitor and respond to Azure AD events with Azure Sentinel” , multi-staged attacks are advanced threat scenarios that require correlation of multiple events — for example, a suspicious sign-in followed by abnormal Office 365 activity.

The scenario in the question states:

“Litware wants to use the Fusion rule in Azure Sentinel to detect multi-staged attacks that include a combination of suspicious Azure AD sign-ins followed by anomalous Microsoft Office 365 activity.”

Azure Sentinel’s Fusion rule is a built-in, machine-learning–driven correlation rule that automatically detects multi-stage attacks by analyzing anomalies across multiple data sources such as Azure AD sign-in logs, Office 365 activity, and security alerts.

However, to fine-tune detection or meet specific organizational monitoring requirements, administrators can customize the rule logic in Sentinel analytics. This allows you to define how different signals and events are correlated, what thresholds trigger an alert, and how Sentinel interprets combined anomalies.

Microsoft documentation states:

“Fusion uses correlation logic in analytics rules to detect complex multi-stage attacks. Administrators can customize rule logic to meet specific detection requirements and fine-tune alert sensitivity.”

The other options do not meet the requirement:

B. Create a workbook → Used for visualization and reporting, not detection.

C. Add data connectors → Used to ingest data sources; this is already configured.

D. Add a playbook → Used for automated response, not for detection logic configuration.

✅ Correct Answer: A. Customize the Azure Sentinel rule logic