Microsoft Updated SC-300 Exam Questions and Answers by justin

In Azure, enabling a system-assigned managed identity on a virtual machine is done on the VM resource itself. With the Az PowerShell module, you first retrieve the VM object and then update it to enable the identity. The correct sequence is to call Get-AzVM to load VM1 into a variable and then Update-AzVM -IdentityType SystemAssigned to turn on the built-in identity for that VM. After the identity is enabled, Azure AD automatically creates a service principal that represents the VM’s managed identity. To add this identity to an Azure AD security group (Group1), you must reference that service principal. The Az.Resources cmdlet Get-AzADServicePrincipal -DisplayName "vm1" returns the service principal object for the VM’s system-assigned identity. You then look up the target group with Get-AzADGroup and add the service principal as a member using Add-AzureADGroupMember, passing the group’s ObjectId and the service principal’s Id. This aligns with Microsoft guidance that VM system-assigned identities are represented in Entra ID as service principals, and that group membership operations use the service principal’s object id when adding an application/managed identity to a group.

Filled script:

$vm = Get-AzVM -ResourceGroupName myResourceGroup -Name vm1

Update-AzVM -ResourceGroupName myResourceGroup -VM $vm -IdentityType SystemAssigned

$displayname = Get-AzADServicePrincipal -DisplayName "vm1"

$group = Get-AzADGroup -SearchString "group1"

Add-AzureADGroupMember -ObjectId $group.Id -RefObjectId $displayname.Id

The SC-300 official study guide and Microsoft Learn: Manage Access Reviews confirm that Access Reviews in Azure AD can target user-based groups, Azure AD roles, and enterprise applications. However, dynamic device groups are not supported for access reviews.

Azure AD External collaboration settings govern who can bring guests into the tenant. The SC-300 content specifies: “External collaboration settings let you control who can invite guests (Anyone, Members, Guests, or Only admins and users in the Guest Inviter role) and whether guests can invite.” It also highlights: “To restrict guest invitations to administrators or designated inviters, configure External collaboration to ‘Only admins and users in the Guest Inviter role’ and disable guest-to-guest invitations if required.” Because the problem states that “Anyone in the organization can invite guest users, including other guests and non-administrators,” the remediation is to tighten External collaboration settings so only approved roles (e.g., Global admins, Guest Inviter, or specific administrators) can invite. Access reviews address periodic entitlement verification, Conditional Access enforces sign-in/session policies, and Continuous Access Evaluation relates to token lifetime/signal-based revocation; none of these change who can send guest invitations. Adjusting External collaboration settings directly resolves the issue and aligns with the requirement that “only users that are assigned specific admin roles can invite guest users.”

For Identity Governance (Entitlement Management), the materials clarify who can create and manage access reviews of access packages: “To create or manage access reviews for access packages, you must be a Global administrator, an Identity Governance administrator, a catalog owner for the catalog that contains the access package, or an access package manager.” The exam text also states: “User administrator does not grant the ability to manage entitlement management access reviews unless the user is delegated as a catalog owner or access package manager.” Given the scenario’s user roles, User3 (Identity Governance administrator) and User5 (Global administrator) satisfy these permissions and therefore can create and manage the access review for Package1. By contrast, User4 (User administrator) cannot perform this task by role alone. This selection follows the least-privilege guidance emphasized in SC-300: use specialized governance roles (Identity Governance admin or delegated catalog roles) rather than broad directory roles when possible.