Microsoft Updated SC-300 Exam Questions and Answers by imran

According to the Microsoft Identity and Access Administrator (SC-300) official study guide and Microsoft Learn module “Manage External Identities” , when granting external users (such as contractors) access to Azure AD resources, the recommended method is to invite them as guest users (B2B collaboration users) into your Azure AD tenant.

The New-AzureADMSInvitation cmdlet is the PowerShell command used to create an Azure AD B2B guest invitation. It sends an invitation to an external user (such as user1@outlook.com ) and, upon acceptance, creates a corresponding guest user account in the tenant (for example, user1_outlook.com#EXT#@contoso.com ). This account can then be assigned to enterprise applications like App1.

From Microsoft documentation:

“To provide external users access to resources in your organization, invite them as guests using Azure AD B2B collaboration. You can do this by running the New-AzureADMSInvitation cmdlet or via the Azure portal.”

B. Configure the External collaboration settings: These settings define collaboration policies (who can invite guests, restrictions, etc.) but do not invite users themselves.

C. Add a WS-Fed identity provider: This is used to federate another identity provider (e.g., ADFS or another Azure AD tenant), not to onboard an individual external user.

D. Implement Azure AD Connect: This tool synchronizes on-premises directories with Azure AD; it’s not relevant for external users from Outlook.com.

Why not the other options: ✅ Correct Answer: A. Run the New-AzureADMSInvitation cmdlet.

According to the Microsoft SC-300: Microsoft Identity and Access Administrator Study Guide and Microsoft Learn module “Manage licenses in Azure Active Directory”, the most efficient way to manage or remove product licenses from a large group of users is by using group-based licensing through the Licenses blade in the Azure Active Directory admin center.

In this scenario:

2,500 users were individually assigned Office 365 E3 licenses.

The same users are now assigned Microsoft 365 E5 licenses via group assignment (using group-based licensing).

When a user is assigned a license directly and later receives another license through a group, Azure AD continues to track both — the direct and inherited assignments. To remove the E3 licenses efficiently, you can use the Licenses blade to remove all direct assignments in bulk rather than editing each user individually.

In the Azure AD admin center, navigate to: Azure Active Directory → Licenses → All products → Office 365 E3.

Select Licensed users.

Select all users (or filter based on the direct assignment type).

Click Remove license assignment to remove the E3 licenses.

Step-by-Step (as per Microsoft documentation): This method removes the E3 licenses for all directly assigned users in a single operation—achieving the goal with the least administrative effort.

A. Identity Governance blade: Used for access reviews, entitlement management, and lifecycle workflows—not license management.

B. Set-AzureADUser cmdlet: Manages user properties but does not directly manage license assignments (you would need Set-AzureADUserLicense or Set-MgUserLicense , which is more manual).

D. Set-WindowsProductKey cmdlet: Used for activating Windows OS, not Microsoft 365 licensing.

Why the other options are incorrect:

Comprehensive and Detailed Explanation with all Microsoft SC-300: Identity and Access Administrator documents: =

Based on the Microsoft SC-300: Microsoft Identity and Access Administrator official study guide, Exam Ref SC-300 , and Microsoft Learn Identity & Access Management modules, Azure provides several mechanisms to manage identity integration and role delegation between Microsoft 365 and Azure resources.

Ensure that users can sign in to Azure virtual machines by using their Microsoft 365 credentials: This requirement refers to enabling Azure AD-based authentication for virtual machines. This capability is provided by Azure AD Managed Identities and Azure AD join support for Azure VMs. Managed identities allow Azure resources, such as virtual machines, to authenticate to Azure AD-secured services using Microsoft Entra (Azure AD) credentials, eliminating the need to manage credentials manually. As stated in the Microsoft Identity study guide:

“Azure AD-managed identities provide an automatically managed identity in Azure AD for applications or services to use when connecting to resources secured by Azure AD. This includes support for user sign-in to Azure VMs using Microsoft 365 or Azure AD credentials.”

Delegate the ability to create new virtual machines: To delegate resource creation and management in Azure, Azure role-based access control (Azure RBAC) is used. Azure RBAC enables granular access management for Azure resources by assigning roles such as Virtual Machine Contributor , Owner , or Contributor at different scopes (subscription, resource group, or resource). Microsoft documentation clarifies:

“Azure RBAC allows you to assign roles to users, groups, or service principals, granting permissions to create, modify, or delete Azure resources, including virtual machines.”

In Microsoft Entra ID, when one application (App1) needs to access another application’s (App2) API securely without user interaction, it uses app-only authentication (also known as client credentials flow).

For app-to-app communication:

App1 must be granted permissions to App2 (via application permissions).

App1 must authenticate using credentials that Entra ID recognizes.

The valid credential types are:

Certificates — Secure method for app authentication using an X.509 certificate.

Client secrets — A text-based key (password) used to authenticate the app.

Microsoft documentation states:

“Application identity can be established using a client secret or certificate in the client credentials flow.”

Options B (Managed identity) apply only to Azure resources (not registered apps).

Option D (User account) and E (One-time password) are interactive credentials and not valid for app-only access.

In Microsoft Entra ID, when one application (App1) needs to access another application’s (App2) API securely without user interaction, it uses app-only authentication (also known as client credentials flow).

For app-to-app communication:

App1 must be granted permissions to App2 (via application permissions).

App1 must authenticate using credentials that Entra ID recognizes.

The valid credential types are:

Certificates — Secure method for app authentication using an X.509 certificate.

Client secrets — A text-based key (password) used to authenticate the app.

Microsoft documentation states:

“Application identity can be established using a client secret or certificate in the client credentials flow.”

Options B (Managed identity) apply only to Azure resources (not registered apps).

Option D (User account) and E (One-time password) are interactive credentials and not valid for app-only access.