Microsoft Updated SC-300 Exam Questions and Answers by imran

In this scenario, users already have Office 365 E3 licenses assigned individually, and you’ve now assigned Microsoft 365 E5 licenses through a group-based license assignment. The goal is to remove the E3 licenses from each user with the least administrative effort.

The SC-300 study guide and Microsoft documentation on “Manage license assignment in Azure AD” explain that when licenses are assigned both individually and through groups, the group assignment does not automatically remove the direct user-assigned licenses. To remove the individually assigned license programmatically, the Set-MgUserLicense cmdlet (Microsoft Graph PowerShell) is used.

The documentation states:

“Use the Set-MgUserLicense cmdlet to add or remove product licenses for users. You can specify the license plan to remove using the -RemoveLicenses parameter.”

Set-MgUserLicense -UserId user@domain.com -RemoveLicenses "O365_ENTERPRISE_E3"

A. the Set-KindohsProductKcy cmdlet:This is not a valid Microsoft 365 or Graph cmdlet (appears to be a distractor).

B. the Update-MgGroup cmdlet:Used to modify group properties — not for managing user licenses.

D. the Update-MgUser cmdlet:Updates user object attributes (e.g., display name) but cannot assign or remove licenses.

✅ Correct Answer: C. the Set-MgUserLicense cmdlet.

When configuring user consent settings in Azure AD, administrators can allow users to consent to third-party or verified publisher apps. However, to control which apps users can consent to based on their permission levels (for example, only “low impact” permissions), Microsoft provides enterprise application collections.

An enterprise application collection lets administrators group apps and assign consent policies that define what permissions apps can request and what level of user consent is allowed.

From Microsoft documentation:

“You can use enterprise application collections to group apps and assign user consent policies that restrict the permissions users can grant to apps. For instance, you can ensure users can only grant low-impact permissions, even when the app comes from a verified publisher.”

Other options explained:

Access package: Used for entitlement management, not app consent.

Permission classifications: Used to label permissions for administrators’ understanding, not enforce user consent behavior.

Access review: Used for periodic evaluation of access, not consent management.

In Azure AD Connect, filtering which users synchronize is achieved via synchronization rules. The SC-300 study content explains that to exclude objects based on an on-premises attribute (for example, extensionAttribute15=NoSync), you create an inbound rule on the Active Directory Domain Services (AD DS) connector. Inbound rules control the flow of data from AD DS into the metaverse, where you can use a scoping filter to mark objects as filtered (often via the cloudFiltered projection), preventing them from being provisioned to Azure AD. The official guidance highlights that inbound rules on the AD DS connector are used for attribute-based filtering and that export or run profiles (Full Import/Export) do not define logic; they only execute the configured rules. Therefore, to stop users with extensionAttribute15=NoSync from syncing, you create an inbound synchronization rule on the AD DS connector with a condition on that attribute to exclude those users from synchronization.

According to the Microsoft Identity and Access Administrator (SC-300) Study Guide and the Microsoft Learn – “Manage Microsoft 365 Groups naming policies” documentation, group naming policies in Azure Active Directory (now Microsoft Entra ID) apply to end users who create Microsoft 365 groups, but do not apply to administrators who have roles that allow them to override naming restrictions.

The policy defines conventions such as prefixes, suffixes, blocked words, and enforced naming rules. However, certain administrative roles are exempt from this policy to allow organizational management and automation processes. The exempt roles are:

Global Administrator

User Administrator

These two roles can create Microsoft 365 groups without the naming policy constraints. Other users — including Groups Administrator and users without administrative roles — are subject to the naming policy when creating groups.

From the official documentation:

“Naming policies apply to all users who create groups, except for global administrators and user administrators. These roles can create groups that bypass the naming policy restrictions.”

Applying this rule:

User1 (Global Administrator) — exempt

User2 (User Administrator) — exempt

User3 (Groups Administrator) — affected by the policy

User4 (no role) — affected by the policy