Microsoft Updated SC-300 Exam Questions and Answers by zidane

Register App1 in Microsoft Entra ID.

Create a conditional access policy that has session controls configured.

From Microsoft Defender for Cloud Apps, modify the Connected apps settings for App1.

From Microsoft Defender for Cloud Apps, create a session policy.

Let’s break this down step by step based on Microsoft Defender for Cloud Apps (MDCA) and Microsoft Entra ID integration for enabling real-time session-level monitoring, as outlined in Microsoft Identity and Access Administrator documentation.

Understanding the Goal: Real-Time Session-Level Monitoring with Microsoft Defender for Cloud Apps:

Microsoft Defender for Cloud Apps (MDCA) is a Cloud Access Security Broker (CASB) solution that provides visibility, control, and threat protection for cloud applications.

Real-time session-level monitoring allows MDCA to inspect and control user activities within a cloud app (App1 in this case) during active sessions. This requires integration with Microsoft Entra ID and the use of Conditional Access policies to route sessions through MDCA for monitoring.

The Microsoft 365 E5 tenant includes licenses for Microsoft Entra ID P2 and Microsoft Defender for Cloud Apps, which are necessary for this functionality.

Step-by-Step Analysis of the Actions:To enable real-time session-level monitoring, the actions must be performed in a logical order that aligns with Microsoft’s recommended workflow for integrating a cloud app with MDCA.

Step 1: Register App1 in Microsoft Entra ID.

Before App1 can be monitored by MDCA, it must be registered as an application in Microsoft Entra ID. This step involves adding App1 to the tenant’s enterprise applications, which allows Microsoft Entra ID to manage authentication and authorization for the app.

Registering the app in Microsoft Entra ID enables single sign-on (SSO) and allows the app to be governed by Conditional Access policies, which is a prerequisite for session-level monitoring.

This is the first step because none of the other actions can proceed without App1 being recognized by Microsoft Entra ID.

Step 2: Create a conditional access policy that has session controls configured.

Microsoft Defender for Cloud Apps integrates with Microsoft Entra ID Conditional Access to enforce session-level monitoring. A Conditional Access policy must be created to target App1 and include session controls that route user sessions through MDCA.

In the Conditional Access policy, under " Session " controls, you enable the option " Use Conditional Access App Control, " which integrates with MDCA. This allows MDCA to monitor and control the session in real time.

This step must come after registering the app in Microsoft Entra ID because the Conditional Access policy needs to target an existing app. It must also precede the MDCA-specific steps because the session control integration sets up the connection between Microsoft Entra ID and MDCA.

Step 3: From Microsoft Defender for Cloud Apps, modify the Connected apps settings for App1.

After the Conditional Access policy routes sessions to MDCA, you need to configure App1within MDCA by modifying its Connected apps settings. This step involves ensuring that App1 is properly connected to MDCA, which may include configuring API connectors or verifying that MDCA can monitor the app’s activities.

This step is necessary to ensure MDCA has the necessary permissions and configurations to monitor App1. It comes after the Conditional Access policy because the policy enables the integration, and now MDCA needs to be set up to handle the app.

Step 4: From Microsoft Defender for Cloud Apps, create a session policy.

Finally, you create a session policy in MDCA to define the real-time monitoring and control rules for App1. A session policy in MDCA allows you to monitor user activities (e.g., file downloads, data sharing) and apply actions (e.g., block, notify) based on predefined conditions.

This step is the last because it relies on the previous steps: the app must be registered, the Conditional Access policy must route sessions to MDCA, and the Connected apps settings must be configured for MDCA to recognize App1. Only then can you define session policies to enforce real-time monitoring.

Why This Order?

The order ensures a logical flow:

Registering the app in Microsoft Entra ID establishes the app’s identity in the tenant.

The Conditional Access policy enables the integration with MDCA by routing sessions through it.

Modifying the Connected apps settings in MDCA ensures the app is properly set up for monitoring.

Creating a session policy in MDCA defines the specific monitoring and control rules for real-time session-level monitoring.

Deviating from this order would result in errors. For example, creating a session policy in MDCA before registering the app in Microsoft Entra ID would fail because MDCA wouldn’t recognize the app.

Additional Considerations:

The Microsoft 365 E5 license includes Microsoft Entra ID P2 and Microsoft Defender for Cloud Apps, so no additional licensing is required for this scenario.

If App1 is not a supported app for MDCA’s app connectors, additional steps (e.g., using a custom app connector) might be needed, but the question implies App1 can be monitored with the standard process.

Session policies in MDCA can include actions like blocking downloads or requiring step-up authentication, which are applied in real time during the user’s session.

Conclusion:The correct order to enable real-time session-level monitoring of App1 using Microsoft Defender for Cloud Apps is:

Register App1 in Microsoft Entra ID.

Create a conditional access policy that has session controls configured.

From Microsoft Defender for Cloud Apps, modify the Connected apps settings for App1.

From Microsoft Defender for Cloud Apps, create a session policy.

When an application requires admin consent to access Microsoft Entra ID data, and you have enabled “Users can request admin consent to apps they are unable to consent to”, Microsoft Entra allows specific users or roles to act as reviewers who can review and approve or deny those requests.

In this scenario:

The Admin consent requests feature is enabled.

Admin1, Admin2, Admin3, and User1 were added as reviewers.

However, only users with the required administrative roles can actually review and approve admin consent requests — not standard users.

According to the Microsoft SC-300 study guide and Microsoft Learn documentation (“Configure the admin consent workflow”), the roles that can review and approve admin consent requests include:

Global Administrator

Cloud Application Administrator

Application Administrator

The Security Administrator role can view and audit permissions but cannot approve consent requests, and regular users (with no admin role) cannot perform any action in this workflow.

Applying this to the question:

Admin1 (Cloud Application Administrator) → ✅ Can approve requests.

Admin2 (Application Administrator) → ✅ Can approve requests.

Admin3 (Security Administrator) → ✅ Can review (depending on Entra configuration; Security Administrator has partial consent visibility for security-sensitive apps).

User1 (None) → ❌ Cannot review or approve because they lack an admin role.

Hence, only Admin1, Admin2, and Admin3 are valid reviewers who can act on admin consent requests.

Azure AD Identity Protection helps detect risky sign-ins and risky users. To mitigate these risks without blocking user access, Microsoft recommends configuring sign-in risk policies to enforce MFA rather than block sign-ins.

From the SC-300 documentation:

“When you want to remediate sign-in risk without blocking users, configure a Conditional Access or Identity Protection policy to require MFA when a risky sign-in is detected.”

This approach allows users to verify their identity and continue to sign in securely, rather than being blocked outright.

Hence, to implement sign-in risk remediation without blocking users, the first step is to enable and enforce MFA for all users so that users can self-remediate risky sign-ins.

The SC-300 Study Guide section on “Implement Access Reviews” states that administrators can create access reviews for groups, roles, or applications. When the scenario involves verifying external users’ access to specific applications — such as the Exchange admin center — the proper configuration is an application-based access review targeting guest users.

Microsoft Learn specifies:

“Application access reviews allow you to periodically verify external users’ access to enterprise applications integrated with Azure AD.”

Since the contractor is an external (guest) user and the access is to a specific application (Exchange admin center), you must configure an application-based review, not a group-based or directory-based one.

✅ Correct Answer: D. an application-based access review that targets guest users