Microsoft Updated SC-300 Exam Questions and Answers by zidane

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and Microsoft Learn content under “Manage Azure AD tenants and configure tenant properties”, self-service sign-up (also known as viral sign-up) allows users to create accounts in an existing Azure AD tenant using an email domain associated with that tenant. This feature lets external or ungoverned users create identities if it is not explicitly disabled, which can cause unauthorized account creation in the organization’s namespace.

To stop users from performing self-service sign-ups using the organization’s verified domain (e.g., contoso.com), administrators must disable the AllowEmailVerifiedUsers setting in Azure Active Directory using PowerShell. This configuration change prevents users from automatically creating accounts with the organization’s domain when registering for Microsoft 365 or other Azure services.

The cmdlet used to configure tenant-level settings like this is Set-MsolCompanySettings from the MSOnline module.

The specific PowerShell command would be:

Set-MsolCompanySettings -AllowEmailVerifiedUsers $false

This command disables self-service sign-up for email-verified users, ensuring that only administrators can create accounts in the tenant.

Other cmdlets in the options serve different purposes:

Set-MsolDomainFederationSettings – Used for configuring federation settings for a domain.

Update-MsolFederatedDomain – Used to update or repair federation trust settings.

Set-MsolDomain – Used to configure domain-specific properties (e.g., authentication type).

As per Microsoft’s official documentation:

“To prevent users from self-service sign-up using your organization’s verified domain, set AllowEmailVerifiedUsers to $false using Set-MsolCompanySettings.”

In SC-300, the mitigation for unsolicited MFA prompts (push fatigue) is Fraud alert on Azure AD MFA. The materials state that administrators can “allow users to report suspicious MFA prompts and automatically block the user when they select Report fraud in Microsoft Authenticator.” By contrast, Account lockout settings are designed to “temporarily lock an account after a configurable number of consecutive MFA denials to thwart brute-force attempts,” and they do not initiate an automatic block tied to a user’s fraud report. The study guide further clarifies that fraud alerts “can automatically block the user for a specified period (default 90 days) when a fraudulent attempt is reported,” which is precisely the behavior required in the scenario. Therefore, merely configuring Account lockout settings will not meet the goal of automatically blocking users when they report an unsolicited prompt.

User1 syncs to Azure AD: ✅ Yes

User2 syncs to Azure AD: ❌ No

Group2 syncs to Azure AD: ❌ No

This scenario is directly covered in the Microsoft SC-300: Identity and Access Administrator exam section “Implement Azure AD Connect synchronization” and detailed in Microsoft documentation: “Azure AD Connect: Configure filtering”.

Azure AD Connect supports multiple filtering mechanisms:

Domain and Organizational Unit (OU) filtering – only objects in selected OUs are synchronized.

Group-based filtering (Pilot sync) – when enabled, only members of the specified security group (and required dependency objects) are synchronized. Nested groups are not supported.

OU Filtering:

Both OU1 and OU2 are selected.

Therefore, objects in both OUs are eligible for synchronization (if other filters allow).

Group-based filtering:

The selected filter group is Group1, located in OU2.

Azure AD Connect synchronizes only direct members of Group1 (users, groups, or devices).

Nested groups are ignored — their members are not recursively synchronized.

User1:

Is a direct member of Group1 (in OU1).

Since User1 is directly in Group1, and OU1 is included, User1 will sync to Azure AD.✅ User1 syncs to Azure AD = Yes

User2:

Is not a member of any group.

The Group1-based filtering excludes non-members, even though OU1 is selected.❌ User2 syncs to Azure AD = No

Group2:

Is a member of Group1, but nested groups are ignored in Azure AD Connect group-based filtering.

Thus, Group2 itself and its members will not be synchronized.❌ Group2 syncs to Azure AD = No

“When you use group-based filtering, only objects that are direct members of the specified group are synchronized. Nested group memberships are ignored.”

“If you select specific OUs for synchronization, objects must meet both the OU filtering and the group filtering criteria to be included in the sync.”