Microsoft Updated SC-300 Exam Questions and Answers by freja

Azure AD (Entra ID) allows administrators to control how users request permission for applications that require admin consent. By default, only administrators can grant such consent.

According to the SC-300 Study Guide (Identity Management & Governance) and Microsoft Entra Documentation , the least privileged and compliant method to enable user-driven admin consent requests is to:

Enable admin consent requests in the tenant.

Designate one or more reviewers (optional) to handle these requests.

Once enabled, users who encounter an app that needs admin consent can submit a request for approval instead of being blocked. This ensures controlled delegation without globally granting broad permissions to all apps.

“Enable admin consent requests in Azure AD to allow users to request approval for apps that need tenant-wide permissions, ensuring least privilege and administrator oversight.”

This question refers to Azure AD Entitlement Management under Identity Governance . The goal is to let User1 modify the review frequency (i.e., Access Reviews) for an existing access package named Package1 , following the principle of least privilege .

In Azure AD, the ability to create and manage access packages, catalogs, and access reviews is granted through certain administrative roles:

Global Administrator and Identity Governance Administrator — Full control over all Identity Governance settings.

Catalog Owner or Access Package Manager — Manage access packages and settings within a catalog.

User Administrator — Can configure access reviews and manage users, groups, and limited governance settings.

Privileged Role Administrator , Security Administrator , and External Identity Provider Administrator — Have no direct control over access review settings in Entitlement Management.

From Microsoft documentation ( “Azure AD Entitlement Management Delegation and Roles” ):

“A user administrator can manage access reviews and entitlement management settings for the directory and assigned catalogs, including adjusting the review frequency or review settings.”

Thus, to modify the Access Review configuration (frequency, reviewers, etc.) in Package1 , the User Administrator role provides the minimum necessary privilege without granting excessive permissions like Identity Governance Administrator or Global Administrator.

Statement

Yes / No

If User1 requests Role1, the request will be approved automatically.

No

User1 can approve the request of User3 for Role2.

No

User1 must provide justification to approve the request of User2 for Role1.

Yes

According to the Microsoft SC-300 study guide, Exam Ref SC-300, and Microsoft Entra Privileged Identity Management (PIM) documentation, role activation and assignment settings in Azure AD PIM determine who can activate roles, who can approve activations, and whether justification is required. Let’s analyze each configuration step-by-step.

Role1 Configuration Summary Setting

Value

Required justification on activation

No

Require approval to activate

Yes

Approvers

User1

Allow permanent eligible assignment

Yes

Allow permanent active assignment

Yes

Require justification on active assignment

Yes

Eligible Assignments: User1, User2

Role2 Configuration Summary Setting

Value

Required justification on activation

Yes

Require approval to activate

No

Approvers

None

Allow permanent eligible assignment

No

Allow permanent active assignment

Yes

Require justification on active assignment

Yes

Eligible Assignments: User3

Statement 1: “If User1 requests Role1, the request will be approved automatically.”

Role1 requires approval to activate.

The approver is User1, but a user cannot self-approve their own request in Azure AD PIM.

Therefore, even though User1 is listed as an approver, the system does not automatically approve self-requests.

✅ Answer: No

Statement 2: “User1 can approve the request of User3 for Role2.”

Role2 does not require approval to activate (approval = No).

User3 is the only eligible member for Role2 and can activate it directly.

Hence, no approval action exists for User1.

✅ Answer: No

Statement 3: “User1 must provide justification to approve the request of User2 for Role1.”

Role1 requires approval to activate, and User1 is the approver.

The assignment settings for Role1 state: Require justification on active assignment = Yes.

This means when approving or activating, the approver (User1) must enter a justification before approval.

✅ Answer: Yes

According to the Microsoft Identity and Access Administrator (SC-300) Study Guide and Microsoft Learn module: “Discover and manage shadow IT” within Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) , the Cloud app catalog is the authoritative reference database that contains detailed risk assessments of thousands of cloud applications discovered within your organization.

Each application in the cloud app catalog is automatically evaluated against a large set of security and compliance criteria — over 80 risk factors including authentication requirements , encryption standards , data ownership , regulatory compliance , and certifications . This catalog helps administrators identify which discovered or sanctioned applications do not require user authentication , which is a critical factor when evaluating application risk posture.

From the Microsoft 365 Defender portal , administrators can open Defender for Cloud Apps → Cloud Discovery → Cloud app catalog . Within this interface, you can filter and sort apps by authentication type , specifically reviewing those listed with “No authentication” or “Not supported” . This allows quick identification of unsecured or unauthenticated apps that could pose risks to enterprise data and identity protection.

Microsoft’s documentation emphasizes:

“The Cloud app catalog provides detailed information about each discovered application, including whether the app supports user authentication and what authentication methods are required.”

Options A and B (queries and reports) are used for analyzing discovered app traffic data, not intrinsic app properties. Option C (OAuth policy) monitors app permissions, not authentication requirements.