SC-300 Set 3

Question 1

Answer 1

Question 2

You have an Azure subscription that contains an Azure Automation account named Automation1 and an Azure key vault named Vault1. Vault1 contains a secret named Secret1.

You enable a system-assigned managed identity for Automation1.

You need to ensure that Automation1 can read the contents of Secret1. The solution must meet the following requirements:

• Prevent Automation1 from accessing other secrets stored in Vault1.
• Follow the principle of least privilege.

What should you do?

A. From Vault1, configure the Access control (IAM) settings.
B. From Automation1, configure the Identity settings.
C. From Automation1, configure the Run as accounts settings.
D. From Secret1, configure the Access control (IAM) settings.

Answer 2

D. From Secret1, configure the Access control (IAM) settings.

Question 3

You have a Microsoft 365 tenant.
The Azure Active Directory (Azure AD) tenant syncs to an on-premises Active Directory domain.
Users connect to the internet by using a hardware firewall at your company. The users authenticate to the firewall by using their Active Directory credentials.
You plan to manage access to external applications by using Azure AD.
You need to use the firewall logs to create a list of unmanaged external applications and the users who access them.
What should you use to gather the information?

A. Application Insights in Azure Monitor
B. access reviews in Azure AD
C. Cloud App Discovery in Microsoft Cloud App Security
D. enterprise applications in Azure AD

Answer 3

C. Cloud App Discovery in Microsoft Cloud App Security

Question 4

Answer 4

Question 5

Answer 5

Question 6

Answer 6

All Users
All Users

Question 7

You have an Azure Active Directory (Azure AD) tenant.
You create an enterprise application collection named HR Apps that has the following settings:
✑ Applications: App1, App2, App3
✑ Owners: Admin1
✑ Users and groups: HRUsers
All three apps have the following Properties settings:
✑ Enabled for users to sign in: Yes
✑ User assignment required: Yes

Visible to users: Yes -

Users report that when they go to the My Apps portal, they only see App1 and App2.
You need to ensure that the users can also see App3.
What should you do from App3?

A. From Users and groups, add HRUsers.
B. From Single sign-on, configure a sign-on method.
C. From Properties, change User assignment required to No.
D. From Permissions, review the User consent permissions.

Answer 7

A. From Users and groups, add HRUsers

Question 8

You have an Azure Active Directory (Azure AD) tenant.
For the tenant, Users can register applications is set to No.
A user named Admin1 must deploy a new cloud app named App1.
You need to ensure that Admin1 can register App1 in Azure AD. The solution must use the principle of least privilege.
Which role should you assign to Admin1?

A. Managed Application Contributor for Subscription1.
B. Application developer in Azure AD.
C. Cloud application administrator in Azure AD.
D. App Configuration Data Owner for Subscription1.

Answer 8

B. Application developer in Azure AD.

Question 9

Answer 9

No
Yes
No

Question 10

Answer 10

Question 11

You have an Azure Active Directory (Azure AD) tenant named contoso.com that has Azure AD Identity Protection enabled.
You need to implement a sign-in risk remediation policy without blocking user access.
What should you do first?

A. Configure access reviews in Azure AD.
B. Enforce Azure AD Password Protection.
C. Configure self-service password reset (SSPR) for all users.
D. Implement multi-factor authentication (MFA) for all users.

Answer 11

D. Implement multi-factor authentication (MFA) for all users.

Question 12

Your company requires that users request access before they can access corporate applications.
You register a new enterprise application named MyApp1 in Azure Active Directory (Azure AD) and configure single sign-on (SSO) for MyApp1.
Which settings should you configure next for MyApp1?

A. Self-service
B. Provisioning
C. Application proxy
D. Roles and administrators

Answer 12

A. Self-service

Question 13

Answer 13

First, we need to register a new application
Then we need to add application permissions
And then we need to grant admin consent

Question 14

You have an Azure Active Directory (Azure AD) tenant that contains cloud-based enterprise apps.
You need to group related apps into categories in the My Apps portal.
What should you create?

A. tags
B. collections
C. naming policies
D. dynamic groups

Answer 14

B. collections

Question 15

Answer 15

D. Group1 and Group4

Question 16

Answer 16

C. Admin1

Question 17

You have a Microsoft 365 subscription. The subscription contains users that use Microsoft Outlook 2016 and Outlook 2013 clients.
You need to implement tenant restrictions. The solution must minimize administrative effort.
What should you do first?

A. Configure the Outlook 2013 clients to use modern authentication.
B. Upgrade the Outlook 2013 clients to Outlook 2016.
C. From the Exchange admin center, configure Organization Sharing.
D. Upgrade all the Outlook clients to Outlook 2019.

Answer 17

A. Configure the Outlook 2013 clients to use modern authentication.

Question 18

You have a Microsoft 365 E5 subscription.

You need to create a Microsoft Defender for Cloud Apps session policy.

What should you do first?

A. From the Microsoft Defender for Cloud Apps portal, select User monitoring.
B. From the Microsoft Defender for Cloud Apps portal, select App onboarding/maintenance.
C. From the Azure Active Directory admin center, create a Conditional Access policy.
D. From the Microsoft Defender for Cloud Apps portal, create a continuous report.

Answer 18

C. From the Azure Active Directory admin center, create a Conditional Access policy.

Question 19

Answer 19

D. Admin1 and Admin2 only

Question 20

You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint Online site named Site1.

You need to be notified if a user downloads more than 50 files in one minute from Site1.

Which type of policy should you create in the Microsoft Defender for Cloud Apps portal?

A. session policy
B. activity policy
C. file policy
D. anomaly detection policy

Answer 20

B. activity policy

Question 21

You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint Online site named Site1. Site1 hosts PDF files.

You need to prevent users from printing the files directly from Site1.

Which type of policy should you create in the Microsoft Defender for Cloud Apps portal?

A. activity policy
B. access policy
C. file policy
D. session policy

Answer 21

D. session policy

Question 22

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Cloud Apps and Conditional Access policies.

You need to block access to cloud apps when a user is assessed as high risk.

Which type of policy should you create in the Microsoft Defender for Cloud Apps portal?

A. access policy
B. OAuth app policy
C. anomaly detection policy
D. activity policy

Answer 22

A. access policy

Question 23

You have a Microsoft 365 E5 subscription.

Users authorize third-party cloud apps to access their data.

You need to configure an alert that will be triggered when an app requires high permissions and is authorized by more than 20 users.

Which type of policy should you create in the Microsoft Defender for Cloud Apps portal?

A. anomaly detection policy
B. OAuth app policy
C. access policy
D. activity policy

Answer 23

B. OAuth app policy

Question 24

Answer 24

B. User2

Question 25

You have an Azure AD tenant that contains a user named User1 and a registered app named App1. User1 deletes the app registration of App1. You need to restore the app registration. What is the maximum number of days you have to restore the app registration from when it was deleted? A. 14 B. 30 C. 60 D. 180

Answer 25

B. 30

Question 26

Answer 26

Question 27

You have an Azure AD tenant. You configure User consent settings to allow users to provide consent to apps from verified publishers. You need to ensure that the users can only provide consent to apps that require low impact permissions. What should you do? A. Create an enterprise application collection. B. Create an access review. C. Create an access package. D. Configure permission classifications.

Answer 27

D. Configure permission classifications.

Question 28

Answer 28

Question 29

You have an Azure subscription. You are evaluating enterprise software as a service (SaaS) apps. You need to ensure that the apps support automatic provisioning of Azure AD users. Which specification should the apps support? A. OAuth 2.0 B. WS-Fed C. SCIM 2.0 D. LDAP 3

Answer 29

C. SCIM 2.0

Question 30

You have an Azure AD tenant and a .NET web app named App1. You need to register App1 for Azure AD authentication. What should you configure for App1? A. the executable name B. the bundle ID C. the package name D. the redirect URI

Answer 30

D. the redirect URI

Question 31

You have a Microsoft 365 tenant. All users have mobile phones and Windows 10 laptops. The users frequently work from remote locations that do not have Wi-Fi access or mobile phone connectivity. While working from the remote locations, the users connect their laptops to a wired network that has internet access. You plan to implement multi-factor authentication (MFA). Which MFA authentication method can the users use from the remote location? A. a notification through the Microsoft Authenticator app B. security questions C. voice D. Windows Hello for Business

Answer 31

D. Windows Hello for Business

Question 32

You have an Azure AD tenant. You discover that a large number of new apps were added to the tenant. You need to implement an approval process for new enterprise applications. What should you do? A. From the Microsoft Defender for Cloud Apps portal, create a Cloud Discovery anomaly detection policy. B. From the Microsoft Entra admin center, configure the Admin consent settings. C. From the Microsoft Defender for Cloud Apps portal, configure an app connector. D. From the Microsoft Entra admin center, configure an access review.

Answer 32

B. From the Microsoft Entra admin center, configure the Admin consent settings.

Question 33

You have a Microsoft 365 E5 subscription. You purchase the app governance add-on license. You need to enable app governance integration. Which portal should you use? A. the Microsoft Defender for Cloud Apps portal B. the Microsoft 365 admin center C. Microsoft 365 Defender D. the Azure Active Directory admin center E. the Microsoft Purview compliance portal

Answer 33

C. Microsoft 365 Defender

Question 34

Your company purchases a new Microsoft 365 E5 subscription and an app named App1. You need to create a Microsoft Defender for Cloud Apps access policy for App1. What should you do you first? A. Configure a Conditional Access policy to use app-enforced restrictions. B. Configure a Token configuration for App1. C. Add an API permission for App1. D. Configure a Conditional Access policy to use Conditional Access App Control.

Answer 34

D. Configure a Conditional Access policy to use Conditional Access App Control.

Question 35

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Amazon Web Services (AWS) account, a Google Workspace subscription, and a GitHub account. You deploy an Azure subscription and enable Microsoft 365 Defender. You need to ensure that you can monitor OAuth authentication requests by using Microsoft Defender for Cloud Apps. Solution: From the Microsoft 365 Defender portal, you add the Google Workspace app connector. Does this meet the goal? A. Yes B. No

Answer 35

A. Yes

Question 36

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Amazon Web Services (AWS) account, a Google Workspace subscription, and a GitHub account. You deploy an Azure subscription and enable Microsoft 365 Defender. You need to ensure that you can monitor OAuth authentication requests by using Microsoft Defender for Cloud Apps. Solution: From the Microsoft 365 Defender portal, you add the Microsoft Azure app connector. Does this meet the goal? A. Yes B. No

Answer 36

B. No

Question 36

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Amazon Web Services (AWS) account, a Google Workspace subscription, and a GitHub account. You deploy an Azure subscription and enable Microsoft 365 Defender. You need to ensure that you can monitor OAuth authentication requests by using Microsoft Defender for Cloud Apps. Solution: From the Microsoft 365 Defender portal, you add the Amazon Web Services app connector. Does this meet the goal? A. Yes B. No

Answer 36

B. No

Question 37

Your company purchases a Microsoft 365 E5 subscription. A user named User1 is assigned the Security Administrator role. You need to ensure that User1 can create Microsoft Defender for Cloud Apps session policies. What should you do first? A. Create a Conditional Access policy and select Require app protection policy. B. Create a Conditional Access policy and select Use Conditional Access App Control. C. Assign the Cloud Application Administrator role to User1. D. Assign the Cloud App Security Administrator role to User1.

Answer 37

B. Create a Conditional Access policy and select Use Conditional Access App Control.

Answer 38

A. Application Developer

Question 39

Answer 39

- Managed1, Managed2, VM1, and VM2 only. - All VMs

Question 40

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Cloud Apps. You plan to increase app security for the subscription. You need to identify which apps do NOT require user authentication. What should you do in the Microsoft 365 Defender portal? A. Review the cloud app catalog. B. Create an OAuth policy and review alerts. C. Create a snapshot Cloud Discovery report. D. Create a discovered app query.

Answer 40

A. Review the cloud app catalog.

Question 41

Answer 41

system assigned RBAC

Question 42

You have an Azure subscription named Sub1 that contains a resource group named RG1. RG1 contains an Azure Cosmos DB database named DB1 and an Azure Kubernetes Service (AKS) cluster named AKS1. AKS1 uses a managed identity. You need to ensure that AKS1 can access DB1. The solution must meet the following requirements: * Ensure that AKS1 uses the managed identity to access DB1. * Follow the principle of least privilege. Which role should you assign to the managed identity of AKS1? A. For Sub1, assign the Owner role. B. For DB1, assign the Azure Cosmos DB Account Reader Role role. C. For RG1, assign the Azure Cosmos DB Data Reader Role role. D. For RG1, assign the Reader role.

Answer 42

B. For DB1, assign the Azure Cosmos DB Account Reader Role role.

Question 43

You have an Azure subscription that contains a storage account named storage1 and a web app named WebApp1. WebApp1 uses a system-assigned managed identity. You need to ensure that WebApp1 can read and write files to storage1 by using the system-assigned managed identity. What should you configure for storage1 in the Azure portal? A. data protection B. a shared access signature (SAS) C. the Access control (IAM) settings D. the File share settings E. access keys

Answer 43

C. the Access control (IAM) settings