SC300 - Implement Initial Entra ID Config Flashcards

1
Q

Compare and contrast different Entra administrators.

A

*Global Admin - Manages access to all admin features in Entra ID as well as services that federate to Entra ID. Can assign admin to others, and reset passwords for any user or administrator.

*User Administrator - Manage and create all aspects of users and groups. Can manage support tickets, monitor service health, and change passwords for users, helpdesk admins, and other UAs.

*Billing Administrator - Allowed to make purchases. Manages subscriptions, support tickets, and service health.

2
Q

Where can you see a list of Entra Roles?

A

From the Azure portal, you can see a list of Entra roles under the Roles and Administrators screen.

3
Q

Compare Azure and Entra roles.

A

Azure roles manage access to Azure resources, support custom roles, and have slightly different scoping restrictions (management group, subscription, resource group, and resource).

Entra roles manage access to Entra resources, support custom roles, and scope at the tenant level or Administrative Unit.

4
Q

How do you access Azure role information?

A

Role information can be accessed through Azure CLI, portal, Azure PowerShell, Azure Resource Manager templates, or REST API.

5
Q

How do you access Entra role information?

A

Role information can be accessed in the Azure admin portal, Microsoft 365 admin center, Microsoft Graph, and PowerShell.

6
Q

Describe the methods of assigning roles to users within Entra ID.

A
  • Assign a role to a user or group
    • Microsoft Entra ID - Roles and administration - Select a role - + Add Assignment
  • Assign a user or group to a role
    • Microsoft Entra ID - Open Users (or Groups) - Select a user (or group) - Assigned roles - + Add Assignment
  • Assign a role to a broad scope, like a Subscription, Resource Group, or Management Group
    • Done via the Access control (IAM) within each settings screen
  • Assign a role using PowerShell or Microsoft Graph API
  • Assign a role using Privileged Identity Management (PIM)
7
Q

What options are available to you in the Company Branding section of the Manage menu in Entra ID?

A

*Language - Automatically set default language (can’t be changed)
*Sign in page background image - PNG or JPG file as the background for sign in
*Banner Logo - Logo appears on the sign in page after creds are entered.
*Username Hint - Hint that appears for users if they have forgotten their username.
*Sign in page text and formatting - Text that appears on the bottom of the sign in page.

8
Q

What is an administrative unit?

A

Administrative units allow for segregated management of permissions and user accounts.

9
Q

What admin roles are available for an administrative unit?

A

Authentication administrator
Groups administrator
Helpdesk administrator
License administrator
Password administrator
User administrator

10
Q

What are the 3 stages Microsoft lists as the stages of administrative unit creation?

A
  1. Initial Adoption - Creation of administrative units based on initial criteria.
  2. Pruning - Removing redundant units once the initial adoption is complete.
  3. Stabilization - Organizational structure is defined, and the number of units will not change for a while.
11
Q

What ways can you delegate application creation and management permissions in Entra ID?

A

-Restricting who can create and manage applications
-Assign one or more owners to a single application
-Assign a built-in administrative role that grants access to manage different configurations in Entra
-Create a custom role to define specific permissions.

12
Q

What steps are recommended to be followed when developing a delegation model?

A

1. Define the roles you need
2. Delegate app administration
3. Grant the ability to register applications
4. Delegate app ownership
5. Develop a security plan
6. Establish emergency accounts
7. Secure your administrator roles
8. Make privileged elevation temporary

13
Q

Describe the most-privileged application administrator roles.

A

Application Administrator - Ability to manage all applications in the directory including registrations, SSO, Group / user assignments, licensing, app proxy settings, and consent. Does not manage conditional access.

Cloud Application Administrator - All of the abilities of an app administrator except for Application proxy settings.

14
Q

Describe the 2 app owner roles.

A

Enterprise Application Owner - Grants the ability to manage the enterprise applications that the user owns, including SSO, user/group assignments, and adding additional owners.

Application Registration Owners - Grants the ability to manage application registrations for apps that the user owns, including the application manifest and adding new owners.

15
Q

What are some of the default permissions listed for member users?

A

Enumerate list of users and their contracts
Invite guest users
Can create Security and M365 groups
Register new applications

16
Q

What are some of the default permissions listed for guest users?

A

Read their own properties
Invite other guest users
Search for non-hidden groups by name
Read properties of registered and enterprise applications.

17
Q

Under User Settings in Entra ID, what can you restrict users from doing?

A

Registering applications, accessing the Azure portal, LinkedIn connection ability, and managing settings for external collaboration.
