Microsoft Microsoft Certifications SC-300 Questions & Answers

• Question 151:

  You have a Microsoft 365 tenant.

  All users have mobile phones and laptops.

  The users frequently work from remote locations that do not have Wi-Fi access or mobile phone connectivity. While working from the remote locations, the users connect their laptop to a wired network that has internet access.

  You plan to implement multi-factor authentication (MFA).

  Which MFA authentication method can the users use from the remote location?

  A. a notification through the Microsoft Authenticator app

  B. an app password

  C. Windows Hello for Business

  D. SMS

  Correct Answer: C

  In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. After an initial two-step verification of the user during enrollment, Windows Hello is set up on the user's device and Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello to authenticate users.

  Incorrect Answers:

  A: The Microsoft Authenticator app requires a mobile phone that runs Android or iOS

  B: An app password can be used to open an application but it cannot be used to sign in to a computer.

  D: SMS requires a mobile phone

  Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview

• Question 152:

  You have an Azure Active Directory (Azure AD) tenant that contains the objects shown in the following table.

  

  Which objects can you add as members to Group3?

  A. User2 and Group2 only

  B. User2, Group1, and Group2 only

  C. User1, User2, Group1 and Group2

  D. User1 and User2 only

  E. User2 only

  Correct Answer: E

  Reference: https://bitsizedbytes.wordpress.com/2018/12/10/distribution-security-and-office-365-groups-nesting/

• Question 153:

  You have a Microsoft 365 tenant that uses the domain named fabrikam.com.

  The Guest invite settings for Azure Active Directory (Azure AD) are configured as shown in the exhibit. (Click the Exhibit tab.)

  

  A user named [email protected] shares a Microsoft SharePoint Online document library to the users shown in the following table.

  

  Which users will be emailed a passcode?

  A. User2 only

  B. User1 only

  C. User1 and User2 only

  D. User1, User2, and User3

  Correct Answer: A

  Reference: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/one-time-passcode

• Question 154:

  You have an Azure Active Directory (Azure AD) tenant that contains the groups shown in the following table.

  

  For which groups can you create an access review?

  A. Group1 only

  B. Group1 and Group4 only

  C. Group1 and Group2 only

  D. Group1, Group2, Group4, and Group5 only

  E. Group1, Group2, Group3, Group4 and Group5

  Correct Answer: D

  You cannot create access reviews for device groups.

  Reference: https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review

• Question 155:

  You have an Azure Active Directory (Azure AD) tenant that syncs to an Active Directory forest. The tenant-uses through authentication.

  A corporate security policy states the following:

  Domain controllers must never communicate directly to the internet. Only required software must be-installed on servers. The Active Directory domain contains the on-premises servers shown in the following table.

  

  You need to ensure that users can authenticate to Azure AD if a server fails.

  On which server should you install an additional pass-through authentication agent?

  A. Server2

  B. Server4

  C. Server1

  D. Server3

  Correct Answer: B

  Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-quick-start

• Question 156:

  Your company has two divisions named Contoso East and Contoso West. The Microsoft 365 identity architecture tor both divisions is shown in the following exhibit.

  

  You need to assign users from the Contoso East division access to Microsoft SharePoint Online sites in the Contoso West tenant. The solution must not require additional Microsoft 365 licenses. What should you do?

  A. Configure The exiting Azure AD Connect server in Contoso Cast to sync the Contoso East Active Directory forest to the Contoso West tenant.

  B. Configure Azure AD Application Proxy in the Contoso West tenant.

  C. Deploy a second Azure AD Connect server to Contoso East and configure the server to sync the Contoso East Active Directory forest to the Contoso West tenant.

  D. Create guest accounts for all the Contoso East users in the West tenant.

  Correct Answer: D

• Question 157:

  Your company recently implemented Azure Active Directory (Azure AD) Privileged Identity Management (PIM).

  While you review the roles in PIM, you discover that all 15 users in the IT department at the company have permanent security administrator rights.

  You need to ensure that the IT department users only have access to the Security administrator role when required.

  What should you configure for the Security administrator role assignment?

  A. Expire eligible assignments after from the Role settings details

  B. Expire active assignments after from the Role settings details

  C. Assignment type to Active

  D. Assignment type to Eligible

  Correct Answer: D

  Reference: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

• Question 158:

  You configure a new Microsoft 36S tenant to use a default domain name of contosso.com.

  You need to ensure that you can control access to Microsoft 365 resource-, by using conditional access policy.

  What should you do first?

  A. Disable the User consent settings.

  B. Disable Security defaults.

  C. Configure a multi-factor authentication (Ml A) registration policy1.

  D. Configure password protection for Windows Server Active Directory.

  Correct Answer: B

• Question 159:

  You have a Microsoft 365 tenant.

  In Azure Active Directory (Azure AD), you configure the terms of use.

  You need to ensure that only users who accept the terms of use can access the resources in the tenant. Other users must be denied access.

  What should you configure?

  A. an access policy in Microsoft Cloud App Security.

  B. Terms and conditions in Microsoft Endpoint Manager.

  C. a conditional access policy in Azure AD

  D. a compliance policy in Microsoft Endpoint Manager

  Correct Answer: C

  Reference: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/terms-of-use

• Question 160:

  You have a Microsoft 365 tenant.

  All users must use the Microsoft Authenticator app for multi-factor authentication (MFA) when accessing Microsoft 365 services.

  Some users report that they received an MFA prompt on their Microsoft Authenticator app without initiating a sign-in request.

  You need to block the users automatically when they report an MFA request that they did not Initiate.

  Solution: From the Azure portal, you configure the Block/unblock users settings for multi-factor authentication (MFA).

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: B

  You need to configure the fraud alert settings.

  Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings