SC-300 Cheat Sheet 2026
The 30 highest-yield SC-300 facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
50 questions
100 min time limit
70.00% to pass
- Which Conditional Access control can restrict what users can do within a cloud application session without blocking access entirely? → Session control: Use Conditional Access App Control
- Which Identity Protection configuration setting controls the percentage of the organization's users who must be covered by the MFA registration policy? → Users scope — All users or specific groups
- Which report in Azure AD helps administrators identify users who have NOT registered for MFA? → Authentication methods activity report
- What is the minimum number of authentication methods a user must register when SSPR is configured to require 2 methods? → 2
- Which Entitlement Management feature allows users from partner organizations with a different Azure AD tenant to request access packages? → Connected organizations
- Which of the following authentication methods supports SMS as a verification option in Azure AD? → Self-Service Password Reset (SSPR)
- Which Azure AD feature allows bulk invitation of multiple guest users by uploading a CSV file? → Bulk invite users feature in the Azure portal
- Which Azure AD feature allows users to reset their own passwords without contacting the helpdesk? → Self-Service Password Reset (SSPR)
- An administrator configures a Conditional Access policy with the 'Require approved client app' grant control. Which scenario will this control block? → A user accessing Exchange Online from a native mail app that is not Intune-managed
- A Privileged Role Administrator wants to prevent any user from having a permanent eligible Global Administrator assignment. Which PIM setting enforces this? → Set assignment expiration for eligible assignments
- A Conditional Access policy is set to 'Report-only' mode. What is the effect on users? → Policy evaluates but does not enforce; results are logged only
- What action does 'Apply results' perform at the end of an Access Review? → It implements the decisions made during the review by adding or removing access
- An administrator needs to extend a user's expiring eligible role assignment without having the user re-activate. Which PIM action should the administrator take? → Update the existing assignment's end date using the 'Extend' option
- In PIM for Azure resources, which assignment type makes a user a permanent owner of a resource without any activation required? → Active assignment
- A user successfully completes SSPR to reset their password after being flagged by Identity Protection. What is the result on their user risk level? → User risk is automatically remediated and reset to none
- An administrator enables Azure AD Security Defaults. Which statement about Security Defaults and MFA is correct? → Security Defaults enforce MFA for all users and block legacy authentication protocols
- Which named location type in Conditional Access allows you to specify trusted locations using IP ranges? → IP ranges location
- To achieve the monitoring criteria, you must configure the detection of many staged attacks. What should you do? → Add Azure Sentinel data connectors.
- When an external user accepts a B2B collaboration invitation, what type of account is created in the inviting organization's Azure AD tenant? → A guest user account (UserType = Guest)
- In an Access Review configured for group members, who can be designated as reviewers? → Group owners, selected reviewers, members themselves, or managers of members
- A security team wants to require that users provide a support ticket number when activating the Security Administrator role. Which PIM setting enables this? → Require ticket information on activation
- Which Identity Protection policy automatically blocks or requires MFA for sign-ins that are detected as medium or high risk? → Sign-in risk policy
- An access package policy is configured with a 14-day expiration and no renewal. What happens to a user's access when the assignment expires? → Access is automatically removed from all resources included in the access package
- An administrator configures Authentication Strengths in Azure AD Conditional Access. What do Authentication Strengths define? → A combination of authentication methods that must be satisfied to access a resource
- A company wants to automatically force a password reset for any user whose risk level reaches 'High'. Which Identity Protection configuration achieves this? → Configure the user risk policy to require password change at high risk
- Which feature in Access Reviews allows a reviewer to look at a decision made by another reviewer and override it during the review period? → Multi-stage reviews
- What minimum Azure AD license is required to use Privileged Identity Management? → Azure AD Premium P2
- In Entitlement Management, what happens when a connected organization user is no longer a member of the connected organization? → Their assignments can be automatically removed based on the policy's expiration settings
- A user with an eligible Global Administrator role wants to activate it. They are not prompted for MFA during activation. What is the most likely cause? → The 'Require Azure MFA on activation' setting is disabled for the role
- Which risk detection in Identity Protection is triggered when a user's credentials appear in a publicly disclosed data breach? → Leaked credentials
Turn these facts into recall: