Chapter 16: Mock Test

Throughout this guide, you have learned about the objectives that you are required to master to pass the Microsoft Identity and Access Administrator Associate exam (SC-300). The exercises throughout the chapters in this book provide hands-on practice to prepare for the exam and serve as a reference for performing the role of an identity and access administrator. The final assessment in this chapter can be used as additional preparation toward passing the SC-300 exam. For information regarding the exam structure and content, review Chapter 1, Preparing for Your Microsoft Exam.

In this assessment, you can expect the following:

  • Number of questions: 80
  • Question types: Multiple choice and true/false

Questions

For a true exam experience, attempt this assessment as a closed book and give yourself 190 minutes to take the assessment. Have a notepad to answer the questions and then review the answers to grade your exam and determine areas that need additional review. The recommendation for practice assessments is that you should be able to score 90% or better. Once you have attained this score, you should be ready to sit and pass the SC-300 exam. So, let's begin:

  1. When thinking about identity and access management, which is the most accurate statement?

A. Identity is your password and access is your applications.

B. Identity is who you are and access is the permission that is granted.

C. Identity is the permission that is granted and access is who you are.

D. Identity is your username and access is your administrative privileges.

  2. What are some of the use cases that we use identity and access management for?

A. Shopping on websites

B. Email accounts

C. Social media

D. Business applications

E. All of the above

  3. The principle of least privilege is defined as ________________.

A. The concept that a user or resource only has access to the applications and information required to perform their specific duties

B. The concept that a user has global administrator privileges to access all applications within the company

C. The concept that a user must request access to applications and information every time they need to complete their duties

D. The concept that a user has no administrator access regardless of their job role

  4. There are three levels of identity and access management: traditional, advanced, and optimal. Which of the following characteristics is not included in optimal identity and access management?

A. Password-less authentication.

B. Multi-factor authentication (MFA) is enforced.

C. Single sign-on (SSO) is not present.

D. User behavior is analyzed in real time for possible risks.

E. None of the above.

  5. When creating your Azure Active Directory (AAD) tenant, which of the following is an example of the domain that you would create?

A. Tenantname.com

B. Tenantname.onmicrosoft.com

C. Sales.tenantname.com

D. Tenantname.microsoft.com

  6. Which built-in AAD role has full control over the tenant and should be assigned to a limited number of select users?

A. Billing Administrator

B. Security Administrator

C. Global Administrator

D. User Administrator

E. None of the above

  7. Which of the following would not be considered an Azure RBAC role?

A. Security Administrator

B. Virtual Machine Owner

C. Resource Group Contributor

D. Virtual Network Reader

  8. When adding a custom domain to the AAD tenant, you can use a domain from which of the following domain registrars?

A. Microsoft

B. GoDaddy

C. WordPress

D. Google

E. All of the above

  9. How many custom domains can be added to AAD in a cloud-only infrastructure?

A. 450

B. 900

C. 1,500

D. Unlimited

  10. Which device registration option is commonly used for personal devices (BYOD)?

A. Hybrid AD-joined

B. AAD-joined

C. AAD-registered

D. None of the above

  11. Which of the following is not a function of security defaults when enabled?

A. Require all users to register for AAD MFA.

B. Enforce and require the use of AAD MFA for all administrators.

C. Allow legacy authentication methods.

D. Protect privileged access activities.

E. Require MFA for accessing sensitive information.

  12. In AAD, a user that is cloud-native on the AAD tenant is referred to as a(n) __________.

A. Guest user

B. External user

C. Windows user

D. Member user

  13. When creating a new user in AAD, what are the two required fields to populate to allow the user to be created?

A. User name

B. Usage location

C. Name

D. Department

E. Manager

  14. Which is not a valid method to add a user to AAD?

A. PowerShell

B. CSV file

C. AAD portal

D. Microsoft 365 admin portal

E. Microsoft 365 security portal

  15. Which field or fields is/are required to invite a guest user to AAD?

A. Name

B. Usage location

C. Email address

D. Personal message

E. All of the above

  16. Within the AAD portal, what are the group type options available? Select all that apply.

A. Microsoft 365

B. Distribution

C. Mail-enabled security

D. Security

  17. When creating a dynamic group, what AAD license is required? Select all that apply.

A. AAD Free

B. Office 365 Apps

C. AAD Premium P1

D. AAD Premium P2

E. None of these

  18. Dynamic groups can be used for which group type(s)? Select all that apply.

A. Microsoft 365

B. Distribution

C. Mail-enabled security

D. Security

  19. You have created a user within the AAD portal. When you attempt to assign a license, you get an error. What information is missing that is required to assign a license?

A. Department

B. Manager

C. Role

D. Usage location

  20. A partner relationship between two companies within AAD is known as _________.

A. B2C

B. A2B

C. B2B

D. C2B

  21. When you visit a shopping website and it gives you the option to use your Microsoft account to log in, this is an example of a(n) ____________ relationship.

A. B2C

B. A2B

C. B2B

D. C2B

  22. Which of the following is an option for guest invite restrictions?

A. Anyone in the organization can invite guest users, including guests and non-admins.

B. Member users and users assigned to specific admin roles can invite guest users, including guests with member permissions.

C. Only users assigned to specific admin roles can invite guest users.

D. No one in the organization can invite guest users, including admins.

E. All of the above.

  23. What section of the External collaboration settings would you use to block someone from a specific domain from being invited to the AAD tenant?

A. Guest invite settings

B. Collaboration restrictions

C. Guest user access

D. None of the above

  24. Which is not a valid method to use to invite a guest user to AAD?

A. PowerShell

B. CSV file

C. AAD portal

D. Microsoft 365 admin portal

E. Microsoft 365 security portal

  25. True or false? Guest users can manage their passwords through self-service password reset (SSPR).

A. True

B. False

  26. True or false? Guest users can be configured to use AAD MFA within the tenant in which they are a guest.

A. True

B. False

  27. Which of the following external identity providers can be configured directly within the AAD portal? Select all that apply.

A. Google

B. Facebook

C. Amazon Web Services

D. Any SAML/WS-fed identity provider

  28. You have created an AAD tenant. You also have an on-premises Windows Active Directory that includes users and groups. What can you use to bring together a hybrid infrastructure for AAD cloud applications and synchronize on-premises users and groups for identity and access management?

A. Application Proxy

B. Active Directory Federation Services (AD FS)

C. AAD Connect

D. External identities

  29. There are three AAD Connect synchronization options. Which is the least complex and can be configured with the Express settings?

A. Password hash synchronization

B. Pass-through authentication

C. AD FS

  30. Which AAD Connect synchronization option would you choose if you have a third-party MFA solution?

A. Password hash synchronization

B. Pass-through authentication

C. AD FS

  31. What is the best AAD Connect synchronization option if you do not have registered custom domains in your Active Directory organizational units?

A. Password hash synchronization

B. Pass-through authentication

C. AD FS

  32. To configure AAD Connect while adhering to the principle of least privilege, what are the two roles that are required during setup?

A. Hybrid Identity Administrator

B. Global Administrator

C. Domain Enterprise Administrator

D. User Administrator

  33. To utilize seamless SSO in a Hybrid Identity architecture with pass-through authentication, what option must be activated in AAD Connect?

A. Device writeback

B. Password writeback

C. Password protection

D. Account lockout

  34. What is used to monitor the connection of AAD Connect to AAD?

A. AAD Connect dashboard

B. AAD Connect Health

C. Windows Active Directory Connection Manager

D. Synchronization Service Manager

  35. Which of the following is not a factor that is part of MFA?

A. Something you know

B. Something you have

C. Something you are

D. Something you belong to

  36. You have entered your username and password to log into the company intranet site. You are prompted to provide an additional form of verification. Which of the following would not be a proper second form of verification with MFA?

A. Fingerprint

B. Code from an authenticator app

C. PIN

D. Phone call to cell phone

  37. SSPR uses many of the same forms of verification as MFA. Which of the following is used by SSPR but not MFA?

A. Mobile phone

B. Authenticator app

C. Security question

D. App code

  38. Which of the following is not configured in AAD Password Protection?

A. Lockout threshold

B. Lockout duration

C. Global banned passwords

D. Custom banned passwords

E. Windows Active Directory password protection

  39. True or false? Password-less authentication provides a high level of complexity without the benefit of added identity protection.

A. True

B. False

  40. True or false? Password-less authentication, such as Windows Hello, is considered an authentication method with MFA.

A. True

B. False

  41. The verification workflow of a zero-trust identity model includes which of the following? Select all that apply.

A. Signal

B. Trigger

C. Decision

D. Enforcement

  42. What is the service that implements zero trust for identity within AAD?

A. AAD Identity Protection

B. Privileged Identity Management

C. Identity Governance

D. Conditional Access

  43. What can be used to test your Conditional Access policies to verify that they are working as expected?

A. Report only

B. Turning on the policy

C. What If

D. None of the above

  44. Smart lockout in AAD Identity Protection can protect users against what type of attack?

A. SQL injection

B. Cross-site scripting

C. Phishing

D. Brute-force dictionary

  45. An alert in AAD Identity Protection based on atypical travel is a form of what type of risk?

A. User risk

B. Sign-in risk

C. Device risk

D. None of the above

  46. An alert in AAD Identity Protection regarding potentially leaked credentials is what type of risk?

A. User risk

B. Sign-in risk

C. Device risk

D. None of the above

  47. What are two ways of discovering applications that are being used by a company?

A. Ask IT

B. Microsoft Defender for Cloud Apps

C. Microsoft Intune

D. AD FS

  48. True or false? Cloud and line-of-business applications that authenticate using AD FS can be migrated to AAD to provide cloud-only SSO.

A. True

B. False

  49. For cloud-only SSO, what is used to integrate on-premises applications to AAD?

A. AAD Connect

B. AAD Application Proxy

C. AD FS

D. None of the above

  50. What are the benefits of registering on-premises applications to AAD?

A. SSO creates a better user experience.

B. Decreased reliance on on-premises Active Directory.

C. Full use of AAD security features.

D. All of the above.

  51. Third-party cloud applications that can be registered directly to AAD can be found where?

A. Software website

B. AAD gallery

C. Azure Marketplace

D. Microsoft 365 portal

  52. What is the primary use of Microsoft Defender for Cloud Apps?

A. Discovery apps to monitor for shadow IT.

B. Assign cloud apps to users.

C. Register for cloud apps licensing.

D. All of the above.

  53. Which of the following are Conditional Access policy types that have templates in Microsoft Defender for Cloud Apps?

A. Access policy

B. Activity policy

C. File policy

D. App discovery policy

E. OAuth app policy

F. All of the above

  54. When creating a file policy in Microsoft Defender for Cloud Apps, the policy governs over what solutions? Select all that apply.

A. Outlook

B. SharePoint Online

C. OneDrive for Business

D. Dropbox

E. Google Drive

  55. Which policy monitors applications that could be identified as shadow IT?

A. Activity policy

B. Session policy

C. App discovery policy

D. File policy

E. None of the above

  56. Which policy is considered a threat protection policy and can approve or revoke permissions to an app?

A. Activity policy

B. Access policy

C. Session policy

D. OAuth policy

E. None of the above

  57. The four sections of a discovered app score are what?

A. General

B. Security

C. Compliance

D. Legal

E. Identity

  58. True or false? Entitlement management allows non-administrators to delegate access to users and groups.

A. True

B. False

  59. Which of these is a collection of users and groups, applications, and SharePoint sites?

A. Access package

B. Catalog

C. Department

D. Entitlement

  60. What defines the life cycle and how requests are handled when governing catalogs?

A. Departments

B. Entitlements

C. Access package

D. None of the above

  61. Evaluating a guest or member user's need of continued membership with an access package is done using ______________.

A. Catalogs

B. Entitlements

C. Administrator audits

D. Access reviews

  62. True or false? Terms of use are company-provided documents on the proper processes and procedures for using an application or site. These can also be tied to Conditional Access policies to allow access to applications.

A. True

B. False

  63. Which service provides just-in-time administrator access that is time-bound to decrease the attack surface of elevated privileges?

A. Identity Protection

B. Access packages

C. Privileged Identity Management

D. Microsoft Defender for Cloud

  64. True or false? When creating a PIM role assignment, it is a best practice to make the role permanent.

A. True

B. False

  65. When creating emergency access, or a break-glass account, what should you avoid using? Select all that apply.

A. MFA

B. Conditional Access policies

C. Strong passwords

D. Documented procedures

  66. As a best practice, an access review for a guest user should be completed by whom? Select all that apply.

A. Guest user

B. Manager

C. IT

D. Member user

  67. True or false? Access reviews can be configured to remove access if the reviewer does not respond.

A. True

B. False

  68. How is the reviewer notified that an access review has begun?

A. AAD portal

B. Text message

C. Authenticator app

D. Email

  69. Which of the following logs are in the category of activity reporting? Select all that apply.

A. Risky sign-ins

B. Sign-ins

C. Audit logs

D. Provisioning logs

E. User risk

  70. Which of the following logs are in the category of security reporting? Select all that apply.

A. Risky sign-ins

B. Sign-ins

C. Audit logs

D. Provisioning logs

E. User risk

  71. In what section of the AAD menu would you find activity reporting logs?

A. Security

B. Overview

C. Manage

D. Monitoring

E. Troubleshooting + Support

  72. In what areas of AAD can you find sign-in and audit logs? Select all that apply.

A. AAD portal

B. Enterprise applications

C. Users

D. Groups

E. All of the above

  73. Workbooks provide graphical data on AAD activity for enterprise applications. Where can this be accessed in AAD?

A. Log analytics

B. Diagnostic settings

C. Usage & insights

D. Access reviews

  74. True or false? Microsoft Sentinel is a scalable, cloud-native, security information event management (SIEM), extended detection and response (XDR), and security orchestration automated response (SOAR) solution.

A. True

B. False

  75. Which of the following represents Microsoft Sentinel's workflow, in order?

A. Respond, collect, detect, investigate

B. Collect, detect, investigate, respond

C. Investigate, detect, collect, respond

D. Detect, collect, investigate, respond

  76. The first thing that you need to do when setting up Microsoft Sentinel is what?

A. Connect data sources.

B. Run Kusto queries.

C. Connect a Log Analytics workspace.

D. Save workbooks.

  77. What role is required to connect AAD log data to Microsoft Sentinel?

A. Security reader

B. Security operator

C. Security administrator

D. User administrator

  78. Which third-party SIEM solution has integration with Azure Activity logs, but not audit logs?

A. Microsoft Sentinel

B. Splunk

C. IBM QRadar

D. ArcSight

  79. Which third-party SIEM solution uses the Microsoft Azure Device Support Module and Microsoft Azure Event Hubs protocol to integrate with Azure Monitor?

A. Microsoft Sentinel

B. Splunk

C. IBM QRadar

D. ArcSight

  80. Which third-party SIEM solution has an add-on for Azure Monitor built in for log integration and investigation?

A. Microsoft Sentinel

B. Splunk

C. IBM QRadar

D. ArcSight

Answers

We recommend that you review these answers after attempting to answer the questions. Check your answers and review the sections within the chapters for additional clarification:

  1. B. The most accurate statement is that identity is who you are and access is the permission that is granted. Your identity may include your password and username, and access may include your authorized applications and administrative privileges, but these are not the most accurate statements in these responses. For additional details, see Chapter 2, Defining Identity and Access Management.
  2. E. All of these choices are examples of where we would use identity and access management. For additional details, see Chapter 2, Defining Identity and Access Management.
  3. A. The principle of least privilege is the concept that a user or resource only has access to the applications and information required to perform their specific duties. For additional details, see Chapter 2, Defining Identity and Access Management.
  4. C. Within an optimal IAM infrastructure, SSO should be present for all cloud and on-premises applications. For additional details, see Chapter 2, Defining Identity and Access Management.
  5. B. When creating a tenant in AAD, the initial tenant is the name that you assign and then onmicrosoft.com. This domain name will remain within your tenant and cannot be removed. After creating your tenant, you can then add a custom domain name that is more suited for business use. For additional details, see Chapter 3, Implementing and Configuring Azure Active Directory.
  6. C. The Global Administrator has full administrative control over the tenant and subscription and should only be assigned to 3-5 select users. For additional details, see Chapter 3, Implementing and Configuring Azure Active Directory.
  7. A. Azure RBAC roles are based on owner, contributor, and reader roles for Azure resources. When a role is administrator, this is an AAD role. Both AAD and RBAC have reader roles, but in this example, the reader role is for Azure resources, which makes it RBAC. For additional details, see Chapter 3, Implementing and Configuring Azure Active Directory.
  8. E. It is not required that you purchase a domain from Microsoft to use it on the AAD tenant. You can use any domain registrar, including the ones that are in the list provided. For additional details, see Chapter 3, Implementing and Configuring Azure Active Directory.
  9. B. For AAD tenants that are not federated with an on-premises Active Directory, the maximum number of custom domains is 900. If AAD is federated with an on-premises Active Directory, this number decreases to 450. For additional details, see Chapter 3, Implementing and Configuring Azure Active Directory.
  10. C. The most common way to manage a personal device within AAD is to register the device in AAD. This allows the device to be managed with Microsoft Intune without requiring a full AAD join. For additional details, see Chapter 3, Implementing and Configuring Azure Active Directory.
  11. C. A feature of security defaults is blocking legacy authentication, that is, not allowing it. All other choices are features of security defaults. For additional details, see Chapter 3, Implementing and Configuring Azure Active Directory.
  12. D. A cloud-native user on AAD is a member user. A Windows user is a synchronized user from AAD Connect in a Hybrid Identity infrastructure. For additional details, see Chapter 4, Creating, Configuring, and Managing Identities.
  13. A and C. The only fields that you are required to populate are User name and Name (display name). Usage location is required for assigning licenses to the user, but it is not required for user creation within AAD. It is a requirement when using the Microsoft 365 admin portal to create a user. For additional details, see Chapter 4, Creating, Configuring, and Managing Identities.
  14. D. The Microsoft 365 security portal cannot be used to add users to AAD. All of the other options can be used, with PowerShell and CSV bulk import as ways to add multiple users simultaneously. For additional details, see Chapter 4, Creating, Configuring, and Managing Identities.
  15. C. The only field that is required to invite a guest user to the AAD tenant is the email address of the person that is being invited. For additional details, see Chapter 4, Creating, Configuring, and Managing Users, and Chapter 5, Implementing and Managing External Identities and Guests.
  16. A and D. Within the AAD portal, the group type options are Microsoft 365 and security groups only. Distribution and mail-enabled security groups are group options that are available only within the Microsoft 365 admin portal. For additional details, see Chapter 4, Creating, Configuring, and Managing Identities.
  17. C and D. Dynamic groups are supported with AAD Premium P1 and Premium P2 licensing. They are not available with AAD Free or Office 365 Apps licensing. For additional details, see Chapter 4, Creating, Configuring, and Managing Identities.
  18. A and D. Microsoft 365 and security group types support dynamic groups. For additional details, see Chapter 4, Creating, Configuring, and Managing Identities.
  19. D. Since User name and Name are the only required fields to create a member user within the AAD portal, the user will be created without a usage location. However, this will cause an error when attempting to assign licenses to the user. For additional details, see Chapter 4, Creating, Configuring, and Managing Identities.
  20. C. When a partner relationship is established between two companies within AAD, this is a B2B, or business-to-business, relationship. For additional details, see Chapter 5, Implementing and Managing External Identities and Guests.
  21. A. This is an example of a B2C, or business-to-consumer, relationship. For additional details, see Chapter 5, Implementing and Managing External Identities and Guests.
  22. E. All of these are options for guest invite restrictions. For additional details, see Chapter 5, Implementing and Managing External Identities and Guests.
  23. B. Allowing and denying invitations to specific domains can be configured under Collaboration restrictions. For additional details, see Chapter 5, Implementing and Managing External Identities and Guests.
  24. D. The Microsoft 365 security portal cannot be used to add guest users to AAD. All of the other options can be used, with PowerShell and CSV bulk import as ways to add multiple users simultaneously. For additional details, see Chapter 5, Implementing and Managing External Identities and Guests.
  25. B. Since guest users are not provided a password within the AAD tenant, they cannot use SSPR to manage their password. If they need to reset their password, they will use the identity provider in which they are a member. For additional details, see Chapter 5, Implementing and Managing External Identities and Guests.
  26. A. Guest users on the AAD tenant can be configured and required to use AAD MFA on the tenant. For additional details, see Chapter 5, Implementing and Managing External Identities and Guests.
  27. A, B, and D. Google, Facebook, and SAML/WS-fed identity providers can be configured within the AAD portal. There is currently no direct configuration option for Amazon Web Services. However, by using AWS SAML roles for IAM, this option can be used. For additional details, see Chapter 5, Implementing and Managing External Identities and Guests.
  28. C. AAD Connect is used to synchronize on-premises users and groups with AAD. Application Proxy can be used for hybrid infrastructures, but it utilizes AAD for identity and access, not on-premises directly. For additional details, see Chapter 6, Implementing and Managing Hybrid Identities.
  29. A. Password Hash synchronization is the least complex and the option that would be configured with Express settings. For additional details, see Chapter 6, Implementing and Managing Hybrid Identities.
  30. C. AD FS is required to synchronize with AAD when using a third-party MFA solution. For additional details, see Chapter 6, Implementing and Managing Hybrid Identities.
  31. B. Pass-through should be used if authenticating with an unregistered domain name, such as domain.local. For additional details, see Chapter 6, Implementing and Managing Hybrid Identities.
  32. A and C. Hybrid Identity Administrator in AAD and Domain Enterprise Administrator in Windows Active Directory are the best roles to have while adhering to the principle of least privilege. Global Administrator can be used instead of Hybrid Identity Administrator but assigning this role for this task is not a best practice. For additional details, see Chapter 6, Implementing and Managing Hybrid Identities.
  33. B. Password writeback is required to utilize seamless SSO with pass-through authentication with AAD Connect. For additional details, see Chapter 6, Implementing and Managing Hybrid Identities.
  34. B. AAD Connect Health is installed on the on-premises Windows Active Directory server to monitor the connection to AAD. For additional details, see Chapter 6, Implementing and Managing Hybrid Identities.
  35. D. MFA consists of using two forms to verify identity. These can be a combination of something you know, something you have, and something you are. For additional details, see Chapter 7, Planning and Implementing Azure Multi-Factor Authentication and Self-Service Password Reset.
  36. C. A PIN is something that you know, and so is a password. Therefore, it does not meet the requirements for MFA. For additional details, see Chapter 7, Planning and Implementing Azure Multi-Factor Authentication and Self-Service Password Reset.
  37. C. MFA does not use security questions as a valid factor for verification but can be used for SSPR. For additional details, see Chapter 7, Planning and Implementing Azure Multi-Factor Authentication and Self-Service Password Reset.
  38. C. Global banned passwords are included by default within your AAD tenant and there is no need to configure this list. For additional details, see Chapter 7, Planning and Implementing Azure Multi-Factor Authentication and Self-Service Password Reset.
  39. B. This statement is false. Using password-less authentication provides a high level of usability and security without additional complexity. For additional details, see Chapter 8, Planning and Managing Password-Less Authentication Methods.
  40. A. The forms of password-less authentication (Windows Hello, FIDO2, and an authenticator app) all require two factors of verification for authentication. For FIDO2 and an authenticator app, these are something you are and something you have. Windows Hello has a PIN embedded behind BitLocker on the hardware and facial recognition. For additional details, see Chapter 8, Planning and Managing Password-Less Authentication Methods.
  41. A, C, and D. The zero-trust model for identity has a workflow that includes a signal that initiates a decision that enforces the final result of authorizing or denying access. For additional details, see Chapter 9, Planning, Implementing, and Administering Conditional Access and Azure Identity Protection.
  42. D. Conditional Access policies follow the zero-trust workflow to enforce zero-trust verification of identities. For additional details, see Chapter 9, Planning, Implementing, and Administering Conditional Access and Azure Identity Protection.
  43. C. Running the What If feature against users, locations, applications, and devices will show which Conditional Access policies will and won't apply. If you receive a result that you did not expect, you can reconfigure the policy before turning it on. For additional details, see Chapter 9, Planning, Implementing, and Administering Conditional Access and Azure Identity Protection.
  44. D. Configuring smart lockout in AAD Identity Protection protects users against a brute-force dictionary attack where an attacker is attempting to guess the user password by running multiple attempts. For additional details, see Chapter 9, Planning, Implementing, and Administering Conditional Access and Azure Identity Protection.
  45. B. Atypical travel identifies a potential sign-in risk. For additional details, see Chapter 9, Planning, Implementing, and Administering Conditional Access and Azure Identity Protection.
  46. A. Leaked credentials identify a potential user risk. For additional details, see Chapter 9, Planning, Implementing, and Administering Conditional Access and Azure Identity Protection.
  47. B and D. Microsoft Defender for Cloud Apps and AD FS can be used to identify applications that are being accessed by users. For additional details, see Chapter 10, Planning and Implementing Enterprise Apps for Single Sign-On (SSO).
  48. A. This is a true statement. For additional details, see Chapter 10, Planning and Implementing Enterprise Apps for Single Sign-On (SSO).
  49. B. AAD Application Proxy can be installed on-premises to create a cloud-only SSO experience for on-premises applications. For additional details, see Chapter 10, Planning and Implementing Enterprise Apps for Single Sign-On (SSO).
  50. D. All of these are reasons to register on-premises applications into AAD. For additional details, see Chapter 10, Planning and Implementing Enterprise Apps for Single Sign-On (SSO).
  51. B. The current list of cloud applications that are available to be registered to AAD can be found in the AAD gallery. For additional details, see Chapter 10, Planning and Implementing Enterprise Apps for Single Sign-On (SSO).
  52. A. Microsoft Defender for Cloud Apps can discover apps that are being used on your network and help you monitor and protect against shadow IT. For additional details, see Chapter 11, Monitoring Enterprise Apps with Microsoft Defender for Cloud Apps.
  53. F. These are all Conditional Access policies within Microsoft Defender for Cloud Apps. For additional details, see Chapter 11, Monitoring Enterprise Apps with Microsoft Defender for Cloud Apps.
  54. B and C. File policies govern over SharePoint and OneDrive for Business. For additional details, see Chapter 11, Monitoring Enterprise Apps with Microsoft Defender for Cloud Apps.
  55. C. There are two policies that monitor potential shadow IT applications. These are app discovery policies and Cloud Discovery anomaly detection policies. For additional details, see Chapter 11, Monitoring Enterprise Apps with Microsoft Defender for Cloud Apps.
  56. D. The OAuth policy investigates permissions to an app and can approve or revoke permissions and access to the app to mitigate against potential threats. For additional details, see Chapter 11, Monitoring Enterprise Apps with Microsoft Defender for Cloud Apps.
  57. A, B, C, and D. Identity is not a section that is scored in Microsoft Defender for Cloud Apps. For additional details, see Chapter 11, Monitoring Enterprise Apps with Microsoft Defender for Cloud Apps.
  58. A. Entitlement management allows non-administrators to assign access to applications and SharePoint sites for specific uses, such as a project. For additional details, see Chapter 12, Planning and Implementing Entitlement Management.
  59. B. A catalog is a collection of users and groups, applications, and SharePoint sites. For additional details, see Chapter 12, Planning and Implementing Entitlement Management.
  60. C. The access package defines the catalog, how to handle requests, and the life cycle of user and group access. For additional details, see Chapter 12, Planning and Implementing Entitlement Management.
  61. D. Access reviews provide life cycle management and can be configured to take place regularly to evaluate and govern continued membership in an access package. For additional details, see Chapter 12, Planning and Implementing Entitlement Management.
  62. A. Terms of use are company-provided documents that can be used to ensure user understanding of, and compliance with, application or site use. For additional details, see Chapter 12, Planning and Implementing Entitlement Management.
  63. C. Privileged Identity Management provides just-in-time access to administrator roles. For additional details, see Chapter 13, Planning and Implementing Privileged Access and Access Reviews.
  64. B. All assignments to privileged administrator roles should have a time-bound expiration. For additional details, see Chapter 13, Planning and Implementing Privileged Access and Access Reviews.
  65. A and B. Break-glass accounts should never have MFA enforced and should also be excluded from all Conditional Access policies. You should have a strong password for these accounts and a documented procedure for how to access and use these accounts. For additional details, see Chapter 13, Planning and Implementing Privileged Access and Access Reviews.
  66. B, C, and D. A guest user should never self-review their access review. This should be performed by someone from the host company. For additional details, see Chapter 13, Planning and Implementing Privileged Access and Access Reviews.
  67. A. When you configure automated tasks for an access review, there is an option to remove a user's access if the reviewer does not respond. For additional details, see Chapter 13, Planning and Implementing Privileged Access and Access Reviews.
  68. D. When an access review begins, the reviewer is notified through email. For additional details, see Chapter 13, Planning and Implementing Privileged Access and Access Reviews.
  69. B, C, and D. Risky sign-ins and user risk are in the security reporting category. For additional details, see Chapter 14, Analyzing and Investigating Sign-in Logs and Elevated Risk Users.
  70. A and E. Risky sign-ins and user risk are in the security reporting category. For additional details, see Chapter 14, Analyzing and Investigating Sign-in Logs and Elevated Risk Users.
  71. D. Activity reporting logs can be found under the Monitoring header in the AAD menu. For more specific information, they can also be found under Activity in the Users and Groups section of AAD. For additional details, see Chapter 14, Analyzing and Investigating Sign-in Logs and Elevated Risk Users.
  72. E. You can find sign-in and audit logs for all of these services. The AAD portal provides the most comprehensive data. For additional details, see Chapter 14, Analyzing and Investigating Sign-in Logs and Elevated Risk Users.
  73. C. Usage and insights can be used to access this information for specific applications within enterprise applications. There are also templates that can be accessed in the AAD portal under Monitoring – Workbooks. For additional details, see Chapter 14, Analyzing and Investigating Sign-in Logs and Elevated Risk Users.
  74. B. Microsoft Sentinel is not an XDR solution. Microsoft Defender provides XDR solutions that can be used with Sentinel SIEM and SOAR solutions. For additional details, see Chapter 15, Enabling and Integrating Azure AD Logs with SIEM Solutions.
  75. B. Microsoft Sentinel's workflow is to collect, detect, investigate, and respond. For additional details, see Chapter 15, Enabling and Integrating Azure AD Logs with SIEM Solutions.
  76. C. Before you can set up Microsoft Sentinel, you must connect a Log Analytics workspace to Microsoft Sentinel. For additional details, see Chapter 15, Enabling and Integrating Azure AD Logs with SIEM Solutions.
  77. C. Security Administrator is required to connect AAD log data to Microsoft Sentinel. Global Administrator can also complete this task. For additional details, see Chapter 15, Enabling and Integrating Azure AD Logs with SIEM Solutions.
  78. D. ArcSight does not have integration with AAD audit logs, only activity logs. For additional details, see Chapter 15, Enabling and Integrating Azure AD Logs with SIEM Solutions.
  79. C. This is the process for integrating IBM QRadar with Azure Monitor. For additional details, see Chapter 15, Enabling and Integrating Azure AD Logs with SIEM Solutions.
  80. B. Splunk has a direct add-on for Azure Monitor. For additional details, see Chapter 15, Enabling and Integrating Azure AD Logs with SIEM Solutions.

Summary

This completes your assessment and preparation for the SC-300 Microsoft Identity and Access Administrator Associate exam. Good luck and I hope you see continued success in your certification and professional journey.
