Scenario-based SC-300 practice questions that mirror the style of the real Microsoft exam. Covers all four exam domains — with full explanations for every answer. Before diving in, it helps to understand how hard SC-300 really is and how it differs from other security certifications — read our SC-300 vs AZ-500 comparison or the SC-900 vs SC-300 breakdown. When you're ready to go further, practice on our SC-300 certification quiz page.
About These Questions
These 10 questions (with 5 more at the bottom) are written to match the scenario-based format of the real SC-300 exam. Each question tests your ability to select the best solution for a business scenario — not just recall a definition. Click "Show Answer" to reveal the explanation after attempting each question.
Your organization requires that all users authenticate using MFA when accessing cloud apps from outside the corporate network. The solution must not affect users on the corporate network. Users on the corporate network connect through a known IP range of 203.0.113.0/24. What should you configure?
Correct Answer: B
The correct approach is a Conditional Access policy that requires MFA, with the corporate network's IP range defined as a Named Location and that Named Location excluded from the MFA requirement (or included as a trusted location). Per-user MFA (A) doesn't support location-based exclusions elegantly. Blocking sign-ins from outside (C) prevents remote work. Security Defaults (D) cannot be customized with Named Locations.
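As an added example (not part of the original page) of the configuration this explanation describes, the Named Location and the Conditional Access policy can be created with the Microsoft Graph PowerShell SDK; the display names, the report-only starting state and the break-glass exclusion placeholder are assumptions:

```powershell
# Added example, not from the original page. Requires the Microsoft.Graph module
# and a signed-in admin; the scope below is the one needed to write CA policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# 1. Define the corporate network (203.0.113.0/24 from the question) as a
#    trusted IP-based Named Location.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate network"          # assumed name
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "203.0.113.0/24"
        }
    )
}

# 2. Require MFA for all users on all cloud apps from every location,
#    excluding the Named Location just created so on-network users are untouched.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Require MFA outside corporate network"   # assumed name
    # Start in report-only mode; switch to "enabled" once the sign-in logs
    # confirm only off-network sign-ins are being prompted.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            # Placeholder: always exclude an emergency-access account from MFA policies.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

"Created policy '$($policy.DisplayName)' ($($policy.Id)) excluding location $($location.Id)"
```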
An employee is leaving the organization in 30 days. They are currently an eligible owner of the Billing Administrators role in PIM. Their manager wants to ensure the employee cannot activate this role during their remaining 30 days while keeping their account active for knowledge transfer. What is the most efficient solution?
Correct Answer: A
Removing the eligible role assignment in PIM (A) directly prevents the user from activating the role while keeping their account active for normal work. A Conditional Access policy (B) cannot target PIM role activation specifically at the grant level. Changing to active (C) would give permanent access — the opposite of the goal. Disabling the account (D) would prevent all work, not just the role activation.
A developer has registered an application in Entra ID that will run as a background service without user interaction. The app needs to send emails as any user in the organization using Microsoft Graph. Which permission type and scope should you grant?
Correct Answer: B
Application permissions (not delegated) are required when an app runs without a signed-in user. Mail.Send as an application permission allows the app to send email as any user. Delegated permissions (A, C) require a signed-in user context — a background service has no user context. Mail.ReadWrite.All (D) grants broader read/write access which is more than needed and violates least privilege.
Users in the Sales group report they cannot access Salesforce after a new Conditional Access policy was deployed. The policy requires a compliant device for all cloud apps. The Sales team uses personal iOS devices that are enrolled in Intune but do not meet the compliance policy because they are running an older iOS version. The IT manager wants Sales to still be able to access Salesforce from their devices immediately, with minimum policy changes. What should you do?
Correct Answer: D
Changing to "Require one of the selected controls" with both compliant device AND approved client app means users can satisfy either condition. Sales users with non-compliant devices can still access Salesforce via an approved client app (like the Salesforce mobile app through Intune-managed policies). Excluding Sales entirely (A) removes all protection. A separate policy (B) works but creates policy sprawl. Updating the compliance policy (C) lowers security for all devices.
Your organization uses Microsoft Entra Connect to sync on-premises Active Directory to Entra ID using Password Hash Sync. Users report they can sign in to Entra ID but their on-premises AD passwords are not being updated when they reset via SSPR in Entra ID. What is the most likely cause?
Correct Answer: B
Password writeback must be explicitly enabled in Microsoft Entra Connect configuration to allow cloud-initiated password resets to propagate back to on-premises AD. Password Hash Sync (A) only syncs password hashes from on-premises to cloud — it does not provide writeback. SSPR (C) requires Entra ID P1 or P2, and since users can sign in successfully, licensing is not the issue. If accounts were cloud-only (D), there would be no on-premises AD to write back to.
A project team of 15 contractors needs access to three SharePoint sites and a Teams channel for 6 months. After 6 months, access should be automatically removed. The solution must allow contractors to self-request access and require manager approval. What should you configure?
Correct Answer: B
Entitlement Management access packages are designed for exactly this scenario: bundling multiple resources (SharePoint sites, Teams), enabling self-service requests, requiring approval, and automatically removing access at expiration. Group expiration (A) applies to the group lifecycle, not access expiration for specific resources. A manual process (C) is error-prone and doesn't support self-request. Conditional Access (D) blocks all access rather than gracefully removing access to specific resources.
A Global Administrator needs to ensure that users who are flagged as high-risk by Entra ID Protection are required to change their password immediately on their next sign-in. What should you configure?
Correct Answer: D
Both configuring a Conditional Access policy with User risk condition and require password change grant (B) and the legacy Entra ID Protection User risk policy (C) achieve the same outcome. Microsoft recommends using Conditional Access policies (B) for new configurations because they provide more control and visibility. However, the legacy User risk policy in Identity Protection (C) is still valid and functional. The exam may accept either — but if only one answer is accepted, choose B (CA policy is the recommended approach).
An organization wants to allow users to consent to apps requesting low-risk permissions without admin involvement. High-risk permissions must always require admin consent. How should you configure this?
Correct Answer: C
The app consent policy in Entra ID allows granular control: users can consent to apps from verified publishers requesting only low-impact permissions (like read profile), while any high-risk permission requires admin consent. This balances user productivity with security. Allowing all user consent (A) is too permissive. Disabling all user consent (B) creates administrative bottlenecks. Conditional Access (D) does not control app consent.
You are configuring an Access Review for members of the Global Administrator role. The review should run quarterly, reviewers should be the managers of each Global Administrator, and users whose access is not reviewed should have their access automatically removed. What should you configure?
Correct Answer: B
Access reviews for Entra ID roles (like Global Administrator) must be created within PIM (Privileged Identity Management), not in the general Identity Governance Access Reviews section. Creating the review in PIM (B) with "Managers of users" as reviewers, quarterly recurrence, and auto-remove when reviewers don't respond meets all requirements. Answer A would not capture role members correctly. C lacks auto-remove. D defeats the purpose of having a review.
An administrator needs to create 500 user accounts in Entra ID from a CSV file export from an HR system. What is the most efficient method?
Correct Answer: B
The Entra ID portal supports bulk user creation by uploading a CSV file — this is the most efficient built-in method for creating many users at once without code. Manual creation (A) is impractical for 500 users. PowerShell (C) and Azure CLI (D) work but require scripting knowledge and the question asks for the "most efficient" method, which for a non-developer admin is the built-in bulk operation.
SC-300 Question Patterns to Know
After reviewing thousands of SC-300 exam reports from candidates, here are the most common question patterns you'll encounter on exam day:
"Least privilege / minimum permissions" questions
The exam frequently asks for the solution that grants the minimum access required. Always scan all answers for the most restrictive option that still meets the requirement.
"Which feature should you use" scenario questions
Given a business requirement, identify the correct Entra ID feature (PIM vs Access Reviews vs Entitlement Management vs Conditional Access). These require you to know not just what each feature does but when to use each one.
Drag-and-drop and ordering questions
Some questions ask you to order configuration steps or match features to requirements. These can't be guessed — they require procedural knowledge.
Multi-requirement scenarios
Questions with 3–4 requirements in a single scenario are common. You need to identify the single answer that meets ALL requirements, not just most of them.