This cheat sheet is a fast, exam-focused review of everything on SC-300 (Microsoft Identity and Access Administrator). SC-300 is an associate-level exam built around real Entra ID administration, so treat this as a consolidation aid for your final days — pair it with a free developer tenant and hands-on practice, not instead of it.
Exam Snapshot
Passing Score
700 / 1000
Cost
$165 USD
Questions
40–60
Time
~120 minutes
User Identities
20–25%
Authentication & Access
25–30%
Workload Identities
20–25%
Identity Governance
20–25%
1. Manage User Identities
Identity types & sources
| Cloud-only identity | Created and managed directly in Microsoft Entra ID. |
| Hybrid identity | Synced from on-prem AD via Entra Connect (or Cloud Sync); password hash sync, pass-through auth, or federation. |
| Bulk operations | CSV-based bulk create, invite, and delete for users. |
| Custom security attributes | Business-specific attribute-value pairs used in Conditional Access and RBAC conditions. |
External identities
| B2B collaboration | Invite external users as guests; they authenticate with their home identity provider. |
| B2B direct connect | Mutual trust between organizations for Teams shared channels — no guest account needed. |
| External Identities cross-tenant access settings | Control inbound/outbound trust for MFA and device claims between tenants. |
| Entra ID for customers (CIAM) | Customer-facing identity for your own apps (successor to Azure AD B2C). |
Groups & licensing
| Assigned vs dynamic group | Assigned = manual membership; dynamic = rule-based on user/device attributes. |
| Group-based licensing | Assign licenses to a group so members inherit them automatically. |
| Restricted management admin units | Scope delegated admin permissions to a subset of users, groups, or devices. |
Most-tested distinction: a dynamic group updates membership automatically from a rule; an assigned group requires manual add/remove. Use dynamic groups for licensing and Conditional Access scoping that should stay current without admin effort.
2. Authentication & Access Management
Authentication methods
| Method | Notes |
|---|---|
| Password protection | Global + custom banned password lists; on-prem via Entra Password Protection proxy. |
| MFA | Authenticator app, SMS, voice call, FIDO2 key, certificate-based auth (CBA). |
| Windows Hello for Business | Device-bound biometric/PIN sign-in backed by a key or certificate. |
| Passwordless | FIDO2 security keys, Microsoft Authenticator phone sign-in, CBA. |
| SSPR | Self-service password reset; combined registration with MFA. |
| Smart lockout | Locks the account after repeated bad password attempts to slow brute force. |
Conditional Access
| Assignments | Users/groups, cloud apps, conditions (device platform, location, risk, client app). |
| Grant controls | Require MFA, require compliant/hybrid-joined device, require approved app, block access. |
| Session controls | App-enforced restrictions, Conditional Access App Control, sign-in frequency, persistent browser session. |
| What If tool & report-only mode | Test policy impact before enforcing. |
Roles & privileged access
| Entra roles vs Azure RBAC | Entra roles manage the directory/tenant; Azure RBAC manages resources at a scope. |
| Custom roles | Define specific permissions when built-in Entra roles are too broad. |
| PIM | Eligible vs active assignments; time-bound activation with approval, justification, or MFA. |
| PIM for groups | Make membership or ownership of a role-assignable group itself eligible and time-bound. |
| Identity Protection | User risk and sign-in risk policies; remediate with password reset or blocked access. |
Most-tested distinction: Conditional Access gates access at sign-in based on real-time signals. PIM governs how long a privileged role stays active. Identity Protection supplies the risk signal that both can react to.
Test the concepts you just reviewed
Try 40 Free SC-300 Practice Questions
Scenario-based questions with detailed explanations. No credit card required.
Start Free Practice →3. Workload Identities
| Concept | What it means |
|---|---|
| App registration | Defines an app's identity in your tenant — API permissions, redirect URIs, certificates/secrets. |
| Enterprise application | The service principal instance of an app (yours or a gallery app) used to assign users/groups and consent. |
| Service principal | The identity an application uses to authenticate and access resources. |
| Managed identity | Entra-managed credential for Azure resources — system-assigned (one resource) or user-assigned (reusable). No secrets to rotate. |
| Delegated vs application permissions | Delegated acts as the signed-in user; application permissions act as the app itself (needs admin consent). |
| Admin consent workflow | Lets non-admin users request approval for apps requiring elevated permissions. |
| Entra Application Proxy | Publishes on-prem web apps for remote access with Entra pre-authentication — no VPN. |
| Workload identity federation | Trust an external workload (e.g., GitHub Actions, Kubernetes) without managing a secret. |
Most-tested distinction: use a managed identity whenever an Azure resource needs to call another Azure service — it eliminates stored credentials entirely. A regular service principal is still required for apps outside Azure or that need custom certificate/secret handling.
4. Identity Governance
| Capability | What it does |
|---|---|
| Entitlement management | Access packages bundle resources (groups, apps, sites) with request, approval, and expiry policies. |
| Access reviews | Periodically recertify who should keep access to a group, app, or role — self, manager, or reviewer. |
| Lifecycle workflows | Automate joiner/mover/leaver tasks (e.g., send welcome email, disable account, remove licenses). |
| Terms of use | Require users to accept a policy document before accessing resources; tracked per user. |
| Entra ID Governance dashboard | Centralized view of access reviews, entitlement, PIM, and lifecycle workflow health. |
Most-tested distinction: entitlement management controls how access is requested and granted; access reviews control whether access already granted should continue. Use both together for full lifecycle governance.
5. Acronym Quick List
PIM — Privileged Identity Management
CA — Conditional Access
MFA — Multi-Factor Authentication
SSPR — Self-Service Password Reset
CBA — Certificate-Based Authentication
WHfB — Windows Hello for Business
RBAC — Role-Based Access Control
B2B / B2C — Business-to-Business / Business-to-Consumer identities
CIAM — Customer Identity and Access Management
SSO — Single Sign-On
IdP — Identity Provider
SCIM — System for Cross-domain Identity Management (provisioning)
SAML / OIDC — Federation protocols used for SSO
App Proxy — Microsoft Entra Application Proxy
ToU — Terms of Use
JML — Joiner / Mover / Leaver (lifecycle workflows)
Reviewed the cheat sheet? Now prove you're ready.
Take the free 5-minute SC-300 readiness quiz — no signup required — or jump into 40 free practice questions calibrated harder than the real exam.
Common Questions
Is a cheat sheet enough to pass SC-300?
No. SC-300 is an associate-level exam with scenario and configuration questions that assume hands-on Entra ID experience. This cheat sheet is a fast consolidation aid for your final review — pair it with a free Entra tenant, hands-on labs, and practice questions, not instead of them.
What is the difference between Conditional Access and PIM?
Conditional Access decides whether to grant, block, or challenge access at sign-in based on signals like user, device, location, and risk. PIM makes privileged roles eligible and time-bound rather than always active, requiring activation with justification, approval, or MFA. They solve different problems and are frequently used together.
What is the difference between a service principal and a managed identity?
A service principal is the identity an application or service uses to access resources, created from an app registration. A managed identity is an Entra-managed service principal that Azure automatically maintains — no credentials to store or rotate. Use a managed identity whenever an Azure resource needs to authenticate, and a regular service principal for apps outside Azure or that need custom credential handling.
What is the passing score for SC-300?
700 out of 1000 (roughly 70%). The exam has around 40–60 questions, a 120-minute time limit, and costs $165 USD.
About MSCertQuiz
MSCertQuiz provides 500 practice questions per certification, calibrated harder than the real exam so test day feels easier. Questions are built by certified professionals and updated for 2026 exam objectives. Start with 40 free questions — no credit card required.