SC-300

SC-300 Cheat Sheet 2026: Identity & Access Administrator Quick Reference

Every SC-300 domain condensed into quick-reference tables — Entra identities, authentication, Conditional Access and PIM, workload identities, and identity governance. Bookmark this for your final review.

Updated July 202615 min read

This cheat sheet is a fast, exam-focused review of everything on SC-300 (Microsoft Identity and Access Administrator). SC-300 is an associate-level exam built around real Entra ID administration, so treat this as a consolidation aid for your final days — pair it with a free developer tenant and hands-on practice, not instead of it.

Exam Snapshot

Passing Score

700 / 1000

Cost

$165 USD

Questions

40–60

Time

~120 minutes

User Identities

20–25%

Authentication & Access

25–30%

Workload Identities

20–25%

Identity Governance

20–25%

1. Manage User Identities

Identity types & sources

Cloud-only identityCreated and managed directly in Microsoft Entra ID.
Hybrid identitySynced from on-prem AD via Entra Connect (or Cloud Sync); password hash sync, pass-through auth, or federation.
Bulk operationsCSV-based bulk create, invite, and delete for users.
Custom security attributesBusiness-specific attribute-value pairs used in Conditional Access and RBAC conditions.

External identities

B2B collaborationInvite external users as guests; they authenticate with their home identity provider.
B2B direct connectMutual trust between organizations for Teams shared channels — no guest account needed.
External Identities cross-tenant access settingsControl inbound/outbound trust for MFA and device claims between tenants.
Entra ID for customers (CIAM)Customer-facing identity for your own apps (successor to Azure AD B2C).

Groups & licensing

Assigned vs dynamic groupAssigned = manual membership; dynamic = rule-based on user/device attributes.
Group-based licensingAssign licenses to a group so members inherit them automatically.
Restricted management admin unitsScope delegated admin permissions to a subset of users, groups, or devices.

Most-tested distinction: a dynamic group updates membership automatically from a rule; an assigned group requires manual add/remove. Use dynamic groups for licensing and Conditional Access scoping that should stay current without admin effort.

2. Authentication & Access Management

Authentication methods

MethodNotes
Password protectionGlobal + custom banned password lists; on-prem via Entra Password Protection proxy.
MFAAuthenticator app, SMS, voice call, FIDO2 key, certificate-based auth (CBA).
Windows Hello for BusinessDevice-bound biometric/PIN sign-in backed by a key or certificate.
PasswordlessFIDO2 security keys, Microsoft Authenticator phone sign-in, CBA.
SSPRSelf-service password reset; combined registration with MFA.
Smart lockoutLocks the account after repeated bad password attempts to slow brute force.

Conditional Access

AssignmentsUsers/groups, cloud apps, conditions (device platform, location, risk, client app).
Grant controlsRequire MFA, require compliant/hybrid-joined device, require approved app, block access.
Session controlsApp-enforced restrictions, Conditional Access App Control, sign-in frequency, persistent browser session.
What If tool & report-only modeTest policy impact before enforcing.

Roles & privileged access

Entra roles vs Azure RBACEntra roles manage the directory/tenant; Azure RBAC manages resources at a scope.
Custom rolesDefine specific permissions when built-in Entra roles are too broad.
PIMEligible vs active assignments; time-bound activation with approval, justification, or MFA.
PIM for groupsMake membership or ownership of a role-assignable group itself eligible and time-bound.
Identity ProtectionUser risk and sign-in risk policies; remediate with password reset or blocked access.

Most-tested distinction: Conditional Access gates access at sign-in based on real-time signals. PIM governs how long a privileged role stays active. Identity Protection supplies the risk signal that both can react to.

Test the concepts you just reviewed

Try 40 Free SC-300 Practice Questions

Scenario-based questions with detailed explanations. No credit card required.

Start Free Practice →

3. Workload Identities

ConceptWhat it means
App registrationDefines an app's identity in your tenant — API permissions, redirect URIs, certificates/secrets.
Enterprise applicationThe service principal instance of an app (yours or a gallery app) used to assign users/groups and consent.
Service principalThe identity an application uses to authenticate and access resources.
Managed identityEntra-managed credential for Azure resources — system-assigned (one resource) or user-assigned (reusable). No secrets to rotate.
Delegated vs application permissionsDelegated acts as the signed-in user; application permissions act as the app itself (needs admin consent).
Admin consent workflowLets non-admin users request approval for apps requiring elevated permissions.
Entra Application ProxyPublishes on-prem web apps for remote access with Entra pre-authentication — no VPN.
Workload identity federationTrust an external workload (e.g., GitHub Actions, Kubernetes) without managing a secret.

Most-tested distinction: use a managed identity whenever an Azure resource needs to call another Azure service — it eliminates stored credentials entirely. A regular service principal is still required for apps outside Azure or that need custom certificate/secret handling.

4. Identity Governance

CapabilityWhat it does
Entitlement managementAccess packages bundle resources (groups, apps, sites) with request, approval, and expiry policies.
Access reviewsPeriodically recertify who should keep access to a group, app, or role — self, manager, or reviewer.
Lifecycle workflowsAutomate joiner/mover/leaver tasks (e.g., send welcome email, disable account, remove licenses).
Terms of useRequire users to accept a policy document before accessing resources; tracked per user.
Entra ID Governance dashboardCentralized view of access reviews, entitlement, PIM, and lifecycle workflow health.

Most-tested distinction: entitlement management controls how access is requested and granted; access reviews control whether access already granted should continue. Use both together for full lifecycle governance.

5. Acronym Quick List

PIM — Privileged Identity Management

CA — Conditional Access

MFA — Multi-Factor Authentication

SSPR — Self-Service Password Reset

CBA — Certificate-Based Authentication

WHfB — Windows Hello for Business

RBAC — Role-Based Access Control

B2B / B2C — Business-to-Business / Business-to-Consumer identities

CIAM — Customer Identity and Access Management

SSO — Single Sign-On

IdP — Identity Provider

SCIM — System for Cross-domain Identity Management (provisioning)

SAML / OIDC — Federation protocols used for SSO

App Proxy — Microsoft Entra Application Proxy

ToU — Terms of Use

JML — Joiner / Mover / Leaver (lifecycle workflows)

Reviewed the cheat sheet? Now prove you're ready.

Take the free 5-minute SC-300 readiness quiz — no signup required — or jump into 40 free practice questions calibrated harder than the real exam.

Common Questions

Is a cheat sheet enough to pass SC-300?

No. SC-300 is an associate-level exam with scenario and configuration questions that assume hands-on Entra ID experience. This cheat sheet is a fast consolidation aid for your final review — pair it with a free Entra tenant, hands-on labs, and practice questions, not instead of them.

What is the difference between Conditional Access and PIM?

Conditional Access decides whether to grant, block, or challenge access at sign-in based on signals like user, device, location, and risk. PIM makes privileged roles eligible and time-bound rather than always active, requiring activation with justification, approval, or MFA. They solve different problems and are frequently used together.

What is the difference between a service principal and a managed identity?

A service principal is the identity an application or service uses to access resources, created from an app registration. A managed identity is an Entra-managed service principal that Azure automatically maintains — no credentials to store or rotate. Use a managed identity whenever an Azure resource needs to authenticate, and a regular service principal for apps outside Azure or that need custom credential handling.

What is the passing score for SC-300?

700 out of 1000 (roughly 70%). The exam has around 40–60 questions, a 120-minute time limit, and costs $165 USD.

About MSCertQuiz

MSCertQuiz provides 500 practice questions per certification, calibrated harder than the real exam so test day feels easier. Questions are built by certified professionals and updated for 2026 exam objectives. Start with 40 free questions — no credit card required.