Microsoft Identity and Access Administrator SC-300 Exam Guide - Aaron Guilmette - E-Book

Description

SC-300 exam content has undergone significant changes, and this second edition aligns with the revised exam objectives. This updated edition gives you access to online exam prep resources such as chapter-wise practice questions, mock exams, interactive flashcards, and expert exam tips, providing you with all the tools you need for thorough exam preparation.
You’ll get to grips with the creation, configuration, and management of Microsoft Entra identities, as well as understand the planning, implementation, and management of Microsoft Entra user authentication processes. You’ll learn to deploy and use the new Global Secure Access features, design cloud application strategies, and manage application access and policies by using Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security). You’ll also gain experience in configuring Privileged Identity Management for users and guests, working with the Permission Creep Index (PCI), and mitigating the associated risks.
By the end of this book, you’ll have mastered the skills essential for securing Microsoft environments and be able to pass the SC-300 exam on your first attempt.

The e-book can be read in the Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 539

Year of publication: 2025




Microsoft Identity and Access Administrator SC-300 Exam Guide

Second Edition

Pass the SC-300 exam with confidence by using exam-focused resources

Aaron Guilmette

James Hardiman

Doug Haven

Dwayne Natwick

Microsoft Identity and Access Administrator SC-300 Exam Guide Second Edition

Copyright © 2025 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Authors: Aaron Guilmette, James Hardiman, Doug Haven, and Dwayne Natwick

Reviewer: Bart Van Vught

Relationship Lead: Anindya Sil

Content Engineer: David Sugarman

Production Designer: Salma Patel

Editorial Board: Vijin Boricha, Alex Mazonowicz, Aaron Nash, Gandhali Raut, and Ankita Thakur

First Published: March 2022

Second Edition: March 2025

Production Reference: 1260325

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB

ISBN 978-1-83620-039-0

www.packt.com

Contributors

About the Authors

Aaron Guilmette is a VP of technology focused on dragging the defense industrial base into the modern technology era. Previously, he worked as a senior program manager for Microsoft 365 Customer Experience. His career spans 25 years across public and private sector technology consulting. As the author of over 15 other IT books you’ve probably seen recommended by Amazon, he specializes in identity, messaging, and automation technologies.

When he’s not writing books or tools for his customers, trying to teach one of his kids to drive, or making tacos, Aaron can be found tinkering with cars and “investing” in Star Wars memorabilia. You can visit his blog at https://aka.ms/aaronblog or connect with him on LinkedIn at https://www.linkedin.com/in/aaronguilmette. Aaron resides in the metro Detroit area with his five children.

To Microsoft—thanks for constantly changing cloud technologies just enough to keep us on our toes and ensure we never run out of exams to take (or books to write).

To my kids—Liberty, Hudson, Glory, Anderson, and Victory—who remind me daily that troubleshooting technology problems is still easier than figuring out who left the empty pizza box in the fridge.

And to tacos, umbrella drinks, and fast cars—because if I ever do retire, I already know what paradise looks like.

– Aaron Guilmette

James Hardiman is a leading Identity and Access Management (IAM) expert with over two decades of experience in designing and implementing robust enterprise security solutions. His deep expertise encompasses identity governance, privileged access management, and cloud security, with a strong focus on ensuring compliance with evolving industry standards and regulations.

James holds a master of science degree in security studies with a concentration on cybersecurity from the University of Massachusetts and has earned numerous industry-recognized security certifications. Known for his ability to bridge the gap between technical complexity and business needs, James excels at aligning security architecture with strategic objectives. He prioritizes a user-centric approach, ensuring that security solutions enhance productivity while maintaining the highest levels of protection.

A resident of Massachusetts, James enjoys spending time with his wife and three children. He is passionate about driving innovation in the IAM field, particularly in safeguarding digital assets within highly regulated industries. Connect with James on LinkedIn: https://www.linkedin.com/in/jameshardimanjr.

Doug Haven is a security architect with over 20 years of experience in security engineering and architecture. His expertise spans policy development and security architecture across the manufacturing, government/DoD, transportation, financial services, and consulting industries. Throughout his career, Doug has worn many hats—including identity and access management architect, principal cloud security architect, network security architect, and enterprise security architect.

Doug earned a bachelor’s degree in computer science and an AS in cybersecurity technology from Keiser University in Ft. Lauderdale, FL. Doug is also a Microsoft Certified Trainer (MCT) and holds the Microsoft Identity and Access Administrator certification. His industry-recognized certifications also include CISSP, CompTIA Security+, AWS Solution Architect Professional, and AWS Security Specialty.

Originally from New York, Doug now soaks up the sun in Florida with his wife and son. When he’s not safeguarding digital realms, you might find him kayaking in the Everglades or playing guitar with his friends. To learn more about Doug’s professional journey or to connect with him, visit his LinkedIn profile at https://www.linkedin.com/in/doughaven/.

I would like to extend my sincere appreciation to my family—my wife, Dawn, my son, Joshua, and my mother, Shirley—for their love and support.

I am also grateful to Aaron and my co-authors for their guidance throughout this project.

– Doug Haven

Dwayne Natwick is the CEO and principal architect of Captain Hyperscaler, a cloud and cybersecurity training company providing security and cloud certification training to IT professionals and organizations. He has been working in IT, security design, and architecture for over 30 years. His love of teaching led him to become a Microsoft Certified Trainer (MCT) Regional Lead and a Microsoft Most Valuable Professional (MVP). Dwayne has a master’s degree in business IT from Walsh College, CISSP from ISC2, and 18 Microsoft certifications, including Identity and Access Administrator, Azure Security Engineer, and Microsoft 365 Security Administrator. Originally from Maryland, Dwayne currently resides in Michigan with his wife and three children.

Dwayne can be found providing and sharing information on social media, at industry conferences, on his blog site, and on his YouTube channel. You can follow Dwayne at https://captainhyperscaler.com or connect with him on LinkedIn at https://www.linkedin.com/in/dnatwick.

To my wife, Kristy, thank you for always being there and supporting me. You are the love of my life and my best friend. To my children, Austin, Jenna, and Aidan. Even with all my career accomplishments, you are what I am most proud of. You are all growing up to be such amazing people with kind hearts.

All four of you are my world and I could not make this journey without you.

All my love and support for everything that you do.

– Dwayne Natwick

About the Reviewer

Bart Van Vught has over 20 years of experience in helping organizations get the most out of their Microsoft products, both on and off the cloud. He is experienced in Microsoft 365 and Azure with a focus on modern security. Bart is a Microsoft Certified Trainer (MCT) and holds multiple certifications.

Table of Contents

Preface

1

Implementing and Configuring a Microsoft Entra Tenant

Making the Most Out of This Book – Your Certification and Beyond

Provisioning a Tenant

Planning a Tenant

Provisioning a Tenant

Configuring and Managing Built-In and Custom Microsoft Entra Roles

Planning for Role Assignments

Managing Roles in the Microsoft 365 Admin Center

Managing Role Groups for Microsoft Defender, Microsoft Purview, and Microsoft 365 Workloads

Recommending When to Use Administrative Units

Configuring and Managing Administrative Units

Creating Administrative Units

Viewing and Updating Administrative Units

Evaluating Effective Permissions for Microsoft Entra Roles

Configuring and Managing Custom Domains

Acquiring a Domain Name

Configuring a Domain Name

Managing DNS Records Manually

Configuring a Default Domain

Configuring Company Branding Settings

Microsoft 365 Admin Center

Microsoft Entra Admin Center

Configuring Tenant-Wide Settings and Properties

Services

Security and Privacy

Organization Profile

Summary

Exam Readiness Drill – Chapter Review Questions

2

Creating, Configuring, and Managing Microsoft Entra Identities

Creating, Configuring, and Managing Users

Creating and Managing Cloud Users

Creating and Managing Synchronized Users

Guest User Accounts

Creating, Configuring, and Managing Groups

Microsoft 365 Admin Center

Entra Admin Center

Managing Custom Security Attributes

Creating Custom Attribute Sets and Custom Security Attributes

Managing Access to Attributes

Assigning Attributes to Applications or Users

Deactivating Attribute Definitions

Automating Bulk Operations by Using the Microsoft Entra Admin Center and PowerShell

Entra Admin Center

PowerShell

Managing Device Join and Device Registration in Microsoft Entra ID

Assigning, Modifying, and Reporting on Licenses

Summary

Exam Readiness Drill – Chapter Review Questions

3

Implementing and Managing Identities for External Users and Tenants

Managing External Collaboration Settings in Microsoft Entra ID

Guest Access Settings

Guest Invite Settings

Self-Service Sign-Up Flows

Guest Leave Settings

Inviting External Users, Individually or in Bulk

Admin Center

PowerShell

Managing External User Accounts in Microsoft Entra ID

Managing Individual Objects

Using Entitlement Management

Implementing Cross-Tenant Access Settings

Configuring Default Settings

Configuring Cloud Settings

Adding an Organization

Implementing and Managing Cross-Tenant Synchronization

Configuring the Target Tenant

Configuring the Source Tenant

Configuring External Identity Providers

Creating an External Tenant

Configuring Google as an External Identity Provider

Configuring a Custom External Identity Provider

Summary

Exam Readiness Drill – Chapter Review Questions

4

Implementing and Managing Hybrid Identity

Preparing for Identity Synchronization

Implementing and Managing Microsoft Entra Connect Sync

Planning and Sizing

Installing the Synchronization Service

Configuring Entra Connect Filters

Implementing and Managing Microsoft Entra Connect Cloud Sync

Installing the Provisioning Agent

Configuring the Provisioning Service

Customizing the Provisioning Service

Implementing and Managing Password Hash Synchronization

Deploying Password Hash Synchronization

Managing Password Hash Synchronization

Implementing and Managing Pass-Through Authentication

Deploying Pass-Through Authentication

Identifying Limitations

Implementing and Managing Seamless Single Sign-On

Migrating from AD FS to Other Authentication and Authorization Mechanisms

Performing a Cutover Migration

Performing a Staged Rollout

Implementing and Managing Microsoft Entra Connect Health

Entra Connect Health

Entra Connect Health for Sync

Entra Connect Health for Directory Services

Entra Connect Health for Active Directory Federation Services

Summary

Exam Readiness Drill – Chapter Review Questions

5

Planning, Implementing, and Managing Microsoft Entra User Authentication

Planning for Authentication

Implementing and Managing Authentication Methods

Implementing Temporary Access Passes

Implementing OAuth

Implementing Microsoft Authenticator

Implementing FIDO2

Implementing and Managing Tenant-Wide MFA Settings

Configuring and Deploying Self-Service Password Reset

Legacy Authentication Methods

Combined Registration

Implementing and Managing Windows Hello for Business

Disabling Accounts and Revoking User Sessions

Deploying and Managing Entra Password Protection and Smart Lockout

Custom Smart Lockout

Custom Banned Passwords

Password Protection for Windows Server Active Directory

Enabling Microsoft Entra Kerberos Authentication for Hybrid Identities

Configuring a Storage Account

Configuring Enterprise Application Permissions

Updating Conditional Access Policies

Updating Endpoint Settings

Implementing Certificate-Based Authentication in Microsoft Entra

Configuring Certificates

Updating Authentication Methods

Updating Entra Connect

Logging In with CBA

Monitoring Logins

Summary

Exam Readiness Drill – Chapter Review Questions

6

Planning, Implementing, and Managing Microsoft Entra Conditional Access

Planning Conditional Access Policies

Implementing Conditional Access Policy Assignments

Implementing Conditional Access Policy Controls

Implementing Session Management

Implementing Device-Enforced Restrictions

Implementing CAE

Understanding CAE

Troubleshooting CAE

Creating a Conditional Access Policy from a Template

Summary

Exam Readiness Drill – Chapter Review Questions

7

Managing Risk Using Microsoft Entra ID Protection

Implementing and Managing User Risk Policies

Implementing and Managing Sign-In Risk Policies

Implementing and Managing MFA Registration Policies

Implementing MFA Registration Policies

Managing MFA Registration Policies

Monitoring, Investigating, and Remediating Risky Users

Configuring Risk Alerts

Investigating Risky Sign-Ins

Monitoring, Investigating, and Remediating Risky Workload Identities

Summary

Exam Readiness Drill – Chapter Review Questions

8

Implementing Access Management for Azure Resources by Using Azure Roles

Creating Custom Azure Roles

Determining Permissions

Creating a New Custom Role

Assigning Built-In and Custom Azure Roles

Evaluating Effective Permissions for a Set of Azure Roles

Assigning Azure Roles to Enable Microsoft Entra ID Login to Azure Virtual Machines

Configuring Azure Key Vault Role-Based Access Control (RBAC)

Choosing the Right Authorization System

Assigning Roles to Your Key Vault in the Azure Portal

Automating with Azure Tools

Controlling Access to the Key Vault

Summary

Exam Readiness Drill – Chapter Review Questions

9

Implementing Global Secure Access

What Is GSA?

Deploying GSA Clients

Enabling GSA

Client Types and Deployment Methods

Client Configuration and Policy Management

Deploying Private Access

Deploying Private Access Infrastructure

Configuring Quick Access

Configuring a Private Access Application

Enabling the Private Access Traffic Forwarding Profile

Deploying Internet Access

Deploying Internet Access for Microsoft 365

Enhancing Global Secure Access with Conditional Access

Summary

Exam Readiness Drill – Chapter Review Questions

10

Planning and Implementing Identities for Applications and Azure Workloads

Selecting Appropriate Identities for Applications and Azure Workloads

Managed Identities

Service Principals

Logic Apps, Function Apps, and Azure App Service

Choosing an Identity Type

Creating Managed Identities

Creating a System-Assigned Managed Identity

Creating a User-Assigned Managed Identity

Using a Managed Identity Assigned to an Azure Resource

Creating a Key Vault

Granting Access to a Key Vault

Storing a Secret in the Key Vault

Accessing a Stored Secret

Summary

Exam Readiness Drill – Chapter Review Questions

11

Planning, Implementing, and Monitoring the Integration of Enterprise Applications

Planning and Implementing Settings for Enterprise Applications

Tenant-Level Settings

Application-Level Settings

Assigning Appropriate Microsoft Entra Roles to Users to Manage Enterprise Applications

Application Administrator Role

Cloud Application Administrator Role

Designing and Implementing Integration for On-Premises Apps by Using Microsoft Entra Application Proxy

Configuring App Proxy

Configuring an Application with Application Proxy

Designing and Implementing Integration for SaaS Apps

Assigning, Classifying, and Managing Users, Groups, and App Roles for Enterprise Applications

Summary

Exam Readiness Drill – Chapter Review Questions

12

Planning and Implementing App Registrations

Planning for App Registrations

Application Type

Authentication and Authorization

Permissions and Consent

Enterprise Integration

Operational Best Practices

Creating App Registrations

Configuring App Authentication

Understanding Authentication Protocols and the Redirect URI

Finishing the Application Registration

Configuring API Permissions

Creating App Roles

Summary

Exam Readiness Drill – Chapter Review Questions

13

Managing and Monitoring App Access Using Microsoft Defender for Cloud Apps

Configuring and Analyzing Cloud Discovery Results by Using Defender for Cloud Apps

Setting Up Cloud Discovery

Configuring Cloud Discovery

Analyzing Cloud Discovery Results

Configuring Connected Apps

Implementing Application-Enforced Restrictions

Creating an Application-Enforced Restrictions Policy

Configuring App-Enforced Restrictions in SharePoint

Configuring App-Enforced Restrictions in Exchange

Configuring Conditional Access App Control

Creating Access and Session Policies in Defender for Cloud Apps

Implementing and Managing Policies for OAuth Apps

Managing the Cloud App Catalog

Calculating the Risk Score

Customizing the Risk Score

Overriding the Risk Score

Summary

Exam Readiness Drill – Chapter Review Questions

14

Planning and Implementing Entitlement Management

Planning Entitlements

Creating and Configuring Catalogs

Creating and Configuring Access Packages

Managing Access Requests

Implementing and Managing Terms of Use

Managing the Lifecycle of External Users

Configuring and Managing Connected Organizations

Summary

Exam Readiness Drill – Chapter Review Questions

15

Planning, Implementing, and Managing Access Reviews in Microsoft Entra

Planning for Access Reviews

Creating and Configuring Access Reviews

Monitoring Access Review Activity

Manually Responding to Access Review Activity

Summary

Exam Readiness Drill – Chapter Review Questions

16

Planning and Implementing Privileged Access

Planning and Managing Microsoft Entra Roles

Planning and Managing Azure Resources in PIM

Adding an Assignment for a Role

Configuring Settings for Role Elevation

Planning and Configuring Groups Managed by PIM

Adding a Group to PIM

Adding an Assignment to a Group

Managing the PIM Request and Approval Process

Activating an Assignment

Approving an Assignment Request

Analyzing PIM Audit History and Reports

Creating and Managing Break-Glass Accounts

Creating a Break-Glass Account

Monitoring Break-Glass Accounts

Summary

Exam Readiness Drill – Chapter Review Questions

17

Monitoring Identity Activity Using Logs, Workbooks, and Reports

Designing a Strategy for Monitoring Microsoft Entra

Proactive Monitoring and Alerts

Leveraging Powerful Tools

Reviewing and Analyzing Sign-In, Audit, and Provisioning Logs

Configuring Diagnostic Settings

Choosing Log Categories

Troubleshooting Diagnostic Settings for Entra ID

Monitoring Microsoft Entra by Using KQL Queries in Log Analytics

Understanding Log Schemas

Understanding KQL Syntax

Using Logs, Workbooks, and Reports to Monitor Identity Activity

Using a Prebuilt Workbook

Customizing a Workbook

Monitoring and Improving the Security Posture by Using the Identity Secure Score

Summary

Exam Readiness Drill – Chapter Review Questions

18

Planning and Implementing Microsoft Entra Permissions Management

Onboarding Azure Subscriptions to Permissions Management

Evaluating and Remediating Risks Relating to Azure Identities, Resources, and Tasks

Evaluating and Remediating Risks Relating to Azure’s Highly Privileged Roles

Evaluating and Remediating Risks Relating to the Permission Creep Index (PCI)

Evaluating Risks

Remediating Risks

Configuring Activity Alerts and Triggers for Azure Subscriptions

Summary

Exam Readiness Drill – Chapter Review Questions

19

Accessing the Online Practice Resources

Other Books You May Enjoy

Preface

Identity and access management (IAM) is foundational to securing organizations. While it has long been an important operational concept, it was for years largely relegated to service desk operations: creating identities and assigning group memberships.

Several years ago, Microsoft started down the route of Zero Trust, a model in which identity is treated as one of the primary security boundaries rather than the network perimeter.

Identity is increasingly used as a gateway to all of an organization’s services—whether they’re on-premises, in the Microsoft 365 cloud, or hosted by third-party cloud app providers. Being able to provision, manage, secure, and restrict the flow of data based on identity, device health or compliance, and access risk factors has become the preeminent way of protecting an organization’s assets.

Throughout this book, we’ll explore a broad range of IAM concepts, ranging from identity models such as cloud and hybrid identity to risk-based access and authorization policies. You’ll discover cross-organization identity synchronization capabilities, design entitlement management strategies, and learn how to integrate third-party applications in a secure fashion—all of which will prepare you to successfully navigate the Microsoft Identity and Access Administrator exam.

Who This Book Is For

This book is intended for individuals who work in securing identity and workloads in a Microsoft 365 environment. This includes primarily identity and access administrators, but also security operations analysts and cybersecurity architects.

The content in this book assumes you have a basic understanding of Microsoft 365 concepts. You’ll build on your foundational knowledge to gain the skills to be able to pass the SC-300 exam.

What This Book Covers

Chapter 1, Implementing and Configuring a Microsoft Entra Tenant, introduces the concepts of provisioning and administering a Microsoft 365 tenant.

Chapter 2, Creating, Configuring, and Managing Microsoft Entra Identities, walks through the steps necessary to create and modify users and groups, as well as assigning licenses.

Chapter 3, Implementing and Managing Identities for External Users and Tenants, introduces the concepts of external or guest users.

Chapter 4, Implementing and Managing Hybrid Identity, introduces hybrid identity models, managed through Entra Connect and Entra Connect Cloud Sync.

Chapter 5, Planning, Implementing, and Managing Microsoft Entra User Authentication, focuses on configuring authentication methods and capabilities such as multi-factor authentication and Windows Hello for Business.

Chapter 6, Planning, Implementing, and Managing Microsoft Entra Conditional Access, explores one of the core security technologies of Microsoft Entra—Conditional Access policies.

Chapter 7, Managing Risk by Using Microsoft Entra ID Protection, describes how to use risk-based policies with Microsoft Entra to protect user and workload identities.

Chapter 8, Implementing Access Management for Azure Resources by Using Azure Roles, demonstrates concepts such as role-based access controls and technologies such as Azure Key Vault.

Chapter 9, Implementing Global Secure Access, introduces the new Global Secure Access service for securing connectivity between endpoints and the Microsoft cloud.

Chapter 10, Planning and Implementing Identity for Applications and Azure Workloads, explains how to configure and secure identity for Azure services, applications, and workloads.

Chapter 11, Planning, Implementing, and Monitoring the Integration of Enterprise Applications, instructs on designing strategies for connecting and securing enterprise software-as-a-service apps, as well as using Microsoft Entra application proxy to publish on-premises applications.

Chapter 12, Planning and Implementing App Registrations, presents information on configuring app registrations, app roles, and API permissions.

Chapter 13, Managing and Monitoring App Access Using Microsoft Defender for Cloud Apps, explores using Defender for Cloud Apps to discover shadow IT and create policies to restrict access to apps and resources.

Chapter 14, Planning and Implementing Entitlement Management, leverages access packages for granting access to sites and applications, as well as managing the life cycle of external user accounts.

Chapter 15, Planning, Implementing, and Managing Access Reviews in Microsoft Entra, demonstrates how to use access reviews to manage the life cycle of access to resources in the Microsoft 365 tenant.

Chapter 16, Planning and Implementing Privileged Access, walks through deploying Privileged Identity Management to remove standing permissions to resources.

Chapter 17, Monitoring Identity Activity Using Logs, Workbooks, and Reports, outlines how to use the Kusto Query Language (KQL) to interpret logs and discover insights about identity and access in the Microsoft 365 environment.

Chapter 18, Planning and Implementing Microsoft Entra Permissions Management, introduces the new Entra Permissions Management product, allowing identity and access administrators to monitor permissions assignments and discover the over-granting of permissions in a Microsoft Entra environment.

How to Get the Most Out of This Book

This book is directly aligned with the Microsoft Certified: Identity and Access Administrator Associate exam and covers all the topics that an SC-300 aspirant needs to grasp in order to pass the exam.

It is advisable to stick to the following steps when preparing for the SC-300 exam:

Step 1: Read the complete book.

Step 2: Attempt the end-of-chapter practice questions in each chapter before moving on to the next one.

Step 3: Memorize key concepts using the flashcards on the website (refer to the Online Practice Resources section).

Step 4: Attempt the online practice question sets. Make a note of the concepts you are weak in, revisit those in the book, and re-attempt the practice questions (refer to the Online Practice Resources section).

Step 5: Review the exam tips on the website (refer to the Online Practice Resources section).

SC-300 aspirants will gain a lot of confidence if they approach their preparation as per the mentioned steps.

Online Practice Resources

With this book, you will unlock unlimited access to our online exam-prep platform (Figure 0.1). This is your place to practice everything you learn in the book.

How to access the resources

To learn how to access the online resources, refer to Chapter 19, Accessing the Online Practice Resources at the end of this book.

Figure 0.1 – Online exam-prep platform on a desktop device

Sharpen your knowledge of Identity and Access Administrator concepts with multiple sets of mock exams, interactive flashcards, and exam tips accessible from all modern web browsers.

To Make the Most Out of This Book

To get the most out of your studying experience, we recommend the following components:

Azure tenant with a free-trial subscription (https://azure.microsoft.com/en-us/free/ai-services/)

Microsoft 365 E5 trial subscription (https://www.microsoft365.com)

Download the Example Code Files

You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Microsoft-Identity-and-Access-Administrator-SC-300-Exam-Guide. If there’s an update to the code, it will be updated in the GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the Color Images

We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://packt.link/L7Nt0.

Conventions Used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and X handles. Here is an example: “Microsoft will update your organization’s SPF record with v=spf1 include:spf.protection.outlook.com -all.”

A block of code is set as follows:

Get-MgUser -Filter "Department eq 'Project Management'" -Top 10 -ConsistencyLevel Eventual -Property DisplayName,UserPrincipalName,Department | Select DisplayName,UserPrincipalName,Department

Any command-line input or output is written as follows:

Install-Module Microsoft.Graph

Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “Roles can be easily managed within the Microsoft 365 admin center by expanding the navigation menu, expanding Roles, and then selecting Role assignments.”

Tips or important notes

Appear like this.

Get in Touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form. We ensure that all valid errata are promptly updated in the GitHub repository at https://github.com/PacktPublishing/Microsoft-Identity-and-Access-Administrator-SC-300-Exam-Guide.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Now you’ve finished Microsoft Identity and Access Administrator SC-300 Exam Guide, Second Edition, we’d love to hear your thoughts! If you purchased the book from Amazon, please click here to go straight to the Amazon review page for this book and share your feedback or leave a review on the site that you purchased it from.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Download a Free PDF Copy of This Book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?

Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.

Follow these simple steps to get the benefits:

Scan the QR code or visit the link below:

https://packt.link/free-ebook/9781836200390

Submit your proof of purchase.

That’s it! We’ll send your free PDF and other benefits to your email directly.

1

Implementing and Configuring a Microsoft Entra Tenant

The Microsoft 365 tenant serves as the primary boundary for security and content for your organization inside the Microsoft cloud, logically separating your organization’s identities and data from that of other organizations also using the Microsoft 365 service. Although the initial setup of a tenant may seem straightforward—requiring just the input of contact information and payment details—the design and implementation of a tenant and its features involve multiple considerations to ensure secure access to an organization’s data.

Making the Most Out of This Book – Your Certification and Beyond

This book and its accompanying online resources are designed to be a complete preparation tool for your SC-300 Exam.

The book is written in a way that you can apply everything you’ve learned here even after your certification. The online practice resources that come with this book (Figure 1.1) are designed to improve your test-taking skills. They are loaded with timed mock exams, chapter review questions, interactive flashcards, and exam tips to help you work on your exam readiness from now till your test day.

Before You Proceed

To learn how to access these resources, head over to Chapter 19, Accessing the Online Practice Resources, at the end of the book.

Figure 1.1: Dashboard interface of the online practice resources

Here are some tips on how to make the most out of this book so that you can clear your certification and retain your knowledge beyond your exam:

Read each section thoroughly.
Make ample notes: You can use your favorite online note-taking tool or use a physical notebook. The free online resources also give you access to an online version of this book. Click the BACK TO THE BOOK link from the Dashboard to access the book in Packt Reader. You can highlight specific sections of the book there.
Chapter Review Questions: At the end of this chapter, you’ll find a link to review questions for this chapter. These are designed to test your knowledge of the chapter. Aim to score at least 75% before moving on to the next chapter. You’ll find detailed instructions on how to make the most of these questions at the end of this chapter in the Exam Readiness Drill - Chapter Review Questions section. That way, you’re improving your exam-taking skills after each chapter, rather than at the end.
Flashcards: After you’ve gone through the book and scored 75% or more in each of the chapter review questions, start reviewing the online flashcards. They will help you memorize key concepts.
Mock Exams: Solve the mock exams that come with the book till your exam day. If you get some answers wrong, go back to the book and revisit the concepts you’re weak in.
Exam Tips: Review these from time to time to improve your exam readiness even further.

This chapter will cover the following main topics:

Calculating network bandwidth capacity for Teams voice, video, meetings, and town halls
Analyzing network impact using Network Planner
Specifying required network ports and protocols for Microsoft Teams
Specifying optimal network architecture for Teams
Assessing network readiness and connectivity

In this chapter, you will explore the essential elements of planning your Microsoft 365 experience, particularly as they map to the SC-300 exam. The objectives and skills covered in this chapter include the following:

Configuring and managing built-in and custom Microsoft Entra roles
Recommending when to use administrative units
Configuring and managing administrative units
Evaluating effective permissions for Microsoft Entra roles
Configuring and managing custom domains
Configuring company branding settings
Configuring tenant-wide settings and properties

By the end of this chapter, you should be able to perform the initial configuration steps for a Microsoft 365 tenant and explain how to administer organization-wide settings.

Provisioning a Tenant

A tenant, from a Microsoft 365 perspective, is the top-level container that both identifies your organization and provides its security boundary. The tenant container object is a logical boundary that separates your organization’s users, applications, and data from that of other organizations using the Microsoft 365 service. Creating a tenant is the prerequisite step to working with Microsoft 365.

While provisioning a tenant itself isn’t on the SC-300 exam, you should be familiar with how the process works, as some of the choices you make up front may determine what features and capabilities your tenant will use.

Planning a Tenant

The first choice you need to make is which kind of tenant you’ll acquire. Tenants are available for various different types of organizations. You’ll choose a tenant based on a number of factors, including what size organization you have, as well as potentially what industry or vertical your organization is in.

Selecting a Tenant Type

Microsoft has made a variety of suites and packages available, targeting different types of organizations, as shown in Figure 1.2:

Figure 1.2: Types of tenants

Table 1.1 lists the types of tenants available and their target customers:

| Tenant type | Target customer |
| --- | --- |
| Microsoft 365 Personal | Single person or home user |
| Microsoft 365 Family | Single person, up to 6 users |
| Microsoft 365 Business | Up to 300 users |
| Microsoft 365 Enterprise | Unlimited users |
| Microsoft 365 Government | Unlimited users |
| Microsoft 365 Education | Unlimited users |

Table 1.1: Tenant types and target customers

The SC-300 exam tests you on the Microsoft 365 Enterprise plans and features available in the worldwide commercial cloud. The exam may question you about which tenant type is appropriate for your organization based on the organization’s size.

Tenant type deep dive

The SC-300 exam focuses on the feature set and service bundles available in Microsoft 365 Enterprise plans, though the technologies available are largely the same across all plans. Microsoft 365 Government (also known as Government Community Cloud or GCC) is available only for local, state, and federal US government customers (and their partners or suppliers) and has a subset of the currently commercially available features. Microsoft 365 Education exists in the Worldwide Commercial cloud, has the same feature set as the commercial enterprise set, but also has a few added features targeted to educational institutions. Microsoft 365 for Education is only available to schools and universities.

Selecting a Managed Domain

After choosing what type of tenant you’ll acquire, one of the next choices you’ll need to make is selecting a tenant name. When you start a Microsoft 365 subscription, you are prompted to choose a name in Microsoft’s onmicrosoft.com managed namespace. The tenant name must be unique across all other Microsoft 365 customers.

Tenant name considerations

After many (many!) years of customer requests, the tenant-managed domain name can be changed after it has been selected. Technically, you can’t change the tenant domain, but you can add a new tenant fallback domain. As such, it’s still important to choose something that is appropriate for your organization. The tenant name is visible in a handful of locations, so be sure to select a name that doesn’t reveal any personally identifiable information or trade secrets and looks professionally appropriate for the type of organization you’re representing. There is also a SharePoint tenant rename process in preview, but it’s limited to organizations that have less than 10,000 sites provisioned. For more information, see https://learn.microsoft.com/en-us/microsoft-365/admin/setup/add-or-replace-your-onmicrosoftcom-domain?view=o365-worldwide.

Provisioning a Tenant

Provisioning a tenant is a relatively simple task requiring you to fill out a basic contact form and choose a tenant name. Microsoft offers a variety of trial subscriptions to help people understand the capabilities of the platform.

Trial information

Microsoft has updated its subscription plans by removing Teams from the included applications. The offers are now labeled No Teams, though Teams can be added through the Microsoft 365 admin center once the trial is activated. You can view available Microsoft 365 and Office 365 offers here: https://www.microsoft.com/en-us/microsoft-365/enterprise/microsoft365-plans-and-pricing.

Currently, available trial subscriptions require you to provide payment information. Trials will roll over as a fully paid subscription after the trial period ends. If you’re standing up a trial tenant to study for the exam, you’ll want to make sure you cancel it as soon as you’re done using it. Figure 1.3 shows the trial sign-up page:

Figure 1.3: Starting a trial subscription

The sign-up process may prompt you for a phone number to be used during verification (either through a text/SMS or call) to help ensure that you’re a valid potential customer and not an automated system.

After verifying your status as a human, you’ll be prompted to select your managed domain, as shown in Figure 1.4:

Figure 1.4: Choosing a managed domain

In the Domain name field, you’ll be prompted to enter a domain name. If the domain name value you select is already taken, you’ll receive an error and will be prompted to select a new name.

After you’ve finished, you can enter payment information for a trial subscription. Note the end date of the trial; if you fail to cancel by this date, you’ll be automatically billed for the number of licenses you have configured during your trial!

Now that you’ve got a tenant activated, it’s time to move on to the actual SC-300 objectives as discussed in the next section!

Advanced setup guides

While this book focuses primarily on the requirements for the SC-300 exam objectives, there is a lot to learn in a tenant. You can use the advanced deployment guides in the admin center to explore and set up other features of your Microsoft 365 environment. For more information, see https://learn.microsoft.com/en-us/microsoft-365/enterprise/setup-guides-for-microsoft-365?view=o365-worldwide.

Configuring and Managing Built-In and Custom Microsoft Entra Roles

Entra ID roles are used to delegate permissions to perform tasks in Entra ID, Microsoft 365, and Azure. Many people are familiar with the Global Administrator role, as it is the first role that’s granted when you create a tenant. However, there are dozens of other roles available that can be used to provide a refined level of delegation throughout the environment. As the number of applications and services available in the Microsoft 365 ecosystem has grown, so has the number of security and administrative roles.

Roles for applications, services, and functions are intuitively named and generally split into two groups: Administrator and Reader. However, there are some roles that either don’t follow that nomenclature or have additional levels of permission associated with them (such as Printer Technician or Attack Simulator Payload Author).

The Global Administrator role can administer all parts of the tenant organization, including creating and modifying users or groups and delegating other administrative roles. In most cases, users with the Global Administrator role can access and modify all parts of an individual Microsoft 365 service—for example, editing Exchange transport rules, creating SharePoint Online sites, or setting up directory synchronization. Some features, such as eDiscovery, require specific roles in order to use them. Even though the Global Administrator role doesn’t have the ability to perform all tasks initially, the role does allow you to grant application- or workload-specific roles to enable their use.

Further reading

There are currently over 70 built-in administrative roles specific to Entra ID services and applications. For an up-to-date list of the roles available, see https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference.

For the SC-300 exam, you should be familiar with the core Microsoft 365 and Entra ID roles, as described in Table 1.2:

| Role name | Role description |
| --- | --- |
| Global Administrator | Can manage all aspects of Entra ID and Microsoft 365 services. |
| Hybrid Identity Administrator | Can manage Entra Connect and Entra Cloud Sync configuration settings, including pass-through authentication (PTA), password hash synchronization (PHS), seamless single sign-on (SSO), and federation settings. |
| Billing Administrator | Can perform billing tasks such as updating payment information. |
| Compliance Administrator | Can read and manage the compliance configuration and reporting in Entra ID and Microsoft 365. |
| Exchange Administrator | Can manage all aspects of the Exchange Online service. |
| Guest Inviter | Can invite guest users regardless of the Members can invite guests setting. |
| Office Apps Administrator | Can manage Office apps, including policy and settings management. |
| Reports Reader | Can read sign-in and audit reports. |
| Security Reader | Can read security information and reports in Entra ID and Office 365. |
| SharePoint Administrator | Can manage all aspects of the SharePoint service. |
| Teams Administrator | Can manage all aspects of the Microsoft Teams service. |
| User Administrator | Can manage all aspects of users and groups, including resetting passwords for limited admins. |

Table 1.2: Core Entra ID and Microsoft 365 roles

Planning for Role Assignments

One of the core tenets of security is the use of a least-privilege model. Least privilege means delegating the minimum level of permissions to accomplish a particular task, such as creating a user or resetting a password. In the context of Microsoft 365 and Entra ID, this translates to using the built-in roles for services, applications, and features where possible instead of granting the Global Administrator role. Limiting the administrative scope for services based on roles is commonly referred to as role-based access control (RBAC).

In order to help organizations plan for a least-privileged deployment, Microsoft currently maintains a list of least-privileged roles necessary to accomplish certain tasks, grouped by application or content area: https://learn.microsoft.com/en-us/azure/active-directory/roles/delegate-by-task. Related tasks are grouped into roles. These roles can then be assigned to users based on their job duties.

When planning for role assignments in your organization, you can choose to assign roles directly to users or via a specially designated Entra ID group. If you have several users that need a variety of roles, you may want to create a group to ease the administrative burden of adding multiple users to multiple roles.

If you want to create and use groups for role assignment, you must enable the group for role assignment (the Entra ID isAssignableToRole property) during the group creation. For example, when using the Azure portal to create a group as shown in Figure 1.5, the Azure AD roles can be assigned to the group toggle needs to be set to Yes in order for the group to be provisioned with that capability.

Note

The role assignment property cannot be updated once the group has been created. If you create a group that you want to be used for role assignment and you fail to set this option during group creation, you’ll need to delete the group and start over. This is to prevent privilege escalation attempts.

Figure 1.5: Configuring the isAssignableToRole property on a new group

If you want to create role-eligible groups in Entra ID, those groups must be configured to use assigned membership. As soon as you move the slider to enable a role-assignable group, the ability to change the membership type is grayed out to prevent accidentally elevating a user to a privileged role through a dynamic rule.
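The role-assignable group creation and role assignment described above can also be scripted with the Microsoft Graph PowerShell SDK used elsewhere in this book. This is an added example, not the book’s own code; the group name, mail nickname and user principal name are placeholders.

```powershell
# Added example: create a role-assignable group and assign a built-in Entra role to it.
# Requires the Microsoft.Graph modules (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

# isAssignableToRole can only be set at creation time; it cannot be changed later.
# Role-assignable groups must use assigned membership, so no GroupTypes or
# MembershipRule values are supplied (that would make the group dynamic).
$group = New-MgGroup -DisplayName "Tier1-UserAdmins" `
    -Description "Delegated user administration (role-assignable)" `
    -MailNickname "tier1useradmins" `
    -MailEnabled:$false -SecurityEnabled `
    -IsAssignableToRole

# Confirm the property was honored before relying on the group for delegation.
Get-MgGroup -GroupId $group.Id -Property Id,DisplayName,IsAssignableToRole,GroupTypes |
    Select-Object DisplayName, IsAssignableToRole, GroupTypes

# Resolve the built-in role by display name, then assign it to the group
# tenant-wide (directoryScopeId "/").
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id `
    -RoleDefinitionId $roleDef.Id -DirectoryScopeId "/"

# Every member of the group now holds User Administrator. Membership of a
# role-assignable group is itself privileged: only Global Administrators,
# Privileged Role Administrators, or the group's owners can change it.
$member = Get-MgUser -UserId "[email protected]"   # placeholder UPN
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $member.Id

# Review what the group now confers.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```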

Managing Roles in the Microsoft 365 Admin Center

Roles can be easily managed within the Microsoft 365 admin center by expanding the navigation menu, expanding Roles, and then selecting Role assignments.

Figure 1.6: Role assignments

Roles are displayed across four tabs: Azure AD, Exchange, Intune, and Billing, as shown in Figure 1.7:

Figure 1.7: The Role assignments page

To add people to a role, simply select the role from the list, choose the Assigned tab, and then add either users or groups to the particular role.

Figure 1.8: Making role assignments

Depending on the role being granted through this interface, you may be able to use Microsoft 365 groups, role-assignable security groups, or mail-enabled security groups.

Managing Role Groups for Microsoft Defender, Microsoft Purview, and Microsoft 365 Workloads

Now that you’re familiar with role groups and concepts, you will learn how to manage roles for the following specific workload and feature areas of Microsoft 365:

Microsoft Defender
Microsoft Purview
Microsoft 365 workloads

There are some nuances of managing each that are covered in the following sub-sections.

Microsoft Defender

Like other products in the Microsoft 365 suite, Defender uses roles to manage groups of permissions for tasks. All of the Microsoft Defender roles can be administered from either the Entra admin center (https://entra.microsoft.com) or the Azure portal (https://portal.azure.com). Both interfaces also provide the ability to define custom roles or role groups. Microsoft 365 Defender also has a new RBAC model available. The Microsoft 365 Defender RBAC model is in preview and is subject to change.

Microsoft 365 Defender users can be configured to use either the global Entra ID roles or custom roles from the Microsoft 365 Defender portal. When using Entra ID’s global roles to assign permissions for Microsoft 365 Defender, it’s important to note that the Entra ID roles will grant access to multiple workloads.

By default, Global Administrators and Security Administrators have access to Microsoft 365 Defender features. To delegate individual administrative duties where a broader Microsoft 365 Defender role might not be appropriate for your organization’s needs, you can use custom roles, as shown in Figure 1.9:

Figure 1.9: Microsoft 365 Defender permissions

To create a custom role, follow these steps:

Navigate to the Microsoft 365 Defender portal (https://security.microsoft.com) with an account that is either a member of Global Administrators or Security Administrators.
In the navigation menu, select Permissions.
Click Create custom role.
On the Basics page, enter a Role name value and click Next.

Figure 1.10: Creating a new custom role

Select permissions from the available permissions groups. For example, select Security Operations, then choose the Select all read-only permissions radio button as shown in Figure 1.11, and click Apply. Then, click Next.

Figure 1.11: Selecting permissions

On the Assignments page, click Add assignment.

Figure 1.12: Adding user and data assignments

On the Add assignment page, enter an Assignment name value for this permissions assignment.
On the Add assignment page, select the data sources to which this assignment applies. You can select Choose all data sources (including current and future supported data sources) to make a broadly scoped role or select specific individual data sources.
On the Add assignment page, select which users or groups will be configured with this assignment, as shown in Figure 1.13. Click Add when finished.

Figure 1.13: Selecting assignment options

Add any other assignments if necessary and then click Next to continue.
On the Review and finish page, confirm the selections and then click Submit. See Figure 1.14.

Figure 1.14: Confirming configuration

Once roles and assignments have been configured, users can log in and view or manage the features to which they’ve been granted permission.

Further reading

For more information on the nuances of the Microsoft 365 Defender custom roles and available permissions, see https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-permissions-details.

Next, you will explore the roles and permissions for Microsoft Purview.

Microsoft Purview

Like Microsoft 365 Defender, Microsoft Purview can leverage both Entra ID global roles (available throughout the Microsoft 365 platform) as well as roles and role groups specifically designed for Microsoft Purview that are only available in Microsoft Purview. Some features (such as eDiscovery) can only be configured using the Purview-specific roles.

You can view the global Entra ID roles by navigating to the Microsoft Purview compliance center, expanding Roles & scopes, selecting Permissions, and then selecting Roles under Azure AD. See Figure 1.15:

Figure 1.15: Azure AD roles in Microsoft Purview permissions

The Microsoft Purview-specific roles can be seen in the Microsoft Purview compliance center (https://compliance.microsoft.com) by expanding Roles & scopes, selecting Permissions, and then selecting Roles under Microsoft Purview solutions. See Figure 1.16:

Figure 1.16: Microsoft Purview solutions roles

Like Microsoft 365 Defender, you can also create custom role groups for Microsoft Purview solutions. Microsoft Purview roles also support scoping with administrative units. Currently, the following features support administrative units:

| Solution or feature | Configuration areas |
| --- | --- |
| Data life cycle management | Retention policies, retention label policies, role groups |
| Data loss prevention (DLP) | DLP policies, role groups |
| Communications compliance | Adaptive scopes |
| Records management | Retention policies, retention label policies, adaptive scopes, role groups |
| Sensitivity labels | Sensitivity label policies, auto-labeling policies, role groups |

Table 1.3: Microsoft Purview support for administrative units

Next, you will review role groups for Microsoft 365 workloads and how they can be managed.

Microsoft 365 Workloads

The core Microsoft 365 workloads, such as Exchange Online and SharePoint Online, have built-in support for a number of role groups. In the case of Exchange Online, there are additional management roles that can be assigned within the Exchange admin center’s existing RBAC mechanisms. They’re only visible inside the Exchange service and only apply to Exchange-specific features.

Figure 1.17: Microsoft 365 workload roles

While many workloads will have a single role group (such as Kaizala Administrator or SharePoint Administrator), some workloads such as Teams have multiple role groups that can be used to further delegate administration. You can review the current list of roles available in the Microsoft 365 admin center by navigating to the admin center (https://admin.microsoft.com), expanding Roles, and selecting Role assignments.

Next, we’ll explore the role administrative units play in delegated administration.

Recommending When to Use Administrative Units

Administrative units are groups of users and devices that can be managed by specific administrators.

In an on-premises Active Directory setup, you can delegate administrative functions using the Delegation of Control wizard in Active Directory Users and Computers or Active Directory Administrative Center.

Unlike the hierarchical structure of on-premises Active Directory, Entra requires defining boundaries such as administrative units to delegate control. Administrative units are logical boundaries that can contain users, groups, and devices.

Administrative units in Entra can be role-scoped, allowing administrators to be granted specific roles (such as Helpdesk Administrator), thereby limiting their administrative capabilities to only the assigned administrative units.

Configuring and Managing Administrative Units

The easiest way to create and manage administrative units is through the Microsoft 365 admin center (though they can also be created and managed inside the Entra ID portal).

In this section, we’ll explore how to create and manage administrative units.

Creating Administrative Units

In this example, you will create an administrative unit called California that will be used to manage users who live and work in that geographical region. During creation, you will configure administrators to be able to perform role-scoped activities inside that administrative unit:

Navigate to the Microsoft 365 admin center (https://admin.microsoft.com) and log in with a global administrator credential.
Expand Roles and click Administrative units. If you don’t see Roles in the navigation menu, you may need to click Show all at the bottom of the menu to display all of the menu nodes (see Figure 1.18). Then, select +Add unit.

Figure 1.18: Administrative units page

On the Basics page, enter a Name value and a Description value for the administrative unit and click Next.

Figure 1.19: The Basics page

On the Add members sub-page, add any additional users to the administrative unit or click Next to proceed.

Figure 1.20: The Add members page

On the Assign admins to scoped roles page, review the roles listed. Not all roles can be scoped to administrative units. In this example, select the checkbox next to User Administrator and then click the role name itself to bring up its properties. See Figure 1.21.

Figure 1.21: Adding roles

On the User Administrator flyout, click the Assigned tab.

Figure 1.22: The User Administrator flyout

Click Add users or Add groups to assign administrators to this role. Click Close when finished.

Figure 1.23: Adding users to a role

On the Assign admins to scoped roles page, click Next.
On the Review and finish page, review your selections and then click Add.
Click Done to return to the Administrative units page.

One of the features of role-scoped administration is the ability to limit what objects can be impacted by a particular administrator. As you noticed during the configuration, only a subset of the roles available in the tenant honor administrative unit scoping. You may want to periodically review your administrative unit configuration to see whether any additional scoped roles are available to be added to it. This will be discussed next.
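The same California administrative unit, populated and given a role-scoped User Administrator, can be built with the Microsoft Graph PowerShell SDK. This is an added example rather than the book’s code; the state filter, AU name and helpdesk user principal name are placeholders.

```powershell
# Added example: create an administrative unit, add members, and scope a role to it.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "User.Read.All", "RoleManagement.ReadWrite.Directory"

$au = New-MgDirectoryAdministrativeUnit -DisplayName "California" `
    -Description "Users who live and work in California"

# Add each user whose State attribute is CA (placeholder filter). Adding a group
# would only bring the group object itself into scope, not its members, so users
# are added individually.
$caUsers = Get-MgUser -Filter "state eq 'CA'" -All -Property Id,UserPrincipalName,State
foreach ($u in $caUsers) {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($u.Id)" }
}

# Scope the role to the AU instead of the whole tenant: the directoryScopeId is
# the AU path rather than "/". The principal is a helpdesk user here; a
# role-assignable group works the same way.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$admin   = Get-MgUser -UserId "[email protected]"   # placeholder UPN
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $admin.Id `
    -RoleDefinitionId $roleDef.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# Verification: who is in scope, and which assignments are bound to this AU.
Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All |
    ForEach-Object { $_.AdditionalProperties["userPrincipalName"] }
Get-MgRoleManagementDirectoryRoleAssignment -Filter "directoryScopeId eq '/administrativeUnits/$($au.Id)'" |
    Select-Object PrincipalId, RoleDefinitionId, DirectoryScopeId
```

The scoped administrator can reset passwords and edit profiles only for the AU’s members; any tenant-wide role the same person also holds (see the note above about Exchange or SharePoint Administrator) is unaffected by the AU boundary.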

Viewing and Updating Administrative Units

After you create administrative units, you can review them and modify their members and administrators from either the Azure AD portal or the Microsoft 365 admin center under Roles | Administrative units.

Figure 1.24: Viewing administrative units

By selecting a group, you can assign users and groups to the administrative unit.

While you can assign groups to administrative units, this does not automatically add the group member objects to the administrative scope—it only enables managing the properties of the group itself. You need to add the members of the group to the administrative unit separately in order for them to also be in scope.

Note

Dynamic administrative units are a preview feature that allows you to use filters and queries to automatically populate administrative units. Like dynamic groups, dynamic administrative units can only have one object type (either users or devices). Dynamic administrative units can only be configured in the Entra ID portal at this time. This feature is not available in GCC High currently.

When setting up administrative structures and delegation in your organization, ensure that you understand the limits of scoping controls. For example, if you assign an administrator to both an administrative unit and a role such as Exchange or SharePoint Administrator, they can modify users within their administrative unit. However, they might also be able to change application settings that impact all users across the entire tenant.

Note

Exchange Online features additional RBAC scoping controls to offer finer-grained administration delegation.

Next, we’ll look at a few ways to retrieve permissions data for Microsoft Entra roles.

Evaluating Effective Permissions for Microsoft Entra Roles

When it comes to managing permissions and roles in Entra ID, it’s important to understand that Entra role assignments are based on an additive model. This means that your effective permissions are the sum of all your role assignments.

You can explore the output of all role assignments (including privileged assignment escalations) in the Entra admin center (https://entra.microsoft.com) by expanding Identity, selecting Roles & admins, and then clicking Download assignments.

Figure 1.25: Downloading role assignment data

You can also explore the Entra admin center on a per-role basis and look for groups with memberships. The Assignments column only shows active roles, so it’s recommended to periodically review them.

Further reading

The Microsoft 365 admin center and Entra admin center don’t provide a great interface to be able to see all role assignments at a glance. To get this information, you’ll have to resort to either PowerShell or the Microsoft Graph API. To make this task a little easier, you can use a tool such as Vasil Michev’s role reporting script: https://github.com/michevnew/PowerShell/blob/master/AADRolesInventory-Graph.ps1.
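The additive model means a user’s effective roles are the union of direct assignments, assignments inherited through role-assignable groups, and any PIM eligibilities. The following added inventory script (not the book’s code and not the script linked above) expands all three and groups the result per user; PIM eligibility queries assume Entra ID P2.

```powershell
# Added example: compute effective Entra role assignments per user.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Map role definition IDs to display names once.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Active assignments plus PIM-eligible ones (eligibility is the "escalation" case:
# the user can activate the role on demand).
$active   = Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty Principal
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -ExpandProperty Principal

$rows = [System.Collections.Generic.List[object]]::new()

function Add-Row($upn, $role, $scope, $via, $state) {
    $rows.Add([pscustomobject]@{ User = $upn; Role = $role; Scope = $scope; Via = $via; State = $state })
}

function Expand-Assignment($a, $state) {
    $role  = $roleNames[$a.RoleDefinitionId]
    $scope = $a.DirectoryScopeId   # "/" = tenant-wide, "/administrativeUnits/<id>" = AU-scoped
    $p     = $a.Principal
    switch ($p.AdditionalProperties["@odata.type"]) {
        "#microsoft.graph.user" {
            Add-Row ($p.AdditionalProperties["userPrincipalName"]) $role $scope "Direct" $state
        }
        "#microsoft.graph.group" {
            # Additive model: every transitive user member inherits the group's assignment.
            $gname = $p.AdditionalProperties["displayName"]
            Get-MgGroupTransitiveMember -GroupId $p.Id -All |
                Where-Object { $_.AdditionalProperties["@odata.type"] -eq "#microsoft.graph.user" } |
                ForEach-Object { Add-Row ($_.AdditionalProperties["userPrincipalName"]) $role $scope "Group: $gname" $state }
        }
        default {
            # Service principals and other object types are reported by object ID.
            Add-Row $p.Id $role $scope ($p.AdditionalProperties["@odata.type"]) $state
        }
    }
}

foreach ($a in $active)   { Expand-Assignment $a "Active" }
foreach ($e in $eligible) { Expand-Assignment $e "Eligible" }

# Effective permissions per user are the union of everything collected above.
$rows | Sort-Object User, Role | Group-Object User | ForEach-Object {
    [pscustomobject]@{
        User  = $_.Name
        Roles = ($_.Group | ForEach-Object { "$($_.Role) [$($_.Scope)] ($($_.State), $($_.Via))" }) -join "; "
    }
} | Format-Table -AutoSize -Wrap

# Hygiene check: anyone holding Global Administrator tenant-wide, by any path.
$rows | Where-Object { $_.Role -eq "Global Administrator" -and $_.Scope -eq "/" }
```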

Next, we’ll shift gears to configuring a tenant to support custom (sometimes called vanity) domains.

Configuring and Managing Custom Domains

The managed domain you choose when provisioning a tenant remains integral to the Microsoft 365 tenant throughout its entire life cycle. It functions as a fully operational domain namespace, equipped with a Microsoft-managed publicly available domain name. However, most organizations prefer to use their own domain names for activities such as email communication and Microsoft Teams interactions.

Note

Custom Domain Name System (DNS) records cannot be added to the Microsoft-managed namespace.

Organizations can add any public domain name to their Microsoft 365 tenant. Microsoft supports the configuration of up to 5,000 domains within a single tenant. This includes both top-level domains (for example, contoso.com) and subdomains (for example, businessunit1.contoso.com or businessunit2.contoso.com).

Acquiring a Domain Name

Most organizations come to Microsoft 365 with existing domain names. Those domain names can easily be added to your tenant. In addition, you can purchase new domain names to be associated with your tenant.

Third-Party Registrar

Most large organizations have existing relationships with third-party domain registrars, such as Network Solutions or GoDaddy. You can use any ICANN-accredited registrar for your region to purchase domain names.

About ICANN

The Internet Corporation for Assigned Names and Numbers (ICANN) is a non-profit organization established in 1998 to provide guidance and policy for the internet’s unique identifiers, including domain names. Before ICANN’s formation, Network Solutions managed the global DNS registry under a subcontract from the United States Defense Information Systems Agency.

You can start your search for a domain with a registrar. A partial list of domain registrars is available here: https://www.icann.org/en/accredited-registrars.

Microsoft

Some organizations may wish to use Microsoft as the registrar. Depending on your subscription, you may be able to purchase domains from within the Microsoft 365 admin center, as shown in Figure 1.26:

Figure 1.26: Purchasing a domain through the Microsoft 365 admin center

When purchasing a domain through the Microsoft admin center, you may be able to purchase directly from Microsoft or may be redirected to a traditional domain registrar partner. Also, if you’ve purchased Microsoft 365 through a partner, you may be redirected to the partner’s website, depending on their relationship with Microsoft. If purchasing directly from Microsoft, you can select from the following top-level domains:

.biz
.com
.info
.me
.mobi
.net
.tv
.co.uk
.org.uk

Domain purchases are billed separately from your Microsoft 365 subscription services. When purchasing a domain from Microsoft, you’ll have very limited ability to manage DNS records. If you require custom DNS record configuration (such as configuring a mail exchanger (MX) record to point to a third-party mail gateway), you’ll want to purchase your domains separately.

Configuring a Domain Name

Configuring a domain for your tenant is straightforward and requires access to your organization’s public DNS service provider. Some large organizations host and manage their own DNS, while others opt to use external service providers, such as domain registrars, to provide these services.

Tip

If you’re unsure of where the DNS for your domain is hosted, you can use a service such as https://www.whois.com.

In order to be compatible with Microsoft 365, a DNS service must support configuring the following types of records:

Canonical Name (CNAME): CNAME records are alias records for a domain, allowing a name to point to another name as a reference. For example, let’s say you build a site named www.contoso.com on a web server. That site resolves to an IP address of 1.2.3.4. Later, your organization decides to develop sites for each region and you build websites for na.contoso.com, eu.contoso.com, and ap.contoso.com on that same server. You might then implement a CNAME record for www.contoso.com to point to na.contoso.com.

Text (TXT): A TXT record is a DNS record used to store unstructured information. Request for Comments (RFC) 1035 (https://tools.ietf.org/html/rfc1035) specifies that the value must be text strings but gives no specific format for the data. Over the years, Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), Domain-Based Message Authentication, Reporting, and Conformance (DMARC), and other authentication and verification data have used specially crafted TXT records to hold data. The Microsoft 365 domain verification process requires the administrator to place a certain value in a TXT record to confirm ownership of the domain.

Service Location (SRV): An SRV record is used to specify a hostname together with a port for a particular internet protocol or service.

MX: The MX record is used to identify which hosts (servers or other appliances, services, or endpoints) are responsible for processing mail for a domain.

In order to use a custom domain (sometimes referred to as a vanity domain) with Microsoft 365, you’ll need to add it to your tenant.

To add a custom domain, follow these steps:

Navigate to the Microsoft 365 admin center (https://admin.microsoft.com) and log in.

Expand Settings and select Domains, as shown in Figure 1.27:

Figure 1.27: The Domains page of the Microsoft 365 admin center

Click Add domain.

On the Add domain page, enter the custom domain name you wish to add to your tenant. Select Use this domain to continue. See Figure 1.28.

Figure 1.28: The Add a domain page

If your domain is registered at a host that supports Domain Connect, you can click Verify and then enter your registrar’s credentials, as shown in Figure 1.29. Microsoft will automatically configure the necessary domain records on your behalf.

Figure 1.29: Authorizing Domain Connect with GoDaddy to update DNS records

You can also select More options to see all the potential verification methods available:

If you are using a registrar that supports Domain Connect, you can enter the credentials for your registrar. When ready, click Connect.

If you select More options, you will be presented with manual configuration choices. The default option (if your domain supports Domain Connect) will be to have the Microsoft 365 wizard update your organization’s DNS records at the registrar. If you are going to be configuring advanced scenarios (such as Exchange Hybrid for mail coexistence and migration) or have other complex requirements, you may want to consider managing the DNS records manually or opting out of select services. If you choose to add your own domain records, you’ll be presented with the values you need to configure.

If you choose any of the additional verification options (such as Add a TXT record to the domain’s DNS records), you’ll need to manually add DNS records through your DNS service provider. Microsoft provides the values necessary for you to configure records with your own service provider. After configuring the entries with your service provider, you can come back to the wizard and select Verify, as shown in Figure 1.30:

Figure 1.30: Completing verification records manually

If you are creating records manually, it may take anywhere from 10 minutes to 48 hours for the wizard to be able to detect the records.
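The record types described earlier (TXT, MX, CNAME) are exactly what the wizard looks for, so it is worth checking what your zone already publishes before and after verification. The following Python pre-flight check is an added example and is not code from the book or from Microsoft. It works on a constructed in-memory copy of a zone (the records a registrar's DNS panel would show) so it runs offline; the TXT verification value is a placeholder standing in for the one the Add domain wizard displays, and the Exchange Online Protection MX suffix, the Autodiscover target and the SPF include are assumed from the values Microsoft publishes for its service.

```python
"""Pre-flight check of a public DNS zone for a Microsoft 365 custom domain.

Added example with a constructed zone. Placeholder values are marked as such.
"""
from dataclasses import dataclass

# Placeholder for the value the Add domain wizard tells you to publish (constructed).
VERIFICATION_TXT = "MS=ms12345678"

# Assumed from Microsoft's published DNS values for Exchange Online.
EOP_MX_SUFFIX = ".mail.protection.outlook.com"
AUTODISCOVER_TARGET = "autodiscover.outlook.com"
SPF_INCLUDE = "include:spf.protection.outlook.com"


@dataclass(frozen=True)
class Record:
    name: str    # fully qualified owner name, e.g. "contoso.com"
    rtype: str   # "TXT", "MX", "CNAME", "SRV"
    value: str   # record data as shown by the DNS provider


def records_of(zone, name, rtype):
    """All records with the given owner name and type (both compared case-insensitively)."""
    return [r for r in zone
            if r.name.lower() == name.lower() and r.rtype.upper() == rtype.upper()]


def check_verification(zone, domain, expected):
    """True when the wizard's ownership TXT value is published at the zone apex."""
    return any(r.value == expected for r in records_of(zone, domain, "TXT"))


def check_mx(zone, domain):
    """Classify the MX state as 'none', 'eop' or 'other'.

    'other' means a mail service outside Exchange Online Protection currently
    receives this domain's mail; rewriting the MX record would cut delivery over.
    """
    mx = records_of(zone, domain, "MX")
    if not mx:
        return "none"
    # MX data is "<preference> <host>"; drop the trailing dot of an FQDN.
    hosts = [r.value.split()[-1].rstrip(".").lower() for r in mx]
    return "eop" if all(h.endswith(EOP_MX_SUFFIX) for h in hosts) else "other"


def check_spf(zone, domain):
    """Return (exactly_one_spf, includes_eop, ends_with_hard_fail).

    A domain must publish exactly one v=spf1 TXT record; zero or several are
    both treated as invalid by receiving mail systems.
    """
    spf = [r.value for r in records_of(zone, domain, "TXT")
           if r.value.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return (False, False, False)
    terms = spf[0].lower().split()
    return (True, SPF_INCLUDE in terms, terms[-1] == "-all")


def check_autodiscover(zone, domain):
    """True when autodiscover.<domain> is a CNAME to Microsoft's Autodiscover host."""
    cnames = records_of(zone, f"autodiscover.{domain}", "CNAME")
    return any(r.value.rstrip(".").lower() == AUTODISCOVER_TARGET for r in cnames)


def preflight(zone, domain, expected_txt):
    """Summarize what is published and flag what would change if mail records are rewritten."""
    mx_state = check_mx(zone, domain)
    one_spf, spf_eop, spf_hard = check_spf(zone, domain)
    report = {
        "verified": check_verification(zone, domain, expected_txt),
        "mx": mx_state,
        "spf_includes_eop": spf_eop,
        "autodiscover_ok": check_autodiscover(zone, domain),
        "warnings": [],
    }
    if mx_state == "other":
        report["warnings"].append(
            "MX points to a non-EOP host: an existing mail service receives this "
            "domain's mail, so do not let the wizard rewrite the mail records yet")
    if not one_spf:
        report["warnings"].append("zero or multiple v=spf1 TXT records; exactly one is required")
    elif not spf_eop:
        report["warnings"].append(f"SPF does not contain {SPF_INCLUDE}")
    elif not spf_hard:
        report["warnings"].append("SPF does not end with -all")
    return report


# Constructed zone: domain verified, but mail still flows to an on-premises server.
ONPREM_ZONE = [
    Record("contoso.com", "TXT", VERIFICATION_TXT),
    Record("contoso.com", "TXT", "v=spf1 ip4:203.0.113.25 -all"),
    Record("contoso.com", "MX", "10 mail.contoso.com."),
    Record("autodiscover.contoso.com", "CNAME", "mail.contoso.com."),
]

# Constructed zone after the Exchange Online records have been published.
CLOUD_ZONE = [
    Record("contoso.com", "TXT", VERIFICATION_TXT),
    Record("contoso.com", "TXT", "v=spf1 include:spf.protection.outlook.com -all"),
    Record("contoso.com", "MX", "0 contoso-com.mail.protection.outlook.com."),
    Record("autodiscover.contoso.com", "CNAME", "autodiscover.outlook.com."),
]

if __name__ == "__main__":
    for label, zone in (("on-premises mail", ONPREM_ZONE), ("Exchange Online", CLOUD_ZONE)):
        print(label, preflight(zone, "contoso.com", VERIFICATION_TXT))
```

Running the script against the first constructed zone reports the domain as verified but warns that the MX record belongs to another mail service and that the SPF record lacks the Exchange Online include, which is the situation in which you would keep managing the mail records yourself; the second zone produces no warnings. To use it against a real domain, replace the constructed lists with the records exported from your DNS provider and the placeholder TXT value with the one the wizard shows you.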

After the domain has been verified, proceed to the Connect domain page. Depending on your choices and whether you’re using a Domain Connect provider, you may have the option to apply the Let Microsoft add your DNS records setting to support your organization’s services. If you choose the default option for letting Microsoft handle the records, you’ll be presented with a series of choices. Each choice represents a service that Microsoft can configure. Click Advanced options (Figure 1.31) to expand the choices. The different options are described here:

The first checkbox, Exchange and Exchange Online Protection, manages DNS settings for Outlook and email delivery. If you have an existing on-premises Exchange Server deployment (or another mail service solution), you should clear this checkbox before continuing as you’ll need custom DNS settings. The default selected option means that Microsoft will make the following updates to your organization’s DNS:

Your organization’s MX record will be updated to point to Exchange Online Protection. If you have an existing mail service, this will break delivery to that service.

The Exchange Autodiscover record will be updated to point to autodiscover.outlook.com.

Microsoft will update your organization’s SPF record with v=spf1 include:spf.protection.outlook.com -all.

Figure 1.31: Adding DNS records

The second setting, Skype for Business