Microsoft SC-300 - Microsoft Identity and Access Administrator

According to the Microsoft SC-300: Microsoft Identity and Access Administrator Study Guide and official Microsoft Learn documentation (“Configure how end-users consent to applications”) , application consent management in Microsoft Entra ID is governed by the Admin consent settings under Enterprise applications → Consent and permissions → User consent settings.

By default, users can grant delegated permissions to apps, but organizations often need to restrict which permissions users may consent to — for example, allowing consent only to low-impact permissions like User.Read (basic profile information).

Microsoft Documentation Reference:

“In the Admin consent settings, you can control how end users grant consent to applications. You can limit user consent to low-risk permissions, such as permissions that only allow apps to access the user’s basic profile data.”

The configuration steps outlined in Microsoft’s official SC-300 training materials are:

In the Entra admin center, go to Enterprise applications → Consent and permissions → User consent settings.

Under User consent for applications, choose Allow user consent for apps from verified publishers for selected permissions (recommended).

Under Select permissions to allow, specify User.Read and User.ReadBasic.All, which correspond to User.Read and User.Read profile delegated permissions.

This ensures that users can only consent to applications accessing their basic profile data and no additional permissions beyond what’s explicitly approved.

Why not the other options:

A. Security defaults: Controls basic security policies (e.g., MFA, legacy authentication) — unrelated to app consent.

C. Permission classifications: Used for labeling permission risk levels but doesn’t enforce consent behavior.

D. Identity Protection settings: Related to risky user or sign-in detections, not app consent control.

The issue described is that disabled on-premises AD accounts can still authenticate to Azure AD for up to 30 minutes. This behavior occurs when Password Hash Synchronization (PHS) is used, as authentication happens directly against the cloud copy of the password hash, which syncs periodically (every 30 minutes by default).

The proposed solution — configuring password writeback — allows users to reset or change their on-premises password from Azure AD (via self-service password reset). However, it does not affect the authentication flow or timing of disabled account status replication between AD and Azure AD.

From Microsoft documentation:

“Password writeback enables users to reset their on-premises passwords from the cloud but does not impact authentication or account disable synchronization.”

Therefore, configuring password writeback does not prevent a disabled user from authenticating in Azure AD until the next sync occurs.

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and Microsoft Learn module “Implement and Manage Microsoft Entra Connect” , when organizations need authentication to always validate user passwords directly against the on-premises Ac tive Directory Domain Services (AD DS) environment, the correct configuration is Pass-through Authentication (PTA).

Here’s why:

Pass-through Authentication (PTA) ensures that when a user attempts to sign in to Microsoft Entra ID (formerly Azure AD), their credentials are not validated in the cloud. Instead, the authentication request is securely passed to an on-premises authentication agent, which validates the credentials against the on-premises AD DS domain controller in real time.

This configuration provides an immediate reflection of on-premises account states — if an account is disabled, locked, or the password is changed, those changes take effect instantly for cloud authentication as well.

To configure PTA, you must use Microsoft Entra Connect, which is the hybrid identity synchronization tool that links on-premises directories to Microsoft Entra ID. During Entra Connect setup, administrators can choose between Password Hash Synchronization, Pass-through Authentication, or Federation as the sign-in method.

Microsoft documentation explicitly states:

“Pass-through Authentication allows users to sign in to both on-premises and cloud-based applications using the same passwords. Authentication occurs against your on-premises Active Directory.”

Therefore, to meet the requirement that authentication always validates passwords against the on-premises AD DS domain:

ï‚· User1 can perform an access review for User1: No

ï‚· User1 can perform an access review for Managed2: Yes

ï‚· User1 can perform an access review for User3: Yes

In this scenario, an access review named Review1 has been configured for Group1, with the following conditions:

Review scope: Teams + Groups

Group: Group1

Scope: All users

Reviewers: Group owner(s)

Fallback reviewers: None

From the configuration, the reviewers of the access review are the owners of Group1 — namely User1 and User4. Therefore, both of these users are authorized to review all members of Group1.

Group1 includes the following members:

User1 (User, also owner)

Managed2 (Managed identity)

Group2 (which includes User3)

Since the scope is set to All users, it includes both internal and external members. However, the SC-300 materials emphasize that reviewers cannot review their own access; Microsoft Learn states:

“Reviewers cannot approve or deny their own access in an access review, even if they are members of the group under review.”

Therefore:

User1 cannot review themselves → No

User1 can review Managed2 → Yes, because Managed2 is a member of Group1

User1 can review User3 → Yes, because User3 is a member of Group2, and Group2 is itself a member of Group1, meaning User3’s membership is indirectly part of the review scope

This behavior aligns with SC-300 guidance that nested group members are included when the review scope is “All users,” and reviewers (owners) can assess all included members except themselves.

SC-300 teaches that group-based licensing supports security groups and Microsoft 365 groups, with assigned or dynamic user membership. The guide states: “Licenses can be assigned to groups whose members are users ; nested groups aren’t processed and devices cannot be licensed .” Applying this to the table: Group1 (Security-Assigned) and Group2 (Security-Dynamic User) are valid; Group4 (Microsoft 365-Assigned) and Group5 (Microsoft 365-Dynamic User) are also valid. Group3 is a Security-Dynamic Device group and therefore ineligible because “device objects do not receive user licenses.” Consequently, the Office 365 E5 license can be assigned directly to Group1, Group2, Group4, and Group5 only.

According to the official Microsoft Identity and Access Administrator (SC-300) Study Guide and the Azure Active Directory documentation under “Enable and configure self-service password reset (SSPR)”, when self-service password reset is enabled, the available authentication methods depend on the user’s role within Azure AD. Specifically, administrative roles require stronger authentication methods than regular users.

The Microsoft documentation states:

“Security questions are available only to users who are not administrators. Any user assigned an administrative role must use secure authentication methods such as email, mobile app, or phone verification.”

This restriction ensures that privileged accounts (e.g., User Administrator, Password Administrator, Global Administrator, Security Administrator, etc.) use stronger, phishing-resistant recovery options.

In the provided table:

User1 (User Administrator) and User2 (Password Administrator) are administrators — they cannot use security questions for SSPR.

User3 (Security Reader) and User4 (User) are non-administrative roles, therefore, they can use security questions when resetting their passwords.

Hence, only User3 and User4 will be required to answer security questions during password reset.

ï‚· The users must first: Register for multi-factor authentication (MFA)

ï‚· You must configure: A user risk policy

According to Microsoft SC-300 official learning materials and Exam Ref SC-300: Microsoft Identity and Access Administrator , when the requirement is to address the probability that user identities were compromised, the appropriate feature is Azure AD Identity Protection. Identity Protection detects risky sign-ins and risky users through continuous analysis of login behavior, location, device, and credential exposure signals.

Two types of policies can be created:

Sign-in risk policy – Triggers actions based on suspicious sign-in behavior (for example, unfamiliar location).

User risk policy – Triggers actions when the user’s overall identity is deemed at risk (for example, compromised credentials).

The documentation specifies:

“When user risk is detected, the policy can require the user to change their password to remediate the risk. Users must first be registered for MFA to perform secure password change operations.”

Therefore, before the user risk policy can be enforced, users must be enrolled in multi-factor authentication (MFA). MFA is used during the remediation step (password change) to verify the user’s identity securely.

Thus, to meet the requirement for “the probability that user identities were compromised,” you configure a user risk policy in Azure AD Identity Protection, and ensure that users first register for MFA so that they can complete password change or verification flows when risks are detected.