Study guide for Exam SC-300: Microsoft Identity and Access Administrator
Purpose of this document
This study guide should help you understand what to expect on the exam and includes a summary of the topics the exam might cover and links to additional resources. The information and materials in this document should help you focus your studies as you prepare for the exam.
| Useful links | Description |
|---|---|
| Review the skills measured as of January 31, 2024 | This list represents the skills measured AFTER the date provided. Study this list if you plan to take the exam AFTER that date. |
| Review the skills measured prior to January 31, 2024 | Study this list of skills if you take your exam PRIOR to the date provided. |
| Change log | You can go directly to the change log if you want to see the changes that will be made on the date provided. |
| How to earn the certification | Some certifications only require passing one exam, while others require passing multiple exams. |
| Certification renewal | Microsoft associate, expert, and specialty certifications expire annually. You can renew by passing a free online assessment on Microsoft Learn. |
| Your Microsoft Learn profile | Connecting your certification profile to Microsoft Learn allows you to schedule and renew exams and share and print certificates. |
| Exam scoring and score reports | A score of 700 or greater is required to pass. |
| Exam sandbox | You can explore the exam environment by visiting our exam sandbox. |
| Request accommodations | If you use assistive devices, require extra time, or need modification to any part of the exam experience, you can request an accommodation. |
| Take a free Practice Assessment | Test your skills with practice questions to help you prepare for the exam. |
Updates to the exam
Our exams are updated periodically to reflect skills that are required to perform a role. We have included two versions of the Skills Measured objectives depending on when you are taking the exam.
We always update the English language version of the exam first. Some exams are localized into other languages, and those are updated approximately eight weeks after the English version is updated. Although Microsoft makes every effort to update localized versions as noted, there may be times when the localized versions of an exam are not updated on this schedule. Other available languages are listed in the Schedule Exam section of the Exam Details webpage. If the exam isn't available in your preferred language, you can request an additional 30 minutes to complete the exam.
Note
The bullets that follow each of the skills measured are intended to illustrate how we are assessing that skill. Related topics may be covered in the exam.
Note
Most questions cover features that are general availability (GA). The exam may contain questions on Preview features if those features are commonly used.
Skills measured as of January 31, 2024
Audience profile
As a Microsoft identity and access administrator, you design, implement, and operate an organization’s identity and access management by using Microsoft Entra ID. You configure and manage the full cycle of identities for:
Users
Devices
Microsoft Azure resources
Applications
As an identity and access administrator, you provide seamless experiences and self-service management capabilities for users. You plan and implement identity, authorization, and access to connect applications and resources in Azure. You’re also responsible for troubleshooting, monitoring, and reporting on identity and access. You collaborate with many other roles in the organization to:
Drive strategic identity projects.
Modernize identity solutions.
Implement hybrid identity solutions.
Implement identity governance.
You should be familiar with Azure, Microsoft 365 services and workloads, and Active Directory Domain Services (AD DS). You should have experience:
Automating the management of Microsoft Entra ID using PowerShell.
Analyzing events using Kusto Query Language (KQL).
Skills at a glance
Implement and manage user identities (20–25%)
Implement authentication and access management (25–30%)
Plan and implement workload identities (20–25%)
Plan and implement identity governance (20–25%)
Implement and manage user identities (20–25%)
Configure and manage a Microsoft Entra tenant
Configure and manage built-in and custom Microsoft Entra roles
Recommend when to use administrative units
Configure and manage administrative units
Evaluate effective permissions for Microsoft Entra roles
Configure and manage custom domains
Configure Company branding settings
Configure tenant properties, user settings, group settings, and device settings
Create, configure, and manage Microsoft Entra identities
Create, configure, and manage users
Create, configure, and manage groups
Manage custom security attributes
Automate the management of users and groups by using PowerShell
Assign, modify, and report on licenses
Implement and manage identities for external users and tenants
Manage External collaboration settings in Microsoft Entra ID
Invite external users, individually or in bulk
Manage external user accounts in Microsoft Entra ID
Implement Cross-tenant access settings
Implement and manage cross-tenant synchronization
Configure identity providers, including SAML and WS-Fed
Create and manage a Microsoft Entra B2C tenant (Microsoft Entra External ID)
Implement and manage hybrid identity
Implement and manage Microsoft Entra Connect
Implement and manage Microsoft Entra Connect cloud sync
Implement and manage password hash synchronization
Implement and manage pass-through authentication
Implement and manage seamless single sign-on (SSO)
Implement and manage federation, excluding manual Active Directory Federation Services (AD FS) deployments
Implement and manage Microsoft Entra Connect Health
Troubleshoot synchronization errors
Implement authentication and access management (25–30%)
Plan, implement, and manage Microsoft Entra user authentication
Plan for authentication
Implement and manage authentication methods
Implement and manage tenant-wide Multi-factor Authentication (MFA) settings
Manage per-user MFA settings
Configure and deploy self-service password reset (SSPR)
Implement and manage Windows Hello for Business
Disable accounts and revoke user sessions
Implement and manage password protection and smart lockout
Enable Microsoft Entra Kerberos authentication for hybrid identities
Implement certificate-based authentication in Microsoft Entra
Plan, implement, and manage Microsoft Entra Conditional Access
Plan Conditional Access policies
Implement Conditional Access policy assignments
Implement Conditional Access policy controls
Test and troubleshoot Conditional Access policies
Implement session management
Implement device-enforced restrictions
Implement continuous access evaluation
Create a Conditional Access policy from a template
Manage risk by using Microsoft Entra ID Protection
Implement and manage user risk policies
Implement and manage sign-in risk policies
Implement and manage MFA registration policies
Monitor, investigate and remediate risky users
Monitor, investigate, and remediate risky workload identities
Implement access management for Azure resources by using Azure roles
Create custom Azure roles, including both control plane and data plane permissions
Assign built-in and custom Azure roles
Evaluate effective permissions for a set of Azure roles
Assign Azure roles to enable Microsoft Entra ID login to Azure virtual machines
Configure Azure Key Vault role-based access control (RBAC) and access policies
Plan and implement workload identities (20–25%)
Plan and implement identities for applications and Azure workloads
Select appropriate identities for applications and Azure workloads, including managed identities, service principals, user accounts, and managed service accounts
Create managed identities
Assign a managed identity to an Azure resource
Use a managed identity assigned to an Azure resource to access other Azure resources
Plan, implement, and monitor the integration of enterprise applications
Configure and manage user and admin consent
Discover apps by using AD FS application activity reports
Plan and implement settings for enterprise applications, including application-level and tenant-level settings
Assign appropriate Microsoft Entra roles to users to manage enterprise applications
Monitor and audit activity in enterprise applications
Design and implement integration for on-premises apps by using Microsoft Entra Application Proxy
Design and implement integration for software as a service (SaaS) apps
Assign, classify, and manage users, groups, and app roles for enterprise applications
Create and manage application collections
Plan and implement app registrations
Plan for app registrations
Create app registrations
Configure app authentication
Configure API permissions
Create app roles
Manage and monitor app access by using Microsoft Defender for Cloud Apps
Configure and analyze cloud discovery results by using Defender for Cloud Apps
Configure connected apps
Implement application-enforced restrictions
Configure Conditional Access app control
Create access and session policies in Defender for Cloud Apps
Implement and manage policies for OAuth apps
Manage the Cloud app catalog
Plan and implement identity governance (20–25%)
Plan and implement entitlement management in Microsoft Entra
Plan entitlements
Create and configure catalogs
Create and configure access packages
Manage access requests
Implement and manage terms of use (ToU)
Manage the lifecycle of external users
Configure and manage connected organizations
Plan, implement, and manage access reviews in Microsoft Entra
Plan for access reviews
Create and configure access reviews
Monitor access review activity
Manually respond to access review activity
Plan and implement privileged access
Plan and manage Azure roles in Microsoft Entra Privileged Identity Management (PIM), including settings and assignments
Plan and manage Azure resources in PIM, including settings and assignments
Plan and configure privileged access groups
Manage the PIM request and approval process
Analyze PIM audit history and reports
Create and manage break-glass accounts
Monitor identity activity by using logs, workbooks, and reports
Design a strategy for monitoring Microsoft Entra
Review and analyze sign-in, audit, and provisioning logs by using the Microsoft Entra admin center
Configure diagnostic settings, including configuring destinations such as Log Analytics workspaces, storage accounts, and event hubs
Monitor Microsoft Entra by using KQL queries in Log Analytics
Analyze Microsoft Entra by using workbooks and reporting
Monitor and improve the security posture by using Identity Secure Score
Plan and implement Microsoft Entra Permissions Management
Onboard Azure subscriptions to Permissions Management
Evaluate and remediate risks relating to Azure identities, resources, and tasks
Evaluate and remediate risks relating to Azure highly privileged roles
Evaluate and remediate risks relating to Permissions Creep Index (PCI) in Azure
Configure activity alerts and triggers for Azure subscriptions
Study resources
We recommend that you train and get hands-on experience before you take the exam. We offer self-study options and classroom training as well as links to documentation, community sites, and videos.
Change log
Key to understanding the table: The topic groups (also known as functional groups) are in bold typeface followed by the objectives within each group. The table is a comparison between the two versions of the exam skills measured and the third column describes the extent of the changes.
| Skill area prior to January 31, 2024 | Skill area as of January 31, 2024 | Change |
|---|---|---|
| Audience profile | Minor | |
| Implement and manage user identities | Implement and manage user identities | No change |
| Configure and manage a Microsoft Entra tenant | Configure and manage a Microsoft Entra tenant | No change |
| Create, configure, and manage Microsoft Entra identities | Create, configure, and manage Microsoft Entra identities | No change |
| Implement and manage identities for external users and tenants | Implement and manage identities for external users and tenants | No change |
| Implement and manage hybrid identity | Implement and manage hybrid identity | No change |
| Implement authentication and access management | Implement authentication and access management | No change |
| Plan, implement, and manage Microsoft Entra ID user authentication | Plan, implement, and manage Microsoft Entra user authentication | Minor |
| Plan, implement, and manage Microsoft Entra Conditional Access | Plan, implement, and manage Microsoft Entra Conditional Access | No change |
| Manage risk by using Microsoft Entra Identity Protection | Manage risk by using Microsoft Entra ID Protection | Minor |
| Implement access management for Azure resources by using Azure roles | Implement access management for Azure resources by using Azure roles | No change |
| Plan and implement workload identities | Plan and implement workload identities | No change |
| Plan and implement identities for applications and Azure workloads | Plan and implement identities for applications and Azure workloads | No change |
| Plan, implement, and monitor the integration of enterprise applications | Plan, implement, and monitor the integration of enterprise applications | No change |
| Plan and implement application registrations | Plan and implement application registrations | No change |
| Manage and monitor app access by using Microsoft Defender for Cloud Apps | Manage and monitor app access by using Microsoft Defender for Cloud Apps | No change |
| Plan and implement identity governance | Plan and implement identity governance | No change |
| Plan and implement entitlement management in Microsoft Entra | Plan and implement entitlement management in Microsoft Entra | No change |
| Plan, implement, and manage access reviews in Microsoft Entra | Plan, implement, and manage access reviews in Microsoft Entra | No change |
| Plan and implement privileged access | Plan and implement privileged access | No change |
| Monitor identity activity by using logs, workbooks, and reports | Monitor identity activity by using logs, workbooks, and reports | No change |
| Plan and implement Microsoft Entra Permissions Management | Plan and implement Microsoft Entra Permissions Management | No change |
Skills measured prior to January 31, 2024
Audience profile
As a Microsoft identity and access administrator, you design, implement, and operate an organization’s identity and access management by using Microsoft Entra ID (ID). You configure and manage the full cycle of identities for:
Users
Devices
Microsoft Azure resources
Applications
As an identity and access administrator, you provide seamless experiences and self-service management capabilities for users. You plan and implement identity, authorization, and access to connect applications and resources in Azure. You’re also responsible for troubleshooting, monitoring, and reporting on identity and access. You collaborate with many other roles in the organization to:
Drive strategic identity projects.
Modernize identity solutions.
Implement hybrid identity solutions.
Implement identity governance.
You should be familiar with Azure, Microsoft 365 services and workloads, and Active Directory Domain Services (AD DS). You should have experience:
Automating the management of Microsoft Entra ID using PowerShell.
Analyzing events using Kusto Query Language (KQL).
Skills at a glance
Implement and manage user identities (20–25%)
Implement authentication and access management (25–30%)
Plan and implement workload identities (20–25%)
Plan and implement identity governance (20–25%)
Implement and manage user identities (20–25%)
Configure and manage a Microsoft Entra tenant
Configure and manage built-in and custom Microsoft Entra roles
Recommend when to use administrative units
Configure and manage administrative units
Evaluate effective permissions for Microsoft Entra roles
Configure and manage custom domains
Configure Company branding settings
Configure tenant properties, user settings, group settings, and device settings
Create, configure, and manage Microsoft Entra identities
Create, configure, and manage users
Create, configure, and manage groups
Manage custom security attributes
Automate the management of users and groups by using PowerShell
Assign, modify, and report on licenses
Implement and manage identities for external users and tenants
Manage External collaboration settings in Microsoft Entra ID
Invite external users, individually or in bulk
Manage external user accounts in Microsoft Entra ID
Implement Cross-tenant access settings
Implement and manage cross-tenant synchronization
Configure identity providers, including SAML and WS-Fed
Create and manage a Microsoft Entra B2C tenant (Microsoft Entra External ID)
Implement and manage hybrid identity
Implement and manage Microsoft Entra Connect
Implement and manage Microsoft Entra Connect cloud sync
Implement and manage password hash synchronization
Implement and manage pass-through authentication
Implement and manage seamless single sign-on (SSO)
Implement and manage federation, excluding manual Active Directory Federation Services (AD FS) deployments
Implement and manage Microsoft Entra Connect Health
Troubleshoot synchronization errors
Implement authentication and access management (25–30%)
Plan, implement, and manage Microsoft Entra ID user authentication
Plan for authentication
Implement and manage authentication methods
Implement and manage tenant-wide Multi-factor Authentication (MFA) settings
Manage per-user MFA settings
Configure and deploy self-service password reset (SSPR)
Implement and manage Windows Hello for Business
Disable accounts and revoke user sessions
Implement and manage password protection and smart lockout
Enable Microsoft Entra Kerberos authentication for hybrid identities
Implement certificate-based authentication in Microsoft Entra
Plan, implement, and manage Microsoft Entra Conditional Access
Plan Conditional Access policies
Implement Conditional Access policy assignments
Implement Conditional Access policy controls
Test and troubleshoot Conditional Access policies
Implement session management
Implement device-enforced restrictions
Implement continuous access evaluation
Create a Conditional Access policy from a template
Manage risk by using Microsoft Entra Identity Protection
Implement and manage user risk policies
Implement and manage sign-in risk policies
Implement and manage MFA registration policies
Monitor, investigate and remediate risky users
Monitor, investigate, and remediate risky workload identities
Implement access management for Azure resources by using Azure roles
Create custom Azure roles, including both control plane and data plane permissions
Assign built-in and custom Azure roles
Evaluate effective permissions for a set of Azure roles
Assign Azure roles to enable Microsoft Entra ID login to Azure virtual machines
Configure Azure Key Vault role-based access control (RBAC) and access policies
Plan and implement workload identities (20–25%)
Plan and implement identities for applications and Azure workloads
Select appropriate identities for applications and Azure workloads, including managed identities, service principals, user accounts, and managed service accounts
Create managed identities
Assign a managed identity to an Azure resource
Use a managed identity assigned to an Azure resource to access other Azure resources
Plan, implement, and monitor the integration of enterprise applications
Configure and manage user and admin consent
Discover apps by using AD FS application activity reports
Plan and implement settings for enterprise applications, including application-level and tenant-level settings
Assign appropriate Microsoft Entra roles to users to manage enterprise applications
Monitor and audit activity in enterprise applications
Design and implement integration for on-premises apps by using Microsoft Entra Application Proxy
Design and implement integration for software as a service (SaaS) apps
Assign, classify, and manage users, groups, and app roles for enterprise applications
Create and manage application collections
Plan and implement app registrations
Plan for app registrations
Create app registrations
Configure app authentication
Configure API permissions
Create app roles
Manage and monitor app access by using Microsoft Defender for Cloud Apps
Configure and analyze cloud discovery results by using Defender for Cloud Apps
Configure connected apps
Implement application-enforced restrictions
Configure Conditional Access app control
Create access and session policies in Defender for Cloud Apps
Implement and manage policies for OAuth apps
Manage the Cloud app catalog
Plan and implement identity governance (20–25%)
Plan and implement entitlement management in Microsoft Entra
Plan entitlements
Create and configure catalogs
Create and configure access packages
Manage access requests
Implement and manage terms of use (ToU)
Manage the lifecycle of external users
Configure and manage connected organizations
Plan, implement, and manage access reviews in Microsoft Entra
Plan for access reviews
Create and configure access reviews
Monitor access review activity
Manually respond to access review activity
Plan and implement privileged access
Plan and manage Azure roles in Microsoft Entra Privileged Identity Management (PIM), including settings and assignments
Plan and manage Azure resources in PIM, including settings and assignments
Plan and configure privileged access groups
Manage the PIM request and approval process
Analyze PIM audit history and reports
Create and manage break-glass accounts
Monitor identity activity by using logs, workbooks, and reports
Design a strategy for monitoring Microsoft Entra
Review and analyze sign-in, audit, and provisioning logs by using the Microsoft Entra admin center
Configure diagnostic settings, including configuring destinations such as Log Analytics workspaces, storage accounts, and event hubs
Monitor Microsoft Entra by using KQL queries in Log Analytics
Analyze Microsoft Entra by using workbooks and reporting
Monitor and improve the security posture by using Identity Secure Score
Plan and implement Microsoft Entra Permissions Management
Onboard Azure subscriptions to Permissions Management
Evaluate and remediate risks relating to Azure identities, resources, and tasks
Evaluate and remediate risks relating to Azure highly privileged roles
Evaluate and remediate risks relating to Permissions Creep Index (PCI) in Azure
Configure activity alerts and triggers for Azure subscriptions