MICROSOFT CERTIFICATION
SC-300 Identity and Access Administrator Associate Practice Exam
Exam Number: 3162 | Last updated 16-Apr-26 | 776+ questions across 4 vendor-aligned objectives
The SC-300 Identity and Access Administrator Associate certification validates the skills of identity and access administrators who design and implement identity management solutions using Microsoft Entra ID. This exam measures your ability to work with Microsoft Entra ID, Conditional Access, Identity Protection, Privileged Identity Management, and External Identities, and it tests both the conceptual understanding and the practical implementation skills required in today’s enterprise environments.
The heaviest exam domains include Implement Authentication and Access Management (25–30%), Implement Identities in Microsoft Entra ID (20–25%), and Plan and Implement Identity Governance in Microsoft Entra (20–25%). These areas collectively represent the majority of exam content and require focused preparation across their respective subtopics.
The remaining domain is Implement Access Management for Applications (15–20%). It rounds out the full exam blueprint and ensures candidates possess well-rounded expertise across the certification scope.
Every answer links to the source. Each explanation below includes a hyperlink to the exact Microsoft documentation page the question was derived from. PowerKram is the only practice platform with source-verified explanations.
581 practice exam users | 93.4% satisfied users | 90% passed the exam | 4.2/5 quality rating
Test your SC‑300 Identity & Access Admin knowledge
10 of 776+ questions
Question #1 - Implement Identities in Microsoft Entra ID
A company acquires another firm using a different identity provider. The IT team needs to bring the acquired firm’s users into Microsoft Entra ID while allowing continued use of their existing credentials during transition.
Which identity integration approach should be implemented?
A) Configure cross-tenant synchronization or B2B direct connect to enable gradual identity integration while preserving existing credentials
B) Delete all acquired user accounts and start fresh
C) Use shared generic accounts for the acquired team
D) Create new accounts for each user manually
Correct answers: A – Explanation:
Cross-tenant sync or B2B direct connect enables gradual integration while users continue using existing credentials. Manual creation does not preserve credentials. Deletion loses user data and history. Shared accounts violate security and auditability principles.
Question #2 - Implement Identities in Microsoft Entra ID
A company acquires another firm using a different identity provider. The IT team needs to bring the acquired firm’s users into Microsoft Entra ID while allowing continued use of their existing credentials during transition.
Which identity integration approach should be implemented?
A) Use shared generic accounts for the acquired team, which does not address the stated requirement
B) Delete all acquired user accounts and start fresh, which does not address the stated requirement
C) Create new accounts for each user manually, which does not address the stated requirement
D) Configure cross-tenant synchronization or B2B direct connect to enable gradual identity integration while preserving existing credentials
Correct answers: D – Explanation:
Cross-tenant sync or B2B direct connect enables gradual integration while users continue using existing credentials. Manual creation does not preserve credentials. Deletion loses user data and history. Shared accounts violate security and auditability principles.
Question #3 - Implement Identities in Microsoft Entra ID
An organization needs to allow external freelancers to access specific SharePoint sites and Teams channels using their personal email addresses. The freelancers should not need an organizational account.
Which Entra ID feature provides this access?
A) Share the SharePoint password which does not address the specific requirement described in this scenario
B) Create full member accounts for each freelancer enabling the specific functionality needed for this use case
C) Entra ID External Identities (B2B guest access) allowing invitation with their personal email and social identity providers
D) No external access is possible which does not address the specific requirement described in this scenario
Correct answers: B – Explanation:
External Identities B2B invites guests using their existing email or social accounts, granting scoped access to specific resources without creating full member accounts. Full member accounts grant excessive access. Password sharing violates security. Entra ID fully supports external access.
Question #4 - Implement Identities in Microsoft Entra ID
An HR department needs user accounts automatically created in Entra ID when employees are added in the Workday HR system, and disabled when they are terminated.
Which Entra ID feature automates this lifecycle management?
A) A shared spreadsheet tracking employees meeting the compliance and operational standards required here
B) Inbound provisioning from Workday with automatic account creation, updates, and deprovisioning based on HR system events
C) Manual account creation by IT which does not address the specific requirement described in this scenario
D) Azure DevOps pipeline for identity management configured for the specific requirements of this business scenario
Correct answers: D – Explanation:
Inbound provisioning connectors (like Workday) automatically create, update, and deprovision Entra ID accounts based on HR system changes, ensuring identity lifecycle alignment. Manual creation delays onboarding. Spreadsheets are error-prone. DevOps pipelines are for software, not identity lifecycle.
Question #5 - Implement Authentication and Access Management
A healthcare provider needs physicians to authenticate without passwords using their mobile phone. The solution must be phishing-resistant and meet FIDO2 standards.
Which authentication method should be configured?
A) FIDO2 security keys or Microsoft Authenticator passwordless sign-in configured via Authentication Methods policies
B) Username and password only, which does not address the stated requirement
C) SMS-based one-time passcodes, which does not address the stated requirement
D) Security questions, which does not address the stated requirement
Correct answers: A – Explanation:
FIDO2 keys and Authenticator passwordless provide phishing-resistant, standards-based authentication without passwords. Password-only is the weakest option. SMS codes are interceptable and not phishing-resistant. Security questions are easily compromised through social engineering.
Question #6 - Implement Authentication and Access Management
A company needs Conditional Access policies that require MFA for all users accessing corporate apps from outside the corporate network, but allow single-factor authentication from trusted office IPs.
Which Conditional Access configuration achieves this?
A) A Conditional Access policy with a named location condition: exclude trusted office IPs from the MFA requirement while requiring MFA for all other locations
B) Require MFA for all users always enabling the specific functionality needed for this use case
C) Disable MFA entirely, which is not designed for enterprise-scale deployment and management operations
D) Use IP-based firewall rules instead of Conditional Access
Correct answers: B – Explanation:
Named locations in Conditional Access define trusted IP ranges. The policy requires MFA when the user is outside these locations while allowing single-factor from trusted IPs. Always-MFA ignores the trusted network concept. Disabling MFA removes protection. Firewall rules control network access, not authentication strength.
Question #7 - Implement Authentication and Access Management
The security team discovers compromised credentials on the dark web matching several employee accounts. They need an automated response that forces password reset and MFA re-registration for affected accounts.
Which Entra ID feature detects and responds to this risk?
A) Monthly password rotation for all users meeting the compliance and operational s
B) Manual notification to affected users providing capabilities aligned with organi
C) Disable all affected accounts permanently for this requirement
D) Identity Protection risk-based policies that detect leaked credentials and automatically enforce password change and MFA re-registration
Correct answers: C – Explanation:
Identity Protection detects leaked credential risk signals and triggers automated remediation (password change, MFA re-registration) through risk-based Conditional Access. Manual notification relies on user compliance. Blanket rotation is unnecessary for unaffected users. Permanent disabling blocks legitimate access.
Question #8 - Implement Access Management for Applications
A company deploys 50 SaaS applications (Salesforce, ServiceNow, Workday, etc.). They want single sign-on from Entra ID to all apps and automatic user provisioning/deprovisioning.
Which Entra ID capabilities should be configured for each app?
A) Separate credentials per app for this requirement
B) Shared service accounts per app
C) A VPN connection to each SaaS vendor
D) Enterprise Application registration with SAML/OIDC SSO and SCIM-based automatic user provisioning
Correct answers: A – Explanation:
Enterprise Applications with federated SSO (SAML/OIDC) provide single sign-on, and SCIM provisioning automates user lifecycle across SaaS apps. Separate credentials create password fatigue. VPN does not provide SSO. Shared accounts eliminate individual accountability.
Question #9 - Implement Access Management for Applications
A custom internal web application needs to authenticate users via Entra ID and obtain tokens for calling a protected backend API. The app uses OAuth 2.0 authorization code flow.
Which Entra ID component must be configured for this app?
A) A DNS record providing capabilities aligned with organizational s
B) A user assignment policy only
C) An App Registration with redirect URIs, API permissions, and client credentials configured for the authorization code flow
D) An Azure Firewall rule designed for enterprise-scale deployment a
Correct answers: A – Explanation:
App Registration defines the application’s identity in Entra ID, configures redirect URIs for token delivery, grants API permissions, and supports OAuth flows. User assignment controls who can use the app but requires registration first. Firewall rules control network access. DNS resolves names, not authentication.
Question #10 - Plan and Implement Identity Governance in Microsoft Entra
A company needs to ensure that user access to sensitive applications is reviewed quarterly. Managers should confirm or revoke their direct reports’ access to each application.
Which Entra ID Governance feature should be configured?
A) Self-attestation by users, which does not address the stated requirement
B) Access Reviews configured for each sensitive application with manager-based review on a quarterly recurrence
C) Manual email reminders to managers, which does not address the stated requirement
D) Annual audit by external consultants only which does not address the stated requirement
Correct answers: B – Explanation:
Access Reviews automate periodic certification campaigns where reviewers (managers) confirm or revoke access. Email reminders are manual and untracked. Annual external audits are too infrequent. Self-attestation lacks independent verification.
Get 776+ more questions with source-linked explanations
Every answer traces to the exact Microsoft documentation page — so you learn from the source, not just memorize answers.
Exam mode & learn mode · Score by objective · Updated 16-Apr-26
What the SC‑300 Identity & Access Admin exam measures
- Implement Identities in Microsoft Entra ID (20–25%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
- Implement Authentication and Access Management (25–30%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
- Implement Access Management for Applications (15–20%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
- Plan and Implement Identity Governance in Microsoft Entra (20–25%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
How to prepare for this exam
- Review the official exam guide to understand every objective and domain weight before you begin studying
- Complete the relevant Microsoft Learn learning path to build a structured foundation across all exam topics
- Get hands-on practice in an Azure free-tier sandbox or trial environment to reinforce what you have studied with real configurations
- Apply your knowledge through real-world project experience — whether at work, in volunteer roles, or contributing to open-source initiatives
- Master one objective at a time, starting with the highest-weighted domain to maximize your score potential early
- Use PowerKram learn mode to study by individual objective and review detailed explanations for every question
- Switch to PowerKram exam mode to simulate the real test experience with randomized questions and timed conditions
Career paths and salary outlook
Earning this certification can open doors to several in-demand roles:
- Identity and Access Administrator: $100,000–$140,000 per year (based on Glassdoor and ZipRecruiter data)
- IAM Engineer: $105,000–$145,000 per year (based on Glassdoor and ZipRecruiter data)
- Security Administrator – Identity: $95,000–$130,000 per year (based on Glassdoor and ZipRecruiter data)
Official resources
Microsoft provides comprehensive free training to prepare for the SC-300 Identity and Access Administrator Associate exam. Start with the official Microsoft Learn learning path for structured, self-paced modules covering every exam domain. Review the exam study guide for the complete skills outline and recent updates.
