Microsoft Identity and Access Administrator SC-300 Exam Guide
By : Aaron Guilmette, James Hardiman, Doug Haven, Dwayne Natwick
Overview of this book

In today’s cloud-driven environment, achieving SC-300 certification is essential for professionals looking to tackle real-world identity and access management (IAM) scenarios. SC-300 exam content has undergone significant changes, and this second edition aligns with the revised exam objectives. This updated edition gives you access to online exam prep resources such as chapter-wise practice questions, mock exams, interactive flashcards, and expert exam tips, providing you with all the tools you need for thorough exam preparation. You’ll get to grips with the creation, configuration, and management of Microsoft Entra identities, as well as understand the planning, implementation, and management of Microsoft Entra user authentication processes. You’ll learn to deploy and use new Global Secure Access features, design cloud application strategies, and manage application access and policies by using Microsoft Cloud App Security. You’ll also gain experience in configuring Privileged Identity Management for users and guests, working with the Permissions Creep Index, and mitigating associated risks. By the end of this book, you’ll have mastered the skills essential for securing Microsoft environments and be able to pass the SC-300 exam on your first attempt.
Configuring and Managing Built-In and Custom Microsoft Entra Roles

Entra ID roles are used to delegate permissions to perform tasks in Entra ID, Microsoft 365, and Azure. Many people are familiar with the Global Administrator role, as it is the first role that’s granted when you create a tenant. However, there are dozens of other roles available that can be used to provide a refined level of delegation throughout the environment. As the number of applications and services available in the Microsoft 365 ecosystem has grown, so has the number of security and administrative roles.

Roles for applications, services, and functions are intuitively named and generally split into two groups: Administrator and Reader. However, there are some roles that either don’t follow that nomenclature or have additional levels of permission associated with them (such as Printer Technician or Attack Simulator Payload Author).

The Global Administrator role can administer all parts of the tenant organization, including creating and modifying users or groups and delegating other administrative roles. In most cases, users with the Global Administrator role can access and modify all parts of an individual Microsoft 365 service—for example, editing Exchange transport rules, creating SharePoint Online sites, or setting up directory synchronization. Some features, such as eDiscovery, require specific roles in order to use them. Even though the Global Administrator role doesn’t have the ability to perform all tasks initially, the role does allow you to grant application- or workload-specific roles to enable their use.

Further reading

There are currently over 70 built-in administrative roles specific to Entra ID services and applications. For an up-to-date list of the roles available, see https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference.

For the SC-300 exam, you should be familiar with the core Microsoft 365 and Entra ID roles, as described in Table 1.2:

| Role name | Role description |
| --- | --- |
| Global Administrator | Can manage all aspects of Entra ID and Microsoft 365 services. |
| Hybrid Identity Administrator | Can manage Entra Connect and Entra Cloud Sync configuration settings, including pass-through authentication (PTA), password hash synchronization (PHS), seamless single sign-on (SSO), and federation settings. |
| Billing Administrator | Can perform billing tasks such as updating payment information. |
| Compliance Administrator | Can read and manage the compliance configuration and reporting in Entra ID and Microsoft 365. |
| Exchange Administrator | Can manage all aspects of the Exchange Online service. |
| Guest Inviter | Can invite guest users regardless of the Members can invite guests setting. |
| Office Apps Administrator | Can manage Office apps, including policy and settings management. |
| Reports Reader | Can read sign-in and audit reports. |
| Security Reader | Can read security information and reports in Entra ID and Office 365. |
| SharePoint Administrator | Can manage all aspects of the SharePoint service. |
| Teams Administrator | Can manage all aspects of the Microsoft Teams service. |
| User Administrator | Can manage all aspects of users and groups, including resetting passwords for limited admins. |

Table 1.2: Core Entra ID and Microsoft 365 roles

Planning for Role Assignments

One of the core tenets of security is the use of a least-privilege model. Least privilege means delegating the minimum level of permissions to accomplish a particular task, such as creating a user or resetting a password. In the context of Microsoft 365 and Entra ID, this translates to using the built-in roles for services, applications, and features where possible instead of granting the Global Administrator role. Limiting the administrative scope for services based on roles is commonly referred to as role-based access control (RBAC).

In order to help organizations plan for a least-privileged deployment, Microsoft currently maintains a list of least-privileged roles necessary to accomplish certain tasks, grouped by application or content area: https://learn.microsoft.com/en-us/azure/active-directory/roles/delegate-by-task. Related tasks are grouped into roles. These roles can then be assigned to users based on their job duties.

When planning for role assignments in your organization, you can choose to assign roles directly to users or via a specially designated Entra ID group. If you have several users that need a variety of roles, you may want to create a group to ease the administrative burden of adding multiple users to multiple roles.

If you want to create and use groups for role assignment, you must enable the group for role assignment (the Entra ID isAssignableToRole property) during group creation. For example, when using the Azure portal to create a group as shown in Figure 1.4, the toggle labeled Azure AD roles can be assigned to the group needs to be set to Yes in order for the group to be provisioned with that capability.

Note

The role assignment property cannot be updated once the group has been created. If you create a group that you want to be used for role assignment and you fail to set this option during group creation, you’ll need to delete the group and start over. This is to prevent privilege escalation attempts.

Figure 1.4: Configuring the isAssignableToRole property on a new group

If you want to create role-eligible groups in Entra ID, those groups must be configured to use assigned membership. As soon as you move the slider to enable a role-assignable group, the ability to change the membership type is grayed out to prevent accidentally elevating a user to a privileged role through a dynamic rule.
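The procedure above (a role-assignable security group with assigned membership, followed by delegating a built-in role to it), as an added example in Microsoft Graph PowerShell; this is not code from the book. The group name, mail nickname and the choice of the User Administrator role from Table 1.2 are assumptions, and the closing loop is a review check that lists each role-assignable group with its roles and member count.

```powershell
# Added example (not from the book): create a role-assignable group and delegate a
# least-privileged built-in role to it with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph modules are installed and the signed-in account holds
# the Privileged Role Administrator role (required to create role-assignable groups).
# Group name and mail nickname below are placeholders.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'

# isAssignableToRole must be set at creation time; it cannot be changed afterwards.
# Role-assignable groups are security groups with assigned (not dynamic) membership,
# so no groupTypes/DynamicMembership value or membershipRule is supplied.
$group = New-MgGroup -DisplayName 'RA-User-Administrators' `
    -MailNickname 'ra-user-admins' `
    -MailEnabled:$false `
    -SecurityEnabled:$true `
    -IsAssignableToRole:$true `
    -Description 'Role-assignable group holding the User Administrator role'

# Look up the built-in role by display name instead of hard-coding its template ID.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'User Administrator'"

# Assign the role to the group at tenant scope ('/'); group members inherit it.
New-MgRoleManagementDirectoryRoleAssignment `
    -PrincipalId $group.Id `
    -RoleDefinitionId $roleDef.Id `
    -DirectoryScopeId '/' | Out-Null

# Review check: every role-assignable group, the roles assigned to it, and how many
# members now hold those roles through the group. Dynamic should always be False.
Get-MgGroup -Filter 'isAssignableToRole eq true' -All | ForEach-Object {
    $g = $_
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "principalId eq '$($g.Id)'" -ExpandProperty roleDefinition
    [pscustomobject]@{
        Group   = $g.DisplayName
        Dynamic = ($g.GroupTypes -contains 'DynamicMembership')
        Roles   = ($assignments.RoleDefinition.DisplayName -join ', ')
        Members = (Get-MgGroupMember -GroupId $g.Id -All).Count
    }
}
```

Adding a user to the group is then the only step needed to grant the role, so the group's membership should be reviewed as carefully as a direct role assignment would be.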

Managing Roles in the Microsoft 365 Admin Center

Roles can be easily managed within the Microsoft 365 admin center by expanding the navigation menu, expanding Roles, and then selecting Role assignments.

Figure 1.5: Role assignments

Roles are displayed across four tabs: Azure AD, Exchange, Intune, and Billing, as shown in Figure 1.6:

Figure 1.6: The Role assignments page

To add people to a role, simply select the role from the list, choose the Assigned tab, and then add either users or groups to the particular role.

Figure 1.7: Making role assignments

Depending on the role being granted through this interface, you may be able to use Microsoft 365 groups, role-assignable security groups, or mail-enabled security groups.

Managing Role Groups for Microsoft Defender, Microsoft Purview, and Microsoft 365 Workloads

Now that you’re familiar with role groups and concepts, you will learn how to manage roles for the following specific workload and feature areas of Microsoft 365:

  • Microsoft Defender
  • Microsoft Purview
  • Microsoft 365 workloads

There are some nuances of managing each that are covered in the following sub-sections.

Microsoft Defender

Like other products in the Microsoft 365 suite, Defender uses roles to manage groups of permissions for tasks. All of the Microsoft Defender roles can be administered from either the Entra admin center (https://entra.microsoft.com) or the Azure portal (https://portal.azure.com). Both interfaces also provide the ability to define custom roles or role groups. Microsoft 365 Defender also has a new RBAC model available. The Microsoft 365 Defender RBAC model is in preview and is subject to change.

Microsoft 365 Defender users can be configured to use either the global Entra ID roles or custom roles from the Microsoft 365 Defender portal. When using Entra ID’s global roles to assign permissions for Microsoft 365 Defender, it’s important to note that the Entra ID roles will grant access to multiple workloads.

By default, Global Administrators and Security Administrators have access to Microsoft 365 Defender features. To delegate individual administrative duties where a broader Microsoft 365 Defender role might not be appropriate for your organization’s needs, you can use custom roles, as shown in Figure 1.8:

Figure 1.8: Microsoft 365 Defender permissions

To create a custom role, follow these steps:

  1. Navigate to the Microsoft 365 Defender portal (https://security.microsoft.com) with an account that is either a member of Global Administrators or Security Administrators.
  2. In the navigation menu, select Permissions.
  3. Click Create custom role.
  4. On the Basics page, enter a Role name value and click Next.
Figure 1.9: Creating a new custom role

  5. Select permissions from the available permissions groups. For example, select Security Operations, then choose the Select all read-only permissions radio button as shown in Figure 1.10, and click Apply. Then, click Next.

Figure 1.10: Selecting permissions

  6. On the Assignments page, click Add assignment.

Figure 1.11: Adding user and data assignments

  7. On the Add assignment page, enter an Assignment name value for this permissions assignment.
  8. On the Add assignment page, select the data sources to which this assignment applies. You can select Choose all data sources (including current and future supported data sources) to make a broadly scoped role or select specific individual data sources.
  9. On the Add assignment page, select which users or groups will be configured with this assignment, as shown in Figure 1.12. Click Add when finished.

Figure 1.12: Selecting assignment options

  10. Add any other assignments if necessary and then click Next to continue.
  11. On the Review and finish page, confirm the selections and then click Submit. See Figure 1.13.

Figure 1.13: Confirming configuration

Once roles and assignments have been configured, users can log in and view or manage the features to which they’ve been granted permission.

Further reading

For more information on the nuances of the Microsoft 365 Defender custom roles and available permissions, see https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-permissions-details.

Next, you will explore the roles and permissions for Microsoft Purview.

Microsoft Purview

Like Microsoft 365 Defender, Microsoft Purview can leverage both Entra ID global roles (available throughout the Microsoft 365 platform) as well as roles and role groups specifically designed for Microsoft Purview that are only available in Microsoft Purview. Some features (such as eDiscovery) can only be configured using the Purview-specific roles.

You can view the global Entra ID roles by navigating to the Microsoft Purview compliance center, expanding Roles & scopes, selecting Permissions, and then selecting Roles under Azure AD. See Figure 1.14:

Figure 1.14: Azure AD roles in Microsoft Purview permissions

The Microsoft Purview-specific roles can be seen in the Microsoft Purview compliance center (https://compliance.microsoft.com) by expanding Roles & scopes, selecting Permissions, and then selecting Roles under Microsoft Purview solutions. See Figure 1.15:

Figure 1.15: Microsoft Purview solutions roles

As with Microsoft 365 Defender, you can also create custom role groups for Microsoft Purview solutions. Microsoft Purview roles also support scoping with administrative units. Currently, the following features support administrative units:

| Solution or feature | Configuration areas |
| --- | --- |
| Data life cycle management | Retention policies, retention label policies, role groups |
| Data loss prevention (DLP) | DLP policies, role groups |
| Communications compliance | Adaptive scopes |
| Records management | Retention policies, retention label policies, adaptive scopes, role groups |
| Sensitivity labels | Sensitivity label policies, auto-labeling policies, role groups |

Table 1.3: Microsoft Purview support for administrative units

Next, you will review role groups for Microsoft 365 workloads and how they can be managed.

Microsoft 365 Workloads

The core Microsoft 365 workloads, such as Exchange Online and SharePoint Online, have built-in support for a number of role groups. In the case of Exchange Online, there are additional management roles that can be assigned within the Exchange admin center’s existing RBAC mechanisms. They’re only visible inside the Exchange service and only apply to Exchange-specific features.

Figure 1.16: Microsoft 365 workload roles

While many workloads will have a single role group (such as Kaizala Administrator or SharePoint Administrator), some workloads such as Teams have multiple role groups that can be used to further delegate administration. You can review the current list of roles available in the Microsoft 365 admin center by navigating to the admin center (https://admin.microsoft.com), expanding Roles, and selecting Role assignments.

Next, we’ll explore the role administrative units play in delegated administration.
