In this article, I will share with you how to prepare and pass the SC-300: Microsoft Identity and Access Administrator certification exam successfully.
Microsoft keeps evolving its learning programs to help you and your career keep pace with today's demanding IT environments. The updated role-based certifications help you keep pace with today's business requirements. Microsoft Learning is constantly evolving its learning program to better offer what you need to skill up, prove your expertise to employers and peers, and get the recognition and opportunities you have earned.
In February 2021, Microsoft announced new certification exams that focus on Security, Compliance, and Identity (SCI) solutions, which are available across the Azure platform (Azure Defender) as well as Microsoft 365 (Microsoft 365 Defender).
| Exam | Title |
|---|---|
| SC-200 | Microsoft Security Operations Analyst |
| SC-300 | Microsoft Identity and Access Administrator |
| SC-400 | Microsoft Information Protection Administrator |
| SC-900 | Microsoft Security, Compliance, and Identity Fundamentals |
The Security Operations Analyst Associate certification can help demonstrate knowledge of threat mitigation using Microsoft SCI Solutions, as well as performing proactive threat hunting activities using:
Please check the following guide to learn more on how to prepare for the SC-200: Microsoft Security Operations Analyst certification exam successfully.
For people in identity roles, the Identity & Access Administrator Associate certification can help prove knowledge of core identity governance principles, as well as of ensuring a proper identity lifecycle.
- Azure Active Directory (AAD)
- Azure AD Connect
- Azure Multi-factor Authentication (MFA)
- Privileged Identity Management (PIM)
- Conditional Access
- Identity Governance
For people in compliance administrator roles, the Information Protection Administrator Associate certification can help prove knowledge of core data concepts and how they are implemented using Azure data services.
- Information Protection
- Data Loss Prevention
- Information Governance
Please check the following guide to learn more on how to prepare for the SC-400: Microsoft Information Protection Administrator certification exam successfully.
The Security, Compliance, and Identity Fundamentals certification is for people looking to familiarize themselves with the fundamentals of SCI across cloud-based and related Microsoft services. It is developed for a broad audience that may include business stakeholders, students starting out in IT, or existing IT pros who have an interest in Microsoft SCI solutions.
- Security, compliance, and identity
- Microsoft identity and access management solutions
- Microsoft security solutions
- Microsoft compliance solutions
Please check the following guide to learn more on how to prepare for the SC-900: Microsoft Security, Compliance, and Identity Fundamentals certification exam successfully.
While preparing to take this exam myself, I would like to share with you how to prepare and pass the SC-300: Microsoft Identity and Access Administrator certification exam successfully.
Updated on 22/02/2021 – In this exam, I got 52 questions in total with 2 case studies, and the total time for this exam is 180 minutes (3 hours). The questions do pretty much match the list of skills measured below.
At the time of this writing, this exam is in the Beta phase. Beta exams are not scored immediately because Microsoft is gathering data on the quality of the questions and the exam. I will update this article as soon as I get the exam results from Microsoft.
Exam Target Audience
The Microsoft Identity and Access Administrator designs, implements, and operates an organization’s identity and access management systems by using Azure Active Directory (AAD). They manage tasks such as providing secure authentication and authorization access to enterprise applications. The administrator provides seamless experiences and self-service management capabilities for all users. Adaptive access and governance are core elements of the role. This role is also responsible for troubleshooting, monitoring, and reporting for the identity and access environment.
The Identity and Access Administrator may be a single individual or a member of a larger team. This role collaborates with many other roles in the organization to drive strategic identity projects to modernize identity solutions, implement hybrid identity solutions, and implement identity governance.
Prerequisites study resources
If you are new to the Identity and Access Administrator role, these references can help you understand security fundamentals.
- Introduction to Azure Security
- Azure identity management security overview
- Security, Compliance, and Identity Fundamentals
- SC-900 Part 1: Describe the concepts of security, compliance, and identity
- SC-900 Part 2: Describe the capabilities of Microsoft identity and access management
- SC-900 Part 3: Describe the capabilities of Microsoft security solutions
- SC-900 Part 4: Describe the capabilities of Microsoft compliance solutions
- Microsoft Azure Well-Architected Framework Security
Skills measured on this exam
This exam measures your ability to accomplish the technical tasks listed below, based on the latest update from Microsoft.
Links to relevant reading from the official Microsoft documentation for each skill tested are listed below to help you prepare.
Implement an identity management solution (25-30%)
Implement initial configuration of Azure Active Directory
- Configure and manage Azure AD directory roles
- Configure and manage custom domains
- Configure and manage device registration options
- Configure delegation by using administrative units
- Configure tenant-wide settings
Create, configure, and manage identities
- Create, configure, and manage users
- Create, configure, and manage groups
- Manage licenses
Implement and manage external identities
- Manage external collaboration settings in Azure Active Directory
- Invite external users (individually or in bulk)
- Manage external user accounts in Azure Active Directory
- Configure identity providers (social and SAML/WS-Fed)
Implement and manage hybrid identity
- Implement and manage Azure Active Directory Connect (AADC)
- Implement and manage Password Hash Synchronization (PHS)
- Implement and manage Pass-Through Authentication (PTA)
- Implement and manage seamless Single Sign-On (SSO)
- Implement and manage federation (excluding manual AD FS deployments)
- Implement and manage Azure Active Directory Connect Health
- Troubleshoot synchronization errors
Learning Path: Implement an Identity management solution
Implement an authentication and access management solution (25-30%)
Plan and implement Azure Multifactor Authentication (MFA)
- Plan Azure MFA deployment (excluding MFA Server)
- Implement and manage Azure MFA settings
- Manage MFA settings for users
Manage user authentication
- Administer authentication methods (FIDO2 / Passwordless)
- Implement an authentication solution based on Windows Hello for Business
- Configure and deploy self-service password reset
- Deploy and manage password protection
- Implement and manage tenant restrictions
Plan, implement and administer conditional access
- Plan and implement security defaults
- Plan conditional access policies
- Implement conditional access policy controls and assignments (targeting, applications, and conditions)
- Test and troubleshoot conditional access policies
- Implement application controls
- Implement session management
- Configure smart lockout thresholds
Manage Azure AD Identity Protection
- Implement and manage a user risk policy
- Implement and manage sign-in risk policies
- Implement and manage MFA registration policy
- Monitor, investigate, and remediate elevated risky users
Learning Path: Implement an Authentication and Access Management solution
Implement Access Management for Apps (10-15%)
Plan, implement and monitor the integration of Enterprise Apps for Single Sign-On (SSO)
- Implement and configure consent settings
- Discover apps by using MCAS or ADFS app report
- Design and implement access management for apps
- Design and implement app management roles
- Monitor and audit access and sign-ins to Azure Active Directory-integrated enterprise applications
- Integrate on-premises apps by using Azure AD application proxy
- Integrate custom SaaS apps for SSO
- Configure pre-integrated (gallery) SaaS apps
- Implement application user provisioning
Implement app registrations
- Plan your line of business application registration strategy
- Implement application registrations
- Configure application permissions
- Implement application authorization
- Plan and configure multi-tier application permissions
Learning Path: Implement Access Management for Apps
Plan and implement an Identity Governance Strategy (25-30%)
Plan and implement entitlement management
- Define catalogs / Define access packages
- Plan, implement and manage entitlements
- Manage the lifecycle of external users in Azure AD Identity Governance settings
Plan, implement and manage access reviews
- Plan for access reviews
- Create access reviews for groups and apps
- Monitor access review findings
- Manage licenses for access reviews
- Automate access review management tasks
- Configure recurring access reviews
Plan and implement privileged access
The following article covers all of the Privileged Identity Management (PIM) topics listed below:
- Define a privileged access strategy for administrative users (resources, roles, approvals, thresholds)
- Configure Privileged Identity Management for Azure AD roles
- Configure Privileged Identity Management for Azure resources
- Assign roles
- Manage PIM requests
- Analyze PIM audit history and reports
- Create and manage break-glass accounts
Monitor and maintain Azure Active Directory
- Analyze and investigate sign-in logs to troubleshoot access issues
- Review and monitor Azure AD audit logs
- Enable and integrate Azure AD diagnostic logs with Log Analytics / Azure Sentinel
- Export sign-in and audit logs to a third-party SIEM
- Review Azure AD activity by using Log Analytics / Azure Sentinel (excluding KQL use)
- Analyze Azure Active Directory workbooks/reporting
- Configure notifications
Learning Path: Plan and implement an identity governance strategy
MS-500 | Microsoft 365 Certified: Security Administrator Associate
I have included the older MS-500 exam here as an example of the overall skills measured in that exam. You can see that it measures your skills across a broad range of security solutions, compared to the new exams, which are more specific.
- Implement and manage identity and access
- Implement and manage threat protection
- Implement and manage information protection
- Manage governance and compliance features in Microsoft 365
If you are interested in taking the MS-500 exam, please check my step-by-step guide on how to prepare and pass the MS-500 exam successfully.
There are several workshops that might be of interest to identity and access administrators. Check the following step-by-step hands-on labs developed by Microsoft Cloud Workshop (MCW), which will help you gain more practical experience:
- Hybrid identity: Learn to set up and configure a hybrid identity solution that integrates an existing on-premises identity solution with Azure.
- Security baseline on Azure: Implement Azure Security Center and Microsoft Compliance Manager to ensure a secure and privacy-focused cloud-based architecture that follows compliance standards.
You can also check the following stand-alone labs for this course. At the time of this writing, these labs are still new, and they will evolve over time as the exam and training come out of beta:
- LAB-01: Deploying Azure Resource Manager Templates
- LAB-02: Manage user roles
- LAB-03: Working with tenant properties
- LAB-04: Assigning licenses using group membership
- LAB-05: Configure external collaboration settings
- LAB-06: Add guest users to the directory
- LAB-07: Restore a deleted user
- LAB-08: Adding groups to Azure AD
- LAB-09: Invite guest users in bulk
- LAB-10: Change group license assignments
- LAB-11: Working with dynamic groups
- LAB-12: Change user account license assignments
- LAB-13: Configure external collaboration settings
- LAB-14: Add guest users to the directory
- LAB-15: Invite guest users in bulk
- LAB-16: Enable Azure AD multi-factor authentication
- LAB-17: Configure and deploy self-service password reset
- LAB-18: Working with security defaults
- LAB-19: Implement and test a conditional access policy
- LAB-20: Configure authentication session controls
- LAB-21: Manage Azure AD smart lockout values
- LAB-22: Enable sign-in and user risk policies
- LAB-23: Configure an Azure AD multi-factor authentication registration policy
- LAB-24: Implement access management for apps
- LAB-25: Create a new custom role to grant access to manage app registrations
- LAB-26: Register an application
- LAB-27: Grant tenant-wide admin consent to an application
- LAB-28: Add app roles to your app and receive them in the token
- LAB-29: Create and manage a catalog of resources in Azure AD entitlement management
- LAB-31: Manage the lifecycle of external users in Azure AD Identity Governance settings
- LAB-32: Configure Privileged Identity Management for Azure AD roles
- LAB-33: Assign Azure resource roles in Privileged Identity Management
- LAB-34: Connect data from Azure Active Directory (Azure AD) to Azure Sentinel
Practice, practice, and read… I cannot stress enough that hands-on experience and understanding all the security concepts in Azure Active Directory will help you pass this exam. The key to passing this exam is to work with Microsoft Azure on a daily basis, especially with identity governance and conditional access.
As announced by Microsoft Worldwide Learning, due to the pandemic situation it appears they have suspended performance-based lab questions, given their need to reserve Azure capacity for paying customers. So you had better register for your exams as soon as possible to take advantage of this situation. The biggest subject areas that I saw on the SC-300 exam are the following:
- Azure Active Directory (Azure AD)
- Conditional Access
- Identity Governance
- Azure AD Connect
- Multi-Factor Authentication
- Application Proxy
- App registrations
- Custom domain names
- Sign-in logs
- Audit Logs
- Password reset
- Azure AD Security Groups
- Monitoring (Diagnostic settings)
- Azure AD Privileged Identity Management (PIM)
- Azure AD Identity Protection
Overall, I think Microsoft Worldwide Learning is doing a good job of gradually shaping these exams to reflect real-world Azure security best-practice scenarios. The SC-300 exam is logically organized and focused solely on Azure AD identity and security.
Schedule SC-300 Exam
At the time of this writing, Microsoft has launched the SC-300 exam in beta mode. If you would like to take the beta exam and receive the 80% discount*, use the following code when prompted for payment: SC300VANDALIA. You must register for the exam on or before March 15, 2021. Seats are offered on a first-come, first-served basis.
Once you are ready, click Schedule exam and take it online from the comfort of your home or office under proctor supervision.
If you are planning to take this exam… I wish you all the best and Happy Studying!!!
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.