In this article, we will share with you how to prepare for and pass the SC-300 Microsoft Identity and Access Administrator certification exam successfully.
Microsoft keeps evolving its e-learning programs to help you and your career keep pace with today’s demanding IT environments. The updated role-based certifications will help you keep pace with today’s business requirements. Microsoft Learning is constantly evolving its e-learning program to better offer what you need to skill up, prove your expertise to employers and peers, and get the recognition and opportunities you’ve earned.
In February 2021, Microsoft announced new certification exams that focus on Security, Compliance, and Identity (SCI) solutions, which are available across the Azure platform (Microsoft Defender for Cloud) as well as Microsoft 365 (Microsoft 365 Defender).
| Exam | Certification |
|---|---|
| SC-200 | Microsoft Security Operations Analyst |
| SC-300 | Microsoft Identity and Access Administrator |
| SC-400 | Microsoft Information Protection Administrator |
| SC-900 | Microsoft Security, Compliance, and Identity Fundamentals |
For people in identity roles, the Identity & Access Administrator Associate certification can help prove knowledge of core identity governance principles, as well as ensure a proper identity lifecycle.
- Azure Active Directory (AAD)
- Azure AD Connect
- Azure Multi-factor Authentication (MFA)
- Privileged Identity Management (PIM)
- Conditional Access
- Identity Governance
The Security Operations Analyst Associate certification can help demonstrate knowledge of threat mitigation using Microsoft SCI Solutions, as well as performing proactive threat-hunting activities using:
Please check the following guide to learn more on how to prepare for the SC-200: Microsoft Security Operations Analyst certification exam successfully.
For people in compliance administrator roles, the Information Protection Administrator Associate certification can help prove knowledge of core data concepts and how they’re implemented using Azure data services.
- Information Protection
- Data Loss Prevention
- Information Governance
Please check the following guide to learn more on how to prepare for the SC-400: Microsoft Information Protection Administrator certification exam successfully.
The Security, Compliance, and Identity Fundamentals certification is for people looking to familiarize themselves with the fundamentals of SCI across cloud-based and related Microsoft services. It was developed for a broad audience that may include business stakeholders, students starting out in IT, or existing IT pros who have an interest in Microsoft SCI solutions.
- Security, compliance, and identity
- Microsoft identity and access management solutions
- Microsoft security solutions
- Microsoft compliance solutions
Please check the following guide to learn more on how to prepare for the SC-900: Microsoft Security, Compliance, and Identity Fundamentals certification exam successfully.
SC-300 Exam Preparation
How do you prepare for SC-300?
I would like to share with you how to prepare for and pass the SC-300: Microsoft Identity and Access Administrator certification exam successfully, based on my own experience.
Updated on 22/02/2021 – In this exam, I got 52 questions in total with 2 case studies, and the total time for this exam is 180 minutes (3 hours). The questions do pretty much match the list of skills measured below.
Updated on 22/07/2021 – In this exam, I got around 42 questions in total with 2 case studies, and the total time for this exam is 130 minutes (2.10 hours). The questions do pretty much match the list of skills measured below.
At the time of this writing, this exam is out of the beta phase, and it’s public.
Beta exams are not scored immediately because Microsoft is gathering data on the quality of the questions and the exam. I will update this article as soon as I get the exam results from Microsoft.
I am so happy and grateful now that I received the final report for the SC-300 Microsoft Identity and Access Administrator with a passing score as shown in the report below!
Updated on 18/02/2022 – For the renewal assessment, I got 22 questions in total without any case study.
Exam Target Audience
The Microsoft Identity and Access Administrator designs, implements, and operates an organization’s identity and access management systems by using Azure Active Directory (AAD). They manage tasks such as providing secure authentication and authorization access to enterprise applications. The administrator provides seamless experiences and self-service management capabilities for all users. Adaptive access and governance are core elements of the role. This role is also responsible for troubleshooting, monitoring, and reporting on the identity and access environment.
The Identity and Access Administrator may be a single individual or a member of a larger team. This role collaborates with many other roles in the organization to drive strategic identity projects to modernize identity solutions, implement hybrid identity solutions, and implement identity governance.
Prerequisites Study Resources
If you are new to the Identity and Access Administrator role, these references can help you understand security fundamentals.
- Introduction to Azure Security
- Azure identity management security overview
- Security, Compliance, and Identity Fundamentals
- SC-900 Part 1: Describe the concepts of security, compliance, and identity
- SC-900 Part 2: Describe the capabilities of Microsoft identity and access management
- SC-900 Part 3: Describe the capabilities of Microsoft security solutions
- SC-900 Part 4: Describe the capabilities of Microsoft compliance solutions
- Microsoft Azure Well-Architected Framework Security
Skills measured on this exam
This exam measures your ability to accomplish the technical topics listed below based on the latest update from Microsoft.
Links to relevant reading from the official Microsoft documentation for each skill tested are listed below to help you prepare:
Implement identities in Azure AD (20-25%)
Configure and manage an Azure AD tenant
- Configure and manage Azure AD directory roles
- Configure and manage custom domains
- Configure and manage device registration options
- Configure delegation by using administrative units
- Configure tenant-wide settings
Create, configure, and manage Azure AD identities
- Create, configure, and manage users
- Create, configure, and manage groups
- Manage licenses
Implement and manage external identities
- Manage external collaboration settings in Azure Active Directory
- Invite external users (individually or in bulk)
- Manage external user accounts in Azure Active Directory
- Configure identity providers (social and SAML/WS-fed)
Implement and manage hybrid identity
- Implement and manage Azure Active Directory Connect (AADC)
- Implement and manage Password Hash Synchronization (PHS)
- Implement and manage Pass-Through Authentication (PTA)
- Implement and manage seamless Single Sign-On (SSO)
- Implement and manage Federation excluding manual ADFS deployments
- Implement and manage Azure Active Directory Connect Health
- Troubleshoot synchronization errors
Learning Path: Implement an Identity management solution
Implement authentication and access management (25-30%)
Plan, implement, and manage Azure Multifactor Authentication (MFA) and self-service password reset
- Plan Azure MFA deployment (excluding MFA Server)
- Implement and manage Azure MFA settings
- Manage MFA settings for users
Plan, implement, and manage Azure AD user authentication
- Administer authentication methods (FIDO2 / Passwordless)
- Implement an authentication solution based on Windows Hello for Business
- Configure and deploy self-service password reset
- Deploy and manage password protection
- Implement and manage tenant restrictions
Plan, implement, and manage Azure AD conditional access
- Plan and implement security defaults
- Plan conditional access policies
- Implement conditional access policy controls and assignments (targeting, applications, and conditions)
- Testing and troubleshooting conditional access policies
- Implement application controls
- Implement session management
- Configure smart lockout thresholds
Manage Azure AD Identity Protection
- Implement and manage a user risk policy
- Implement and manage sign-in risk policies
- Implement and manage the MFA registration policy
- Monitor, investigate, and remediate elevated risky users
Implement access management for Azure resources
- Assign Azure roles
- Configure custom Azure roles
- Create and configure managed identities
- Use managed identities to access Azure resources
- Analyze Azure role permissions
- Configure Azure Key Vault RBAC and policies
Learning Path: Implement an Authentication and Access Management solution
Implement Access Management for Applications (15-20%)
Manage and monitor application access by using Microsoft Defender for Cloud Apps
- Discover and manage apps by using Microsoft Defender for Cloud Apps
- Configure connectors to apps
- Implement application-enforced restrictions
- Configure conditional access app control
- Create access and session policies in Microsoft Defender for Cloud Apps
- Implement and manage policies for OAuth apps
Plan, implement, and monitor the integration of Enterprise applications
- Implement and configure consent settings
- Discover apps by using MCAS or ADFS app report
- Design and implement access management for apps
- Design and implement app management roles
- Monitor and audit access / Sign-Ons to Azure Active Directory-integrated enterprise applications
- Integrate on-premises apps by using Azure AD application proxy
- Integrate custom SaaS apps for SSO
- Configure pre-integrated (gallery) SaaS apps
- Implement application user provisioning
Plan and implement application registrations
- Plan your line of business application registration strategy
- Implement application registrations
- Configure application permissions
- Implement application authorization
- Plan and configure multi-tier application permissions
Learning Path: Implement Access Management for Apps
Plan and implement Identity Governance in Azure AD (20-25%)
Plan and implement entitlement management
- Define catalogs / Define access packages
- Plan, implement and manage entitlements
- Manage the lifecycle of external users in Azure AD Identity Governance settings
Plan, implement and manage access reviews
- Plan for access reviews
- Create access reviews for groups and apps
- Monitor access review findings
- Manage licenses for access reviews
- Automate access review management tasks
- Configure recurring access reviews
Plan and implement privileged access
- This article covers all of the Privileged Identity Management (PIM) topics below:
- Define a privileged access strategy for administrative users (resources, roles, approvals, thresholds)
- Configure Privileged Identity Management for Azure AD roles
- Configure Privileged Identity Management for Azure resources
- Assign roles
- Manage PIM requests
- Analyze PIM audit history and reports
- Create and manage break-glass accounts
Monitor Azure Active Directory
- Analyze and investigate sign-in logs to troubleshoot access issues
- Review and monitor Azure AD audit logs
- Enable and integrate Azure AD diagnostic logs with Log Analytics / Azure Sentinel
- Export sign-in and audit logs to a third-party SIEM
- Review Azure AD activity by using Log Analytics / Azure Sentinel (excluding KQL use)
- Analyze Azure Active Directory workbooks/reporting
- Configure notifications
Learning Path: Plan and implement an identity governance strategy
MS-500 | Microsoft 365 Certified: Security Administrator Associate
I have included the MS-500 older exam here as an example of the overall skills measured in this exam.
You can see that it measures your skills on a broad range of security solutions compared to the new exams which are more specific.
- Implement and manage identity and access
- Implement and manage threat protection
- Implement and manage information protection
- Manage governance and compliance features in Microsoft 365
If you are interested in taking the MS-500 exam, please check my step-by-step guide on how to prepare for and pass the MS-500 exam successfully.
SC-300 Training Labs
There are several workshops that might be of interest to identity and access administrators. Check the following step-by-step hands-on labs developed by Microsoft Cloud Workshop (MCW) that will help you to gain more practical experience:
- Hybrid identity: Learn to set up and configure a hybrid identity solution that integrates an existing on-premises identity solution with Azure.
- Security baseline on Azure: Implement Azure Security Center and Microsoft Compliance Manager to ensure a secure and privacy-focused cloud-based architecture that follows compliance standards.
You can also check the following stand-alone labs prepared by Microsoft for the SC-300 course:
- Lab 01: Manage user roles
- Lab 02: Working with tenant properties
- Lab 03: Assigning licenses using group membership
- Lab 04: Configure external collaboration settings
- Lab 05: Add guest users to the directory
- Lab 06: Add a federated identity provider
- Lab 07: Add Hybrid Identity with Azure AD Connect
- Lab 08: Enable Azure AD multi-factor authentication
- Lab 09: Enable Azure AD self-service password reset
- Lab 10: Azure AD Authentication for Windows and Linux Virtual Machines
- Lab 11: Assign Azure resource roles in Privileged Identity Management
- Lab 12: Manage Azure AD smart lockout values
- Lab 13: Implement and test a conditional access policy
- Lab 14: Enable sign-in and user risk policies
- Lab 15: Configure an Azure AD multi-factor authentication registration policy
- Lab 16: Using Azure Key Vault for Managed Identities
- Lab 17: Defender for Cloud Apps application discovery and enforcing restrictions
- Lab 18: Defender for Cloud Apps Access Policies
- Lab 19: Register an application
- Lab 20: Implement access management for apps
- Lab 21: Grant tenant-wide admin consent to an application
- Lab 22: Create and manage a catalog of resources in Azure AD entitlement management
- Lab 24: Manage the lifecycle of external users in Azure AD Identity Governance settings
- Lab 25: Creating Access Reviews for Internal and External Users
- Lab 26: Configure Privileged Identity Management for Azure AD roles
- Lab 27: Microsoft Sentinel Kusto Queries for Azure AD data sources
- Lab 28: Monitor and manage security posture with Identity Secure Score
If you have access to a LinkedIn Learning platform, then I highly recommend going through the following fast preparation path in just 2 hours:
At the time of this writing, there are two books that you can use to prepare for this exam.
The first one is the official Exam Ref SC-300 Microsoft Identity and Access Administrator from Microsoft Press by Pearson. This Exam Ref book organizes its coverage by exam objectives and features strategically. It focuses on helping modern IT professionals demonstrate real-world mastery of designing, implementing, and operating an organization’s identity and access management systems by using Azure AD.
You can place the order now; the publication date for the Exam Ref book is December 28th, 2022.
The second book, Microsoft Identity and Access Administrator Exam Guide, is published by Packt Publishing and written by fellow Microsoft MVP and security expert Dwayne Natwick. You can purchase this book from Amazon.
The book starts with an overview of the SC-300 exam and helps you understand identity and access management. As you progress to the implementation of IAM solutions, you’ll learn to deploy secure identity and access within Microsoft 365 and Azure Active Directory.
This book is for cloud security engineers, Microsoft 365 administrators, Microsoft 365 users, Microsoft 365 identity administrators, and anyone who wants to learn about IAM and gain SC-300 certification. It would help if you had a basic understanding of the basic services within Microsoft 365 and Azure Active Directory before getting started with this book.
Practice, practice, and read… I cannot stress enough that hands-on experience and understanding of all the security concepts in Azure Active Directory will help you to pass this exam. The key to success in passing this exam is to work with Microsoft Azure on a daily basis, especially with identity governance and conditional access.
As announced by Microsoft Worldwide Learning due to the pandemic situation, it appears they have suspended performance-based lab questions given their need to reserve Azure capacity for paying customers. So you better get your exams registered as soon as possible to take advantage of this situation.
The biggest subject areas that I saw on the SC-300 exam are the following:
- Azure Active Directory (Azure AD)
- Conditional Access
- Identity Governance
- Azure AD Connect
- Multi-Factor Authentication
- Application Proxy
- App registrations
- Custom domain names
- Sign-in logs
- Audit Logs
- Password reset
- Azure AD Security Groups
- Monitoring (Diagnostic settings)
- Azure AD Privileged Identity Management (PIM)
- Azure AD Identity Protection
Overall, I think Microsoft Worldwide Learning is doing a good job of gradually shaping these exams to reflect real-world Azure security best practice scenarios. The SC-300 exam is logically organized and focused solely on Azure AD identity and security.
Validate your skills
If you wish to validate your skills before taking the real exam, I highly encourage you to purchase the following practice test:
SC-300: Microsoft Identity and Access Administrator Microsoft Official Practice Test.
The MeasureUp SC-300: Microsoft Identity and Access Administrator practice test from Mindhub is designed to help you prepare for and pass the Microsoft SC-300 exam. This exam is aimed at access administrators who want to validate their skills. You should have knowledge of how to design, implement, and operate an organization’s identity and access management systems, and you should know how to use Azure Active Directory for this purpose.
Exam SC-300: FAQs
How long is the SC-300 exam?
The exam duration is 120 minutes (2 hours).
Does SC-300 have labs?
Microsoft has started introducing lab questions in the exam, so you should prepare for performance-based testing (PBT) lab questions and expect to see them on the SC-300 exam. It’s important to know that you do NOT have to wait for deployments to complete in these performance-based (lab) tests.
As long as the deployment passes validation, you’re good to go, because every minute counts on the exam.
Check the hands-on labs above for the best way of demonstrating ability.
How many questions are in the SC-300 exam?
The number of questions can vary between 40 and 60.
Schedule SC-300 Exam
At the time of this writing, Microsoft launched the SC-300 exam in beta mode. If you would like to take the beta exam and receive the 80% discount*, use the code below when prompted for payment:
This exam is out of the beta phase now and it’s public. The beta code above is NOT available anymore.
Once you are ready, click Schedule exam here and take it online from the comfort of your home/office with proctor supervision.
If you are planning to take this exam… I wish you all the best and Happy Studying!!!
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.