SC-300 Practice Questions

In Azure, enabling a system-assigned managed identity on a virtual machine is done on the VM resource itself. With the Az PowerShell module, you first retrieve the VM object and then update it to enable the identity. The correct sequence is to call Get-AzVM to load VM1 into a vari able and then Update-AzVM -IdentityType SystemAssigned to turn on the built-in identity for that VM. After the identity is enabled, Azure AD automatically creates a service principal that represents the VM’s managed identity. To add this identity to an Azure AD security group (Group1), you must reference that service principal. The Az.Resources cmdlet Get-AzADServicePrincipal -DisplayName " vm1 " returns the service principal object for the VM’s system-assigned identity. You then look up the target group with Get-AzADGroup and add the service principal as a member using Add-AzureADGroupMember , passing the group’s ObjectId and the service principal’s Id. This aligns with Microsoft guidance that VM system-assigned identities are represented in Entra ID as service principals , and that group membership operations use the service principal’s object id when adding an application/managed identity to a group.

Filled script:

$vm = Get-AzVM -ResourceGroupName myResourceGroup -Name vm1

Update-AzVM -ResourceGroupName myResourceGroup -VM $vm -IdentityType SystemAssigned

$displayname = Get-AzADServicePrincipal -DisplayName " vm1 "

$group = Get-AzADGroup -SearchString " group1 "

Add-AzureADGroupMember -ObjectId $group.Id -RefObjectId $displayname.Id

In SC-300 materials covering Microsoft Entra application identities and managed identities for Azure resources, an app you register in the tenant is represented for access control by a service principal : “An application registration creates an application object in its home tenant and a corresponding service principal in any tenant where the app is used. The service principal is the identity used for sign-in, consent, and authorization to resources.” This aligns with App1 being a registered app that must authenticate to Storage by Microsoft Entra; the principal you grant roles to on the storage account is the service principal of that app.

For App2, the requirement is to access Storage “by using a single Microsoft Entra identity” while the workload runs on two VMs (VM1 and VM2). SC-300 explains: “A user-assigned managed identity is an independent Azure resource. You can assign the same user-assigned identity to one or more Azure resources.” In contrast, “A system-assigned managed identity is enabled on a single Azure resource and is deleted with that resource.” Because App2 must share one identity across multiple hosts, the correct choice is a user-assigned managed identity , which provides a single, reusable identity whose lifecycle is separate from VM1 and VM2 and can be granted Storage roles once and used by both machines.

In the SC-300 coverage of Azure AD Connect and Identity Governance, Microsoft explains that to surface a custom on-premises attribute in Azure AD you must enable Directory extensions in Azure AD Connect. The guide states that “Directory extensions lets you synchronize additional attributes from on-premises Active Directory to Azure AD so they are available in the cloud directory for apps and policy.” This is the supported way to bring a custom attribute (here, LWLicenses ) from the litware.com forest into Azure AD so it can be referenced by cloud features such as dynamic group rules. Domain filtering or optional features do not expose a new attribute to Azure AD; directory extensions does.

For license automation, the SC-300 materials on group-based licensing and dynamic groups emphasize that “licenses can be assigned to Azure AD groups; group members then inherit the licenses, and when membership changes, licenses are added or removed automatically.” They further note that “dynamic user groups evaluate rules against user attributes to add or remove users without manual effort,” and that “nested groups are not supported for license inheritance—only direct members receive licenses.” Using the synced LWLicenses attribute in a Dynamic User group rule (for example, user.extensionAttribute… -eq " E5 " ) ensures users are automatically added to the correct group and therefore receive the specified licenses without administrative intervention, fully meeting Litware’s requirement to “manage the assignment of Azure AD licenses by modifying the value of the LWLicenses attribute.”

SC-300 materials stress that to enforce modern controls (like MFA) on on-premises apps, you must front them with Azure AD so Conditional Access can evaluate sign-ins. The documentation states that Azure AD Application Proxy “ provides secure remote access to on-premises applications ” and that apps published through it can have “ Conditional Access policies, including multifactor authentication ” applied at sign-in. In other words, once the legacy app is published by Application Proxy, Azure AD sits in the path, enabling you to meet the requirement to enforce MFA when accessing on-premises applications and to combine it with your location-based exemptions.

For SharePoint Online restrictions, SC-300 points to Microsoft Cloud App Security (Defender for Cloud Apps) for real-time governance: you can create session policies that “ control and limit activities in real time ” and, for SharePoint Online and other Microsoft 365 apps, “ monitor user sessions and block download, cut, copy, and print ” when conditions (device state, risk, or location) warrant it. Since the scenario already has anomaly detections enabled, configuring Cloud App Security policies aligns directly with the requirement to place access restrictions on SharePoint Online without altering tenant-wide consent settings. Thus, publish on-prem apps with Application Proxy to bring them under Conditional Access (for MFA), and use Cloud App Security policies to enforce SharePoint Online session and download controls.

Server1

On DC1

Azure AD Password Protection has two components: the DC agent (installed on domain controllers) and the proxy service (installed on one or more member servers). The SC-300 materials and Microsoft Identity Governance guidance explain that the proxy service is required when domain controllers do not have direct internet access. The proxy retrieves the password protection policy and custom banned password list from Azure AD over outbound HTTPS and makes it available to DC agents. The documentation further states that you should deploy at least one proxy per forest and two for high availability, and that domain controllers do not need internet connectivity when a proxy is deployed. In this scenario, DCs are explicitly blocked from internet access, so the proxy must be placed on member servers. Both SERVER1 (Application Proxy connector) and SERVER2 (Azure AD Connect) are domain-joined member servers with internet connectivity and are appropriate locations for the AzureADPasswordProtectionProxy service; selecting both provides the recommended redundancy. The custom banned password list is configured in Azure AD at the tenant level (as part of Azure AD Password Protection settings), not on individual servers. Once configured, the policy and list are downloaded by the proxy and enforced by the DC agent during password set or change operations, satisfying the requirement to implement a banned password list for the litware.com forest.