SC-300 無料問題集「Microsoft Identity and Access Administrator」
You work for a company named Contoso, Ltd. that has a Microsoft Entra tenant named contoso.com. Contoso is working on a project with the following two partner companies:
* A company named A Datum Corporation that has a Microsoft Entra tenant named adatum.com
* A company named Fabrikam, Inc. that has a Microsoft Entra tenant named fabtikam.com When you attempt to invite a new guest user from adatum.com to contoso.com, you receive an error message.
You can successfully invite a new guest user from fabiikam.com to contoso.com. You need to be able to invite new guest users from adatum.com to contoso.com. What should you configure?
* A company named A Datum Corporation that has a Microsoft Entra tenant named adatum.com
* A company named Fabrikam, Inc. that has a Microsoft Entra tenant named fabtikam.com When you attempt to invite a new guest user from adatum.com to contoso.com, you receive an error message.
You can successfully invite a new guest user from fabiikam.com to contoso.com. You need to be able to invite new guest users from adatum.com to contoso.com. What should you configure?
正解:B
解答を投票する
You have an Azure subscription that is linked to a Microsoft Entra tenant. The tenant contains a registered app named App1. You have a partner organization that has a Microsoft Entra tenant. The tenant contains a registered app named App2. You need to ensure that App1 can access App2.
Which two types of credentials can App1 use? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
Which two types of credentials can App1 use? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
正解:A、B
解答を投票する
You have an Azure Active Directory (Azure AD) tenant that contains a user named SecAdmin1. SecAdmin1 is assigned the Security administrator role.
SecAdmin1 reports that she cannot reset passwords from the Azure AD Identity Protection portal.
You need to ensure that SecAdmin1 can manage passwords and invalidate sessions on behalf of nonadministrative users. The solution must use the principle of least privilege.
Which role should you assign to SecAdmin1?
SecAdmin1 reports that she cannot reset passwords from the Azure AD Identity Protection portal.
You need to ensure that SecAdmin1 can manage passwords and invalidate sessions on behalf of nonadministrative users. The solution must use the principle of least privilege.
Which role should you assign to SecAdmin1?
正解:D
解答を投票する
解説: (JPNTest メンバーにのみ表示されます)
You have an Azure subscription named Sub1 that contains three users named User1. User2, and User3. Sub1 has a storage account named storage1 that contains the resources shown in the following table.
Sub1 contains the users shown in the following table.
Which users can read File1, and which users can read File2? To answer, select the appropriate options in the answer area. NOTE; Each correct selection is worth one point.
Sub1 contains the users shown in the following table.
Which users can read File1, and which users can read File2? To answer, select the appropriate options in the answer area. NOTE; Each correct selection is worth one point.
正解:
Explanation:
You have an Azure AD tenant.
You perform the tasks shown in the following table.
On April 5, an administrator deletes App1, App2, App3, and App4.
You need to restore the apps and the settings.
Which apps can you restore on April 16, and which settings can you restore for App4 on April 16? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
You perform the tasks shown in the following table.
On April 5, an administrator deletes App1, App2, App3, and App4.
You need to restore the apps and the settings.
Which apps can you restore on April 16, and which settings can you restore for App4 on April 16? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
正解:
Explanation:
Task 10
You need to create a group named Audit. The solution must ensure that the members of Audit can activate the Security Reader role.
You need to create a group named Audit. The solution must ensure that the members of Audit can activate the Security Reader role.
正解:
See the Explanation for the complete step by step solution.
Explanation:
To create a group named "Audit" and ensure that its members can activate the Security Reader role, follow these steps:
* Open the Microsoft Entra admin center:
* Sign in with an account that has the Security Administrator or Global Administrator role.
* Navigate to Groups:
* Go to Teams & groups > Active teams and groups1.
* Create the security group:
* Select Add a security group.
* On the Set up the basics page, enter "Audit" as the group name.
* Add a description if necessary and choose Next1.
* Edit settings:
* On the Edit settings page, select whether you want Microsoft Entra roles to be assignable to this group and select Next1.
* Assign roles:
* After creating the group, go to Roles > All roles.
* Find and select the Security Reader role.
* Under Assignments, choose Assign.
* Select the "Audit" group to assign the role to its members2.
* Review and finish:
* Review the settings to ensure the "Audit" group is created with the ability for its members to activate the Security Reader role.
* Finish the setup and save the changes.
By following these steps, you will have created the "Audit" group and enabled its members to activate the Security Reader role, which allows them to view security-related information without having permissions to change it. Remember to communicate the new group and role assignment to the relevant stakeholders in your organization.
Explanation:
To create a group named "Audit" and ensure that its members can activate the Security Reader role, follow these steps:
* Open the Microsoft Entra admin center:
* Sign in with an account that has the Security Administrator or Global Administrator role.
* Navigate to Groups:
* Go to Teams & groups > Active teams and groups1.
* Create the security group:
* Select Add a security group.
* On the Set up the basics page, enter "Audit" as the group name.
* Add a description if necessary and choose Next1.
* Edit settings:
* On the Edit settings page, select whether you want Microsoft Entra roles to be assignable to this group and select Next1.
* Assign roles:
* After creating the group, go to Roles > All roles.
* Find and select the Security Reader role.
* Under Assignments, choose Assign.
* Select the "Audit" group to assign the role to its members2.
* Review and finish:
* Review the settings to ensure the "Audit" group is created with the ability for its members to activate the Security Reader role.
* Finish the setup and save the changes.
By following these steps, you will have created the "Audit" group and enabled its members to activate the Security Reader role, which allows them to view security-related information without having permissions to change it. Remember to communicate the new group and role assignment to the relevant stakeholders in your organization.
You need to implement the planned changes and technical requirements for the marketing department.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
正解:
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-organization
You have a Microsoft 365 tenant.
You need to Identity users who have leaked credentials. The solution must meet the following requirements:
* Identity sign-ms by users who are suspected of having leaked credentials.
* Flag the sign-ins as a high-risk event.
* Immediately enforce a control to mitigate the risk, while still allowing the user to access applications.
What should you use? To answer, select the appropriate options m the answer area.
You need to Identity users who have leaked credentials. The solution must meet the following requirements:
* Identity sign-ms by users who are suspected of having leaked credentials.
* Flag the sign-ins as a high-risk event.
* Immediately enforce a control to mitigate the risk, while still allowing the user to access applications.
What should you use? To answer, select the appropriate options m the answer area.
正解:
Explanation:
Task 7
You need to lock out accounts for five minutes when they have 10 failed sign-in attempts.
You need to lock out accounts for five minutes when they have 10 failed sign-in attempts.
正解:
See the Explanation for the complete step by step solution.
Explanation:
To configure the account lockout settings so that accounts are locked out for five minutes after 10 failed sign- in attempts, you can follow these steps:
* Open the Microsoft Entra admin center:
* Sign in with an account that has the Security Administrator or Global Administrator role.
* Navigate to the lockout settings:
* Go to Security > Authentication methods > Password protection.
* Adjust the Smart Lockout settings:
* Set the Lockout threshold to 10 failed sign-in attempts.
* Set the Lockout duration (in minutes) to 5.
Please note that by default, smart lockout locks an account from sign-in after 10 failed attempts in Azure Public and Microsoft Azure operated by 21Vianet tenants1. The lockout period is one minute at first, and longer in subsequent attempts. However, you can customize these settings to meet your organization's requirements if you have Microsoft Entra ID P1 or higher licenses for your users1.
Explanation:
To configure the account lockout settings so that accounts are locked out for five minutes after 10 failed sign- in attempts, you can follow these steps:
* Open the Microsoft Entra admin center:
* Sign in with an account that has the Security Administrator or Global Administrator role.
* Navigate to the lockout settings:
* Go to Security > Authentication methods > Password protection.
* Adjust the Smart Lockout settings:
* Set the Lockout threshold to 10 failed sign-in attempts.
* Set the Lockout duration (in minutes) to 5.
Please note that by default, smart lockout locks an account from sign-in after 10 failed attempts in Azure Public and Microsoft Azure operated by 21Vianet tenants1. The lockout period is one minute at first, and longer in subsequent attempts. However, you can customize these settings to meet your organization's requirements if you have Microsoft Entra ID P1 or higher licenses for your users1.
You have an Azure Active Directory (Azure AD) tenant that contains an administrative unit named Department1.
Department1 has the users shown in the Users exhibit. (Click the Users tab.)
Department1 has the groups shown in the Groups exhibit. (Click the Groups tab.)
Department1 has the user administrator assignments shown in the Assignments exhibit. (Click the Assignments tab.)
The members of Group2 are shown in the Group2 exhibit. (Click the Group2 tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Department1 has the users shown in the Users exhibit. (Click the Users tab.)
Department1 has the groups shown in the Groups exhibit. (Click the Groups tab.)
Department1 has the user administrator assignments shown in the Assignments exhibit. (Click the Assignments tab.)
The members of Group2 are shown in the Group2 exhibit. (Click the Group2 tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
正解:
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units