SC-300: Microsoft Identity and Access Administrator

Plan, implement, and manage Microsoft Entra user authentication

• Plan for authentication
• Implement and manage authentication methods
• Implement and manage tenant-wide Multi-factor Authentication (MFA) settings
• Manage per-user MFA settings
• Configure and deploy self-service password reset (SSPR)
• Implement and manage Windows Hello for Business
• Disable accounts and revoke user sessions
• Implement and manage password protection and smart lockout
• Enable Microsoft Entra Kerberos authentication for hybrid identities
• Implement certificate-based authentication in Microsoft Entra

Plan, implement, and manage Microsoft Entra Conditional Access

• Plan Conditional Access policies
• Implement Conditional Access policy assignments
• Implement Conditional Access policy controls
• Test and troubleshoot Conditional Access policies
• Implement session management
• Implement device-enforced restrictions
• Implement continuous access evaluation
• Create a Conditional Access policy from a template

Manage risk by using Microsoft Entra ID Protection

• Implement and manage user risk policies
• Implement and manage sign-in risk policies
• Implement and manage MFA registration policies
• Monitor, investigate and remediate risky users
• Monitor, investigate, and remediate risky workload identities

Implement access management for Azure resources by using Azure roles

• Create custom Azure roles, including both control plane and data plane permissions
• Assign built-in and custom Azure roles
• Evaluate effective permissions for a set of Azure roles
• Assign Azure roles to enable Microsoft Entra ID login to Azure virtual machines
• Configure Azure Key Vault role-based access control (RBAC) and access policies

Plan and implement identities for applications and Azure workloads

• Select appropriate identities for applications and Azure workloads, including managed identities, service principals, user accounts, and managed service accounts
• Create managed identities
• Assign a managed identity to an Azure resource
• Use a managed identity assigned to an Azure resource to access other Azure resources

Plan, implement, and monitor the integration of enterprise applications

• Configure and manage user and admin consent
• Discover apps by using AD FS application activity reports
• Plan and implement settings for enterprise applications, including application-level and tenant-level settings
• Assign appropriate Microsoft Entra roles to users to manage enterprise applications
• Monitor and audit activity in enterprise applications
• Design and implement integration for on-premises apps by using Microsoft Entra Application Proxy
• Design and implement integration for software as a service (SaaS) apps
• Assign, classify, and manage users, groups, and app roles for enterprise applications
• Create and manage application collections

Plan and implement app registrations

• Plan for app registrations
• Create app registrations
• Configure app authentication
• Configure API permissions
• Create app roles

Manage and monitor app access by using Microsoft Defender for Cloud Apps

• Configure and analyze cloud discovery results by using Defender for Cloud Apps
• Configure connected apps
• Implement application-enforced restrictions
• Configure Conditional Access app control
• Create access and session policies in Defender for Cloud Apps
• Implement and manage policies for OAuth apps
• Manage the Cloud app catalog

Plan and implement entitlement management in Microsoft Entra

• Plan entitlements
• Create and configure catalogs
• Create and configure access packages
• Manage access requests
• Implement and manage terms of use (ToU)
• Manage the lifecycle of external users
• Configure and manage connected organizations

Plan, implement, and manage access reviews in Microsoft Entra

• Plan for access reviews
• Create and configure access reviews
• Monitor access review activity
• Manually respond to access review activity

Plan and implement privileged access

• Plan and manage Azure roles in Microsoft Entra Privileged Identity Management (PIM), including settings and assignments
• Plan and manage Azure resources in PIM, including settings and assignments
• Plan and configure privileged access groups
• Manage the PIM request and approval process
• Analyze PIM audit history and reports
• Create and manage break-glass accounts

Monitor identity activity by using logs, workbooks, and reports

• Design a strategy for monitoring Microsoft Entra
• Review and analyze sign-in, audit, and provisioning logs by using the Microsoft Entra admin center
• Configure diagnostic settings, including configuring destinations such as Log Analytics workspaces, storage accounts, and event hubs
• Monitor Microsoft Entra by using KQL queries in Log Analytics
• Analyze Microsoft Entra by using workbooks and reporting
• Monitor and improve the security posture by using Identity Secure Score

Plan and implement Microsoft Entra Permissions Management

• Onboard Azure subscriptions to Permissions Management
• Evaluate and remediate risks relating to Azure identities, resources, and tasks
• Evaluate and remediate risks relating to Azure highly privileged roles
• Evaluate and remediate risks relating to Permissions Creep Index (PCI) in Azure
• Configure activity alerts and triggers for Azure subscriptions