Summary | SC‑300 Study Portal

SC-300 Master Summary Sheets

Module 1: Implement Initial Configuration of Microsoft Entra ID

Core Concepts

Area	Key Points
Tenant Basics	Entra ID tenant = dedicated instance of Microsoft cloud identity service. Each tenant has a global unique name (contoso.onmicrosoft.com).
Default Domain	Created automatically. You can add custom domains (must be DNS-verified).
Licensing	Free, P1, P2. P1 adds Conditional Access; P2 adds Identity Governance.
Company Branding	Add logo, background, custom helpdesk URL for sign-in pages.
Directory Roles	Global Admin (highest), User Admin, Billing Admin, etc. Use PIM for JIT elevation.
Organizational Relationships	Create connections with external tenants for collaboration.
Security Defaults	Enforce MFA for admins and block legacy authentication (on by default).
Admin Units (AUs)	Logical containers to delegate admin rights by department or region.
Tenant Properties	Name, domain, licenses, branding, and usage location.

Exam Focus

Know difference between tenant, subscription, and directory.
Security defaults vs Conditional Access.
Where to configure company branding (Entra Admin Center → Identity → Overview → Branding).

Module 2: Create, Configure, and Manage Identities

Identity Types

Type	Description
Cloud-only	Created in Entra ID only.
Synchronized	From on-prem AD via Entra Connect.
Federated	Authenticates using external IdP (e.g., AD FS).

User Management

User creation: Portal, PowerShell, Graph API.
Bulk create: CSV upload.
Attributes: userPrincipalName, objectId, immutableId.
License assignment: Manual or group-based.

Group Management

Security Groups – manage access.
Microsoft 365 Groups – collaboration.
Dynamic Membership – auto-add based on attributes (P1).

Administrative Units

Delegate admin control to region/division.
Scoped role assignments (e.g., “User Administrator for HR AU only”).

Password Management

Self-Service Password Reset (SSPR).
Combine SSPR + MFA for secure recovery.

Hybrid Identities

Set up Entra Connect for synchronization.
Configure filtering, writeback, and password hash sync.

Exam Focus

Attributes: SourceAnchor ↔ ImmutableId.
When to use Pass-through Auth, Federation, or Password Hash Sync.
Understand hard vs soft match in sync scenarios.

Module 3: Implement and Manage Hybrid Identity

Identity Synchronization

Microsoft Entra Connect handles import, sync, export.
SourceAnchor uniquely identifies objects (often objectGUID).
Configure OU filtering, attribute filtering, writeback features.

Authentication Methods

Method	Description	Use Case
Password Hash Sync (PHS)	Hash of on-prem password synced to Entra.	Simple, resilient.
Pass-Through Authentication (PTA)	Auth happens on-prem via agent.	When password must stay on-prem.
Federation (AD FS)	Uses WS-Federation/SAML to redirect login.	Complex SSO or custom policies.

Entra Connect Health

Monitors sync, AD FS, and on-prem identity health.
Requires Entra ID Premium P1.
Agents upload telemetry → Azure portal.

Common Sync Errors

Error	Cause	Fix
InvalidSoftMatch	Duplicate ProxyAddresses/UPN.	Remove duplicates.
ObjectTypeMismatch	Same attribute used by different object types.	Fix conflicting entry.
AttributeValueMustBeUnique	Duplicate unique attribute values.	Correct duplication.
FederatedDomainChangeError	UPN moved between federated domains.	Re-sync or adjust domain federation.
LargeObject	Attribute exceeds schema limit.	Reduce attribute size.

Hybrid Identity Tools

Connect Health portal → alerts, metrics.
PowerShell & Graph → troubleshooting.

Exam Focus

Understand how Entra Connect operations work: Import → Sync → Export.
Recognize sync error causes & resolutions.
Remember port 443 (and optional 5671) for Connect Health agents.

Module 4: Implement and Manage External Identities

B2B Collaboration

Invite external users (partners, vendors) as Guests.
Guests authenticate with their own credentials (work, Google, OTP, etc.).
Guest UserType = Guest, identifiable by #EXT# in UPN.

Invitation & Redemption

Admins can invite individually or in bulk via CSV.
Redemption checks for existing Entra/Google/MSA account → redirects accordingly.
Email one-time passcode (OTP) used if no IdP found.

External Collaboration Settings

Setting	Purpose
Guest invite control	Who can invite (admins, guest inviters, all users).
Guest access level	What guests can see (most restrictive = own profile only).
Domain allow/block lists	Control which external domains can be invited.

Managing Guest Accounts

View under Users → All Users → Filter: Guest.
Use PIM to grant temporary admin roles.
Can change UserType (Member/Guest) via PowerShell (but not recommended).
Use Dynamic Groups to apply Conditional Access to all guests.

Dynamic Groups

Auto-manage membership using rules (user.userType eq "Guest").
Require Entra ID Premium P1/P2.

Verified ID

Decentralized identity using verifiable credentials.
Entities: Issuer, Holder, Verifier.
Needs Entra Premium, Key Vault, and tenant setup.

Federation & IdPs

Provider	Type	Purpose
SAML / WS-Fed	Enterprise IdPs (AD FS, Okta).	Use existing org accounts.
Google	Social (Gmail only).	B2B sign-in via Google OAuth.
Facebook	Social (for self-service sign-up only).	Public app registration.

Note: Federated domain must not be DNS-verified in any Entra tenant.

Cross-Tenant Access Controls

Type	Description
Inbound Access	External users accessing your tenant.
Outbound Access	Your users accessing partner tenants.
Trust Settings	Accept MFA/device compliance from partner.
Org-Specific Rules	Customize per partner tenant.
B2B Direct Connect	Mutual trust → Teams shared channels SSO.

Governance

Use Access Reviews for guests.
Apply Conditional Access to enforce MFA.
Regularly audit inactive guests.

Exam Focus

B2B vs B2C difference.
UserType meaning & management.
Federation setup attributes (SAML assertions, redirect URIs).
Cross-tenant inbound/outbound and Direct Connect behavior.
Verified ID roles (issuer / holder / verifier).

📘 Quick Recall Table

Topic	Remember This
SourceAnchor = ImmutableID	Links on-prem AD → Entra object.
Security Defaults	Basic MFA & legacy-auth block (no CA needed).
PHS vs PTA vs Federation	PHS = simplest, PTA = on-prem auth, Federation = custom SSO.
Dynamic Groups	Attribute-based; require Premium P1.
Entra Connect Health	Needs port 443 and Premium P1.
Guest Invites	Controlled in External Collaboration Settings.
Cross-Tenant Access	Inbound/outbound + MFA trust.
Verified ID	Decentralized, privacy-focused credentialing.

✅ Final SC-300 Strategy Tips

Understand relationships — Tenant ↔ Subscription ↔ Directory.
Memorize core portals — Entra Admin Center (entra.microsoft.com), M365 Admin Center (admin.microsoft.com).
Know key roles:
Global Admin = full control.
Guest Inviter = can invite external users.
User Admin = manage users/groups only.
Scenario readiness: expect case-based questions — “Contoso merges with Fabrikam,” “setup hybrid identity,” etc.
Use least privilege & governance mindset — recurring exam theme.
Conditional Access + MFA + Dynamic Groups = Microsoft’s secure foundation.

SC-300 Rapid Review Handbook

Comprehensive summary of all four modules of Microsoft’s SC-300: Microsoft Identity and Access

Administrator certification exam.

Module 1: Implement Initial Configuration of Microsoft Entra ID

Covers foundational setup of tenants, domains, and administrative settings for Microsoft Entra ID

(Azure AD).

Core Concepts

Tenant = unique Entra ID instance; domain = namespace like contoso.com; subscription = billing

container.

Add and verify custom domains. Configure company branding and security defaults to enforce MFA

and block legacy auth.

Exam Focus

Understand tenant vs directory, role types, and where to apply branding and defaults.

Module 2: Create, Configure, and Manage Identities

Identity Types

• Cloud-only – Created in Entra ID. • Directory-synced – From on-prem AD. • Federated – Auth via

external IdP.

Groups and Licensing

Security and Microsoft 365 groups; use dynamic membership for automation. Group-based

licensing simplifies management.

Exam Focus

Understand UPN, ImmutableID, and synchronization models (PHS, PTA, Federation).

Module 3: Implement and Manage Hybrid Identity

Synchronization and Authentication

Microsoft Entra Connect performs import, sync, and export. SourceAnchor links AD to Entra

(ImmutableID).

Authentication options: Password Hash Sync, Pass-through Auth, Federation via AD FS.

Common Errors

InvalidSoftMatch, ObjectTypeMismatch, AttributeValueMustBeUnique – caused by duplicate

attributes or misaligned source anchors.

Exam Tip

Know how Connect Health monitors AD FS and sync health. Port 443 required. Premium P1 license

needed.

Module 4: Implement and Manage External Identities

B2B Collaboration

Invite external users as Guests. Guests use own credentials. Controlled via External Collaboration

settings (who can invite, visibility level).

Federation and Identity Providers

Supports SAML/WS-Fed IdPs, Google, and Facebook federation. Enables external sign-ins without

Microsoft accounts.

Cross-Tenant Access and Direct Connect

Control inbound/outbound access and trust MFA/compliance. Direct Connect enables Teams

shared channels across tenants.

Verified ID

Decentralized identity for issuing verifiable credentials. Involves Issuer, Holder, and Verifier roles.

Exam Focus

Know difference between B2B, B2C, and Direct Connect. Remember where to configure settings:

Entra Admin Center ® External Identities.

Final Review Tips

1. Memorize relationship between Tenant, Subscription, and Directory.

2. Security defaults = baseline MFA; Conditional Access = customizable MFA.

3. PHS (simple), PTA (on-prem auth), Federation (custom SSO).

4. Use Dynamic Groups + Conditional Access for automated governance.

5. Review federation claim requirements for SAML and WS-Fed IdPs.

6. Understand Verified ID purpose: decentralized identity management.

7. Always apply least privilege and review guest accounts regularly.

SC‑300 Study Portal Dark