Practice Free SC-300 Exam Online Questions – Page 3

Question #21

You have an Azure subscription that contains a user named User1 and an Azure Key Vault named Vault1.

You need to ensure that User1 can read the metadata of certificates, keys, and secrets stored in Vault1. The solution must follow the principle of least privilege.

Which role should you assign to User1?

A . Key Vault Crypto User
B . Key Vault Crypto Officer
C . Key Vault Reader
D . Key Vault Secrets User

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Comprehensive and Detailed In-Depth

Let’s break this down step by step based on Azure Key Vault roles, permissions, and the principle of least privilege, as outlined in Microsoft Identity and Access Administrator documentation. Understanding Azure Key Vault and the Requirement:

Azure Key Vault is a service that securely stores and manages cryptographic keys, secrets, and certificates. It uses role-based access control (RBAC) to manage permissions for users, groups, and applications.

The question requires that User1 canread the metadata of certificates, keys, and secrets in Vault1. In Azure Key Vault, "metadata" refers to the properties of these objects (e.g., name, creation date, expiration date), not the actual content (e.g., the secret value, key value, or certificate private key). The solution must follow the principle of least privilege, meaning User1 should be granted the minimum permissions necessary to perform the task, without access to unnecessary actions (e.g., modifying or deleting objects).

Azure Key Vault RBAC Roles and Permissions:

Azure Key Vault supports built-in RBAC roles that define specific permissions for managing keys, secrets, and certificates. Let’s examine each role in the options: Key Vault Crypto User:

This role allows a user to perform cryptographic operations using keys (e.g., encrypt, decrypt, sign, verify) and to read key metadata.

Permissions include: Microsoft.KeyVault/vaults/keys/read (read key metadata) and cryptographic operations like encrypt, decrypt, etc.

However, this role does not grant permissions to read metadata for secrets or certificates, and it includes cryptographic operation permissions, which are not needed for the task. Key Vault Crypto Officer:

This role is designed for managing keys and performing cryptographic operations. It includes permissions to create, delete, update, and read keys, as well as perform cryptographic operations. Permissions include: Microsoft.KeyVault/vaults/keys/* (full control over keys).

This role does not grant access to secrets or certificates and provides more permissions than needed

(e.g., create, delete), violating the principle of least privilege.

Key Vault Reader:

This role provides read-only access to the metadata of all objects in the Key Vault (keys, secrets, and certificates).

Permissions include: Microsoft.KeyVault/vaults/read (read vault properties) and Microsoft.KeyVault/vaults/*/read (read metadata for keys, secrets, and certificates). Importantly, this role does not allow access to the actual content of the objects (e.g., the secret value, key value, or certificate private key), only the metadata. It also does not allow write operations (e.g., create, update, delete).

This aligns perfectly with the requirement to "read the metadata" and follows the principle of least privilege.

Key Vault Secrets User:

This role allows a user to read the content of secrets (not just metadata) and perform operations like getting the secret value.

Permissions include: Microsoft.KeyVault/vaults/secrets/get (read secret values) and Microsoft.KeyVault/vaults/secrets/read (read secret metadata).

This role does not grant access to keys or certificates, and it provides more access than needed (reading the secret value, not just metadata), violating the principle of least privilege. Applying the Principle of Least Privilege:

The task requires User1 to read the metadata of certificates, keys, and secrets, but not to access their content or perform any write operations.

Key Vault Readeris the most appropriate role because:

It grants read-only access to the metadata of all objects (keys, secrets, certificates).

It does not allow access to the content of the objects (e.g., secret values), which is not required.

It does not allow write operations (e.g., create, delete), adhering to the principle of least privilege. The other roles either provide too much access (e.g., Key Vault Crypto Officer, Key Vault Secrets User) or do not cover all required objects (e.g., Key Vault Crypto User, Key Vault Secrets User).

Analysis of the Options:

Question #22

You have a Microsoft 365 tenant.

You have an Active Directory domain that syncs to the Azure Active Directory {Azure AD) tenant. Users connect to the internet by using a hardware firewall at your company. The users authenticate to the firewall by using their Active Directory credentials.

You plan to manage access to external applications by using Azure AD.

You need to use the firewall logs to create a list of unmanaged external applications and the users who access them.

What should you use to gather the information?

A . Cloud App Discovery in Microsoft Defender for Cloud Apps
B . enterprise applications in Azure AD
C . access reviews in Azure AD
D . Application Insights in Azure Monitor

Reveal Solution Hide Solution

Question #23

You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint Online site named Site1. You need to be notified if a user downloads more than 50 files in one minute from Site1.

Which type of policy should you create in the Microsoft Defender for Cloud Apps portal?

A . session policy
B . anomaly detection policy
C . activity policy
D . file policy

Reveal Solution Hide Solution

Question #24

You have an Azure AD tenant.

You deploy a new enterprise application named App1.

When users attempt to provide App1 with access to the tenant, the attempt fails.

You need to ensure that the users can request admin consent for App1. The solution must follow the principle of least privilege.

What should you do first?

A . Enable admin consent requests for the tenant.
B . Designate a reviewer of admin consent requests for the tenant.
C . From the Permissions settings of App1, grant App1 admin consent for the tenant
D . Create a Conditional Access policy for Appl.

Reveal Solution Hide Solution

Question #25

HOTSPOT

You need to create the LWGroup1 group to meet the management requirements.

How should you complete the dynamic membership rule? To answer, drag the appropriate values to the correct targets. Each value may be used once, more than once, or not at all. You many need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Question #26

You have an Azure Active Directory (Azure AD) tenant.

You create an enterprise application collection named HR Apps that has the following settings:

• Applications: Appl. App?, App3

• Owners: Admin 1

• Users and groups: HRUsers

AH three apps have the following Properties settings:

• Enabled for users to sign in: Yes

• User assignment required: Yes

• Visible to users: Yes

Users report that when they go to the My Apps portal, they only sue App1 and App2-You need to ensure that the users can also see App3.

What should you do from App3? What should you do from App3?

A . From Users and groups, add HRUsers.
B . Prom Properties, change User assignment required to No.
C . From Permissions, review the User consent permissions.
D . From Single sign on, configure a sign-on method.

Reveal Solution Hide Solution

Question #27

You create the Azure Active Directory (Azure AD) users shown in the following table.

On February 1, 2021, you configure the multi-factor authentication (MFA) settings as shown in the following exhibit.

The users authentication to Azure AD on their devices as shown in the following table.

On February 26, 2021, what will the multi-factor auth status be for each user?

A)

A . Option A
B . Option B
C . Option C
D . Option D

Reveal Solution Hide Solution

Question #28

HOTSPOT

You have a Microsoft 365 tenant that has 5,000 users. One hundred of the users are executives. The executives have a dedicated support team.

You need to ensure that the support team can reset passwords and manage multi-factor authentication (MFA) settings for only the executives. The solution must use the principle of least privilege.

Which object type and Azure Active Directory (Azure AD) role should you use? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Question #29

You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint Online site named Site1.

You need to ensure that users can request access to Site. the solution must meet the following requirements.

• Automatically approve requests from users based on their group membership.

• Automatically remove the access after 30 days

What should you do?

A . Create a Conditional Access policy.
B . Create an access package.
C . Configure Role settings in Azure AD Privileged Identity Management.
D . Create a Microsoft Defender for Cloud Apps access policy.

Reveal Solution Hide Solution

Question #30

HOTSPOT

You have a Microsoft 365 E5 subscription.

You need to create a dynamic user group that will include all the users that do NOT have a department defined in their user profile.

How should you complete the membership rule? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

1 2 3 4 5 6 7 8 9 10

Exams