Practice Test #1

Pass. Modifying the properties of the IT administrator user accounts can meet the goal because the access review is configured to use “(Preview) Manager” as the reviewer. That setting relies on each reviewed user having the Manager attribute populated in Microsoft Entra ID. If the Manager field is missing for users, Entra ID cannot determine who should review and will send the request to the configured fallback reviewer (Megan Bowen), which matches the observed behavior. To ensure each department manager receives the reviews for their department, you must set each IT admin’s Manager to the correct department manager (or ensure it is correctly synchronized from on-premises AD if hybrid). Once managers are correctly assigned, review requests will be routed to those managers and only users without a manager will go to the fallback reviewer. The alternative (not chosen here) would be changing the review configuration to use specific reviewers per group, but the proposed solution directly addresses the dependency of the “Manager” reviewer type.

Pass. The correct action order to enable real-time session-level monitoring with Microsoft Cloud App Security (Defender for Cloud Apps) is: 1) Publish App1 in Azure Active Directory (Azure AD) (so it’s an enterprise app integrated with Entra ID for SSO/Conditional Access targeting). 2) From Microsoft Cloud App Security, modify the Connected apps settings for App1 (configure/onboard the app for Conditional Access App Control/reverse proxy so sessions can be monitored). 3) From Microsoft Cloud App Security, create a session policy (defines the real-time monitoring/controls such as monitor-only, block download, protect downloads, etc.). 4) Create a conditional access policy that has session controls configured (set “Use Conditional Access App Control” to route sessions through the proxy and enforce the session policy). Why others are wrong if ordered differently: creating the Conditional Access policy before the app is published/onboarded can’t correctly target or proxy the app; creating session policy without enabling proxy routing won’t enforce in real time.

Yes. The “User administrator” role is a Microsoft Entra ID (Azure AD) built-in directory role. It grants permissions to manage users and groups (for example, create and delete users, reset passwords for non-admin users, manage group membership), depending on tenant settings and role scope. In the scenario, User1 must be configured with the User administrator role, so the correct selection is Yes. This is not an Exchange, Purview, or Intune RBAC role; it is specifically a directory role used for identity administration. On the exam, keywords like “administrator role” for users/groups typically indicate Entra directory roles unless the question explicitly says “role group” (Exchange) or “compliance role” (Purview) or “Intune role” (Endpoint Manager).

Yes. “Device Administrators” is a Microsoft Entra ID (Azure AD) directory role (often seen as “Azure AD Joined Device Local Administrator” capability). Members can be granted local administrator rights on Azure AD-joined devices, depending on device settings. Because the requirement states User1 needs the Device Administrators role, the correct answer is Yes. This is not an Intune RBAC role; Intune RBAC controls management actions inside Intune, whereas “Device Administrators” is a directory role controlling device-level local admin assignment behavior for Azure AD-joined devices. For SC-300, recognize that device-related directory roles still live in Entra ID, not in Exchange or Purview.

Yes. “Identity Governance Administrator” is a Microsoft Entra ID (Azure AD) built-in role used to manage identity governance features such as entitlement management, access reviews, and lifecycle workflows (depending on licensing and feature availability). Since User1 must be configured with the Identity Governance Administrator role, the correct selection is Yes. This is not a Purview compliance role; despite the word “governance,” identity governance is an Entra capability (access packages, access reviews) and is administered through Entra admin experiences. On the exam, “Identity Governance” strongly signals Entra ID rather than Microsoft Purview.

Yes. “Records Management” is a Microsoft Purview (Microsoft 365 compliance) role used for managing records management features such as retention labels, record declaration, and disposition reviews (depending on configuration). Because User2 must be configured with the Records Management role, the correct answer is Yes. This is not an Entra directory role and not an Exchange role group. In exam terms, anything involving retention, records, eDiscovery, audit, or compliance policies is typically assigned in the Microsoft 365 compliance (Purview) portal using compliance role groups/permissions.

Yes. “Quarantine Administrator” is an Exchange Online/EOP-related role group that allows managing quarantined messages (view, release, report). In Microsoft 365, quarantine is part of email security operations tied to Exchange Online Protection/Defender for Office 365. Therefore, if User2 must have the Quarantine Administrator role group, the correct selection is Yes. This is not a Purview records/compliance permission and not an Entra directory role. The key exam clue is the phrase “role group” and the term “Quarantine,” which is administered under Exchange/security mail flow controls rather than Entra ID.

Yes. “Endpoint Security Manager” is an Intune (Microsoft Endpoint Manager) RBAC role. It is used to manage endpoint security features within Intune, such as security baselines, endpoint security policies (AV, firewall, disk encryption), and related configurations. Because User3 must be configured with the Endpoint Security Manager role, the correct answer is Yes. This is not an Entra directory role (those are tenant-wide identity roles) and not an Exchange/Purview role. On SC-300, remember that Intune RBAC roles are assigned in the Endpoint Manager admin center, and they control actions within Intune’s management plane.

Yes. “Intune Role Administrator” is an Intune RBAC role that allows managing Intune roles and assignments (RBAC administration) within Microsoft Endpoint Manager. Since User3 must be configured with the Intune Role Administrator role, the correct selection is Yes. This is distinct from Entra roles like Privileged Role Administrator; Intune Role Administrator is scoped to Intune RBAC. The exam pattern: if the role name explicitly contains “Intune,” it is managed in the Microsoft Endpoint Manager admin center, not in Entra admin center.

User1 should be configured in the Azure Active Directory admin center (Microsoft Entra admin center). User1’s required roles—User administrator, Device Administrators, and Identity Governance Administrator—are all Microsoft Entra ID (Azure AD) directory roles. Directory roles are assigned and managed in the Entra/Azure AD portal under Roles and administrators (or via Privileged Identity Management if eligible/just-in-time is used). Exchange admin center is for Exchange role groups, Microsoft 365 compliance center is for Purview compliance permissions, and Endpoint Manager is for Intune RBAC. Therefore, the correct portal for User1 is the Azure Active Directory admin center.

User2 is mapped to the Microsoft 365 compliance center because the Records Management role is a Microsoft Purview compliance role assigned there. However, Quarantine Administrator is an Exchange Online/EOP role group and would normally be assigned in the Exchange admin center. Since this drag-and-drop requires one portal per user, the expected answer is the compliance center for User2 based on the Records Management requirement. The other options are not appropriate overall: Azure AD is for Entra directory roles, Endpoint Manager is for Intune RBAC, and SharePoint admin center is unrelated.

User3 should be configured in the Microsoft Endpoint Manager admin center. Both required roles—Endpoint Security Manager and Intune Role Administrator—are Intune RBAC roles. Intune RBAC roles are created/assigned and scoped (to groups, scope tags, and role assignments) in the Endpoint Manager admin center (Intune admin center). These permissions govern what the user can do inside Intune (device configuration, endpoint security policies, RBAC management). They are not assigned in the Azure AD admin center (unless you are assigning Entra directory roles) and are unrelated to Exchange or Purview. Therefore, the correct portal for User3 is Microsoft Endpoint Manager admin center.