SC-300 recently had a minor update, just some reorganization and slight wording changes. If you have already passed other Microsoft exams where AAD is a large part of the score, such as MS-500, AZ-500, MS-100 and MS-101 you probably already know quite a few of the topics the exam covers, so it shouldn’t be too hard an exam to prepare for, but there are two main things to think about as you commence.

The first thing to watch out for when you are preparing for this exam include not accidentally going in without knowledge of changes that have occurred with Azure Active Directory features over time. Not just new features, but enhancements to what may have been included for a while now. Where this is most likely to happen is when you haven’t worked too closely with the technology, especially premium functionality has expanded dramatically.

The example that I always like to use is Access Reviews, which were originally focused on Privileged Identity Management for Azure AD roles, but have expanded across Azure roles, groups and applications, for example. It’s easy to miss this kind of change when you aren’t always being exposed to new functionality as it is being introduced.

The second thing to consider with your preparation is whether your AAD exposure is mostly from within Microsoft 365 workloads, or with Azure workloads. This is going to change what you need to focus on for the exam, examples include app registrations being something that Microsoft 365 focused exam takers should take a look at, and Microsoft 365 groups being something that Azure admins may not have much exposure to. There are more than these two things, just make sure you are targeting features that you haven’t been exposed to, or that you have very limited exposure to.

Implement an identity management solution (25-30%)

Implement initial configuration of Azure Active Directory

configure and manage Azure AD directory roles
configure and manage custom domains
configure and manage device registration options
- What is device management in Azure AD?
- What are Azure AD registered devices?
configure delegation by using administrative units
- Administrative units
configure tenant-wide settings
- About the Microsoft 365 admin center

Create, configure, and manage identities

create, configure, and manage users
- Add or delete a new user
create, configure, and manage groups
- Overview of Microsoft 365 Groups for administrators
manage licenses
- Subscriptions, licenses, and tenants
- Manage user accounts and licenses

Implement and manage external identities

manage external collaboration settings in Azure Active Directory
- Configure external collaboration settings
invite external users (individually or in bulk)
- Add guest users in the portal
- Add guest users with PowerShell
manage external user accounts in Azure Active Directory
- Permissions and sharing
configure identity providers (social and SAML/WS-fed)
- SAML authentication

Implement and manage hybrid identity

implement and manage Azure Active Directory Connect (AADC)
- Hybrid Identity Design Considerations Overview
- Set up directory synchronization for Microsoft 365
implement and manage Azure AD Connect cloud sync
- What is Azure AD Connect cloud sync?
- Cloud sync configuration
implement and manage Password Hash Synchronization (PHS)
- What is password hash synchronization?
implement and manage Pass-Through Authentication (PTA)
- What is pass-through authentication?
implement and manage seamless Single Sign-On (SSO)
- What is Single Sign-On?
implement and manage Federation excluding manual ADFS deployments
- Managing federation with Azure AD Connect
implement and manage Azure Active Directory Connect Health
- Azure AD Connect Health Operations
troubleshoot synchronization errors
- Errors during synchronization

Implement an authentication and access management solution (25-30%)

Plan and implement Azure Multifactor Authentication (MFA)

plan Azure MFA deployment (excluding MFA Server)
- Determine multi-factor auth requirements
implement and manage Azure MFA settings
- How it works: Azure Multi-Factor Authentication
manage MFA settings for users
- Tutorial: Secure user sign-in events with Azure AD Multi-Factor Authentication

Manage user authentication

administer authentication methods (FIDO2 / Passwordless)
- Authentication methods
implement an authentication solution based on Windows Hello for Business
- Windows Hello for Business Deployment Overview
configure and deploy self-service password reset
- How it works: Azure AD self-service password reset
deploy and manage password protection
- Eliminate bad passwords using Azure Active Directory Password Protection
implement and manage tenant restrictions
- Tenant restrictions
configure smart lockout thresholds
- Prevent attacks using smart loc kout

Plan, implement, and administer conditional access

plan and implement security defaults
- Azure Active Directory security defaults
plan conditional access policies
- Common ways to use conditional access
implement conditional access policy controls and assignments (targeting, applications, and conditions)
- Create and assign conditional access policy
testing and troubleshooting conditional access policies
- Monitor conditional access
implement application controls
- Cloud apps or actions in Conditional Access policy
implement session management
- Protect apps with Session Control in Cloud App Security

Manage Azure AD Identity Protection

implement and manage a user risk policy
- Configure the user risk policy
implement and manage sign-in risk policy
- Configure the sign-in risk policy
implement and manage MFA registration policy
- MFA and PIM
monitor, investigate and remediate elevated risky users
- Simulate risk events

Implement Access Management for Apps (10-15%)

Plan, implement, and monitor the integration of Enterprise Apps for Single Sign-On (SSO)

implement and configure consent settings
- Managing consent to applications and evaluating consent requests
discover apps by using MCAS or ADFS app report
- Discover and manage shadow IT in your network
- Discovered apps with Cloud App Security
design and implement access management for apps
- App access options
design and implement app management roles
- Enterprise application permissions for custom roles in Azure Active Directory
monitor and audit access / Sign-ins to Azure Active Directory integrated enterprise applications
- Sign-in logs
integrate on-premises apps by using Azure AD application proxy
- Application Proxy
integrate custom SaaS apps for SSO
- Add an app
configure pre-integrated (gallery) SaaS apps
- Add an app
implement application user provisioning
- SaaS application tutorials

Implement app registrations

plan your line of business application registration strategy
- Register app or web API
implement application registrations
- App scenarios and authentication flows
configure application permissions
- Review permissions granted to apps
implement application authorization
- Authentication vs. authorization
plan and configure multi-tier application permissions
- Single tenant and multi-tenant apps

Plan and implement an Identity Governance Strategy (25-30%)

Plan and implement entitlement management

define catalogs
- Create & manage a catalog of resources in entitlement management – Azure AD
define access packages
- Create a new access package
plan, implement and manage entitlements
- Common scenarios in Azure AD entitlement management
implement and manage terms of use
- Require terms o f use
manage the lifecycle of external users in Azure AD Identity Governance settings
- Review and remove users from external organizations

Plan, implement, and manage access reviews

plan for access reviews
- Plan Access review deployment
create access reviews for groups and apps
- Create an access review
monitor access review findings
- Review access
manage licenses for access reviews
- License requirements
automate access review management tasks
- Access reviews
configure recurring access reviews
- Automate actions based on Access Reviews

Plan and implement privileged access

define a privileged access strategy for administrative users (resources, roles, approvals, thresholds)
- Deploy PIM
configure Privileged Identity Management for Azure AD roles
- Management capabilities for Azure AD roles in Privileged Identity Management
configure Privileged Identity Management for Azure resources
- Discover Azure resources
assign roles
- Assign Azure AD roles in Privileged Identity Management
- Assign Azure resource roles in Privileged Identity Management
manage PIM requests
- Approve or deny requests for Azure AD roles in Privileged Identity Management
- Approve or deny requests for Azure resource roles in Privileged Identity Management
analyze PIM audit history and reports
- View audit history for Azure AD roles in Privileged Identity Management
- View activity and audit history for Azure resource roles in Privileged Identity Management
create and manage break-glass accounts
- Create emergency accounts

Monitor and maintain Azure Active Directory

analyze and investigate sign-in logs to troubleshoot access issues
- Sign-in logs
review and monitor Azure AD audit logs
- Audit logs
enable and integrate Azure AD diagnostic logs with Log Analytics / Azure Sentinel
- Log analytics wizard
export sign-in and audit logs to a third-party SIEM
- Stream logs to event hub
review Azure AD activity by using Log Analytics / Azure Sentinel, excluding KQL use
- Connect Azure Active Directory data to Azure Sentinel
- Install and use the log analytics views for Azure AD
analyze Azure Active Directory workbooks / reporting
- How to use Azure AD workbooks
configure notifications
- Alert on an activity log event

intunedin.net