SC-300 recently received a minor update, and my guidance for preparing for it doesn’t really change. If you have already passed other Microsoft exams where AAD is a large part of the score, such as MS-500, AZ-500, MS-100 and MS-101 you probably already know quite a few of the topics the exam covers, so it shouldn’t be too hard an exam to prepare for, but there are two main things to think about as you commence.

The first thing to watch out for when you are preparing for this exam include not accidentally going in without knowledge of changes that have occurred with Azure Active Directory features over time. Not just new features, but enhancements to what may have been included for a while now. Where this is most likely to happen is when you haven’t worked too closely with the technology, especially premium functionality has expanded dramatically.

The example that I always like to use is Access Reviews, which were originally focused on Privileged Identity Management for Azure AD roles, but have expanded across Azure roles, groups and applications, for example. It’s easy to miss this kind of change when you aren’t always being exposed to new functionality as it is being introduced.

The second thing to consider with your preparation is whether your AAD exposure is mostly from within Microsoft 365 workloads, or with Azure workloads. This is going to change what you need to focus on for the exam, examples include app registrations being something that Microsoft 365 focused exam takers should take a look at, and Microsoft 365 groups being something that Azure admins may not have much exposure to. There are more than these two things, just make sure you are targeting features that you haven’t been exposed to, or that you have very limited exposure to.

Implement identities in Azure AD (20—25%)

Configure and manage an Azure AD tenant

• configure and manage Azure AD roles
  • Assign roles to users
  • View and assign roles
• configure delegation by using administrative units
  • Administrative units
• analyze Azure AD role permissions
  • About admin roles
• configure and manage custom domains
  • Add domain
  • Domains FAQ
  • Can I add custom subdomains or multiple domains to Microsoft 365?
  • How do I change the default domain in Microsoft 365?
• configure tenant-wide settings
  • About the Microsoft 365 admin center

Create, configure, and manage Azure AD identities

• create, configure, and manage users
  • Add or delete a new user
• create, configure, and manage groups
  • Overview of Microsoft 365 Groups for administrators
• configure and manage device join and registration, including writeback
  • What is device management in Azure AD?
  • What are Azure AD registered devices?
  • Plan your Azure AD device deployment
  • Azure AD joined devices
  • Hybrid Azure AD joined devices
• assign, modify, and report on licenses
  • Subscriptions, licenses, and tenants
  • Manage user accounts and licenses

Implement and manage external identities

• manage external collaboration settings in Azure AD
  • Configure external collaboration settings
• invite external users, individually or in bulk
  • Add guest users in the portal
  • Add guest users with PowerShell
• manage external user accounts in Azure AD
  • Permissions and sharing
• configure identity providers including SAML or WS-fed
  • SAML authentication

Implement and manage hybrid identity

• implement and manage Azure AD Connect
  • Hybrid Identity Design Considerations Overview
  • Set up directory synchronization for Microsoft 365
• implement and manage Azure AD Connect cloud sync
  • What is Azure AD Connect cloud sync?
  • Cloud sync configuration
• implement and manage Password Hash Synchronization (PHS)
  • What is password hash synchronization?
• implement and manage Pass-Through Authentication (PTA)
  • What is pass-through authentication?
• implement and manage seamless Single Sign-On (SSO)
  • What is Single Sign-On?
• implement and manage Federation excluding manual ADFS deployments
  • Managing federation with Azure AD Connect
• implement and manage Azure Active Directory Connect Health
  • Azure AD Connect Health Operations
• troubleshoot synchronization errors
  • Errors during synchronization

Implement authentication and access management (25-30%)

Plan, implement, and manage Azure Multifactor Authentication (MFA) and
self-service password reset

• plan Azure MFA deployment (excluding MFA Server)
  • Determine multi-factor auth requirements
• configure and deploy self-service password reset
  • How it works: Azure AD self-service password reset
• implement and manage Azure MFA settings
  • How it works: Azure Multi-Factor Authentication
• manage MFA settings for users
  • Tutorial: Secure user sign-in events with Azure AD Multi-Factor Authentication
• extend Azure AD MFA to third party and on-premises devices
  • Plan integration with on-premises systems
• monitor Azure AD MFA activity
  • MFA Reports
  • Authentication methods activity

Plan, implement, and manage Azure AD user authentication

• plan for authentication
  • Azure Active Directory deployment plans
  • Determine identity requirements
• implement and manage authentication methods
  • Authentication methods
• implement and manage Windows Hello for Business
  • Windows Hello for Business Deployment Overview
• Implement and manage password protection and smart lockout
  • Eliminate bad passwords using Azure Active Directory Password Protection
  • Prevent attacks using smart lockout
• Implement certificate-based authentication in Azure AD
  • Overview of Azure AD certificate-based authentication
• Configure Azure AD user authentication for Windows and Linux virtual machines on Azure
  • Azure Linux VMs and Azure AD
  • Azure Windows VMs and Azure AD

Plan, implement, and administer conditional access

• plan conditional access policies
  • Common ways to use conditional access
  • Azure Active Directory security defaults
• implement conditional access policy controls
  • Create and assign conditional access policy
• implement conditional access policy assignments
  • Create and assign conditional access policy
• test and troubleshooting conditional access policies
  • Monitor conditional access
• implement session management
  • Protect apps with Session Control in Microsoft Defender for Cloud Apps
• implement device-enforced restrictions
  • Create a device compliance policy
• Implement continuous access evaluation
  • Continuous access evaluation
• Create a conditional access policy from a template
  • Conditional Access templates

Manage Azure AD Identity Protection

• implement and manage a user risk policy
  • Configure the user risk policy
• implement and manage sign-in risk policy
  • Configure the sign-in risk policy
• implement and manage MFA registration policy
  • MFA and PIM
• monitor, investigate and remediate elevated risky users
  • Simulate risk events
• Implement security for workload identities
  • Securing workload identities

Implement access management for Azure resources

• Assign Azure roles
  • Elevate access to manage all Azure subscriptions and management groups  
  • Add or change Azure subscription administrators  
  • What is Azure role-based access control (Azure RBAC)?
• Configure custom Azure roles
  • Create Custom Azure Roles
• Create and configure managed identities
  • About managed identities for Azure resources
• Use managed identities to access Azure resources
  • Managed identity best practice recommendations
• Analyze Azure role permissions
  • List Azure role assignments using the Azure portal 
• Configure Azure Key Vault RBAC and policies
  • Secure access to a key vault
  • Provide Key Vault authentication with a managed identity
  • Azure Policy built-in policy definitions for Key Vault
  • Best practices for Azure RBAC

Implement Access Management for Applications (15-20%)

Manage and monitor application access by using Microsoft Defender for Cloud
Apps

• Discover and manage apps by using Microsoft Defender for Cloud Apps
  • Discover and manage shadow IT in your network
  • Discovered apps with Cloud App Security
• Configure connectors to apps
  • Azure Information Protection integration
  • SIEM integration
  • External DLP integration
  • Integrate with PowerAutomate
  • API tokens
• Implement application-enforced restrictions
  • Discovered apps with Cloud App Security
• Configure conditional access app control
  • Cloud apps or actions in Conditional Access policy
• Create access and session policies in Microsoft Defender for Cloud Apps
  • Policy template reference
  • Control cloud apps with policies
• Implement and manage policies for OAUTH apps
  • Manage OAuth apps

Plan, implement, and monitor the integration of Enterprise Applications

• configure and manage user and admin consent
  • Managing consent to applications and evaluating consent requests
• discover apps by using ADFS application activity reports
  • Use the AD FS application activity report
• design and implement access management for apps
  • App access options
• design and implement app management roles
  • Enterprise application permissions for custom roles in Azure Active Directory
• monitor and audit activity in enterprise applications
  • Sign-in logs
• design and implement integration for on-premises apps by using Azure AD application proxy
  • Application Proxy
• design and implement integration for SaaS apps
  • Add an app
• provision and manage users, groups, and roles on Enterprise applications
  • Add an app
• implement application user provisioning
  • SaaS application tutorials
• create and manage application collections
  • Create collections

Plan and implement application registrations

• plan for application registrations
  • Register app or web API
• implement application registrations
  • App scenarios and authentication flows
• configure application permissions
  • Review permissions granted to apps
• implement application authorization
  • Authentication vs. authorization
• plan and configure multi-tier application permissions
  • Single tenant and multi-tenant apps
• Manage and monitor applications by using App governance
  • Protect and govern your apps

Plan and implement an Identity Governance Strategy (20-25%)

Plan and implement entitlement management

• plan entitlements
  • Common scenarios in Azure AD entitlement management
• create and configure catalogs
  • Create & manage a catalog of resources in entitlement management – Azure AD
• create and manage access packages
  • Create a new access package
• Manage access requests
  • Approve or deny access requests in Azure AD entitlement management
• implement and manage terms of use
  • Require terms of use
• manage the lifecycle of external users in Azure AD Identity Governance settings
  • Review and remove users from external organizations
• configure and manage connected organizations
  • Add a connected organization
• review per-user entitlements by using Azure AD Entitlement management
  • What is entitlement management?

Plan, implement, and manage access reviews

• plan for access reviews
  • Plan Access review deployment
• create and configure access reviews for groups and apps
  • Create an access review
• Create and configure access review programs
  • Prepare for an app access review
• monitor access review activity
  • Review access
• manage licenses for access reviews
  • License requirements
• respond to access review activity, including automated and manual responses
  • Access reviews
  • Automate actions based on Access Reviews

Plan and implement privileged access

• plan and manage Azure roles in Privileged Identity Management (PIM), including settings and assignments
  • Deploy PIM
  • Assign Azure AD roles in Privileged Identity Management
  • Assign Azure resource roles in Privileged Identity Management
  • Management capabilities for Azure AD roles in Privileged Identity Management
• plan and manage Azure resources in PIM, including settings and assignments
  • Discover Azure resources
• plan and configure Privileged Access groups
  • Management capabilities for Privileged Access groups
• manage PIM requests and approvals process
  • Approve or deny requests for Azure AD roles in Privileged Identity Management
  • Approve or deny requests for Azure resource roles in Privileged Identity Management
• analyze PIM audit history and reports
  • View audit history for Azure AD roles in Privileged Identity Management
  • View activity and audit history for Azure resource roles in Privileged Identity Management
• create and manage break-glass accounts
  • Create emergency accounts

Monitor Azure AD

• design a strategy for monitoring Azure AD
  • Azure AD monitoring
• review and analyze sign-in, audit, and provisioning logs by using the Azure Active Directory Admin Center
  • Sign-in logs
  • Audit logs
• configure diagnostic settings, including Log Analytics, Storage Accounts, and Event Hub
  • Log analytics wizard
  • Stream logs to event hub
• monitor Azure AD by using Log Analytics, including KQL queries
  • Install and use the log analytics views for Azure AD
  • Connect Azure Active Directory data to Microsoft Sentinel
  • Alert on an activity log event
• analyze Azure AD by using workbooks and reporting in the Azure Active Directory Admin Center
  • how to use Azure AD workbooks
• monitor and improve the security posture by using the Identity Secure Score
  • Identity secure score