SC-300 recently received a very minor update with some product names, but a few months back it received a major update. The October 2023 update had some new topics being added, the biggest addition being Entra Permissions Management and cross-tenant settings and synchronisations. There has also been some restructuring, along with Entra naming replacing the existing Azure AD naming.
If you have already passed other Microsoft exams where Entra is a large part of the score, such as AZ-500, MS-102 or the recently retired MS-500, MS-100 and MS-101, you probably already know quite a few of the topics the exam covers, so it shouldn’t be too hard an exam to prepare for, but there are two main things to think about as you commence.
The first thing to watch out for when you are preparing for this exam include not accidentally going in without knowledge of changes that have occurred with Entra features over time. Not just new features, but enhancements to what may have been included for a while now. Where this is most likely to happen is when you haven’t worked too closely with the technology, especially premium functionality has expanded dramatically.
The example that I always like to use is Access Reviews, which were originally focused on Privileged Identity Management for Microsoft Entra ID roles, but have expanded across Azure roles, groups and applications, for example. It’s easy to miss this kind of change when you aren’t always being exposed to new functionality as it is being introduced.
The second thing to consider with your preparation is whether your Entra exposure is mostly from within Microsoft 365 workloads, or with Azure workloads. This is going to change what you need to focus on for the exam, examples include app registrations being something that Microsoft 365 focused exam takers should take a look at, and Microsoft 365 groups being something that Azure admins may not have much exposure to. There are more than these two things, just make sure you are targeting features that you haven’t been exposed to, or that you have very limited exposure to.
Implement identities in Microsoft Entra ID (20—25%)
Configure and manage a Microsoft Entra tenant
- Configure and manage built-in and custom Microsoft Entra roles
- Recommend when to use administrative units
- Configure and manage administrative units
- Evaluate effective permissions for Microsoft Entra roles
- Configure and manage custom domains
- Configure Company branding settings
- Configure tenant properties, user settings, group settings, and device settings
Create, configure, and manage Microsoft Entra identities
- Create, configure, and manage users
- Create, configure, and manage groups
- Manage custom security attributes
- Automate the management of users and groups by using PowerShell
- Assign, modify, and report on licenses
Implement and manage identities for external users and tenants
- Manage External collaboration settings in Microsoft Entra ID
- Invite external users, individually or in bulk
- Manage external user accounts in Microsoft Entra ID
- Implement Cross-tenant access settings
- Implement and manage cross-tenant synchronization
- Configure identity providers, including SAML and WS-Fed
- Create and manage a Microsoft Entra B2C tenant (Microsoft Entra External ID)
Implement and manage hybrid identity
- Implement and manage Microsoft Entra Connect
- Implement and manage Microsoft Entra Connect cloud sync
- Implement and manage password hash synchronization
- Implement and manage pass-through authentication
- Implement and manage seamless single sign-on (SSO)
- Implement and manage federation, excluding manual Active Directory Federation Services (AD FS) deployments
- Implement and manage Microsoft Entra Connect Health
- Troubleshoot synchronization errors
Implement authentication and access management (25-30%)
Plan, implement, and manage Microsoft Entra ID user authentication
- Plan for authentication
- Implement and manage authentication methods
- Implement and manage tenant-wide Multi-factor Authentication (MFA) settings
- Manage per-user MFA settings
- Configure and deploy self-service password reset (SSPR)
- Implement and manage Windows Hello for Business
- Disable accounts and revoke user sessions
- Implement and manage password protection and smart lockout
- Enable Microsoft Entra Kerberos authentication for hybrid identities
- Implement certificate-based authentication in Microsoft Entra ID
Plan, implement, and administer conditional access
- Plan Conditional Access policies
- Implement Conditional Access policy assignments
- Implement Conditional Access policy controls
- Test and troubleshooting Conditional Access policies
- implement session management
- Implement device-enforced restrictions
- Implement continuous access evaluation
- Create a Conditional Access Policy from a template
Manage Microsoft Entra ID Identity Protection
- Implement and manage user risk policies
- Implement and manage sign-in risk policies
- Implement and manage MFA registration policies
- Monitor, investigate and remediate risky users
- Monitor, investigate and remediate risky workload identities
Implement access management for Azure resources
- Create custom Azure roles, including both control plane and data plane permissions
- Assign built-in and custom Azure roles
- Evaluate effective permissions for a set of Azure roles
- Assign Azure roles to enable Microsoft Entra ID login to Azure virtual machines
- Configure Azure Key Vault RBAC and policies
Plan and implement workload identities (20–25%)
Plan and implement identities for applications and Azure workloads
- Select appropriate identities for applications and Azure workloads, including managed identities, service principals, user accounts, and managed service accounts
- Create managed identities
- Assign a managed identity to an Azure resource
- Use a managed identity assigned to an Azure resource to access other Azure resources
Plan, implement, and monitor the integration of enterprise applications
- Configure and manage user and admin consent
- Discover apps by using AD FS application activity reports
- Plan and implement settings for enterprise applications, including application-level and tenant-level settings
- Assign appropriate Microsoft Entra roles to users to manage enterprise applications
- Monitor and audit activity in enterprise applications
- Design and implement integration for on-premises apps by using Microsoft Entra application proxy
- Design and implement integration for SaaS apps
- Assign, classify, and manage users, groups, and app roles for enterprise applications
- Create and manage application collections
Plan and implement application registrations
- Plan for app registrations
- Create app registrations
- Configure app authentication
- Configure API permissions
- Create app roles
Manage and monitor appaccess by using Microsoft Defender for Cloud
Apps
- Configure and analyze cloud discovery results by using Defender for Cloud Apps
- Configure connected apps
- Implement application-enforced restrictions
- Configure Conditional Access app control
- Create access and session policies in Defender for Cloud Apps
- Implement and manage policies for OAUTH apps
- Manage the Cloud app catalog
Plan and implement identity governance (20-25%)
Plan and implement entitlement management in Microsoft Entra
- Plan entitlements
- Create and configure catalogs
- Create and configure access packages
- Manage access requests
- Implement and manage terms of use (ToU)
- Manage the lifecycle of external users
- Configure and manage connected organizations
Plan, implement, and manage access reviews in Microsoft Entra
- Plan for access reviews
- Create and configure access reviews
- Monitor access review activity
- Manually respond to access review activity
Plan and implement privileged access
- Plan and manage Azure roles in Microsoft Entra Privileged Identity Management (PIM), including settings and assignments
- Plan and manage Azure resources in PIM, including settings and assignments
- Plan and configure Privileged Access groups
- Manage the PIM request and approval process
- Analyze PIM audit history and reports
- Create and manage break-glass accounts
Monitor identity activity by using logs, workbooks, and reports
- Design a strategy for monitoring Microsoft Entra
- Review and analyze sign-in, audit, and provisioning logs by using the Microsoft Entra admin center
- Configure diagnostic settings, including configuring destinations such as Log Analytics workspaces, storage accounts, and event hubs
- Monitor Microsoft Entra by using KQL queries in Log Analytics
- Analyze Microsoft Entra by using workbooks and reporting
- Monitor and improve the security posture by using Identity Secure Score
Plan and implement Microsoft Entra Permissions Management
- Onboard Azure subscriptions to Permissions Management
- Evaluate and remediate risks relating to Azure identities, resources, and tasks
- Evaluate and remediate risks relating to Azure highly privileged roles
- Evaluate and remediate risks relating to Permissions Creep Index (PCI) in Azure
- Configure activity alerts and triggers for Azure subscriptions