SC-300 is about to receive a minor update that removed the section on Entra Permissions Management, and reduced the weighting of one of the sections.

Old weighting

• Implement and manage user identities (20–25%)
• Implement authentication and access management (25–30%)
• Plan and implement workload identities (20–25%)
• Plan and automate identity governance (25–30%)

New weigthing

• Implement and manage user identities (20–25%)
• Implement authentication and access management (25–30%)
• Plan and implement workload identities (20–25%)
• Plan and implement identity governance (20–25%) (decreased)

If you have already passed other Microsoft exams where Entra is a large part of the score, such as AZ-500, MS-102 or the recently retired MS-500, MS-100 and MS-101, you probably already know quite a few of the topics the exam covers, so it shouldn’t be too hard an exam to prepare for, but there are two main things to think about as you commence.

The first thing to watch out for when you are preparing for this exam include not accidentally going in without knowledge of changes that have occurred with Entra features over time. Not just new features, but enhancements to what may have been included for a while now. Where this is most likely to happen is when you haven’t worked too closely with the technology, especially premium functionality has expanded dramatically.

The example that I always like to use is Access Reviews, which were originally focused on Privileged Identity Management for Microsoft Entra ID roles, but have expanded across Azure roles, groups and applications, for example. It’s easy to miss this kind of change when you aren’t always being exposed to new functionality as it is being introduced.

The second thing to consider with your preparation is whether your Entra exposure is mostly from within Microsoft 365 workloads, or with Azure workloads. This is going to change what you need to focus on for the exam, examples include app registrations being something that Microsoft 365 focused exam takers should take a look at, and Microsoft 365 groups being something that Azure admins may not have much exposure to. There are more than these two things, just make sure you are targeting features that you haven’t been exposed to, or that you have very limited exposure to.

Implement identities in Microsoft Entra ID (20—25%)

Configure and manage a Microsoft Entra tenant

• Configure and manage built-in and custom Microsoft Entra roles
  • Assign roles to users
  • View and assign roles
• Recommend when to use administrative units
  • Administrative units
• Configure and manage administrative units
  • Create or delete administrative units
• Evaluate effective permissions for Microsoft Entra roles
  • About admin roles
• Configure and manage domains in Microsoft Entra ID and Microsoft 365
  • Add domain
  • Domains FAQ
  • Can I add custom subdomains or multiple domains to Microsoft 365?
  • How do I change the default domain in Microsoft 365?
• Configure Company branding settings
  • Add company branding
• Configure tenant properties, user settings, group settings, and device settings
  • Configure your tenant for Microsoft Entra Verified ID
  • What is device management in Microsoft Entra ID?
  • What are Microsoft Entra ID registered devices?
  • Plan your Microsoft Entra ID device deployment
  • Microsoft Entra ID joined devices
  • Hybrid Microsoft Entra ID joined devices

Create, configure, and manage Microsoft Entra identities

• Create, configure, and manage users
  • Add or delete a new user
  • How to create, invite, and delete users
• Create, configure, and manage groups
  • Overview of Microsoft 365 Groups for administrators
  • Create a group and add members
  • Manage groups
• Manage custom security attributes
  • Manage access to custom security attributes in Microsoft Entra ID
• Automate bulk operations by using the Microsoft Entra admin center and PowerShell
  • Get started with the Microsoft Graph PowerShell SDK
  • Create users in bulk
• Manage device join and device registration in Microsoft Entra ID
  • What is a Microsoft Entra joined device?
  • What are Microsoft Entra registered devices?
  • What is a Microsoft Entra hybrid joined device?
  • Plan your Microsoft Entra device deployment
• Assign, modify, and report on licenses
  • Subscriptions, licenses, and tenants
  • Manage user accounts and licenses

Implement and manage identities for external users and tenants

• Manage External collaboration settings in Microsoft Entra ID
  • Configure external collaboration settings
• Invite external users, individually or in bulk
  • Add guest users in the portal
  • Add guest users with PowerShell
• Manage external user accounts in Microsoft Entra ID
  • Permissions and sharing
• Implement Cross-tenant access settings
  • What is cross-tenant synchronization?
  • Cross-tenant access overview
• Implement and manage cross-tenant synchronization
  • What is a cross-tenant synchronization in Microsoft Entra ID?
  • Configure cross-tenant synchronization
• Configure external identity providers, including protocols such as SAML and WS-Fed
  • SAML authentication
  • Set up WS-Federation with Microsoft Entra ID

Implement and manage hybrid identity

• Implement and manage Microsoft Entra Connect Sync
  • Hybrid Identity Design Considerations Overview
  • Set up directory synchronization for Microsoft 365
  • Errors during synchronization
• Implement and manage Microsoft Entra Cloud Sync
  • What is Microsoft Entra ID Connect cloud sync?
  • Cloud sync configuration
• Implement and manage password hash synchronization
  • What is password hash synchronization?
• Implement and manage pass-through authentication
  • What is pass-through authentication?
• Implement and manage seamless single sign-on (SSO)
  • What is Single Sign-On?
• Migrate from AD FS to other authentication and authorization mechanisms
  • Migrate applications from AD FS to Microsoft Entra ID
  • Managing federation with Microsoft Entra ID Connect
• Implement and manage Microsoft Entra Connect Health
  • Microsoft Entra ID Connect Health Operations

Implement authentication and access management (25-30%)

Plan, implement, and manage Microsoft Entra user authentication

• Plan for authentication
  • Microsoft Entra deployment plans
  • Determine identity requirements
  • Determine multi-factor auth requirements
• Implement and manage authentication methods, including certificate-based, temporary access pass, OAUTH tokens, Microsoft Authenticator, and passkey (FIDO2).
  • Authentication methods
• Implement and manage tenant-wide Multi-factor Authentication (MFA) settings
  • How it works: Azure Multi-Factor Authentication
• Configure and deploy self-service password reset (SSPR)
  • Self-service password reset deep dive
  • How it works: Microsoft Entra ID self-service password reset
• Implement and manage Windows Hello for Business
  • Windows Hello for Business Deployment Overview
• Disable accounts and revoke user sessions
  • Revoke a user’s access
• Implement and manage Microsoft Entra password protection
  • Password protection in Microsoft Entra ID
  • Prevent attacks using smart lockout
• Enable Microsoft Entra Kerberos authentication for hybrid identities
  • Windows authentication – Kerberos constrained delegation with Microsoft Entra ID
  • Overview of Microsoft Entra ID certificate-based authentication

Plan, implement, and administer conditional access

• Plan Conditional Access policies
  • Common ways to use conditional access
  • Providing a default level of security in Microsoft Entra ID
• Implement Conditional Access policy assignments
  • Create and assign conditional access policy
• Implement Conditional Access policy controls
  • Create and assign conditional access policy
• Test and troubleshooting Conditional Access policies
  • Monitor conditional access
• implement session management
  • Protect apps with Session Control in Microsoft Defender for Cloud Apps
• Implement device-enforced restrictions
  • Create a device compliance policy
• Implement continuous access evaluation
  • Continuous access evaluation
• Configure authentication context
  • Configure authentication contexts
• Implement protected actions
  • Protected actions
• Create a Conditional Access Policy from a template
  • Conditional Access templates

Manage Microsoft Entra ID Identity Protection

• Implement and manage user risk by using Identity Protection or Conditional Access policies
  • Configure the user risk policy
• Implement and manage sign-in risk by using Identity Protection or Conditional Access policies
  • Configure the sign-in risk policy
• Implement and manage Multifactor authentication registration policies
  • MFA and PIM
• Monitor, investigate and remediate risky users and risky sign-ins
  • Simulate risk events
• Monitor, investigate and remediate risky workload identities
  • Securing workload identities

Implement access management for Azure resources

• Create custom Azure roles, including both control plane and data plane permissions
  • Create Custom Azure Roles
• Assign built-in and custom Azure roles
  • Elevate access to manage all Azure subscriptions and management groups  
  • Add or change Azure subscription administrators  
  • What is Azure role-based access control (Azure RBAC)?
• Evaluate effective permissions for a set of Azure roles
  • List Azure role assignments using the Azure portal 
• Assign Azure roles to enable Microsoft Entra ID login to Azure virtual machines
  • Log in to a Linux virtual machine in Azure by using Microsoft Entra ID and OpenSSH
  • Log in to a Windows virtual machine in Azure by using Microsoft Entra ID
• Configure Azure Key Vault RBAC and policies
  • Secure access to a key vault
  • Provide Key Vault authentication with a managed identity
  • Azure Policy built-in policy definitions for Key Vault
  • Best practices for Azure RBAC

Implement Global Secure Access

• Deploy Global Secure Access clients
  • Global Secure Access client for Windows
  • Global Secure Access client for Android
• Deploy Private Access
  • Understand Private Access
• Deploy Internet Access
  • Understand Internet Access
• Deploy Internet Access for Microsoft 365
  • Deploying Microsoft Entra Internet Access for Microsoft 365

Plan and implement workload identities (20–25%)

Plan and implement identities for applications and Azure workloads

• Select appropriate identities for applications and Azure workloads, including managed identities, service principals, user accounts, and managed service accounts
  • About managed identities for Azure resources
• Create managed identities
  • Secure managed identities
• Assign a managed identity to an Azure resource
  • Configure managed identities for Azure resources on a VM using the Azure portal
• Use a managed identity assigned to an Azure resource to access other Azure resources
  • Managed identity best practice recommendations

Plan, implement, and monitor the integration of enterprise applications

• Configure and manage user and admin consent
  • Managing consent to applications and evaluating consent requests
• Discover apps by using AD FS application activity reports
  • Use the AD FS application activity report
• Plan and implement settings for enterprise applications, including application-level and tenant-level settings
  • App access options
• Assign appropriate Microsoft Entra roles to users to manage enterprise applications
  • App permissions for custom roles in Microsoft Entra ID
• Monitor and audit activity in enterprise applications
  • Sign-in logs
• Design and implement integration for on-premises apps by using Microsoft Entra application proxy
  • Application Proxy
• Design and implement integration for SaaS apps
  • Add an app
  • SaaS application tutorials
• Assign, classify, and manage users, groups, and app roles for enterprise applications
  • Add an app
• Create and manage application collections
  • Create collections

Plan and implement app registrations

• Plan for app registrations
  • Register app or web API
• Create app registrations
  • App scenarios and authentication flows
• Configure app authentication
  • Authentication vs. authorization
• Configure API permissions
  • Review permissions granted to apps
  • Register app or web API
  • Single tenant and multi-tenant apps
• Create app roles
  • Role-based access control for application developers

Manage and monitor app access by using Microsoft Defender for Cloud
Apps

• Configure and analyze cloud discovery results by using Defender for Cloud Apps
  • Discover and manage shadow IT in your network
  • Working with discovered apps – Microsoft Defender for Cloud Apps
  • Protect and govern your apps
• Configure connected apps
  • Azure Information Protection integration
  • SIEM integration
  • External DLP integration
  • Integrate with PowerAutomate
  • API tokens
• Implement application-enforced restrictions
  • Discovered apps with Cloud App Security
• Configure Conditional Access app control
  • Cloud apps or actions in Conditional Access policy
• Create access and session policies in Defender for Cloud Apps
  • Policy template reference
  • Control cloud apps with policies
• Implement and manage policies for OAUTH apps
  • Manage OAuth apps
• Manage the Cloud app catalog
  • Working with the app page
  • Deploy for catalog apps with Microsoft Entra

Plan and implement identity governance (20-25%)

Plan and implement entitlement management in Microsoft Entra

• Plan entitlements
  • Common scenarios in Microsoft Entra ID entitlement management
  • What is entitlement management?
• Create and configure catalogs
  • Create & manage a catalog of resources in entitlement management – Microsoft Entra ID
• Create and configure access packages
  • Create a new access package
• Manage access requests
  • Approve or deny access requests in Microsoft Entra ID entitlement management
• Implement and manage terms of use (ToU)
  • Require terms of use
• Manage the lifecycle of external users
  • Review and remove users from external organizations
• Configure and manage connected organizations
  • Add a connected organization

Plan, implement, and manage access reviews in Microsoft Entra

• Plan for access reviews
  • Plan Access review deployment
  • License requirements
• Create and configure access reviews
  • Create an access review
  • Prepare for an app access review
• Monitor access review activity
  • Review access
• Manually respond to access review activity
  • Access reviews
  • Automate actions based on Access Reviews

Plan and implement privileged access

• Plan and manage Azure roles in Microsoft Entra Privileged Identity Management (PIM), including settings and assignments
  • Deploy PIM
  • Assign Microsoft Entra ID roles in Privileged Identity Management
  • Assign Azure resource roles in Privileged Identity Management
  • Management capabilities for Microsoft Entra ID roles in Privileged Identity Management
• Plan and manage Azure resources in PIM, including settings and assignments
  • Discover Azure resources
• Plan and configure Privileged Access groups
  • Management capabilities for Privileged Access groups
• Manage the PIM request and approval process
  • Approve or deny requests for Microsoft Entra ID roles in Privileged Identity Management
  • Approve or deny requests for Azure resource roles in Privileged Identity Management
• Analyze PIM audit history and reports
  • View audit history for Microsoft Entra ID roles in Privileged Identity Management
  • View activity and audit history for Azure resource roles in Privileged Identity Management
• Create and manage break-glass accounts
  • Create emergency accounts

Monitor identity activity by using logs, workbooks, and reports

• Review and analyze sign-in, audit, and provisioning logs by using the Microsoft Entra admin center
  • Sign-in logs
  • Audit logs
  • MFA Reports
  • Authentication methods activity
• Configure diagnostic settings, including configuring destinations such as Log Analytics workspaces, storage accounts, and event hubs
  • Log analytics wizard
  • Stream logs to event hub
• Monitor Microsoft Entra by using KQL queries in Log Analytics
  • Install and use the log analytics views for Microsoft Entra ID
  • Connect Microsoft Entra data to Microsoft Sentinel
  • Alert on an activity log event
• Analyze Microsoft Entra by using workbooks and reporting
  • how to use Microsoft Entra ID workbooks
• Monitor and improve the security posture by using Identity Secure Score
  • Identity secure score