User

Portal to Use

User1

Azure Active Directory admin center

User2

Microsoft 365 compliance center

User3

Microsoft Endpoint Manager admin center

This question tests your knowledge of Microsoft 365 administrative roles and their associated management portals, as defined in the Microsoft Identity and Access Administrator (SC-300) Exam Study Guide and Microsoft Learn’s “Manage identity and access in Microsoft Entra ID and Microsoft 365” module.

Let’s analyze each user and the roles assigned:

Roles:

User Administrator

Device Administrator

Identity Governance Administrator

These are all Azure AD-based roles.

The User Administrator role allows the management of users, groups, and password resets in Azure AD.

The Device Administrator role applies to Azure AD joined devices.

The Identity Governance Administrator manages Access Reviews, Entitlement Management, and Terms of Use, all of which are under Azure AD Identity Governance.

According to Microsoft documentation:

“User, Device, and Identity Governance Administrators perform their management tasks in the Azure Active Directory admin center.”

Portal: Azure Active Directory admin center

Roles:

Records Management

Quarantine Administrator

These are Microsoft Purview compliance roles, used for managing retention policies, data lifecycle management, and quarantine of messages/files.

Both are managed through the Microsoft 365 compliance center (previously known as the Security & Compliance Center). Microsoft documentation:

“Records Management and Quarantine Administrator roles allow access to compliance features such as data retention, auditing, and message quarantine, all of which are configured from the Microsoft 365 compliance center.”

Portal: Microsoft 365 compliance center

Roles:

Endpoint Security Manager

Intune Role Administrator

These roles are directly tied to Microsoft Endpoint Manager (Intune).

The Endpoint Security Manager configures device compliance, security baselines, and endpoint protection.

The Intune Role Administrator manages Intune roles and permissions.

Microsoft documentation:

“Administrators managing Intune roles and endpoint security policies use the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com).”

Portal: Microsoft Endpoint Manager admin center

<  [answer choice] can access App1 from the homepage URL: → Only users listed on the Users and groups blade

 App1 will appear in the Microsoft Office 365 app launcher for [answer choice]: → Only users listed on the Users and groups blade

According to Microsoft’s official documentation and the SC-300: Microsoft Identity and Access Administrator study guide, when you register and configure an enterprise application in Azure Active Directory, two specific settings directly influence user visibility and access:

User assignment required?

If this option is set to Yes, Azure AD requires users to be explicitly assigned to the app before they can sign in.

Only users or groups listed on the Users and groups blade (app assignments) will have access.

This means that even if the application is visible in Azure AD, users not assigned to it cannot authenticate or launch it.

Visible to users?

If set to Yes, the app appears in the Microsoft 365 app launcher (also known as the My Apps portal).

However, when “User assignment required” is Yes, the visibility is limited only to those who are assigned to the app.

From the exhibit:

“User assignment required?” = Yes

“Visible to users?” = Yes

This configuration implies:

Only assigned users (those listed on the Users and groups blade) can sign in to App1 via the homepage URL.

App1 will appear in the Microsoft 365 app launcher (My Apps portal) only for those same assigned users.

As per Microsoft Learn documentation (“Manage enterprise apps in Azure AD”):

“When User assignment required is set to Yes, only users assigned to the application can access it. If Visible to users is also Yes, the application will appear in My Apps for those assigned users.”

As per the Microsoft SC-300: Identity and Access Administrator official study materials and Microsoft Learn documentation on “Manage administrative units in Azure Active Directory”, Administrative Units (AUs) are designed to delegate administrative permissions within large organizations based on divisions such as geography or department. They provide scoped administrative control—allowing helpdesk or user administrators to manage users only within a specific subset of the directory, such as a branch office or department.

In this scenario, Contoso’s technical requirement states:

“The helpdesk administrators must be able to manage licenses for only the users in their respective office.”

To fulfill this, you must create an administrative unit for each branch office (e.g., Montreal, London, Seattle) and assign helpdesk administrators scoped to those AUs. This ensures that each helpdesk admin can only manage licenses for the users within their respective office, enforcing the principle of least privilege.

The Azure Active Directory admin center is the correct tool for creating and managing administrative units. SC-300 guidance clarifies that administrative units are Azure AD objects, not on-premises Active Directory objects like Organizational Units (OUs). Therefore, they are created and managed exclusively through the Azure portal, Microsoft Graph, or PowerShell for Azure AD, but the most straightforward interface for exam purposes is the Azure AD admin center.

 The users must first: Register for multi-factor authentication (MFA)

 You must configure: A user risk policy

According to Microsoft SC-300 official learning materials and Exam Ref SC-300: Microsoft Identity and Access Administrator, when the requirement is to address the probability that user identities were compromised, the appropriate feature is Azure AD Identity Protection. Identity Protection detects risky sign-ins and risky users through continuous analysis of login behavior, location, device, and credential exposure signals.

Two types of policies can be created:

Sign-in risk policy – Triggers actions based on suspicious sign-in behavior (for example, unfamiliar location).

User risk policy – Triggers actions when the user’s overall identity is deemed at risk (for example, compromised credentials).

The documentation specifies:

“When user risk is detected, the policy can require the user to change their password to remediate the risk. Users must first be registered for MFA to perform secure password change operations.”

Therefore, before the user risk policy can be enforced, users must be enrolled in multi-factor authentication (MFA). MFA is used during the remediation step (password change) to verify the user’s identity securely.

Thus, to meet the requirement for “the probability that user identities were compromised,” you configure a user risk policy in Azure AD Identity Protection, and ensure that users first register for MFA so that they can complete password change or verification flows when risks are detected.

Answer is

This question asks you to apply the stated Technical Requirements for Self-Service Password Reset (SSPR) to complete the form. The specific scenario about "User3" is a distraction, as the configuration applies to all users.

The relevant technical requirements are:

"Users must provide one authentication method to reset their password by using SSPR."

This directly dictates the value for the Number of authentication methods required, which is 1.

"Available methods must include: Email, Phone, Security questions, The Microsoft Authenticator app"

This lists all the options that are configured to be available for SSPR, which determines the value for Authentication methods that can be used: Email,Phone,Security questions,The Microsoft Authenticator app.

In Azure AD Privileged Identity Management (PIM), the SC-300 materials explain that role assignment type determines how a user obtains permissions. An eligible assignment means the user requests activation when needed; an active assignment grants continuous permissions. As the guide states, “Eligible assignments require the user to activate the role for just-in-time access, while active assignments grant standing access.” To allow users of the User administrator role to request the role when needed, you must set assignments to Eligible rather than active.

The same objective also calls for ensuring this capability is available “for up to one year.” In PIM role configuration, the duration of an eligibility is controlled by the Expire eligible assignments after policy. The documentation describes that administrators can “configure the maximum duration for eligible assignments by setting ‘Expire eligible assignments after’ to a specific period (for example, months up to one year).” Therefore, you must modify the “Expire eligible assignments after” setting to the required period.

No requirement mentions activation justification or ticket metadata; those are optional controls used to add context to activations. Consequently, the two actions that directly satisfy the stated technical requirement are: set all assignments to Eligible (C) and configure “Expire eligible assignments after” (D).

In the SC-300 coverage of Azure AD Connect and Identity Governance, Microsoft explains that to surface a custom on-premises attribute in Azure AD you must enable Directory extensions in Azure AD Connect. The guide states that “Directory extensions lets you synchronize additional attributes from on-premises Active Directory to Azure AD so they are available in the cloud directory for apps and policy.” This is the supported way to bring a custom attribute (here, LWLicenses) from the litware.com forest into Azure AD so it can be referenced by cloud features such as dynamic group rules. Domain filtering or optional features do not expose a new attribute to Azure AD; directory extensions does.

For license automation, the SC-300 materials on group-based licensing and dynamic groups emphasize that “licenses can be assigned to Azure AD groups; group members then inherit the licenses, and when membership changes, licenses are added or removed automatically.” They further note that “dynamic user groups evaluate rules against user attributes to add or remove users without manual effort,” and that “nested groups are not supported for license inheritance—only direct members receive licenses.” Using the synced LWLicenses attribute in a Dynamic User group rule (for example, user.extensionAttribute… -eq "E5") ensures users are automatically added to the correct group and therefore receive the specified licenses without administrative intervention, fully meeting Litware’s requirement to “manage the assignment of Azure AD licenses by modifying the value of the LWLicenses attribute.”

According to the Microsoft SC-300: Identity and Access Administrator official study guide and the Microsoft Learn “Implement and manage Azure AD Identity Protection” module, Azure AD Identity Protection detects two primary categories of risks: user risks and sign-in risks.

User Risk Policy:A user risk represents the probability that a user's identity (credentials) has been compromised. Examples of user risk signals include leaked credentials, unusual sign-ins from different geographies, or sign-ins from infected devices. The Exam Ref SC-300 specifically lists “leaked credentials detected on the dark web or other compromised repositories” as the main trigger for a user risk policy. Such a policy can automatically force password change or enforce MFA to remediate the threat.

Sign-in Risk Policy:A sign-in risk reflects the likelihood that a specific authentication attempt is not performed by the legitimate user. Sign-in risk is based on context, such as sign-ins from suspicious browsers, anonymous IP addresses (like TOR networks), or impossible travel scenarios. The SC-300 documentation highlights these examples as conditions best handled with a sign-in risk policy, where conditional access can block or require MFA for the risky sign-in attempt.

Therefore:

Leaked credentials are addressed through a User Risk Policy, since the account itself is compromised.

Sign-ins from suspicious browsers and access from anonymous IP addresses are handled through Sign-in Risk Policies, as they relate to risky sessions rather than compromised identities.

Server1

On DC1

Azure AD Password Protection has two components: the DC agent (installed on domain controllers) and the proxy service (installed on one or more member servers). The SC-300 materials and Microsoft Identity Governance guidance explain that the proxy service is required when domain controllers do not have direct internet access. The proxy retrieves the password protection policy and custom banned password list from Azure AD over outbound HTTPS and makes it available to DC agents. The documentation further states that you should deploy at least one proxy per forest and two for high availability, and that domain controllers do not need internet connectivity when a proxy is deployed. In this scenario, DCs are explicitly blocked from internet access, so the proxy must be placed on member servers. Both SERVER1 (Application Proxy connector) and SERVER2 (Azure AD Connect) are domain-joined member servers with internet connectivity and are appropriate locations for the AzureADPasswordProtectionProxy service; selecting both provides the recommended redundancy. The custom banned password list is configured in Azure AD at the tenant level (as part of Azure AD Password Protection settings), not on individual servers. Once configured, the policy and list are downloaded by the proxy and enforced by the DC agent during password set or change operations, satisfying the requirement to implement a banned password list for the litware.com forest.

SC-300 materials stress that to enforce modern controls (like MFA) on on-premises apps, you must front them with Azure AD so Conditional Access can evaluate sign-ins. The documentation states that Azure AD Application Proxy “provides secure remote access to on-premises applications” and that apps published through it can have “Conditional Access policies, including multifactor authentication” applied at sign-in. In other words, once the legacy app is published by Application Proxy, Azure AD sits in the path, enabling you to meet the requirement to enforce MFA when accessing on-premises applications and to combine it with your location-based exemptions.

For SharePoint Online restrictions, SC-300 points to Microsoft Cloud App Security (Defender for Cloud Apps) for real-time governance: you can create session policies that “control and limit activities in real time” and, for SharePoint Online and other Microsoft 365 apps, “monitor user sessions and block download, cut, copy, and print” when conditions (device state, risk, or location) warrant it. Since the scenario already has anomaly detections enabled, configuring Cloud App Security policies aligns directly with the requirement to place access restrictions on SharePoint Online without altering tenant-wide consent settings. Thus, publish on-prem apps with Application Proxy to bring them under Conditional Access (for MFA), and use Cloud App Security policies to enforce SharePoint Online session and download controls.

According to the Microsoft Identity and Access Administrator (SC-300) Exam Ref and the Azure AD Dynamic Membership Rules documentation, when you create a dynamic group in Azure Active Directory (now Entra ID), you define rules that automatically add or remove users based on their attributes.

The scenario requires a group named LWGroup1 that contains all Azure AD user accounts for Litware but excludes all guest accounts. In Azure AD, internal users created within the tenant are designated with the attribute user.userType = "Member", while external or guest accounts from partner organizations have user.userType = "Guest".

To ensure only internal (Litware) users are included, the membership rule must:

Ensure the user object exists — by checking (user.objectId -ne null) which confirms that the rule only applies to valid user objects.

Include only members, excluding guests — by filtering with (user.userType -eq "Member").

Hence, the dynamic rule that satisfies these conditions is:

(user.objectId -ne null) and (user.userType -eq "Member")

This rule guarantees that LWGroup1 dynamically includes all internal users from litware.com and excludes all external users or guest accounts (such as Fabrikam users).

This logic aligns precisely with the Microsoft Learn module “Manage groups in Azure Active Directory” and SC-300 study guide section “Implement and manage dynamic membership rules”, which states:

“Use user.userType to distinguish between internal members and external guests when configuring membership rules for dynamic groups.”

✅ Correct Answer:

(user.objectId -ne null) and (user.userType -eq "Member")

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and Microsoft Learn modules “Implement and manage Azure AD roles” and “Implement Privileged Identity Management (PIM)”, there is a clear distinction between Azure AD built-in roles and Azure (resource-based) built-in roles.

Azure AD built-in roles govern directory-level access — such as managing users, groups, enterprise apps, or security settings in Azure Active Directory (Entra ID).The Privileged Role Administrator role allows the user to manage role assignments for directory roles in Azure AD, including activating roles through PIM.The Global Administrator also has this capability, but the Privileged Role Administrator is the least privilege role that meets the delegation requirement — aligning with the principle of least privilege stated in the scenario.As the documentation notes:

“Privileged Role Administrator manages role assignments in Azure AD, including the ability to activate and assign roles through Azure AD Privileged Identity Management.”

Azure built-in roles, on the other hand, are used to control access at the Azure resource level — for subscriptions, resource groups, and individual resources.The role responsible for managing these assignments is the User Access Administrator.This role can grant or revoke access to Azure resources by managing role assignments within Azure RBAC (Role-Based Access Control).The Microsoft documentation states:

“User Access Administrator allows management of user access to Azure resources. It can assign roles in Azure RBAC for resources, subscriptions, and management groups.”

Therefore:

✅ To manage Azure AD built-in role assignments → Privileged role administrator

✅ To manage Azure built-in role assignments → User access administrator

This approach satisfies the delegation requirement mentioned in the scenario by assigning the least-privileged roles necessary for each type of role management task.

Box 1: Yes

Invitations can only be sent to outlook.com. Therefore, User1 can accept the invitation and access the application.

Box 2. Yes

Invitations can only be sent to outlook.com. However, User2 has already received and accepted an invitation so User2 can access the application.

Box 3. No

Invitations can only be sent to outlook.com. Therefore, User3 will not receive an invitation.

Based on the Microsoft SC-300: Identity and Access Administrator Study Guide and Microsoft Learn module “Manage external collaboration settings in Azure AD”, Azure Active Directory provides granular control over external collaboration through External collaboration settings and Collaboration restrictions. These settings control which external domains can receive guest invitations.

The configuration in the exhibit shows:

“Allow invitations only to the specified domains (most restrictive)”

Target Domain: Outlook.com

This means invitations can only be sent to users whose email domains are explicitly listed (in this case, Outlook.com). Any other external domain (like fabrikam.com or adatum.com) is not permitted to receive or accept invitations.

User1@outlook.com

Domain Outlook.com is listed under allowed domains.

Although the invitation was initially not accepted, since the domain is allowed, User1 can accept the invitation and gain access.✅ Answer: Yes

User2@fabrikam.com

The domain fabrikam.com is not listed in the allowed domains list.

However, this user already accepted the invitation before the restriction was configured.

Once a guest has accepted the invitation, they are an existing guest object in Azure AD and retain access unless explicitly removed.✅ Answer: Yes

User3@adatum.com

Domain adatum.com is not listed under allowed domains.

Therefore, this user cannot receive or accept new invitations for collaboration resources like SharePoint Online.❌ Answer: No

Summary from Microsoft documentation:

“When collaboration restrictions are set to allow invitations only to specified domains, invitations to all other domains are blocked. Existing guest users who have already accepted invitations remain unaffected.”

(Source: Microsoft Learn – Configure external collaboration settings in Azure AD)

According to the Microsoft SC-300 Study Guide and Microsoft Learn documentation (“Secure access to Azure Storage with managed identities” and “Implement managed identities for Azure resources”), the recommended best practice for granting Azure services access to other Azure resources is to use Managed Identities in combination with Azure Role-Based Access Control (RBAC).

A Managed Identity is a service principal automatically managed by Azure AD that allows applications to authenticate securely without storing credentials in code or configuration. There are two types:

System-assigned managed identity: Tied directly to an Azure resource (e.g., an App Service). Its lifecycle is automatically managed — when the resource is deleted, the identity is removed.

User-assigned managed identity: A standalone identity that can be assigned to one or more resources and must be managed manually.

Since the question specifies multiple App Service apps requiring access to multiple storage accounts, the system-assigned managed identity is optimal when minimizing administrative effort because each app automatically gets its own identity with no manual credential handling or lifecycle management.

For authorization, Azure Role-Based Access Control (RBAC) is used to grant least-privilege permissions (e.g., “Storage Blob Data Contributor” or “Storage Blob Data Reader”) to the managed identity at the appropriate scope (resource group or storage account level).

The Microsoft SC-300 exam content explicitly states:

“To enable applications to access Azure resources securely without credential management, configure system-assigned or user-assigned managed identities and use RBAC to grant appropriate access permissions.”

Thus, to meet the requirement for minimal administrative effort and secure access, the correct pairing is:

✅ Identity Type: System-assigned managed identity

✅ Access Control: Role-based access control (RBAC)

 Identify all the accounts that are assigned the Global Administrator role permanently: Microsoft Entra Insights

 Review the PCI of User1: Analytics

In Microsoft Entra Permissions Management, the Microsoft Entra Insights tab provides role-focused visibility into directory privileges. The SC-300 materials describe it as the place to surface “standing privileges for Microsoft Entra roles” and to identify accounts with high-risk assignments such as Global Administrator. The insights view surfaces who has those roles and whether they’re permanent (standing) versus eligible or time-bound, enabling you to quickly “identify high-impact directory roles and users with persistent assignments.”

The Analytics tab is centered on identities, resources, and actions, featuring risk and usage metrics, including the Permission Creep Index (PCI). The study content explains that Analytics lets you “drill into an identity’s effective permissions and risk score (PCI) to compare granted vs. used permissions.” For a specific user (e.g., User1), you navigate to Analytics → Identities, search/select the user, and view the PCI card and detailed breakdown of unused vs. used permissions.

Accordingly: to find permanent Global Administrator assignments, use Microsoft Entra Insights; to review User1’s PCI, use Analytics.

According to the official Microsoft Identity and Access Administrator (SC-300) Study Guide and Microsoft Learn documentation (“Manage External Identities in Microsoft Entra ID”), External Identities in Microsoft Entra ID allow organizations to collaborate securely with users outside the organization using features like B2B collaboration and B2C self-service sign-up.

Let’s analyze the two required configurations:

B2B Collaboration:The External collaboration settings page is where administrators configure how external users (guests) interact with internal resources. This includes settings for guest user invitations, collaboration restrictions, redemption policies, and access permissions for B2B users. Microsoft documentation clearly states:

“Use External collaboration settings to manage the behavior and restrictions of B2B collaboration users in your directory.”

Therefore, to enable or adjust B2B collaboration, you must configure External collaboration settings.

Monthly Active Users (MAU)-based pricing:Microsoft Entra External Identities pricing is based on Monthly Active Users (MAU), which must be linked to an Azure subscription for billing purposes. This configuration is found under Linked subscriptions. Microsoft’s documentation explains:

“To enable MAU-based billing for your External Identities, you must link your Microsoft Entra tenant to an Azure subscription under the ‘Linked subscriptions’ option.”

Linking the subscription allows Microsoft to bill based on the number of active external users each month, aligning with the MAU pricing model.

Therefore:

B2B collaboration → External collaboration settings

MAU-based pricing → Linked subscriptions

Can assign users to App1: Admin1 and Admin3 only

Can register App2 in Azure AD: Admin1, Admin2, and Admin3 only

According to the Microsoft Identity and Access Administrator (SC-300) Study Guide and Microsoft Learn module “Manage enterprise applications and app registrations”, role-based access control (RBAC) in Azure Active Directory defines what administrative actions each role can perform for applications.

1️⃣ Assigning users to an enterprise application (App1):

The ability to assign users to enterprise apps (service principals) in Azure AD is granted to two specific roles:

Application Administrator

Cloud Application Administrator

These roles allow administrators to add and remove users or groups from the Users and Groups section of an enterprise app, manage application properties, and control assignments.

The Application Developer role is designed only to create and manage own app registrations, not to assign users to enterprise apps.

The User role has no administrative privileges related to app assignments.

➡ Therefore, only Admin1 (Application Administrator) and Admin3 (Cloud Application Administrator) can assign users to App1.

2️⃣ Registering applications in Azure AD (App2):

By default, the App registrations setting in Azure AD allows all users to register applications. However, if the question specifies that the default settings apply (which means users can register applications), then both admins and developers can register apps.

Microsoft documentation clarifies:

“By default, all users can register app registrations in Azure AD. Roles such as Application Developer, Application Administrator, and Cloud Application Administrator also have this capability regardless of tenant-wide settings.”

Therefore, the following users can register new apps:

Admin1 (Application Administrator)

Admin2 (Application Developer)

Admin3 (Cloud Application Administrator)

➡ Correct answer for registration: Admin1, Admin2, and Admin3 only

✅ Final Correct Answers:

Can assign users to App1: Admin1 and Admin3 only

Can register App2 in Azure AD: Admin1, Admin2, and Admin3 only

In the SC-300 curriculum, monitoring consented third-party apps is covered under Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security). The exam materials describe creating policies that watch OAuth-based applications users authorize against Azure AD and flag excessive permissions. The relevant guidance explains that you can configure a policy to alert when “an OAuth application is granted high-impact permissions,” for example when a newly registered or consented app gains read and write access to mail (the Mail.ReadWrite permission). By contrast, Azure AD Identity Protection is focused on User risk and Sign-in risk policies for account compromise, not app consent. Identity Governance addresses access packages and reviews, not OAuth permissions. Microsoft Endpoint Manager “app protection” policies are for MAM/MDM on client apps and do not monitor OAuth consent to Microsoft 365 data. The study path emphasizes using Defender for Cloud Apps to “detect and govern OAuth apps and their permissions,” and to trigger alerts when scopes indicating data-write capability are granted. Therefore, to be notified if a user-registered app obtains read/write access to users’ email, you configure an OAuth app policy in Microsoft Cloud App Security that matches the permission scope and raises an alert when detected.

Based on the official Microsoft SC-300 study guide and Microsoft Entra ID (Azure AD) licensing documentation, the licensing requirement for Access Reviews depends on who is being reviewed and how the review is configured.

Access reviews are an Azure AD Premium P2 feature (included in Microsoft 365 E5), and the licensing model specifies that:

“Each user who is part of an access review (either being reviewed or reviewing) must have an Azure AD Premium P2 license, except in cases where guest users are reviewed by internal reviewers — in that case, only the reviewers require a license.”

Let’s analyze each configuration:

Members: 500 internal + 25 guest users = 525 total members.

Review Type: Teams + Groups

Review Scope: All users

Reviewers: Users review own access

Since all users (internal and guest) review their own access, every member is considered an active participant in the review. Therefore, each of the 525 members (500 internal + 25 guests) must have an Azure AD Premium P2 license.

✅ Group1 = 525 licenses required

Members: 295 internal + 100 guest users = 395 total members.

Review Type: Teams + Groups

Review Scope: Guest users only

Reviewers: Group owner

Here, only guest users are being reviewed, and the reviewer is the group owner (User2). Since the guest users don’t require licenses when being reviewed by an internal reviewer, only the group owner (User2) needs a P2 license.

✅ Group2 = 1 license required

???? According to Microsoft Licensing Guidance (SC-300 Official Content):

“If guest users review their own access, each guest requires a P2 license. If the review is conducted by an internal user (owner or admin), only that reviewer requires the license.”

In Azure AD B2B bulk invitations, the portal and CSV workflow require two core fields: the external user’s email address and the Invite Redirect URL that determines where the guest is sent to redeem the invitation. The study guide notes that the bulk invite template “must include the guest’s email address” and that “InviteRedirectUrl is required to define the post-invite redemption target (such as MyApps or a specific app).” Usernames and passwords are not supplied for B2B guests because “guest accounts authenticate with their home identity provider,” and there is no shared key involved in the invitation. Therefore, the only mandatory parameters to successfully process a bulk B2B invite are the email address of each guest and the redirection URL used during invitation redemption.

To implement additional security checks for the Sg-Executive group members before they canaccess any company apps, you can use Conditional Access policies in Microsoft Entra. Here’s a step-by-step guide:

Sign in to the Microsoft Entra admin center:

Ensure you have the role of Global Administrator or Security Administrator.

Navigate to Conditional Access:

Go to Security > Conditional Access.

Create a new policy:

Select + New policy.

Name the policy appropriately, such as “Sg-Executive Security Checks”.

Assign the policy to the Sg-Executive group:

Under Assignments, select Users and groups.

Choose Select users and groups and then Groups.

Search for and select the Sg-Executive group.

Define the application control conditions:

Under Cloud apps or actions, select All cloud apps to apply the policy to any company app.

Set the device compliance requirement:

Under Conditions > Device state, configure the policy to include devices marked as compliant by Microsoft Intune.

Set the app protection policy requirement:

Under Conditions > Client apps, configure the policy to include client apps that are protected by app protection policies.

Configure the access controls:

Under Access controls > Grant, select Grant access.

Choose Require device to be marked as compliant and Require approved client app.

Ensure that the option Require one of the selected controls is enabled.

Enable the policy:

Set Enable policy to On.

Review and save the policy:

Review all settings to ensure they meet the requirements.

Click Create to save and implement the policy.

By following these steps, you will ensure that the Sg-Executive group members can only access company apps if they meet one of the specified conditions, either by using a compliant device or a protected client app. This enhances the security posture of your organization by enforcing stricter access controls for executive-level users.

To assign a Windows 10/11 Enterprise E3 license to the Sg-Retail group, you can follow these steps:

Sign in to the Microsoft Entra admin center:

Make sure you have the role of Global Administrator or License Administrator.

Navigate to the licensing page:

Go toBilling>Licenses1.

Find the Windows 10/11 Enterprise E3 license:

Look for the Windows 10/11 Enterprise E3 license in the list of available products.

Assign licenses to the group:

Select the license and then choose Assign licenses.

Search for and select the Sg-Retail group.

Confirm the assignment and make sure that the correct number of licenses is available for the group.

Review and confirm the assignment:

Ensure that the licenses have been properly assigned to the Sg-Retail group without affecting other groups or users.

Monitor the license status:

Check the license usage and status to ensure that the Sg-Retail group members can utilize the Windows 10/11 Enterprise E3 features.

By following these steps, the Sg-Retail group should now have the Windows 10/11 Enterprise E3 licenses assigned to them.

To implement a process for reviewing guest users’ access to the Salesforce app with the specified requirements, you can use Microsoft Entra’s Identity Governance access reviews feature. Here’s a step-by-step guide:

Assign the appropriate role:

Ensure you have one of the following roles: Global Administrator, User Administrator, or Identity Governance Administrator1.

Navigate to Identity Governance:

Sign in to the Microsoft Entra admin center.

Go toIdentity governance>Access reviews1.

Create a new access review:

Select New access review.

Choose the Salesforce app to review guest user access1.

Configure the review settings:

Set the frequency of the review to monthly.

Define thedurationof the review period to5 days1.

Determine the reviewers:

Assign the manager of each guest user as the reviewer.

If a guest user does not have a manager, assignMegan Bowenas the reviewer1.

Automate the removal process:

Configure settings toautomatically remove accessif the review is not completed within the specified time frame1.

Monitor and enforce compliance:

Regularly check the access review results to ensure compliance with the review policy1.

Communicate the process:

Inform all stakeholders about the new review process and provide guidance on how to complete the reviews.

By following these steps, you can ensure that guest users’ access to the Salesforce app is reviewed monthly, with managers being responsible for the review, and access is removed if the review is not completed in time.

To create a group named “Audit” and ensure that its members can activate the Security Reader role, follow these steps:

Open the Microsoft Entra admin center:

Sign in with an account that has the Security Administrator or Global Administrator role.

Navigate to Groups:

Go toTeams & groups>Active teams and groups1.

Create the security group:

Select Add a security group.

On the Set up the basics page, enter “Audit” as the group name.

Add a description if necessary and chooseNext1.

Edit settings:

On theEdit settingspage, select whether you want Microsoft Entra roles to be assignable to this group and selectNext1.

Assign roles:

After creating the group, go to Roles > All roles.

Find and select the Security Reader role.

Under Assignments, choose Assign.

Select the “Audit” group to assign the role to its members2.

Review and finish:

Review the settings to ensure the “Audit” group is created with the ability for its members to activate the Security Reader role.

Finish the setup and save the changes.

By following these steps, you will have created the “Audit” group and enabled its members to activate the Security Reader role, which allows them to view security-related information without having permissions to change it. Remember to communicate the new group and role assignment to the relevant stakeholders in your organization.

To ensure that users in the Sg-Operations group see a tab named “Operations” containing only LinkedIn and Box applications in the My Apps portal, you can create a collection with these specific applications. Here’s how to do it:

Sign in to the Microsoft Entra admin center:

Make sure you have one of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

Navigate to App launchers:

Go to Identity > Applications > Enterprise applications.

Under Manage, select App launchers.

Create a new collection:

Click on New collection.

Enter “Operations” as the Name for the collection.

Provide a Description if necessary.

Add applications to the collection:

Select the Applications tab within the new collection.

Click on + Add application.

Search for and select LinkedIn and Box applications.

Click Add to include them in the collection.

Assign the collection to the Sg-Operations group:

Select the Users and groups tab.

Click on + Add users and groups.

Search for and select the Sg-Operations group.

Click Select to assign the collection to the group.

Review and create the collection:

Select Review + Create to check the configuration.

If everything is correct, click Create to finalize the collection.

By following these steps, when users in the Sg-Operations group visit the My Apps portal, they will see a new tab named “Operations” that contains only the LinkedIn and Box applications1.

Please note that to create collections on the My Apps portal, you need a Microsoft Entra ID P1 or P2 license1.

To deploy Multi-Factor Authentication (MFA) for only the members of the Sg-Finance group, excluding Debra Berger, and without using a Conditional Access policy, you can follow these steps:

Open the Microsoft Entra admin center:

Sign in as a Security Administrator or Global Administrator.

Navigate to MFA settings:

Go to Users > Active users.

On the Active users page, select Multi-factor authentication.

Manage user settings:

Find and select the Sg-Finance group.

Enable MFA for this group by setting the requirement status to Enabled.

Exclude a user from MFA:

In the Multi-factor authentication page, search for Debra Berger.

Set her MFA status to Disabled to exclude her from MFA registration.

Verify the configuration:

Ensure that all members of the Sg-Finance group have MFA enabled except for Debra Berger.

Communicate the change:

Inform the Sg-Finance group members about the MFA requirement and provide instructions on how to register for MFA.

Monitor the setup:

Check the sign-in logs to confirm that MFA is being prompted for the Sg-Finance group members and not for Debra Berger.

To add the LinkedIn application as a resource to the Sales and Marketing access package without removing any other resources, you can follow these steps:

Sign in to the Microsoft Entra admin center:

Ensure you have the role of Global Administrator or Identity Governance Administrator.

Navigate to Entitlement Management:

Go to Identity governance > Entitlement management > Access packages1.

Select the Sales and Marketing access package:

Find and select the Sales and Marketing access package to modify it.

Add a new resource:

Within the access package details, select Resources.

Click on + Add resource.

Search for and select the LinkedIn application from the list of available resources.

Configure the resource role:

Assign the appropriate role for the LinkedIn application that users in the Sales and Marketing access package will have.

Review and update the access package:

Ensure that the LinkedIn application has been added as a resource.

Confirm that no other resources have been removed from the access package.

Save the changes:

After reviewing, save the changes to the access package.

Communicate the update:

Notify the relevant users about the addition of the LinkedIn application to their access package.

By following these steps, you will successfully add the LinkedIn application to the Sales and Marketing access package without affecting the other resources.

To ensure that all users can consent to apps that require permission to read their user profile and prevent them from consenting to apps that require any other permissions, you can configure the user consent settings in the Microsoft Entra admin center. Here’s how you can do it:

Sign in as a Global Administrator:

Access the Microsoft Entra admin center with Global Administrator privileges.

Navigate to user consent settings:

Go toIdentity>Applications>Enterprise applications>Consent and permissions>User consent settings1.

Configure the consent settings:

Under User consent for applications, select the option that allows users to consent to apps that only require permission to read their user profile.

Ensure that all other permissions are set to require administrator consent, thus preventing users from consenting to apps that require additional permissions1.

Save the settings:

After configuring the consent settings, select Save to apply the changes.

By following these steps, you will have configured the system to allow user consent for apps that need to read the user profile while blocking consent for apps that require additional permissions. This setup helps maintain user autonomy where appropriate while safeguarding against unauthorized access to broader permissions.

To prevent all users from using legacy authentication protocols when authenticating to Microsoft Entra ID, you can create a Conditional Access policy that blocks legacy authentication. Here’s how to do it:

Sign in to the Microsoft Entra admin center:

Ensure you have the role of Global Administrator or Conditional Access Administrator.

Navigate to Conditional Access:

Go to Security > Conditional Access.

Create a new policy:

Select + New policy.

Give your policy a name that reflects its purpose, like “Block Legacy Auth”.

Set users and groups:

Under Assignments, select Users or workload identities.

Under Include, select All users.

Under Exclude, select Users and groups and choose any accounts that must maintain the ability to use legacy authentication.It’s recommended to exclude at least one account to prevent lockout1.

Target resources:

Under Cloud apps or actions, select All cloud apps.

Set conditions:

Under Conditions > Client apps, set Configure to Yes.

Check only the boxes for Exchange ActiveSync clients and Other clients.

Configure access controls:

Under Access controls > Grant, select Block access.

Enable policy:

Confirm your settings and set Enable policy to Report-only initially to understand the impact.

After confirming the settings using report-only mode, you can move theEnable policytoggle fromReport-onlytoOn2.

By following these steps, you will block legacy authentication protocols for all users, enhancing the security posture of your organization by requiring modern authentication methods. Remember to monitor the impact of this policy and adjust as necessary to ensure business continuity.

To configure the account lockout settings so that accounts are locked out for five minutes after 10 failed sign-in attempts, you can follow these steps:

Open the Microsoft Entra admin center:

Sign in with an account that has the Security Administrator or Global Administrator role.

Navigate to the lockout settings:

Go to Security > Authentication methods > Password protection.

Adjust the Smart Lockout settings:

Set the Lockout threshold to 10 failed sign-in attempts.

Set the Lockout duration (in minutes) to 5.

Please note that by default, smart lockout locks an account from sign-in after 10 failed attempts in Azure Public and Microsoft Azure operated by 21Vianet tenants1. The lockout period is one minute at first, and longer in subsequent attempts.However, you can customize these settings tomeet your organization’s requirements if you have Microsoft Entra ID P1 or higher licenses for your users1.