To allow User1 to purchase a Microsoft Entra Permissions Management license, you need to grant them the permission to perform billing or purchase operations. Microsoft documentation for Microsoft Entra Permissions Management states that to activate a trial or purchase a license, you must have Billing Administrator permissions.

Specifically, under the “Enabling Permissions Management” section, Microsoft says:

“Sign in as a Global Administrator … In the Entra ID portal … select Microsoft Entra Permissions Management, then select the link to purchase a license or begin a trial.”

And in the product roles and permissions documentation, Microsoft lists “Billing Administrator” as a built-in role that performs billing related tasks like managing payment information and also mentions that to activate (i.e. purchase) Permissions Management you require Billing Administrator role.

Assigning Global Administrator (option D) is too broad and would violate principle of least privilege. Permissions Management Administrator allows managing the product after it ' s enabled, but doesn ' t grant purchase rights. User Access Administrator is an Azure role that grants permissions to manage role assignments but not purchase licenses. Thus the minimal correct role is Billing Administrator .

<  Statement 1 → No

 Statement 2 → No

 Statement 3 → Yes

According to the Microsoft SC-300: Microsoft Identity and Access Administrator study guide and Azure AD Privileged Identity Management (PIM) documentation, roles in PIM can be configured for eligible or active assignments.

User1 is assigned automatically – No The “Add assignments” screen shows User1’s assignment type as Eligible, not Active. Eligible assignments mean the user is not automatically granted the role; they must activate it manually when needed. Therefore, User1 is not assigned automatically to the Application Administrator role.

When User2 requests role assignment, only User3 can approve – No The Role setting details show that approval is required to activate and that the approver is listed as Group1. Because both User2 and User3 are members of Group1, any member of the group can approve the request, not only User3. Hence, the statement that only User3 can approve is incorrect.

User1’s approval on January 31, 2021, at 23:00 – Yes The configuration shows an activation maximum duration of 5 hours. Therefore, if User1’s request is approved at 23:00 on January 31, the role remains active for 5 hours — until 04:00 on February 1, 2021. This aligns precisely with the parameters displayed in the exhibit.

As confirmed in Microsoft documentation ( “Configure role settings in Azure AD PIM” ), activation settings define how long a user can remain active after approval, and group approvers allow any member of that group to approve activations.

First create: ✅ An Azure Automation account

Distribute Catalog1 by using: ✅ An access package

According to the Microsoft SC-300 study guide and Microsoft Entra Identity Governance documentation, when creating custom extensions for Entitlement Management catalogs, the extensions must be hosted in an Azure Automation account. This automation account provides the execution environment for scripts or runbooks that perform external actions when certain events occur, such as user assignments or access removals.

Entitlement Management in Microsoft Entra (formerly Azure AD) allows administrators to automate user access lifecycle processes through access packages. These packages are distributed to internal or external users and define which resources (applications, groups, teams, or SharePoint sites) they can request access to — all under a governance framework.

First create an Azure Automation account

To use a custom extension in a catalog, Microsoft Entra requires an Azure Automation account.

The automation account hosts runbooks (PowerShell scripts or actions) that execute when access package events trigger (e.g., user request approval, role assignment, or removal).

The automation account acts as the backend engine for entitlement management extensions.

Step-by-Step Breakdown: As per Microsoft documentation:

“To add a custom extension to an access package, create an Azure Automation account that contains the runbook to handle the automation triggered by access lifecycle events.”

Distribute Catalog1 by using an access package

Once the catalog (Catalog1) and custom extension are configured, access to the resources in that catalog is granted through access packages.

Each access package defines eligibility, approval workflows, and access duration for users.

Access packages serve as the distribution mechanism of catalogs — users request access through them, and the catalog defines what access is granted.

From Microsoft SC-300 content:

“In Entitlement Management, catalogs define available resources, while access packages define who can request them and under what conditions. Access packages are the method of distributing access in a catalog.”

In a Microsoft 365 E5 environment with Global Secure Access (Microsoft Entra Internet Access) deployed, to block users from accessing a specific website (for example, https://contoso.com ), the configuration process involves creating network, filtering, and security control components in sequence.

According to the Microsoft SC-300 Study Guide and official Microsoft Learn module “Configure Microsoft Entra Internet Access and Private Access”, the required workflow is as follows:

Create a remote network – This step establishes the connectivity fabric that links user devices (running the Global Secure Access client) with the Microsoft Entra Global Secure Access services. It defines network parameters and routes traffic through the Microsoft Entra inspection layer.

Create a web content filtering policy – Within Microsoft Entra Internet Access, administrators can define filtering rules that control outbound web traffic. Here, you would add https://contoso.com as a blocked domain or URL category. This policy ensures that traffic destined for that domain is denied.

Configure a security profile – Security profiles combine web content filtering policies, Conditional Access policies, and inspection settings. You then assign the security profile to the remote network or user group so the filtering rule applies to traffic from the enrolled devices.

These steps align with Microsoft’s recommended process to “create a remote network, define filtering policy, and link via a security profile” for enforcing secure outbound access control through Global Secure Access.

To implement a process for reviewing guest users’ access to the Salesforce app with the specified requirements, you can use Microsoft Entra’s Identity Governance access reviews feature. Here’s a step-by-step guide:

Assign the appropriate role:

Ensure you have one of the following roles: Global Administrator, User Administrator, or Identity Governance Administrator1.

Navigate to Identity Governance:

Sign in to the Microsoft Entra admin center.

Go toIdentity governance > Access reviews1.

Create a new access review:

Select New access review.

Choose the Salesforce app to review guest user access1.

Configure the review settings:

Set the frequency of the review to monthly.

Define thedurationof the review period to5 days1.

Determine the reviewers:

Assign the manager of each guest user as the reviewer.

If a guest user does not have a manager, assignMegan Bowenas the reviewer1.

Automate the removal process:

Configure settings toautomatically remove accessif the review is not completed within the specified time frame1.

Monitor and enforce compliance:

Regularly check the access review results to ensure compliance with the review policy1.

Communicate the process:

Inform all stakeholders about the new review process and provide guidance on how to complete the reviews.

By following these steps, you can ensure that guest users’ access to the Salesforce app is reviewed monthly, with managers being responsible for the review, and access is removed if the review is not completed in time.

According to Microsoft Identity Governance documentation and the SC-300 study guide, entitlement management in Azure AD allows you to manage access to resources like SharePoint Online sites, Teams, groups, and applications through access packages . However, before an access package can be created, the administrator must first define a catalog .

A catalog is the logical container that holds all the resources (such as groups, Teams, and SharePoint sites) that can be made available in access packages. The process for entitlement management begins with catalog creation, followed by adding resources, then creating access packages that assign roles for those resources. Therefore, the first step to managing Site1 (SharePoint site) and Team1 (Microsoft Teams team) within entitlement management is to create a catalog and add those resources to it.

This aligns with Microsoft documentation, which states:

“Before creating an access package, you must have a catalog that contains the resources to be made available for assignment.”

 If User1 connects from 10.10.0.150 → Yes

 If User2 connects from 10.10.1.160 → Yes

 If User2 connects from 192.168.1.20 → No

In Azure AD Conditional Access, the Locations condition can target All trusted locations, which include named locations marked as trusted and any MFA trusted IPs. In this scenario, a named location (location1) is marked as trusted with 10.10.0.0/16, and the MFA service has a trusted IP range of 193.17.17.0/24. The policy CAPolicy1 targets Group1, all cloud apps, Locations = All trusted locations, and Grant = Require multi-factor authentication. Therefore, a Group1 user connecting from an IP within a trusted location will be required to perform MFA by this Conditional Access policy. User1 is in Group1; from 10.10.0.150 (within 10.10.0.0/16), the CA policy applies → prompted for MFA (Yes).

Per-user MFA (legacy) still functions independently of Conditional Access. User2 has per-user MFA Enforced (Group2 is not targeted by the CA policy). When User2 connects from 10.10.1.160 (not in an MFA trusted IP range), the user is required to complete MFA → Yes. When User2 connects from 192.168.1.20 at Location2, outbound traffic NATs to 193.17.17.0/24, which is configured as an MFA trusted IP range, so per-user MFA is not prompted → No.

This aligns with SC-300 guidance: Conditional Access policies evaluate trusted locations for MFA requirements; per-user MFA can bypass prompts from trusted IPs and still enforce MFA elsewhere.

When granting external users (such as contractors) access to Microsoft Entra resources like enterprise applications, the correct method is to invite them as guest users .

The Microsoft SC-300 Study Guide states:

“To collaborate with external users who authenticate using their existing accounts (e.g., Outlook.com, Gmail, or another Entra tenant), you must invite them as guest users using the Microsoft Graph API or the New-MgInvitation PowerShell cmdlet.”

In this scenario, the contractor uses user1@outlook.com , which is a personal Microsoft account. The New-MgInvitation cmdlet creates a guest user in the tenant that links to their external identity for authentication.

Conditional Access policies evaluate Assignments (users, cloud apps), optional Conditions , and then enforce Access controls . In SC-300, Terms of use (ToU) is enforced via Grant controls : the policy must “ require terms of use ” so that users must accept a specified ToU before access is granted. The documentation states that the ToU experience is applied when a policy includes the control to “ require terms of use ,” and this control lives under the Grant section (alongside controls like require MFA, require compliant device, etc.). Therefore, to deploy Terms1 with Policy1 , configure the Grant controls and select Require terms of use and choose Terms1 . Conditions or Session settings do not trigger ToU acceptance; they refine when or how access is permitted. Target resources select apps, but the enforcement of acceptance is strictly a Grant control.

When onboarding to Microsoft Entra Permissions Management (a CIEM solution), before a user can perform any functions inside Permissions Management, that user must be granted an appropriate Permissions Management role in the Entra tenant. The principle of least privilege dictates that you grant only the minimal role necessary (for example, a Permissions Management Approver , Viewer , or Controller ). The SC-300 study materials and Microsoft’s documentation emphasize that administrative access must begin by assigning roles within Entra ID.

Creating a security group (option A) is a useful organizational practice but doesn’t itself grant the user permissions inside Permissions Management.

Creating a role/policy template (option B) is about defining permission scopes and is not a first step to allow a user access.

Creating a request in My Requests (option D) presupposes that User1 already has some entitlement to make requests (i.e. some role), which they don’t yet.

Therefore, the first action is to assign a Permissions Management role to User1 from the Entra admin center, thus giving them appropriate access while adhering to least privilege.