For Identity Governance (Entitlement Management), the materials clarify who can create and manage access reviews of access packages: “To create or manage access reviews for access packages, you must be a Global administrator, an Identity Governance administrator, a catalog owner for the catalog that contains the access package, or an access package manager.” The exam text also states: “User administrator does not grant the ability to manage entitlement management access reviews unless the user is delegated as a catalog owner or access package manager.” Given the scenario’s user roles, User3 (Identity Governance administrator) and User5 (Global administrator) satisfy these permissions and therefore can create and manage the access review for Package1. By contrast, User4 (User administrator) cannot perform this task by role alone. This selection follows the least-privilege guidance emphasized in SC-300: use specialized governance roles (Identity Governance admin or delegated catalog roles) rather than broad directory roles when possible.

According to the Microsoft SC-300: Identity and Access Administrator official study guide and the Microsoft Learn module “Manage user and group licenses in Microsoft Entra ID (Azure AD)”, when you need to automatically assign licenses to users based on specific attributes (such as department, location, or a custom attribute like LWLicenses ), you should use a Dynamic User Security Group in Azure Active Directory (Entra ID).

In the scenario, Litware wants to:

“Manage the assignment of Azure AD licenses by modifying the value of the LWLicenses attribute. Users who have the appropriate value for LWLicenses must be added automatically to the Microsoft 365 group that has the appropriate license assigned.”

This requirement directly maps to a Dynamic User security group, which supports dynamic membership rules that automatically include users when their attributes meet defined conditions (for example, user.extensionAttribute15 -eq " E5 " ). When a license is assigned to this dynamic group, Azure AD automatically provisions or removes licenses for members based on their attribute values — eliminating manual license management.

Per Microsoft documentation:

“You can assign licenses to a group that has dynamic membership. When a user’s attributes change, Azure AD automatically adds or removes them from the group, which updates their license assignments accordingly.”

Now, analyzing the other options:

B. An OU (Organizational Unit): Used in on-premises Active Directory, not Azure AD. It cannot manage cloud-based license assignments.

C. A Distribution Group: Used for email distribution in Exchange Online; cannot be used for license assignment.

D. An Administrative Unit: Used for scoping administrative permissions, not for license assignment.

Therefore, the only object type that satisfies both the technical and automation requirements is a Dynamic User Security Group.

✅ Correct Answer: A. A Dynamic User security group

To meet auditing and monitoring requirements, Azure AD must send sign-in logs and audit logs to an external location such as a Log Analytics workspace, Azure Storage account, or Event Hub. This is configured using Diagnostics settings in Azure AD.

According to Microsoft documentation in “Monitor Azure Active Directory activity logs in Azure Monitor” and the SC-300 learning objective “Implement and monitor identity governance” , you must enable diagnostic settings to stream directory logs to a Log Analytics workspace.

The scenario specifies:

“You create a Log Analytics workspace. You need to implement the technical requirements for auditing.”

By configuring Azure AD’s Diagnostics settings, you can:

Send Sign-in logs, Audit logs, and Provisioning logs to Log Analytics.

Correlate identity events with security insights in Azure Sentinel or Microsoft Defender for Cloud Apps.

Microsoft documentation confirms:

“To collect and analyze Azure AD sign-in and audit data, configure diagnostic settings to send logs to Log Analytics.”

Other options do not meet the requirement:

A. Company branding: Only affects login pages, not logging or auditing.

C. External Identities: Controls guest access, not logging.

D. App registrations: Used for app integration, not auditing.

In Azure AD Privileged Identity Management (PIM) for Azure AD roles, the exam materials describe that you tailor how a role (for example, User administrator) is used by editing its Role settings. These settings control activation behavior, including require multi-factor authentication, justification, approval, assignment/activation durations, and notifications . The guide states that administrators can “configure activation requirements and time-bound eligibility on a per-role basis” and “enforce approval workflows and MFA at activation.” Access reviews are used to periodically verify who still needs a role , but they do not implement the operational changes to how the role is activated. Active assignments simply shows and changes who currently holds active/eligible assignments; it does not set policy for the role’s activation behavior. Administrative units scope certain directory tasks, but they are not how you change PIM activation/approval/MFA requirements. Therefore, to meet planned changes for the User administrator role (such as least privilege activation with approval, justification, and MFA), you update PIM → Azure AD roles → User administrator → Role settings. This aligns with the SC-300 objective to “configure PIM settings and policies for Azure AD roles,” ensuring governance by policy rather than ad-hoc assignment.

The SC-300 coverage of Azure AD Connect explains that when you need to bring in a new set of on-premises users or change what is synchronized (for example, adding an additional domain/OU such as ADatum or adjusting filtering), you reopen the Azure AD Connect wizard and choose “Customize synchronization options.” The guide notes that this path lets you “modify directory/OU filtering, add or remove forests, and enable optional sync features” so that only the intended users are synchronized. It contrasts with operational commands: Start-ADSyncSyncCycle merely triggers an immediate delta/full sync of the current configuration; Set-ADSyncScheduler changes the sync cadence or pause/resume behavior; and “Change user sign-in” alters the authentication method (e.g., PHS vs. PTA) but does not control scoping of which users are synced. To meet a requirement to sync the ADatum users according to technical constraints (such as OU/domain selection or feature toggles), you must first configure the scope by running the wizard and selecting Customize synchronization options, then perform/allow a sync cycle to bring those users into Azure AD as defined.

To create a group named “Audit” and ensure that its members can activate the Security Reader role, follow these steps:

Open the Microsoft Entra admin center:

Sign in with an account that has the Security Administrator or Global Administrator role.

Navigate to Groups:

Go toTeams & groups > Active teams and groups1.

Create the security group:

Select Add a security group.

On the Set up the basics page, enter “Audit” as the group name.

Add a description if necessary and chooseNext1.

Edit settings:

On theEdit settingspage, select whether you want Microsoft Entra roles to be assignable to this group and selectNext1.

Assign roles:

After creating the group, go to Roles > All roles.

Find and select the Security Reader role.

Under Assignments, choose Assign.

Select the “Audit” group to assign the role to its members2.

Review and finish:

Review the settings to ensure the “Audit” group is created with the ability for its members to activate the Security Reader role.

Finish the setup and save the changes.

By following these steps, you will have created the “Audit” group and enabled its members to activate the Security Reader role, which allows them to view security-related information without having permissions to change it. Remember to communicate the new group and role assignment to the relevant stakeholders in your organization.

According to the Microsoft SC-300: Identity and Access Administrator Study Guide and Microsoft Learn modules “Implement and manage Azure AD roles” and “Implement Privileged Identity Management (PIM)” , there is a clear distinction between Azure AD built-in roles and Azure (resource-based) built-in roles.

Azure AD built-in roles govern directory-level access — such as managing users, groups, enterprise apps, or security settings in Azure Active Directory (Entra ID). The Privileged Role Administrator role allows the user to manage role assignments for directory roles in Azure AD, including activating roles through PIM. The Global Administrator also has this capability, but the Privileged Role Administrator is the least privilege role that meets the delegation requirement — aligning with the principle of least privilege stated in the scenario. As the documentation notes:

“Privileged Role Administrator manages role assignments in Azure AD, including the ability to activate and assign roles through Azure AD Privileged Identity Management.”

Azure built-in roles, on the other hand, are used to control access at the Azure resource level — for subscriptions, resource groups, and individual resources. The role responsible for managing these assignments is the User Access Administrator. This role can grant or revoke access to Azure resources by managing role assignments within Azure RBAC (Role-Based Access Control). The Microsoft documentation states:

“User Access Administrator allows management of user access to Azure resources. It can assign roles in Azure RBAC for resources, subscriptions, and management groups.”

Therefore:

✅ To manage Azure AD built-in role assignments → Privileged role administrator

✅ To manage Azure built-in role assignments → User access administrator

This approach satisfies the delegation requirement mentioned in the scenario by assigning the least-privileged roles necessary for each type of role management task.