SC-300 Exam - Question 308


Case Study

Overview

ADatum Corporation is a consulting company in Montreal.

ADatum recently acquired a Vancouver-based company named Litware, Inc.

Existing Environment. ADatum Environment

The on-premises network of ADatum contains an Active Directory Domain Services (AD DS) forest named adatum.com.

ADatum has a Microsoft 365 E5 subscription. The subscription contains a verified domain that syncs with the adatum.com AD DS domain by using Azure AD Connect.

ADatum has an Azure Active Directory (Azure AD) tenant named adatum.com. The tenant has Security defaults disabled.

The tenant contains the users shown in the following table.

The tenant contains the groups shown in the following table.

Existing Environment. Litware Environment

Litware has an AD DS forest named litware.com.

Existing Environment. Problem Statements

ADatum identifies the following issues:

• Multiple users in the sales department have up to five devices. The sales department users report that sometimes they must contact the support department to join their devices to the Azure AD tenant because they have reached their device limit.

• A recent security incident reveals that several users leaked their credentials, a suspicious browser was used for a sign-in, and resources were accessed from an anonymous IP address.

• When you attempt to assign the Device Administrators role to IT_Group1, the group does NOT appear in the selection list.

• Anyone in the organization can invite guest users, including other guests and non-administrators.

• The helpdesk spends too much time resetting user passwords.

• Users currently use only passwords for authentication.

Requirements. Planned Changes

ADatum plans to implement the following changes:

• Configure self-service password reset (SSPR).

• Configure multi-factor authentication (MFA) for all users.

• Configure an access review for an access package named Package1.

• Require admin approval for application access to organizational data.

• Sync the AD DS users and groups of litware.com with the Azure AD tenant.

• Ensure that only users that are assigned specific admin roles can invite guest users.

• Increase the maximum number of devices that can be joined or registered to Azure AD to 10.

Requirements. Technical Requirements

ADatum identifies the following technical requirements:

• Users assigned the User administrator role must be able to request permission to use the role when needed for up to one year.

• Users must be prompted to register for MFA and provided with an option to bypass the registration for a grace period.

• Users must provide one authentication method to reset their password by using SSPR. Available methods must include:

- Email

- Phone

- Security questions

- The Microsoft Authenticator app

• Trust relationships must NOT be established between the adatum.com and litware.com AD DS domains.

• The principle of least privilege must be used.

You need to implement the planned changes for Package1.

Which users can create and manage the access review?

Correct Answer: C

To create and manage access reviews for an access package, a user must have the Identity Governance Administrator role. According to the requirements, User5 is the only user assigned this role. Therefore, User5 can create and manage the access review for the access package named Package1.

Discussion

25 comments
Siraf
Dec 23, 2023

Answer is C. To enable reviews of access packages, you must meet the prerequisites for creating an access package:

- Microsoft Entra ID P2 or Microsoft Entra ID Governance

- Global administrator, Identity Governance administrator, Catalog owner, or Access package manager

https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-access-reviews-create

Ikazimirs
Jul 23, 2023

but user 4 is the user with Privileged Role Administrator role....

Alcpt
May 20, 2024

Answer is C. You are confusing access reviews for Azure resources vs access reviews for Microsoft Entra roles. For creating access reviews for Azure RESOURCES, you need Owner or the User Access Administrator role for the Azure resources. For creating access reviews for Microsoft Entra ROLES, you need Global Administrator or the Privileged Role Administrator role. You are reviewing access packages here, which are Azure RESOURCES. Evidence: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-create-roles-and-resource-roles-review

Alcpt
May 20, 2024

sorry above answer is for a different question. Answer is C. You are reviewing an application, not a role-assignable group = #1 #1 Global Administrator or Identity Governance Administrator to create reviews on groups or applications. #2 Users must be in the Global administrator role or the Privileged Role administrator role to create reviews on role-assignable groups

CheMetto Option: E
Jul 21, 2023

First, you must be assigned one of the following roles: Global administrator User administrator Identity Governance Administrator Privileged Role Administrator (for reviews of role-assignable groups only) (Preview) Microsoft 365 or AAD Security Group owner of the group to be reviewed https://learn.microsoft.com/en-us/azure/active-directory/governance/manage-access-review

Another_one Option: C
Jan 6, 2024

https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#who-will-create-and-manage-access-reviews Definitely C is the answer.

siffy
Jan 27, 2024

how is it c when it says Global administrator User administrator

Ody
Feb 24, 2024

Look in the table where it says "Access Packages"

Sneekygeek Option: C
Jan 31, 2024

Answer is C https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#who-will-create-and-manage-access-reviews The role required to create an access review will depend on the type of resource the access review is for.

KRISTINMERIEANN Option: C
Apr 11, 2024

https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#who-will-create-and-manage-access-reviews

HartMS Option: C
Apr 14, 2024

Only following roles can create and manage access reviews for packages: Global administrator Identity Governance administrator

marsot Option: E
Jul 24, 2023

To create and perform an access review for users, you need to have one of the following roles: • Global administrator • User administrator • Identity Governance Administrator • Privileged Role Administrator (for reviews of role-assignable groups only) • (Preview) Microsoft 365 or AAD Security Group owner of the group to be reviewed https://learn.microsoft.com/en-us/azure/active-directory/governance/manage-access-review#create-and-perform-an-access-review-for-users

penatuna Option: E
Sep 14, 2023

Requirements. Planned Changes: Configure an access review for an access package named Package1. Looking at the link below, only User3 & User5 can create and manage access reviews for access package named Package1. https://learn.microsoft.com/en-us/azure/active-directory/governance/deploy-access-reviews#who-will-create-and-manage-access-reviews

itismadu
Oct 26, 2023

Strongly agree with you. It's User3 & User5. The administrative role required to create, manage, or read an access review depends on the type of resource being reviewed. The type of resource is access Package. Hence user 3 and User 5 - https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#who-will-create-and-manage-access-reviews

Ody
Feb 24, 2024

The link explains why both of you are wrong and why User 5 is the answer.

penatuna
Feb 29, 2024

OK, things have changed from when I first answered the question. Now the correct answer is C - Identity Governance administrator. In the Entra admin centre, it now says: "NOTE! The User Administrator role is no longer allowed to manage catalogs and access packages in Microsoft Entra Entitlement Management. Please transition to the Identity Governance Administrator role to continue managing access without disruption, or go to the Entitlement Management settings page if you need to temporarily opt out."

pokrz26 Option: C
Dec 16, 2023

This link -> https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#who-will-create-and-manage-access-reviews

Clearly says:

Create and manage access reviews (creators)

- Global administrator

- Identity Governance administrator

- Catalog owner (for the access package)

- Access package manager (for the access package)

Read access review results

- Global administrator

- Global reader

- User administrator

- Identity Governance administrator

- Catalog owner (for the access package)

- Access package manager (for the access package)

- Security reader

Question says: Which users can create and manage the access review? So the answer is C. User administrator can read access review of access package but cannot create and manage it.

belyo Option: C
Mar 11, 2024

it is not clear what access package covers.. so following this: https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#who-will-create-and-manage-access-reviews:~:text=Authorization/*/read%20permissions.-,Access%20package,-Global%20administrator i vote for ID Governance admin

blanco00555 Option: C
Apr 6, 2024

https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#who-will-create-and-manage-access-reviews see table: Access package: Global administrator Identity Governance administrator

JuanZ Option: E
Apr 23, 2024

Create and manage access reviews (creators): -Global administrator -User administrator -Identity Governance administrator -Privileged Role administrator (only does reviews for Microsoft Entra role-assignable groups) -Group owner (if enabled by an admin) https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#who-will-create-and-manage-access-reviews

criminal1979 Option: C
May 2, 2024

https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#who-will-create-and-manage-access-reviews

Tony416 Option: C
Sep 9, 2024

https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#who-will-create-and-manage-access-reviews

hml_2024 Option: C
Sep 15, 2024

To create and manage Access Reviews, a user needs to have one of the following roles in Azure AD: • Global Administrator • Privileged Role Administrator • Identity Governance Administrator

BSVIT Option: C
Dec 16, 2023

It's C. https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews You need to be able to create and manage resource type ''Access Package". there are 4 roles that can create and manage: Global administrator Identity Governance administrator Catalog owner (for the access package) Access package manager (for the access package)

Tomasfc Option: C
Dec 19, 2023

Answer in both links: https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-access-reviews-create https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#who-will-create-and-manage-access-reviews

Tomasfc Option: C
Dec 22, 2023

https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#who-will-create-and-manage-access-reviews

GummyBear95 Option: C
Sep 20, 2024

Those who can create and manage access reviews are: Global Administrator Identity Governance Administrator Catalog owner (for the access package) Access package manager (for the access package) User Administrator can only read not create and manage https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#who-will-create-and-manage-access-reviews

roman_cat
Aug 26, 2023

Should be F. User 4 and 5. Least privilege access

Sc300ExamDemo
Jun 2, 2024

For review access package, only these roles are required Global administrator Identity Governance administrator Catalog owner (for the access package) Access package manager (for the access package) https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#who-will-create-and-manage-access-reviews Answer: C

hml_2024
Sep 15, 2024

Privileged Role Administrator does not have access to create access review.

watanabetatarou Option: E
Oct 1, 2024

E

Obi_Wan_Jacoby Option: C
May 5, 2025

Answer: C (user 5) Identity Governance Administrator