SC-300 Study Guide

Exam Quick Facts

Official Learning Paths

1. 📘 Implement and manage user identities — Entra tenants, users, groups, hybrid identity
2. 📘 Implement authentication and access management — MFA, Conditional Access, ID Protection, Global Secure Access
3. 📘 Plan and implement workload identities — Managed identities, app registrations, enterprise apps, Defender for Cloud Apps
4. 📘 Plan and automate identity governance — Entitlement management, access reviews, PIM, monitoring

📖 Study Resources

Skills at a Glance

Who is this exam for?

The SC-300 is for identity and access administrators — the people who design, implement, and operate an organisation’s identity infrastructure using Microsoft Entra. If you manage who can access what, how they authenticate, and how access is governed, this exam is for you.

You should be familiar with Azure, Microsoft 365, Active Directory Domain Services, PowerShell, and KQL. This exam is deeply hands-on — expect lab-based questions on Conditional Access policies, PIM configurations, and app registrations.

This exam was last updated on April 27, 2026 and now includes Global Secure Access as a key topic. The SC-300 also counts toward the Microsoft 365 Certified: Administrator Expert certification.

Skills Measured — with Microsoft Learn Links

Implement and manage user identities (20–25%)

This domain covers the full lifecycle of user identities — from creating Entra tenants and managing users to handling hybrid identity with on-premises Active Directory. You need to know how to manage cloud users, groups, external identities, and directory synchronisation.

Configure and manage a Microsoft Entra tenant

Your Entra tenant is the foundation of identity in Microsoft 365 and Azure. You need to know how to manage built-in and custom roles, administrative units (to delegate admin access to specific groups of users), domains, company branding, and tenant-wide settings.

• Configure and manage built-in and custom Microsoft Entra roles
• Recommend when to use administrative units
• Configure and manage administrative units
• Evaluate effective permissions for Microsoft Entra roles
• Configure and manage domains in Microsoft Entra ID and Microsoft 365
• Configure Company branding settings
• Configure tenant properties, user settings, group settings, and device settings

Create, configure, and manage Microsoft Entra identities

Day-to-day identity management: creating users and groups, managing custom security attributes, performing bulk operations (via admin center or PowerShell), managing device registrations, and handling licence assignments.

• Create, configure, and manage users
• Create, configure, and manage groups
• Manage custom security attributes
• Automate bulk operations by using the Microsoft Entra admin center and PowerShell
• Manage device join and device registration in Microsoft Entra ID
• Assign, modify, and report on licenses

Implement and manage identities for external users and tenants

External collaboration lets you invite users from outside your organisation (B2B) and configure cross-tenant access. You need to know how to manage guest users, configure external identity providers (SAML, WS-Fed), and set up cross-tenant synchronisation.

• Manage External collaboration settings in Microsoft Entra ID
• Invite external users, individually or in bulk
• Manage external user accounts in Microsoft Entra ID
• Implement Cross-tenant access settings
• Implement and manage cross-tenant synchronization
• Configure external identity providers, including protocols such as SAML and WS-Fed

Implement and manage hybrid identity

Hybrid identity connects your on-premises Active Directory with Microsoft Entra ID. You need to know the two sync engines (Entra Connect Sync and Cloud Sync), authentication methods (password hash sync, pass-through authentication, federation), and how to monitor the health of your hybrid environment.

• Implement and manage Microsoft Entra Connect Sync
• Implement and manage Microsoft Entra Cloud Sync
• Implement and manage password hash synchronization
• Implement and manage pass-through authentication
• Implement and manage seamless single sign-on (SSO)
• Migrate from AD FS to other authentication and authorization mechanisms
• Implement and manage Microsoft Entra Connect Health

Implement authentication and access management (25–30%)

This is the largest and most critical domain. It covers how users authenticate (MFA, passwordless, passkeys), how access is controlled (Conditional Access policies), how risks are managed (ID Protection), and the new Global Secure Access feature. Expect heavy scenario-based questions here.

Plan, implement, and manage Microsoft Entra user authentication

Authentication methods have evolved far beyond passwords. You need to know about certificate-based authentication, Temporary Access Pass, FIDO2 passkeys, Microsoft Authenticator, Windows Hello for Business, and how to configure MFA and SSPR at the tenant level.

• Plan for authentication
• Implement and manage authentication methods, including certificate-based authentication, Temporary Access Pass, OAuth 2.0 tokens, Microsoft Authenticator, and passkeys (FIDO2)
• Implement and manage tenant-wide MFA settings
• Configure and deploy self-service password reset (SSPR)
• Implement and manage Windows Hello for Business
• Disable accounts and revoke user sessions
• Implement and manage Microsoft Entra password protection
• Enable Microsoft Entra Kerberos authentication for hybrid identities

Plan, implement, and manage Microsoft Entra Conditional Access

Conditional Access is the Zero Trust policy engine — it evaluates signals (user, device, location, risk level) and enforces access decisions (allow, block, require MFA). This is one of the most heavily tested areas. You need to know how to plan, create, test, and troubleshoot policies.

• Plan Conditional Access policies
• Implement Conditional Access policy assignments
• Implement Conditional Access policy controls
• Test and troubleshoot Conditional Access policies
• Implement session management
• Implement device-enforced restrictions
• Implement continuous access evaluation
• Configure authentication context
• Implement protected actions
• Create a Conditional Access policy from a template

Manage risk by using Microsoft Entra ID Protection

ID Protection automatically detects risky sign-ins and risky users using Microsoft’s intelligence. You need to know how to configure risk-based policies (e.g., “require MFA for medium-risk sign-ins”), investigate alerts, and remediate compromised users.

• Implement and manage user risk policies
• Implement and manage sign-in risk policies
• Implement and manage MFA registration using authentication methods and registration campaigns
• Monitor, investigate and remediate risky users and risky sign-ins
• Monitor, investigate, and remediate risky workload identities

Implement Global Secure Access

Global Secure Access is Microsoft’s Security Service Edge (SSE) solution — it provides identity-aware, cloud-delivered network security. This is a newer topic on the exam, covering Private Access (replace VPNs), Internet Access (secure web gateway), and Internet Access for Microsoft 365.

• Deploy Global Secure Access clients
• Deploy and manage Private Access
• Deploy and manage Internet Access
• Deploy and manage Internet Access for Microsoft 365

Plan and implement workload identities (20–25%)

Workload identities are for applications and services — not people. This domain covers managed identities, service principals, app registrations, enterprise application integration, and monitoring app access with Defender for Cloud Apps. If you manage SaaS application SSO or custom app integrations, this is your domain.

Plan and implement identities for applications and Azure workloads

Managed identities let Azure resources authenticate to other Azure services without storing credentials in code. You need to know the difference between system-assigned and user-assigned managed identities, service principals, and when to use each.

• Select appropriate identities for applications and Azure workloads
• Create managed identities
• Assign a managed identity to an Azure resource
• Use a managed identity assigned to an Azure resource to access other Azure resources

Plan, implement, and monitor the integration of enterprise applications

Enterprise applications are the SaaS and on-premises apps that users access through Entra ID. You need to know how to configure SSO, manage user/group assignments, handle consent, and use Application Proxy to publish on-premises apps externally.

• Plan and implement settings for enterprise applications
• Assign appropriate Microsoft Entra roles to users to manage enterprise applications
• Design and implement integration for on-premises apps by using Microsoft Entra Application Proxy
• Design and implement integration for SaaS apps
• Assign, classify, and manage users, groups, and app roles for enterprise applications
• Configure and manage user and admin consent
• Create and manage application collections

Plan and implement app registrations

App registrations define how your custom applications integrate with Entra ID. You need to know how to create registrations, configure authentication (redirect URIs, supported account types), set up API permissions, and create app roles.

• Plan for app registrations
• Create app registrations
• Configure app authentication
• Configure API permissions
• Create app roles

Manage and monitor app access by using Microsoft Defender for Cloud Apps

Defender for Cloud Apps provides visibility and control over SaaS applications. Cloud Discovery finds shadow IT, app connector policies monitor activity, and session policies can block risky actions in real-time. This is a newer topic area that ties security to app access.

• Configure and analyze cloud discovery results by using Defender for Cloud Apps
• Configure connected apps
• Implement application-enforced restrictions
• Configure Conditional Access app control
• Create access and session policies in Defender for Cloud Apps
• Implement and manage policies for OAuth apps
• Manage the Cloud app catalog

Plan and automate identity governance (20–25%)

Identity governance ensures the right people have the right access for the right reasons — and only for as long as they need it. This domain covers entitlement management (access packages), access reviews, Privileged Identity Management (PIM), and monitoring/reporting with logs and workbooks.

Plan and implement entitlement management in Microsoft Entra

Entitlement management lets you create access packages — bundles of group memberships, app assignments, and SharePoint site access that users can request through a self-service portal. It’s especially useful for managing access for external users.

• Plan entitlements
• Create and configure catalogs
• Create and configure access packages
• Manage access requests
• Implement and manage terms of use (ToU)
• Manage the lifecycle of external users
• Configure and manage connected organizations

Plan, implement, and manage access reviews in Microsoft Entra

Access reviews are periodic checks to ensure that user access is still appropriate. You can review group memberships, app assignments, and role assignments. If someone no longer needs access, the review can automatically remove it.

• Plan for access reviews
• Create and configure access reviews
• Monitor access review activity
• Manually respond to access review activity

Plan and implement privileged access

Privileged Identity Management (PIM) provides just-in-time, time-bound admin access. Instead of having permanent Global Admin assignments, users activate the role when needed and it expires automatically. This dramatically reduces the attack surface for privileged accounts.

• Plan and manage Microsoft Entra roles in PIM, including settings and assignments
• Plan and manage Azure resources in PIM, including settings and assignments
• Plan and configure PIM for Groups
• Manage the PIM request and approval process
• Analyze PIM audit history and reports
• Create and manage break-glass accounts

Monitor identity activity by using logs, workbooks, and reports

Monitoring is how you detect issues, troubleshoot problems, and measure the security health of your identity infrastructure. Sign-in logs, audit logs, and provisioning logs are your primary data sources. KQL queries in Log Analytics let you dig deeper, and Identity Secure Score gives you a benchmark.

• Review and analyze sign-in, audit, and provisioning logs
• Configure diagnostic settings, including configuring destinations
• Monitor Microsoft Entra ID by using KQL queries in Log Analytics
• Analyze Microsoft Entra ID by using workbooks and reporting
• Monitor and improve the security posture by using Identity Secure Score

Quick Links

• 📝 Official Exam Page
• 📖 Microsoft Study Guide
• 🎯 Practice Assessment | Implement and manage user identities | 20-25% | | Implement authentication and access management | 25-30% | | Plan and implement workload identities | 20-25% | | Plan and automate identity governance | 20-25% |

Skills Measured

Implement and manage user identities (20–25%)

Configure and manage a Microsoft Entra tenant

• Configure and manage built-in and custom Microsoft Entra roles
• Recommend when to use administrative units
• Configure and manage administrative units
• Evaluate effective permissions for Microsoft Entra roles
• Configure and manage domains in Microsoft Entra ID and Microsoft 365
• Configure Company branding settings
• Configure tenant properties, user settings, group settings, and device settings

Create, configure, and manage Microsoft Entra identities

• Create, configure, and manage users
• Create, configure, and manage groups
• Manage custom security attributes
• Automate bulk operations by using the Microsoft Entra admin center and PowerShell
• Manage device join and device registration in Microsoft Entra ID
• Assign, modify, and report on licenses

Implement and manage identities for external users and tenants

• Manage External collaboration settings in Microsoft Entra ID
• Invite external users, individually or in bulk
• Manage external user accounts in Microsoft Entra ID
• Implement Cross-tenant access settings
• Implement and manage cross-tenant synchronization
• Configure external identity providers, including protocols such as SAML and WS-Fed

Implement and manage hybrid identity

• Implement and manage Microsoft Entra Connect Sync
• Implement and manage Microsoft Entra Cloud Sync
• Implement and manage password hash synchronization
• Implement and manage pass-through authentication
• Implement and manage seamless single sign-on (SSO)
• Migrate from AD FS to other authentication and authorization mechanisms
• Implement and manage Microsoft Entra Connect Health

Implement authentication and access management (20–25%)

Plan, implement, and manage Microsoft Entra user authentication

• Plan for authentication
• Implement and manage authentication methods, including certificate-based authentication, Temporary Access Pass, OAuth 2.0 tokens, Microsoft Authenticator, and passkeys (FIDO2)
• Implement and manage tenant-wide multifactor authentication (MFA) settings
• Configure and deploy self-service password reset (SSPR)
• Implement and manage Windows Hello for Business
• Disable accounts and revoke user sessions
• Implement and manage Microsoft Entra password protection
• Enable Microsoft Entra Kerberos authentication for hybrid identities

Plan, implement, and manage Microsoft Entra Conditional Access

• Plan Conditional Access policies
• Implement Conditional Access policy assignments
• Implement Conditional Access policy controls
• Test and troubleshoot Conditional Access policies
• Implement session management
• Implement device-enforced restrictions
• Implement continuous access evaluation
• Configure authentication context
• Implement protected actions
• Create a Conditional Access policy from a template

Manage risk by using Microsoft Entra ID Protection

• Implement and manage user risk by using Microsoft Entra ID Protection or Conditional Access policies
• Implement and manage sign-in risk by using Microsoft Entra ID Protection or Conditional Access policies
• Implement and manage multifactor authentication registration by using authentication methods and registration campaigns
• Monitor, investigate and remediate risky users and risky sign-ins
• Monitor, investigate, and remediate risky workload identities

Implement Global Secure Access

• Deploy Global Secure Access clients
• Deploy and manage Private Access
• Deploy and manage Internet Access
• Deploy and manage Internet Access for Microsoft 365

Plan and implement workload identities (20–25%)

Plan and implement identities for applications and Azure workloads

• Select appropriate identities for applications and Azure workloads, including managed identities, service principals, user accounts, and managed service accounts
• Create managed identities
• Assign a managed identity to an Azure resource
• Use a managed identity assigned to an Azure resource to access other Azure resources

Plan, implement, and monitor the integration of enterprise applications

• Plan and implement settings for enterprise applications, including application-level and tenant-level settings
• Assign appropriate Microsoft Entra roles to users to manage enterprise applications
• Design and implement integration for on-premises apps by using Microsoft Entra Application Proxy
• Design and implement integration for software as a service (SaaS) apps
• Assign, classify, and manage users, groups, and app roles for enterprise applications
• Configure and manage user and admin consent
• Create and manage application collections

Plan and implement app registrations

• Plan for app registrations
• Create app registrations
• Configure app authentication
• Configure API permissions
• Create app roles

Manage and monitor app access by using Microsoft Defender for Cloud Apps

• Configure and analyze cloud discovery results by using Defender for Cloud Apps
• Configure connected apps
• Implement application-enforced restrictions
• Configure Conditional Access app control
• Create access and session policies in Defender for Cloud Apps
• Implement and manage policies for OAuth apps
• Manage the Cloud app catalog

Plan and automate identity governance (20–25%)

Plan and implement entitlement management in Microsoft Entra

• Plan entitlements
• Create and configure catalogs
• Create and configure access packages
• Manage access requests
• Implement and manage terms of use (ToU)
• Manage the lifecycle of external users
• Configure and manage connected organizations

Plan, implement, and manage access reviews in Microsoft Entra

• Plan for access reviews
• Create and configure access reviews
• Monitor access review activity
• Manually respond to access review activity

Plan and implement privileged access

• Plan and manage Microsoft Entra roles in Microsoft Entra Privileged Identity Management (PIM), including settings and assignments
• Plan and manage Azure resources in PIM, including settings and assignments
• Plan and configure PIM for Groups
• Manage the PIM request and approval process
• Analyze PIM audit history and reports
• Create and manage break-glass accounts

Monitor identity activity by using logs, workbooks, and reports

• Review and analyze sign-in, audit, and provisioning logs by using the Microsoft Entra admin center
• Configure diagnostic settings, including configuring destinations such as Log Analytics workspaces, storage accounts, and Azure Event Hubs
• Monitor Microsoft Entra ID by using KQL queries in Log Analytics
• Analyze Microsoft Entra ID by using workbooks and reporting
• Monitor and improve the security posture by using Identity Secure Score

Quick Links

• 📝 Official Exam Page
• 📖 Microsoft Study Guide
• 🎯 Practice Assessment