Review the Microsoft Identity and Access Administrator (SC-300) scope, Microsoft Entra ID, Conditional Access, MFA, privileged access, app consent, lifecycle, and governance traps before practicing.

SC-300 is an identity exam. Use this cheat sheet to keep the access-control model clear: who the subject is, what resource is being accessed, which conditions apply, and how Microsoft Entra governance keeps access current.

Use this with practice. Review the identity checkpoints, then return to the SC-300 exam page for sample questions and update tracking.

| Field | Detail |
|---|---|
| Issuer | Microsoft |
| Certification lane | Microsoft Identity and Access Administrator |
| Exam code | SC-300 |
| Main scope | Microsoft Entra identity, authentication, authorization, lifecycle, applications, and governance |
| IT Mastery status | Sample questions available |

| Area | What to know | Common trap |
|---|---|---|
| Authentication methods | MFA, passwordless, registration, method policy, user rollout, and risk-based enforcement | Assuming MFA works before users have registered methods |
| Conditional Access | User, group, app, device, location, risk, grant controls, and session controls | Applying broad policies without exclusions or break-glass planning |
| Privileged access | PIM, eligible roles, activation, approval, audit, access reviews, and least privilege | Making privilege permanent because activation feels inconvenient |
| App access and consent | App registrations, delegated permissions, application permissions, admin consent, and scopes | Treating consent as harmless when it grants tenant data access |
| External identities | B2B collaboration, guest access, entitlement management, lifecycle, and access reviews | Sharing internal accounts with partners |
| Identity governance | Access packages, reviews, lifecycle workflows, group governance, and stale-access removal | Only granting access and never reviewing it |

| Distinction | How to decide |
|---|---|
| Authentication vs authorization | Authentication proves identity; authorization decides what the identity can do. |
| MFA vs Conditional Access | MFA is a control; Conditional Access decides when and where controls apply. |
| Eligible role vs active role | Eligible users can activate a role; active users currently hold the role. |
| Delegated permission vs application permission | Delegated access acts as a signed-in user; application access acts as the app itself. |
| Guest access vs external access | Guest access brings an external identity into the tenant; external access enables communication across tenants. |
| Access review vs access package | Reviews validate existing access; packages bundle access for request and lifecycle management. |

For SC-300 misses, classify the item as authentication, authorization, app consent, privileged access, external identity, or governance. Then explain which Microsoft Entra control changes access over time, not just at the moment of creation.