Studying for the SC-300 (part 1)


I finally took the time to book and study for the SC-300: Identity and Access Administrator. This is part of the new Security, Compliance, and Identity series of exams. There’s the SC-900: Microsoft Security, Compliance, and Identity Fundamentals, which is, as the name says, the exam that covers the fundamentals. Then there are the more specific, role-based exams: the SC-300, the SC-200: Microsoft Security Operations Analyst, and the SC-400: Microsoft Information Protection Administrator.

I’ve been studying for the SC-300 for the past week or so, and my intention with this series of articles is just to share my notes and observations. I hope some of you find it useful.

The topics covered

The exam is divided into four main knowledge domains, each with different weights:

  • Implement an identity management solution
  • Implement an authentication and access management solution
  • Implement access management for apps
  • Plan and implement an Identity Governance Strategy

These 4 domains are divided into subdomains, and each subdomain has a number of skills to be studied.

Charbel Nemnom has an excellent study guide for the SC-300. I’ve been following his guide for my own studies, and I highly recommend it. Thank you Charbel!

Implement an identity management solution

I still don’t know how many parts this series will have. This will work as a public repository of my studies, so it’s a work in progress. I’ll build it as I move on with the studies. Since I study every day, I hope I can publish an article every day. I’ll do my best!

The first domain, implement an identity management solution, is divided into four subdomains:

  • Implement initial configuration of Azure Active Directory
  • Create, configure, and manage identities
  • Implement and manage external identities
  • Implement and manage hybrid identity

Let’s start covering this first subdomain!

Implement initial configuration of Azure Active Directory

This subdomain covers five skills:

  • configure and manage Azure Active Directory roles
  • configure and manage custom domains
  • configure and manage device registration options
  • configure delegation by using administrative units
  • configure tenant-wide settings

Let’s see how many of these I can cover today!

Configure and manage Azure Active Directory roles

Azure Active Directory (also referred to as Azure AD) is Microsoft’s cloud-based identity and access management solution. Azure AD manages an organization’s employees’ access to:

  • External resources, such as Microsoft 365 and the Azure portal.
  • Internal resources, such as corporate apps, hosted on your internal corporate network or in the cloud.

Azure AD is intended for:

  • IT admins, who use Azure AD to control access to apps and resources.
  • App developers, who use Azure AD as a standards-based approach for adding single sign-on (SSO) to apps.

Azure AD roles

Azure AD roles are used to manage Azure AD resources in a directory, such as creating or editing users, assigning administrative roles to others, resetting user passwords, managing user licenses, and managing domains.

Azure AD offers a number of built-in roles that you can choose from, and you can also create your own custom role to suit your specific business needs.

We can see a list of the built-in roles in the Azure portal. Navigate to Azure Active Directory, and from the menu on the left, select Roles and administrators.

Here’s a list of all built-in roles in Azure AD.

To assign a built-in role to a user, go to Users in Azure AD, and select the user you want to assign a role to. Select Assigned roles from the menu on the left, and + Add assignments from the top menu.

Create and assign custom roles

A custom role definition is a collection of permissions that you add from a preset list. These permissions are the same as the ones used for the built-in roles.

Prerequisites for the creation of custom roles in Azure AD:

  • Azure AD Premium P1 or P2 license.
  • Privileged Role Administrator or Global Administrator.
  • AzureADPreview module when using PowerShell.
  • Admin consent when using Graph explorer for Microsoft Graph API.

To create a custom role, navigate to Azure AD and select Roles and administrators from the menu on the left. Select + New custom role on the top menu.

I couldn’t try it myself because I already used up my Azure AD Premium license trial, and they just let you use it once. So, no screenshots. Instead, here’s the step-by-step on how to do it.
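As an added example (not part of the original post), this is one way to create a custom role with the AzureADPreview cmdlets and assign it scoped to a single app registration instead of the whole directory. The user principal name, app name and role name are constructed placeholders.

```powershell
# Added example. Requires the AzureADPreview module (a prerequisite listed above).
Import-Module AzureADPreview
# Sign in as a Privileged Role Administrator or Global Administrator.
Connect-AzureAD

# Constructed placeholder values; replace with objects from your own tenant.
$userUpn  = 'helpdesk.user@contoso.example'
$appName  = 'Example Line-of-Business App'
$roleName = 'Application Support Administrator'

# Permissions are picked from the same preset list the built-in roles use.
$rolePermissions = @{
    allowedResourceActions = @(
        'microsoft.directory/applications/basic/update',
        'microsoft.directory/applications/credentials/update'
    )
}

# Create the custom role definition.
$role = New-AzureADMSRoleDefinition -DisplayName $roleName `
    -Description 'Can manage basic aspects of application registrations.' `
    -RolePermissions $rolePermissions `
    -TemplateId (New-Guid).Guid `
    -IsEnabled $true

# Resolve the principal and the one app registration the role should apply to.
$user = Get-AzureADUser -Filter "userPrincipalName eq '$userUpn'"
$app  = Get-AzureADApplication -Filter "displayName eq '$appName'"
if (-not $user -or -not $app) { throw 'User or app registration not found.' }
if (@($app).Count -gt 1) { throw "More than one app is named '$appName'." }

# Scope the assignment to that app only: '/' + the app's object ID.
# A scope of '/' alone would grant the permissions directory-wide.
New-AzureADMSRoleAssignment -RoleDefinitionId $role.Id `
    -PrincipalId $user.ObjectId `
    -DirectoryScopeId ('/' + $app.ObjectId)

# Review what the principal now holds, including the scope of each assignment.
Get-AzureADMSRoleAssignment -Filter "principalId eq '$($user.ObjectId)'"
```

Checking the `DirectoryScopeId` in the final output confirms the assignment is limited to the intended app registration.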

I have to go now to pick up my son at summer camp. But there’s more very soon, maybe even later today! I’ll share my notes on managing custom domains and device registration, the next topics from the first subdomain.

How did you like it? Please let me know. Don’t miss the next ones!

Stay tuned!

