# How to Pass Microsoft Identity and Access Administrator (SC-300) in 2026: Complete Study Guide
The SC-300 exam validates your ability to design, implement, and operate identity and access management solutions using Microsoft Entra ID. As organizations shift to hybrid and cloud-first environments, the demand for identity professionals has surged — and the SC-300 is the certification that proves you can handle it.
This guide covers everything you need: exam format, domain breakdown, key concepts, and a 6-week study plan.
---
## Exam Format and Registration
| Detail | Value |
|---|---|
| Exam code | SC-300 |
| Full name | Microsoft Identity and Access Administrator |
| Cost | $165 USD |
| Number of questions | 40–60 questions |
| Time limit | 120 minutes |
| Passing score | 700 / 1000 |
| Question types | Multiple choice, case studies, drag-and-drop, yes/no scenarios |
| Prerequisites | None (associate-level, but experience with Entra ID recommended) |
The SC-300 is an associate-level exam. It assumes you have hands-on familiarity with the Azure portal, Entra admin center, and PowerShell for identity operations. Candidates without any prior Azure experience should consider the SC-900 first.
---
## Domain Breakdown
| Domain | Weight |
|---|---|
| Domain 1: Implement and manage user identities | 20–25% |
| Domain 2: Implement authentication and access management | 25–30% |
| Domain 3: Implement access management for applications | 20–25% |
| Domain 4: Plan and implement identity governance | 20–25% |
Domain 2 carries the most weight and covers Conditional Access and PIM — topics that appear consistently across case studies and scenario questions.
---
## Domain 1: Implement and Manage User Identities (20–25%)
### Entra ID User and Group Management
This domain starts with the fundamentals: creating and managing user accounts in Microsoft Entra ID (formerly Azure AD), managing group types (security groups vs Microsoft 365 groups), and dynamic membership rules.
Key skills:
- Create users in bulk via CSV upload or PowerShell (`New-MgUser`)
- Configure dynamic group membership rules based on attributes (department, jobTitle, extensionAttribute)
- Manage guest users and understand the difference between member users and guest users
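The three skills above as a single runnable script, added here as an example and not taken from the original guide. It uses the Microsoft Graph PowerShell SDK (v2); the tenant domain, the CSV rows, and the partner address are constructed assumptions. Note that the dynamic group's rule targets `user.department`, so the membership follows whatever attribute value HR provisioning writes; a stale `department` is an access-control bug, not a cosmetic one.

```powershell
# Added example (not from the original guide): bulk-create users from a constructed CSV,
# build a dynamic security group keyed on department, and invite a B2B guest.
# Assumes Microsoft.Graph PowerShell SDK v2 and a tenant domain of contoso.onmicrosoft.com.
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Groups, Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All', 'User.Invite.All'

$Domain = 'contoso.onmicrosoft.com'   # assumption: replace with your tenant domain

# Constructed sample data; a real run would use Import-Csv .\new-hires.csv
$NewHires = @'
DisplayName,MailNickname,Department,JobTitle,UsageLocation
Alex Wilber,alexw,Sales,Account Executive,US
Lidia Holloway,lidiah,Sales,Sales Engineer,US
Megan Bowen,meganb,Finance,Analyst,US
'@ | ConvertFrom-Csv

function New-RandomInitialPassword {
    # 24 bytes from a CSPRNG, base64-encoded: never reuse one shared onboarding password
    [Convert]::ToBase64String([System.Security.Cryptography.RandomNumberGenerator]::GetBytes(24))
}

foreach ($hire in $NewHires) {
    $params = @{
        DisplayName       = $hire.DisplayName
        MailNickname      = $hire.MailNickname
        UserPrincipalName = "$($hire.MailNickname)@$Domain"
        Department        = $hire.Department
        JobTitle          = $hire.JobTitle
        UsageLocation     = $hire.UsageLocation
        AccountEnabled    = $true
        PasswordProfile   = @{
            Password                      = New-RandomInitialPassword
            ForceChangePasswordNextSignIn = $true
        }
    }
    $user = New-MgUser @params
    Write-Host "Created $($user.UserPrincipalName) ($($user.Id))"
}

# Dynamic membership: the rule references user.<attribute>; membership is evaluated by the
# service, so members are never added by hand. Disabled accounts are kept out explicitly.
$SalesGroup = New-MgGroup -DisplayName 'Sales - Dynamic' `
    -MailNickname 'sales-dynamic' -MailEnabled:$false -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule '(user.department -eq "Sales") and (user.accountEnabled -eq true)' `
    -MembershipRuleProcessingState 'On'
Write-Host "Dynamic group: $($SalesGroup.Id)"

# B2B guest: the partner tenant keeps the credentials; we only hold a guest object (userType = Guest)
$Invite = New-MgInvitation -InvitedUserEmailAddress 'partner.user@fabrikam.com' `
    -InviteRedirectUrl 'https://myapps.microsoft.com' `
    -SendInvitationMessage:$true
Write-Host "Guest object id: $($Invite.InvitedUser.Id)"

# Check: how many guests are in the directory? ($count requires ConsistencyLevel eventual)
Get-MgUser -Filter "userType eq 'Guest'" -ConsistencyLevel eventual -CountVariable GuestCount -All | Out-Null
Write-Host "Guest users in tenant: $GuestCount"
```

Run it against a trial tenant, then open the group in the Entra admin center and confirm that the two Sales hires appear after the rule has been processed and that Megan Bowen (Finance) does not.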
### Hybrid Identity
Most enterprises run a mix of on-premises Active Directory and cloud-based Entra ID. You need to understand both synchronization approaches:
**Entra Connect (Azure AD Connect):** A full synchronization engine installed on an on-premises Windows Server. It supports custom synchronization rules and filtering, password hash synchronization, pass-through authentication, federation with AD FS, and device writeback. Best for large enterprises with complex topologies. Treat the Connect server as a Tier 0 asset: it holds a privileged connector account and can write to both directories.
**Entra Cloud Sync:** A lightweight alternative in which the configuration and sync logic live in the cloud; only a thin provisioning agent runs on-premises (install at least two agents for high availability). It supports multiple disconnected forests syncing to one tenant and password hash synchronization. Limitations: no pass-through authentication, no device writeback, and no custom synchronization rules beyond attribute mapping.
💡 **Exam Tip:** The exam loves to test when to use Cloud Sync vs Entra Connect. If the scenario mentions multiple disconnected forests with no complex filtering needs, Cloud Sync wins. If you see "pass-through authentication," "device writeback," or "custom sync rules," you need Entra Connect.
### External Identities: B2B and B2C
**External ID B2B (Business-to-Business):** Invite external users from partner organizations to collaborate in your tenant. Guest users authenticate with their home organization's credentials — you do not manage their passwords. They appear in your directory as guests.
**External ID B2C (Business-to-Consumer):** A separate Azure AD B2C tenant used for customer-facing applications. You configure user flows for sign-up, sign-in, and profile editing. Supports local accounts (email/password) and social identity providers (Google, Facebook).
---
## Domain 2: Implement Authentication and Access Management (25–30%)
This is the heaviest domain and the one most likely to appear in case studies.
### Authentication Methods
Microsoft Entra supports a portfolio of authentication methods:
| Method | Type | License Required |
|---|---|---|
| Password | Primary (knowledge factor) | None |
| SMS / Voice call | MFA (not phishing-resistant) | Entra ID (any tier) |
| Microsoft Authenticator app | MFA / Passwordless | Entra ID (any tier) |
| FIDO2 security key (passkey) | Passwordless, phishing-resistant | Entra ID (any tier); enforcing it through a Conditional Access authentication strength requires P1 |
| Windows Hello for Business | Passwordless, phishing-resistant | Entra ID (any tier); enforcement via Conditional Access requires P1 |
| Certificate-Based Auth (CBA) | Phishing-resistant | Entra ID (any tier); enforcement via Conditional Access requires P1 |
| Temporary Access Pass (TAP) | Onboarding / Recovery (time-limited, optionally single-use) | Entra ID (any tier) |
Methods are enabled per method in the authentication methods policy and can be targeted at pilot groups. Plan to migrate off the legacy per-user MFA and SSPR policies to the unified authentication methods policy, and treat SMS and voice as a fallback only: they are vulnerable to phishing and SIM swap.
**SSPR (Self-Service Password Reset):** Allows users to reset their own passwords without calling IT. Requires at least one (or two, configurable) authentication methods registered. Can write passwords back to on-premises AD, which requires Entra Connect or Entra Cloud Sync with password writeback enabled.
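How the authentication methods policy is driven in practice, as an added example rather than code from the original guide: enable FIDO2 with attestation for a pilot group, make sure TAP is turned on, and issue a single-use TAP to a new hire so the first factor they ever register is a phishing-resistant one. The pilot group id and UPN are assumptions.

```powershell
# Added example (not from the original guide). Microsoft Graph PowerShell SDK v2.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'UserAuthenticationMethod.ReadWrite.All'

$PilotGroupId = '00000000-0000-0000-0000-00000000eeee'   # assumption: "Passwordless pilot" group
$NewHireUpn   = 'lidiah@contoso.onmicrosoft.com'        # assumption

# 1. FIDO2: enabled for the pilot group only, with attestation enforced so only keys whose
#    manufacturer metadata can be verified are registrable.
$Fido2 = @{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'
    isSelfServiceRegistrationAllowed = $true
    isAttestationEnforced            = $true
    keyRestrictions                  = @{ isEnforced = $false; enforcementType = 'allow'; aaGuids = @() }
    includeTargets                   = @(
        @{ targetType = 'group'; id = $PilotGroupId; isRegistrationRequired = $false }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'Fido2' -BodyParameter $Fido2

# 2. TAP: enabled tenant-wide with conservative defaults (short lifetime, single use)
$Tap = @{
    '@odata.type'            = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'
    state                    = 'enabled'
    defaultLifetimeInMinutes = 60
    defaultLength            = 12
    minimumLifetimeInMinutes = 60
    maximumLifetimeInMinutes = 480
    isUsableOnce             = $true
    includeTargets           = @(
        @{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'TemporaryAccessPass' -BodyParameter $Tap

# 3. Issue a one-hour, single-use TAP to the new hire. The pass value is returned exactly once;
#    hand it over out of band (it is a credential, do not email it alongside the UPN).
$Pass = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $NewHireUpn `
    -LifetimeInMinutes 60 -IsUsableOnce
Write-Host "TAP for $NewHireUpn (valid until $($Pass.StartDateTime.AddMinutes($Pass.LifetimeInMinutes))): $($Pass.TemporaryAccessPass)"

# Check: what has the user actually registered? After onboarding you expect a fido2 or
# passwordless Authenticator method here, not just a phone number.
Get-MgUserAuthenticationMethod -UserId $NewHireUpn |
    ForEach-Object { $_.AdditionalProperties['@odata.type'] }
```

Read the policy back with `Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId 'Fido2'` before widening the target from the pilot group to all users.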
### Conditional Access
Conditional Access is the policy engine that intercepts token requests and enforces access controls based on conditions. It is the single most tested topic on the SC-300.
A Conditional Access policy is evaluated as **Assignments (users, target resources, conditions) → Access controls (grant, session)**. When several policies apply to one sign-in, all of them must be satisfied.
Common conditions: user/group/role assignment, target resource (cloud app or user action), device platform, location (named locations), sign-in risk and user risk (Identity Protection, P2), client app type (the lever for blocking legacy authentication), filter for devices.
Common grant controls: block, require MFA, require authentication strength (for example phishing-resistant MFA), require compliant device, require Microsoft Entra hybrid joined device, require approved client app or app protection policy. Two habits the exam and real life both reward: exclude a break-glass account from every policy, and deploy new policies in report-only mode before enforcing them.
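The three policies from the Week 3 plan (MFA for everyone, block legacy authentication, phishing-resistant MFA for Global Administrators) created in report-only mode, as an added example and not code from the original guide. The break-glass group id is an assumption; the Global Administrator role template id and the built-in "Phishing-resistant MFA" authentication strength id are Microsoft's fixed identifiers.

```powershell
# Added example (not from the original guide). Microsoft Graph PowerShell SDK v2.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$BreakGlassGroupId           = '00000000-0000-0000-0000-00000000bbbb'   # assumption: your break-glass group
$GlobalAdminRoleTemplateId   = '62e90394-69f5-4237-9190-012177145e10'   # built-in Global Administrator
$PhishingResistantStrengthId = '00000000-0000-0000-0000-000000000004'   # built-in "Phishing-resistant MFA"

# Policy 1: require MFA for every user on every app. Report-only first: review the sign-in log
# "Report-only" tab for a week, then flip state to 'enabled'.
$RequireMfa = @{
    displayName = 'CA001 - Require MFA for all users'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 2: block legacy authentication. These client types cannot complete MFA, so any
# password-spray that succeeds against them bypasses Policy 1 entirely.
$BlockLegacy = @{
    displayName = 'CA002 - Block legacy authentication'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 3: Global Administrators must use FIDO2 / Windows Hello for Business / CBA.
# Authentication strength replaces the coarse 'mfa' control with a list of acceptable methods.
$AdminStrength = @{
    displayName = 'CA003 - Phishing-resistant MFA for Global Administrators'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeRoles = @($GlobalAdminRoleTemplateId); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'AND'
        authenticationStrength = @{ id = $PhishingResistantStrengthId }
    }
}

foreach ($body in $RequireMfa, $BlockLegacy, $AdminStrength) {
    $p = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    Write-Host "$($p.DisplayName) -> $($p.Id) [$($p.State)]"
}

# Check: every policy in the tenant should exclude the break-glass group. A policy that does
# not can lock out all administrators if the MFA provider or device compliance service fails.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.Users.ExcludeGroups -notcontains $BreakGlassGroupId } |
    ForEach-Object { Write-Warning "Policy '$($_.DisplayName)' does not exclude the break-glass group" }
```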
### Privileged Identity Management (PIM)
PIM provides just-in-time (JIT) privileged access to Entra ID roles and Azure resource roles.
**Eligible assignments:** The user can activate the role when needed. Activation can require MFA, justification text, approval, and has a maximum duration.
**Active assignments:** The role is held without activation. Keep these to a minimum: break-glass accounts and the few automation identities that cannot perform an interactive activation. Active assignments can still be time-bound with an end date; permanent active assignments are what access reviews and the PIM alerts exist to catch.
💡 **Exam Tip:** PIM requires Entra ID P2. If the scenario mentions "just-in-time access" or "require justification before activating admin role," the answer involves PIM. If the scenario says "always-on admin role," that is an active assignment.
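Both sides of the PIM flow in code, as an added example rather than the guide's own material: an administrator creates a time-bound eligible assignment, and the eligible user later submits a self-activation request with justification and a ticket reference. The UPN and ticket number are assumptions; Entra ID P2 is required.

```powershell
# Added example (not from the original guide). Microsoft Graph PowerShell SDK v2.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'RoleEligibilitySchedule.ReadWrite.Directory', 'RoleAssignmentSchedule.ReadWrite.Directory'

$Upn  = 'lidiah@contoso.onmicrosoft.com'   # assumption
$User = Get-MgUser -UserId $Upn
$Role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"

# Admin side: ELIGIBLE assignment (nothing is active yet), tenant-wide scope, expires after 180 days.
# directoryScopeId '/' is the whole tenant; an administrative unit id narrows the blast radius.
$Eligibility = @{
    action           = 'adminAssign'
    justification    = 'Tier-1 helpdesk lead; eligible for JIT user administration'
    roleDefinitionId = $Role.Id
    directoryScopeId = '/'
    principalId      = $User.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'P180D' }
    }
}
$EligReq = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $Eligibility
Write-Host "Eligibility request status: $($EligReq.Status)"

# User side (run in the eligible user's session): activate for two hours. Whether MFA,
# approval or a ticket is mandatory comes from the role's PIM settings, not from this request.
$Activation = @{
    action           = 'selfActivate'
    justification    = 'Reset MFA methods for ticket INC0012345'   # assumption
    roleDefinitionId = $Role.Id
    directoryScopeId = '/'
    principalId      = $User.Id
    ticketInfo       = @{ ticketNumber = 'INC0012345'; ticketSystem = 'ServiceNow' }   # assumption
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'PT2H' }
    }
}
$ActReq = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $Activation
Write-Host "Activation request status: $($ActReq.Status)"   # 'PendingApproval' when the role requires approval

# Check: who holds this role permanently? assignmentType 'Assigned' with no end date is a
# standing privilege that should be either converted to eligible or justified as break-glass.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "roleDefinitionId eq '$($Role.Id)'" -All |
    Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime } |
    ForEach-Object { Write-Warning "Permanent active assignment for principal $($_.PrincipalId)" }
```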
---
## Domain 3: Implement Access Management for Applications (20–25%)
### App Registration vs Enterprise Application
This distinction trips up many candidates:
**App Registration:** Defines the application — its identity, permissions it needs (API permissions), redirect URIs, and authentication flows. Lives in the home tenant. Managed by developers. Results in an application object.
**Enterprise Application (Service Principal):** The instance of an app registration within a specific tenant. Manages user and group assignment, SSO configuration (SAML/OIDC), and admin consent for that tenant. One app registration can have service principals across many tenants: the appId (client ID) is the same everywhere, while the application object ID and each service principal's object ID are distinct. Tenant-side controls such as "assignment required" live on the service principal, not on the registration.
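The distinction made concrete, as an added example and not code from the original guide: register an application, create its service principal in the same tenant, put the tenant-side hardening on the service principal, and attach a certificate credential to the application object. The app name, redirect URI and certificate are constructed assumptions; the Microsoft Graph resource appId and the `User.Read` delegated permission id are Microsoft's fixed identifiers.

```powershell
# Added example (not from the original guide). Microsoft Graph PowerShell SDK v2.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$GraphAppId    = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph resource appId
$UserReadScope = 'e1fe6dd8-ba31-4d61-89e7-88639da4683d'   # delegated User.Read permission id

# Application object: what the app IS (redirect URIs, permissions it asks for). Home tenant only.
$App = New-MgApplication -DisplayName 'Contoso Expense Portal' `
    -SignInAudience 'AzureADMyOrg' `
    -Web @{ redirectUris = @('https://expenses.contoso.example/signin-oidc') } `
    -RequiredResourceAccess @(
        @{
            resourceAppId  = $GraphAppId
            resourceAccess = @(@{ id = $UserReadScope; type = 'Scope' })
        }
    )

# Service principal: this tenant's instance of the app. Users and groups are assigned to THIS object.
$Sp = New-MgServicePrincipal -AppId $App.AppId

# Tenant-side hardening lives on the service principal: require explicit assignment instead of
# letting every account in the tenant sign in to the app.
Update-MgServicePrincipal -ServicePrincipalId $Sp.Id -AppRoleAssignmentRequired:$true

# Credential goes on the application object. Prefer a certificate to a client secret.
# Constructed self-signed cert for the demo (Windows PKI module); production keys belong in an HSM / Key Vault.
$Cert = New-SelfSignedCertificate -Subject 'CN=Contoso Expense Portal' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddMonths(6)
Update-MgApplication -ApplicationId $App.Id -KeyCredentials @(
    @{ type = 'AsymmetricX509Cert'; usage = 'Verify'; key = $Cert.RawData; displayName = 'expense-portal-2026' }
)

# Three different identifiers for "the app"; mixing them up is the classic exam (and scripting) trap.
[pscustomobject]@{
    ApplicationObjectId = $App.Id      # directory object of the registration
    AppId_ClientId      = $App.AppId   # stable across tenants; appears in tokens
    ServicePrincipalId  = $Sp.Id       # this tenant's enterprise application object
}

# Check: credentials on any application that expire within 30 days (outages and, worse,
# the temptation to create a never-expiring secret "just to fix it quickly").
$Soon = (Get-Date).AddDays(30)
Get-MgApplication -All -Property Id, DisplayName, PasswordCredentials, KeyCredentials | ForEach-Object {
    foreach ($c in @($_.PasswordCredentials) + @($_.KeyCredentials)) {
        if ($c.EndDateTime -and $c.EndDateTime -lt $Soon) {
            Write-Warning "$($_.DisplayName): credential '$($c.DisplayName)' expires $($c.EndDateTime)"
        }
    }
}
```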
### Managed Identities
Managed identities eliminate the need to store credentials in code or configuration for Azure resources.
**System-assigned managed identity:** Tied to a specific Azure resource's lifecycle. When the resource is deleted, the managed identity is deleted automatically. Can only be used by that single resource.
**User-assigned managed identity:** An independent Azure resource with its own lifecycle. Can be assigned to multiple Azure resources simultaneously. Persists after the resource it is assigned to is deleted.
💡 **Exam Tip:** When a scenario describes a fleet of VMs that all need the same permissions (e.g., read from Key Vault), use a user-assigned managed identity — assign it once and attach to all VMs. When a single resource needs its own identity, use system-assigned.
### Service Principals
A service principal is the identity representation of an application in a tenant. Unlike managed identities, service principals require credential management: a client secret or certificate that expires, must be rotated, and can be stolen from wherever it is stored. Managed identities are themselves service principals, but the platform issues and rotates their credentials and never exposes them. For Azure-hosted resources, always prefer managed identities over service principals with their own credentials.
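The fleet scenario from the exam tip above, carried through end to end as an added example (Az PowerShell, not code from the original guide): one user-assigned managed identity, a least-privilege role on a single Key Vault, the identity attached to every VM in the fleet, and the token acquisition a workload performs inside a VM with no credential anywhere in its code or configuration. Resource group, vault, VM name pattern and secret name are assumptions; the last section must run inside one of the VMs.

```powershell
# Added example (not from the original guide). Requires the Az PowerShell module.
Connect-AzAccount

$Rg       = 'rg-identity-lab'   # assumption
$Location = 'eastus'            # assumption
$Vault    = Get-AzKeyVault -ResourceGroupName $Rg -VaultName 'kv-identity-lab'   # assumption: RBAC-permission-model vault

# User-assigned identity: its own ARM resource and lifecycle, attachable to many resources
$Mi = New-AzUserAssignedIdentity -ResourceGroupName $Rg -Name 'mi-app-fleet' -Location $Location

# Least privilege: secrets read only, scoped to this one vault (not Contributor, not subscription scope)
New-AzRoleAssignment -ObjectId $Mi.PrincipalId -RoleDefinitionName 'Key Vault Secrets User' -Scope $Vault.ResourceId

# Attach the same identity to every VM in the fleet. Deleting a VM does not delete this identity.
foreach ($vm in Get-AzVM -ResourceGroupName $Rg | Where-Object Name -like 'vm-app-*') {
    Update-AzVM -ResourceGroupName $Rg -VM $vm -IdentityType UserAssigned -IdentityId $Mi.Id | Out-Null
    Write-Host "Attached mi-app-fleet to $($vm.Name)"
}

# ---- Inside one of the VMs ----
# Token from the Instance Metadata Service. No secret is stored anywhere; IMDS is only reachable
# from the VM itself. client_id selects the identity when a VM carries more than one.
function Get-ManagedIdentityToken {
    param(
        [string]$Resource = 'https://vault.azure.net',
        [string]$ClientId
    )
    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01' +
           "&resource=$([uri]::EscapeDataString($Resource))"
    if ($ClientId) { $uri += "&client_id=$ClientId" }
    (Invoke-RestMethod -Uri $uri -Headers @{ Metadata = 'true' } -Method Get).access_token
}

$Token  = Get-ManagedIdentityToken -ClientId $Mi.ClientId
$Secret = Invoke-RestMethod -Uri "$($Vault.VaultUri)secrets/db-password?api-version=7.4" `
    -Headers @{ Authorization = "Bearer $Token" }
# $Secret.value holds the secret; use it in memory and never write it to logs or disk.

# Check: the identity should hold exactly one role on exactly one scope
Get-AzRoleAssignment -ObjectId $Mi.PrincipalId | Select-Object RoleDefinitionName, Scope
```

If the role check prints more than one line, or a scope above the vault, the identity has drifted from least privilege even though it has no credential to leak.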
---
## Domain 4: Plan and Implement Identity Governance (20–25%)
### Entitlement Management
Entitlement Management automates access to groups, applications, and SharePoint sites through access packages.
**Catalog:** A container for resources and access packages. Allows delegation: you can designate catalog owners who manage resources within that catalog without holding a Global Administrator or Identity Governance Administrator role.
**Access Package:** A bundle of resources (group memberships, app assignments, SharePoint access) with associated policies that define who can request access, who approves, and how long access lasts.
**Connected Organization:** Represents an external partner tenant. Allows external users to request access packages self-service, without requiring a pre-existing guest invitation.
### Access Reviews
Access reviews periodically validate that users still need their current access. Key configurations:
- **Reviewers:** Self-review (users confirm their own access), selected reviewers (managers, specific users), group owners
- **Recurrence:** Weekly, monthly, quarterly, semi-annual, annual
- **Action on no response:** Approve (keep access), Deny (remove access), No change (take no action)
- **Auto-apply:** Must be enabled, or results sit in "Completed" state and require manual application
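The four settings in the list above, wired into a recurring access review as an added example (not the guide's own code): a quarterly review of a privileged group, reviewed by the group owners with a fallback reviewer, "Deny" as the decision for non-responders, and auto-apply on so that the outcome actually removes access. The group id and fallback reviewer id are assumptions.

```powershell
# Added example (not from the original guide). Microsoft Graph PowerShell SDK v2.
Connect-MgGraph -Scopes 'AccessReview.ReadWrite.All'

$GroupId          = '00000000-0000-0000-0000-00000000aaaa'   # assumption: e.g. "Finance Admins"
$FallbackReviewer = '00000000-0000-0000-0000-00000000cccc'   # assumption: IAM lead, used when a group has no owners

$Definition = @{
    displayName             = 'Quarterly review - Finance Admins'
    descriptionForAdmins    = 'Validate that members still need privileged Finance access'
    descriptionForReviewers = 'Deny anyone who no longer needs this access; no response means removal'
    scope = @{
        '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
        query         = "/groups/$GroupId/transitiveMembers"   # nested members are reviewed too
        queryType     = 'MicrosoftGraph'
    }
    reviewers = @(
        @{ query = "/groups/$GroupId/owners"; queryType = 'MicrosoftGraph' }
    )
    fallbackReviewers = @(
        @{ query = "/users/$FallbackReviewer"; queryType = 'MicrosoftGraph' }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true    # flags members with no recent sign-in
        instanceDurationInDays          = 14
        defaultDecisionEnabled          = $true    # "action on no response" ...
        defaultDecision                 = 'Deny'   # ... is to remove access
        autoApplyDecisionsEnabled       = $true    # otherwise results sit in Completed until applied by hand
        recurrence = @{
            pattern = @{ type = 'absoluteMonthly'; interval = 3; dayOfMonth = 1 }
            range   = @{ type = 'noEnd'; startDate = (Get-Date -Format 'yyyy-MM-dd') }
        }
    }
}
$Review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $Definition
Write-Host "Review '$($Review.DisplayName)' created: $($Review.Id) status=$($Review.Status)"

# Check: reviews that can never enforce anything because auto-apply is off
Get-MgIdentityGovernanceAccessReviewDefinition -All |
    Where-Object { -not $_.Settings.AutoApplyDecisionsEnabled } |
    ForEach-Object { Write-Warning "Review '$($_.DisplayName)' has auto-apply disabled; decisions need manual application" }
```

Self-review is the weakest configuration of the four (users rarely deny themselves); the exam and your auditors both prefer managers or resource owners as reviewers, with a fallback so the review cannot stall on an ownerless group.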
### Lifecycle Workflows
Lifecycle Workflows automate identity tasks based on attribute-based triggers:
- **Pre-hire:** Triggered N days before the employee hire date. Tasks include generating a Temporary Access Pass, sending a welcome email, adding to onboarding groups.
- **Day-1 (new hire):** Triggered on the hire date. Tasks include enabling the account, adding to department groups.
- **Offboarding:** Triggered on last day or N days after termination. Tasks include disabling the account, removing group memberships, revoking sessions.
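The pre-hire stage of the procedure above as a created workflow, added here as an example and not taken from the original guide. The trigger is `employeeHireDate` with a negative offset, the scope is a rule on `department`, and the two tasks are the built-in "Temporary Access Pass" and "Add user to groups" task definitions, looked up by display name at run time rather than hard-coded. The name matches, the task argument names, and the onboarding group id are assumptions to verify against the task definitions your tenant returns; TAP must already be enabled in the authentication methods policy.

```powershell
# Added example (not from the original guide). Microsoft Graph PowerShell SDK v2.
Connect-MgGraph -Scopes 'LifecycleWorkflows.ReadWrite.All', 'User.Read.All'

# Prerequisite check: the trigger attribute must be populated by HR provisioning or sync,
# otherwise the workflow silently never matches anyone.
$Missing = Get-MgUser -Filter "department eq 'Sales' and accountEnabled eq true" `
    -Property userPrincipalName, employeeHireDate -All |
    Where-Object { -not $_.EmployeeHireDate }
if ($Missing) { Write-Warning "$(@($Missing).Count) Sales users have no employeeHireDate and will never match this trigger" }

# Resolve built-in task definitions by name (assumption: these substrings match your tenant's definitions)
$TaskDefs  = Get-MgIdentityGovernanceLifecycleWorkflowTaskDefinition -All
$TapTask   = $TaskDefs | Where-Object DisplayName -like '*Temporary Access Pass*' | Select-Object -First 1
$GroupTask = $TaskDefs | Where-Object DisplayName -like '*Add user to groups*'    | Select-Object -First 1
if (-not $TapTask -or -not $GroupTask) {
    throw "Expected built-in task definitions not found. Available: $($TaskDefs.DisplayName -join '; ')"
}

$OnboardingGroupId = '00000000-0000-0000-0000-00000000dddd'   # assumption

$Workflow = @{
    category            = 'joiner'
    displayName         = 'Pre-hire: Sales onboarding'
    description         = 'Issue a TAP and stage group membership one week before start'
    isEnabled           = $true
    isSchedulingEnabled = $true   # evaluated on the tenant schedule; $false = run on demand only
    executionConditions = @{
        '@odata.type' = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions'
        scope   = @{
            '@odata.type' = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet'
            rule          = "(department eq 'Sales')"
        }
        trigger = @{
            '@odata.type'      = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger'
            timeBasedAttribute = 'employeeHireDate'
            offsetInDays       = -7     # negative = before the hire date
        }
    }
    tasks = @(
        @{
            displayName      = 'Generate TAP for first sign-in'
            taskDefinitionId = $TapTask.Id
            isEnabled        = $true
            continueOnError  = $false   # no TAP means the hire cannot register a strong method; stop here
            arguments        = @(                       # argument names are assumptions; see task definition parameters
                @{ name = 'tapLifetimeMinutes'; value = '480' },
                @{ name = 'tapIsUsableOnce';   value = 'true' }
            )
        },
        @{
            displayName      = 'Add to onboarding group'
            taskDefinitionId = $GroupTask.Id
            isEnabled        = $true
            continueOnError  = $true
            arguments        = @(@{ name = 'groupID'; value = $OnboardingGroupId })
        }
    )
}
$Wf = New-MgIdentityGovernanceLifecycleWorkflow -BodyParameter $Workflow
Write-Host "Workflow '$($Wf.DisplayName)' created: $($Wf.Id)"
```

Before relying on the schedule, run the workflow on demand against one test user and read the run report in the Entra admin center; an offboarding workflow built the same way uses `category = 'leaver'`, `timeBasedAttribute = 'employeeLeaveDateTime'`, and a positive offset.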
### Entra Permissions Management
A CIEM (Cloud Infrastructure Entitlement Management) solution that provides visibility into permissions across Azure, AWS, and GCP. Its key metric is the Permission Creep Index (PCI), a 0 to 100 score of the gap between the high-risk permissions an identity has been granted and the permissions it has actually used; a high PCI means standing privilege that could be removed. Microsoft has announced the retirement of Entra Permissions Management, so check the current SC-300 skills outline before spending study time here.
---
## 6-Week Study Plan
| Week | Focus | Activities |
|---|---|---|
| Week 1 | Domain 1: User Identities | Entra Connect vs Cloud Sync labs, create dynamic groups, configure B2B guest invitations |
| Week 2 | Domain 2: Authentication | Configure SSPR, set up MFA registration, create FIDO2 security key policy |
| Week 3 | Domain 2: Conditional Access | Build CA policies for MFA enforcement, block legacy auth, device compliance |
| Week 4 | Domain 2: PIM + Domain 3: Apps | Configure PIM eligible roles, create app registrations, test managed identities |
| Week 5 | Domain 4: Identity Governance | Build an access package with connected organization, configure access reviews |
| Week 6 | Full review + practice exams | Take 2–3 practice exams, review weak areas, read Microsoft Learn SC-300 learning paths |
---
## Essential Resources
- Microsoft Learn SC-300 learning paths (free, official)
- Microsoft Entra admin center sandbox (use a free trial tenant)
- Microsoft documentation: Conditional Access, PIM, Entitlement Management
- CertLand SC-300 practice exam (340 questions with explanations)
---
## Start Practicing Now
The SC-300 rewards hands-on experience more than rote memorization. Build CA policies, activate PIM roles, and configure access packages in a trial tenant — the exam scenarios mirror real-world configurations closely.
Ready to test your knowledge? Try the [SC-300 practice exam on CertLand](https://certland.net) with 340 questions covering all four domains.