
This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.
Identity Access Administrator
The Microsoft Identity and Access Administrator (SC-300) certification validates expertise in designing, implementing, and managing Microsoft Entra ID identity and access solutions across hybrid and cloud environments. The exam covers the full identity lifecycle: provisioning users and groups, configuring authentication methods and Conditional Access policies, securing application registrations and managed identities, and enforcing identity governance through entitlement management, access reviews, and Privileged Identity Management. SC-300 is the credential of record for professionals responsible for Zero Trust identity architecture on the Microsoft platform, serving organizations that depend on Microsoft Entra ID as their identity authority for Microsoft 365, Azure, and integrated SaaS applications.
Who Should Take This
SC-300 is designed for identity and access administrators, cloud security engineers, and IT professionals who implement and operate Microsoft Entra ID in enterprise environments. Candidates typically manage identity governance programs, configure authentication policies, and integrate enterprise applications with the Microsoft identity platform. A working understanding of Azure fundamentals and Active Directory concepts is assumed.
What's Covered
1. Configuring Microsoft Entra tenant settings, creating and managing users and groups, implementing external identities and B2B collaboration, and deploying hybrid identity with Microsoft Entra Connect and Cloud Sync.
2. Planning and implementing authentication methods, passwordless authentication, self-service password reset, Conditional Access policies, authentication strength, and Identity Protection risk policies.
3. Creating and managing app registrations, configuring API permissions and consent, implementing managed identities, configuring enterprise application SSO using SAML and OIDC, and managing SCIM provisioning.
4. Implementing entitlement management, access packages, and connected organizations; configuring access reviews; managing Privileged Identity Management for Entra ID and Azure resource roles; and monitoring identity activity.
Exam Structure
Question Types
- Multiple Choice
- Multiple Response
- Case Studies
- Drag-and-Drop
Scoring Method
Scaled score 100-1000, passing score 700
Delivery Method
Proctored exam, 40-60 questions, 100 minutes
Prerequisites
None required. AZ-900 or security fundamentals background recommended.
Recertification
Renew annually via free Microsoft Learn renewal assessment
What's Included in AccelaStudy® AI
Course Outline
Domain 1: Implement Identities in Microsoft Entra ID (4 topics)
Configure and manage a Microsoft Entra tenant
- Identify Microsoft Entra ID tenant architecture including directories, domains, tenants, and the relationship between Microsoft Entra ID and Azure subscriptions for enterprise identity management.
- Configure Microsoft Entra tenant properties including tenant name, primary domain, technical contact, and data classification settings for organizational identity baseline configuration.
- Configure and verify custom domain names in Microsoft Entra ID including adding domains, creating DNS TXT verification records, and setting the primary domain for user principal name alignment.
- Analyze Microsoft Entra tenant configuration settings and evaluate company branding, self-service password reset enablement, and user consent policies to determine appropriate baseline configuration for different organizational security postures.
Create, configure, and manage identities
- Identify Microsoft Entra ID user account types including cloud-only users, synchronized users, guest users, and B2B collaboration users and describe their creation methods, attributes, and lifecycle management differences.
- Create and configure Microsoft Entra user accounts individually and in bulk using the portal, Microsoft Graph API, and PowerShell, including setting required attributes, usage location, and license assignment.
- Create and manage Microsoft Entra groups including security groups, Microsoft 365 groups, dynamic membership groups with attribute-based rules, and assigned versus dynamic group types.
- Configure administrative units in Microsoft Entra ID to delegate scoped administration, restrict role assignments to specific user or device subsets, and implement department-level identity management.
- Analyze identity lifecycle management requirements and evaluate dynamic group rules, administrative unit scoping, and bulk provisioning approaches to design a scalable user and group management strategy.
Implement and manage external identities
- Identify Microsoft Entra External ID capabilities including B2B collaboration, B2B direct connect, and cross-tenant access settings and describe how they enable secure external partner and customer access.
- Configure B2B collaboration settings including external collaboration policy, guest user access restrictions, invitation redemption flows, and cross-tenant access settings for inbound and outbound collaboration.
- Implement Microsoft Entra Verified ID by configuring credentials, issuance, and verification flows to enable decentralized identity attestation for partner and customer identity verification scenarios.
- Evaluate external identity scenarios and determine appropriate external collaboration configurations including B2B versus B2B direct connect, trust settings for MFA and device compliance, and partner redemption flows.
Implement and manage hybrid identity
- Identify Microsoft Entra Connect and Microsoft Entra Cloud Sync architectural components and explain how they synchronize on-premises Active Directory identities to Microsoft Entra ID using password hash sync, pass-through authentication, and federation.
- Configure Microsoft Entra Connect synchronization including installation, custom attribute filtering, organizational unit scoping, and source anchor selection for hybrid identity deployment.
- Configure Microsoft Entra Cloud Sync provisioning agents and synchronization scope for lightweight hybrid identity scenarios with multiple disconnected Active Directory forests.
- Implement Microsoft Entra Application Proxy connectors and configure header-based, Kerberos-constrained delegation, and SAML-based single sign-on for on-premises applications published to external users.
- Analyze hybrid identity architecture options and evaluate password hash sync versus pass-through authentication versus AD FS federation for resilience, latency, compliance, and operational complexity tradeoffs.
Domain 2: Implement Authentication and Access Management (3 topics)
Plan, implement, and manage Microsoft Entra user authentication
- Identify Microsoft Entra authentication methods including passwords, Microsoft Authenticator app, FIDO2 security keys, Windows Hello for Business, certificate-based authentication, and Temporary Access Pass and describe their phishing resistance and security characteristics.
- Configure authentication methods policy to enable, disable, and target specific authentication methods to user groups including FIDO2, Microsoft Authenticator, OATH tokens, and voice call for phased authentication modernization.
- Implement and manage Microsoft Entra self-service password reset including authentication method requirements, registration enforcement, writeback to on-premises Active Directory, and lockout thresholds.
- Implement Microsoft Entra certificate-based authentication by configuring certificate authority trust stores, user certificate binding, and CRL distribution for smart card and derived credential authentication.
- Analyze authentication method adoption and evaluate the phishing resistance, usability, and deployment complexity of FIDO2, Windows Hello for Business, and certificate-based authentication to recommend a passwordless strategy for specific organizational contexts.
Plan, implement, and manage Microsoft Entra Conditional Access
- Identify Conditional Access policy components including assignments (users, cloud apps, conditions) and access controls (grant, session) and describe how signal-based policy evaluation enforces adaptive access decisions.
- Configure Conditional Access policies with user risk and sign-in risk conditions, device compliance requirements, named location restrictions, and authentication strength controls to enforce Zero Trust access decisions.
- Implement Conditional Access authentication strength policies to require specific authentication method combinations for privileged operations, sensitive applications, and high-risk sign-in scenarios.
- Configure Conditional Access session controls including application-enforced restrictions, Conditional Access App Control via Microsoft Defender for Cloud Apps, sign-in frequency, and persistent browser session policies.
- Troubleshoot Conditional Access policy failures using the What If tool, sign-in logs, and Conditional Access Insights workbook to identify policy conflicts, exclusion gaps, and misconfigured conditions.
- Evaluate Conditional Access policy design by analyzing sign-in log data, policy coverage gaps, and authentication strength requirements to recommend improvements that reduce attack surface while minimizing user friction.
Manage Microsoft Entra Identity Protection
- Identify Microsoft Entra Identity Protection risk detection types including leaked credentials, anonymous IP, atypical travel, malware-linked IP, and unfamiliar sign-in properties and describe their risk categorization.
- Configure Microsoft Entra Identity Protection user risk and sign-in risk policies to automatically block or require MFA remediation based on risk level thresholds and target user populations.
- Investigate Identity Protection risk reports including risky users, risky sign-ins, and risk detections to confirm, dismiss, or remediate compromised identities and refine detection accuracy.
- Analyze Identity Protection risk event data to evaluate the effectiveness of existing risk policies, identify false positive patterns, and recommend threshold and exclusion adjustments to reduce operational noise.
Domain 3: Plan and Implement Workload Identities (4 topics)
Plan and implement application registrations
- Identify Microsoft Entra app registration components including application ID, tenant ID, redirect URIs, app roles, API permissions, certificates and secrets, and publisher verification and describe their roles in application identity.
- Create and configure app registrations with appropriate redirect URIs, supported account types, and certificate or client secret credentials for web, single-page application, mobile, and daemon app scenarios.
- Configure API permissions for app registrations including delegated permissions, application permissions, and admin consent grants to control what resources applications can access on behalf of users or as themselves.
- Configure app roles and group claims in app registrations to implement application-level RBAC and surface directory group membership in tokens for downstream authorization decisions.
- Evaluate app registration security configurations by analyzing permission scope, credential type, token lifetime, and consent model settings to identify overly permissive application access patterns and recommend remediation.
Plan and implement managed identities
- Identify system-assigned and user-assigned managed identity types and describe how they provide credential-free Azure resource authentication by eliminating client secrets and certificate management from application code.
- Configure user-assigned managed identities, assign them to Azure Virtual Machines, App Service, Azure Functions, and AKS workloads, and grant appropriate RBAC roles for credential-free resource access.
- Analyze workload identity scenarios and evaluate when to use system-assigned versus user-assigned managed identities, service principals, and federated identity credentials to meet security, lifecycle, and operational requirements.
Plan and implement service principal security
- Describe OAuth 2.0 flows including authorization code with PKCE, client credentials, on-behalf-of, and device code flow and explain how each applies to different application types and authentication scenarios.
- Configure enterprise applications and service principal settings including user assignment requirements, visible to users flags, app proxy integration, and single sign-on for SaaS applications in the Microsoft Entra gallery.
- Configure SAML-based single sign-on for enterprise applications including basic SAML configuration, attribute mapping, user identifier claims, and certificate-based token signing.
- Configure SCIM-based automatic user provisioning and deprovisioning for enterprise SaaS applications to synchronize user and group attributes and maintain access currency across the identity lifecycle.
- Evaluate enterprise application access configurations by analyzing user and group assignment, SSO method, provisioning scope, and token claim mappings to ensure applications use appropriately scoped access patterns.
Plan and implement app consent and permissions management
- Identify Microsoft Entra app consent types including user consent, admin consent, and tenant-wide consent grants and describe how they control application permission acquisition for delegated and application scopes.
- Configure user consent settings and admin consent workflow to require admin approval for applications requesting sensitive permissions and implement application access policy to control which apps users can access.
- Analyze application consent grant posture by reviewing existing tenant-wide admin consent grants and identifying overly permissive or risky application permission patterns that should be restricted or revoked.
Domain 4: Plan and Implement Identity Governance (4 topics)
Plan and implement entitlement management
- Identify Microsoft Entra ID Governance entitlement management components including catalogs, access packages, policies, assignments, and connected organizations and describe how they automate access request and approval workflows.
- Create access package catalogs, define resource roles including groups, applications, and SharePoint sites, and configure access package policies with requestor scope, approval workflows, and expiration settings.
- Configure connected organizations and external user access package policies to enable self-service access requests for B2B partner users to organization resources without manual IT provisioning.
- Analyze entitlement management design by evaluating access package structure, policy conditions, lifecycle expiration, and approval chain requirements to recommend a self-service access governance model that reduces administrative overhead.
Plan, implement, and manage access reviews
- Identify Microsoft Entra access review types for groups, applications, privileged roles, and access packages and describe how reviewer types, duration, recurrence, and auto-apply settings control review outcomes.
- Create and manage Microsoft Entra access reviews for group memberships and application assignments with configurable reviewer selection, review duration, completion actions, and periodic recurrence for compliance reporting.
- Monitor access review completion, apply review decisions to remove denied access, and export review results for compliance audit reporting across group memberships and application assignments.
- Evaluate access review design effectiveness by analyzing completion rates, denial patterns, and auto-apply outcomes to recommend reviewer selection strategies and review frequency adjustments that improve governance coverage.
Plan and implement Privileged Identity Management
- Identify Microsoft Entra Privileged Identity Management components including eligible assignments, active assignments, activation requests, approval workflows, and PIM for Groups and describe how they implement just-in-time privileged access.
- Configure PIM role settings for Microsoft Entra ID roles including activation duration, MFA requirement, approval requirements, and notification settings to implement just-in-time administrator access controls.
- Configure PIM for Azure resource roles to manage just-in-time access to subscriptions, resource groups, and individual Azure resources including Owner, Contributor, and security-sensitive built-in roles.
- Configure PIM access reviews for privileged roles including reviewer assignment, review duration, auto-apply settings, and alerting on over-privileged permanent role assignments to maintain least-privilege governance.
- Analyze PIM audit logs and role activation history to identify privilege escalation patterns, excessive activation frequency, and unused eligible assignments and recommend adjustments to tighten privileged access governance.
Monitor Microsoft Entra ID activity and investigate identity health
- Identify Microsoft Entra ID monitoring capabilities including sign-in logs, audit logs, provisioning logs, identity secure score, and Microsoft Entra Permissions Management and describe how they support identity governance.
- Configure Microsoft Entra ID diagnostic settings to export sign-in logs, audit logs, and provisioning logs to Log Analytics workspaces for centralized identity monitoring and long-term retention.
- Investigate Microsoft Entra identity security posture by reviewing identity secure score recommendations, Microsoft Entra Permissions Management unused permission findings, and privileged role assignment reports.
- Analyze Microsoft Entra sign-in and audit log data to investigate suspicious identity events including bulk user deletions, impossible travel sign-ins, and anomalous application consent grants and recommend containment actions.
Hands-On Labs
Practice in a simulated cloud console or Python code sandbox — no account needed. Each lab runs entirely in your browser.
Certification Benefits
Industry Recognition
SC-300 validates deep Microsoft identity platform expertise and is highly valued in enterprises standardizing on Microsoft Entra ID for Zero Trust access governance across hybrid and multi-cloud environments.
Scope
Included Topics
- All domains and task statements in the Microsoft Identity and Access Administrator (SC-300) exam guide: Domain 1 Implement identities in Microsoft Entra ID (~20-25%), Domain 2 Implement authentication and access management (~25-30%), Domain 3 Plan and implement workload identities (~20-25%), and Domain 4 Plan and implement identity governance (~20-25%).
- Associate-level identity and access administration practices including Microsoft Entra ID tenant configuration, user and group lifecycle management, external identities, hybrid identity with Microsoft Entra Connect and cloud sync, authentication strength policies, multi-factor authentication, passwordless authentication methods, Conditional Access policies, Privileged Identity Management, entitlement management, access reviews, identity governance, and app registration security.
- Scenario-driven identity decision making for implementing, configuring, and managing identity and access controls across Microsoft Entra ID and integrated SaaS and on-premises applications.
- Key Microsoft Entra and identity services: Microsoft Entra ID, Microsoft Entra ID Governance, Microsoft Entra Verified ID, Microsoft Entra Permissions Management, Microsoft Entra External ID, Microsoft Entra Connect, Microsoft Entra Cloud Sync, Conditional Access, Identity Protection, Privileged Identity Management, Entitlement Management, Access Reviews, Microsoft Entra Application Proxy, SAML SSO, OIDC SSO, OAuth 2.0, SCIM provisioning, Microsoft Entra Domain Services, Azure AD B2C, FIDO2, Windows Hello for Business, Microsoft Authenticator, Certificate-Based Authentication.
Not Covered
- Expert-level Azure solutions architecture and enterprise-wide multi-tenant governance design that exceeds SC-300 associate identity administrator objectives.
- Deep network security implementation details including NSG configuration, Azure Firewall rule authoring, and VPN gateway setup not centered on identity and access workloads.
- Transient Azure service pricing details and short-lived promotional values that are not stable for durable domain specifications.
- Non-Microsoft identity provider configuration specifics beyond integration points tested by SC-300, including deep Okta, Ping, or on-premises LDAP administration.
- Azure CLI and PowerShell command-level syntax memorization and SDK version-specific API signatures beyond conceptual understanding of identity operations automation.
- Compute security, storage encryption, and database security topics that are outside identity and access management scope and belong to AZ-500.
Official Exam Page
Learn more at Microsoft Azure