Azure SC-300 Microsoft Identity and Access Administrator
July 2021
Overview
I recently passed the Azure SC-300 Microsoft Identity and Access Administrator certification exam and wrote this post to list some of the useful resources I came across that help me pass.
Microsoft are updating their exams more regularly to meet the ever changing services and practices that the cloud brings. It is always best to download the exam objectives from the official site and go through them to build a plan to pass the exam.
When I took the exam it was broken down into the following sections:
- Implement an identity management solution (25-30%)
- Implement an authentication and access management solution (25-30%)
- Implement access management for apps (10-15%)
- Plan and implement an identity governance strategy (25-30%)
Microsoft Learning
First stop should be the Microsoft Learning path which is a free online learning platform created by Microsoft that has a lot of good information covering the topics covered in the exam.
The learning path is broken down into 4 modules (this may change in the future):
SC-300 part 1: Implement an identity management solution SC-300 part 3: Implement Access Management for Apps
At time of writing there were no 3rd party courses available. Keep an eye on Pluralsight, Udemy, A cloud guru, [cloudskill.io] and other learning platforms because I’m sure there will be courses created in the future.
YouTube
By John Savill
John’s videos on YouTube are great, complex topics are explained clearly along with detailed examples. Highly recommended watching for all things Azure, PowerShell and more. Check out his channel.
- Azure Master Class Part 2 - Identity
- Azure AD Privileged Identity Management (PIM) - AZ-500, SC-300 Deep Dive Topic
- Azure AD App Registrations, Enterprise Apps and Service Principals
- Access Reviews Deep Dive - AZ-500/SC-300
By Mark Grimes
I found Mark’s videos the night before the exam. They are nice and concise with lots of good points and tips. Recommend to check them out sooner because he has lots of links and tips to dig deeper into the exam topics.
- SC-300 Module 1 Implement an Identity Management Solution
- SC-300 Module 2 Implement an Authentication and Access Management Solution
- SC-300 Module 3 Implement Access Management for Apps
- SC-300 Module 4 Plan and implement an Identity Governance Strategy
Pluralsight
If you have access to Pluralsight, the following courses are worth a watch.
- Design Authorization for Microsoft Azure
- Design Authentication for Microsoft Azure
- Design Auditing for Microsoft Azure
- Design Governance and Identity Management in Microsoft Azure
- Microsoft Azure Administrator: Preparing for the AZ-104 Exam (Useful tips for exam day).
Documentation
Azure AD concepts
Reading through the documentation is a great way to prepare for the exam and helps get comfortable with how the services work, different options that can be configured and how to implement and monitor. The Microsoft Learn modules have links to relevant documentation throughout the course. Below are direct links to documentation I read through a couple of times to help me pass, this is not a complete list of documents to read through and this site and this site have links that directly link to the documentation for some of the individual exam objectives.
- Main Azure AD documentation
- MFA
- Privilege Identity Management
- Azure AD Service limits (Good to review how nested groups work with certain services in Azure AD)
- What is Azure AD connect?
- Connect Azure AD to Sentinel
- Administrative Units
- Conditional Access
- Security Defaults
- Seamless Single Sign-On
- Access Packages
- Visual of services and licenses
Azure PowerShell
I recommend knowing some PowerShell for the exam and how the different Azure Modules work, enough so you can understand what is going on in a basic script. I had questions that had output from the older MSOL module and the newer Azure module.
General concepts
- The four pillars of identity management
- How SAML authentication works
- What’s the Difference Between OAuth, OpenID Connect, and SAML?
- An Illustrated Guide to OAuth and OpenID Connect
Hands on learning
This is the way I love to cement what I learned via watching and reading and I highly recommend signing up for a free Azure subscription (credit card is required) to get hands on with the services. Once you have your free subscription, you can activate a 90 day trial for P2 licenses and then another 90 day trial for EMS E5 from within the portal. This will enable the premium features of Azure AD that will feature in the exam. I have had my Azure AD and Azure subscription a number of years now but had not activated the trial until studying for the exam and that gave me the chance to configure conditional access, PIM and all the other nice features you get with a P2 license.
It is possible to get hands on and not pay a penny but with everything cloud, please review what is covered in the free tiers and understand what services will cost you money. I always have a spending limit implemented on my pay as you go account to stop any unexpected costs.
I set up an Active Directory Domain Services environment to mimic an on-premises deployment in my Azure subscription and configured an Azure AD connect server to go over the different hybrid scenarios and felt this exercise is not only worth while for the exam but also for real world experience where you are likely to come across hybrid deployments in organisations.
My GitHub repository contains the code I used to set up my demo tenant. It uses [Terraform] to create users, groups, applications and the Active Directory Domain Services and Azure AD connect along with some PowerShell configuration scripts.
A fun hands on exercise I completed was creating a basic dotnet core application following this tutorial that published to an [Azure App Service] (free tier). Then I create an App Registration so Azure AD could be used to authenticate with the application. After that I setup the app for self service, included it in access packages and set various conditional access polices to see how they affected signing into the app. It also helped me verify that I had configured Seamless Single Sign On for a domain joined machine correctly.
Practice tests
There wasn’t much in the way of practice tests available at the time I took the test. I did sign up for Wizlabs because they had a free 20 questions test for the SC-300 with a full practice exam coming soon. I advise to have a look around at the time to see if there are any available.
Exam experience
I found the exam experience smooth and well done. Day before the exam I ran the system test to make sure my laptop was OK to complete the exam and also read through tips on taking the exam including the environment to take the exam in. My workspace at home met the requirements and I just had to move my notepads and second monitor to another room while I took the exam.
Check-in was opened up 30 minutes before the exam start time and a link was sent to my mobile phone that allowed me to take a head shot and pictures of the my ID and room where I was taking the test. After a brief wait, this was all verified and I started the test.
The test itself was definitely challenging with 2 case studies and a number of questions on a broad range of topics from the skills measured sections of the exam objectives document and I was pleased with the pass result.
Hopefully this has been helpful and good luck for the exam if you’re taking it!