Explanation:

According to the official Microsoft SC-300: Identity and Access Administrator Study Guide and Microsoft Learn documentation on "Implement and manage self-service password reset (SSPR)" , configuration of SSPR requires settings in both Azure AD and Azure AD Connect .
* Azure AD Configuration (Password reset blade): In the Azure AD admin center, the Password reset blade includes three primary sections: Properties , Authentication methods , and Registration .
* The Authentication methods section determines which verification methods users can use when resetting their password.
* To meet the requirement that u sers must respond to a mobile app notification or answer three security questions, you must configure these under Authentication methods . Microsoft documentation explicitly states:
"In the Authentication methods section of the Password reset settings, choo se which methods users can use, such as mobile app notification, email, or security questions."
* Azure AD Connect Configuration: When users reset their password in Azure AD or on-premises, synchronization must occur both ways to ensure passwords remain cons istent.
* Enabling Password writeback in Azure AD Connect allows password changes made in Azure AD (such as through SSPR) to be written back to the on-premises Active Directory. The study guide confirms:
"Password writeback enables users who change or reset their password in Azure AD to have that new password written back to their on-premises Active Directory." Therefore, to meet both requirements - user verification via mobile app or security questions and password synchronization between cloud and on-premis es - the correct configuration is:
* From the Password reset blade: Authentication methods
* From Azure AD Connect: Password writeback

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

See the Explanation for the complete step by step solution.
Explanation:
To implement additional security checks for the Sg-Executive group members before they canaccess any company apps, you can use Conditional Access policies in Microsoft Entra. Here's a step-by-step guide:
Sign in to the Microsoft Entra admin center:
Ensure you have the role of Global Administrator or Security Administrator.
Navigate to Conditional Access:
Go to Security > Conditional Access.
Create a new policy:
Select + New policy.
Name the policy appropri ately, such as "Sg-Executive Security Checks".
Assign the policy to the Sg-Executive group:
Under Assignments, select Users and groups.
Choose Select users and groups and then Groups.
Search for and select the Sg-Executive group.
Define the application control conditions:
Under Cloud apps or actions, select All cloud apps to apply the policy to any company app.
Set the device compliance requirement:
Under Conditions > Device state, configure the policy to include devices marked as compliant by Microsoft Intune.
Set the app protection policy requirement:
Under Conditions > Client apps, configure the policy to include client apps that are protected by app protection policies.
Configure the access controls:
Under Access controls > Grant, select Grant access.
Choose Require device to be marked as compliant and Require approved client app.
Ensure that the option Require one of the selected controls is enabled.
Enable the policy:
Set Enable policy to On.
Review and save the policy:
Review all settings to ensure they meet the requirements.
Click Create to save and implement the policy.
By following these steps, you will ensure that the Sg-Executive group members can only access company apps if they meet one of the specified conditions, either by using a compliant device or a protected client app.
This enhances the security posture of your organization by enforcing stricter access controls for executive- level users.

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Explanation:
< User1 syncs to th e Microsoft Entra tenant: Yes
User2 syncs to the Microsoft Entra tenant: No
Group2 syncs to the Microsoft Entra tenant: Yes

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Explanation:
Object type: An administrative unit
Role: Authentication administrator
In Azure AD Identity and Access Administration, Administrative units (AUs) let you scope delegated admin privileges to a subset of users. The study materials describe AUs as a way to "delegate administration to a subset of users by using administrative units," ensuring the support team's privileges apply only to the executives and not tenant-wide. You would place the 100 executives in a dedicated AU and then assign the support team a s uitable role scoped to that AU , satisfying least-privilege principles.
For the required tasks- reset passwords and manage MFA settings -the correct least-privileged role is Authentication administrator . The role capabilities are documented as allowing you to "view, set, and reset authentication method information for non-administrators" and to "require users to re-register for MFA," which covers managing MFA settings for the executives. By contrast, Password administrator is limited to
"reset passwords for no n-administrators" and does not include managing authentication methods/MFA, and Helpdesk administrator focuses on basic user help tasks and password resets without full MFA method management. Therefore, assigning Authentication administrator scoped to an A dministrative unit containing only the executives meets the scenario and adheres to least privilege.

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

One-time password: The External collaboration settings
User details: A user flow
According to Microsoft's official documentation and the Microsoft Identity and Access Administrator (SC-
300) Study Guide , when configuring self-service sign-up for guest users in Azure Active Directory (Azure AD) External Identities, there are two separate configuration areas that govern how users authenticate and what information they must provide:
# One-time password requirement To allow guest users who do not have Azure AD, Microsoft, or Google accounts to authenticate using a one-time passcode (OTP) sent to their email, you must enable this feature under External collaboration settings.
This configuration is found in the Azure AD admin center under:
Azure Active Directory # External Identities # External collaboration settings # One-time passcode for guests.
Microsoft documentation states:
"The one-time passcode feature in External collaboration settings enables guest users to authenticate by using a temporary code emailed to them when they sign in." Therefore, for the requirement "Guest users must be able to sign up by using a one-time password," you must configure The External collaboration settings.
# User details requirement To collect specific user attributes such as first name, last name, city, and email address during self-service sign-up, you configure a user flow (also known as a sign-up/sign-in flow) under Azure AD B2C or External Identities user flows.
In the Azure AD admin center, navigate to:
Azure AD # External Identities # User flows # New user flow # Sign-up flow.
Within the flow, you define the attributes (like name, city, and email) that must be collected at registration.
Microsoft's official Identity and Access Administrator materials explain:
"User flows in External Identities determine the user experience during sign-up and sign-in and allow administrators to collect custom attributes such as name, location, or other organization-specific details."

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).