If you want to know how to pass the Microsoft SC-300 exam in 2026, the honest answer is that it rewards structure over cramming. The SC-300 (Microsoft Identity and Access Administrator) is not a memory test. It is a scenario exam that checks whether you can design and run Microsoft Entra ID in a real tenant, make Conditional Access decisions under pressure, and reason about identity governance the way an administrator actually does on the job.
This 8-week SC-300 study plan breaks the whole blueprint into weekly blocks, tells you exactly what to build in a lab, and shows you where candidates lose marks. Follow it properly and you walk into the exam having already done, in a practice tenant, almost everything the questions describe.
What the SC-300 Exam Actually Tests in 2026
The SC-300 earns you the Microsoft Certified: Identity and Access Administrator Associate credential. It sits on the security path alongside SC-200 and SC-100, and it focuses entirely on Microsoft Entra ID (the service formerly called Azure Active Directory).
Microsoft last refreshed the skills-measured outline on 7 November 2025, and no separate 2026 blueprint change has been published since, so the objectives below are current for anyone sitting the exam this year. Always re-check the official study guide the week you book, because Microsoft can adjust wording between the fortnightly exam updates.
Exam Tip: The SC-300 has roughly 40 to 60 questions, gives you around 100 to 120 minutes, and requires a scaled score of 700 out of 1000 to pass. That 700 is not 70 per cent of the questions, because Microsoft weights harder items more heavily.
Here are the key facts to anchor your planning:
- Exam code: SC-300
- Credential: Microsoft Certified: Identity and Access Administrator Associate
- Cost: 165 USD (varies by region and local tax)
- Questions: approximately 40 to 60
- Duration: about 100 to 120 minutes of exam time
- Passing score: 700 out of 1000 (scaled)
- Format: multiple choice, multiple select, drag-and-drop ordering, and one or two case studies with five to eight linked questions
The Four Exam Domains and Their Weightings
The exam is built on four domains. The weightings below reflect the current outline, and they tell you exactly where to spend your study hours.
| Domain | What it covers | Weighting |
|---|---|---|
| Implement and manage user identities | Tenant setup, users, groups, external identities, licensing, hybrid identity with Entra Connect | 20 to 25% |
| Implement authentication and access management | MFA, passwordless, Conditional Access, Entra ID Protection, Global Secure Access | 25 to 30% |
| Implement access management for applications | Enterprise apps, app registrations, SSO, consent and permissions | 15 to 20% |
| Plan and implement identity governance | Entitlement management, access reviews, Privileged Identity Management, terms of use | 25 to 30% |
Two things jump out. First, authentication and access management is the heaviest domain, and Conditional Access lives at its centre. Second, identity governance is nearly as heavy, and it is the area most candidates underprepare because the features (entitlement management, access reviews, PIM) need Entra ID P2 to practise properly.
Before You Start: Build a Free Practice Tenant
You cannot pass SC-300 by reading. The single most valuable thing you can do is get a tenant with premium features switched on, because Conditional Access, PIM, Identity Protection and entitlement management are all premium capabilities.
Sign up for the Microsoft 365 Developer Program and you get a 25-user E5 tenant that includes Entra ID P2. That gives you every premium feature the exam tests, for free, with sample users you can target with policies. Set this up in week one and use it every single week.
Exam Tip: When you configure a feature in the portal, always find the equivalent Microsoft Graph PowerShell cmdlet or Graph API call. The exam frequently asks which command achieves a result, not just which blade to click.
The 8-Week SC-300 Study Plan
This plan assumes six to eight hours of study per week. If you already administer Microsoft 365 or Entra ID daily, you can compress it to five or six weeks by merging the lighter weeks. If you are coming from a general IT background with little identity experience, add two weeks and slow down on Conditional Access and governance.
Week 1: Foundations and Tenant Setup
Start with the shape of Entra ID: tenants, the difference between Entra ID roles and Azure RBAC, licensing tiers (Free, P1, P2), and how identity fits the wider Microsoft security stack.
- Create your developer tenant and explore the Entra admin centre.
- Learn the built-in directory roles and the principle of least privilege.
- Understand company branding, tenant properties, and where licensing is assigned.
By the end of week one you should be comfortable moving around the portal without hunting for blades.
Week 2: User and Group Identities
This is the core of domain one. Focus on how identities are created, grouped, and licensed.
- Create cloud users and configure bulk operations.
- Build security groups and Microsoft 365 groups, and configure dynamic membership rules (learn the membership rule syntax, it appears in questions).
- Configure group-based licensing and self-service group management.
- Understand administrative units and how they scope delegated admin.
Practise writing at least three dynamic membership rules by hand. Candidates routinely lose marks on rule syntax.
Week 3: External Identities and Hybrid
Round out domain one with the identities that come from outside the tenant or from on-premises.
- Configure B2B guest access, cross-tenant access settings, and external collaboration policies.
- Understand B2B versus B2C at a conceptual level.
- Study hybrid identity: Microsoft Entra Connect, Connect cloud sync, password hash synchronisation, pass-through authentication, and seamless single sign-on.
Exam Tip: Know the difference between password hash sync, pass-through authentication, and federation, and when each is the right choice. Scenario questions love to test which hybrid option meets a specific compliance or outage requirement.
Week 4: Authentication Methods and MFA
Now you move into the heaviest domain. Spend a full week on authentication before touching Conditional Access.
- Configure the authentication methods policy.
- Set up multi-factor authentication, the Authenticator app, FIDO2 passkeys, Windows Hello for Business, certificate-based authentication, and Temporary Access Pass.
- Configure self-service password reset and combined registration.
- Understand passwordless rollout and authentication strengths.
Register several test users with different methods so you can see how the sign-in experience changes.
Week 5: Conditional Access and Identity Protection
This is the single most important week. Conditional Access is the topic examiners test most, and it is where careers are made or broken in the real world too.
- Build Conditional Access policies from scratch: assignments (users, cloud apps, conditions) and access controls (grant and session).
- Configure device-based, location-based, and risk-based conditions.
- Use Report-only mode, the What If tool, and understand policy evaluation order.
- Configure Microsoft Entra ID Protection: user risk and sign-in risk policies, and how risk feeds Conditional Access.
- Learn authentication context and continuous access evaluation.
Build at least five distinct Conditional Access policies and test each one with a real sign-in. If you can explain why a given policy blocks or grants a specific sign-in, you are ready for this domain.
Week 6: Application Access Management
Domain three is smaller but very learnable, so treat this as a slightly lighter week and use the spare time to revisit Conditional Access.
- Register enterprise applications and configure single sign-on (SAML and OIDC).
- Understand app registrations, service principals, and the difference between them.
- Configure delegated and application permissions, admin consent, and the consent framework.
- Manage app roles, and review and restrict user consent settings.
Week 7: Identity Governance
Do not skip or rush this week. Governance is nearly a third of the exam and needs the P2 features in your developer tenant.
- Configure entitlement management: catalogues, access packages, and access package policies.
- Set up access reviews for groups, applications, and privileged roles.
- Configure Privileged Identity Management (PIM): eligible assignments, activation settings, approval workflows, and PIM alerts.
- Configure terms of use and lifecycle workflows.
Exam Tip: PIM questions almost always involve just-in-time activation, approval, and time-bound roles. Know the difference between eligible and active assignments cold.
Week 8: Practice Exams, Weak Spots, and Review
The final week is not for new material. It is for turning knowledge into exam marks.
- Sit full-length timed practice exams and review every wrong answer until you understand why.
- Re-lab any feature you got wrong, do not just re-read it.
- Revisit Conditional Access and governance, your two heaviest domains.
- Work through case-study style questions so the multi-part format holds no surprises.
- Skim the official study guide one last time to catch any recent wording changes.
Aim to score consistently above 85 per cent on practice questions before you book. Practising under timed conditions is the fastest way to find the gaps you still have, which is exactly what the SC-300 practice questions on CertCrush are built for.
Common Reasons Candidates Fail SC-300
Most SC-300 failures come down to a short list of avoidable mistakes:
- Reading instead of building. If you have never created a Conditional Access policy, the scenario questions will beat you.
- Underpreparing governance. Entitlement management, access reviews and PIM are a quarter of the exam and get skipped because they need P2.
- Ignoring PowerShell and Graph. The exam tests commands, not just portal clicks.
- Misjudging the scoring. Because 700 out of 1000 is scaled, you cannot afford to write off an entire domain and hope to scrape through on the rest.
- Never practising under time pressure. Case studies with five to eight linked questions eat time if you have not rehearsed the format.
SC-300 Versus the Rest of the Microsoft Security Path
If you are choosing where SC-300 fits in your wider plan, it pairs naturally with the other Microsoft security exams.
| Exam | Focus | Level |
|---|---|---|
| SC-900 | Security, compliance and identity fundamentals | Beginner |
| SC-300 | Entra ID, identity and access administration | Associate |
| SC-200 | Security operations, Defender and Sentinel | Associate |
| SC-100 | Cybersecurity architecture and strategy | Expert |
Many candidates take SC-300 after SC-900 and either before or alongside SC-200. If you are weighing SC-300 against the operations track, read our comparison of SC-200 versus SC-300 to pick the right next step. Working through the SC-200 route as well? Our SC-200 8-week study plan uses the same weekly structure.
Ready to Start Practising?
Reading this plan is the easy part. Passing SC-300 comes down to hours in a tenant and hundreds of practice questions that expose what you do not yet know. Build your developer tenant this week, follow the eight-week structure, and test yourself relentlessly on Conditional Access and identity governance.
When you are ready to check your progress, create a free CertCrush account and work through realistic SC-300 practice questions with full explanations, so you find your weak spots before the exam does. Browse the full range of Microsoft security courses on our courses page and build the study habit that gets you certified first time.
