r/iam

▲ 11 r/iam+3 crossposts

SC-300 Preparation Advice Needed – IAM Engineer with 1.5 Years Entra ID Experience

Hey everyone,

I’m planning to give the SC-300 exam soon and wanted some advice on the preparation approach from people who’ve already cleared it.

My background:
- Currently working as an IAM Engineer
- Around 1.5 years of hands-on experience with Entra ID
- Comfortable with configuring SSO integrations and Conditional Access policies
- Cleared AZ-900 about a year ago

For preparation so far:
- Went through Microsoft Learn modules
- Watched YouTube playlists
- Read some documentation (honestly found parts of it pretty dry 😅)
- Practice quizzes on MS Learn felt relatively easy

But when I tried a mock exam, I felt like I was missing a lot of details outside core Entra concepts and that the questions were broader/deeper than expected.

I was also wondering whether it’s worth buying additional resources like:
- MeasureUp
- Tutorials Dojo
- Udemy courses

or if Microsoft Learn + hands-on experience should be enough with the right revision strategy.

Wanted to ask:
- What areas should I focus on more?
- Are there any must-use resources apart from MS Learn?
- How important are topics outside Entra ID?
- Any tips for handling scenario-based questions?
- Which practice tests are closest to the actual exam?

Would appreciate any guidance, study strategies, or resource recommendations from people who recently passed the exam.

Thanks!

reddit.com
u/xlr8_BOTx — 22 hours ago
▲ 13 r/iam

how do you track what auth paths an AI agent uses when the app never went through the IdP?

we spun up an agent to handle some internal reporting, read access to a few databases, nothing privileged, at least that's what we assumed at the time. ran for maybe three months without anyone checking in on it.

during a routine audit someone pulled the agent's activity logs and noticed it was authenticating against one of our older internal databases using a credential that wasn't in our secrets manager. traced it back and found the agent had picked up a hardcoded credential sitting in a script from a migration we did two years ago. the original script was supposed to be decommissioned. it wasn't. the credential still worked. the agent found the most efficient path and used it.

the database it was accessing had customer records in it. read-only, so nothing was modified, but the access was never supposed to exist and we had no idea it was happening.

the IdP shows clean. okta has no idea this access path exists because it's not routing through the IdP at all. the application just has its own auth sitting there from years ago and the agent discovered it. there's no connector for it, no provisioning flow, it just exists.

how are people actually tracking what paths an agent takes once it's inside an environment? logging the task completion doesn't help if you don't know what it accessed to get there.

u/Soft_Attention3649 — 2 days ago
▲ 9 r/iam+2 crossposts

User Onboarding with IAM

Hi Folks

How do you handle new user onboarding and initial credential communication when using an IAM system?

Our current setup is:

- One Identity IAM system integrated with HR System
- On-premises Active Directory
- Microsoft Entra ID for O365 Email
- User login to IAM using Entra ID federated login

The main question is around the first login journey, initial credential communication and birthright access.

How do you communicate the initial username and temporary password to the user?

Do you use SMS, personal email, manager handover, or another secure method?

u/Final-Pomelo1620 — 6 days ago
▲ 2 r/iam+1 crossposts

Need career advice: PwC vs Accenture for IAM/Cybersecurity role

I (25M) currently have around 3.6 YOE in IAM/SailPoint and I’m confused between two offers.

Offer 1:
PwC India
Role: FS Cyber Alliances & Implementation Associate
Location: Ahmedabad
Fixed: 11 LPA
Total CTC: 14.7 LPA

Offer 2:
Accenture
Role: Security Architect Senior Analyst L10
Location: Pune
Fixed: 10.1 LPA currently (revision under review after counter offer)
Total CTC: 12.1 currently (most likely will match PwC)

A few important things:

- My preferred location is Pune due to the weather, language, and familiarity aspect.
- I’ll have to relocate either way as I am settled in Chennai and originally from Maharashtra
- Long-term goal is growth in IAM/cybersecurity consulting
- I care about work culture, learning, future opportunities, and quality of work more than just salary
- Weather/location/lifestyle also matter to me since I’ll be moving alone
- I’ve heard Big 4 cyber roles accelerate careers faster, but also heard mixed things about WLB

Would love honest opinions from people working in:

- PwC Cyber / Big 4 cyber consulting
- Accenture IAM/Cyber
- SailPoint/IAM domain

Which one should I choose and why?

u/explorohan — 7 days ago
▲ 15 r/iam+1 crossposts

Anyone interested in presenting something at an IAM community meetup/workshop?

Anyone interested in casually presenting something at an upcoming IAM community meetup/workshop?

I’m looking for people who’d be open to sharing something useful with others in the IAM/security space.

Could be:

  • a cool IAM setup or workflow
  • useful tools/resources
  • automation ideas
  • Entra/Okta lessons learned
  • phishing-resistant MFA
  • AI + IAM topics
  • cert/career advice
  • something you wish more IAM people knew

Nothing salesy or overly formal. More “here’s something useful I learned” than “come watch my pitch.”

We’ve been growing a pretty active IAM community in the Zero to Sec Discord, and I’d like to get more community-led sessions going with people sharing real-world knowledge and ideas.

If interested, drop a comment or DM me.

u/iamblas — 10 days ago
▲ 8 r/iam

Identity reports looked clean. Then we found active accounts in 3 apps nobody ever connected to anything.

Ran a full access review in January. Okta clean. Entra clean. Reports looked fine across the board.

A week later someone mentioned an internal billing tool with its own login. No SSO. Just username/password. Pulled users, found 14 accounts. 6 were people who had already left.

Then we started digging. Found two more apps in the same situation. One internal, one from an old vendor setup. All had their own user stores and weren't tied into anything we manage.

Our tooling wasn't wrong. It just wasn't seeing the whole environment.

Everything it showed was accurate. It just missed the parts nobody ever connected or tracked.

How are you finding apps that have their own auth and were never part of your IAM in the first place, especially when you don't have the bandwidth to do it manually?

u/gabbietor — 10 days ago
▲ 7 r/iam+1 crossposts

Authorisation for application

We have an application that needs to be set up for SSO. So far they have been manually configuring the users and their access within the application and now are hoping to use AD groups.

The architect and the team were having a discussion about whether to use AD groups only for authentication and then internal access for authorisation, or whether AD groups should be set up for both authentication and authorisation.

u/CombHefty6358 — 14 days ago