SC-300 Set 2 Flashcards
You configure a new Microsoft 365 tenant to use a default domain name of contoso.com.
You need to ensure that you can control access to Microsoft 365 resources by using conditional access policies.
What should you do first?
A. Disable the User consent settings.
B. Disable Security defaults.
C. Configure a multi-factor authentication (MFA) registration policy.
D. Configure password protection for Windows Server Active Directory.
B. Disable Security defaults.
Your company has a Microsoft 365 tenant.
The company has a call center that contains 300 users. In the call center, the users share desktop computers and might use a different computer every day. The call center computers are NOT configured for biometric identification.
The users are prohibited from having a mobile phone in the call center.
You need to require multi-factor authentication (MFA) for the call center users when they access Microsoft 365 services.
What should you include in the solution?
A. a named network location
B. the Microsoft Authenticator app
C. Windows Hello for Business authentication
D. FIDO2 tokens
D. FIDO2 tokens
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
All users who run applications registered in Azure AD are subject to conditional access policies.
You need to prevent the users from using legacy authentication.
What should you include in the conditional access policies to filter out legacy authentication attempts?
A. a cloud apps or actions condition
B. a user risk condition
C. a client apps condition
D. a sign-in risk condition
C. a client apps condition
You have an Azure Active Directory (Azure AD) tenant.
You open the risk detections report.
Which risk detection type is classified as a user risk?
A. impossible travel
B. anonymous IP address
C. atypical travel
D. leaked credentials
D. leaked credentials
You have a Microsoft 365 tenant.
All users have computers that run Windows 10. Most computers are company-owned and joined to Azure Active Directory (Azure AD). Some computers are user-owned and are only registered in Azure AD.
You need to prevent users who connect to Microsoft SharePoint Online on their user-owned computer from downloading or syncing files. Other users must NOT be restricted.
Which policy type should you create?
A. a Microsoft Cloud App Security activity policy that has Microsoft Office 365 governance actions configured
B. an Azure AD conditional access policy that has session controls configured
C. an Azure AD conditional access policy that has client apps conditions configured
D. a Microsoft Cloud App Security app discovery policy that has governance actions configured
B. an Azure AD conditional access policy that has session controls configured
You have an Active Directory domain that syncs to an Azure Active Directory (Azure AD) tenant.
The on-premises network contains a VPN server that authenticates to the on-premises Active Directory domain. The VPN server does NOT support Azure Multi-Factor Authentication (MFA).
You need to recommend a solution to provide Azure MFA for VPN connections.
What should you include in the recommendation?
A. Azure AD Application Proxy
B. an Azure AD Password Protection proxy
C. Network Policy Server (NPS)
D. a pass-through authentication proxy
C. Network Policy Server (NPS)
D. the Azure AD Password Protection proxy service
You have a Microsoft 365 tenant.
All users have mobile phones and laptops.
The users frequently work from remote locations that do not have Wi-Fi access or mobile phone connectivity. While working from the remote locations, the users connect their laptop to a wired network that has internet access.
You plan to implement multi-factor authentication (MFA).
Which MFA authentication method can the users use from the remote location?
A. a notification through the Microsoft Authenticator app
B. an app password
C. Windows Hello for Business
D. SMS
C. Windows Hello for Business
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 tenant.
All users must use the Microsoft Authenticator app for multi-factor authentication (MFA) when accessing Microsoft 365 services.
Some users report that they received an MFA prompt on their Microsoft Authenticator app without initiating a sign-in request.
You need to block the users automatically when they report an MFA request that they did not initiate.
Solution: From the Azure portal, you configure the Notifications settings for multi-factor authentication (MFA).
Does this meet the goal?
A. Yes
B. No
B. No
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 tenant.
All users must use the Microsoft Authenticator app for multi-factor authentication (MFA) when accessing Microsoft 365 services.
Some users report that they received an MFA prompt on their Microsoft Authenticator app without initiating a sign-in request.
You need to block the users automatically when they report an MFA request that they did not initiate.
Solution: From the Azure portal, you configure the Account lockout settings for multi-factor authentication (MFA).
Does this meet the goal?
A. Yes
B. No
B. No
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 tenant.
All users must use the Microsoft Authenticator app for multi-factor authentication (MFA) when accessing Microsoft 365 services.
Some users report that they received an MFA prompt on their Microsoft Authenticator app without initiating a sign-in request.
You need to block the users automatically when they report an MFA request that they did not initiate.
Solution: From the Azure portal, you configure the Block/unblock users settings for multi-factor authentication (MFA).
Does this meet the goal?
A. Yes
B. No
B. No
The first box should be User3 only, because he is a Security administrator.
The second box should be User3 and User4.
NO
YES
YES
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 tenant.
All users must use the Microsoft Authenticator app for multi-factor authentication (MFA) when accessing Microsoft 365 services.
Some users report that they received an MFA prompt on their Microsoft Authenticator app without initiating a sign-in request.
You need to block the users automatically when they report an MFA request that they did not initiate.
Solution: From the Azure portal, you configure the Fraud alert settings for multi-factor authentication (MFA).
Does this meet the goal?
A. Yes
B. No
A. Yes
You have a Microsoft 365 tenant.
All users have mobile phones and laptops.
The users frequently work from remote locations that do not have Wi-Fi access or mobile phone connectivity. While working from the remote locations, the users connect their laptop to a wired network that has internet access.
You plan to implement multi-factor authentication (MFA).
Which MFA authentication method can the users use from the remote location?
A. a notification through the Microsoft Authenticator app
B. email
C. security questions
D. a verification code from the Microsoft Authenticator app
D. a verification code from the Microsoft Authenticator app
CONDITION -> named LOCATION.
SESSION -> SIGN-IN FREQUENCY
C. C0nt0s0, Pr0jectlitw@re, and T@ilw1nd
You have a Microsoft 365 tenant.
All users have mobile phones and laptops.
The users frequently work from remote locations that do not have Wi-Fi access or mobile phone connectivity. While working from the remote locations, the users connect their laptop to a wired network that has internet access.
You plan to implement multi-factor authentication (MFA).
Which MFA authentication method can the users use from the remote location?
A. a verification code from the Microsoft Authenticator app
B. security questions
C. voice
D. SMS
A. a verification code from the Microsoft Authenticator app
You have an Azure Active Directory (Azure AD) tenant that contains a user named SecAdmin1. SecAdmin1 is assigned the Security administrator role.
SecAdmin1 reports that she cannot reset passwords from the Azure AD Identity Protection portal.
You need to ensure that SecAdmin1 can manage passwords and invalidate sessions on behalf of non-administrative users. The solution must use the principle of least privilege.
Which role should you assign to SecAdmin1?
A. Authentication administrator
B. Helpdesk administrator
C. Privileged authentication administrator
D. Security operator
B. Helpdesk administrator
Box 1: Modify security defaults.
Privileged Authentication Administrator
Users with this role can set or reset any authentication method (including passwords) for any user, including Global Administrators. Privileged Authentication Administrators can force users to re-register against existing non-password credentials (such as MFA or FIDO) and revoke ‘remember MFA on the device’, prompting for MFA on the next sign-in of all users.
The Authentication Administrator role has permission to force re-registration and multifactor authentication for standard users and users with some admin roles.
Box 2: User1 only.
Security Administrator.
Users with this role have permissions to manage security-related features in the Microsoft 365 Defender portal, Azure Active Directory Identity Protection, Azure Active Directory Authentication, Azure Information Protection, and Office 365 Security & Compliance Center.
Yes
No
Yes
Anonymous IP triggers the sign-in risk policy (not the user risk policy).
So User1 gets only the user risk policy -> not affected, can log in: YES
User2 is affected by the sign-in risk policy and has no MFA, so cannot log in: NO
User3 gets both policies, but only policy 2 is used for the anonymous IP, and he has MFA, so can log in: YES
B. Mark User1 as compromised
Scenario: User compromised (True positive)
‘Risky users’ report shows an at-risk user [Risk state = At risk] with low risk [Risk level = Low] and that user was indeed compromised.
Feedback: Select the user and click on ‘Confirm user compromised’.
What happens under the hood? Azure AD will move the user risk to High [Risk state = Confirmed compromised; Risk level = High] and will add a new detection ‘Admin confirmed user compromised’.
You have an Azure Active Directory (Azure AD) tenant.
You configure self-service password reset (SSPR) by using the following settings:
- Require users to register when signing in: Yes
- Number of methods required to reset: 1
What is a valid authentication method available to users?
A. a Microsoft Teams chat
B. a mobile app notification
C. a mobile app code
D. a FIDO2 security token
C. a mobile app code
When administrators require that one method be used to reset a password, the verification code is the only option available.
Note: When administrators require that two methods be used to reset a password, users can use the notification OR the verification code in addition to any other enabled methods.
A. User1 only
You can also allow your employee’s phone to become a passwordless authentication method. You may already be using the Authenticator app as a convenient multi-factor authentication option in addition to a password. You can also use the Authenticator App as a passwordless option.
The Authenticator App turns any iOS or Android phone into a strong, passwordless credential. Users can sign in to any platform or browser by getting a notification to their phone, matching a number displayed on the screen to the one on their phone, and then using their biometric (touch or face) or PIN to confirm.
Incorrect:
* Not User2
FIDO2 security keys:
The FIDO (Fast IDentity Online) Alliance helps to promote open authentication standards and reduce the use of passwords as a form of authentication. FIDO2 is the latest standard that incorporates the web authentication (WebAuthn) standard.
FIDO2 security keys are an unphishable standards-based passwordless authentication method that can come in any form factor. Fast Identity Online (FIDO) is an open standard for passwordless authentication. FIDO allows users and organizations to leverage the standard to sign in to their resources without a username or password using an external security key or a platform key built into a device.
You have an Azure Active Directory (Azure AD) tenant.
You configure self-service password reset (SSPR) by using the following settings:
- Require users to register when signing in: Yes
- Number of methods required to reset: 1
What is a valid authentication method available to users?
A. an email to an address outside your organization
B. a smartcard
C. a FIDO2 security token
D. a Microsoft Teams chat
A. an email to an address outside your organization
A one-gate policy requires one piece of authentication data, such as an email address or phone number.
A one-gate policy applies in the following circumstances:
- It’s within the first 30 days of a trial subscription; or
- A custom domain hasn’t been configured for your Azure AD tenant, so it is using the default *.onmicrosoft.com. The default *.onmicrosoft.com domain isn’t recommended for production use; and Azure AD Connect isn’t synchronizing identities.
C. The What If tool
The Azure AD conditional access What If tool allows you to understand the impact of your conditional access policies on your environment. Instead of test-driving your policies by performing multiple sign-ins manually, this tool lets you evaluate a simulated sign-in of a user. The simulation estimates the impact this sign-in has on your policies and generates a simulation report. The report not only lists the applied conditional access policies but also classic policies, if they exist.
You have a Microsoft 365 tenant.
All users have mobile phones and Windows 10 laptops.
The users frequently work from remote locations that do not have Wi-Fi access or mobile phone connectivity. While working from the remote locations, the users connect their laptops to a wired network that has internet access.
You plan to implement multi-factor authentication (MFA).
Which MFA authentication method can the users use from the remote location?
A. an app password
B. voice
C. Windows Hello for Business
D. security questions
C. Windows Hello for Business
The Microsoft Authenticator app provides an additional level of security to your Azure AD work or school account or your Microsoft account and is available for Android and iOS. With the Microsoft Authenticator app, users can authenticate in a passwordless way during sign-in, or as an additional verification option during self-service password reset (SSPR) or multifactor authentication events.