ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam SC-300 All Questions

View all questions & answers for the SC-300 exam
Go to Exam

Exam SC-300 topic 2 question 84 discussion

Actual exam question from Microsoft's SC-300
Question #: 84
Topic #: 2
[All SC-300 Questions]

HOTSPOT
-

You have a Microsoft Entra tenant that contains the users shown in the following table.



You have a user risk policy that has the following settings:

• Assignments:
o Include: Group1
o Exclude: Group2
• Sign-in risk: Medium and above
• Access controls:
o Grant access: Require password change

When the users attempt to sign in, user risk levels are detected as shown in the following table.



For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Show Suggested Answer Hide Answer
Suggested Answer:
by spatrick at March 31, 2024, 10:20 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
spatrick
Highly Voted 1 year, 4 months ago
For a CA they say: Remember, the exclusion will take precedence. So if you select to include a user then exclude the user, the user will be excluded from the policy.
upvoted 15 times
...
Fijii
Most Recent 5 months, 2 weeks ago
Not sure about User1 ? User2 and User3 are clearly exluded from the policy and so are not required to change password. User1 however has a HIGH user risk, but the policy is about sign-in, I think it is not supposed to trigger ? I would say NNN
upvoted 2 times
...
YesPlease
5 months, 3 weeks ago
Yes) User1 is part of Group1 and has HIGH sign-in risk No) User2 is excluded from risk policy because they are part of Group2 No) User3 is part of Group1 and they are HIGH risk, but they are also part of Group2 and are excluded from the risk policy. This EXCLUDE is important to understand. EXCLUDE takes precedence for any policy, just like when you want to exclude your ADMIN accounts so that you don't get locked out of a very restrictive rule/policy.
upvoted 2 times
...
Frank9020
6 months, 2 weeks ago
User1 must change their password? ✅ Yes User2 must change their password? ❌ No User3 must change their password? ❌ No Since User3 is in both groups, exclusion takes priority, meaning User3 is excluded from the policy and does not have to change the password.
upvoted 2 times
...
penatuna
9 months, 2 weeks ago
When organizations both include and exclude a user or group, the user or group is excluded from the policy. The exclude action overrides the include action in policy. Exclusions are commonly used for emergency access or break-glass accounts. User1 must change his password, cause Group1 is included in risk policy and his risk level is High. User2 does not need to change his password, cause Group2 is excluded from risk policy. User3 would not be required to change their password during sign-in. Here’s why: Inclusion and Exclusion: User3 is a member of both Group1 and Group2. Since Group2 is excluded from the policy, the policy does not apply to User3. Sign-in Risk Level: Even though User3’s sign-in risk level is High, the exclusion from Group2 takes precedence. https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-users-groups#exclude-users
upvoted 4 times
...
76af099
9 months, 3 weeks ago
What is the precedence of Conditional Access policy? Understanding Policy Precedence When you have several policies enabled, the policy precedence is the following: A policy set to deny access is first priority. A policy set to allow access with MFA is second priority. A policy set to allow access without MFA is third priority. YNY
upvoted 2 times
...
a6792d4
1 year, 2 months ago
i' m not sure for user 3
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel