Exam SC-300 topic 4 question 11 discussion

Actual exam question from Microsoft's SC-300
Question #: 11
Topic #: 4

You have a Microsoft 365 tenant.
The Azure Active Directory (Azure AD) tenant syncs to an on-premises Active Directory domain.
You plan to create an emergency-access administrative account named Emergency1. Emergency1 will be assigned the Global administrator role in Azure AD.
Emergency1 will be used in the event of Azure AD functionality failures and on-premises infrastructure failures.
You need to reduce the likelihood that Emergency1 will be prevented from signing in during an emergency.
What should you do?

  • A. Configure Azure Monitor to generate an alert if Emergency1 is modified or signs in.
  • B. Require Azure AD Privileged Identity Management (PIM) activation of the Global administrator role for Emergency1.
  • C. Configure a conditional access policy to restrict sign-in locations for Emergency1 to only the corporate network.
  • D. Configure a conditional access policy to require multi-factor authentication (MFA) for Emergency1.
Suggested Answer: A

Comments

MajorUrs
Highly Voted 3 years, 11 months ago
The answer is stupid, because creating an alert does not help with reducing the likelihood. But it is correct, because all other answers will create additional blockers to connect.
upvoted 61 times
WMG
2 years, 9 months ago
I tend to agree that many answers and questions are dumb, but this isn't that wrong. The question is "..prevented from signing in.." and the answer contains "Emergency1 is modified". This is exactly what you need to look out for; in fact we have the same setup here: the emergency account password is locked in safes. We have an alert for any modifications to that account: new password, CA policies, groups etc. Anything that can interfere with its usage. So the answer is not stupid at all if you ever worked in enterprise grade security administration.
upvoted 4 times
...
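As an added example that is not part of the thread: the kind of alerting the comment above describes (sign-ins, changes to the account, and Conditional Access changes that could block it), run over constructed events. The UPN, the event field names and the assumption that a policy applies to every user it does not exclude are all hypothetical simplifications, not the Azure AD log schema.

```python
"""Added example: alert logic for a break-glass account (not from the thread)."""

# Hypothetical UPN; the question only names the account "Emergency1".
BREAK_GLASS = {"emergency1@contoso.example"}

# Constructed sample events. Field names are simplified assumptions,
# not the real Azure AD sign-in or audit log schema.
EVENTS = [
    {"kind": "signin", "user": "Emergency1@contoso.example", "ok": True},
    {"kind": "signin", "user": "alice@contoso.example", "ok": True},
    {"kind": "user_change", "target": "emergency1@contoso.example",
     "change": "password reset", "actor": "admin7@contoso.example"},
    {"kind": "user_change", "target": "emergency1@contoso.example",
     "change": "added to group", "actor": "admin7@contoso.example"},
    {"kind": "user_change", "target": "alice@contoso.example",
     "change": "password reset", "actor": "helpdesk@contoso.example"},
    {"kind": "ca_policy_change", "policy": "Require MFA for admins",
     "excluded": [], "actor": "admin7@contoso.example"},
    {"kind": "ca_policy_change", "policy": "Block legacy auth",
     "excluded": ["emergency1@contoso.example"], "actor": "admin7@contoso.example"},
]


def review(events, watched=BREAK_GLASS):
    """Return (rule, detail) alerts for events that touch a watched account."""
    watched = {u.lower() for u in watched}
    alerts = []
    for ev in events:
        kind = ev.get("kind")
        if kind == "signin" and ev.get("user", "").lower() in watched:
            # Any use of the account is notable, successful or not.
            outcome = "succeeded" if ev.get("ok") else "failed"
            alerts.append(("signin", f"{ev['user']} sign-in {outcome}"))
        elif kind == "user_change" and ev.get("target", "").lower() in watched:
            alerts.append(("modified", f"{ev['change']} by {ev.get('actor', 'unknown')}"))
        elif kind == "ca_policy_change":
            # Assumption: a policy applies to every user it does not exclude.
            excluded = {u.lower() for u in ev.get("excluded", [])}
            for user in sorted(watched - excluded):
                alerts.append(("ca_policy", f"'{ev['policy']}' does not exclude {user}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in review(EVENTS):
        print(f"[{rule}] {detail}")
```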
Eltooth
3 years, 11 months ago
Agreed - all other answers would prevent emergency (breakglass) account from working. Answer is A - always log changes to break glass account.
upvoted 7 times
...
JerryGolais
3 years, 11 months ago
A by elimination. You are right that is pretty dumb.
upvoted 6 times
...
YetiSpaghetti
2 years, 11 months ago
Preach. I laughed at how dumb this answer was.
upvoted 4 times
...
...
MarioMK
Highly Voted 3 years, 10 months ago
Woow. I guess there is a competition at Microsoft as to who can formulate a question in the most stupid way possible. I have read 5 times in order to understand what are they trying to say. I think this is done on purpose to make things look harder than they really are
upvoted 15 times
...
Obi_Wan_Jacoby
Most Recent 1 week, 2 days ago
Selected Answer: A
Answer: A. I agree with others' sentiment. This is a stupid question. The alerting itself will not prevent but rather inform. And MFA (although recommended for break glass accounts) is something that should be applied, but does indeed add onto the likelihood of issues signing in with that account. And the requirement in this question is to "reduce the likelihood that Emergency1 will be prevented from signing in during an emergency".
upvoted 1 times
...
mohamedbenamor
6 months ago
Selected Answer: A
Stupid question, but I found this: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access#monitor-sign-in-and-audit-logs
upvoted 2 times
...
haazybanj
1 year, 6 months ago
Selected Answer: A
The correct answer is A. Configure Azure Monitor to generate an alert if Emergency1 is modified or signs in. All of the other options would add additional barriers to signing in with the emergency-access administrative account, which could prevent it from being used in an emergency.
upvoted 2 times
...
shuhaidawahab
1 year, 6 months ago
The correct answer is C. Configure a conditional access policy to restrict sign-in locations for Emergency1 to only the corporate network.
upvoted 1 times
...
Jzx
1 year, 7 months ago
Selected Answer: D
D. Configure a conditional access policy to require multi-factor authentication (MFA) for Emergency1: Enforcing MFA for Emergency1 adds an extra layer of security and ensures that even if a password is compromised or other issues arise, Emergency1 will still need to provide a second form of authentication to access Azure AD resources. This is a crucial security measure, especially for accounts with high privileges like Global administrators. MFA enhances security and helps protect against unauthorized access, even in emergency situations.
upvoted 2 times
...
DasChi_cken
1 year, 8 months ago
Selected Answer: A
You need to protect this account as it is the highest privileged admin, but you can't use the protection methods mentioned in answers B, C and D because that could block access. The only way to "protect" is to monitor. Answer A is a good answer; only the word "likelihood" is a bit misleading.
upvoted 3 times
...
EmnCours
1 year, 9 months ago
Selected Answer: A
A. Configure Azure Monitor to generate an alert if Emergency1 is modified or signs in.
upvoted 4 times
...
dule27
1 year, 10 months ago
Selected Answer: A
A. Configure Azure Monitor to generate an alert if Emergency1 is modified or signs in.
upvoted 3 times
...
estyj
2 years, 6 months ago
A. Yes need to monitor that break glass account so that you are aware of any changes to acct in case of a real emergency.
upvoted 1 times
...
DeepMoon
2 years, 7 months ago
Perfect question. Perfect Answer. This is an account used in 'break the glass' scenarios. It only has a very long password, that is kept under lock and key. User id and password are not connected to any user or device for authentication. No MFA can block its access. Even with Cell or network/email/phone down situations you can login with this account. You can login from anywhere. So it needs to be monitored to prevent tampering and account usage.
upvoted 3 times
...
Faheem2020
2 years, 8 months ago
Makes perfect sense to put your emergency account on monitor. https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access
upvoted 5 times
...
subhuman
2 years, 10 months ago
The answer provided is correct: always log activities from the emergency "break glass" account to monitor for any changes. All other choices will definitely prevent the account from being accessible.
upvoted 1 times
...
Xyz_40
2 years, 11 months ago
The question needs to be modified as it does not correctly fit the answer. Though only answer "A" fits it.
upvoted 1 times
...
TP447
3 years ago
Was expecting the answer to be excluding the account from CA so that it can sign in always when needed but there was no option. Option A is most logical...ish
upvoted 1 times
...
Jun143
3 years, 1 month ago
Just passed the exam today. This came in the question.
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other