Exam MS-100 topic 2 question 37 discussion

https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy Impossible travel is on anomaly detection policy see link

Hi guys and gals, I tested this answer in my tenant and i've come to a conclusion; Answer A. Is in fact the correct answer. "Modify the impossible travel alert policy" See the how-to over here: http://www.rebeladmin.com/2018/09/step-step-guide-manage-impossible-travel-activity-alert-using-azure-cloud-app-security/ (i am not this guy thogh) The fact remains that with an anomaly detection - impossible travel you cannot select a specific app to monitor for impossible travel (you CAN select a Cloud app but there's no option to monitor for impossible travel) Also see this: https://docs.microsoft.com/nl-nl/cloud-app-security/cloud-discovery-anomaly-detection-policy There no option to monitor for impossible travel here. I've tested this in my tenant and the option does not present itself.

I think it's A. Seems like a classic MS cert question where two answers are potentially right, but one is more right due precedence in what needs to be done first and foremost in order to accomplish the goal. I hate that THIS is how they challenge your knowledge of the subject matter. Making a test confusing and misleading doesn't mean the results indicate who is a better SME.

I vote A.

B, Option A (creating a Cloud Discovery anomaly detection policy) is incorrect because it is used to detect anomalous behaviors across all apps and cannot be configured to generate alerts for a specific app like App1. Option C (creating an app discovery policy) is incorrect because it is used to discover and assess apps used by employees in an organization, but not to generate alerts for impossible travel. Option D (modifying the conditional access policy from the Azure Active Directory admin center) is incorrect because conditional access policies are used to control access to apps based on certain conditions, but they cannot be configured to generate alerts for impossible travel events.

The answer is B. It's a trick question, they are misleading you with "impossible travel". Yes, there is a default "Impossible Travel" policy, but even if you modify you cannot restrict it to a single application. You would have to create a new "Cloud Discovery anomaly detection policy", which includes the "impossible travel" as part of its scope and then create a filter for "App1".

Answer has to be B A. You cannot Modify Impossible travel alert policy B. That will work C. You cannot setup email alert in conditional access policy D. The app is allready discovered. Thus dosen't make any sense. https://docs.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy#impossible-travel find : Scope anomaly detection policies in the link

all of the above

B is the correct. 1 - Never change a default policy, always create a new custom policy. 2 - The question ask to notify only if the App1 has a impossible travel alert, this is possible creating a new anomaly detection policy and setting the filter option with the App1 name.

tested

the answer is A explanation : 1-from (Microsoft 365 admin center > security ) it pops up a new window 2-you scroll down and click on (more resources) 3-you chose (microsoft defender for clouds Apps ) 4- you navigate in (control>policies) 5-you scroll down to (impossible travel ) and then modify it by adding the email address

tested, ans B

Answer "A"is correct. Policy Type : Anomaly detection Exact Policy name : Impossible travel. There are several "anomaly detection" polices available and dont need to configure all of them to achieve what is asked for (Refer the link in answer for all policy details). , As the question looks for the exact policy name, the answer is : Impossible travel Policy.

There is already default "Impossible travel" policy and to apply it to a specific user who uses App1. change Scope to "specific users & groups" and "filter" the specific user. So ANS=A

It has to be A, the question states that the policy is already created. The task is to simply modify the existing policy so that it alerts. Choosing B is if there was no policy in place, and even then the answer would be iffy, since when you create an anomaly detection policy you also choose what kind, one does not cover all.

I think there is some confusion here... the question is asking how to add email alerts to the already created conditional access policy for App1 that uses Conditional Access App Control. I think the correct answer should be modify the MCAS Session Policy based on the conditional access policy… But that’s not an option. C. is wrong since alerting is not part of conditional access policy A. maybe since it’s the only MCAS modify where B. and D. are MCAS create

Always create a custom policy. Never modify default policies.