Exam SC-100 topic 1 question 12 discussion

AB looks correct to me

I don't think this is correct. Zero Trust its reffering to Conditional Access, so would be Microsoft Intune reports the endpoints as compliant. https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection and I assume The client access tokens are refreshed.

A. The client access tokens are refreshed. Once access is suspended (e.g., via Conditional Access), any existing tokens may still be valid. After remediation, refreshing the tokens ensures that the new compliant state is recognized and access can be restored. B. Microsoft Intune reports the endpoints as compliant. Intune is the authority that determines and reports device compliance based on Defender for Endpoint’s input. Defender for Endpoint alone does not directly mark a device as "compliant" in Conditional Access. Instead, it assesses the device's security state and shares that with Intune, which then determines compliance based on its policies. So the integration between Defender for Endpoint and Intune is critical to the compliance process.

Devices must be marked as compliant before Intune policies will allow them to access the network

• Enforce conditional access based on trusted devices. We recommend that you enforce location-based conditional access to suit your organizational requirements. • Reset passwords after eviction for any user accounts that may have been compromised. • Revoke refresh tokens immediately after rotating your credentials. https://learn.microsoft.com/en-us/azure/security/fundamentals/recover-from-identity-compromise#remediate-user-and-service-account-access

B. Microsoft Intune reports the endpoints as compliant: Intune ensures that the endpoints meet the organization's compliance policies, verifying that they are secure and properly configured. https://learn.microsoft.com/en-us/security/zero-trust/deploy/endpoints D. Microsoft Defender for Endpoint reports the endpoints as compliant: Defender for Endpoint provides advanced threat protection and ensures that the endpoints are free from malware and other security threats. https://learn.microsoft.com/en-us/defender-endpoint/zero-trust-with-microsoft-defender-endpoint These conditions help maintain the integrity of the Zero Trust model by ensuring that only secure and compliant endpoints can access corporate applications.

B. Microsoft Intune reports the endpoints as compliant: In a Zero Trust model, compliance is verified before granting access. Intune is used to manage device compliance policies, and the endpoints need to be reported as compliant to ensure they are safe for accessing corporate applications again. D. Microsoft Defender for Endpoint reports the endpoints as compliant: Defender for Endpoint provides security management for endpoints. After the malware is removed, Defender must report that the endpoints are secure and compliant, ensuring that they are safe for access.

A. The client access tokens are refreshed B. Microsoft Intune reports the endpoints as compliant

Agree with the given answer

Tokens need to be refreshed, when a device is marked as incompliant. The access is revoked due to the incomliance state. Answer A In Intune you configure the compliance policy. Within the compliance policy you configure the risk level for defender. Intune reports the compliance state as compliant, if the defender risk level is equal to or lower than the configured value. Answer B. Answer C: Is wrong Answer D is incorrect, because Defender does not report compliance. It reports the client risk level.

Questions asks "which 2 conditions must be met". The answer is: D: Defender must report the risk as being mitigated to Intune B: Intune reports the device as compliant

Answer should be B and C from the below key points in the question and the reference conditional access link: The customer discovers that several endpoints are infected with malware. - This comes under Microsoft intune compliance reporting. The customer suspends access attempts from the infected endpoints. - Conditional access kicks in "when a threat is seen on a device, access to sensitive content is blocked until the threat is remediated." The malware is removed from the endpoints. - "an automated investigation and remediation process is launched." https://learn.microsoft.com/en-us/defender-endpoint/conditional-access?view=o365-worldwide <<Understand the Conditional Access flow>>

To ensure that endpoint users can access the corporate applications again after malware removal, the following two conditions must be met: B. Microsoft Intune reports the endpoints as compliant: This ensures that the devices meet the organization’s compliance policies and are considered secure1. D. Microsoft Defender for Endpoint reports the endpoints as compliant: This confirms that the endpoints are free from threats and meet the security requirements1.

B and D is correct answer

Answer: B. Microsoft Intune reports the endpoint as compliant. D. Microsoft Defender for Endpoint reports the endpoint as compliant. Reason: In a Zero Trust model, it is necessary to verify the security and compliance status of endpoints before they access corporate applications. Microsoft Intune and Microsoft Defender for Endpoint report the compliance status of endpoints and ensure that the endpoints are secure. Reasons why other answers are different: A. Client access tokens are refreshed: While refreshing tokens is important, it is not directly related to verifying the security status of endpoints. C. A new Azure Active Directory (Azure AD) Conditional Access policy is applied: Conditional access policies help with access control but are not directly related to verifying the compliance status of endpoints.

Answer is BD Source: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/conditional-access?view=o365-worldwide

Today, I read more about this question and eliminated given options based on the question scenario.. So, company uses zero trust model.. It already performed what needs to be done.. So, if some endpoints are malware infected and suspended to access company applications.. For re-access to applications (it says corporate applications not Microsoft 365 apps etc.) User's token needs to be refreshed and also Microsoft Defender for Endpoint also mark device healthy after scan etc.. So Options are; A and D.