nerdexam
ExamsMS-900Questions#371
MicrosoftMicrosoft

MS-900 · Question #371

MS-900 Question #371: Real Exam Question with Answer & Explanation

The correct answer is A: Multi-factor authentication. Azure Conditional Access Policies Explained Azure Conditional Access acts as a policy engine that evaluates signals (user, location, device, app) and enforces access controls based on defined conditions. Option A (MFA) is correct because Conditional Access can require multi-facto

Submitted by amina.ke· Mar 5, 2026Describe security, compliance, privacy, and trust in Microsoft 365

Question

A company is evaluating Microsoft Azure Conditional Access policies. You reed to determine which scenarios Conditional Access policies support. Which three scenarios should you select? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

Options

  • AMulti-factor authentication
  • BSelf-service password reset capabilities
  • CHybrid Azure Active Directory joined device
  • DBlocked access to Microsoft 365 services for unverified users
  • EBitLocker deployment

Explanation

Azure Conditional Access Policies Explained

Azure Conditional Access acts as a policy engine that evaluates signals (user, location, device, app) and enforces access controls based on defined conditions. Option A (MFA) is correct because Conditional Access can require multi-factor authentication as a grant control when specific conditions are met (e.g., risky sign-ins or access from unknown locations). Option C (Hybrid Azure AD joined devices) is correct because Conditional Access can enforce device compliance by requiring that devices be Hybrid Azure AD joined before granting access. Option D (Blocked access to Microsoft 365) is correct because Conditional Access explicitly supports blocking access entirely for users who don't meet verification requirements, such as unverified or non-compliant users.

Options B and E are incorrect because Self-Service Password Reset (SSPR) is a separate Azure AD feature unrelated to access policy enforcement, and BitLocker is a Windows disk encryption tool managed through Intune/Endpoint Manager - neither falls within the scope of Conditional Access policy controls.

🧠 Memory Tip:

Think of Conditional Access as a "if-then" gatekeeper: IF a user meets certain conditions, THEN require MFA, block access, or demand a compliant/hybrid-joined device. Anything outside of authentication and access control (like encryption or password resets) belongs to different tools.

Topics

#Conditional Access#Azure AD#Security Policies#Multi-factor Authentication

Community Discussion

No community discussion yet for this question.

Sign up to join the discussion
Full MS-900 PracticeBrowse All MS-900 Questions