
SC-100 Question #343: Real Exam Question with Answer & Explanation

The correct answer is B: Exclude: Selected networks and locations; Site1.

Design solutions that align with security best practices and priorities

Question

You have a Microsoft 365 subscription.

You have a Conditional Access policy that has the following settings:

Name: Policy 1
Assignments
- Users:
-- Include: All users
- Target resources
-- Include: Select apps; Office 365
- Network
-- Include: Any network or location
-- Exclude: Selected networks and locations; Site1
- Access controls
-- Grant: Require multifactor authentication, Require Hybrid Microsoft Entra joined device

You plan to implement Zero Trust Rapid Modernization Plan (RaMP).

You need to ensure that Policy1 aligns with best practice recommendations in RaMP.

Which setting should you change?

Options

  • A. Include: Any network or location
  • B. Exclude: Selected networks and locations; Site1
  • C. Grant: Require Hybrid Microsoft Entra joined device
  • D. Grant: Require multifactor authentication

Explanation

Correct answer: B

The Zero Trust principle of "never trust, always verify" explicitly rejects network location as a trust signal. The existing policy excludes Site1 (a named network location) from the Conditional Access controls, meaning users at that location bypass MFA and device compliance checks. This is a direct violation of Zero Trust's Rapid Modernization Plan (RaMP), which instructs organizations to remove network-based exclusions from Conditional Access policies. Trusting a corporate network (Site1) assumes that because traffic originates from a "known" location, it is safe - exactly the implicit trust model Zero Trust eliminates. Removing the Site1 exclusion (B) forces all users, regardless of location, to satisfy the grant controls.

  • A is incorrect because "Any network or location" in the Include section is correct for Zero Trust - you want the policy to apply everywhere.
  • C is not the primary issue; Hybrid Entra joined is a valid grant control, though Compliant device is preferred in Zero Trust.
  • D is incorrect; requiring MFA is a core Zero Trust and RaMP requirement that must be kept.

Explanation generated by claude-sonnet (LLM judge score: 4).
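The check described in the explanation, as an added example that is not part of the original question or of any Microsoft tooling: a Python audit that flags Conditional Access policies whose grant controls are skipped for an excluded network, run over a constructed copy of Policy1 in Microsoft Graph `conditionalAccessPolicy` form. The location ID, the `enabled` state and the `AND` grant operator are assumptions, since the question does not state them.

```python
import copy

# Constructed sample: Policy1 from the question in Microsoft Graph
# conditionalAccessPolicy form. The location ID, the "enabled" state and the
# "AND" operator are assumptions; the question does not state them.
SITE1_ID = "00000000-0000-0000-0000-000000000001"  # placeholder, not a real ID
NAMED_LOCATIONS = {SITE1_ID: "Site1"}
POLICY1 = {
    "displayName": "Policy1",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["Office365"]},
        "locations": {"includeLocations": ["All"],
                      "excludeLocations": [SITE1_ID]},
    },
    "grantControls": {"operator": "AND",
                      "builtInControls": ["mfa", "domainJoinedDevice"]},
}

def audit_location_exclusions(policies, named_locations):
    """Report non-disabled policies whose grant controls skip some network."""
    findings = []
    for policy in policies:
        if policy.get("state") == "disabled":
            continue  # a disabled policy enforces nothing anywhere
        locations = (policy.get("conditions") or {}).get("locations") or {}
        excluded = locations.get("excludeLocations") or []
        if not excluded:
            continue
        grant = policy.get("grantControls") or {}
        findings.append({
            "policy": policy.get("displayName"),
            # "AllTrusted" is Graph's keyword for every trusted named location
            "excluded": [named_locations.get(i, i) for i in excluded],
            "bypassed_controls": list(grant.get("builtInControls") or []),
        })
    return findings

def remove_location_exclusions(policy):
    """Return a copy that applies the grant controls on every network."""
    fixed = copy.deepcopy(policy)
    fixed["conditions"]["locations"]["excludeLocations"] = []
    return fixed

if __name__ == "__main__":
    print(audit_location_exclusions([POLICY1], NAMED_LOCATIONS))
```

The finding for Policy1 lists Site1 as the excluded location and both grant controls as bypassed there; the copy returned by `remove_location_exclusions` produces no finding.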

Topics

#Conditional Access  #Zero Trust  #Rapid Modernization Plan (RaMP)  #Network conditions
