SC-300 Question #117: Real Exam Question with Answer & Explanation

Question

Your organization is looking to tighten its security posture when it comes to Azure AD users passwords. There has been reports on local news recently of various organizations having user identities compromised due to using weak passwords or passwords that resemble the organization name or local sports team names. You want to provide protection for your organization as well as supplying a list of common words that are not acceptable passwords. What should you configure.

Options

• AAzure AD Password Protection
• BAzure AD Privileged Identity Management
• CAzure Defender for Passwords
• DAzure AD Multi-factor Authentication

Explanation

Azure AD Password Protection

Option A is correct because Azure AD Password Protection is specifically designed to prevent weak passwords by enforcing a global banned password list (maintained by Microsoft) and allowing organizations to create a custom banned password list - perfect for blocking organization names, local team names, or industry-specific terms that attackers might exploit.

The distractors are wrong because:

• B (Privileged Identity Management) manages access and roles for privileged accounts (e.g., just-in-time admin access) - it has nothing to do with password strength
• C (Azure Defender for Passwords) is a fabricated service that does not exist in Azure - a classic exam trap
• D (Multi-Factor Authentication) adds a second verification layer during sign-in but does nothing to enforce or restrict what passwords users can choose

🧠 Memory Tip

Think "Protection = Prevention" - Azure AD Password Protection protects your organization by preventing bad passwords from being set in the first place. If the question mentions custom banned word lists or weak/organization-specific passwords, that's your signal to choose Password Protection over MFA (which only addresses authentication, not password quality).

No community discussion yet for this question.