SC-300 Question #245: Real Exam Question with Answer & Explanation

Question

Your company purchases a new Microsoft 365 E5 subscription and an app named App1. You need to create a Microsoft Defender for Cloud Apps access policy for App1. What should you do you first?

Options

• AConfigure a Conditional Access policy to use app-enforced restrictions.
• BConfigure a Token configuration for App1.
• CAdd an API permission for App1.
• DConfigure a Conditional Access policy to use Conditional Access App Control.

Explanation

Explanation

Configuring a Conditional Access policy to use Conditional Access App Control (option D) is the required first step because Defender for Cloud Apps access policies only work when traffic is routed through the Defender for Cloud Apps reverse proxy - and Conditional Access App Control is the mechanism that enables this routing for the specific app. Without this prerequisite, Defender for Cloud Apps cannot intercept or enforce policies on App1's sessions.

Why the distractors are wrong:

• Option A (App-enforced restrictions) applies to specific apps like SharePoint and Exchange Online that natively support enforced restrictions, not to third-party or custom apps like App1.
• Option B (Token configuration) relates to adding optional claims to tokens in Azure AD app registrations and has no direct role in enabling Defender for Cloud Apps policies.
• Option C (API permissions) is used to grant apps access to Microsoft APIs and is unrelated to routing traffic through Defender for Cloud Apps.

Memory Tip

Think of it as a "traffic redirect first" rule: before Defender for Cloud Apps can watch or control an app, Conditional Access must first redirect the traffic to Defender for Cloud Apps using App Control - no redirect, no policy enforcement. 🚦

No community discussion yet for this question.