nerdexam
Microsoft

SC-300 · Question #340

SC-300 Question #340: Real Exam Question with Answer & Explanation

This task requires creating a Conditional Access policy in Azure AD (Microsoft Entra ID) that targets the sg-Executive group and enforces Grant controls requiring either a compliant device (verified by Microsoft Intune) or an approved client app with app protection policies. Cond

Submitted by ashley.k· Mar 6, 2026Implement and manage identity and access - specifically configuring Conditional Access policies to enforce device compliance and app protection requirements for targeted user groups (Microsoft 365 MS-102 / SC-300 / MD-102 certification domain: Manage Access and Authentication)

Question

SIMULATION Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Microsoft 365 Username:[email protected] Microsoft 365 Password: =1122334455667788 If the Microsoft 365 portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab. The following information is for technical support purposes only: Lab Instance: 99999999 You need to implement additional security checks before the members of the sg-Executive can access any company apps. The members must meet one of the following conditions: - Connect by using a device that is marked as compliant by Microsoft Intune. - Connect by using client apps that are protected by app protection policies. To complete this task, sign in to the appropriate admin center. Answer:

Exhibit

SC-300 question #340 exhibit

Explanation

This task requires creating a Conditional Access policy in Azure AD (Microsoft Entra ID) that targets the sg-Executive group and enforces Grant controls requiring either a compliant device (verified by Microsoft Intune) or an approved client app with app protection policies. Conditional Access is the correct tool because it allows administrators to define access conditions based on user group membership, device compliance state, and app protection policies simultaneously using 'Require one of the selected controls' (OR logic). The policy must be configured with the sg-Executive group as the assignment target, 'All cloud apps' as the resource, and the two Grant controls selected with OR logic to satisfy the requirement that members meet at least one condition.

Topics

#Conditional Access#Microsoft Entra ID / Azure AD#Microsoft Intune Compliance#App Protection Policies

Community Discussion

No community discussion yet for this question.

Sign up to join the discussion
Full SC-300 Practice