SC-300 · Question #351
SC-300 Question #351: Real Exam Question with Answer & Explanation
This question tests understanding of how Conditional Access policies apply to users based on group membership, directory roles, and exclusions, specifically around MFA requirements and session controls like persistent browser sessions and sign-in frequency.
Question
Hotspot Question

You have a Microsoft 365 E5 subscription that contains two groups named Group1 and Group2. The subscription contains the users shown in the following table.

You create the following Conditional Access policies:

Name: Policy1
Users:
  o Include: Group1
  o Exclude: Group2
Target resources:
  o Include: All cloud apps
Grant:
  o Grant access: Require multi-factor authentication
Session:
  o Persistent browser session: Never persistent

Name: Policy2
Users:
  o Include:
    - Directory roles: Global Administrator
    - Users and groups: User3
  o Exclude: Group2
Target resources:
  o Include: All cloud apps
Session:
  o Sign-in frequency:
    - Periodic authentication: 2 hours

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Answer:
Explanation
Approach. To evaluate each statement, cross-reference each user's group memberships and roles against Policy1 and Policy2. Policy1 applies to Group1 members (excluding Group2 members) and enforces MFA with a never-persistent browser session. Policy2 applies to Global Administrators and User3 (excluding Group2 members) and enforces a sign-in frequency of 2 hours, so the user must re-authenticate every 2 hours. A user in Group1 but NOT in Group2 is subject to Policy1's MFA and never-persistent session. A user who is a Global Administrator or is User3, and is NOT in Group2, is subject to Policy2's 2-hour re-authentication. Users in Group2 are excluded from both policies. If a user falls under both policies (e.g., a Global Admin who is also in Group1), both sets of controls apply: MFA, never-persistent session, AND 2-hour re-authentication frequency.
Concept tested. Conditional Access policy scoping - understanding Include/Exclude logic for users and groups, how multiple policies can stack on a single user, and the effect of session controls (persistent browser session and sign-in frequency) versus grant controls (MFA). Key nuance: exclusions override inclusions, and all applicable policies are enforced simultaneously on a user.
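The scoping logic described above, modeled as an added Python example (not part of the original question and not Microsoft's evaluation engine). The users UserA, UserB and UserC and every membership in SAMPLE_USERS, including User3's, are constructed for illustration because the question's user table is not reproduced on this page.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    include_groups: set = field(default_factory=set)
    include_roles: set = field(default_factory=set)
    include_users: set = field(default_factory=set)
    exclude_groups: set = field(default_factory=set)
    grant: set = field(default_factory=set)      # grant controls, e.g. MFA
    session: dict = field(default_factory=dict)  # session controls

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)

def in_scope(policy, user):
    # Exclusions are checked first: an excluded user is never in scope,
    # whichever include (group, role, or direct assignment) also matches.
    if user.groups & policy.exclude_groups:
        return False
    return bool(user.groups & policy.include_groups
                or user.roles & policy.include_roles
                or user.name in policy.include_users)

def effective_controls(policies, user):
    # Every in-scope policy contributes its controls. The two policies
    # here set different session keys, so a plain merge is sufficient.
    applied, grant, session = [], set(), {}
    for p in policies:
        if in_scope(p, user):
            applied.append(p.name)
            grant |= p.grant
            session.update(p.session)
    return {"policies": applied, "grant": grant, "session": session}

# Policy1 and Policy2 as defined in the question.
POLICIES = [
    Policy("Policy1", include_groups={"Group1"}, exclude_groups={"Group2"},
           grant={"mfa"}, session={"persistent_browser": "never"}),
    Policy("Policy2", include_roles={"Global Administrator"},
           include_users={"User3"}, exclude_groups={"Group2"},
           session={"sign_in_frequency_hours": 2}),
]

# Constructed memberships (assumptions, not the question's user table).
SAMPLE_USERS = {
    "UserA": User("UserA", groups={"Group1"}),
    "UserB": User("UserB", groups={"Group1", "Group2"}, roles={"Global Administrator"}),
    "UserC": User("UserC", groups={"Group1"}, roles={"Global Administrator"}),
    "User3": User("User3"),
}
```

Calling `effective_controls(POLICIES, SAMPLE_USERS["UserB"])` shows the exclusion case: Group2 membership removes the user from both policies even though Group1 and the Global Administrator role would otherwise match.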
Reference. Microsoft Learn: Conditional Access policies - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview