SC-300 Question #373: Real Exam Question with Answer & Explanation

Question

You have a Microsoft 365 E5 subscription. You plan to deploy a third-party software as a service (SaaS) app named App1. You need to onboard App1 to Microsoft Defender for Cloud Apps. The solution must ensure that you can implement session control policies. What should you do first?

Options

• AFrom the Microsoft Defender portal, configure Cloud discovery.
• BFrom the Microsoft Entra admin center, configure single sign-on (SSO) for App1.
• CFrom the Microsoft Defender portal, create an OAuth app policy.
• DFrom the Microsoft Entra admin center, configure a traffic forwarding profile.

Explanation

Explanation

Configuring Cloud Discovery in the Microsoft Defender portal is the essential first step because it allows Defender for Cloud Apps to discover and identify App1 within your environment before any policies can be applied - you cannot implement session controls on an app that hasn't been onboarded and recognized by the platform.

Why the distractors are wrong:

• Option B (SSO via Entra) is actually a subsequent step required for Conditional Access App Control (which enables session policies), but it cannot be done before the app is discovered and onboarded through Defender for Cloud Apps first.
• Option C (OAuth app policy) governs permissions for OAuth-connected apps and is unrelated to the onboarding process needed to enable session control.
• Option D (Traffic forwarding profile) is a Microsoft Entra Private Access/Global Secure Access concept used for network traffic routing, not for onboarding SaaS apps into Defender for Cloud Apps.

Memory Tip: Think of it as a "discover before you defend" rule - Cloud Discovery is always the gateway step in Defender for Cloud Apps. You must first make the platform aware of the app before you can monitor, control, or apply any policies to it.

No community discussion yet for this question.