SC-300 Question #392: Real Exam Question with Answer & Explanation

This question tests understanding of Conditional Access policy assignment logic in Microsoft Entra ID (Azure AD), specifically how Include/Exclude rules interact for users who belong to multiple groups or have specific roles.

Submitted by salim_om · Mar 6, 2026

Question

Hotspot Question

You have a Microsoft 365 E5 subscription that contains two groups named Group1 and Group2 and the users shown in the following table.

The subscription contains a Conditional Access policy that has the following settings:

- Name: Policy1
- Assignments
  o Include
    - Users and Groups: Group1
    - Directory roles: Global Administrator
  o Exclude
    - Users and Groups: Group2
  o Target resources
    - Include
    - All cloud apps
- Access controls
  - Grant
  - Require multifactor authentication

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Answer:


Explanation

Approach. Policy1 requires MFA for users who are in Group1 OR who hold the Global Administrator directory role, EXCEPT those in Group2 (exclusions override inclusions). To determine whether a user is affected: first check whether they match any Include condition (member of Group1 OR is a Global Admin), then check whether they are in the Exclude group (Group2); if so, the exclusion wins. A user who is a Global Admin but also in Group2 would be EXCLUDED (no MFA required). A user in Group1 but also in Group2 would be EXCLUDED (no MFA required). A user who is neither in Group1 nor a Global Admin is NOT included at all (the policy does not apply, so no MFA is required by this policy). Only users who match an Include condition AND are NOT in Group2 will be required to perform MFA.

Concept tested. Microsoft Entra ID Conditional Access policy assignment logic: how Include and Exclude rules for users/groups/directory roles interact, with exclusions always taking precedence over inclusions.

Reference. https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-users-groups
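
The include/exclude evaluation described in the Approach, as an added Python example (not part of the original question or Microsoft's code). The users are constructed for illustration and are not the table from the exam; display names stand in for the object and role template IDs a real policy stores, and `exempted_in_scope` is a hypothetical audit helper that lists accounts the exclusion takes out of MFA.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()

# Policy1's user assignment, keyed like the Microsoft Graph
# conditionalAccessPolicy conditions.users object. Assumption: display
# names are used here instead of the GUIDs a real policy would contain.
POLICY1_USERS = {
    "includeGroups": {"Group1"},
    "includeRoles": {"Global Administrator"},
    "excludeGroups": {"Group2"},
    "excludeRoles": set(),
}

def _hits(user, cond, kind):
    """Groups and roles of the user that match the include/exclude lists."""
    return (user.groups & cond[kind + "Groups"]) | (user.roles & cond[kind + "Roles"])

def evaluate(user, cond=POLICY1_USERS):
    """Return (mfa_required, reason) for one user."""
    included, excluded = _hits(user, cond, "include"), _hits(user, cond, "exclude")
    if not included:
        return False, "policy does not apply: no Include condition matched"
    if excluded:
        return False, f"excluded via {sorted(excluded)} (exclude wins)"
    return True, f"included via {sorted(included)}"

def exempted_in_scope(users, cond=POLICY1_USERS):
    """Users who match an Include condition but escape MFA through Exclude."""
    return [u.name for u in users
            if _hits(u, cond, "include") and _hits(u, cond, "exclude")]

# Constructed sample users covering each case in the Approach.
SAMPLE_USERS = [
    User("alice", frozenset({"Group1"})),
    User("bob", frozenset({"Group1", "Group2"})),
    User("carol", frozenset({"Group2"}), frozenset({"Global Administrator"})),
    User("dave", frozenset(), frozenset({"Global Administrator"})),
    User("erin", frozenset({"Group2"})),
    User("frank"),
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        mfa, why = evaluate(u)
        print(f"{u.name:6} MFA={'Yes' if mfa else 'No':3} {why}")
    print("in scope but exempt:", exempted_in_scope(SAMPLE_USERS))
```

The `exempted_in_scope` output is the list worth reviewing in a real tenant: a Global Administrator placed in the exclusion group signs in without MFA under this policy.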
