
SC-300 Question #416: Real Exam Question with Answer & Explanation

This question tests understanding of how Conditional Access policies with include/exclude settings interact when multiple policies apply to the same user. The key is determining which policies apply to each user based on group memberships and directory roles.

Submitted by andres_qro· Mar 6, 2026

Question

Hotspot Question

You have a Microsoft 365 E5 subscription that contains three groups named Group1, Group2, and Group3, and the users shown in the following table.

You create a Conditional Access policy named CA1 that has the following settings:

- Users
  - Include
    - Users and groups: Group1
  - Exclude
    - Users and groups: Group2
    - Directory roles: Global Administrator
- Target resources
  - Include: All cloud apps
- Access controls
  - Grant: Require multifactor authentication

You create a Conditional Access policy named CA2 that has the following settings:

- Users
  - Include
    - Users and groups: Group2
  - Exclude
    - Users and groups: Group3
- Target resources
  - Include: All cloud apps
- Access controls
  - Grant: Block access

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Answer:


Explanation


Approach. To evaluate each statement, check each user against both CA1 and CA2:

- CA1: a user is in scope if they are in Group1 AND not in Group2 AND not a Global Administrator.
- CA2: a user is in scope if they are in Group2 AND not in Group3.

Exclusions always take precedence over inclusions in Conditional Access. If a user is excluded from a policy, that policy does not apply to them regardless of the include conditions. When multiple policies apply, the most restrictive result wins: Block access (CA2) overrides MFA (CA1).

Typically the statements being evaluated follow this logic:

1. A user in Group1 only → CA1 applies → must use MFA (Yes).
2. A user in Group1 and Group2 → excluded from CA1 (in Group2), included in CA2 (in Group2, not in Group3) → CA2 blocks access (Yes, blocked).
3. A user in Group2 and Group3 → excluded from CA1 (in Group2), excluded from CA2 (in Group3) → neither policy applies → no restriction (no MFA or block required).
4. A Global Administrator in Group1 → excluded from CA1 by the Global Administrator directory role exclusion → CA1 does not apply; if not in Group2, CA2 also does not apply → no restriction (No).

Always remember: exclusions in Conditional Access are absolute overrides, and Block always beats Grant when multiple policies apply.
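The evaluation rule above (exclusions override inclusions, then Block beats a Grant control) can be checked mechanically. The following is an added worked example, not code from the exam page or from Microsoft; it models CA1 and CA2 as written in the question and runs them against a constructed user table (the question's own user table is not reproduced on the page, so User1 to User5 are assumptions). User5 goes one step beyond the four cases in the explanation: a Global Administrator who is in Group2 only, showing that the directory-role exclusion on CA1 says nothing about CA2.

```python
from dataclasses import dataclass

# A user as Conditional Access sees them: group memberships and directory roles.
@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    roles: frozenset = frozenset()

# A simplified policy: include/exclude by group, exclude by directory role,
# and a grant control of either "mfa" or "block". Target resources are
# "All cloud apps" for both policies in the question, so they are not modelled.
@dataclass(frozen=True)
class Policy:
    name: str
    include_groups: frozenset
    exclude_groups: frozenset = frozenset()
    exclude_roles: frozenset = frozenset()
    grant: str = "mfa"

def policy_applies(policy: Policy, user: User) -> bool:
    """Exclusions are evaluated first and win over any include match."""
    if user.groups & policy.exclude_groups or user.roles & policy.exclude_roles:
        return False
    return bool(user.groups & policy.include_groups)

def applicable_policies(user: User, policies) -> list:
    """Names of the policies that are in scope for this user."""
    return [p.name for p in policies if policy_applies(p, user)]

def evaluate(user: User, policies) -> str:
    """Combine the in-scope policies: any Block wins, else any MFA requirement,
    else the sign-in is allowed without Conditional Access restrictions."""
    applied = [p for p in policies if policy_applies(p, user)]
    if any(p.grant == "block" for p in applied):
        return "block"
    if any(p.grant == "mfa" for p in applied):
        return "mfa"
    return "allow"

# CA1 and CA2 exactly as described in the question.
CA1 = Policy("CA1", include_groups=frozenset({"Group1"}),
             exclude_groups=frozenset({"Group2"}),
             exclude_roles=frozenset({"Global Administrator"}), grant="mfa")
CA2 = Policy("CA2", include_groups=frozenset({"Group2"}),
             exclude_groups=frozenset({"Group3"}), grant="block")
POLICIES = (CA1, CA2)

# Constructed sample users (assumption: the page does not reproduce the real table).
SAMPLE_USERS = {
    "User1": User("User1", frozenset({"Group1"})),
    "User2": User("User2", frozenset({"Group1", "Group2"})),
    "User3": User("User3", frozenset({"Group2", "Group3"})),
    "User4": User("User4", frozenset({"Group1"}), frozenset({"Global Administrator"})),
    "User5": User("User5", frozenset({"Group2"}), frozenset({"Global Administrator"})),
}

def evaluate_all(users=SAMPLE_USERS, policies=POLICIES) -> dict:
    """Outcome per user, e.g. {"User1": "mfa", "User2": "block", ...}."""
    return {name: evaluate(u, policies) for name, u in users.items()}

if __name__ == "__main__":
    for name, user in SAMPLE_USERS.items():
        print(f"{name}: policies={applicable_policies(user, POLICIES)} -> {evaluate(user, POLICIES)}")
```

User1 to User4 reproduce the four cases in the explanation (MFA, block, no restriction, no restriction). User5 is blocked: the Global Administrator exclusion lives only on CA1, so it does not keep the account out of CA2's scope, which is why role-based exclusions have to be added to every policy they are meant to cover.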

Concept tested. Microsoft Entra ID (Azure AD) Conditional Access policy evaluation: how include and exclude conditions are processed per user based on group membership and directory roles, and how conflicting policies (MFA vs Block) are resolved when multiple policies apply simultaneously.

Reference. https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common-decisions
