
SC-300 Question #435: Real Exam Question with Answer & Explanation

This hotspot question tests understanding of Azure AD self-service application access, including how approval workflows, group assignments, and user roles interact when a user requests access to an enterprise application.

Submitted by yuriko_h · Mar 6, 2026

Question

Hotspot Question

You have an Azure subscription that contains a group named Group1 and two users named User1 and User2. User1 is a member of Group1.

You register an enterprise application named App1. You enable self-service application access for App1 and configure the following settings:

- Allow users to request access to this application: Yes
- To which group should assigned users be added: Group1
- Require approval before granting access to this application: Yes
- Who is allowed to approve access to this application: User2

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Answer:


Explanation

Approach. When self-service application access is configured with 'Require approval before granting access: Yes' and 'Who can approve: User2', any user who requests access must wait for User2 to approve before being added to Group1 and gaining access to App1. User1, as a member of Group1, already has access to App1 without needing to request it: Group1 is the assignment target, and existing members benefit from the application assignment. User2 is designated as the approver, meaning User2 can approve requests but does NOT automatically have access to App1 unless they are also a member of Group1 or are directly assigned. A user who requests access (and is approved) gets added to Group1, thereby gaining access; without approval from User2, access is not granted. The key nuance is: Group1 membership grants App1 access, User2 is only the approver (not automatically added to Group1), and User1 already has access via Group1 membership.

Concept tested. Azure AD Self-Service Application Access: understanding how approval workflows, group-based application assignment, and user roles (approver vs. requester vs. existing group member) interact. Specifically: existing group members already have access, approvers are not automatically granted access, and approved requesters are added to the designated group.

Reference. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/manage-self-service-access
