Exam SC-300 topic 1 question 29 discussion

Actual exam question from Microsoft's SC-300
Question #: 29
Topic #: 1

DRAG DROP -
You need to resolve the recent security incident issues.
What should you configure for each incident? To answer, drag the appropriate policy types to the correct issues. Each policy type may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

Suggested Answer:
Box 1: A user risk policy -
User-linked detections include:
Leaked credentials: This risk detection type indicates that the user's valid credentials have been leaked. When cybercriminals compromise valid passwords of legitimate users, they often share those credentials.
User risk policy.
Identity Protection can calculate what it believes is normal for a user's behavior and use that to base decisions for their risk. User risk is a calculation of probability that an identity has been compromised. Administrators can make a decision based on this risk score signal to enforce organizational requirements. Administrators can choose to block access, allow access, or allow access but require a password change using Azure AD self-service password reset.

Box 2: A sign-in risk policy -
Suspicious browser: Suspicious browser detection indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser.

Box 3: A sign-in risk policy -
Sign-in risks include activity from anonymous IP address: This detection is discovered by Microsoft Defender for Cloud Apps. It identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
Note: The following three policies are available in Azure AD Identity Protection to protect users and respond to suspicious activity. You can choose to turn the policy enforcement on or off, select users or groups for the policy to apply to, and decide if you want to block access at sign-in or prompt for additional action.
* User risk policy
Identifies and responds to user accounts that may have compromised credentials. Can prompt the user to create a new password.
* Sign-in risk policy
Identifies and responds to suspicious sign-in attempts. Can prompt the user to provide additional forms of verification using Azure AD Multi-Factor Authentication.
* MFA registration policy
Makes sure users are registered for Azure AD Multi-Factor Authentication. If a sign-in risk policy prompts for MFA, the user must already be registered for Azure AD Multi-Factor Authentication.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies
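
The user risk and sign-in risk responses described above, written as Conditional Access policies through the Microsoft Graph PowerShell SDK. This is an added example, not part of the original answer; the display names, the risk thresholds and the break-glass group placeholder are assumptions.

```powershell
# Added example. Requires the Microsoft.Graph.Identity.SignIns module and
# the Policy.ReadWrite.ConditionalAccess permission.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Placeholder (assumption): object ID of an emergency-access group to exclude.
$breakGlassGroupId = '<break-glass-group-object-id>'

# Same user and application scope for both policies.
$scope = @{
    users        = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
    applications = @{ includeApplications = @('All') }
}

# User risk (for example leaked credentials): the account itself is suspect,
# so require MFA and a password change. passwordChange must be combined
# with mfa using the AND operator.
$userRiskPolicy = @{
    displayName   = 'EXAMPLE - High user risk requires password change'
    state         = 'enabledForReportingButNotEnforced'   # report-only first
    conditions    = $scope + @{ userRiskLevels = @('high') }
    grantControls = @{
        operator        = 'AND'
        builtInControls = @('mfa', 'passwordChange')
    }
}

# Sign-in risk (for example suspicious browser, anonymous IP address):
# one authentication attempt is suspect, so require MFA for that sign-in.
$signInRiskPolicy = @{
    displayName   = 'EXAMPLE - Medium or high sign-in risk requires MFA'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = $scope + @{ signInRiskLevels = @('medium', 'high') }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

foreach ($policy in $userRiskPolicy, $signInRiskPolicy) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object Id, DisplayName, State
}
```

Both policies are created in report-only state so their effect can be reviewed in the sign-in logs before they are switched to `enabled`.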

Comments

0byte
Highly Voted 1 year, 11 months ago
The given answer is correct. Currently supported risk detections are:
Sign-in risk detections: Activity from anonymous IP address, Additional risk detected, Admin confirmed user compromised, Anomalous Token, Anonymous IP address, Atypical travel, Azure AD threat intelligence, Impossible travel, Malicious IP address, Malware linked IP address, Mass Access to Sensitive Files, New country, Password spray, Suspicious browser, Suspicious inbox forwarding, Suspicious inbox manipulation rules, Token Issuer Anomaly, Unfamiliar sign-in properties.
User risk detections: Additional risk detected, Anomalous user activity, Azure AD threat intelligence, Leaked credentials, Possible attempt to access Primary Refresh Token (PRT).
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
upvoted 22 times
rvln7
3 weeks ago
1. A user risk policy 2. A sign in risk policy 3. A conditional access policy- "resources ACCESSED from an anonymous IP address"- if something is ACCESSED, it has nothing to do with a sign-in policy.
upvoted 2 times
...
chikorita
1 year, 5 months ago
Why is "Azure AD threat intelligence" part of both?
upvoted 1 times
Holii
1 year, 3 months ago
Azure AD Threat Intelligence are real-time detections on user behavior using machine learning. It's not tied to one type of "User Risk" vs "Sign-in Risk", it scans all sorts of behaviors for anything that may be illegitimate/malicious traffic. No link to provide, just look into it yourself.
upvoted 1 times
...
...
...
chzon
Highly Voted 1 year, 5 months ago
Today I would solve all over Conditional Access.
upvoted 13 times
S60
2 months, 3 weeks ago
Identity protection console now has a note "We recommend migrating user-risk / Sign-in risk policy to conditional access" so I would say conditional access for all three scenarios.
upvoted 1 times
...
syougun200x
1 year ago
I would go for conditional access policy for all the choices, too. When I open user risk policy or sign in risk policy, the below appears at the top of the page. We recommend migrating user risk policy (or sign in risk policy) to Conditional access policy for more conditions and controls. Maybe you're the only one who bothered to go hands on here.
upvoted 2 times
...
...
noa808a
Most Recent 3 days, 20 hours ago
As of Mar 2025: 1. User Risk Policy 2. Sign In Risk Policy 3. Conditional Access Policy
upvoted 1 times
...
Frank9020
2 months ago
1. A user risk policy 2. A sign in risk policy 3. A conditional access policy
upvoted 3 times
...
RahulX
7 months, 1 week ago
1. A user risk policy 2. A sign-in risk policy 3. A sign-in risk policy
upvoted 4 times
...
EmnCours
1 year, 1 month ago
1. A user risk policy 2. A sign-in risk policy 3. A sign-in risk policy
upvoted 2 times
...
dule27
1 year, 2 months ago
1. A user risk policy 2. A sign-in risk policy 3. A sign-in risk policy
upvoted 3 times
...
ShoaibPKDXB
1 year, 4 months ago
Correct
upvoted 1 times
...
den5_pepito83
1 year, 10 months ago
ON EXAM 14/11/2022
upvoted 4 times
Vaerox
8 months, 1 week ago
But was it correct?
upvoted 1 times
...
...