SC-300 Free Question Set: "Microsoft Identity and Access Administrator"
Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure AD tenant. The AD DS domain contains the organizational units (OUs) shown in the following table.
You need to create a break-glass account named BreakGlass.
Where should you create BreakGlass, and which role should you assign to BreakGlass? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct answer:
Explanation:
Task 6
You need to implement additional security checks before the members of the Sg-Executive can access any company apps. The members must meet one of the following conditions:
* Connect by using a device that is marked as compliant by Microsoft Intune.
* Connect by using client apps that are protected by app protection policies.
Correct answer:
See the Explanation for the complete step by step solution.
Explanation:
To implement additional security checks for the Sg-Executive group members before they can access any company apps, you can use Conditional Access policies in Microsoft Entra. Here's a step-by-step guide:
* Sign in to the Microsoft Entra admin center:
  * Ensure you have the role of Global Administrator or Security Administrator.
* Navigate to Conditional Access:
  * Go to Security > Conditional Access.
* Create a new policy:
  * Select + New policy.
  * Name the policy appropriately, such as "Sg-Executive Security Checks".
* Assign the policy to the Sg-Executive group:
  * Under Assignments, select Users and groups.
  * Choose Select users and groups and then Groups.
  * Search for and select the Sg-Executive group.
* Define the application control conditions:
  * Under Cloud apps or actions, select All cloud apps to apply the policy to any company app.
* Set the device compliance requirement:
  * Under Conditions > Device state, configure the policy to include devices marked as compliant by Microsoft Intune.
* Set the app protection policy requirement:
  * Under Conditions > Client apps, configure the policy to include client apps that are protected by app protection policies.
* Configure the access controls:
  * Under Access controls > Grant, select Grant access.
  * Choose Require device to be marked as compliant and Require approved client app.
  * Ensure that the option Require one of the selected controls is enabled.
* Enable the policy:
  * Set Enable policy to On.
* Review and save the policy:
  * Review all settings to ensure they meet the requirements.
  * Click Create to save and implement the policy.
By following these steps, you will ensure that the Sg-Executive group members can only access company apps if they meet one of the specified conditions, either by using a compliant device or a protected client app.
This enhances the security posture of your organization by enforcing stricter access controls for executive-level users.
You have a Microsoft 365 tenant.
All users have mobile phones and laptops.
The users frequently work from remote locations that do not have Wi-Fi access or mobile phone connectivity.
While working from the remote locations, the users connect their laptop to a wired network that has internet access.
You plan to implement multi-factor authentication (MFA).
Which MFA authentication method can the users use from the remote location?
Correct answer: A
Task 1
You need to deploy multi-factor authentication (MFA). The solution must meet the following requirements:
* Require MFA registration only for members of the Sg-Finance group.
* Exclude Debra Berger from having to register for MFA.
* Implement the solution without using a Conditional Access policy.
Correct answer:
See the Explanation for the complete step by step solution.
Explanation:
To deploy Multi-Factor Authentication (MFA) for only the members of the Sg-Finance group, excluding Debra Berger, and without using a Conditional Access policy, you can follow these steps:
* Open the Microsoft Entra admin center:
  * Sign in as a Security Administrator or Global Administrator.
* Navigate to MFA settings:
  * Go to Users > Active users.
  * On the Active users page, select Multi-factor authentication.
* Manage user settings:
  * Find and select the Sg-Finance group.
  * Enable MFA for this group by setting the requirement status to Enabled.
* Exclude a user from MFA:
  * In the Multi-factor authentication page, search for Debra Berger.
  * Set her MFA status to Disabled to exclude her from MFA registration.
* Verify the configuration:
  * Ensure that all members of the Sg-Finance group have MFA enabled except for Debra Berger.
* Communicate the change:
  * Inform the Sg-Finance group members about the MFA requirement and provide instructions on how to register for MFA.
* Monitor the setup:
  * Check the sign-in logs to confirm that MFA is being prompted for the Sg-Finance group members and not for Debra Berger.
You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint Online site named Site1. Site1 hosts PDF files.
You need to prevent users from printing the files directly from Site1.
Which type of policy should you create in the Microsoft Defender for Cloud Apps portal?
Correct answer: D
You have an Azure subscription that contains the resources shown in the following table.
You create a Microsoft Entra user named User1.
Which identities can you add to VM1 and App1? To answer, select the appropriate options in the answer area.
NOTE: Each correct answer is worth one point.
Correct answer:
Explanation:
You have a custom cloud app named App1 that is registered in Azure Active Directory (Azure AD).
App1 is configured as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Correct answer:
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal
You have a Microsoft 365 tenant.
You have an Active Directory domain that syncs to the Azure Active Directory (Azure AD) tenant.
Users connect to the internet by using a hardware firewall at your company. The users authenticate to the firewall by using their Active Directory credentials.
You plan to manage access to external applications by using Azure AD.
You need to use the firewall logs to create a list of unmanaged external applications and the users who access them.
What should you use to gather the information?
Correct answer: A
You use Azure Monitor to analyze Azure Active Directory (Azure AD) activity logs.
You receive more than 100 email alerts each day for failed Azure AD user sign-in attempts.
You need to ensure that a new security administrator receives the alerts instead of you.
Solution: From Azure Monitor, you create a data collection rule.
Does this meet the goal?
Correct answer: B