
SC-300 Exam - Question 168


DRAG DROP -

You have an Azure AD tenant that contains a user named Admin1.

Admin1 uses the Require password change for high-risk users policy template to create a new Conditional Access policy.

Who is included and excluded by default in the policy assignment? To answer, drag the appropriate options to the correct target. Each option may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Correct Answer:

Discussion

10 comments
penatuna
Oct 31, 2023

Include: All users
Exclude: Admin1

These are the settings for the Require Password Change for High-Risk Users template:

- Users: All Users are Included – The current user creating the policy will be excluded
- Apps: All apps
- User Risk: Risk levels: High
- Access Control: Grant access – Require multifactor authentication AND Require password change

Conditional Access template policies will exclude only the user creating the policy from the template. If your organization needs to exclude other accounts, you will be able to modify the policy once they are created. You can find these policies in the Microsoft Entra admin center > Protection > Conditional Access > Policies. Select a policy to open the editor and modify the excluded users and groups to select accounts you want to exclude.

https://sccmentor.com/2023/03/26/just-dropped-in-to-see-what-condition-my-conditional-access-rule-was-in-part-6-require-password-change-for-high-risk-users/

https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=zero-trust#template-categories
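Added example, not part of the comment above: a small audit of an exported policy against the template settings that comment lists, which also flags emergency accounts left out of the exclusions. Field names follow the Microsoft Graph `conditionalAccessPolicy` resource; the object IDs, the sample policy and the `audit_policy` helper are constructed for illustration.

```python
import json

# Constructed sample: a policy shaped like the Microsoft Graph
# conditionalAccessPolicy resource, with the template values from the comment.
# The object IDs are placeholders, not real accounts.
ADMIN1 = "00000000-0000-0000-0000-0000000000a1"       # policy creator (placeholder)
BREAK_GLASS = "00000000-0000-0000-0000-0000000000b9"  # emergency account (placeholder)

SAMPLE_POLICY = json.loads("""
{
  "displayName": "Require password change for high-risk users",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {"includeUsers": ["All"],
              "excludeUsers": ["00000000-0000-0000-0000-0000000000a1"]},
    "applications": {"includeApplications": ["All"]},
    "userRiskLevels": ["high"]
  },
  "grantControls": {"operator": "AND",
                    "builtInControls": ["mfa", "passwordChange"]}
}
""")


def audit_policy(policy, creator_id, break_glass_ids):
    """Return a list of findings; an empty list means nothing to review."""
    findings = []
    users = policy.get("conditions", {}).get("users", {})
    excluded = set(users.get("excludeUsers", []))
    if "All" not in users.get("includeUsers", []):
        findings.append("scope: policy does not include All users")
    if creator_id not in excluded:
        findings.append("scope: creator is not excluded (differs from template default)")
    for missing in sorted(set(break_glass_ids) - excluded):
        findings.append(f"lockout: break-glass account {missing} is not excluded")
    if policy.get("conditions", {}).get("userRiskLevels") != ["high"]:
        findings.append("risk: userRiskLevels is not exactly ['high']")
    grant = policy.get("grantControls") or {}
    required = {"mfa", "passwordChange"}
    if grant.get("operator") != "AND" or not required <= set(grant.get("builtInControls", [])):
        findings.append("grant: must require mfa AND passwordChange")
    if policy.get("state") == "enabled" and findings:
        findings.append("state: enforced with open findings; use report-only first")
    return findings


if __name__ == "__main__":
    for line in audit_policy(SAMPLE_POLICY, ADMIN1, {BREAK_GLASS}):
        print(line)
```

With the sample policy, the only finding is the break-glass account missing from `excludeUsers`, since the template excludes just the creating user.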

Nyamnyam
Nov 9, 2023

Nice catch!

Kmkz83510
Dec 7, 2023

This is correct. Viewing the template shows Included: All users, Excluded: Current user (which is Admin1)

cgonIT
Oct 9, 2023

Wrong answer.

Include: All Users
Exclude: Current User (Admin1 in this case)

Tested in lab.

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk-user

agittunc
Oct 29, 2023

This is wrong, your link also doesn't say admin is excluded. All users guest/external as they are not managed by the specific tenant.

emartiy
Mar 27, 2024

The current user who is creating the policy is excluded, meaning Admin1, who is performing the operation :)

F_Dias
Oct 22, 2023

The correct answer is:

Include: All Users
Exclude: Current User (Admin1 in this example)

DasChi_cken
Oct 16, 2023

All users & none... Microsoft even warns you in their docs to test CAPs in report-only mode before you lock yourself out. And logically, if you say all users in the first place, you can't say anything else than none as the 2nd answer, because the first answer wouldn't be all then ;)

AK_1234
Oct 28, 2023

- All users - All guest and external users

AK_1234
Oct 11, 2023

- All users - All guest and external users

Peeeedor
Oct 29, 2023

- All users
- All guest and external users

My thinking: The reason for excluding these is because they log in with external credentials! We do not manage their identity and therefore cannot enforce a PW reset? Also, in the real world I would exclude the break-glass account as well (as mentioned in the MS documentation).

RemmyT
Jun 5, 2024

Include: None
Exclude: None

The default settings when creating any new CA policy:

Users
0 users and groups selected
Control access based on who the policy will apply to, such as users and groups, workload identities, directory roles, or external guests.

Include
- None: default
- All users
- Select users and groups

Exclude
Select the users and groups to exempt from the policy
- Guest or external users: Unchecked
- Directory roles: Unchecked
- Users and groups: Unchecked

Policy can be enforced with "Enable policy".

criminal1979
Jul 11, 2024

Just tested. Include: All Users, Exclude: Current User

d1e85d9
Mar 14, 2025

Include: All Users Exclude: Admin1 (current user, which is already inside all users)