Exam SC-300
Question 151

DRAG DROP

You have an Azure AD tenant that contains a user named Admin1.

Admin1 uses the Require password change for high-risk users policy template to create a new Conditional Access policy.

Who is included and excluded by default in the policy assignment? To answer, drag the appropriate options to the correct target. Each option may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

    Correct Answer:

Discussion
penatuna

Include: All users
Exclude: Admin1

These are the settings for the Require Password Change for High-Risk Users template:

- Users: All Users are Included – The current user creating the policy will be excluded
- Apps: All apps
- User Risk: Risk levels: High
- Access Control: Grant access – Require multifactor authentication AND Require password change

Conditional Access template policies will exclude only the user creating the policy from the template. If your organization needs to exclude other accounts, you will be able to modify the policy once they are created. You can find these policies in the Microsoft Entra admin center > Protection > Conditional Access > Policies. Select a policy to open the editor and modify the excluded users and groups to select accounts you want to exclude.

https://sccmentor.com/2023/03/26/just-dropped-in-to-see-what-condition-my-conditional-access-rule-was-in-part-6-require-password-change-for-high-risk-users/
https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=zero-trust#template-categories

Nyamnyam

Nice catch!

Kmkz83510

This is correct. Viewing the template shows Included: All users, Excluded: Current user (which is Admin1)

cgonIT

Wrong answer.

Include: All Users
Exclude: Current User (Admin1 in this case)

Tested in lab.

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk-user

agittunc

This is wrong, your link also doesn't say admin is excluded. All users guest/external as they are not managed by the specific tenant.

emartiy

The current user who is creating the policy is excluded, meaning Admin1, who is performing the operation :)

F_Dias

The correct answer is:

Include: All Users
Exclude: Current User (Admin1 in this example)

daschicken

All users & none... Microsoft even warns you in their docs to test CAPs in report-only mode before you lock yourself out. And logically, if you say all users in the first place, you can't say anything else than none as the 2nd answer, because the first answer wouldn't be all then ;)

ak1234

- All users
- All guest and external users

criminal1979

Just tested. Include: All Users, Exclude: Current User

RemmyT

Include: None
Exclude: None

The default settings when creating any new CA policy:

Users
0 users and groups selected
Control access based on who the policy will apply to, such as users and groups, workload identities, directory roles, or external guests.

Include
- None : default
- All users
- Select users and groups

Exclude
Select the users and groups to exempt from the policy
- Guest or external users : Unchecked
- Directory roles : Unchecked
- Users and groups : Unchecked

Policy can be enforced with "Enable policy".

Peeeedor

- All users
- All guest and external users

My thinking: The reason for excluding these is because they log in with external credentials! We do not manage their identity and therefore cannot enforce a PW reset? Also, in the real world I would also exclude the break-glass account (as mentioned in MS documentation)

ak1234

- All users
- All guest and external users
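
The template settings quoted in the discussion above (All users included, the creating user excluded, all apps, high user risk, MFA AND password change), written as a Microsoft Graph conditionalAccessPolicy body with a check for accounts that must stay excluded. This is an added example, not part of the original thread; the object IDs are constructed placeholders, and the report-only state and the function names are assumptions.

```python
# Field names follow the Microsoft Graph conditionalAccessPolicy resource.
# Object IDs are constructed placeholders; function names are hypothetical.

def template_policy(creator_id):
    """Policy body matching the template settings listed in the thread."""
    return {
        "displayName": "Require password change for high-risk users",
        # Assumption: created in report-only mode so it can be tested first.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [creator_id]},
            "applications": {"includeApplications": ["All"]},
            "userRiskLevels": ["high"],
        },
        "grantControls": {
            "operator": "AND",
            "builtInControls": ["mfa", "passwordChange"],
        },
    }

def audit_assignment(policy, must_exclude):
    """List accounts from must_exclude ({label: object_id}) that the policy
    still targets. Only direct user assignments are evaluated; group and
    role membership cannot be resolved offline."""
    users = policy["conditions"]["users"]
    included = users.get("includeUsers", [])
    excluded = set(users.get("excludeUsers", []))
    findings = []
    for label, oid in must_exclude.items():
        in_scope = "All" in included or oid in included
        if in_scope and oid not in excluded:
            findings.append(f"{label} is in scope and not excluded")
    if policy.get("state") == "enabled" and "All" in included and not excluded:
        findings.append("enforced for All users with no exclusions")
    return findings

if __name__ == "__main__":
    policy = template_policy("00000000-0000-0000-0000-0000000000a1")  # Admin1
    accounts = {
        "Admin1": "00000000-0000-0000-0000-0000000000a1",
        "BreakGlass": "00000000-0000-0000-0000-0000000000b9",
    }
    for finding in audit_assignment(policy, accounts):
        print(finding)
```

Run against the template as described, only the break-glass account is reported, since the template excludes only the user who created the policy.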