SC-300 Exam Questions

SC-300 Exam - Question 238


Case Study -

Overview -

ADatum Corporation is a consulting company in Montreal.

ADatum recently acquired a Vancouver-based company named Litware, Inc.

Existing Environment. ADatum Environment

The on-premises network of ADatum contains an Active Directory Domain Services (AD DS) forest named adatum.com.

ADatum has a Microsoft 365 E5 subscription. The subscription contains a verified domain that syncs with the adatum.com AD DS domain by using Azure AD Connect.

ADatum has an Azure Active Directory (Azure AD) tenant named adatum.com. The tenant has Security defaults disabled.

The tenant contains the users shown in the following table.

The tenant contains the groups shown in the following table.

Existing Environment. Litware Environment

Litware has an AD DS forest named litware.com.

Existing Environment. Problem Statements

ADatum identifies the following issues:

• Multiple users in the sales department have up to five devices. The sales department users report that sometimes they must contact the support department to join their devices to the Azure AD tenant because they have reached their device limit.

• A recent security incident reveals that several users leaked their credentials, a suspicious browser was used for a sign-in, and resources were accessed from an anonymous IP address.

• When you attempt to assign the Device Administrators role to IT_Group1, the group does NOT appear in the selection list.

• Anyone in the organization can invite guest users, including other guests and non-administrators.

• The helpdesk spends too much time resetting user passwords.

• Users currently use only passwords for authentication.

Requirements. Planned Changes -

ADatum plans to implement the following changes:

• Configure self-service password reset (SSPR).

• Configure multi-factor authentication (MFA) for all users.

• Configure an access review for an access package named Package1.

• Require admin approval for application access to organizational data.

• Sync the AD DS users and groups of litware.com with the Azure AD tenant.

• Ensure that only users that are assigned specific admin roles can invite guest users.

• Increase the maximum number of devices that can be joined or registered to Azure AD to 10.

Requirements. Technical Requirements

ADatum identifies the following technical requirements:

• Users assigned the User administrator role must be able to request permission to use the role when needed for up to one year.

• Users must be prompted to register for MFA and provided with an option to bypass the registration for a grace period.

• Users must provide one authentication method to reset their password by using SSPR. Available methods must include:

- Email

- Phone

- Security questions

- The Microsoft Authenticator app

• Trust relationships must NOT be established between the adatum.com and litware.com AD DS domains.

• The principle of least privilege must be used.

You need to implement the planned changes for application access to organizational data.

What should you configure?

Correct Answer: B

To implement the planned changes for application access to organizational data, you need to configure the User consent settings. By adjusting these settings, you can manage and control how users grant permissions to applications, particularly when these applications request access to organizational data. Admin approval can be required for specific applications, ensuring that consent is granted in a controlled manner and in alignment with the organization's policies. This approach ensures that only users with specific admin roles can invite guest users and adheres to the principle of least privilege.

Discussion

14 comments
marsot (Option: C)
Jul 31, 2023

Azure Portal > Azure AD > Identity Governance > (Entitlement Management heading) Access Packages > + New Access Package (from the top bar) > (Resources tab) + Applications > (Requests tab): in the section "Users who can request" we check the box "For users in your directory", and then "All members (incl. guests)", and then in the "Approval" section we select "Yes", etc.

Hull
Aug 26, 2023

One moment, either I'm reading the question and requirement wrong or the answer isn't correct. The requirement is: Require admin approval for application access to organizational data. To deny user consent for Azure applications, that can be done via User consent settings. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?pivots=portal That means answer should be B, not C. Someone please correct me if I'm missing this question completely.

penatuna
Sep 14, 2023

I'm with the Hull on this one. Correct me if I'm wrong. Requirements. Planned Changes: Require admin approval for application access to organizational data. "Before an application can access your organization's data, a user must grant the application permissions to do so. Different permissions allow different levels of access." "To allow users to request an administrator's review and approval of an application that the user isn't allowed to consent to, enable the admin consent workflow. For example, you might do this when user consent has been disabled or when an application is requesting permissions that the user isn't allowed to grant." If I understand correctly, you should first go to Identity > Applications > Enterprise applications > Consent and permissions > User consent settings. Under User consent for applications, choose Do not allow user consent. Then you should enable the admin consent workflow: Browse to Identity > Applications > Enterprise applications > Consent and permissions > Admin consent settings. Under Admin consent requests, select Yes for Users can request admin consent to apps they are unable to consent to.

Alcpt
Jun 10, 2024

This question context has nothing to do with access packages. The answer is B.

Discuss4certi (Option: B)
Jul 4, 2024

Require admin approval for application access to organizational data. This means the user settings should be: Under Admin consent requests, select Yes for Users can request admin consent to apps they are unable to consent to.

JCkD4Ni3L (Option: B)
Oct 25, 2023

"Require admin approval for application access to ***organizational data***" This can only be done through Admin Consent...

Sozo (Option: B)
Feb 18, 2024

To implement the planned changes for application access to organizational data while requiring admin approval, you should configure: B. the User consent settings By adjusting the User consent settings in Azure AD, you can manage and control how users grant permissions to applications, particularly when these applications request access to organizational data. Admin approval can be required for apps that need to access corporate resources, which ensures that consent is granted in a controlled manner and in alignment with the organization's policies. This setting aligns with the requirement to have admin approval for application access and follows the principle of least privilege.

LC_90 (Option: B)
Oct 5, 2023

I agree with Hull and Penatuna, this link talks about using the User consent settings to get admin approval https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow

Sneekygeek (Option: B)
Jan 30, 2024

Sounds more like app consent scenario because they call it "application access" which will always require admin consent. App packages can allow an approval process for access to use an application and these wouldn't necessarily require admin approval.

Matt19 (Option: B)
Dec 14, 2024

Require admin approval for application access to organizational data = done via user consent settings.

DasChi_cken (Option: B)
Oct 19, 2023

B is correct

JimboJones99 (Option: B)
Oct 19, 2023

Answer is B. Look at the next question "You configure User consent settings to allow users to provide consent to apps from verified publishers"

itismadu (Option: B)
Oct 26, 2023

To implement the requirement of requiring admin approval for application access to organizational data, you should configure: B. the User consent settings Configuring the User consent settings allows you to control whether users can grant consent to applications themselves or if admin approval is required for application access. By setting the User consent settings to "Require admin approval," you ensure that users cannot grant consent to applications accessing organizational data without the approval of an administrator. Options A, C, and D do not directly address the specific requirement of requiring admin approval for application access. Authentication methods, access packages, and application proxy are related to different aspects of identity and access management, but they do not directly pertain to user consent settings and approval requirements.

Sorrynotsorry (Option: B)
Nov 18, 2023

Only User Consent makes sense here

SumitSahoo
Oct 8, 2023

...approval for application access (to data) is needed, hence users need admin consent for approval.

Fijii (Option: B)
Mar 1, 2025

This is correct. You need to select "Do not allow user consent". Tested in my lab. In Entra, under User consent settings, you have the following three options:

- Do not allow user consent (an administrator will be required for all apps).

- Allow user consent for apps from verified publishers, for selected permissions (Recommended) (all users can consent for permissions classified as "low impact", for apps from verified publishers or apps registered in this organization).

- Allow user consent for apps (this is the default) (all users can consent for any app to access the organization's data).
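The two settings penatuna describes (disable user consent, then enable the admin consent workflow) and the three User consent options Fijii lists, expressed as Microsoft Graph PowerShell. This is an added example, not code from the exam page or from any commenter. It assumes the Microsoft.Graph module is installed and that the signed-in account holds the Policy.ReadWrite.Authorization permission; the reviewer object ID is a placeholder, not a value from the case study.

```powershell
# Added example: enforce "Require admin approval for application access to
# organizational data" in Entra ID with Microsoft Graph PowerShell.
# Assumes: Microsoft.Graph module installed, account with Policy.ReadWrite.Authorization.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'

# Step 1: read the current user consent setting. The three options in the portal
# correspond to the permission grant policies assigned to the default user role:
#   @()                                                            -> Do not allow user consent
#   'managePermissionGrantsForSelf.microsoft-user-default-low'     -> verified publishers, selected permissions
#   'managePermissionGrantsForSelf.microsoft-user-default-legacy'  -> Allow user consent for apps (default)
$before = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
Write-Host "Current user consent grant policies: $($before -join ', ')"

# Step 2: "Do not allow user consent": remove every self-service grant policy so that
# only an administrator can consent to an app that asks for organizational data.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }

# Step 3: enable the admin consent workflow so users can still request admin review
# of apps they are no longer allowed to consent to. Reviewers are users or groups;
# the object ID below is a placeholder.
$reviewerId = '00000000-0000-0000-0000-000000000000'   # placeholder object ID
$workflow = @{
    IsEnabled             = $true
    NotifyReviewers       = $true
    RemindersEnabled      = $true
    RequestDurationInDays = 30
    Reviewers             = @(
        @{ Query = "/users/$reviewerId"; QueryType = 'MicrosoftGraph' }
    )
}
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter $workflow

# Step 4: verify both settings took effect.
$after = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
if ($after.Count -ne 0) { throw 'User consent is still allowed for some apps.' }
if (-not (Get-MgPolicyAdminConsentRequestPolicy).IsEnabled) { throw 'Admin consent workflow is not enabled.' }
Write-Host 'User consent disabled; admin consent workflow enabled.'
```

Step 3 is what keeps the change workable after Step 2: without the workflow, a user who hits the consent block has no path to an administrator other than a helpdesk ticket, and the helpdesk load the case study already complains about goes up. Re-running Step 1 after the change is also a cheap drift check for this control.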

Obi_Wan_Jacoby (Option: B)
Apr 16, 2025

Answer b: the User consent settings