Exam SC-300 All Questions
Question 191

Case Study -

Overview -

ADatum Corporation is a consulting company in Montreal.

ADatum recently acquired a Vancouver-based company named Litware, Inc.

Existing Environment. ADatum Environment

The on-premises network of ADatum contains an Active Directory Domain Services (AD DS) forest named adatum.com.

ADatum has a Microsoft 365 E5 subscription. The subscription contains a verified domain that syncs with the adatum.com AD DS domain by using Azure AD Connect.

ADatum has an Azure Active Directory (Azure AD) tenant named adatum.com. The tenant has Security defaults disabled.

The tenant contains the users shown in the following table.

The tenant contains the groups shown in the following table.

Existing Environment. Litware Environment

Litware has an AD DS forest named litware.com.

Existing Environment. Problem Statements

ADatum identifies the following issues:

• Multiple users in the sales department have up to five devices. The sales department users report that sometimes they must contact the support department to join their devices to the Azure AD tenant because they have reached their device limit.

• A recent security incident reveals that several users leaked their credentials, a suspicious browser was used for a sign-in, and resources were accessed from an anonymous IP address.

• When you attempt to assign the Device Administrators role to IT_Group1, the group does NOT appear in the selection list.

• Anyone in the organization can invite guest users, including other guests and non-administrators.

• The helpdesk spends too much time resetting user passwords.

• Users currently use only passwords for authentication.

Requirements. Planned Changes -

ADatum plans to implement the following changes:

• Configure self-service password reset (SSPR).

• Configure multi-factor authentication (MFA) for all users.

• Configure an access review for an access package named Package1.

• Require admin approval for application access to organizational data.

• Sync the AD DS users and groups of litware.com with the Azure AD tenant.

• Ensure that only users that are assigned specific admin roles can invite guest users.

• Increase the maximum number of devices that can be joined or registered to Azure AD to 10.

Requirements. Technical Requirements

ADatum identifies the following technical requirements:

• Users assigned the User administrator role must be able to request permission to use the role when needed for up to one year.

• Users must be prompted to register for MFA and provided with an option to bypass the registration for a grace period.

• Users must provide one authentication method to reset their password by using SSPR. Available methods must include:

- Email

- Phone

- Security questions

- The Microsoft Authenticator app

• Trust relationships must NOT be established between the adatum.com and litware.com AD DS domains.

• The principle of least privilege must be used.

You need to implement the planned changes for application access to organizational data.

What should you configure?

    Correct Answer: B

    To implement the planned changes for application access to organizational data, you need to configure the User consent settings. By adjusting these settings, you can manage and control how users grant permissions to applications, particularly when these applications request access to organizational data. Admin approval can be required for specific applications, ensuring that consent is granted in a controlled manner and in alignment with the organization's policies. This approach ensures that only users with specific admin roles can invite guest users and adheres to the principle of least privilege.

Discussion
marsot (Option: C)

Azure Portal > Azure AD > Identity Governance > (Entitlement Management heading) Access Packages > + New Access Package (from the top bar) > (Resources tab) + Applications > (Requests tab): in the section "Users who can request" we check the box "For users in your directory", then "All members (including guests)", and then in the "Approval" section we select "Yes", etc.

Hull

One moment, either I'm reading the question and requirement wrong or the answer isn't correct. The requirement is: Require admin approval for application access to organizational data. To deny user consent for Azure applications, that can be done via User consent settings. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?pivots=portal That means answer should be B, not C. Someone please correct me if I'm missing this question completely.

penatuna

I'm with Hull on this one. Correct me if I'm wrong. Requirements. Planned Changes: Require admin approval for application access to organizational data. "Before an application can access your organization's data, a user must grant the application permissions to do so. Different permissions allow different levels of access." "To allow users to request an administrator's review and approval of an application that the user isn't allowed to consent to, enable the admin consent workflow. For example, you might do this when user consent has been disabled or when an application is requesting permissions that the user isn't allowed to grant." If I understand correctly, you should first go to Identity > Applications > Enterprise applications > Consent and permissions > User consent settings. Under User consent for applications, choose Do not allow user consent. Then you should enable the admin consent workflow: browse to Identity > Applications > Enterprise applications > Consent and permissions > Admin consent settings. Under Admin consent requests, select Yes for Users can request admin consent to apps they are unable to consent to.
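The two portal steps penatuna describes (disable user consent, then enable the admin consent workflow) map to two Microsoft Graph policy objects. The following Microsoft Graph PowerShell script is an added example, not part of the exam page or any commenter's post; it assumes the Microsoft.Graph.Authentication module is installed, that the signed-in account can write authorization and consent-request policy, and uses a placeholder reviewer UPN.

```powershell
# Added example: enforce "admin approval for application access to organizational data"
# via Microsoft Graph instead of the portal. Assumes Microsoft.Graph.Authentication is
# installed and the signed-in account holds a role that may write these policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest", "User.Read.All"

$graph = "https://graph.microsoft.com/v1.0"

# 1. Inspect the current user consent setting. permissionGrantPoliciesAssigned is what
#    the portal's "User consent for applications" radio buttons write:
#      (empty)                                                      -> Do not allow user consent
#      ManagePermissionGrantsForSelf.microsoft-user-default-low     -> verified publishers, selected permissions
#      ManagePermissionGrantsForSelf.microsoft-user-default-legacy  -> allow consent to any app (weakest)
$policy  = Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/authorizationPolicy"
$current = @($policy.defaultUserRolePermissions.permissionGrantPoliciesAssigned)
if ($current.Count -eq 0) { Write-Host "User consent is already disabled." }
else { Write-Host "User consent currently allowed by: $($current -join ', ')" }

# 2. Disable user consent entirely, so every app permission request needs an admin.
$disableUserConsent = @{
    defaultUserRolePermissions = @{ permissionGrantPoliciesAssigned = @() }
} | ConvertTo-Json -Depth 5
Invoke-MgGraphRequest -Method PATCH -Uri "$graph/policies/authorizationPolicy" `
    -Body $disableUserConsent -ContentType "application/json"

# 3. Enable the admin consent workflow so blocked users can ask a reviewer instead of
#    the helpdesk. The reviewer UPN below is a placeholder, not a real account.
$reviewer = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/consent-reviewer@example.com?`$select=id"
$adminConsentRequests = @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30
    reviewers             = @(@{ query = "/users/$($reviewer.id)"; queryType = "MicrosoftGraph" })
} | ConvertTo-Json -Depth 5
Invoke-MgGraphRequest -Method PUT -Uri "$graph/policies/adminConsentRequestPolicy" `
    -Body $adminConsentRequests -ContentType "application/json"

# 4. Verify both settings took effect before closing the change.
$policy = Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/authorizationPolicy"
$acr    = Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/adminConsentRequestPolicy"
if (@($policy.defaultUserRolePermissions.permissionGrantPoliciesAssigned).Count -eq 0 -and $acr.isEnabled) {
    Write-Host "User consent disabled and admin consent requests enabled."
} else {
    Write-Warning "Settings did not apply as expected; check the signed-in account's role."
}
```

Step 1 is worth running on its own as an audit: a tenant still on the legacy policy lets any user grant an app access to organizational data with no admin in the loop.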

Alcpt

This question's context has nothing to do with access packages. The answer is B.

Sozo (Option: B)

To implement the planned changes for application access to organizational data while requiring admin approval, you should configure: B. the User consent settings. By adjusting the User consent settings in Azure AD, you can manage and control how users grant permissions to applications, particularly when these applications request access to organizational data. Admin approval can be required for apps that need to access corporate resources, which ensures that consent is granted in a controlled manner and in alignment with the organization's policies. This setting aligns with the requirement to have admin approval for application access and follows the principle of least privilege.

JCkD4Ni3L (Option: B)

"Require admin approval for application access to ***organizational data***" This can only be done through Admin Consent...

Sneekygeek (Option: B)

Sounds more like app consent scenario because they call it "application access" which will always require admin consent. App packages can allow an approval process for access to use an application and these wouldn't necessarily require admin approval.

itismadu (Option: B)

To implement the requirement of requiring admin approval for application access to organizational data, you should configure: B. the User consent settings. Configuring the User consent settings allows you to control whether users can grant consent to applications themselves or if admin approval is required for application access. By setting the User consent settings to "Require admin approval," you ensure that users cannot grant consent to applications accessing organizational data without the approval of an administrator. Options A, C, and D do not directly address the specific requirement of requiring admin approval for application access. Authentication methods, access packages, and application proxy are related to different aspects of identity and access management, but they do not directly pertain to user consent settings and approval requirements.

LC_90 (Option: B)

I agree with Hull and Penatuna; this link talks about using the User consent settings to get admin approval: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow

Discuss4certi (Option: B)

Require admin approval for application access to organizational data. This means the user settings should be: Under Admin consent requests, select Yes for Users can request admin consent to apps they are unable to consent to.

Sorrynotsorry (Option: B)

Only User Consent makes sense here.

JimboJones99 (Option: B)

Answer is B. Look at the next question: "You configure User consent settings to allow users to provide consent to apps from verified publishers."

daschicken (Option: B)

B is correct.

SumitSahoo (Option: B)

Approval for application access (to data) is needed; hence users need admin consent for approval.