SC-100 Certification Practice Question #203

Question

Your company is developing an invoicing application that will use Azure Active Directory (Azure AD) B2C. The application will be deployed as an App Service web app.
You need to recommend a solution to the application development team to secure the application from identity-related attacks.
Which two configurations should you recommend? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

Accepted Answer

This is a "choose two" item asking how to secure a B2C-backed app from identity-related attacks. Both Conditional Access (adaptive/risk-based access enforcement, including MFA) and smart account lockout (brute-force/credential-attack mitigation) are documented B2C protections that directly defend against identity attacks. The official Suggested Answer lists only C, but the question requires two selections and a near-unanimous community (56 votes, plus the two highest-voted comments) plus MS Learn confirm B as the second answer. A merely monitors, D is a B2B-only governance feature with no B2C support, and E (ROPC) is a credential-based flow that reduces rather than improves security. Confidence is set at 90 rather than higher because the printed Suggested Answer is a single letter, but the partial-answer format and overwhelming corroboration make BC the clear intended pair.

More SC-100 practice questions