SC-100 Certification Practice Question #215

Question

Your company is developing an invoicing application that will use Azure AD B2C. The application will be deployed as an App Service web app.

You need to recommend a solution to the application development team to secure the application from identity-related attacks.

Which two configurations should you recommend? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

Accepted Answer

The question asks for two configurations that secure the B2C app specifically from *identity-related attacks*. Smart account lockout (B) directly defends against brute-force and dictionary credential attacks and is the canonical B2C anti-attack feature. Conditional Access integration with user flows/custom policies (A) brings Identity Protection risk signals to bear so risky sign-ins are challenged with MFA or blocked — a second, complementary identity-attack control. Access packages (C) govern entitlements rather than mitigate attacks, and custom ROPC flows (D) are a legacy password-grant flow that bypasses interactive protections and is explicitly discouraged, so it reduces rather than improves security. The Suggested Answer lists only B, but a "choose two" question needs a second part, and the community Most Voted (AB) plus MS Learn confirm A as the correct partner; confidence is set at 85 to reflect the Suggested-vs-MostVoted partial disagreement, resolved by MS Learn.

More SC-100 practice questions