SC-100 Certification Practice Question #220

Question

You have a Microsoft 365 tenant.

Your company uses a third-party software as a service (SaaS) app named App1 that is integrated with an Azure AD tenant.

You need to design a security strategy to meet the following requirements:

•	Users must be able to request access to App1 by using a self-service request.
•	When users request access to App1, they must be prompted to provide additional information about their request.
•	Every three months, managers must verify that the users still require access to App1.

What should you include in the design?

Accepted Answer

All three requirements map directly to Microsoft Entra ID Governance: self-service access requests + the prompt for additional information are delivered by **entitlement management** access packages (the My Access portal can require the requester to answer questions / provide business justification), and the quarterly manager recertification is delivered by recurring **access reviews**. Both capabilities are sub-features of Identity Governance, which is exactly option A. The Defender for Cloud Apps options govern cloud-app usage/sessions, not the request-and-review lifecycle, and Application Proxy is a reverse-proxy publishing feature — none provide the request workflow or periodic review. Suggested Answer, a unanimous Most Voted, two high-vote comments, and MS Learn all agree.

More SC-100 practice questions