SC-200 Certification Practice Question #98

Question

You have an on-premises datacenter that contains a custom web app named App1. App1 uses Active Directory Domain Services (AD DS) authentication and is accessible by using Microsoft Entra application proxy.

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.

You receive an alert that a user downloaded highly confidential documents.

You need to remediate the risk associated with the alert by requiring multi-factor authentication (MFA) when users use App1 to initiate the download of documents that have a Highly Confidential sensitivity label applied.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Accepted Answer

An on-premises app published through Microsoft Entra application proxy is governed by a Conditional Access policy to require MFA, and Conditional Access App Control routes that session into Microsoft Defender for Cloud Apps, where a session policy with "Control file download (with inspection)" filtered on the Highly Confidential sensitivity label blocks/requires-MFA on the labeled download. MS Learn explicitly ties application-proxy apps to Defender for Cloud Apps session policies and lists "require multifactor authentication" as a Conditional Access App Control session activity. All discussion comments (including the 3-👍 Sparkletoss with the canonical proxy-intro-aad citation) agree, so confidence is high despite no formal Suggested/Most-Voted marker.

More SC-200 practice questions