Question 10 - Microsoft Identity SC-300 Real Exam Questions [March 2026 Update]

Q: 10

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Cloud Apps. You need to identify which users access Facebook from their devices and browsers. The solution must minimize administrative effort. What should you do first?

Options

Discussion

Avery O. Mar 1, 2026 9:21 pm

Option A every time for fast identification, barely any admin overhead.

Sean A. Feb 18, 2026 12:05 pm

A imo, had almost the same in a practice set last month, first step is mark Facebook unsanctioned.

Zoe Feb 20, 2026 6:00 am

C tbh, since creating a Defender for Cloud Apps access policy lets you specify Facebook and see user activity. Feels like the direct way, but I get why A is tempting for quick tagging.

Logan Feb 28, 2026 7:38 pm

Its C, create a Defender for Cloud Apps access policy.

Emma U. Feb 25, 2026 7:47 pm

C/D? I always thought creating a Defender for Cloud Apps access policy (C) was the first step if you want to track who is using something like Facebook. Conditional Access could also come in here, so not 100%.

HelpfulConsultant1857 Feb 25, 2026 6:39 pm

A imo. Tagging Facebook as unsanctioned in Defender for Cloud Apps lets you filter its usage right away, minimizing admin work. C feels like a trap here since that's more for blocking or controlling rather than just quick identification. Agree?

LunaB Feb 21, 2026 4:35 am

Its A, but if you needed to block or restrict access instead of just identify users, I'd switch to C.

Parker H. Mar 6, 2026 6:26 pm

C/D? I'm not sure, I'd probably start with C instead for identifying specific access. Could be wrong.

Skyler E. Mar 4, 2026 10:07 pm

C seems like the way to go, since a Defender for Cloud Apps access policy could let you target Facebook traffic directly and see those users. I thought that would be the fastest route. Not super confident though, maybe I'm missing some shortcut in A?

OwenV Feb 23, 2026 8:51 pm

A imo. Tagging Facebook as unsanctioned in Defender for Cloud Apps makes it super quick to filter and report on who accessed it. C can look tempting but it's more about enforcing controls, not just spotting usage with minimal work. If you wanted to block, sure, but for this question I think A fits best. Anyone see a reason C would actually be less effort here?

Be respectful. No spam.

Correct Answer:

Explanation

Microsoft Defender for Cloud Apps automatically discovers cloud application usage (Shadow IT) by analyzing traffic logs from sources like Microsoft Defender for Endpoint. This discovery process populates the "Discovered apps" page. To efficiently identify users accessing a specific application like Facebook, the first administrative action is to classify the app. By tagging Facebook as "Unsanctioned," you are not blocking it, but rather categorizing it for easier monitoring and filtering. This simple, low-effort action allows you to use the Cloud Discovery filters to immediately isolate all usage data for Facebook and identify the specific users, devices, and browsers involved.

Why Incorrect

B. Create an app configuration policy in Microsoft Endpoint Manager.

This is incorrect because app configuration policies are used to configure settings for managed applications on enrolled devices, not for discovering or identifying unmanaged cloud app usage.

C. Create a Defender for Cloud Apps access policy.

This is a subsequent step. Access policies are control mechanisms to manage real-time sessions (e.g., block downloads) after an app has already been discovered and classified.

D. Create a Conditional Access policy.

This is also a control mechanism. Conditional Access policies enforce access requirements (like MFA) for apps but are not the primary tool for the initial discovery and identification of users.

---

References

1. Microsoft Learn. (2023). Sanctioning/unsanctioning an app. In Microsoft Defender for Cloud Apps documentation. Retrieved from https://learn.microsoft.com/en-us/defender-cloud-apps/governance-actions#sanctioningunsanctioning-an-app.

Section: Sanctioning/unsanctioning an app.

Quote: "Marking an app as unsanctioned doesn't block use

but enables you to more easily monitor its use with the Cloud Discovery filters." This directly supports that unsanctioning is a primary step for monitoring and identification.

2. Microsoft Learn. (2023). Working with discovered apps. In Microsoft Defender for Cloud Apps documentation. Retrieved from https://learn.microsoft.com/en-us/defender-cloud-apps/discovered-apps.

Section: Discovered apps page.

Content: This document explains that after apps are discovered

a primary task for the administrator is to review and classify them. It states

"Once you've identified an app

you can sanction or unsanction it." This establishes sanctioning/unsanctioning as a foundational administrative step in managing discovered apps.

3. Microsoft Learn. (2023). Set up Cloud Discovery. In Microsoft Defender for Cloud Apps documentation. Retrieved from https://learn.microsoft.com/en-us/defender-cloud-apps/set-up-cloud-discovery.

Section: Cloud Discovery dashboard.

Content: This document describes the workflow for Shadow IT discovery. The process begins with data collection and analysis

which is largely automatic. The first manual administrative phase involves evaluating the discovered apps

which includes the act of sanctioning or unsanctioning to apply organizational policy and facilitate further monitoring.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE