SC-300 Exam Dumps : Microsoft Identity and Access Administrator

In SC-300, the mitigation for unsolicited MFA prompts (push fatigue) is Fraud alert on Azure AD MFA. The materials state that administrators can “allow users to report suspicious MFA prompts and automatically block the user when they select Report fraud in Microsoft Authenticator.” By contrast, Account lockout settings are designed to “temporarily lock an account after a configurable number of consecutive MFA denials to thwart brute-force attempts,” and they do not initiate an automatic block tied to a user’s fraud report. The study guide further clarifies that fraud alerts “can automatically block the user for a specified period (default 90 days) when a fraudulent attempt is reported,” which is precisely the behavior required in the scenario. Therefore, merely configuring Account lockout settings will not meet the goal of automatically blocking users when they report an unsolicited prompt.

According to the Microsoft SC-300: Identity and Access Administrator official study guide and the Microsoft Learn “Implement and manage Azure AD Identity Protection” module, Azure AD Identity Protection detects two primary categories of risks: user risks and sign-in risks.

User Risk Policy:A user risk represents the probability that a user's identity (credentials) has been compromised. Examples of user risk signals include leaked credentials, unusual sign-ins from different geographies, or sign-ins from infected devices. The Exam Ref SC-300 specifically lists “leaked credentials detected on the dark web or other compromised repositories” as the main trigger for a user risk policy. Such a policy can automatically force password change or enforce MFA to remediate the threat.

Sign-in Risk Policy:A sign-in risk reflects the likelihood that a specific authentication attempt is not performed by the legitimate user. Sign-in risk is based on context, such as sign-ins from suspicious browsers, anonymous IP addresses (like TOR networks), or impossible travel scenarios. The SC-300 documentation highlights these examples as conditions best handled with a sign-in risk policy, where conditional access can block or require MFA for the risky sign-in attempt.

Therefore:

Leaked credentials are addressed through a User Risk Policy, since the account itself is compromised.

Sign-ins from suspicious browsers and access from anonymous IP addresses are handled through Sign-in Risk Policies, as they relate to risky sessions rather than compromised identities.