SC-200 Respond to security incidents • Set 20
SC-200 Respond to security incidents Practice Test 20 — 15 questions with explanations. Free, no signup.
Your security team is investigating a suspicious sign-in from an unfamiliar IP address. The user has Microsoft Entra ID P2 licenses and is assigned a Conditional Access policy that requires MFA for all cloud apps. During the incident response, you find that the sign-in succeeded despite the user not completing MFA. Which action should you take first to investigate the discrepancy?