Question 1hardmulti select
Full question →hardmulti selectObjective-mapped
A contractor signs in to a project portal that integrates several SaaS apps. Access should be granted only while the user is on a managed device, assigned to the project, and using a fresh second factor. The business also wants the contractor to avoid separate logins to each app. Which three controls best fit this design? Select three.
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
A
Best answer
Use federation or SSO so the identity provider issues the session for all approved apps.
Federation and SSO allow one trusted identity provider to authenticate the user once and then pass that identity to approved applications. That matches the business requirement to avoid separate logins to each SaaS app. It also centralizes authentication control so access can be revoked or adjusted from one place.
B
Best answer
Use ABAC or conditional access rules that check project assignment and device compliance.
Attribute-based or conditional access is the right fit when access must depend on changing context, such as project membership and device posture. This goes beyond simple role assignment by checking conditions at sign-in. It helps ensure the contractor is authorized only when the device and assignment both meet policy.
C
Best answer
Require MFA and step-up authentication before the contractor reaches sensitive functions.
MFA reduces the chance that a stolen password alone can be used to enter the portal. Step-up authentication is useful when the user moves from ordinary tasks to sensitive actions, such as downloading data or approving changes. This matches the requirement for a fresh second factor and stronger verification at higher-risk points.
D
Distractor review
Create a shared project account so access can be revoked by changing one password.
Shared accounts destroy accountability because actions cannot be tied to a specific person. They also weaken least privilege and make revocation harder to audit. A contractor should have an individual identity so access decisions and session events remain traceable.
E
Distractor review
Issue long-lived refresh tokens that never expire unless the user reports a problem.
Long-lived tokens increase the risk that a stolen session remains valid far too long. They are the opposite of the fresh authentication and controlled session management the scenario requires. Sensitive environments need revocation, time limits, and reauthentication rather than indefinite trust.
Common exam trap
Common exam trap: authentication is not authorization
Logging in proves the user can authenticate. It does not automatically mean the user is allowed to enter privileged or configuration mode. Watch for AAA authorization, privilege level and command authorization details.
Technical deep dive
How to think about this question
This kind of question is testing the difference between identity and permission. A user may successfully log in to a router because authentication is working, but still fail to enter configuration mode because authorization is missing, misconfigured or mapped to a lower privilege level.
KKey Concepts to Remember
- Authentication checks who the user is.
- Authorization controls what the user is allowed to do after login.
- Privilege levels affect access to EXEC and configuration commands.
- AAA, TACACS+ and RADIUS can separate login success from command access.
TExam Day Tips
- Do not assume successful login means full administrative access.
- Look for words such as cannot enter configuration mode, privilege level, authorization or command access.
- Separate login problems from permission problems before choosing the answer.
Related practice questions
Related SY0-701 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Security+ social engineering questions
Practise SY0-701 questions linked to Security+ social engineering questions.
Security+ cryptography practice questions
Practise SY0-701 questions linked to Security+ cryptography.
Security+ IAM questions
Practise SY0-701 questions linked to Security+ IAM questions.
Security+ risk management questions
Practise SY0-701 questions linked to Security+ risk management questions.
Security+ incident response questions
Practise SY0-701 questions linked to Security+ incident response questions.
Security+ malware questions
Practise SY0-701 questions linked to Security+ malware questions.
Security+ vulnerability management questions
Practise SY0-701 questions linked to Security+ vulnerability management questions.
Security+ security operations questions
Practise SY0-701 questions linked to Security+ security operations questions.
Security+ zero trust questions
Practise SY0-701 questions linked to Security+ zero trust questions.
Security+ authentication factors questions
Practise SY0-701 questions linked to Security+ authentication factors questions.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
A laptop is suspected of being used in a malware incident. It is still powered on and connected to Wi-Fi. What should the responder do before shutting it down?
Question 2
An employee reports a ransomware note on a file server. The server is still powered on, shares are still being accessed, and management wants service restored as quickly as possible. What should the incident response team do first?
Question 3
An employee reports a ransomware note on a finance laptop. The laptop is still powered on, connected to Wi-Fi, and the user says they were just working in a spreadsheet. Management wants the fastest safe response that also preserves evidence. What should the responder do first?
Question 4
You are handed a company laptop suspected in an insider theft case. Legal says the evidence may be needed in court. Which action best preserves admissibility?
Question 5
A developer wants to reduce the risk of SQL injection in a new customer search form. Which two changes are the best mitigations? Select two.
Question 6
A branch office uses a flat LAN, and a compromise on one user workstation could spread quickly to finance systems. Management wants finance workstations isolated from general users, but finance staff still need access to a central finance application and network printer. What is the best design change?
FAQ
Questions learners often ask
What does this SY0-701 question test?
Authentication checks who the user is.
What is the correct answer to this question?
The correct answer is: Use federation or SSO so the identity provider issues the session for all approved apps. — The design needs centralized authentication, context-aware authorization, and stronger proof of identity. Federation or SSO gives the user one login across multiple SaaS apps. ABAC or conditional access enforces that the contractor is on a managed device and assigned to the project. MFA or step-up authentication ensures the user has a fresh second factor before access or sensitive actions. Together, these controls satisfy convenience and security requirements at the same time. Why others are wrong: Shared accounts and never-expiring tokens both undermine identity assurance and revocation. They make it harder to prove who did what and easier for stolen credentials to persist. The correct controls preserve individual accountability while enabling single sign-on and policy-based access decisions.
What should I do if I get this SY0-701 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
Discussion
Loading comments…
Sign in to join the discussion.