Question 417 of 1,411

Quick Answer

The answer is Conditional Access App Control (CAAC). This capability is correct because it enforces real-time session policies that can block downloads based on sensitivity labels and device compliance, directly addressing the need to monitor and control data activities in third-party cloud apps like Box. By integrating with Microsoft Defender for Cloud Apps, CAAC intercepts user sessions and applies granular controls, such as preventing file downloads when the device is unmanaged and the file carries a 'Confidential' label. On the SC-900 exam, this tests your understanding of how Defender for Cloud Apps extends Azure AD Conditional Access policies to non-Microsoft apps at the session level. A common trap is confusing CAAC with app discovery or cloud app permissions; remember that CAAC is about real-time control during an active session, not just visibility. A helpful memory tip: think "CAAC intercepts the click" — it acts on the user's action in the moment, blocking or monitoring based on context like device and label.

SC-900 Practice Question: Describe the capabilities of Microsoft security solutions

This SC-900 practice question tests your understanding of describe the capabilities of microsoft security solutions. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company uses Microsoft Defender for Cloud Apps to secure its cloud applications. The security team wants to monitor and control data activities in a third-party cloud app (e.g., Box) in real time. Specifically, they need to block downloads of files that have a 'Confidential' sensitivity label when users access the app from unmanaged devices. Which capability of Microsoft Defender for Cloud Apps should they configure?

Question 1mediummultiple choice
Full question →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Conditional Access App Control

Conditional Access App Control (CAAC) is the correct capability because it enforces real-time session policies that can block downloads based on sensitivity labels and device compliance. By integrating with Microsoft Defender for Cloud Apps, CAAC intercepts user sessions to third-party apps like Box and applies granular controls, such as blocking file downloads when the device is unmanaged and the file carries a 'Confidential' label.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Cloud Discovery

    Why it's wrong here

    Cloud Discovery identifies cloud apps in use but does not provide real-time control of data activities.

  • App connector

    Why it's wrong here

    App connectors enable integration with cloud apps for log collection and API-based controls, not real-time session monitoring.

  • Conditional Access App Control

    Why this is correct

    Correct. This feature provides session-level control to monitor and restrict data access in real time.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Information protection

    Why it's wrong here

    Information protection covers classification and labeling, but not the real-time session control needed here.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is confusing API-based app connectors (which control data at rest) with reverse proxy-based Conditional Access App Control (which controls data in motion during user sessions).

Detailed technical explanation

How to think about this question

Conditional Access App Control works by routing user traffic through a reverse proxy, allowing Defender for Cloud Apps to inspect HTTP headers and payloads in real time. When a user attempts to download a file with a 'Confidential' sensitivity label from an unmanaged device, the session policy triggers an HTTP 403 response or redirects to a block page, preventing the download. This capability relies on Azure AD Conditional Access policies to redirect the session to Defender for Cloud Apps, where the policy is evaluated against attributes like device state and sensitivity label metadata.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related SC-900 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free SC-900 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this SC-900 question test?

Describe the capabilities of Microsoft security solutions — This question tests Describe the capabilities of Microsoft security solutions — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Conditional Access App Control — Conditional Access App Control (CAAC) is the correct capability because it enforces real-time session policies that can block downloads based on sensitivity labels and device compliance. By integrating with Microsoft Defender for Cloud Apps, CAAC intercepts user sessions to third-party apps like Box and applies granular controls, such as blocking file downloads when the device is unmanaged and the file carries a 'Confidential' label.

What should I do if I get this SC-900 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

5 more ways this is tested on SC-900

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. Which TWO of the following are capabilities of Microsoft Defender for Cloud Apps? (Select TWO.)

medium
  • A.Enforce device compliance policies
  • B.Provide threat analytics reports
  • C.Control access with Conditional Access App Control
  • D.Classify sensitive data across cloud apps
  • E.Discover shadow IT cloud apps

Why C: Correct: Discover shadow IT (A) and Control access via Conditional Access App Control (D). Option B: DLP is in Purview, not Defender for Cloud Apps. Option C: Device compliance is in Intune/Entra. Option E: Threat analytics is in Defender for Endpoint/Office.

Variation 2. Which TWO of the following are capabilities of Microsoft Defender for Cloud Apps?

medium
  • A.Information protection for files in Microsoft 365
  • B.Session controls to monitor and control app access in real time
  • C.Cloud discovery to identify shadow IT
  • D.Identity governance and access reviews
  • E.Vulnerability assessment for Azure virtual machines

Why B: Microsoft Defender for Cloud Apps provides session controls that leverage reverse proxy architecture to monitor and control user app access in real time, enabling conditional access policies for cloud apps. Cloud discovery uses traffic logs from network appliances or Windows endpoints to identify shadow IT by analyzing app usage and risk scores.

Variation 3. Which THREE capabilities are provided by Microsoft Defender for Cloud Apps? (Choose three.)

hard
  • A.Threat detection to identify malicious behavior in cloud apps
  • B.Cloud Discovery to identify shadow IT
  • C.Email scanning and remediation
  • D.Endpoint detection and response (EDR)
  • E.Information protection to apply labels to files stored in cloud apps

Why A: Options A, B, and C are correct. Cloud Access Security Brokers (CASB) provide discovery, data protection, and threat detection. Option D is incorrect because endpoint detection is in Defender for Endpoint. Option E is incorrect because email scanning is in Defender for Office 365.

Variation 4. Which TWO capabilities are provided by Microsoft Defender for Cloud Apps?

medium
  • A.Email security
  • B.Cloud Discovery to identify shadow IT
  • C.Data loss prevention for cloud apps
  • D.Endpoint detection and response
  • E.Identity protection

Why B: Option A is correct because Defender for Cloud Apps provides cloud discovery to identify shadow IT. Option C is correct because it offers DLP capabilities for cloud apps. Option B is wrong because endpoint detection is provided by Defender for Endpoint. Option D is wrong because identity protection is provided by Entra ID Protection. Option E is wrong because email security is provided by Defender for Office 365.

Variation 5. Which TWO are features of Microsoft Defender for Cloud Apps? (Choose two.)

hard
  • A.Apply sensitivity labels to files
  • B.Investigate email-borne attacks
  • C.Vulnerability management for endpoints
  • D.Cloud Discovery to identify shadow IT
  • E.App governance for OAuth apps

Why D: Options A and D are correct. Cloud Discovery identifies shadow IT. App governance controls OAuth apps. Option B is wrong because sensitivity labels are in Purview. Option C is wrong because email attack investigation is in Defender for Office 365. Option E is wrong because endpoint vulnerability management is in Defender for Endpoint.

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This SC-900 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SC-900 exam.