Microsoft Security Operations Analyst Associate SC-200 Practice Question
While triaging an incident in the Microsoft Defender portal, you open the compromised user page for an Azure AD (Microsoft Entra ID) account that is flagged with high user risk. You must immediately stop any future authentication attempts from this account while the investigation continues. Which action should you take from the portal to achieve this?
Revoke the user's refresh tokens to force sign-out
Confirm user compromised
Require the user to reset their password at next sign-in
Choosing the Disable user (also called Block sign-in) action changes the account's Azure AD sign-in state to blocked. This prevents all interactive and non-interactive authentication attempts until you manually re-enable the account, fully containing the threat during investigation.
Confirm user compromised only labels the risk state and may trigger automated remediation policies, but it does not itself prevent sign-ins.
Revoking refresh tokens signs the user out of current sessions but still allows new authentications as long as the account is enabled.
Requiring a password reset forces the user to change credentials at the next logon, yet the account can still authenticate, so it does not guarantee immediate containment.
Therefore, disabling the user is the appropriate immediate containment step.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does 'Disable user (block sign-in)' do in Microsoft Defender portal?
Open an interactive chat with Bash
What is the difference between 'Disable user' and 'Revoke refresh tokens'?
Open an interactive chat with Bash
How does the 'Confirm user compromised' action differ from disabling a user?
Open an interactive chat with Bash
Microsoft Security Operations Analyst Associate SC-200
Manage incident response
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .