The users must first: Register for multi-factor authentication (MFA)
You must configure: A user risk policy
According to Microsoft SC-300 official learning materials and Exam Ref SC-300: Microsoft Identity and Access Administrator, when the requirement is to address the probability that user identities were compromised, the appropriate feature is Azure AD Identity Protection. Identity Protection detects risky sign-ins and risky users through continuous analysis of sign-in behavior, location, device, and credential exposure signals.
Two types of policies can be created:
Sign-in risk policy – Triggers actions based on suspicious sign-in behavior (for example, unfamiliar location).
User risk policy – Triggers actions when the user’s overall identity is deemed at risk (for example, compromised credentials).
The documentation specifies:
“When user risk is detected, the policy can require the user to change their password to remediate the risk. Users must first be registered for MFA to perform secure password change operations.”
Therefore, before the user risk policy can be enforced, users must be registered for multi-factor authentication (MFA). MFA is used during the remediation step (password change) to verify the user’s identity securely; a user who is not registered cannot complete that step and is blocked instead of remediated.
Thus, to meet the requirement for “the probability that user identities were compromised,” you configure a user risk policy in Azure AD Identity Protection, and ensure that users first register for MFA so that they can complete password change or verification flows when risks are detected.
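As an added illustration (not part of the exam material or Microsoft's own tooling), the following Python builds a user-risk policy body in the shape used by the Microsoft Graph Conditional Access API, checks the grant-control rule that "require password change" must be paired with MFA under "require all controls", and lists users who would be locked out because they have not registered for MFA. The field names and the sample registration report are assumptions of this example.

```python
"""Plan a user risk policy and check its MFA-registration prerequisite."""


def build_user_risk_policy(display_name, risk_levels=("high",),
                           state="enabledForReportingButNotEnforced"):
    # Policy body as accepted by POST /identity/conditionalAccess/policies
    # (field names assumed for this example). Report-only state lets you
    # review impact before enforcing.
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "userRiskLevels": list(risk_levels),
        },
        "grantControls": {
            "operator": "AND",
            "builtInControls": ["mfa", "passwordChange"],
        },
    }


def validate_policy(policy):
    """Return a list of configuration problems (empty when the policy is sound)."""
    problems = []
    grant = policy.get("grantControls", {})
    controls = set(grant.get("builtInControls", []))
    if "passwordChange" in controls and "mfa" not in controls:
        problems.append("passwordChange requires mfa as a grant control")
    if "passwordChange" in controls and grant.get("operator") != "AND":
        problems.append("passwordChange with mfa must use operator AND")
    if not policy.get("conditions", {}).get("userRiskLevels"):
        problems.append("no userRiskLevels set; policy ignores user risk")
    return problems


def users_blocked_by_policy(registration_details):
    # Users without MFA registration cannot perform the secure password
    # change, so the policy would block them rather than remediate them.
    return sorted(u["userPrincipalName"] for u in registration_details
                  if not u.get("isMfaRegistered", False))


# Constructed sample resembling the userRegistrationDetails report
SAMPLE_REGISTRATIONS = [
    {"userPrincipalName": "alice@contoso.example", "isMfaRegistered": True},
    {"userPrincipalName": "bob@contoso.example", "isMfaRegistered": False},
    {"userPrincipalName": "carol@contoso.example", "isMfaRegistered": True},
]

if __name__ == "__main__":
    policy = build_user_risk_policy("Identity Protection - user risk high")
    print(validate_policy(policy))
    print(users_blocked_by_policy(SAMPLE_REGISTRATIONS))
```

Run the registration check against the real report before switching the policy from report-only to enabled, so that the listed users register for MFA first.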