Exam MS-102 topic 1 question 247 discussion

Have not tested, but I think YNY since the question is about registration. U1 - User will be prompted because they are in Group1. They aren't currently registered and would be required to do so because of registration policy. Does not matter if they are excluded from CA. Remember register, not necessarily use for access. U2 - Already registered. U3 - User not registered. Even though they are excluded from the registration policy, they need MFA for CA, so they are forced to register anyway.

Statement 1 = Yes - User 1 is part of group 1 with MFA status disabled and, as per the MFA registration policy, will need to register for MFA. Statement 2 = No - Although part of group one and two, they already have MFA enabled so will not need to register for it Statement 3 = No - does not have MFA anebled already is part of group 2 so is excluded from registration policy, therefore will not need to register. Y, N, N This are my thoughts but please comment if you think im wrong or have any further points to add :)

N,N,Y User1-Group 1 included in MFA registration policy, but Group 1 excluded in CA, so: NO (since CA doesn't apply, User 1 can bypass). User2-Group 1 included and Group 2 excluded (takes precedence) in MFA registration policy, but user 2 already has MFA enabled. In CA, Group 1 is excluded (takes precedence), so: NO User3-Group 2 excluded in MFA registration policy, but Group 2 included in CA, so: YES (since CA applies, user 3 cannot bypass).

Answer is NNY N - because user 1 is a part of group1 and excluded in Conditional access policy, so MFA not required N - because user 2 is part of both groups, so in Conditional access policy he is included and excluded, so rule is nullified, so no MFA Y - user 3 is a part of group 2 which is included in CAP, so yes

1. User1 will be required to register for MFA on the next sign-in – No Although User1 is in Group1, which is included in the MFA registration policy, they are also part of Group2, which is excluded. Therefore, User1 will not be required to register. 2. User2 will be required to register for MFA on the next sign-in – No User2 is in Group2 (excluded from the MFA registration policy) and Group1 (included). However, the exclusion takes precedence, so User2 will not be required to register. 3. User3 will be required to register for MFA on the next sign-in – Yes User3 is not mentioned as part of Group2 (excluded), so they fall under the MFA registration policy's Group1 inclusion and will be required to register.

https://learn.microsoft.com/en-ie/entra/fundamentals/security-defaults Disabled MFA status If your organization is a previous user of per-user based multifactor authentication, don't be alarmed to not see users in an Enabled or Enforced status if you look at the multifactor authentication status page. Disabled is the appropriate status for users who are using security defaults or Conditional Access based multifactor authentication

User1 = No = Groiup1, MFA disabled User2 = No = He is part of Group1 User3 = Yes = He is part of MFA Enabled Group2

When MFA is being pushed from MFA Registration policy, you are not required to setup MFA on the very next login. You have 14 days to complete it. Given answers are correct.

Microsoft Entra multifactor authentication user states All users start out Disabled. When you enroll users in per-user Microsoft Entra multifactor authentication, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced. Administrators may move users between states, including from Enforced to Enabled or Disabled.

https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates

No Yes Yes

Yes No Yes if you enable MFA via the MFA portal, you completely rub out the ability to utilize Conditional Access Policies. You must have the Azure MFA user state set to disabled, and a CA policy configured to require multi factor authentication for CA based settings to apply. -user1 excluded from the CA but enforced to register MFA based on the first policy.(yes) -user2 included in the CA (no already registered) -user3 included in the CA but MFA not register yet (yes should register)

Y, N, Y User 1 = Might be excluded from the CA policy but is still required to set-up MFA because of the MFA Campaign User 2 = Excluded from the CA policy and has also already registered MFA. User 3 = CA policy enforces the user to set-up MFA (we have this type of policy for over 100 customers. You can't skip the 14 day grace period).

NYY Exclude wins over include User1 = Group1 = Excluded = no MFA required User2 = Group1/Group2 = Should be Excluded because Group1 is excluded BUT MFA Auth Status is set to enabled so User2 must register for MFA User3 = Group2 = included = MFA required

I'm confused, this question is about will they need to register with MFA, not authenticate. Wouldn't it be Y, Y, N?

Answers are correct https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide

Yes, no, no? its about REGISTRATION for MFA, not prompting to login with it.