Exam MS-102 topic 1 question 30 discussion

Actual exam question from Microsoft's MS-102
Question #: 30
Topic #: 1

You have a Microsoft 365 E5 subscription.
You need to create Conditional Access policies to meet the following requirements:
  • All users must use multi-factor authentication (MFA) when they sign in from outside the corporate network.
  • Users must only be able to sign in from outside the corporate network if the sign-in originates from a compliant device.
  • All users must be blocked from signing in from outside the United States and Canada.
  • Only users in the R&D department must be blocked from signing in from both Android and iOS devices.
  • Only users in the finance department must be able to sign in to an Azure AD enterprise application named App1. All other users must be blocked from signing in to App1.
What is the minimum number of Conditional Access policies you should create?

  • A. 3
  • B. 4
  • C. 5
  • D. 6
  • E. 7
  • F. 8
Suggested Answer: B

Comments

certma2023
Highly Voted 1 year, 8 months ago
Selected Answer: B
I would go for answer B. 4 rules configured like that:
  • One rule that targets all users & all locations except a custom trusted location (public IP ranges of the company). This rule grants access with MFA + compliant device.
  • One rule that targets all users & all locations except US & Canada. This rule blocks access.
  • One rule that targets R&D users only & Android + iOS devices. This rule blocks access.
  • One rule that targets all users except Finance users. The rule targets only App1. This rule blocks access.
For me, it should meet the goals.
upvoted 37 times
golijat
1 year, 5 months ago
Your approach is indeed a clever one and it seems like it could work. However, there might be a potential issue with the first rule. In your first rule, you're targeting all users and all locations except a custom trusted location (Public IP Ranges of the company), and you're granting access with MFA + Compliant device. This rule might conflict with the third rule where you're blocking all users from signing in from outside the United States and Canada. The issue arises because the first rule could potentially allow users to sign in from outside the United States and Canada if they're using a compliant device and MFA, which contradicts the third rule that aims to block all sign-ins from outside these two countries. Therefore, it's safer to separate these into two different rules to avoid any potential conflicts or overlaps. This way, you can ensure that each rule is enforced correctly without any unintended consequences. Hence, a total of 5 rules would be needed to meet all the requirements. Please note that the actual configuration might vary based on the specific settings and conditions in your environment. It's always a good idea to test the policies in a controlled environment before deploying them in a production environment.
upvoted 1 times
newark123
1 year, 4 months ago
It won't work like that. You could create 100 policies that allow access and 1 rule that blocks access, and if the one rule that blocks triggers, access will be blocked. Having a rule that lets you in will not allow you to log in from a blocked rule.
upvoted 5 times
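
The four-policy set from the top-voted comment, run through a simplified model of Conditional Access evaluation. This is an added illustration, not part of the thread and not Microsoft's evaluation engine. It assumes the documented behavior that every matching policy applies and a matching block control overrides any grant; the policy names, the `corp` location label and the sample sign-ins are constructed.

```python
# Added illustration: a simplified model, not Microsoft's evaluation engine.
# Rule modelled: every policy whose conditions match applies; any matching
# block wins; otherwise all required grant controls must be satisfied.

TRUSTED = "corp"                  # hypothetical named location (company public IPs)
ALLOWED_COUNTRIES = {"US", "CA"}

# (name, condition, action): action is "block" or a set of required controls
POLICIES = [
    ("P1-outside-corp", lambda s: s["location"] != TRUSTED, {"mfa", "compliant"}),
    ("P2-geo", lambda s: s["country"] not in ALLOWED_COUNTRIES, "block"),
    ("P3-rd-mobile",
     lambda s: s["dept"] == "R&D" and s["platform"] in {"android", "ios"}, "block"),
    ("P4-app1",
     lambda s: s["app"] == "App1" and s["dept"] != "Finance", "block"),
]


def signin(**overrides):
    """Build a constructed sample sign-in; defaults describe an on-network user."""
    base = {"dept": "Sales", "location": TRUSTED, "country": "US",
            "platform": "windows", "app": "Office", "satisfied": set()}
    return {**base, **overrides}


def evaluate(s):
    """Return (decision, detail) for one sign-in under all matching policies."""
    matched = [(name, action) for name, cond, action in POLICIES if cond(s)]
    blocks = [name for name, action in matched if action == "block"]
    if blocks:
        return "block", blocks                      # one block beats any grant
    required = set().union(*(action for _, action in matched))
    missing = required - s["satisfied"]
    if missing:
        return "deny", sorted(missing)              # controls not yet satisfied
    return "grant", sorted(required)


if __name__ == "__main__":
    cases = {
        "remote FR, MFA + compliant": signin(location="remote", country="FR",
                                             satisfied={"mfa", "compliant"}),
        "remote US, MFA only": signin(location="remote", satisfied={"mfa"}),
        "R&D on iOS, on network": signin(dept="R&D", platform="ios"),
        "Finance opening App1": signin(dept="Finance", app="App1"),
        "Sales opening App1": signin(app="App1"),
    }
    for label, s in cases.items():
        print(f"{label:28} -> {evaluate(s)}")
```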
Xbmc66
Highly Voted 1 year, 3 months ago
Selected Answer: A
3.......
1. CA with: MFA and compliant device sign-in and block US and Canada
2. CA with blocking Android and iOS for only R&D
3. App1 access for finance department
upvoted 12 times
EubertT
Most Recent 6 days ago
Selected Answer: C
Restrict access to the enterprise application (App1) for users in the finance department
Since this requirement applies only to a specific department and enterprise app, a separate policy is necessary.
Policy Count: 5
Minimum number of Conditional Access policies: 5
The correct answer is C. 5.
upvoted 1 times
FemiA55
5 months ago
I go for B. I don't think there is a need for conditional access management for App1. The security requirement for App1 can be taken care of by granting access to a security group with members from finance team only.
upvoted 1 times
Frank9020
5 months, 1 week ago
Selected Answer: A
Policy 1: Combine MFA, compliant devices, and geographic restrictions. Conditions: Sign-in from outside the corporate network. Controls: Require MFA, require compliant devices, block sign-ins from outside the United States and Canada.
Policy 2: Block R&D department users from signing in from Android and iOS devices. Conditions: Users in the R&D department. Controls: Block access from Android and iOS devices.
Policy 3: Restrict access to App1 to only finance department users. Conditions: Users in the finance department. Controls: Allow access to App1, block all other users.
upvoted 4 times
Ody
5 months, 1 week ago
Selected Answer: B
The first two options are both requirements for being outside the corporate network.
upvoted 1 times
9326359
11 months, 2 weeks ago
The answer is 3. I am able to configure named locations in the new "network" section within Conditional Access. This question may be outdated, as this feature says "new" next to it.
upvoted 2 times
Moazzamfarooqiiii
1 year, 1 month ago
Chat GPT is saying C = 5
upvoted 6 times
Amir1909
1 year, 2 months ago
B is correct
upvoted 1 times
Master_Tx
1 year, 7 months ago
I personally don't recommend creating policies that combine functions unless there is a specific need, so I chose C. However, B is what the question is asking for, as a MINIMUM.
upvoted 2 times
nsotis28
1 year, 7 months ago
answer is correct B
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), Other