Exam AZ-103 topic 5 question 20 discussion

Correct: "Whenever possible". Setup conditional access rules for MFA Next let's examine how to set up Conditional Access policy rules that would enforce MFA for guest users accessing specific apps on your network. 1 - Switch back to the Azure portal and select Azure Active Directory > Security > Conditional access. 2 - Select New policy from the top menu. 3 - Name your policy, for example "All guests" 4 - Select Users and groups to open the panel. 5 - Select Select users and groups 6 - Check the All guest and external users checkbox to apply this to all guests. So IT IS possible to enabled mfa for all users

Answer correct: https://docs.microsoft.com/en-us/learn/modules/secure-aad-users-with-mfa/4-exercise-mfa "Check the All guest and external users checkbox to apply this to all guests"

C is correct

Given answer is correct

D. User1, User2, User3, and User4

I think the key here is, although User3 and User4 are external they are already configured as "GUEST" so in a way, they are in Contoso.com tenant, and as the below URL says, its surely possible to enable MFA for external users. So I believe Given Answer is correct. I am not an Azure expert, just learning. Feel free to correct me

With Conditional Access Policy we can enforce MFA for guest users https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-tutorial-require-mfa

Question clearly stated "Whenever possible, you need to enable Azure Multi-Factor Authentication (MFA) for the users in contoso.com" Only User1 & User2 are part of 'Contoso.com" - Hence Answer is C

Answer is D ... 100% sure

ok MS has changed its documentation about enabling MFA on 07/13. As per new process, MFA is enabled for all users through Conditional access. so the answer is right https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa

Answer is correct. All Guests in my Azure AD have MFA enabled.

We can require MFA for guests to be able to access things via a conditional policy. However 'Enable' implies actually enabling it on the account, so the answer would be just User 1 and 2.

The Given answer is write. Now we can enable MFA for quest users. Now it is out of preview. https://docs.microsoft.com/en-us/azure/active-directory/b2b/b2b-tutorial-require-mfa

Answer is not correct, it's only users 1 and 2. We cannot "enable" MFA for external accounts - enabling MFA is done in the multi-factor portal (not conditional access policies). If we were using Conditional Access Policies (which we're not) then we could enforce MFA for all users and guest users.

Answer is correct: https://docs.microsoft.com/en-us/learn/modules/secure-aad-users-with-mfa/4-exercise-mfa

ALL users

MFA may not be possible for invited accounts (which is the case of gmail and outlook.com ones)