Exam MS-101 topic 1 question 27 discussion

Yes: user 1 is member of group 1 No: user 1 is member of group 1 but device 2 is not compliant Yes: user 2 is not member of group 1

YES-NO-YES

just to clarify: Conditional Access policies are triggered by a condition which enforces a rule (access granted/not granted/MFA required etc.) Compliance Policies apply a state to a device (Compliant/Non-Compliant). Like a sticker on the device. It doesn't DO anything to the device other than applying the sticker (I appreciate that this is not 100% accurate but in the given context of the question it is). You can apply Conditional Access Policies BECAUSE a device has the sticker, but it's not mandatory. You can have non-compliant devices without any problems signing in to anything. User 2 may be non-compliant, but there is no policy preventing anything for user 2. Y-N-Y

My thought is Y,N,N. Wouldn't User 2 default to the Intune Device Policy?

'Device state' has been depreciated, replaced with filter for devices now. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions#device-state-deprecated

Y,N,N. box3: User2 does not have the conditional access policy affecting him, but he does have the compliance policy (policy 2) affecting him. This policy states that device2 is required to have bitlocker enabled. This device hasn't and User2 cannot access MS Exchange Online because of that. Third answer should be NO.

Why is user 1 yes? The access control is specified to block access. Am I missing something?

If "✑ Access controls is set to Block access.", doesn't this mean that All Users in Group 1 cannot access Exchange Online in the first place? So NNN should be the answer?

Y. N. Y.

Yes-No-No while the policy is assigned to user Group 1, device 2 is not compliant as Policy 4 requires BL to be enabled.

I think the answer should be YES, NO, YES, here is why: User1 is a member of Group1 (where the policy is assigned). Device1 belongs to Group3 which has Policy1 that doesn't enforce BL so if BL is disabled it doesn't matter thus this device according to Policy1 is compliant. User1 is a member of Group1 (where the policy is assigned), but Device2 is a member of Group4 which has a policy that requires BL to be ON but it is off, so it is NOT compliant. So even if the user is compliant, the device is NOT, hence User1 from Device2 cannot access User2 is a member of Group2 and there is no conditional access for this group, so there is nothing to evaluate, hence Users2 should be able to access the application from both devices actually

User1 can access Microsoft Exchange Online from Device1: Yes, because Device 1 is member of group 3. Policy 1 is assigned to group 3, policy 1 does not require Bitlocker encryption thus Device is 1 compliant. The conditional access policy conditions exclude Devices marked as compliant, thus access is allowed. User1 can access Microsoft Exchange Online from Device2: No, because Device 2 is a member of Group 4. Policy 2 is assigned to group 4, policy 2 requires Bitlocker encryption, Device 2 does not have bitlocker encryption thus is Device 2 marked as non compliant. Conditional access policy Access controls is set to Block access, so Device 2 is not allowed. User2 can access Microsoft Exchange Online from Device2: No, because Device 2 is non compliant (see answer above why) and also User 2 is not in group 1 and thereby is also not allowed access.

the answer is incorrect, should Yes NO Yes

I also think its YES-NO-YES User1 / Device1 = Yes, because the conditional access policy is scoped for Group1 and User1 is a member. Using Device1 which is apart of Group3, Group3 bitlocker is Not Configured so it should be compliant and pass the Conditional Access User1 / Device2 = No, because Device2 is apart of Group4 which requires bitlocker so it wouldn't be compliant even though User1 is apart of Group1 User2 / Device1 = Yes, because User2 is not scoped in the Conditional Access Policy being that it is apart of Group2, so I would think the conditional address wouldn't apply to users in Group2 and it will be able to access EXO regardless of the conditional access policy