
Exam MS-100 topic 4 question 36 discussion

Actual exam question from Microsoft's MS-100
Question #: 36
Topic #: 4

HOTSPOT -
You have a Microsoft 365 subscription that contains the users shown in the following table.

You have the named locations shown in the following table.

You create a conditional access policy that has the following configurations:
✑ Users and groups:
- Include: Group1
- Exclude: Group2
✑ Cloud apps: Include all cloud apps
✑ Conditions:
- Include: Any location
- Exclude: Montreal
✑ Access control: Grant access, Require multi-factor authentication
User1 is on the multi-factor authentication (MFA) blocked users list.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
The Blocked User list is used to block specific users from being able to receive Multi-Factor Authentication requests. Any authentication attempts for blocked users are automatically denied. Users remain blocked for 90 days from the time that they are blocked.

Box 1: Yes -
133.107.10.20 is in the Montreal named location. The conditional access policy excludes Montreal, so the policy does not apply. Therefore, User1 can access Microsoft Office 365.

Box 2: No -
193.77.10.15 is in the Toronto named location. The conditional access policy applies to Group1, of which User1 is a member, and to all locations except Montreal. Therefore, the policy applies in this case. The policy requires MFA, but User1 is on the MFA blocked users list, so any MFA attempt is denied and the grant control cannot be satisfied. Therefore, User1 cannot access Microsoft 365.

Box 3: Yes -
User2 is in Group1 and Group2. The conditional access policy includes Group1 but excludes Group2, and an exclusion always takes precedence over an inclusion. Therefore, the policy does not apply in this case, and User2 can access Microsoft Office 365.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings
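The evaluation order the suggested answer relies on (group exclusion beats inclusion, location exclusion removes the policy from scope, and a required MFA control that an MFA-blocked user cannot satisfy results in denial) can be modelled directly. The script below is an added example for this page, not Microsoft code and not the real Conditional Access engine. The named-location IP ranges are assumed, because the question's tables are not reproduced here; only the two sign-in IPs, the group memberships and the blocked-user fact come from the suggested answer. It also deliberately ignores per-user (legacy) MFA state, which several commenters argue changes the outcome, and it models no other policies. For a live tenant the check a practitioner would actually run is the Conditional Access "What If" tool against the user, IP and app, followed by the sign-in log entry for the attempt.

```python
"""Toy Conditional Access evaluator for the MS-100 question above.

Added example. Location ranges are assumed (the page does not show the
named-location table); group membership, IPs and the MFA block come from
the suggested answer.
"""
import ipaddress
from dataclasses import dataclass

# Constructed named locations: the page gives only the names, so /24s
# containing the two quoted sign-in addresses are assumed here.
NAMED_LOCATIONS = {
    "Montreal": [ipaddress.ip_network("133.107.10.0/24")],  # assumed range
    "Toronto": [ipaddress.ip_network("193.77.10.0/24")],    # assumed range
}

# Group membership as stated in the suggested answer.
GROUPS = {
    "Group1": {"User1", "User2"},
    "Group2": {"User2"},
}

# User1 is on the MFA blocked users list; any MFA attempt is denied.
MFA_BLOCKED_USERS = {"User1"}


@dataclass
class Policy:
    include_groups: set
    exclude_groups: set
    include_locations: set   # {"Any"} or a set of named locations
    exclude_locations: set
    require_mfa: bool


# The policy from the question.
POLICY = Policy(
    include_groups={"Group1"},
    exclude_groups={"Group2"},
    include_locations={"Any"},
    exclude_locations={"Montreal"},
    require_mfa=True,
)


def location_of(ip: str):
    """Return the named location containing ip, or None if unmatched."""
    addr = ipaddress.ip_address(ip)
    for name, nets in NAMED_LOCATIONS.items():
        if any(addr in net for net in nets):
            return name
    return None


def user_in_scope(policy: Policy, user: str) -> bool:
    """Exclusions always win over inclusions in Conditional Access."""
    member_of = {g for g, members in GROUPS.items() if user in members}
    if member_of & policy.exclude_groups:
        return False
    return bool(member_of & policy.include_groups)


def location_in_scope(policy: Policy, ip: str) -> bool:
    """Same exclude-first rule for the location condition."""
    loc = location_of(ip)
    if loc in policy.exclude_locations:
        return False
    return "Any" in policy.include_locations or loc in policy.include_locations


def evaluate(policy: Policy, user: str, ip: str):
    """Return (policy_applies, access_granted) for one sign-in.

    Only this policy is modelled: when it is out of scope, access is
    granted because no other control is present in the question.
    """
    applies = user_in_scope(policy, user) and location_in_scope(policy, ip)
    if not applies:
        return False, True
    if policy.require_mfa and user in MFA_BLOCKED_USERS:
        # Grant control requires MFA, but MFA requests for a blocked
        # user are automatically denied, so the control can't be met.
        return True, False
    return True, True


if __name__ == "__main__":
    for user, ip in [("User1", "133.107.10.20"),
                     ("User1", "193.77.10.15"),
                     ("User2", "193.77.10.15")]:
        applies, granted = evaluate(POLICY, user, ip)
        print(f"{user} from {ip} ({location_of(ip)}): "
              f"policy applies={applies}, access={granted}")
```

Running it reproduces the suggested Yes / No / Yes: User1 from the Montreal address is out of scope and gets in, User1 from Toronto is in scope and is denied because the MFA control cannot be satisfied, and User2 is excluded via Group2 regardless of location.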

Comments

TimurKazan
Highly Voted 3 years, 7 months ago
N-N-Y. User1 is in the blocked list, hence he cannot authenticate to any resources. User2 is a member of both the included and the excluded group; since exclusion wins over inclusion, the policy does not apply to him.
upvoted 27 times
fko1978
3 years, 7 months ago
I was thinking that too. User1 (MFA enabled) is in the block list, so no access to anything.
upvoted 2 times
allesglar
3 years, 5 months ago
I also agree. The fact that MFA is enabled for the user means that he will be prompted to use MFA the next time he signs in. This is not possible, though, because he is in the block list, and therefore he won't be able to access any resources. The policy does not play a role.
upvoted 1 times
One111
2 years, 3 months ago
MFA enabled means he can configure it. The MFA blocked user list is not a feature. You can disable MFA for a user, which will prevent him from registering; you can also build a CA policy to block MFA (and some other endpoints) registration. This is a typo: if you have blocked sign-in, then he will not be able to log in. If it is about MFA, then it depends on exclusions.
upvoted 1 times
sufisuffix
2 years, 2 months ago
MFA blocked user IS a feature: AAD > Protect & Secure > MFA > Block/Unblock users.
upvoted 1 times
Sweethaven
2 years, 9 months ago
Wrong, User 1 is excluded as he is within the Montreal location.
upvoted 3 times
stromnessian
Highly Voted 3 years, 9 months ago
Y, N, Y. For 1., User1 does not have MFA enforced but is on the MFA block list; however, as Montreal is excluded from the CA policy, MFA is not required, so an MFA challenge will not have to be sent to User1.
upvoted 14 times
allesglar
3 years, 5 months ago
If needed, you can instead enable each account for per-user Azure AD Multi-Factor Authentication. When users are enabled individually, they perform multi-factor authentication each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the "remember MFA on trusted devices" feature is turned on). So 1) is N. He has to use MFA but he cannot, because he is in the block list.
upvoted 1 times
Amir1909
Most Recent 1 year, 2 months ago
Correct
upvoted 1 times
Ayham_J
2 years, 1 month ago
on exam today
upvoted 2 times
Feyenoord
2 years, 1 month ago
NNY: Block/unblock users. A blocked user will not receive multifactor authentication requests. Authentication attempts for that user will be automatically denied. A user will remain blocked for 90 days from the time they are blocked. To manually unblock a user, click the "Unblock" action.
upvoted 1 times
Nilz76
3 years ago
This question was in my exam on 06/April/2022. I passed.
upvoted 2 times
Durden871
3 years, 1 month ago
I had said YNY, but my reasoning for Y on box 3 seems to contradict the answer provided. I thought the most restrictive policy would win? In this case, both groups are applied. The location is on the grant access and User 2 has MFA enforced. Which is it? Did the policy allow User 2 because of the group exclusion, or did it allow User 2 because they met the criteria of the CA?
upvoted 1 times
joergsi
3 years, 2 months ago
A confusing resolution was provided: "The Blocked User list is used to block specific users from being able to receive Multi-Factor Authentication requests. Any authentication attempts for blocked users are automatically denied. Users remain blocked for 90 days from the time that they are blocked." In the scenario, User1 is on the multi-factor authentication (MFA) blocked users list. This would mean that User1 can't use MFA for 90 days. In this case, why is question 1 Yes? Shouldn't it be N/N/Y?
upvoted 1 times
melatocaroca
3 years, 10 months ago
IMHO, answer: N, Y, Y. User-based MFA vs. Conditional Access MFA: if user-based MFA is enabled, it will override the Conditional Access policies. Extremely important to note: if you enable MFA via the MFA portal, you completely rub out the ability to utilize Conditional Access policies. You must have the Azure MFA user state set to disabled, and a Conditional Access policy configured to require multi-factor authentication, for Conditional Access policy-based settings to apply. https://messageops.com/user-based-mfa-vs-conditional-access-mfa/ https://jkindon.com/2018/08/12/azure-mfa-vs-conditional-access/
upvoted 2 times
melatocaroca
3 years, 10 months ago
Sorry, typo. Answer: N, N, Y.
upvoted 4 times
melatocaroca
3 years, 10 months ago
Box 1: No. User 1, 133.107.10.20, Montreal location. Montreal: the policy does not apply. User1 can access, because the per-user setting is set to require MFA, and the per-user setting has priority over the policy.
Box 2: No. 193.77.10.15, Toronto location. The conditional access policy applies to Group1, which User1 is a member of, and all locations except for Montreal; it requires MFA. User1 is on the MFA blocked list, and the per-user setting is MFA enabled. User1 cannot access Microsoft 365.
Box 3: Yes. User2 is in Group1 and Group2. The conditional access policy applies to Group1 but excludes Group2. Therefore, the conditional access policy does not apply in this case, and because User2's per-user setting is enforced to use MFA, User2 can access Microsoft Office 365.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings https://messageops.com/user-based-mfa-vs-conditional-access-mfa/ https://jkindon.com/2018/08/12/azure-mfa-vs-conditional-access/
upvoted 3 times
chaoscreater
3 years, 10 months ago
What are you on about? The policy doesn't apply to Montreal, and so User 1 CAN access. Box 1 is YES.
upvoted 3 times
michszym
3 years, 9 months ago
I tested it: when I enabled MFA for User1 and added him to the "block list", I could not log on (could not send a text message during logon). As melatocaroca wrote, user-based MFA has priority over the conditional access policy.
upvoted 4 times
Azreal_75
3 years, 7 months ago
I stand to be corrected, but... MFA is not enforced for User 1, just enabled, so he doesn't need to use MFA. Furthermore, as chaoscreater says, the Conditional Access policy does not apply to logins from Montreal; the answer is therefore Yes for box 1. For box 2, User 1 is now logging in from a location to which Conditional Access does apply and MFA is required, hence No. I find the answer to box 3 perplexing: in so many other areas of O365 the most restrictive policy applies, but in Conditional Access that doesn't seem to be the case, since being in Group 2 excludes the user from CA despite being in Group 1 as well!
upvoted 1 times
michszym
3 years, 10 months ago
Box 1: No? You wrote "User 1 can access". I think he can access but requires MFA (so it should be YES).
upvoted 1 times
michszym
3 years, 10 months ago
Sorry, it's No, because User1 is on the Blocked User List and he can't receive an MFA request.
upvoted 2 times