Exam MS-100 topic 4 question 69 discussion

Actual exam question from Microsoft's MS-100
Question #: 69
Topic #: 4

HOTSPOT
You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

You configure a multi-factor authentication (MFA) registration policy that has the following settings:
✑ Assignments:
- Include: Group1
- Exclude: Group2
✑ Access controls: Require Azure MFA registration
✑ Enforce Policy: On
You create a conditional access policy that has the following settings:
✑ Name: Policy1
✑ Assignments:
- Include: Group2
- Exclude: Group1
✑ Access controls:
- Grant, Require multi-factor authentication
✑ Enable policy: On
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: No
The MFA registration policy applies to User1, so User1 will be prompted to register for MFA. The user has 14 days to complete registration; during that period the registration prompt can be skipped, but at the end of it registration is required before sign-in can complete.
Policy1 does not apply to User1 because Group1 is excluded, so MFA is not required at sign-in.

Box 2: No
User2's per-user MFA status is Enabled, which means the user has been enrolled in MFA but has not yet completed registration.
Policy1 does not apply to User2 because Group1 is excluded, and in Conditional Access an exclusion takes precedence over an inclusion, so MFA is not required.

Box 3: Yes
Policy1 does apply to User3, so MFA will be required. The user will need to register for MFA first.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy
https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
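The point the suggested answer turns on is assignment scoping: a Conditional Access exclusion beats an inclusion, and the registration policy and Policy1 are evaluated independently. The following PowerShell is an added example, not part of the exam page or Microsoft's answer. The first part is a local, offline evaluation of both assignments against constructed group memberships (the question's user table is not on the page, so the memberships of User1, User2 and User3 are assumptions reconstructed from the discussion). The second part creates Policy1 with the Microsoft Graph PowerShell SDK; the group names, the "All cloud apps" target and starting in report-only mode are assumptions, since the question does not state them.

```powershell
# Added example (not from the exam page). Part 1: offline evaluation of
# Conditional Access-style assignments. Exclusion always wins over inclusion.

function Test-CaPolicyApplies {
    param(
        [Parameter(Mandatory)][string[]]$UserGroups,
        [Parameter(Mandatory)][string[]]$IncludeGroups,
        [string[]]$ExcludeGroups = @()
    )
    # A user in any excluded group is never in scope, even if also in an included group.
    foreach ($g in $UserGroups) {
        if ($ExcludeGroups -contains $g) { return $false }
    }
    foreach ($g in $UserGroups) {
        if ($IncludeGroups -contains $g) { return $true }
    }
    return $false
}

# ASSUMED memberships (the question's table is not on the page):
$users = @(
    @{ Name = 'User1'; Groups = @('Group1') },
    @{ Name = 'User2'; Groups = @('Group1', 'Group2') },
    @{ Name = 'User3'; Groups = @('Group2') }
)

# Assignments exactly as stated in the question.
$registrationPolicy = @{ Include = @('Group1'); Exclude = @('Group2') }
$policy1            = @{ Include = @('Group2'); Exclude = @('Group1') }

foreach ($u in $users) {
    [pscustomobject]@{
        User                = $u.Name
        MustRegisterForMfa  = Test-CaPolicyApplies -UserGroups $u.Groups -IncludeGroups $registrationPolicy.Include -ExcludeGroups $registrationPolicy.Exclude
        Policy1RequiresMfa  = Test-CaPolicyApplies -UserGroups $u.Groups -IncludeGroups $policy1.Include -ExcludeGroups $policy1.Exclude
    }
}
# Under the assumed memberships: User1 -> register yes / MFA no,
# User2 -> register no / MFA no (excluded from both), User3 -> register no / MFA yes.

# Part 2: create Policy1 in the tenant with Microsoft Graph PowerShell.
# Requires: Install-Module Microsoft.Graph
# Starting in report-only mode is an added precaution; switch state to
# 'enabled' only after reviewing sign-in logs, so an exclusion mistake
# cannot lock out administrators.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Group.Read.All'

$group1 = Get-MgGroup -Filter "displayName eq 'Group1'"   # assumed group name
$group2 = Get-MgGroup -Filter "displayName eq 'Group2'"   # assumed group name
if (-not $group1 -or -not $group2) { throw 'Group1 or Group2 not found; refusing to create a policy with an empty exclusion.' }

$policyBody = @{
    displayName = 'Policy1'
    state       = 'enabledForReportingButNotEnforced'   # report-only first (assumption)
    conditions  = @{
        users          = @{
            includeGroups = @($group2.Id)
            excludeGroups = @($group1.Id)
        }
        applications   = @{ includeApplications = @('All') }   # target assumed; not stated in the question
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')   # Grant: Require multi-factor authentication
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody
```

The offline function reproduces only the include/exclude precedence rule; it does not model per-user MFA state, which is a separate mechanism from both policies and is what several commenters below raise for User2. The throw before policy creation guards against a typo in a group name silently producing a policy with no exclusion.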

Comments
stromnessian
Highly Voted 3 years, 9 months ago
2nd answer should be YES. User2 has MFA enabled in the per-user MFA settings, which means that MFA is enforced for that user - it is not the same as "registered".
upvoted 16 times
michszym
3 years, 9 months ago
Agree, I've tested it - when you enable per-user MFA for a user, he cannot bypass registration for 14 days. He has to use MFA at next sign-in. This has priority over the registration policy.
upvoted 7 times
MallonoX_111
3 years, 5 months ago
But User2 is a member of Group1. Exclusion takes precedence over inclusion.
upvoted 2 times
Durden871
3 years, 1 month ago
Yes, exclusion takes precedence over inclusion; however, block always wins over grant and there are two policies that User 2 belongs to, the second policy requires MFA. So, if policy 2 didn't exist, user 2 wouldn't require MFA. Since it does, most restrictive policy wins here.
upvoted 2 times
Startkabels
Most Recent 2 years, 4 months ago
I agree with the answers provided but isn't the MFA registration policy totally irrelevant? They're asking who has to USE mfa on the next signin, not register MFA or be enrolled for MFA. Simply the Conditional Access Policy determines that, whether or not a user is registered or can use MFA. If not that is their problem and will not get access (see the provided explanation for user 3: "needs to be enrolled first")
upvoted 2 times
Jubei612
3 years, 1 month ago
User 3 is in group 2 and they are set to exclude, so I'm confused on this one. Can anyone give me the reason why?
upvoted 1 times
Downstar
2 years, 5 months ago
They are excluded on the registration part.
upvoted 1 times
Durden871
3 years, 1 month ago
Correct me if I'm wrong (likely am wrong). Group1 is no - MFA is disabled; the policy applied only requires MFA to be registered, not required to sign in. User2 belongs to both groups. So, yes? User2 has MFA enabled, but not enforced. They have been enrolled, but not completed the registration. Policy 1 will require you to register. Policy 2 is requiring MFA. They're a member of both groups, so both group policies apply. User3 is yes because of policy 2. What am I missing?
upvoted 3 times
LillyLiver
3 years, 2 months ago
I see what's happening here. This was confusing for me to wrap my head around. User1: No. True, there is an MFA policy applied to Group1, but User1 will not be REQUIRED to use MFA since the CAP is excluding Group1. User2: No. I had to test this in my tenant. Apparently an explicit Grant supersedes an explicit Block, so this ends up being the same as User1, only he's already enabled. User3: Yes. User3 is being targeted by the CAP only, so MFA will be required. I agree with the given answer.
upvoted 1 times
Rickert
3 years, 5 months ago
Correct answer is No-Yes-Yes. Group1 is registration and Group2 is require.
upvoted 4 times
Zardu
3 years, 5 months ago
Here is a good resource for the differences between Disabled, Enabled and Enforced: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
upvoted 1 times
Aesam
3 years, 7 months ago
Why can't the 14-day logic be applied to User3 if it can be applied to User1? I believe the answer should be Y Y Y if we keep the 14-day logic out.
upvoted 1 times
jinxie
3 years, 5 months ago
Because Group2 will not allow access without MFA. Unlike the policy on Group1, which is a request for enrollment that can be postponed for 14 days, the policy on Group2 demands you perform MFA or you receive no access.
upvoted 2 times