Exam SC-300 topic 2 question 33 discussion

I think (feel free to discuss): 1) No 2) Yes (although the request is from a trusted location, that doesn't mean the MFA prompt will be bypassed! If there was CA policy configured to require MFA with the trusted locations EXCLUDED, then the user would not get the MFA prompt) 3) No (request is coming from the IP that is added to the MFA trusted IPs list in the legacy MFA portal https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx)

This is what I think: 1 - No. Although 10.10.0.0/16 is a named trusted location, it's a private IP range and won't function correctly, so user 1 won't match the condition of CA policy 1. In addition, user 1 has per-user MFA disabled, it won't be prompted for MFA. 2 - Yes. User2's source IP is 10.10.1.160, the public IP of which is in the range of 20.93.15.0/24, which isn't a trusted MFA range. Besides, User2 is a per-user MFA-enforced user. Therefore, User2 will be prompted for MFA. 3 - No. The public IP address of 192.168.1.20 is in the space of 193.17.17.0/24, which is an MFA-trusted IP range. Although user2 is a per-user MFA-enforced user, it won't be prompted for MFA.

I think its 1. YES - the first table refers to legacy per user authentication and that is not being evaluated when conditional access is used. User 1 is signing in from trusted location, but the policy still states grant access but require MFA 2. YES - conditional access doesnt apply to this user becasue the scope of the policy is group1 only. Therefore his legacy per user MFA will kick in and that requires him to use MFA unless he is not logging in from the legacy MFA trusted IP of 193.17.17.0/24 which in this case he is not 3. NO - this time around he is signing in from the per user MFA trusted IP of 193.17.17.0/24 Dont let the private ranges fool you. MS will only evaluate the public IPs, you only need to verify the corresponding private addresses match to the public ones.

NO YES YES User1 is member of Group1 -> CAPolicy1 applies 10.10.1.150 (Location1) connect to Azure with an IP from 20.93.15.0/24 range User1/Group1 -> CAPolicy1 -> Requires MFA : cannot login (MFA disabled) User2 is member of Group2 -> CAPolicy1 does not apply User2/Group2 -> MFA enforced -> will be prompted for MFA from any location 10.10.1.160 (Location1) connect to Azure with an IP from 20.93.15.0/24 range 192.168.1.20 (Location2) connect to Azure with an IP from 193.17.17.0/24 range 193.17.17.0/24 range - is trusted only in context of CAPolicy1

Enabling MFA for a user means that the user has the option to set up MFA, but it is not required. Enforcing MFA means that the user is required to set up MFA and cannot access their account until they have completed the MFA setup process. If you enforce MFA for a user, they will be prompted to set up MFA the next time they log in to their account. They will not be able to access their account until they have completed the MFA setup process. Once they have completed the setup process, they will be required to use MFA every time they log in to their account. Enabling MFA gives the user the option to set it up, but they can still access their account without MFA. Enforcing MFA requires the user to set it up and use it every time they log in.

CAPolicy1 workload is Group1. So, User1 is member of that group and this policy address that user. User2 is not member of Group1. This CAPolicy1 won't be applied for this user..However, user2 has MFA enforced.. This is tricky point... 1) No - Why? User1 is member of group1 and CAPolicy1 will apply. Since user1 login from IP address in Location1 which is marked as trusted location, MFA won't be prompted... If user one try to login from an untrusted location, since MFA isn't enabled, when it is forced via policy, user1 login won't success.. 2) YES - MFA is forced for user2. Even CAPolicy1 isn't assign to user2 due to user group, for each sign-in form any IP range user2 will be prompted MFA. 3) YES - Same above option 2. NO - YES - YES.

Tested on Azure 1. No. Because CAPolicy1 not applied, because of the location does not meet trust location requirement. Only public IP can be captured. 2. Yes. MFA is enforced for this user2 3. No. MFA is enforced for this user2, but the location is in the MFA trust IP ranges, so MFA is skipped. Additional finding: the IP configured in MFA trusted ips will also fall into the "all trust locations" in conditional access policy

Hi guys, just one question, 10.10.0.0/16 and 192.168.0.0/16 are both private IP, meaning you can set up these IP segments in any network. So, if user2 connects to the tenant from IP 192.168.1.20, how do you know it's from the public IP 193.17.17.0/24?

N-Y-N Think of this: Location1 is a "named location" marked as trusted, but wrongly configured with a private IP range, which the cloud-based MFA cannot resolve (it sees only the public IP address). And then we have "MFA has a trusted IP address range of 193.17.17.0/24", which is a service setting under Protection > Multifactor authentication > Service settings. This works outside of CAPs! Then comes the CAP with the "All trusted locations" condition, which will never be triggered, as clarified above! Then the answers are clear: User1 will NEVER be prompted for MFA. User2 will be prompted for MFA EXCEPT from the "MFA trusted IPs", which is only the public IP from Location2 (which is case 3)

1 No. Regardless if the policy applies or not, User 1 is MFA Disabled. No prompt. 2 Yes. The policy does not apply to User 2 (Assignments only to group 1). User 2 is MFA enforced. to be prompted. 3 No. The policy does not apply to User 2 (Assignments only to group 1). User 2 is MFA enforced, but the IP range is included in the below (MFA setting). Skip multi-factor authentication for requests from following range of IP address subnets

The question is very confusing and it needs to be broken down a bit further Location 1: is 20.93.15.0/24 (this is trusted as named location) Location 2: is 193.17.17.0/24 (this is a trusted IP range for Skip multi-factor authentication in the legacy MFA portal) The CA policy target only users in Group1 that are in trusted locations, it does not say it All trusted location are excluded (this is an assumption, but this is not what the problem statement says) so if a users is in the 10.10.0.0/16 range, is actually in Location1 and if a user is in the 192.168.0.0/16, is in Location2 1. User1 is in Location1 so the CA policy does require to do MFA, the CA apply to trusted location not the other way around, the word "exclude trusted location" was never mentioned. 2. User2 is in Location1 but not in Group1, no CA policy apply 3. User2 is in Location2 that is trusted, so no MFA is going to apply there so the answers are Y N N

The correct answer is N,Y,Y . It seemed so simple initially and I got it wrong but it's not as easy as it looked at first glance. We are being asked if the user will be prompted for MFA - NOT if they fall within scope of a conditional access policy. Number 2 is the only part that should cause any confusion. An enforced status means the legacy per user MFA is enabled.(I tested this. MFA Registration because of a CA policy does not change the legacy per MFA status - it remains as "disabled".) In this scenario the user will be asked to MFA every time except from a trusted location. The trusted location exception does not apply here so they will get a MFA prompt because of the per user MFA setting. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

The answer shown is correct, but the explanation for it it not. Answer is: N-N-Y Reason: 1 - No - User 1 has MFA Disabled, so will not be prompted for MFA 2 - No - User 2 is coming from Location 1 and Location one's IP is only configured in this CA policy using a private address, so it won't be prompted. 3 - Yes - User 2 is coming from Location 2, and this is configured in the CA policy to prompt MFA. The main confusion is due to the configuration being weak. If you want to prompt for MFA and exclude Trusted locations, you set the locations as "All Locations", exclude "Trusted Locations" and Require MFA - This means that you will be prompted for MFA at all locations except the Trusted Locations. What this policy will actually achieve is only prompting for MFA in the Trusted Location 193.17.17.0/24, and nowhere else.

No: User1 Has MFA Disabled, but although he is member of Group1, the public IP range he is logging in from does not belong to the Trusted location (only public IP is visible to Azure AD), so the CA policy will not apply. Yes: User2 connects from a Public CIDR that is not a trusted location and is in Group2, so CA policy does not apply, but MFA is Enforced, so he will be prompted for MFA. Yes: User2 policy does not apply (not in trusted locations and member of Group 2), has MFA Enforced, but connects from the MFA Trusted IP range (public range), so he won't be prompted for MFA. Tested it in lab, if MFA Trusted IP CIDRs are defined and enabled, MFA Enforcent is bypassed.

To me it's YES NO NO 1) YES because the CA policy is only for group1 (user1). His public IP address is not trusted thereforme the CA push a MFA prompt no matter his user MFA status. 2) The CA policy only applies to group1 members, user2 isn't a part of that. 3) same as above

The level of confusion seems to display the level ridiculousness of some of these questions

Hi guys, why is 10.10.1.160 trusted IP? IP range for 10.10.0.0/24 is "10.10.0.0 - 10.10.0.255" so it should not be in trusted IPs