Exam MS-102 topic 1 question 32 discussion

Y: User is in trusted location from CA policy Y: User is in trusted location from CA policy N: Trusted IPs in the MFA settings containts a list of IPs that MFA can be skipped from. https://c7solutions.com/2022/07/what-is-multifactor-authentication-trusted-ips

Y: User is in trusted location from CA policy Y: User is in trusted location from CA policy Y: User is in trusted location set by MFA config MFA per user setting is an old (but still existing) one. AAD > All Users > Per-User MFA icon > Gray Service setting tab https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#view-the-status-for-a-user

YYY https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates The CA policy controls access to APP1. Trusted locations is a condition. Policy doesn't change the Disabled state of User1, which means that if User1 logs on anywhere else or tries to access any other application, he will not be prompted for MFA. But, to access APP1, he must be logging in from a trusted location (this is a condition in order to access App1), and he WILL be prompted for MFA (this is the Grant access control). User2 will be prompted for MFA whether there is a CA policy or not.

Y, Y, N The trusted IPs feature of Microsoft Entra multifactor authentication also bypasses MFA prompts for users who sign in from a defined IP address range. If both per-user MFA and Conditional Access policies are configured in the tenant, you need to add trusted IPs to the Conditional Access policy and update the MFA service settings. https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings#trusted-ips

YYN or YYY? I am torn about the last one. (new to this and Mac user if this is a silly question sorry) Can the list of IPs that MFA can be skipped from be edited? If it can be edited, what in the question indicates that it has been added to the list?

Statement Analysis: When User1 connects to App1 from 131.107.50.10, User1 must use MFA. User1's MFA is Disabled, so even if the policy applies, it won't enforce MFA. However, Azure AD cannot enforce MFA if it’s not registered/enabled for the user. ✅ Answer: No When User2 connects to App1 from 131.107.20.15, User2 must use MFA. User2 has Enforced MFA. The location (131.107.20.15) is in a trusted location, and the policy includes trusted locations. Policy triggers MFA even from trusted locations because the policy includes them and requires MFA. ✅ Answer: Yes When User2 connects to App1 from 131.107.5.5, User2 must use MFA. 131.107.5.0/24 is configured as a trusted IP range for MFA. Since the policy includes all trusted locations, MFA is required for this range as well. User2 has MFA enforced, so the requirement is effective. ✅ Answer: Yes Final Answers: User1 from 131.107.50.10: ❌ No User2 from 131.107.20.15: ✅ Yes User2 from 131.107.5.5: ✅ Yes

Is it not, N, N, Y? When User1 connects to App1 from a device that has an IP address of 131.107.50.10, User1 must use MFA? No. User1 has MFA disabled, and the IP address 131.107.50.10 falls within the trusted location 131.107.50.0/24. Since trusted locations are included in the conditional access policy, User1 will not be required to use MFA. When User2 connects to App1 from a device that has an IP address of 131.107.20.15, User2 must use MFA? No. User2 has MFA enforced, but the IP address 131.107.20.15 falls within the trusted location 131.107.20.0/24. Since trusted locations are included in the conditional access policy, User2 will not be required to use MFA. When User2 connects to App1 from a device that has an IP address of 131.107.5.5, User2 must use MFA? Yes. User2 has MFA enforced, and the IP address 131.107.5.5 does not fall within any of the trusted locations (131.107.20.0/24 and 131.107.50.0/24). Therefore, User2 will be required to use MFA.

I vote for Y,Y,Y In this link say that we can consider a trusted networks and locations: All locations marked as trusted locations (it applies to CA Ips: 131.107.20.0/24 and 131.107.50.0/24) and Multifactor authentication trusted IPs, if configured (it applies to the IP 131.107.5.0/24 marked as trusted in the MFA). https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-assignment-network All trusted networks and locations This option applies to: All locations marked as trusted locations. Multifactor authentication trusted IPs, if configured.

YES: User1 will be required to complete MFA when signing in from a trusted location because the Conditional Access policy requires MFA for all users. YES: User2 from trusted location: MFA required due to the Conditional Access policy (trusted locations do not bypass MFA in this setup). YES: User2 from non-trusted location: MFA required as per the policy settings.

YYY. Refer to https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-assignment-network#all-trusted-networks-and-locations CA Trusted Location INCLUDE Trusted IP in MFA. So it CANNOT be skip!

1: YES - User Matched - IP is trusted - User is accessing App1 2: Yes - User Matched - IP is trusted - User is accessing App1 3: YES - User matched - Ip not machted, however Multi-factor auth is enforced. This will require user to use MFA for anything. This is tricky, but I can confirm this since I have thested this in my own lab.

My thought is User1 MFA is disabled, so he cannot be authenticated even if with "grant with MFA" policy assigned. MFA must be enabled or Enforced to him. Answer should be NYN

User1 can access to the app because he is in the trusted IP range, he needs to set up MFA bacause its currently disabled, but after setup and authenticating he cann access the app User 2 is in the trusted range and has MFA already set up so only needs to authenticate the request and can access the app as well User2 is now not in the trusted IP range, access to the app is block completly and therefore not MFA authentication is prompt at all YYN is the answer in my opinion

Given answer looks correct YYN. (User MFA Status is irrelevant in this case) CA Policy hits first 2 Last one is in trusted ip range. To elaborate, when users are enabled individually, they perform multifactor authentication each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the remember MFA on trusted devices feature is turned on).

https://learn.microsoft.com/en-ie/entra/identity/authentication/concept-mfa-howitworks

Trusted locations Locations such as your organization's public network ranges can be marked as trusted. This marking is used by features in several ways. Conditional Access policies can include or exclude these locations. Sign-ins from trusted named locations improve the accuracy of Microsoft Entra ID Protection's risk calculation, lowering a user's sign-in risk when they authenticate from a location marked as trusted. Locations marked as trusted can't be deleted. Remove the trusted designation before attempting to delete. Trusted IPs The trusted IPs feature of Microsoft Entra multifactor authentication also bypasses MFA prompts for users who sign in from a defined IP address range. You can set trusted IP ranges for your on-premises environments. When users are in one of these locations, there's no Microsoft Entra multifactor authentication prompt. The trusted IPs feature requires Microsoft Entra ID P1 edition.

MFA Enabled vs Enforced Microsoft Azure Active Directory uses various terms to show the status of multi-factor authentication (MFA) for each user. These user states are shown in the Azure portal and all start out as disabled. MFA Enabled: The user has been enrolled in MFA but has not completed the registration process. They will be prompted to complete the registration process the next time they sign in. MFA Enforced: The user has been enrolled and has completed the MFA registration process. Users are automatically switched from enabled to enforced when they register for Azure AD MFA. MFA Disabled: This is the default state for a new user that has not been enrolled in MFA.