Exam MS-102 topic 1 question 151 discussion

Actual exam question from Microsoft's MS-102
Question #: 151
Topic #: 1

HOTSPOT
-

You have a Microsoft 365 subscription that contains the users shown in the following table.



You have the named locations shown in the following table.



You create a conditional access policy that has the following configurations:

• Users or workload identities:
• Include: Group1
• Exclude: Group2
• Cloud apps or actions: Include all cloud apps
• Conditions:
• Include: Any location
• Exclude: Montreal
• Access control: Grant access, Require multi-factor authentication

User1 is on the multi-factor authentication (MFA) blocked users list.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

aleksdj
Highly Voted 1 year, 8 months ago
Y = User1 is on the MFA block list BUT IP range 133.107.10.20 is Montreal which is EXCLUDED from MFA so user1 can access N = User1 is on the MFA block list AND IP range 193.77.10.15 is Toronto which is INCLUDED in MFA so User cannot access Y = User2 is not in the MFA block list and is a member of Group2 which is excluded from the conditional access policy and therefore can access from 193.77.10.20 Toronto. User2 is even allowed to access M365 from Montreal because the policy is not applied to User2.
upvoted 23 times
Krayzr
6 months, 4 weeks ago
In scenarios where a user is included and excluded in the same Conditional Access policy, the exclusion takes precedence. This means that if User 2 is part of both Group1 (included) and Group2 (excluded), the policy will not apply to User2
upvoted 3 times
...
Motanel
1 year, 3 months ago
But since the policy is a grant access, and not block access, doesn't that mean all answers are the other way around? which would be N, Y N
upvoted 7 times
...
...
2dwarf
Highly Voted 1 year, 8 months ago
I think it is NNY, because MFA is not enforced by policy. When you are blocked with MFA you cannot sign in any way.
upvoted 16 times
...
Shreekb27
Most Recent 1 month, 3 weeks ago
NNY Statement 1: User1 can access Microsoft Office 365 from a device that has an IP address of 133.107.10.20. User1's Groups: User1 is in Group1. The policy includes Group1. Location: 133.107.10.20 falls within the Montreal IP range (133.107.0.0/16). The policy excludes Montreal. MFA Blocked List: User1 is on the MFA blocked users list. This is a critical override; even if the policy would grant access, being on the MFA blocked list prevents access. Conclusion for Statement 1: No. User1 is on the MFA blocked users list, and the location is excluded by the policy.
upvoted 1 times
...
Frank9020
8 months, 3 weeks ago
NO: - User1 cannot access any cloud apps because User1 is on the MFA blocked users list, preventing them from completing the required MFA sign in. NO: -User1 cannot access Microsoft Office 365 because User1 is blocked from completing MFA. NO: -User2 is in Group1 and Group2. In conditional access the rule is that exclusions take precedence over inclusions, so User2 is not allowed to sign in being member of the exclusion group. When there is a Conditional Access Policy with locations as we have here: Excluded: Location Montreal: IP range 133.107.0.0/16. - The meaning of exclusion is that if you are in Montreal: - You are not allowed/blocked from signing in or accessing. Included: Any Location - which includes Toronto: IP range 193.77.10.0/24, and many other locations they might have you are allowed to sign in with MFA, and you have to be in Group1 (included)
upvoted 3 times
...
Tr619899
9 months, 2 weeks ago
User1 is in Group1, which is included in the conditional access policy. However, Montreal is an excluded location in the policy, and since the IP address 133.107.10.20 falls within the Montreal IP range, this location is excluded from the MFA requirement. User1 is on the MFA blocked list, but since MFA is not required for this location, being blocked from MFA would not prevent access. Answer: YES The IP address 193.77.10.15 is from Toronto, which is not in the excluded location list. Therefore, MFA is required based on the policy. Since User1 is on the MFA blocked list, they would not be able to complete the MFA process. Answer: NO User2 is in Group1 (included) and Group2 (excluded) in the conditional access policy. Since Group2 is excluded, User2 is not subject to this policy's conditions. User2 can access Office 365 from any location, including the Toronto IP range (193.77.10.20), without being blocked by the policy. Answer: YES
upvoted 5 times
3abmula
8 months, 3 weeks ago
For the first question, I think it should be NO. Explanation: User1 MFA status is "Enabled", which means User1 still hasn't completed MFA registration and will be prompted to register for MFA at the next sign-in, which he will not be able to do since he is on the MFA block list. Does that make any sense?
upvoted 1 times
...
...
Tomtom11
11 months, 2 weeks ago
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates
upvoted 1 times
...
APK1
11 months, 2 weeks ago
NNY is my choice. Once a user is blocked, he is blocked everywhere irrespective of different IP. Group 2 is excluded for User2.
upvoted 1 times
...
pali5178
1 year, 3 months ago
Statement 1: User1 can sign in to Microsoft SharePoint Online from Toronto. No. Even though Toronto is included in the locations, User1 is on the MFA blocked users list. This means they will be blocked from signing in regardless of the conditional access policy's rules. Statement 2: User2 can sign in to SharePoint Online from Montreal. No. While User2 is part of a group excluded from the policy, the location Montreal is specifically excluded. Any access attempt from that location will be blocked. Statement 3: User3 can sign into SharePoint Online from Montreal if the user performs multi-factor authentication. Yes. Here's why: User3 is in the included Group1. Montreal is explicitly excluded, HOWEVER, the policy grants access if MFA is performed. Therefore, if User3 performs MFA successfully, the location restriction is bypassed.
upvoted 2 times
DNGFORMA
1 year, 1 month ago
I think your reply belongs to Question 152, as there is no User 3 in this example.
upvoted 4 times
...
...
de0e20a
1 year, 3 months ago
The issue here is that “Blocked MFA users List” according to Microsoft Learn is actually a report that says why a user's MFA was blocked. In this case the second option would cause an entry in that “list”. This is the only reference I could find to a “List”: https://techcommunity.microsoft.com/t5/microsoft-entra/unblock-mfa/m-p/408018 There is, however, a section in Azure MFA where you can block or unblock the ability for the app to send requests to the Azure Tenant. This, however, is not seen as a list in the Microsoft documentation. https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings#block-and-unblock-users So the user being on a blocked MFA list just means that they have had failed MFA attempts, which wouldn’t matter to the Conditional Access Policies.
upvoted 1 times
...
SBGM
1 year, 5 months ago
Can't figure this one out and don't have the time to set up a lab scenario, but: Azure blocked users page states: 'A blocked user will not receive multifactor authentication requests. Authentication attempts for that user will be automatically denied. A user will remain blocked for 90 days from the time they are blocked.' ChatGPT: ' If a user is on the blocked MFA users list in Azure, their sign-in attempts will be blocked regardless of the location from which they are attempting to sign in. Exclusions based on location for not requiring MFA typically apply to users who are not on the blocked list. Once a user is on the blocked list, their sign-in attempts will be blocked regardless of other factors such as location exclusions. Therefore, even if the user is trying to sign in from a location excluded from MFA requirements, their login attempt will still be blocked if they are on the blocked MFA users list.' I am convinced that User 1 is unable to sign in regardless of location/IP address
upvoted 3 times
...
itguys
1 year, 7 months ago
NNY user MFA is enabled in lgeacy settings....
upvoted 4 times
itguys
1 year, 7 months ago
*legacy
upvoted 1 times
...
...
TP447
1 year, 8 months ago
YNY is correct. User1 wouldn't trigger the CA Policy from Montreal due to the exclusion so would be granted access without requiring MFA.
upvoted 2 times
...
jt2214
1 year, 8 months ago
I would assume since User 1 is on the blocked list they cannot access?
upvoted 3 times
...
rfree
1 year, 9 months ago
YNY. Question is, Can User 1 connect? NOT can User1 connect with MFA. And the CA doesn't apply to Montreal anyway since it's excluded.
upvoted 2 times
...
Darekmso
1 year, 9 months ago
https://www.examtopics.com/discussions/microsoft/view/55435-exam-ms-100-topic-4-question-36-discussion/ NNY
upvoted 2 times
...
netbw
1 year, 10 months ago
Answer is correct. User1 can connect from Montreal.
upvoted 1 times
...
BlackCat9588
1 year, 10 months ago
NNY? MFA of user1 is blocked
upvoted 4 times
BlackCat9588
1 year, 10 months ago
Exclude: Montreal
upvoted 1 times
NrdAlrt
1 year, 8 months ago
But an exclusion just means they are excluded from the policy and the policy grants access. I guess it's assumed they are still allowed access by skipping this policy being applied to them (and that nothing else is denying them access).
upvoted 1 times
...
...
...
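How the policy in the question is scoped for each of the three sign-ins, as an added example that is not part of the original question or of any comment. It models only whether the policy applies (a group exclusion wins over an inclusion, and an excluded location takes the sign-in out of scope rather than blocking it) and does not model the MFA blocked users list; group memberships and IP ranges are taken from the comments above because the question's tables are missing on this page, and every name in the code is illustrative.

```python
import ipaddress
from dataclasses import dataclass

# Constructed from the thread's comments (the question's tables are missing):
NAMED_LOCATIONS = {
    "Montreal": ipaddress.ip_network("133.107.0.0/16"),
    "Toronto": ipaddress.ip_network("193.77.10.0/24"),
}
USER_GROUPS = {"User1": {"Group1"}, "User2": {"Group1", "Group2"}}


@dataclass(frozen=True)
class Policy:
    include_groups: frozenset
    exclude_groups: frozenset
    exclude_locations: frozenset  # location include is "Any location"
    grant_controls: tuple


# The policy as configured in the question.
POLICY = Policy(
    include_groups=frozenset({"Group1"}),
    exclude_groups=frozenset({"Group2"}),
    exclude_locations=frozenset({"Montreal"}),
    grant_controls=("mfa",),
)


def locations_for(ip):
    """Names of the named locations whose range contains this address."""
    addr = ipaddress.ip_address(ip)
    return {name for name, net in NAMED_LOCATIONS.items() if addr in net}


def evaluate(policy, user, ip):
    """Return (applies, reason, required_controls) for one sign-in.

    When applies is False the policy is skipped for this sign-in:
    it neither requires its grant controls nor blocks anything.
    """
    groups = USER_GROUPS.get(user, set())
    if groups & policy.exclude_groups:       # exclusion beats inclusion
        return (False, "user is in an excluded group", ())
    if not (groups & policy.include_groups):
        return (False, "user is not in an included group", ())
    excluded_hit = locations_for(ip) & policy.exclude_locations
    if excluded_hit:
        return (False, "sign-in from excluded location", ())
    return (True, "in scope", policy.grant_controls)
```

A result of `applies=False` says nothing about whether the sign-in ultimately succeeds; other policies and tenant settings, including the blocked users setting the thread debates, are evaluated separately.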