
Exam SC-300 topic 2 question 76 discussion

Actual exam question from Microsoft's SC-300
Question #: 76
Topic #: 2

HOTSPOT -

You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint Online site named Site1 and the users shown in the following table.



The users have the devices shown in the following table.



You create the following two Conditional Access policies:

• Name: CAPolicy1
• Assignments
  o Users or workload identities: Group1
  o Cloud apps or actions: Office 365 SharePoint Online
  o Conditions
    Filter for devices: Exclude filtered devices from the policy
    Rule syntax: device.displayName -startsWith "Device"
• Access controls
  o Grant: Block access
  o Session: 0 controls selected
• Enable policy: On

• Name: CAPolicy2
• Assignments
  o Users or workload identities: Group2
  o Cloud apps or actions: Office 365 SharePoint Online
  o Conditions: 0 conditions selected
• Access controls
  o Grant: Grant access
    Require multifactor authentication
  o Session: 0 controls selected
• Enable policy: On

All users confirm that they can successfully authenticate using MFA.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.


Comments

vaaws
Highly Voted 1 year, 7 months ago
Azure Conditional Access policies can only apply to devices that are registered or joined in Azure Active Directory. If a device is not registered or joined, the policy will not be able to read the device name. N Y Y
upvoted 17 times
Alcpt
1 year ago
Wrong reason. Microsoft Entra ID uses device authentication to evaluate device filter rules. For a device that is unregistered with Microsoft Entra ID, all device properties are considered as null values and the device attributes cannot be determined since the device does not exist in the directory. The best way to target policies for unregistered devices is by using the negative operator since the configured filter rule would apply. If you were to use a positive operator, the filter rule would only apply when a device exists in the directory and the configured rule matches the attribute on the device.
upvoted 2 times
Ody
1 year, 3 months ago
I agree. For a device that is unregistered with Microsoft Entra ID, all device properties are considered as null values and the device attributes cannot be determined since the device does not exist in the directory. The best way to target policies for unregistered devices is by using the negative operator since the configured filter rule would apply. If you were to use a positive operator, the filter rule would only apply when a device exists in the directory and the configured rule matches the attribute on the device. https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-condition-filters-for-devices
upvoted 4 times
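As an added example (not from the question or any commenter), the following Python models the evaluation rule the thread quotes from the Microsoft docs: a device that is not registered or joined has every property evaluated as null, so a positive operator such as -startsWith never matches it, while a negative operator does. The group memberships and device states are reconstructed from how commenters describe the missing tables and are an assumption.

```python
from collections import namedtuple
# trust_type is "joined", "registered", or None for a device that is not in the directory
Device = namedtuple("Device", "display_name trust_type")
User = namedtuple("User", "name groups")
# device_filter is None or (mode, operator, value), mode being "exclude" or "include"
Policy = namedtuple("Policy", "name groups grant device_filter")

def device_property(device, prop):
    # Documented behaviour: every property of an unregistered device evaluates as null
    return None if device.trust_type is None else getattr(device, prop)

def filter_matches(device, operator, value):
    name = device_property(device, "display_name")
    if operator == "-startsWith":       # positive operator: a null name never matches
        return name is not None and name.startswith(value)
    if operator == "-notStartsWith":    # negative operator: a null name does match
        return name is None or not name.startswith(value)
    raise ValueError(f"unsupported operator {operator}")

def policy_applies(policy, user, device):
    if not (user.groups & policy.groups):
        return False
    if policy.device_filter is None:
        return True
    mode, operator, value = policy.device_filter
    matched = filter_matches(device, operator, value)
    return not matched if mode == "exclude" else matched

def can_access(user, device, policies, mfa_satisfied=True):
    """True unless an applicable policy blocks, or requires MFA the user cannot satisfy."""
    for policy in policies:
        if policy_applies(policy, user, device):
            if policy.grant == "block" or (policy.grant == "mfa" and not mfa_satisfied):
                return False
    return True

# Policies as given in the question. Users and devices are a constructed reconstruction
# of the missing tables from how commenters describe them (an assumption).
CAPOLICY1 = Policy("CAPolicy1", frozenset({"Group1"}), "block", ("exclude", "-startsWith", "Device"))
CAPOLICY2 = Policy("CAPolicy2", frozenset({"Group2"}), "mfa", None)
SCENARIO = [
    (User("User1", frozenset({"Group1"})), Device("Device1", None)),
    (User("User2", frozenset({"Group2"})), Device("Device2", "joined")),
    (User("User3", frozenset({"Group1", "Group2"})), Device("Device3", "registered")),
]

def outcomes():
    # Maps each user to whether they can reach Site1 from their device (True = Yes)
    return {user.name: can_access(user, device, [CAPOLICY1, CAPOLICY2]) for user, device in SCENARIO}
```

Switching CAPolicy1's filter to an include rule with -notStartsWith is the documented way to target unregistered devices, and the same functions show why.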
Florian74
Highly Voted 1 year, 7 months ago
If CAPolicy1 included the filtered devices it would be YNY. But the policy excludes them. So YYY for me.
upvoted 10 times
Saynot
1 year, 4 months ago
If the device isn't registered at least, the conditional access policy filter can't evaluate the name, so for me it is NYY.
upvoted 5 times
Rackup
Most Recent 3 months ago
User1 is in Group1 only. Policy 1 would block access for Group1 users if they used a device not excluded, but since all “Device*” machines are excluded, User1 is not blocked and can access SharePoint Online from any of those devices. User2 is in Group2 only. Only Policy 2 applies, requiring MFA. User2 confirms MFA is working, so User2 can access Site1 from any device, including Device2. User3 is in Group1 and Group2. Policy 1 does not apply because Device3 is excluded by name. Policy 2 requires MFA, which User3 can do. Therefore, User3 can also access Site1 from Device3.
upvoted 2 times
Frank9020
4 months, 2 weeks ago
User1 ❌ No Blocked by CAPolicy1 (not excluded). User2 ✅ Yes Allowed via CAPolicy2 (MFA required). User3 ✅ Yes Excluded from CAPolicy1, so only CAPolicy2 applies (MFA required). In Conditional Access, exclusions override inclusions, meaning an excluded user/device is not affected by the policy!
upvoted 1 times
Sunth65
4 months, 1 week ago
NB! Filter for devices: Exclude filtered devices from the policy !
upvoted 1 times
Sunth65
4 months, 1 week ago
Name: CAPolicy1 Filter for devices: Exclude filtered devices from the policy Rule syntax: device.displayName -startsWith “Device”
upvoted 1 times
Frank9020
4 months, 1 week ago
You cannot use a CA policy filter for a device that is not registered in AD. Device1 is not registered in Azure AD; that is why User1 is blocked by the policy, because the filter will not recognize an unregistered device.
upvoted 2 times
Nail
7 months, 3 weeks ago
Let's take this one user at a time.
User1: Tries to access Site1. They belong to Group1 so CAPolicy1 is applied. The CAP considers the device name null so the user is not excluded and the user is blocked. Answer: N
User2: Tries to access Site1. They belong to Group2 so CAPolicy2 is applied. They can access Site1 if they do MFA. Answer: Y
User3: Tries to access Site1. They belong to Group1 and Group2 so both CA policies are applied. CAPolicy1 reads the device name and excludes the user so they can access. CAPolicy2 is applied and allows the user to access if they do MFA. Answer: Y
Summary: NYY
upvoted 7 times
CubicTeach
1 year, 1 month ago
First is NO since the device is not registered or joined, user 2 is yes, user 3 is yes; the policy says exclude anyone whose device name starts with "Device". That's my opinion, I could be wrong, but that's my answer.
upvoted 2 times
klayytech
1 year, 2 months ago
Microsoft Entra ID uses device authentication to evaluate device filter rules. For a device that is unregistered with Microsoft Entra ID, all device properties are considered as null values and the device attributes cannot be determined since the device does not exist in the directory.
upvoted 1 times
Nielll
1 year, 2 months ago
Device1 is not Azure AD joined and its name starts with “Device”, so it’s affected by CAPolicy1 which blocks access for Group1 members. So, User1 cannot access Site1 from Device1. The answer is No. Device2 is Azure AD joined and its name starts with “Device”, so it’s affected by CAPolicy1. However, User2 is not a member of Group1, so CAPolicy1 doesn’t apply. User2 is a member of Group2, and CAPolicy2 applies to Group2. CAPolicy2 grants access with MFA, and User2 can successfully authenticate using MFA. So, User2 can access Site1 from Device2. The answer is Yes. Device3 is Azure AD registered and its name starts with “Device”, so it’s affected by CAPolicy1 which blocks access for Group1 members. However, User3 is also a member of Group2, and CAPolicy2 applies to Group2. CAPolicy2 grants access with MFA, and User3 can successfully authenticate using MFA. So, User3 can access Site1 from Device3. The answer is Yes. No YES YES
upvoted 5 times
Sunth65
4 months, 1 week ago
NB! Filter for devices: Exclude filtered devices from the policy !
upvoted 1 times
Tony416
9 months, 1 week ago
Great explanation. 100% agreed!
upvoted 1 times
Kmkz83510
1 year, 6 months ago
I think most agree that it's ?YY. The debate is regarding the first one and whether the policy is applied because the device is not registered or joined. See here: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-registration-mfa-sspr-combined#methods-available-in-combined-registration It appears to depend on the rule logic that is applied. In this case, since a 'positive' operator was used, the policy is not applied and therefore access should be granted. Therefore YYY.
upvoted 3 times
AleFerrillo
1 year, 1 month ago
No, in this case the EXCLUSION is not applied and the policy blocks access (NYY)
upvoted 2 times
Sorrynotsorry
1 year, 6 months ago
NYY. CAP1 can’t read device1 name so will block access.
upvoted 2 times
Nyamnyam
1 year, 7 months ago
YYY definitely. Consider this: CAP1 is a blocking policy, but with an Exclusion condition. This is very clear: any device from Group1 will be blocked, EXCEPT the ones starting with "Device". Haha, User1 and 3 are thus always allowed no matter the device join type or compliance state. CAP2 is a simple MFA enforcement policy for Group2. User2 will be able to access the site (once he was registered for MFA) independent of which device (1, 2, 3) he accesses Site2 from. Trust me, I have worked with CAPs in real life for years.
upvoted 7 times
Peeeedor
1 year, 7 months ago
I am a little confused. How can user 1 be in group 1 and successfully use MFA while not being Entra ID joined or registered?
upvoted 1 times
Nivos300
1 year, 7 months ago
I agree with you. In my opinion the answer is N Y Y.
upvoted 1 times
0byte
1 year, 7 months ago
Hmm... NYY for me. Here is my thinking (have to say I haven't tested it yet :-)). User1 will be blocked because its device is neither AzureAD-joined nor registered and the device's name cannot be evaluated. CAPolicy1 will block it. User2 will be allowed as it doesn't fall under either of the two policies. User3 will be excluded from blocking by CAPolicy1 (because of the device name) and will be allowed by CAPolicy2 because of membership in Group2.
upvoted 1 times
JCkD4Ni3L
1 year, 7 months ago
YYY, as all devices are "excluded" from CAPolicy1, and since CAPolicy2 only triggers MFA, all users can access from any device through MFA.
upvoted 3 times
JCkD4Ni3L
1 year, 7 months ago
Hmm, since Device1 has no Azure AD joined/registered state it cannot report its name and will be blocked by CAPolicy1. I would therefore state NYY.
upvoted 3 times
MarkElliott
1 year, 7 months ago
Wrong, look at the syntax rule: exclude device names that start with Device. Correct answer given.
upvoted 1 times
MarkElliott
1 year, 7 months ago
In fact, just checked: it says exclude devices from the rule, so it is YYY.
upvoted 2 times
Nail
7 months, 3 weeks ago
It is not excluding devices from the rule, it is excluding devices that start with "Device". The CAP can't see the name of the device because it is null so the user is not excluded from the CAP. NYY
upvoted 1 times
DasChi_cken
1 year, 8 months ago
User1 and User3 are in Group1 and their device names start with "Device" --- access blocked. User2 is in Group2 and will only be prompted for MFA.
upvoted 1 times
Intrudire
1 year, 7 months ago
Devices that start with "Device" are excluded from being blocked: Filter for devices: Exclude filtered devices from the policy Rule syntax: device.displayName -startsWith “Device”
upvoted 2 times
shuhaidawahab
1 year, 8 months ago
Explanation: User1 is a member of Group1, which is assigned to CAPolicy1. This policy blocks access to SharePoint Online for any device that starts with “Device”. Since Device1 has this prefix, User1 cannot access Site1 from Device1. User2 is a member of Group2, which is assigned to CAPolicy2. This policy grants access to SharePoint Online with MFA for any device. Since User2 has confirmed MFA, they can access Site1 from Device2. User3 is not a member of any group that is assigned to a Conditional Access policy. Therefore, they have the default access level to SharePoint Online, which is none. User3 cannot access Site1 from Device3.
upvoted 1 times
cgonIT
1 year, 8 months ago
At the very beginning I was telling N, N, N. But then I decided to test in a lab.
- Created 2 AAD security user groups.
- Created 3 users, and added to each group.
- Created 2 Conditional Access policies.
Tested with WhatIf... and that surprised me. Y, Y, Y.
- User 1, no Conditional Access is detected to be applied.
- User 2 and 3, MFA will be required.
So all 3 are Yes.
upvoted 2 times
klayytech
1 year, 2 months ago
Microsoft Entra ID uses device authentication to evaluate device filter rules. For a device that is unregistered with Microsoft Entra ID, all device properties are considered as null values and the device attributes cannot be determined since the device does not exist in the directory.
upvoted 1 times
agittunc
1 year, 7 months ago
You do realize that device 1 isn't even AD joined, right? N, Y, Y
upvoted 2 times