ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam MS-102 All Questions

View all questions & answers for the MS-102 exam
Go to Exam

Exam MS-102 topic 1 question 267 discussion

Actual exam question from Microsoft's MS-102
Question #: 267
Topic #: 1
[All MS-102 Questions]

HOTSPOT
-

You have a Microsoft 365 E5 subscription that contains the security groups shown in the following table.



The subscription contains the users shown in the following table.



You have a Conditional Access policy that has the following settings:

• Assignments
o Users
Include: Group1
Exclude: Group2, Group3
o Target resources
Cloud apps
App1
Access controls
Grant
Block access

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Show Suggested Answer Hide Answer
Suggested Answer:
by solderboy at Jan. 12, 2024, 6:20 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
TonyTe0
Highly Voted 1 year, 6 months ago
Shoud be YYY User2 is not applied the CA
upvoted 31 times
BigO76
7 months ago
i think this is correct why: User1 is included via Group1 but excluded via Group2 (Finance department). Since exclusions take precedence, User1 is allowed to sign in to App1. - YES User2 is not included in Group1 and therefore is not affected by the Conditional Access policy. User2 is allowed to sign in to App1.- YES User3 is included via Group1 but excluded via Group3 (R&D department). Since exclusions take precedence, User3 is allowed to sign in to App1. - YES
upvoted 6 times
...
KennehBE
10 months, 1 week ago
When a user is both included and excluded in a Conditional Access policy, the exclusion takes precedence. This means that the user will be excluded from the policy. Exclusions are often used for emergency access or break-glass accounts
upvoted 8 times
...
...
JMB7448
Highly Voted 1 year, 3 months ago
I believe it is NYN Here is why: User 1 is in group1 and group 2 User 2 is not in a group User 3 is in group1 and group 3 User 1 = N -> Block always wins (because of membership group1) User 2 = y -> policy does not apply User 3 = N -> Block always wins (because of membership group1)
upvoted 11 times
Hiyas
8 months, 3 weeks ago
you dont know what you're saying
upvoted 5 times
...
golijat
11 months, 3 weeks ago
You are correct
upvoted 2 times
makonmakon
6 months ago
how it could be upvoted 11 times! terrible!
upvoted 2 times
...
...
...
Frank_2022
Most Recent 3 months, 1 week ago
Yes Yes Yes
upvoted 2 times
...
Kallely
9 months, 2 weeks ago
Anser is NYN, The exclude action overrides the include action in policy. https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-users-groups
upvoted 1 times
Kallely
9 months, 1 week ago
Sorry the correct answer is YYY
upvoted 3 times
...
...
Tr619899
10 months ago
1. User1 can sign in to App1 - YES User1 is in Group1, which is included in the policy. 2. User2 can sign in to App1 - YES User2 is not part of any group, so they are not excluded by the policy. 3. User3 can sign in to App1 - YES User3 is in Group1, which is assigned directly to them. Group1 is included in the Conditional Access policy, and there are no exclusions for User3. Therefore, User3 can sign in to App1.
upvoted 1 times
...
radamelca
10 months, 1 week ago
I think is YYN: User1 is in group 1 and group2, exclusion takes precedence over action in include, even if it says block. User2 is not in a group. User 3 the same case of User1, exclusion takes precedence over block action in include.
upvoted 1 times
radamelca
10 months, 1 week ago
I meant YYY
upvoted 1 times
...
...
Tomtom11
10 months, 4 weeks ago
https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-grant
upvoted 1 times
...
Tomtom11
10 months, 4 weeks ago
The answer is correct. Access controls -Grant -Block access. If the Policy apply to you. You get blocked
upvoted 1 times
justITtopics
6 months, 1 week ago
That's the key. If you are included by Group 1 membership, you will be blocked to access App1. Only if you have exclusions (members of groups 2 &3) or you are not a member of any group, you are excluded and therefore granted access.
upvoted 2 times
...
...
APK1
11 months, 3 weeks ago
For me the answer should be NYN
upvoted 3 times
...
Murad01
1 year ago
I would say: YNN
upvoted 1 times
XylosSW
1 year ago
Explanation? Because exclude takes precedence over include. And User 1 has group 1 & 2 and User 3 group 1 & 3. Both are excluded so can sign in the app.
upvoted 3 times
...
...
BJS78
1 year, 2 months ago
User1 is included by static group assignment and excluded by dynamic, so not in scope for the CA, User2 is not in scope at all due to not having group memberships User3 is similar to User1, so I would vote on: all out of scope of this DENY CA, so they all have access
upvoted 5 times
...
TonyManero
1 year, 3 months ago
I think NYN because: In Azure, within a Conditional Access policy, when a user belongs to multiple groups with contrasting configurations, precedence follows the rule of least privilege.
upvoted 2 times
TristanForest
11 months, 1 week ago
According to learn.microsoft.com - The exclude action overrides the include action in policy.
upvoted 2 times
...
...
TonyTe0
1 year, 6 months ago
CA is not applied, so not blocked. So can sign in the app1. (YYY) https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-policy-unknown-unsupported-device
upvoted 9 times
...
solderboy
1 year, 6 months ago
NNN User1 is in Group1 (static assigned) and Group2 (dynamic assigned). CA includes Group1 but excludes Group2. Since exclusion takes precedence over inclusion, CA is not applied to User1. So, User1 cannot sign in to App1. User2 is not in any group hecne CA is not applied. So, User2 cannot sign in to App1. User3 is in Group1 (static assigned) and Group3 (dynamic assigned). CA includes Group1 but excludes Group2. Since exclusion takes precedence over inclusion, CA is not applied to User3. So, User3 cannot sign in to App1. Please correct if I am wrong!
upvoted 3 times
SBGM
1 year, 6 months ago
I think TonyTe0 is right, both of the members in group 1 (Users 1 & 3) are also in dynamic groups 2 & 3, thus excluded. The policy blocks access. Since it won't be applied to all 3 users and users without a CA policy applied can freely access they will all be able to access the app.
upvoted 4 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel