Exam MS-101 topic 2 question 44 discussion

You need to turn security defaults off before you can enable the policy: "It looks like you're about to manage your organization's security configurations. That's great! You must first disable Security defaults before enabling a Conditional Access policy." "Security defaults must be disabled to enable Conditional Access policy." I believe the answer is: No, Yes, No

Yes, yes, no

No - Security defaults need to be off before enabling Yes - Has access to do so, no warnings No - Does not have access, cannot even see the policy

Correct answer is: NO : you cannot enable a policy when security default are enabled. Yes: report-only to off is allowed No: User adminstrator has in addition no rights.

as soon as you activate default the conditional policy will become ineffective and not accessible so N-N-N

"If you're using Conditional Access and have Conditional Access policies enabled in your environment, security defaults won't be available to you" https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults#deployment-considerations Therefore, as a result of this the answer is NNN.

The scenario is impossible to achieve: if you have a policy in conditional access you cannot enable security defaults - "It looks like you have Identity Protection policies enabled. Enabling Identity Protection policies prevents you from enabling Security defaults." If you have Security Defaults enabled, you cannot save the conditional access policy.

Just tested this scenario in my tenant. Replicated the question and with the Security Defaults set to "Yes" none of the users could enable the policy. So the answer is N, N, N.

Y-Y-N is the answer User admin don't have access to edit conditional access policies guys

Darkwing Duck to the rescue :) Answers are correct. Caz you can have Read Only or OFF - Policy status. To test Conditional policy before applying them. As soon as you switch Policy ON you will get a message "Security defaults must be disabled to enable Conditional Access policy."

N-Y-N 1. No - Can not set to on. Before the Security defaults must be disabled 2. Yes - Off ist ok with Security defaults must be disabled 3. No - No rights to edit CA

NYN and agreed with below: Because you set Enabled Security defaults to Yes for the tenant... N Conditional access policy can not be changed from report-only to on Y conditional access policy can be changed from report-only to off N user admin role doesn't have rights to modify conditional access policy

This is a trick question, it's no to all of them. If you enable security defaults you can't use conditional access rules until it's disabled Sources: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults#deployment-considerations If you're using Conditional Access and have Conditional Access policies enabled in your environment, security defaults won't be available to you. If you have a license that provides Conditional Access but don't have any Conditional Access policies enabled in your environment, you are welcome to use security defaults until you enable Conditional Access policies. https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414 You can’t enable Security Defaults if you’re already using conditional access policies or other settings which conflict

Security defaults must be set to off to modify/ create or turn on a conditional access policy

Because you set Enabled Security defaults to Yes for the tenant... N Conditional access policy can not be changed from report-only to on Y conditional access policy can be changed from report-only to off N user admin role doesn't have rights to modify conditional access policy

Neither can turn anything on or off. Security Default is active, so conditional access policies are disabled. NO-NO-NO

Tested on my LAB, don't need to turn off Security Defaults yes, yes. no