Exam MS-100 topic 4 question 13 discussion

3rd Box should be no as IP not from Trusted Location so Policy does not apply Subnet 131.107.5.5 is not in the range of 131.107.50.0/24

User 2 has MFA 'ENFORCED' they will always be required to enter it, even if their location doesn't apply to the policy.

3xY All trusted locations This option applies to: All locations marked as trusted locations. MFA Trusted IPs, if configured.

"Multi-factor authentication (MFA) is configured to use 131.107.5.0/24 as trusted IPs" Means that the user does not need to use MFA coming from that range. Due to this being a MFA trusted IP and not a CAP trusted location the CAP is not applied. Answer is YYN

Because all trusted locations/ip's are included into the CA policy all users have to do MFA. MFA settings per user don't matter anymore. I just tested this scenario.

On Exam 03.01.2023

Hahaha, trick question! CA policy includes all users and all trusted IP's, everyone has to use MFA. Stupid question though.

Answer is N,Y,Y All trusted locations are included (not Excluded)- meaning any one from those location and only from those locations will be granted access with condition of Require MFA. if you have IP other than 131.107.5.0/24 rage then this policy will not apply. As for User2, MFA is enabled per user basis so will prompt for MFA regardless of condtional Access policy.

Even though User 1 has MFA disabled, the conditional access policy will still apply and require MFA be used. User 1 will need to sort out the disabled status before accessing App1 (raise a ticket with IT 🤣)

This question was in my exam on 06/April/2022. I passed.

from the documentation: If needed, you can instead enable each account for per-user Azure AD Multi-Factor Authentication. When users are enabled individually, they perform multi-factor authentication each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the remember MFA on trusted devices feature is turned on). https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates so answer 3 is NO. Also, "Enforced" means that the user has completed the MFA Registration process.: from the same link: All users start out Disabled. When you enroll users in per-user Azure AD Multi-Factor Authentication, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced. Administrators may move users between states, including from Enforced to Enabled or Disabled.

The given answer is correct !

If user 2 wasnt enforced to use MFA the 3rd box should say no, but in this case all boxes are yes

key word on the exhibit is: Conditions: "INCLUDE" all trusted locations That is why answer is YES. Agreed that in general we do configure trusted location to EXCLUDE from being forced to use MFA, but this was not the Q

In exam today

The first box should be NO because the MFA feature is disabled for the user1, even if the conditional policy force him to use MFA, but he couldn't because the MFA is not enabled at the first place

They do tell use that Named locations have been configured to block not included IP ranges, but to create location you need to include one IP range 1 Open the Azure portal and navigate to Azure Active Directory > Conditional access > Named locations; 2 On the Named locations blade, click New location to open the New blade; 3 On the New blade, provide a Name and IP range, and click Create; https://www.petervanderwoude.nl/post/conditional-access-and-named-locations/ Locations are designated in the Azure portal under Azure Active Directory > Security > Conditional Access > Named locations. These named network locations may include locations like an organization's headquarters network ranges, VPN network ranges, or ranges that you wish to block. Named locations can be defined by IPv4/IPv6 address ranges or by countries. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition https://docs.microsoft.com/en-us/answers/questions/31819/trusted-locations-mfa-conditional-access-not-apply.html answer should be YES | YES | YES.