Exam MS-900 topic 1 question 223 discussion

D is correct: Valid Microsoft 365 Multi-Factor Authentication (MFA) methods include: A. Receive an automated call on the desk phone that includes a verification code ✔️ Valid – Users can verify their identity via an automated phone call. B. Use the Microsoft Authenticator mobile application to receive a notification and authenticate ✔️ Valid – This is a preferred and secure method using push notifications. C. Receive a call on a phone ✔️ Valid – Similar to option A, users can answer a call and press a key to verify. ❌ D. Enter a Windows 10 PIN code when prompted ✖️ Not a valid Microsoft 365 MFA method – A Windows Hello PIN is a local device authentication method. It’s considered a single factor (something you know), and while secure on the device, it doesn't count toward Microsoft 365 MFA, which must include two distinct factors like: Something you know (password) Something you have (authenticator app, phone) Something you are (biometrics)

Receive an automated call on the desk phone that includes a verification cod

I go with A - they want to trick you with D - there are situations when you have to enter a 2 letter code from the authenticator that’s true for mobiles not suite with W10

A, no code is provided via call.

Phone call verification With phone call verification during SSPR or Azure AD Multi-Factor Authentication, an automated voice call is made to the phone number registered by the user. To complete the sign-in process, the user is prompted to press # on their keypad. The calling number that a user receives the voice call from differs for each country. See phone call settings to view all possible voice call numbers. Office phone verification With office phone call verification during SSPR or Azure AD Multi-Factor Authentication, an automated voice call is made to the phone number registered by the user. To complete the sign-in process, the user is prompted to press # on their keypad.

I got this question in the exam on 2023-06-28.

I'd say D as the problem is with D is that it says "Windows 10 PIN" which can be out of Hello for Business scope, meanwhile A is definitely a valid answer.

A, no code will be given via the phone call

I'm going with answer D A PIN code is NOT a form of MFA for Microsoft 365 (see link below). A PIN code is part of part of Windows Hello for Business, but the question does not reference Windows Hello for Business - only that MFA has been enabled and the answer option of using a PIN as part of MFA. Think about it, if you log into Exchange Online by entering your username and password, it would never prompt for a PIN as both your password and PIN are both 'things you know', therefore NOT MFA. https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks#available-verification-methods

To confuse even more: A is an answer because you can't get code on the desk phone (phone call requires user to press #) And it is not D, because: If a user has signed into their Azure AD registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Azure AD resources. The Windows Hello for Business key meets Azure AD multi-factor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources.

This is same as Qn 107 I'll take D

I go with answer A. Win10 PIN is part of Windows Hello for business. It can use with MFA. https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview --- https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods ---- https://techcommunity.microsoft.com/t5/azure-active-directory-identity/it-s-time-to-hang-up-on-phone-transports-for-authentication/ba-p/1751752

Isn't answer D a part of Windows Hello?