Exam MS-203 topic 1 question 7 discussion

I don't think the correct answer is on the list of options. This should be using an ActiveSyncDeviceAccess rule. https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/secure-outlook-for-ios-and-android New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "Android" -AccessLevel Block Answer D - EOP doesn't seem to have a way to block just Android from using ActiveSync. Please let me know if you disagree.

"To ensure that users of iOS and Android devices can only access work or school content using Outlook for iOS and Android, you need a Conditional Access policy that targets those potential users." https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/secure-email-recommended-policies?view=o365-worldwide#require-that-ios-and-android-devices-must-use-outlook

The answer does not appear to be listed. Should be: a mobile device mailbox policy in Exchange Online.

A is not correct because you need an Azure Premium P1 license for Conditional Access polcies!

D for sure: Conditional access and Intune or not present in 0365 E3 !

I think answer A. You will need an Azure AD Premium P1 license to get access to the Microsoft Office 365 conditional access policy feature wich is inclused in Microsoft 365 E3 (https://www.microsoft.com/en-us/microsoft-365/enterprise/e3?rtc=1&activetab=pivot%3aoverviewtab).

C is the correct answer. https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy#app-protection-policies-for-microsoft-office-apps

Approved Application List: This setting stores a list of approved applications that can be run on the mobile device. ApprovedApplicationList: The ApprovedApplicationList parameter specifies a configured list of approved applications for the device The explaination in the revealed solution area doesnt make any sense, because this settings defines what apps are allowed on the mobile and not what apps are allowed to connect to the Mailbox. if you want to do this without CA then this is the way (but its not in the answers): Create the default block rule: Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block Create an allow rule for Outlook for iOS and Android New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Allow

I think the answer that will be marked correct by Microsoft...is D. This is really a question about CA and licensing.

To benefit from the Conditional Access App Control capabilities in Defender for Cloud Apps, users must also be licensed for Azure Active Directory P1, which is included in Enterprise Mobility + Security F1/F3/E3/A3/G3, Enterprise Mobility + Security E5, Microsoft 365 E3/A3/G3, Microsoft 365 E5/A5/G5, and Microsoft 365 E5/A5/G5/F5 Security and Microsoft 365 F5 Security & Compliance. https://docs.microsoft.com/en-CA/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#azure-active-directory-identity-protection

Agree with Cbruce, the correct option isn't provided in the list.

D is not correct, the EOP connection Filter is for add the IP into trust IP E3 already include Azure Active Directory Premium plan 1 and which already have Azure AD Conditional Access https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing#available-versions-of-azure-ad-multi-factor-authentication

Answer is A https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/secure-outlook-for-ios-and-android

I think it is A, from the link posted by Cbruce

could the answer be "A" ?