Exam MS-101 topic 1 question 47 discussion

Actual exam question from Microsoft's MS-101
Question #: 47
Topic #: 1

You have two conditional access policies named Policy1 and Policy2.
Policy1 has the following settings:
✑ Assignments:
- Users and groups: User1
- Cloud apps or actions: Office 365 Exchange Online
- Conditions: 0 conditions selected
✑ Access controls:
- Grant: Grant access
- Session: 0 controls selected
✑ Enable policy: On
Policy2 has the following settings:
✑ Assignments:
- Users and groups: User1
- Cloud apps or actions: Office 365 Exchange Online
- Conditions: 0 conditions selected
✑ Access controls:
- Grant: Block access
- Session: 0 controls selected
✑ Enable policy: On
You need to ensure that User1 can access Microsoft Exchange Online only from devices that are marked as compliant.
What should you do?

  • A. Modify the Grant settings of Policy2.
  • B. Disable Policy2.
  • C. Modify the Conditions settings of Policy2.
  • D. Modify the Grant settings of Policy1.
Suggested Answer: C
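
A simplified model of the evaluation this question turns on, added here as an illustration (not part of the original page and not Microsoft's implementation): an applicable Block policy overrides any Grant policy. The `Policy` class, its field names and the `evaluate` function are hypothetical, and only the settings named in the question and answer options B, C and D are modeled.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    enabled: bool = True
    block: bool = False              # Grant control: "Block access"
    require_compliant: bool = False  # Grant control: "Require device to be marked as compliant"
    exclude_compliant: bool = False  # Condition: exclude devices marked as compliant

def evaluate(policies, device_compliant):
    """Return True if User1's sign-in to Exchange Online is allowed.

    Assumes the user and cloud app already match every policy, as in the question.
    """
    applicable = [p for p in policies
                  if p.enabled and not (p.exclude_compliant and device_compliant)]
    # Any applicable Block policy wins over every Grant policy.
    if any(p.block for p in applicable):
        return False
    # Otherwise the grant controls of every applicable policy must be satisfied.
    return all(device_compliant or not p.require_compliant for p in applicable)

def outcome(policies):
    """(allowed on a compliant device, allowed on a non-compliant device)"""
    return evaluate(policies, True), evaluate(policies, False)

def scenarios():
    # Policy1 is modeled as stated in the question: Grant access, no controls.
    p1 = lambda **kw: Policy("Policy1", **kw)
    p2 = lambda **kw: Policy("Policy2", block=True, **kw)
    return {
        "as given": outcome([p1(), p2()]),
        "B: disable Policy2": outcome([p1(), p2(enabled=False)]),
        "C: Policy2 excludes compliant devices": outcome([p1(), p2(exclude_compliant=True)]),
        "D: Policy1 requires compliant device": outcome([p1(require_compliant=True), p2()]),
    }

if __name__ == "__main__":
    for label, (compliant, other) in scenarios().items():
        print(f"{label:40} compliant={compliant!s:5} non-compliant={other}")
```

Only the option C scenario yields access from compliant devices and a block everywhere else; option D on its own changes nothing because Policy2 still blocks every sign-in.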

Comments

techtest848
Highly Voted 3 years, 7 months ago
When two CA policies apply to an object, Block rule takes priority over Grant rule. In order to achieve the desired outcome, Policy 2 conditions will have to be edited. Block All but Exclude Devices Marked as Compliant. The given answer (C) is correct.
upvoted 21 times
prabhjot
2 years, 2 months ago
https://danielchronlund.com/2018/11/23/how-multiple-conditional-access-policies-are-applied/ (when both are present the Block CA wins over Grant CA policy) so Ans is to modify the Policy 2
upvoted 1 times
...
...
owenMS
Most Recent 2 years, 5 months ago
Selected Answer: C
C. Exclude/block takes priority over allow/grant rules.
upvoted 1 times
...
ovd
2 years, 5 months ago
D - Grant and "Require device to be marked as compliant" so pol 1 - Grant for compliant only, after them pol 2 - Block for all
upvoted 1 times
...
KrisDeb
2 years, 7 months ago
Selected Answer: C
C - only GRANT has 'Require device to be marked as compliant'
upvoted 2 times
...
TechMinerUK
2 years, 8 months ago
Selected Answer: A
Whilst C is correct as you could change the "Grant" requirement to be something such as require MFA the question seems unclear as Policy1 would allow the user to access if Policy2 wasn't present. Having said that Policy1 is missing a grant access requirement entirely which isn't possible in AzureAD Conditional Access as Grant requires at least one requirement to be present in the policy
upvoted 1 times
KrisDeb
2 years, 7 months ago
You are right - Policy 1 wouldn't exist. 'You must configure either the "Grant" or "Session" section' error.
upvoted 2 times
...
...
k9_bern_001
2 years, 10 months ago
C is correct
upvoted 2 times
...
L33D
3 years ago
Still valid, on exam Jun 25, 2022
upvoted 3 times
...
JT19760106
3 years, 5 months ago
Policy 2 would take precedence because of the conflict with Policy 1 and having the block condition. Requiring a compliant device can be done with either:
Condition -> Device State -> Exclude Device Marked as Compliant
Or
Grant -> Require device to be marked as compliant
Since the question states Grant is Block, then that would make C the logical answer
upvoted 4 times
Bulldozzer
3 years, 4 months ago
This condition is being deprecated. Now you should use "Filter for devices" condition.
upvoted 1 times
...
...
ubt
3 years, 5 months ago
Selected Answer: C
Block always wins, so need to change Policy 2 to exclude "Devices as compliant"
upvoted 3 times
...
[Removed]
3 years, 6 months ago
Ambiguous question... You can't even create a policy with "Grant access" without selecting a grant or session control so Policy1 makes no sense! If you try it in a tenant, you cannot save the policy. The easiest way would seem to add "Require device to be compliant" to the grant controls in Policy1. Since Policy2 blocks, it will take precedence so you would need to disable that policy as well. Following that logic, the answer would be to choose B and D. However, you could also modify the grant controls on Policy2 from "Block access" to "Grant access" with "Require device to be marked as compliant". That would mean Answer A, but you still have Policy1 that makes no sense!
upvoted 3 times
...
Goena
3 years, 6 months ago
C. Modify the Conditions settings of Policy2: Exclude "Devices as compliant"
upvoted 3 times
...
Flacky_Penguin32
3 years, 9 months ago
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/require-managed-devices#require-hybrid-azure-ad-joined-devices
upvoted 3 times
DiscGolfer
3 years, 8 months ago
I think the answer is A (link above that Flacky posted explains)
upvoted 2 times
...
...
Flacky_Penguin32
3 years, 9 months ago
Specifically, take note of the exclude section under Device State
upvoted 1 times
...
Flacky_Penguin32
3 years, 9 months ago
This is enforced via the Device State in the Assignments > Conditions, but is set as a control in the Access Controls > Grant via "Require device to be marked as compliant". Should note, this needs to have a device compliance policy in Intune setup.
upvoted 1 times
...
F_M
3 years, 10 months ago
By the way, a policy like the first one can't be created in Azure! It forces you to select a session control or a condition for granting the access. The last one can be set both under grant access (for example, grant access but require device marked as compliant) and in the condition panel.
upvoted 3 times
...