Exam MD-101 topic 3 question 76 discussion

So much confusion here..... MULTI-FACTOR AUTH STATUS (MFA Legacy) and Conditional Access are not the same! MULTI-FACTOR AUTH STATUS (Azure Active Directory-> Users -> Per Users-MFA) Note that in the conditional access under conditions there is Include, so the policy will be applied only if the conditions is true (so the policy will apply only to the trusted location) The correct answer is: 1 - NO: User1 Sign-in from an UN-Trusted Location, so the policy CAPolicy1 won't be applied 2 - YES: User1 Sign-In from a Trusted Location, so the policy will be applied (Grant Access, Require MFA), also if the MFA Status report as disabled, doesn't mean anything. If the user has not yet configured the mfa he will be asked to register 3 - NO: The Multi-Factor Auth Status is Enforced, so at every Sign-In User2 is required to approve MFA (regardless of conditional access...MFA Legacy in enforced mode take precedence to Conditional Access), but there is Public Subnet 123.30.20.0/24 marked as trusted IP per MFA Legacy, so is not required from this location

This is Chat GPT answer. If user level MFA is disabled and Conditional access enable MFA for the same user, which one will be applied? ChatGPT If a user has MFA disabled at the user level but there is a Conditional Access policy in place that requires MFA for that user, the Conditional Access MFA requirement will take precedence over the user-level MFA setting. In this case, the user will be prompted for MFA despite having MFA disabled at the user level. Conditional Access policies in Azure AD have a higher priority than user-level settings. When a user attempts to access a resource or sign in, the Conditional Access engine evaluates the policies that are applicable to that user based on the conditions defined in the policies. If a Conditional Access policy requires MFA for the user, it will be enforced, overriding any user-level MFA settings. It's worth noting that if a Conditional Access policy does not require MFA for a user, the user-level MFA setting will be honored, and the user will not be prompted for additional authentication factors.

No for all, what i understood after some reading is box1: no because its not trusted location, so CA policy will not apply Box2&3: no because it is trusted location in azure and in MFA, so MFA will be bypassed. This is a tricky one.. reference: https://learn.microsoft.com/en-us/mem/intune/configuration/vpn-settings-windows-10#apps-and-traffic-rules

I think NO, NO & NO https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#azure-ad-multi-factor-authentication-user-states Also it states: If needed, you can instead enable each account for per-user Azure AD Multi-Factor Authentication. When users are enabled individually, they perform multi-factor authentication each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the remember MFA on trusted devices feature is turned on).

I'm answering NNN and taking 2 out of 3 points because idk what's right and what's not

I say N, N, Y MFA Status is disabled for User 1. If the MFA Status was 'Not Registered' then yes it would prompt user to register, however its clear it shows that its disabled

Confusing but i think it should be No No Yes No because disabled. Yes because trusted locations have been granted require MFA.

here it should be no no. no 1. not a trusted location 2 mfa is disabled for user 1 so he cannot be prompted for mfa. 3. mfa trusted iprange so AD Multifactor Authentication bzpasses multifactor authentication prompts

Why won't user 2 be prompted for MFA in answer 3? They are not in a trusted location.

I feel like it should be N N N User 1 MFA is disabled. That should override the Conditional Access Rule. So he won't be prompted for 2FA anywhere. Please correct me if I'm wrong