Exam MS-500 topic 1 question 70 discussion

Y, N, N "All trusted locations" condition applies to All locations that have been marked as trusted location and MFA Trusted IPs (if configured) https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition#all-trusted-locations:~:text=the%20corporate%20network.-,All%20trusted%20locations,MFA%20Trusted%20IPs%20(if%20configured),-Selected%20locations

I would say Yes, No, NO

user 1 will have access with MFA. MFA trusted IPs are included in 'All trusted locations' See - https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition#all-trusted-locations

Y, N, N (prove me wrong ;) ) Based on the information provided, it appears that DC 1 has an IP address within the range of 192.168.1.0/27, which is also the IP address range that has been configured as a trusted IP address range for Azure Multi-Factor Authentication (MFA). Therefore, if the conditional access policy is configured to allow access from all trusted locations but requires MFA, DC 1 should be able to access Microsoft Forms requiring MFA, since it is located within the trusted IP address range. The trusted IP address range you configured in Azure MFA overlaps with the IP address range of DC 1, so the conditional access policy should allow DC 1 to access Microsoft Forms from its current location.

Not even considering the discussion on MFA trusted locations actually do count for Trusted Locations in CAPs (and the internal IP discussion) Answer write-up states that "DC is not trusted. CA1 applies. Access will not be granted." DC1 is not trusted -> therefore CA1 does NOT apply since it failed to meet a condition -> CA1 is NOT applied, which does not mean access is blocked, but rather in the absence of another CAP that blocks access then access is in fact GRANTED.

it says : You have the Conditional Access policies shown in the following table. Which means NAMED LOCATION. Which also means all the IP Ranges have to be external. Azure AD CA policies do not accept internal IP's. Due to this the answer should be Y,Y,Y - no policies are applied. But you cannot create this whole setup in the first place.... With MFA Trusted locations you can use internal IP addresses but only with an MFA server / NPS. The trusted IPs can include private IP ranges only when you use MFA Server. For cloud-based Azure AD Multi-Factor Authentication, you can use only public IP address ranges. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings TL:DR this question is stupid and makes no sense. I would go for Y,Y,Y

Y N N Azure MFA Trusted IP ranges option is still valid beside the trusted locations in CA !!

Regarding User1 there is some confusion. The IP range of this user is in the "trusted ips" of the MFA service settings in the old MFA portal. That means that the MFA request has to be skipped. In this case, the answer has to be N. At the same time, there is a description in Microsoft documentation, that if "Location condition" is set up as "All trusted locations" that applies to the following: - All locations that have been marked as trusted location - MFA Trusted IPs (if configured) So, based on the eam task this condition is appropriate for the 1st string of table and User1 should meet with MFA, i.e. the answer is Y. This is a weird situation. https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition#all-trusted-locations

answer is Y,N,N All trusted locations This option applies to: 'All locations that have been marked as trusted location MFA Trusted IPs (if configured)' https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition#any-location

TRIPLE NO. The IPs are Public. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings - The trusted IPs can include private IP ranges only when you use MFA Server. For cloud-based Azure AD Multi-Factor Authentication, you can use only public IP address ranges. They don't mention anything about MFA server in this question.

YNN first one is Y, because of this You configure an Azure Multi-Factor Authentication (MFA) trusted IP address range of 192.168.1.0/27

Private IP ranges can't be configured https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition#ip-address-ranges

Y,N,Y for me

Yes , NO , No 1 IS TRUSTED

It dosent state if the Condition of the CA's are included or Excluded, should we just assume its excluded? Else they include the trusted locations to have MFA if accessing.

Just note the order of IP Adress ranges in the first table it. The first line (trusted range) is number TWO. .2 Trusted .1 NOT TRUSTED .3 NOT TRUSTED

I dont get why user3 won't be prompted for MFA. The policy applied to that user says "Grant Access: Require MFA." Can someone provide a little more explaining. To me it doesn't matter where they are logging in from, they will still be required to complete MFA.