Exam MS-100 topic 4 question 67 discussion

The core principles here are: 1. All Conditional Access policies in scope are applied and merged together - there is no priority order for CA policies. 2. Block access always wins over Allow access. 3. Exclude always wins over Include. So on that basis, the answers should be No, Yes, No.

User 1 should have access because user 1 is neither member of group 1 nor group 2. So, the conditional access should not apply to this user because conditional access will only apply to the members of groups 1 or 2. Any idea ???

Yes (User one is not a member of either Group1 or Groupe2), Yes (User2 in Group1, Policy1 Exclusion, Device1 is Compliant), No (User2 in Group1, Device2 is Not Compliant, Not excluded from Policy1)

Box 1: Y as user1 is not a member of group1 so no policy applies Box 2: Y as user 2 is a member of group1 and device1 is compliant only policy3 applies that grants access Box 3: No as user2 is a member of group1 and device2 is incompliant, policy1 applies that blocks access

Y,Y,N is correct, just tested!

Answer are correct. Tested!!

correct

Multiple Conditional Access policies may apply to an individual user at any time. In this case, all policies that apply must be satisfied. For example, if one policy requires multi-factor authentication (MFA) and another requires a compliant device, you must complete MFA, and use a compliant device. All assignments are logically ANDed. If you have more than one assignment configured, all assignments must be satisfied to trigger a policy. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policies

So if Lynxy is correct and table one is incorrect: "The first table is incorrect - this should read User 1 - Group 1" Would that change the first question? Think it Might be NYN in that case? Policy 1 should take priority with the block access over Policy 3?

The access is granted by hierarchy. Policy 1 is applied first, Policy 2 second and Policy 3 is the catch all at the end. User 1 has no policies applied to it. So all access, I believe. There appears to be no policy prohibiting User 1's access to App 1 unless there is a rule that says you have access only if you meet one of these criteria. User 2 cannot access App 1 on non-compliant devices. Device 1 is compliant. Device 2 is not. Yes? Yes. No.

The first table is wrong, as Lynxy has stated.

in policy2 the device state include is "none", so I think the policy has no effect even on user1 or user2

Yes Yes No

I have my doubt on this question and not sure if the first table is accurate. Here is the answers for different scenarios ... If User1 is member of "Compliant" group, YES YES NO. If User1 is member of "Group1" group, NO YES NO.

1. None of the policy will apply to user1 because he is not in Group1. 2. Policy1 will not apply because User2 is in Group1 and device is compliant which is excluded from the policy. Policy2 will not apply to User2 because he is also part of Group2 which means he is excluded. Policy3 will apply because User 2 is in Group1 and Policy3 allows all device states. Hence he will be granted access. 3. Policy1 will apply because User2 is in Group1 and the device state is noncompliant which the exclusion does not apply. Hence the access will be blocked. No need to go to other 2 policy as block wins over grants.

N N N correct

Policy 1 does not apply, Device 1 is excluded because it is compliant. Policy 2 does block access because User 1 is in group 1 and not in the excluded group 2. Answer N Policy 1 does not apply, Device 1 is compliant and excluded. User 2 is member of Group 2, so Policy 2 does not apply because Group 2 is excluded. Policy 3 does apply, User2 is member of group 1, and there are no device status configured. Answer Y Policy 1 does apply, User 2 is member of group 1, Device 2 is Noncompliant. Answer N NYN