Exam MS-102
Question 267

HOTSPOT

You have a Microsoft 365 E5 subscription that contains the security groups shown in the following table.

The subscription contains the users shown in the following table.

You have a Conditional Access policy that has the following settings:

• Assignments
   o Users
      Include: Group1
      Exclude: Group2, Group3
   o Target resources
      Cloud apps
         App1
• Access controls
   o Grant
      Block access

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

    Correct Answer:

Discussion
TonyTe0

Should be YYY. The CA is not applied to User2.

TonyTe0

CA is not applied, so not blocked. So can sign in to App1. (YYY)
https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-policy-unknown-unsupported-device

JMB7448

I believe it is NYN. Here is why:
User 1 is in group1 and group 2
User 2 is not in a group
User 3 is in group1 and group 3
User 1 = N -> Block always wins (because of membership group1)
User 2 = y -> policy does not apply
User 3 = N -> Block always wins (because of membership group1)

solderboy

NNN
User1 is in Group1 (static assigned) and Group2 (dynamic assigned). CA includes Group1 but excludes Group2. Since exclusion takes precedence over inclusion, CA is not applied to User1. So, User1 cannot sign in to App1.
User2 is not in any group, hence CA is not applied. So, User2 cannot sign in to App1.
User3 is in Group1 (static assigned) and Group3 (dynamic assigned). CA includes Group1 but excludes Group2. Since exclusion takes precedence over inclusion, CA is not applied to User3. So, User3 cannot sign in to App1.
Please correct if I am wrong!

SBGM

I think TonyTe0 is right: both of the members in group 1 (Users 1 & 3) are also in dynamic groups 2 & 3, thus excluded. The policy blocks access. Since it won't be applied to all 3 users, and users without a CA policy applied can freely access, they will all be able to access the app.

TonyManero

I think NYN because: In Azure, within a Conditional Access policy, when a user belongs to multiple groups with contrasting configurations, precedence follows the rule of least privilege.

Murad01

I would say: YNN

XylosSW

Explanation? Because exclude takes precedence over include. And User 1 has group 1 & 2 and User 3 group 1 & 3. Both are excluded so can sign in the app.

BJS78

User1 is included by static group assignment and excluded by dynamic, so not in scope for the CA.
User2 is not in scope at all due to not having group memberships.
User3 is similar to User1.
So I would vote on: all out of scope of this DENY CA, so they all have access.