Exam MS-102
Question 281

HOTSPOT

You have a Microsoft 365 E5 subscription.

You need to create a Conditional Access policy that will require the use of FIDO2 security keys only when users join their Windows devices to Microsoft Entra ID.

How should you configure the policy? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

    Correct Answer:

Discussion
Motanel

User Actions - here you choose the policy to apply when the user joins the device.
Device Platform - because it is a Windows device
Require authentication strength - to require FIDO2 Key

oopspruu

1. User Actions
2. Device Platform
3. You can only use "Require MFA" with the Join or Register device user action. Tested in lab.

BJS78

Then pls test again. Grant control has 7 options and you need "Require authentication strength" for FIDO.

TonyManero

https://cloudbrothers.info/en/fido2-security-keys-are-important/ For the user action “Register or join devices” there is only the “Require multi-factor authentication” option available.

BJS78

OK, but why would you like to register or join a device? Here we are controlling cloud app access, and it is now irrelevant if the device is in AAD or not. You can access Entra from a non-registered device as well, all you need is a capable browser.

TonyManero

To register because the question says: "when users join their Windows devices to Microsoft Entra ID". Moreover, the question doesn't talk about "cloud app access", it talks about devices.

Nico282

User Actions -> has the "Register or join devices" option
Device Platform -> Windows
Require multifactor authentication -> this message pops up when you select Register or Join device: <Only "Require multifactor authentication" can be used in policies created for the "Register or join devices" user action.>