
MS-102 Exam - Question 30


You have a Microsoft 365 E5 subscription.

You need to create Conditional Access policies to meet the following requirements:

All users must use multi-factor authentication (MFA) when they sign in from outside the corporate network.

Users must only be able to sign in from outside the corporate network if the sign-in originates from a compliant device.

All users must be blocked from signing in from outside the United States and Canada.

Only users in the R&D department must be blocked from signing in from both Android and iOS devices.

Only users in the finance department must be able to sign in to an Azure AD enterprise application named App1. All other users must be blocked from signing in to App1.

What is the minimum number of Conditional Access policies you should create?

Correct Answer: C

To meet the stated requirements, you need to create five Conditional Access policies as follows:
1. A policy to enforce MFA and compliant device conditions for all sign-ins from outside the corporate network.
2. A policy to block sign-ins from outside the United States and Canada for all users.
3. A policy to block R&D department users from signing in using both Android and iOS devices.
4. A policy to enforce different sign-in controls, which include compliant devices and MFA, specifically for these users outside the corporate network.
5. A policy to restrict access to the Azure AD enterprise application App1 to only finance department users while blocking all other users.
This avoids any potential conflicts and ensures accurate enforcement of all specified conditions.

Discussion

12 comments
certma2023 (Option: B)
Aug 17, 2023

I would go for B answer. 4 rules configured like that:
-> One rule that targets all users & all locations except a custom trusted location (Public IP Ranges of the company). This rule grants access with MFA + Compliant device.
-> One rule that targets all users & all locations except US & Canada. This rule blocks access.
-> One rule that targets R&D Users only & Android+iOS Devices. This rule blocks access.
-> One rule that targets all users except Finance users. The rule targets only App1. This rule blocks access.
For me, it should meet the goals.

golijat
Nov 11, 2023

Your approach is indeed a clever one and it seems like it could work. However, there might be a potential issue with the first rule. In your first rule, you're targeting all users and all locations except a custom trusted location (Public IP Ranges of the company), and you're granting access with MFA + Compliant device. This rule might conflict with the third rule where you're blocking all users from signing in from outside the United States and Canada. The issue arises because the first rule could potentially allow users to sign in from outside the United States and Canada if they're using a compliant device and MFA, which contradicts the third rule that aims to block all sign-ins from outside these two countries. Therefore, it's safer to separate these into two different rules to avoid any potential conflicts or overlaps. This way, you can ensure that each rule is enforced correctly without any unintended consequences. Hence, a total of 5 rules would be needed to meet all the requirements. Please note that the actual configuration might vary based on the specific settings and conditions in your environment. It's always a good idea to test the policies in a controlled environment before deploying them in a production environment.

newark123
Dec 19, 2023

It won't work like that. You could create 100 policies that allow access and 1 rule that blocks access, and if the one rule that blocks triggers, access will be blocked. Having a rule that lets you in will not allow you to log in from a blocked rule.

Xbmc66 (Option: A)
Dec 27, 2023

3:
1 CA with: MFA and compliant device sign-in and block US and Canada
2 CA with blocking Android and iOS for only R&D
3 App1 access for finance department

Moazzamfarooqiiii
Feb 21, 2024

ChatGPT is saying C = 5

Frank9020 (Option: A)
Nov 14, 2024

Policy 1: Combine MFA, compliant devices, and geographic restrictions.
Conditions: Sign-in from outside the corporate network.
Controls: Require MFA, require compliant devices, block sign-ins from outside the United States and Canada.
Policy 2: Block R&D department users from signing in from Android and iOS devices.
Conditions: Users in the R&D department.
Controls: Block access from Android and iOS devices.
Policy 3: Restrict access to App1 to only finance department users.
Conditions: Users in the finance department.
Controls: Allow access to App1, block all other users.

nsotis28
Aug 27, 2023

answer is correct B

Master_Tx
Sep 5, 2023

I personally don't recommend creating policies that combine functions unless there is a specific need, so I chose C. However, B is what the question is asking for, as a MINIMUM.

9326359
May 6, 2024

The answer is 3, I am able to configure named locations in the new "network" section within Conditional Access. This question may be outdated as this feature says "new" next to it.

Amir1909
Feb 6, 2024

B is correct

Ody (Option: B)
Nov 13, 2024

The first two options are both requirements for being outside the corporate network.

FemiA55
Nov 18, 2024

I go for B. I don't think there is a need for conditional access management for App1. The security requirement for App1 can be taken care of by granting access to a security group with members from finance team only.

EubertT (Option: C)
Apr 14, 2025

Restrict access to the enterprise application (App1) for users in the finance department. Since this requirement applies only to a specific department and enterprise app, a separate policy is necessary.
Policy Count: 5
Minimum number of Conditional Access policies: 5
The correct answer is C. 5.

skids222 (Option: B)
Apr 19, 2025

Policy 1: MFA + Compliant device when outside corporate network
Applies to all users
Conditions: Sign-in from outside corporate network
Grant access only if: MFA is used, Device is compliant
✔ Satisfies: **MFA when outside**, **Compliant devices only when outside**
Policy 2: Block sign-ins outside US and Canada
Applies to all users
Conditions: Location is not United States or Canada
Block access
✔ Satisfies: **Block all sign-ins from outside US/Canada**
Policy 3: Block R&D from using Android and iOS
Applies to R&D group only
Conditions: Device platform is Android or iOS
Block access
✔ Satisfies: **Block R&D on mobile devices**
Policy 4: Allow only Finance to access App1
Applies to all users except Finance
Conditions: Accessing App1
Block access
✔ Satisfies: **Only Finance can sign in to App1**
✅ All requirements met using 4 policies.
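As an added illustration (not part of the question, the answer key or any comment), here is a small Python model of how Conditional Access combines several policies against one sign-in: every policy whose conditions match is enforced, any matching block policy wins regardless of grant policies, and the grant controls of all matching grant policies must all be satisfied. It encodes the four policies listed in the comment above; the group names, the App1 id and the sign-in attributes are constructed placeholders, and the model leaves out real-world details such as named-location IP matching and per-app exclusions.

```python
from dataclasses import dataclass, field
from typing import Optional

APP1 = "app1-object-id"  # constructed placeholder for App1's application id

@dataclass
class SignIn:
    groups: set              # group memberships of the signing-in user
    country: str             # resolved country of the sign-in, e.g. "US", "CA", "DE"
    corp_net: bool           # source IP is inside the trusted corporate named location
    platform: str            # "windows", "android", "iOS", ...
    app: str                 # cloud app being accessed
    mfa: bool = False        # MFA claim already present in the session
    compliant: bool = False  # device reported compliant by Intune

@dataclass
class Policy:
    name: str
    block: bool                                # True = block, False = grant with controls
    controls: set = field(default_factory=set) # e.g. {"mfa", "compliantDevice"}, all required
    include_groups: Optional[set] = None       # None = all users
    exclude_groups: set = field(default_factory=set)
    outside_corp_only: bool = False            # any location except the corporate named location
    countries_not_in: Optional[set] = None     # any location except these countries
    platforms: Optional[set] = None            # None = any device platform
    apps: Optional[set] = None                 # None = all cloud apps

def applies(p: Policy, s: SignIn) -> bool:  # in scope only when every configured condition matches
    return not ((p.include_groups is not None and not (s.groups & p.include_groups))
                or bool(s.groups & p.exclude_groups)
                or (p.outside_corp_only and s.corp_net)
                or (p.countries_not_in is not None and s.country in p.countries_not_in)
                or (p.platforms is not None and s.platform not in p.platforms)
                or (p.apps is not None and s.app not in p.apps))

def evaluate(policies, s: SignIn):
    """All in-scope policies are enforced together: any block wins, else every grant control is ANDed."""
    applied = [p for p in policies if applies(p, s)]
    blockers = [p.name for p in applied if p.block]
    if blockers: return "block", blockers
    required = set().union(*[p.controls for p in applied])
    missing = sorted(c for c in required if not {"mfa": s.mfa, "compliantDevice": s.compliant}[c])
    return ("require", missing) if missing else ("grant", sorted(required))

POLICIES = [  # the four policies listed in the comment above, in this model's terms
    Policy("P1 MFA+compliant outside corp", False, {"mfa", "compliantDevice"}, outside_corp_only=True),
    Policy("P2 block outside US/CA", True, countries_not_in={"US", "CA"}),
    Policy("P3 block R&D on Android/iOS", True, include_groups={"R&D"}, platforms={"android", "iOS"}),
    Policy("P4 block App1 except Finance", True, exclude_groups={"Finance"}, apps={APP1}),
]
```

Running `evaluate(POLICIES, SignIn({"Finance"}, "DE", False, "windows", "mail", mfa=True, compliant=True))` returns a block from P2 even though MFA and a compliant device satisfy P1, because a block control is enforced alongside the grant policy rather than being overridden by it.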