MS-102 Exam - Question 83


HOTSPOT

You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint Online site named Site1 and the users shown in the following table.

[Image: Exam MS-102 Question 83]

The devices are configured as shown in the following table.

[Image: Exam MS-102 Question 83]

You have a Conditional Access policy named CAPolicy1 that has the following settings:

Assignments:
  Users or workload identities: Group1
  Cloud apps or actions: Office 365 SharePoint Online

Conditions:
  Filter for devices: Exclude filtered devices from the policy
  Rule syntax: device.displayName -startsWith "Device"

Access controls:
  Grant: Block access
  Session: 0 controls selected

Enable policy: On

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

[Image: Exam MS-102 Question 83]

Correct Answer:
[Image: Exam MS-102 Question 83]

Discussion

8 comments
amurp35
Sep 21, 2023

Read the policy like this: "exclude from the block if the device starts with "device"". The first device is not registered. It is not, therefore, excluded from the block as it is not analyzed. It is blocked. The next two devices, however, are excluded from the block. N/Y/Y

ghjbhj
Sep 25, 2023

Correct, https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-condition-filters-for-devices#policy-behavior-with-filter-for-devices
Unregistered device + positive operators = filter not applied. If the filter does not apply, the device is not excepted from the block policy and is therefore blocked. N/Y/Y
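
The behaviour cited in the comment above (an unregistered device plus a positive operator means the filter does not match), modelled as an added Python example that is not part of the original thread or any Microsoft code. The device states and the Group1 membership are constructed sample values, since the question's tables are images; the model also covers a negative operator, which the question itself does not use.

```python
from dataclasses import dataclass

# operator -> (is_positive, test on the device attribute); case handling not modelled
OPS = {
    "-startsWith":    (True,  lambda attr, val: attr.startswith(val)),
    "-notStartsWith": (False, lambda attr, val: not attr.startswith(val)),
}

@dataclass
class Device:
    display_name: str
    registered: bool      # True if a device object exists in the directory

@dataclass
class BlockPolicy:        # grant control is always "Block access" in this model
    group: str
    app: str
    filter_mode: str      # "exclude" or "include" filtered devices
    operator: str
    value: str

def filter_matches(policy: BlockPolicy, device: Device) -> bool:
    positive, test = OPS[policy.operator]
    if not device.registered:
        # No device object means no attributes to evaluate: positive
        # operators never match, negative operators always match.
        return not positive
    return test(device.display_name, policy.value)

def policy_blocks(policy: BlockPolicy, groups: set, app: str, device: Device) -> bool:
    if policy.group not in groups or app != policy.app:
        return False      # user or app outside the policy's assignments
    matched = filter_matches(policy, device)
    return (not matched) if policy.filter_mode == "exclude" else matched

SPO = "Office 365 SharePoint Online"
CAPOLICY1 = BlockPolicy("Group1", SPO, "exclude", "-startsWith", "Device")

# Constructed sample devices (assumed states, not the question's table).
SAMPLE_DEVICES = {
    "Device1": Device("Device1", registered=False),
    "Device2": Device("Device2", registered=True),
    "Device3": Device("Device3", registered=True),
}

def outcomes(policy: BlockPolicy) -> dict:
    """Map device name -> True if a Group1 member is blocked from SharePoint."""
    return {n: policy_blocks(policy, {"Group1"}, SPO, d) for n, d in SAMPLE_DEVICES.items()}

if __name__ == "__main__":
    print(outcomes(CAPOLICY1))
```

Swapping the rule to a negative operator flips the result for the unregistered device, which is why the choice of operator matters when a block policy relies on a device filter exclusion.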

Motanel
Apr 25, 2024

But if the filter is not applied, then the default will be applied, which is allow, right?

Paul_white
Oct 7, 2023

MY BROTHER YOU ARE TOO GOOD!!!!! EXCELLENT RESPONSE

ThomasMcThomasface
Nov 1, 2023

This translation is so very useful to me. Thank you so much. We need more people like you

Khanbaba43
Aug 23, 2024

Amurp35, You should take up teaching as a profession. *thumbs up*

692a0df
Feb 2, 2024

Y/Y/Y for me... First one: my reading on this - as the device is not registered in Azure AD then the CAP does not apply. Then it's down to the Global settings (SharePoint Admin -> Policies -> Access Control -> Unmanaged Device) for unmanaged devices (see link) which by default is set to 'Allow full access'. https://learn.microsoft.com/en-US/sharepoint/control-access-from-unmanaged-devices?WT.mc_id=365AdminCSH_spo

SBGM
Feb 5, 2024

CA Policy does apply to every user, and because the device is unregistered it is not queried for its name so the policy does NOT filter him out, meaning the device will be blocked.

hogehogehoge
Aug 25, 2023

This answer is correct. Device1 is not registered in Azure AD. In this case, Device filter is not enabled. So Device1 is blocked.

spectre786
Sep 11, 2023

I think the policy is there to Block Access not to allow. So whoever is targeted by this policy should be blocked. So the answer should be Y/N/N, right?

PhoenixMan
Sep 15, 2023

Yes, I think the same, the policy blocks access and the answer should be Y/N/N

CheMetto
Oct 27, 2023

It's block, you are right, but the CA condition said "Exclude device that start with Device", so NYY

daye
Dec 2, 2023

but... a non Azure AD device cannot be applied by a Conditional Access, therefore it won't validate it, so it won't be blocked. In other words, it's a cloud solution for a non cloud identity device. Am I missing something?

daye
Dec 2, 2023

ah ok, I just get the ghjbhj comment. Unregistered device + positive operators = filter not applied = blocked

Moazzamfarooqiiii
Feb 23, 2024

All the devices are called Device so there is a filter to exclude device. They all have device name. So does that not mean YYY?

Khanbaba43
Aug 23, 2024

User1: Is not excluded from the block, so the block stays, hence can't access Site1. User2 & User3: Are excluded from the block, so no block applied, hence they can access Site1. My answer: NYY

Khanbaba43
Sep 5, 2024

Exclude filtered devices. 1. Device 1 not filtered and is not excluded from the block, hence blocked and CANNOT access the site. 2. Dev 2 & 3 are filtered and are excluded from the block, hence not blocked and CAN access the site.

EubertT
Apr 14, 2025

Access Evaluation:

User1 can access Site1 from Device1
User1 is in Group1
Device1 is not Azure AD joined, thus not excluded → Blocked
✅ Answer: No

User2 can access Site1 from Device2
User2 is in Group1
Device2 is Azure AD joined and matches exclusion filter → Allowed
✅ Answer: Yes

User2 can access Site1 from Device3
Device3 is Registered (not joined), not excluded
User2 is in Group1 → Blocked by policy
✅ Answer: No

✅ Final Answers:
User1 can access Site1 from Device1 → No
User2 can access Site1 from Device2 → Yes
User2 can access Site1 from Device3 → No