Exam MS-102
Question 247

HOTSPOT

You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

You configure a multi-factor authentication (MFA) registration policy that has the following settings:

• Assignments:
  o Include: Group1
  o Exclude: Group2
• Access controls: Require Azure MFA registration
• Enforce Policy: On

You create a conditional access policy that has the following settings:

• Name: Policy 1
• Assignments:
  o Include: Group2
  o Exclude: Group1
• Access controls:
  o Grant, Require multi-factor authentication
• Enable policy: On

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.
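
An added example (not part of the question or of any comment below) that evaluates only the assignment scope of the two policies, using the rule that an exclusion overrides an inclusion. The group memberships are an assumption taken from the commenters' descriptions, since the user table is not shown on this page, and the code does not model MFA status or sign-in behaviour.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    include: frozenset
    exclude: frozenset

    def applies_to(self, groups):
        """In scope only if in an included group and in no excluded group."""
        groups = set(groups)
        return bool(groups & self.include) and not (groups & self.exclude)


# Assumed memberships (from the discussion; the question's table is missing).
USERS = {
    "User1": {"Group1"},
    "User2": {"Group1", "Group2"},
    "User3": {"Group2"},
}

# The two policies as configured in the question.
REGISTRATION = Policy("MFA registration policy",
                      frozenset({"Group1"}), frozenset({"Group2"}))
POLICY1 = Policy("Policy 1", frozenset({"Group2"}), frozenset({"Group1"}))


def scope_report(users, policies):
    """Map each user to the names of the policies whose assignment covers them."""
    return {user: [p.name for p in policies if p.applies_to(groups)]
            for user, groups in users.items()}


def uncovered(users, policies):
    """Users that no policy covers: the gap a mirrored include/exclude leaves."""
    report = scope_report(users, policies)
    return sorted(user for user, names in report.items() if not names)


if __name__ == "__main__":
    policies = [REGISTRATION, POLICY1]
    for user, names in scope_report(USERS, policies).items():
        print(f"{user}: {', '.join(names) or 'no policy in scope'}")
    print("Covered by neither policy:", uncovered(USERS, policies))
```

Running the same check against real group exports shows which accounts a mirrored include/exclude pair leaves outside both the registration policy and the Conditional Access policy.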

    Correct Answer:

Discussion
Kmkz83510

Have not tested, but I think YNY since the question is about registration.
U1 - User will be prompted because they are in Group1. They aren't currently registered and would be required to do so because of registration policy. Does not matter if they are excluded from CA. Remember register, not necessarily use for access.
U2 - Already registered.
U3 - User not registered. Even though they are excluded from the registration policy, they need MFA for CA, so they are forced to register anyway.

Mr4D97

Statement 1 = Yes - User 1 is part of group 1 with MFA status disabled and, as per the MFA registration policy, will need to register for MFA.
Statement 2 = No - Although part of group one and two, they already have MFA enabled so will not need to register for it.
Statement 3 = No - does not have MFA enabled already, is part of group 2 so is excluded from registration policy, therefore will not need to register.
Y, N, N
These are my thoughts but please comment if you think I'm wrong or have any further points to add :)

Vaerox

Statement 3 must be Yes. The user is indeed excluded from the MFA Campaign (policy) but is included in the CA policy, which enforces MFA.

Vaerox

Y, N, Y
User 1 = Might be excluded from the CA policy but is still required to set-up MFA because of the MFA Campaign
User 2 = Excluded from the CA policy and has also already registered MFA.
User 3 = CA policy enforces the user to set-up MFA (we have this type of policy for over 100 customers. You can't skip the 14 day grace period).

BSVIT

Yes, no, no? It's about REGISTRATION for MFA, not prompting to login with it.

Cloudddddd

Correct answer is: No, Yes, Yes
https://www.examtopics.com/discussions/microsoft/view/58278-exam-ms-100-topic-4-question-69-discussion/

sigvast

The question you linked is about "use MFA", this one asks "register for MFA". Not the same thing.

AAlmani

Yes No Yes
If you enable MFA via the MFA portal, you completely rub out the ability to utilize Conditional Access Policies. You must have the Azure MFA user state set to disabled, and a CA policy configured to require multi factor authentication for CA based settings to apply.
- user1 excluded from the CA but enforced to register MFA based on the first policy. (yes)
- user2 included in the CA (no, already registered)
- user3 included in the CA but MFA not registered yet (yes, should register)

aleksdj

NYY
Exclude wins over include
User1 = Group1 = Excluded = no MFA required
User2 = Group1/Group2 = Should be Excluded because Group1 is excluded BUT MFA Auth Status is set to enabled so User2 must register for MFA
User3 = Group2 = included = MFA required

aleksdj

Correction: User2 has already MFA Enabled, so no need to register again, answer is NO. The given answer is correct, NNY

MvdSpoel

Answers are correct
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy
https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide

MvdSpoel

Answers are correct
User 1 -> No: See https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults#require-all-users-to-register-for-microsoft-entra-multifactor-authentication users have a 14 day grace period after which they require registration
User 2 -> No: because there are no MFA rules applicable. Because user is a member of Group 1 and Group 2 which are both used as include and exclude
User 3 -> Yes: The MFA policy used is require authentication, which overrules the grace period of 14 days

oopspruu

When MFA is being pushed from MFA Registration policy, you are not required to setup MFA on the very next login. You have 14 days to complete it. Given answers are correct.

Valavanchandran

Why the 3rd user should when he is excluded from both CA?

Tomtom11

Microsoft Entra multifactor authentication user states
All users start out Disabled. When you enroll users in per-user Microsoft Entra multifactor authentication, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced. Administrators may move users between states, including from Enforced to Enabled or Disabled.

Tomtom11

https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates

Amir1909

No Yes Yes

jt2214

I'm confused, this question is about will they need to register with MFA, not authenticate. Wouldn't it be Y, Y, N?