MS-102 Exam Questions

MS-102 Exam - Question 32


HOTSPOT

You have an Azure AD tenant named contoso.com that contains the users shown in the following table.

Multi-factor authentication (MFA) is configured to use 131.107.5.0/24 as trusted IPs.

The tenant contains the named locations shown in the following table.

You create a conditional access policy that has the following configurations:

Users or workload identities assignments: All users

Cloud apps or actions assignment: App1

Conditions: Include all trusted locations

Grant access: Require multi-factor authentication

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.
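As an added illustration (not part of the exam question or the answer key), the following Python models the location condition of the policy described above: a sign-in is evaluated against named locations marked as trusted, and separately against the legacy MFA service-settings "trusted IPs" list (131.107.5.0/24 from the question). The named-location table is not reproduced on the page, so `Location1`/`Location2` and their ranges are constructed values. Whether the legacy trusted-IP list is also counted under "All trusted locations" is left as a switch (`mfa_ips_count_as_trusted`, an assumption of this example, defaulting to off), so both readings can be tried.

```python
"""Model of a Conditional Access (CA) location condition versus the legacy
per-user MFA 'trusted IPs' setting. Added example, not exam or Microsoft code."""
import ipaddress
from dataclasses import dataclass, field

# Constructed named locations, shaped like Microsoft Graph ipNamedLocation objects.
# The question's real table is not on the page; these values are invented.
NAMED_LOCATIONS = [
    {"displayName": "Location1", "isTrusted": True,  "ipRanges": ["131.107.1.0/24"]},
    {"displayName": "Location2", "isTrusted": False, "ipRanges": ["131.107.2.0/24"]},
]

# From the question: MFA service settings trusted IPs (legacy per-user MFA setting).
MFA_TRUSTED_IPS = ["131.107.5.0/24"]


@dataclass
class CaPolicy:
    """Minimal stand-in for the policy in the question (assumed structure)."""
    apps: set
    locations: str = "AllTrusted"        # Conditions: Include all trusted locations
    grant: str = "mfa"                   # Grant access: Require MFA
    excluded_users: set = field(default_factory=set)  # "All users", nobody excluded


POLICY = CaPolicy(apps={"App1"})


def ip_in_ranges(ip: str, ranges) -> bool:
    """True if ip falls inside any CIDR range in ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def trusted_named_locations(ip: str, locations=NAMED_LOCATIONS):
    """Names of named locations marked isTrusted that contain ip."""
    return [loc["displayName"] for loc in locations
            if loc["isTrusted"] and ip_in_ranges(ip, loc["ipRanges"])]


def evaluate(user: str, app: str, ip: str, policy=POLICY, locations=NAMED_LOCATIONS,
             mfa_trusted_ips=MFA_TRUSTED_IPS, mfa_ips_count_as_trusted=False):
    """Return which lists the sign-in matches and whether the CA policy applies.

    mfa_ips_count_as_trusted (assumption switch): when True, the legacy MFA
    trusted IP ranges are treated as part of 'All trusted locations'.
    """
    trusted = trusted_named_locations(ip, locations)
    legacy = ip_in_ranges(ip, mfa_trusted_ips)
    in_trusted_location = bool(trusted) or (mfa_ips_count_as_trusted and legacy)
    applies = (user not in policy.excluded_users
               and app in policy.apps
               and policy.locations == "AllTrusted"
               and in_trusted_location)
    return {
        "trusted_named_locations": trusted,
        "in_legacy_mfa_trusted_ips": legacy,
        "ca_policy_applies": applies,
        "ca_required_control": policy.grant if applies else None,
    }


if __name__ == "__main__":
    for ip in ("131.107.1.10", "131.107.2.10", "131.107.5.10"):
        print(ip, evaluate("User1", "App1", ip))
```

The two lists are evaluated independently on purpose: the first two outputs show what the CA location condition sees, and the third shows membership in the legacy MFA trusted-IP range, which the discussion below treats as a separate setting.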

Correct Answer:

Discussion

13 comments
Haso
Aug 15, 2023

Y: User is in trusted location from CA policy
Y: User is in trusted location from CA policy
N: Trusted IPs in the MFA settings contains a list of IPs that MFA can be skipped from. https://c7solutions.com/2022/07/what-is-multifactor-authentication-trusted-ips

365cm
Dec 4, 2023

I don't think it's marked as a trusted location, as it's in a different subnet than the subnets listed as trusted.

Iali11
Jan 5, 2024

https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings

osxzvkwpfcfxobqjby
Aug 10, 2023

Y: User is in trusted location from CA policy
Y: User is in trusted location from CA policy
Y: User is in trusted location set by MFA config
MFA per user setting is an old (but still existing) one. AAD > All Users > Per-User MFA icon > Gray Service setting tab https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#view-the-status-for-a-user

certma2023
Aug 17, 2023

No, it should be YYN. The trusted IPs configured inside the legacy per-user MFA settings are IPs where MFA is bypassed. Therefore if the user connects from the "Trusted IPs" IP range he won't be prompted for MFA.

sergioandreslq
Oct 17, 2023

Y: User is in trusted location from CA policy
Y: User is in trusted location from CA policy
Y: User is in trusted location set by per-user MFA config
MFA is an old (but still existing) one. I tested this scenario: I put my IP address as a trusted IP in per-user MFA and required MFA in a Conditional Access policy. After testing I am getting the request for the MFA, meaning that the bypass in per-user MFA is not being applied.

Iali11
Jan 5, 2024

Believe the given answer is correct. First you need to remove the IP from trusted IPs and add it to a trusted location, otherwise it will bypass the MFA prompt: https://dirteam.com/sander/2020/07/07/todo-move-from-mfa-trusted-ips-to-conditional-access-named-locations/

northgaterebel
Oct 26, 2023

NYN? User1 MFA is disabled. I have seen questions like this on SC-300 and the consensus was that since the user can't use MFA they will be denied and that's different from using MFA to grant access. Roll the dice.

NrdAlrt
Nov 9, 2023

But the question is whether the statement is true. Down to the last point of the first statement... MFA is required. I think answer is still technically yes this is a true statement as policies don't make exceptions for people that are not enrolled in MFA.

daye
Nov 22, 2023

The Q is about if user 1 MUST use MFA. And the answer is Yes because it's forced by the Conditional Access and he / she has to use it. Next topic is about the current MFA user status: that user will be asked to register / activate it since the MFA is a requirement. This is the difference.

Iccen
Jan 19, 2024

Correct me if I'm wrong please! But the question is "must he use it?" Not "can he use it?"

TP447
Nov 15, 2023

If the CA policy is scoped to Trusted Locations then by definition, an Untrusted location would get access to APP1 fine, whereas ALL trusted locations would be challenged for MFA. CA would still prompt for MFA to grant access even if the legacy MFA settings have trusted IPs (unless the Trusted IPs were EXCLUDED from the policy, which they are not). I think this should be Y/Y/Y here on this basis personally.

365cm
Nov 29, 2023

Y Y N. Trusted IPs: you can set it to where it bypasses MFA.

benpatto
Nov 30, 2023

Agree with Y Y N (this is marked as a trusted location so MFA can be skipped).

Tomtom11
Mar 19, 2024

MFA Enabled vs Enforced

Microsoft Azure Active Directory uses various terms to show the status of multi-factor authentication (MFA) for each user. These user states are shown in the Azure portal and all start out as disabled.

MFA Enabled: The user has been enrolled in MFA but has not completed the registration process. They will be prompted to complete the registration process the next time they sign in.

MFA Enforced: The user has been enrolled and has completed the MFA registration process. Users are automatically switched from enabled to enforced when they register for Azure AD MFA.

MFA Disabled: This is the default state for a new user that has not been enrolled in MFA.

Wuhao
Apr 24, 2024

The trusted IPs feature of Microsoft Entra multifactor authentication bypasses multifactor authentication prompts for users who sign in from a defined IP address range. You can set trusted IP ranges for your on-premises environments. When users are in one of these locations, there's no Microsoft Entra multifactor authentication prompt. The trusted IPs feature requires Microsoft Entra ID P1 edition. https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings#trusted-ips

Scotte2023
May 2, 2024

Trusted locations

Locations such as your organization's public network ranges can be marked as trusted. This marking is used by features in several ways. Conditional Access policies can include or exclude these locations. Sign-ins from trusted named locations improve the accuracy of Microsoft Entra ID Protection's risk calculation, lowering a user's sign-in risk when they authenticate from a location marked as trusted. Locations marked as trusted can't be deleted. Remove the trusted designation before attempting to delete.

Trusted IPs

The trusted IPs feature of Microsoft Entra multifactor authentication also bypasses MFA prompts for users who sign in from a defined IP address range. You can set trusted IP ranges for your on-premises environments. When users are in one of these locations, there's no Microsoft Entra multifactor authentication prompt. The trusted IPs feature requires Microsoft Entra ID P1 edition.

Navin_83
Dec 18, 2023

It should be YYY because the policy is set to Include All trusted locations, not exclude any trusted location. Which means it's YYY.

Vaerox
Jan 26, 2024

I also believe it's Y Y Y: https://learn.microsoft.com/en-us/entra/identity/conditional-access/location-condition#configure-mfa-trusted-ips I believe it only skips MFA if you configure "Skip multifactor authentication for requests from federated users on my intranet" as an option for a Conditional Access policy.

Tomtom11
Jun 22, 2024

https://learn.microsoft.com/en-ie/entra/identity/authentication/concept-mfa-howitworks

Atos
Jul 21, 2024

Given answer looks correct: YYN. (User MFA status is irrelevant in this case.) The CA policy hits the first 2; the last one is in the trusted IP range. To elaborate, when users are enabled individually, they perform multifactor authentication each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the remember MFA on trusted devices feature is turned on).