Exam MS-102
Question 32

HOTSPOT -

You have an Azure AD tenant named contoso.com that contains the users shown in the following table.

Multi-factor authentication (MFA) is configured to use 131.107.5.0/24 as trusted IPs.

The tenant contains the named locations shown in the following table.

You create a conditional access policy that has the following configurations:

Users or workload identities assignments: All users

Cloud apps or actions assignment: App1

Conditions: Include all trusted locations

Grant access: Require multi-factor authentication

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Discussion
Haso

Y: User is in trusted location from CA policy
Y: User is in trusted location from CA policy
N: Trusted IPs in the MFA settings contain a list of IPs from which MFA can be skipped.
https://c7solutions.com/2022/07/what-is-multifactor-authentication-trusted-ips

365cm

I don't think it's marked as a trusted location, as it's in a different subnet than the subnets listed as trusted.

Iali11

https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings

osxzvkwpfcfxobqjby

Y: User is in trusted location from CA policy
Y: User is in trusted location from CA policy
Y: User is in trusted location set by MFA config
The MFA per-user setting is an old (but still existing) one. AAD > All Users > Per-User MFA icon > Gray Service setting tab
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#view-the-status-for-a-user

certma2023

No, it should be YYN. The trusted IPs configured inside the legacy per-user MFA settings are IPs where MFA is bypassed. Therefore, if the user connects from the "Trusted IPs" IP range, he won't be prompted for MFA.

sergioandreslq

Y: User is in trusted location from CA policy
Y: User is in trusted location from CA policy
Y: User is in trusted location set by per-user MFA config
Per-user MFA is an old (but still existing) one. I tested this scenario: I put my IP address as a trusted IP in per-user MFA and required MFA in a Conditional Access policy. After testing, I am getting the request for MFA, meaning that the bypass in per-user MFA is not being applied.

Iali11

I believe the given answer is correct. First you need to remove the IP from trusted IPs and add it to a trusted location, otherwise it will bypass the MFA prompt: https://dirteam.com/sander/2020/07/07/todo-move-from-mfa-trusted-ips-to-conditional-access-named-locations/

northgaterebel

NYN? User1's MFA is disabled. I have seen questions like this on SC-300, and the consensus was that since the user can't use MFA they will be denied, and that's different from using MFA to grant access. Roll the dice.

NrdAlrt

But the question is whether the statement is true. Down to the last point of the first statement... MFA is required. I think the answer is still technically yes, this is a true statement, as policies don't make exceptions for people who are not enrolled in MFA.

daye

The Q is about whether User1 MUST use MFA. And the answer is Yes, because it's forced by the Conditional Access policy and he/she has to use it. The next topic is about the current MFA user status: that user will be asked to register/activate it since MFA is a requirement. This is the difference.

Iccen

Correct me if I'm wrong please! But the question is: must he use it? Not: can he use it?

Scotte2023

Trusted locations

Locations such as your organization's public network ranges can be marked as trusted. This marking is used by features in several ways. Conditional Access policies can include or exclude these locations. Sign-ins from trusted named locations improve the accuracy of Microsoft Entra ID Protection's risk calculation, lowering a user's sign-in risk when they authenticate from a location marked as trusted. Locations marked as trusted can't be deleted. Remove the trusted designation before attempting to delete.

Trusted IPs

The trusted IPs feature of Microsoft Entra multifactor authentication also bypasses MFA prompts for users who sign in from a defined IP address range. You can set trusted IP ranges for your on-premises environments. When users are in one of these locations, there's no Microsoft Entra multifactor authentication prompt. The trusted IPs feature requires Microsoft Entra ID P1 edition.

Wuhao

The trusted IPs feature of Microsoft Entra multifactor authentication bypasses multifactor authentication prompts for users who sign in from a defined IP address range. You can set trusted IP ranges for your on-premises environments. When users are in one of these locations, there's no Microsoft Entra multifactor authentication prompt. The trusted IPs feature requires Microsoft Entra ID P1 edition. https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings#trusted-ips

Tomtom11

MFA Enabled vs Enforced

Microsoft Azure Active Directory uses various terms to show the status of multi-factor authentication (MFA) for each user. These user states are shown in the Azure portal and all start out as disabled.

MFA Enabled: The user has been enrolled in MFA but has not completed the registration process. They will be prompted to complete the registration process the next time they sign in.

MFA Enforced: The user has been enrolled and has completed the MFA registration process. Users are automatically switched from enabled to enforced when they register for Azure AD MFA.

MFA Disabled: This is the default state for a new user that has not been enrolled in MFA.

benpatto

Agree with Y Y N (this is marked as a trusted location, so MFA can be skipped).

365cm

Y Y N. Trusted IPs: you can set them so that they bypass MFA.

TP447

If the CA policy is scoped to Trusted Locations then, by definition, an untrusted location would get access to App1 fine, whereas ALL trusted locations would be challenged for MFA. CA would still prompt for MFA to grant access even if the legacy MFA settings have trusted IPs (unless the Trusted IPs were EXCLUDED from the policy, which they are not). I think this should be Y/Y/Y here on this basis, personally.

Atos

The given answer looks correct: YYN. (User MFA status is irrelevant in this case.) The CA policy hits the first 2; the last one is in the trusted IP range. To elaborate, when users are enabled individually, they perform multifactor authentication each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the remember MFA on trusted devices feature is turned on).

Tomtom11

https://learn.microsoft.com/en-ie/entra/identity/authentication/concept-mfa-howitworks

Vaerox

I also believe it's Y Y Y: https://learn.microsoft.com/en-us/entra/identity/conditional-access/location-condition#configure-mfa-trusted-ips
I believe it only skips MFA if you configure "Skip multifactor authentication for requests from federated users on my intranet" as an option for a Conditional Access policy.

Navin_83

It should be YYY because the policy is set to include all trusted locations, not to exclude any trusted location. Which means it's YYY.