Topic: MS-102 topic 1 question 32

HOTSPOT -
You have an Azure AD tenant named contoso.com that contains the users shown in the following table.

Multi-factor authentication (MFA) is configured to use 131.107.5.0/24 as trusted IPs.
The tenant contains the named locations shown in the following table.

You create a conditional access policy that has the following configurations:
Users or workload identities assignments: All users
Cloud apps or actions assignment: App1
Conditions: Include all trusted locations
Grant access: Require multi-factor authentication
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
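The following is an added illustration, not part of the exam question or any reply: a small model of how a Conditional Access (CA) policy scoped to "all trusted locations" selects sign-ins, and how that differs from the legacy per-user MFA trusted IP bypass. It assumes, per the location-condition documentation linked later in the thread, that legacy MFA trusted IP ranges surface in CA as a trusted named location called "MFA Trusted IPs"; the named-location table (Location1, Location2) is constructed because the question's tables are absent from the page.

```python
"""Added example (not from the question or any reply).

Assumptions:
- Legacy MFA 'trusted IPs' ranges appear in CA as a trusted named location
  named 'MFA Trusted IPs' (Microsoft location-condition documentation).
- A CA 'Require MFA' grant control is evaluated on its own; the per-user MFA
  bypass granted by trusted IPs is a separate, legacy mechanism.
The named locations below are constructed; only 131.107.5.0/24 is from the question.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MFA_TRUSTED_IPS = ("131.107.5.0/24",)  # value given in the question


@dataclass(frozen=True)
class NamedLocation:
    name: str
    ranges: tuple[str, ...]
    trusted: bool


# Hypothetical named locations standing in for the question's missing table.
NAMED_LOCATIONS = (
    NamedLocation("Location1", ("131.107.2.0/24",), trusted=True),
    NamedLocation("Location2", ("131.107.3.0/24",), trusted=False),
    NamedLocation("MFA Trusted IPs", MFA_TRUSTED_IPS, trusted=True),
)


def matching_locations(ip: str) -> list[NamedLocation]:
    """Return every named location whose ranges contain the sign-in IP."""
    addr = ip_address(ip)
    return [loc for loc in NAMED_LOCATIONS
            if any(addr in ip_network(r) for r in loc.ranges)]


def in_trusted_location(ip: str) -> bool:
    """True when the sign-in IP falls in at least one trusted named location."""
    return any(loc.trusted for loc in matching_locations(ip))


def ca_requires_mfa(ip: str, app: str, target_app: str = "App1") -> bool:
    """Policy from the question: all users, App1, include all trusted
    locations, grant = Require MFA. Untrusted locations are out of scope."""
    return app == target_app and in_trusted_location(ip)


def per_user_mfa_bypassed(ip: str) -> bool:
    """Legacy per-user MFA skip for trusted IPs; not a CA grant control."""
    return any(ip_address(ip) in ip_network(r) for r in MFA_TRUSTED_IPS)
```

Running `ca_requires_mfa` and `per_user_mfa_bypassed` on the same 131.107.5.x address shows the two mechanisms answering different questions: the CA policy is in scope because the location is trusted, while the legacy bypass only concerns per-user MFA.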

Re: MS-102 topic 1 question 32

Y: User is in trusted location from CA policy
Y: User is in trusted location from CA policy
N: Trusted IPs in the MFA settings contains a list of IPs from which MFA can be skipped.
https://c7solutions.com/2022/07/what-is-multifactor-authentication-trusted-ips

Re: MS-102 topic 1 question 32

I don't think it's marked as a trusted location, as it's in a different subnet than the subnets listed as trusted.

Re: MS-102 topic 1 question 32

https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings

Re: MS-102 topic 1 question 32

Y: User is in trusted location from CA policy
Y: User is in trusted location from CA policy
Y: User is in trusted location set by MFA config

MFA per user setting is an old (but still existing) one.
AAD > All Users > Per-User MFA icon > Gray Service setting tab

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#view-the-status-for-a-user

Re: MS-102 topic 1 question 32

Y: User is in trusted location from CA policy
Y: User is in trusted location from CA policy
Y: User is in trusted location set by per-user MFA config. Per-user MFA is an old (but still existing) setting.
I tested this scenario: I put my IP address as a trusted IP in per-user MFA and required MFA in a Conditional Access policy. After testing I am getting the request for the MFA, meaning that the bypass in per-user MFA is not being applied.

Re: MS-102 topic 1 question 32

No it should be YYN.

The trusted IPs configured inside the legacy per-user MFA settings are IPs where MFA is bypassed. Therefore if the user connects from the "Trusted IPs" IP range he won't be prompted for MFA.

Re: MS-102 topic 1 question 32

I believe the given answer is correct. First you need to remove the IP from trusted IPs and add it to a trusted location, otherwise it will bypass the MFA prompt:
https://dirteam.com/sander/2020/07/07/todo-move-from-mfa-trusted-ips-to-conditional-access-named-locations/

Re: MS-102 topic 1 question 32

Trusted locations
Locations such as your organization's public network ranges can be marked as trusted. This marking is used by features in several ways.

Conditional Access policies can include or exclude these locations.
Sign-ins from trusted named locations improve the accuracy of Microsoft Entra ID Protection's risk calculation, lowering a user's sign-in risk when they authenticate from a location marked as trusted.
Locations marked as trusted can't be deleted. Remove the trusted designation before attempting to delete.
Trusted IPs
The trusted IPs feature of Microsoft Entra multifactor authentication also bypasses MFA prompts for users who sign in from a defined IP address range. You can set trusted IP ranges for your on-premises environments. When users are in one of these locations, there's no Microsoft Entra multifactor authentication prompt. The trusted IPs feature requires Microsoft Entra ID P1 edition.

Re: MS-102 topic 1 question 32

The trusted IPs feature of Microsoft Entra multifactor authentication bypasses multifactor authentication prompts for users who sign in from a defined IP address range. You can set trusted IP ranges for your on-premises environments. When users are in one of these locations, there's no Microsoft Entra multifactor authentication prompt. The trusted IPs feature requires Microsoft Entra ID P1 edition.
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings#trusted-ips

Re: MS-102 topic 1 question 32

MFA Enabled vs Enforced
Microsoft Azure Active Directory uses various terms to show the status of multi-factor authentication (MFA) for each user. These user states are shown in the Azure portal and all start out as disabled.

MFA Enabled: The user has been enrolled in MFA but has not completed the registration process. They will be prompted to complete the registration process the next time they sign in.

MFA Enforced: The user has been enrolled and has completed the MFA registration process. Users are automatically switched from enabled to enforced when they register for Azure AD MFA.

MFA Disabled: This is the default state for a new user that has not been enrolled in MFA.

Re: MS-102 topic 1 question 32

I also believe it's Y Y Y:

https://learn.microsoft.com/en-us/entra/identity/conditional-access/location-condition#configure-mfa-trusted-ips

I believe it only skips MFA if you configure "Skip multifactor authentication for requests from federated users on my intranet" as an option for a Conditional Access policy.

Re: MS-102 topic 1 question 32

Given answer is correct

Re: MS-102 topic 1 question 32

It should be YYY because the policy is set to include all trusted locations, not exclude any trusted location. Which means it's YYY.

Re: MS-102 topic 1 question 32

Agree with Y Y N (this is marked as a trusted location so MFA can be skipped).

Re: MS-102 topic 1 question 32

Y
Y
N
Trusted IPs can be set so that they bypass MFA.

Re: MS-102 topic 1 question 32

If the CA policy is scoped to trusted locations then by definition, an untrusted location would get access to App1 fine, whereas all trusted locations would be challenged for MFA.
CA would still prompt for MFA to grant access even if the legacy MFA settings have trusted IPs (unless the Trusted IPs were EXCLUDED from the policy which they are not).
I think this should be Y/Y/Y here on this basis personally.

Re: MS-102 topic 1 question 32

NYN? User1 MFA is disabled. I have seen questions like this on SC-300 and the consensus was that since the user can't use MFA they will be denied and that's different from using MFA to grant access. Roll the dice.

Re: MS-102 topic 1 question 32

Correct me if I'm wrong please! But the question is: must he use it? Not: can he use it?

Re: MS-102 topic 1 question 32

But the question is whether the statement is true. Down to the last point of the first statement... MFA is required. I think answer is still technically yes this is a true statement as policies don't make exceptions for people that are not enrolled in MFA.

Re: MS-102 topic 1 question 32

The Q is about whether User1 MUST use MFA. And the answer is Yes because it's forced by the Conditional Access policy and he / she has to use it. The next topic is about the current MFA user status: that user will be asked to register / activate it since MFA is a requirement. This is the difference.