MS-102 - Microsoft 365 Administrator Expert Implementing Conditional Access Policies Questions and Answers

Question 1

An organization wants to enforce multifactor authentication (MFA) for all users accessing Microsoft 365 services, but they want to bypass this requirement when users are connected to the corporate office network. The public IP addresses of the corporate office have been configured in a named location called 'CorpNet'. How should the Conditional Access policy be configured to meet this requirement?

Accepted Answer

Create one policy targeting 'All users', with the Locations condition including 'Any location' and excluding 'CorpNet', and the Grant control set to 'Require multifactor authentication'.

Answer

The correct approach is to create a single policy that targets all users and all locations but specifically excludes the trusted 'CorpNet' named location. The Grant control then enforces MFA for all sign-ins that do not originate from the excluded location, effectively bypassing MFA only when users are on the corporate network.

Question 2

A company is implementing a policy for unmanaged personal devices (BYOD). The goal is to allow browser-based access to SharePoint Online but prevent users from downloading sensitive files to these non-compliant devices. Which of the following Conditional Access controls is specifically designed to achieve this granular, in-session control?

Accepted Answer

Use Conditional Access App Control

Answer

Use Conditional Access App Control, which integrates with Microsoft Defender for Cloud Apps, acts as a reverse proxy to monitor and control user sessions in real-time. This allows for granular policies like blocking downloads, which is more advanced than the limited controls offered by app enforced restrictions.

Question 3

An administrator is designing a Conditional Access policy to automatically respond when Microsoft Entra ID Protection flags a user with a 'High' user risk level. The desired outcome is to allow the user to self-remediate the risk and regain access securely. Which Grant control is the most appropriate for this policy?

Accepted Answer

Require password change

Answer

When user risk is high, a common cause is compromised credentials. The 'Require password change' Grant control is the most effective self-remediation action. It forces the user to prove their identity (often with MFA) and then create a new, secure password, which invalidates the compromised credential and remediates the risk.

Question 4

You are preparing to deploy a new Conditional Access policy that will require all administrators to sign in from a compliant device. Before enforcing the policy, you need to evaluate its potential impact on all administrator sign-ins over a one-week period without blocking anyone. What is the recommended state for the policy during this evaluation phase?

Accepted Answer

Report-only

Answer

Report-only mode is a policy state specifically designed for testing and evaluation. When a policy is in Report-only mode, it evaluates sign-ins against its conditions and logs the outcome (Success, Failure, etc.) as if it were enforced, but it does not actually block or prompt the user. This allows administrators to assess the impact safely.

Question 5

An administrator needs to simulate the effect of several Conditional Access policies on a specific user's sign-in attempt from an unmanaged device in a specific country. The goal is to troubleshoot why the user might be getting blocked without actually performing the sign-in. Which tool within Microsoft Entra should be used for this purpose?

Accepted Answer

What If

Answer

The What If tool in Conditional Access is designed for this exact scenario. It allows administrators to simulate a sign-in by specifying a user, application, and various conditions (like IP address, device state, etc.) and see which policies would apply and what the outcome would be, without affecting any real users.

(MS-102) Microsoft 365 Administrator Expert Practice Test

(MS-102) Microsoft 365 Administrator Expert Practice Test

MS-102 - Microsoft 365 Administrator Expert Implementing Conditional Access Policies Questions and Answers