You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint Online site named Site1 and the users shown in the following table.
The users have the devices shown in the following table.
You create the following two Conditional Access policies:
* Name: CAPolicy1
* Assignments
  o Users or workload identities: Group1
  o Cloud apps or actions: Office 365 SharePoint Online
  o Conditions
    Filter for devices: Exclude filtered devices from the policy
    Rule syntax: device.displayName -startsWith "Device*"
* Access controls
  o Grant: Block access
  o Session: 0 controls selected
* Enable policy: On

* Name: CAPolicy2
* Assignments
  o Users or workload identities: Group2
  o Cloud apps or actions: Office 365 SharePoint Online
  o Conditions: 0 conditions selected
* Access controls
  o Grant: Grant access
    Require multifactor authentication
  o Session: 0 controls selected
* Enable policy: On
All users confirm that they can successfully authenticate using MFA.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Recent Comments (The most recent comments are at the top.)
Device1 is not Azure AD joined and its name starts with “Device”, so it’s affected by CAPolicy1 which blocks access for Group1 members.
So, User1 cannot access Site1 from Device1. The answer is No.
Device2 is Azure AD joined and its name starts with “Device”, so it’s affected by CAPolicy1. However, User2 is not a member of Group1, so CAPolicy1 doesn’t apply.
User2 is a member of Group2, and CAPolicy2 applies to Group2. CAPolicy2 grants access with MFA, and User2 can successfully authenticate using MFA.
So, User2 can access Site1 from Device2. The answer is Yes.
Device3 is Azure AD registered and its name starts with “Device”, so it’s affected by CAPolicy1 which blocks access for Group1 members.
However, User3 is also a member of Group2, and CAPolicy2 applies to Group2. CAPolicy2 grants access with MFA, and User3 can successfully authenticate using MFA.
So, User3 can access Site1 from Device3. The answer is Yes.