AZ-140: Can Users Sign In to Azure Virtual Desktop with Number Matching MFA?

Learn which users can sign in to Azure Virtual Desktop using number matching multi-factor authentication based on group membership and conditional access policies.

Question

You have an Azure Virtual Desktop deployment.

You have a Microsoft Entra tenant that contains the users shown in the following table.

Name     Member of
User1    Group1
User2    Group2
User3    Group1, Group2

The users have smart devices that have the Microsoft Authenticator app installed.

You create a Conditional Access policy that has the following settings:

  • Name: CAPolicy1
  • Assignments
    • Users or workload identities: Group1
    • Target resources: All cloud apps
  • Access controls
    • Grant access: Require multi-factor authentication
  • Enable policy: On

You configure the Microsoft Authenticator settings as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

  • User1 can sign in to the deployment by using number matching.
  • User2 can sign in to the deployment by using number matching.
  • User3 can sign in to the deployment by using number matching.

Answer

User1 can sign in to the deployment by using number matching: Yes

User2 can sign in to the deployment by using number matching: No

User3 can sign in to the deployment by using number matching: Yes

Explanation

The conditional access policy CAPolicy1 requires multi-factor authentication (MFA) for users in Group1 when accessing any cloud app, including Azure Virtual Desktop.

The Microsoft Authenticator settings show that “Push” is enabled for Group1 while “Passwordless” (which includes number matching) is enabled for Group2.

Therefore:

User1 is a member of Group1 only. They are subject to the conditional access policy requiring MFA and can use the “Push” authentication mode in Microsoft Authenticator to sign in. Authenticator push approvals use number matching, so yes, User1 can sign in using number matching.

User2 is a member of Group2 only. The conditional access policy does not apply to them. Although the “Passwordless” authentication mode allowing number matching is enabled for Group2, the MFA policy does not apply to User2, so no, User2 cannot sign in using number matching.

User3 is a member of both Group1 and Group2. The conditional access policy applies to them via Group1 membership, requiring MFA to sign in, and they can use number matching since “Passwordless” is enabled for Group2. So yes, User3 can sign in using number matching.

In summary, group membership determines which users are subject to the conditional access MFA requirement, while the Microsoft Authenticator configuration controls the available authentication modes like Push notifications or Passwordless options such as number matching. The combination of these settings ultimately governs each user’s sign-in experience.
