Understand how cross-tenant access and external collaboration settings in Microsoft Entra affect guest user access to cloud apps and user properties between tenants. Learn the role of compliant devices and trust settings.
Question
You have a Microsoft Entra tenant named contoso.com.
You collaborate with a partner organization that has a Microsoft Entra tenant named fabrikam.com. Fabrikam.com has multi-factor authentication (MFA) enabled for all users.
Contoso.com has the Cross-tenant access settings configured as shown in the Cross-tenant access settings exhibit. (Click the Cross-tenant access settings tab.)
Contoso.com has the External collaboration settings configured as shown in the External collaboration settings exhibit. (Click the External collaboration settings tab.)
You create a Conditional Access policy that has the following settings:
- Name: CAPolicy1
- Assignments
  - Guest or external users: B2B collaboration guest users
  - Target resources - Include: All cloud apps
- Access controls
  - Grant access
    - Require device to be marked as compliant
    - Require multi-factor authentication
- Enable policy: On
For each of the following statements, select Yes if the statement is true, otherwise select No.
NOTE: Each correct selection is worth one point.
- Users with devices that have a compliant device from fabrikam.com will be granted access to the cloud apps in contoso.com.
- To minimize the number of MFA authentication prompts for the users in fabrikam.com, you must configure the Trust settings.
- Users with devices that have a compliant device claim from fabrikam.com can review the user properties of the users in contoso.com.
Answer
Users with devices that have a compliant device from fabrikam.com will be granted access to the cloud apps in contoso.com: No
To minimize the number of MFA authentication prompts for the users in fabrikam.com, you must configure the Trust settings: Yes
Users with devices that have a compliant device claim from fabrikam.com can review the user properties of the users in contoso.com: Yes
Explanation
Based on the provided cross-tenant access and external collaboration settings:
- Users with devices that have a compliant device from fabrikam.com will NOT be granted access to the cloud apps in contoso.com. The Conditional Access policy CAPolicy1 requires both a compliant device AND multi-factor authentication (MFA) for B2B guest users to access cloud apps. While fabrikam.com has MFA enabled for all users, there is no indication that the devices from fabrikam.com are marked as compliant in contoso.com.
- To minimize the number of MFA authentication prompts for users in fabrikam.com, you MUST configure the Trust settings in contoso.com. By enabling trust settings, contoso.com can honor the MFA claims from fabrikam.com, reducing the need for fabrikam.com users to re-authenticate with MFA when accessing resources in contoso.com.
- Users with devices that have a compliant device claim from fabrikam.com CAN review the user properties of users in contoso.com. The external collaboration settings allow “B2B direct connect” for external users and groups, granting them access to review user properties and membership of directory objects in contoso.com.
In summary, while guest users from fabrikam.com can access certain directory information in contoso.com, they will not have access to cloud apps unless their devices are marked as compliant in contoso.com and they pass MFA, per the Conditional Access policy. Configuring trust settings can help minimize repeated MFA prompts for fabrikam.com users.
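The reasoning above can be checked with a small model of how inbound trust settings interact with CAPolicy1. This is an added example, not part of the original question or Microsoft's code. The keys `inboundTrust`, `isMfaAccepted` and `isCompliantDeviceAccepted` are the Microsoft Graph cross-tenant access policy property names; the JSON values are constructed, and the fallback to the default policy and the evaluation logic are simplified assumptions, since the exhibits are not reproduced here.

```python
import json
from dataclasses import dataclass

# Constructed samples shaped like Graph cross-tenant access policy objects.
# contoso.com is the resource tenant; the partner entries stand for fabrikam.com.
DEFAULT_POLICY = json.loads(
    '{"inboundTrust": {"isMfaAccepted": false, "isCompliantDeviceAccepted": false}}')
PARTNER_UNSET = json.loads('{"inboundTrust": null}')
PARTNER_MFA_ONLY = json.loads(
    '{"inboundTrust": {"isMfaAccepted": true, "isCompliantDeviceAccepted": false}}')
PARTNER_TRUSTED = json.loads(
    '{"inboundTrust": {"isMfaAccepted": true, "isCompliantDeviceAccepted": true}}')


@dataclass(frozen=True)
class Outcome:
    granted: bool              # both CAPolicy1 grant controls can be satisfied
    resource_mfa_prompt: bool  # contoso.com has to prompt for MFA itself


def effective_trust(default, partner):
    """Partner inboundTrust wins; a null value falls back to the default policy."""
    return partner.get("inboundTrust") or default["inboundTrust"]


def evaluate_capolicy1(trust, home_mfa_claim, home_compliant_claim):
    """Simplified model of CAPolicy1 (compliant device AND MFA) for a B2B guest."""
    # A guest device is managed by its home tenant, so the device control is
    # met only when the home tenant's compliance claim is trusted inbound.
    device_ok = trust["isCompliantDeviceAccepted"] and home_compliant_claim
    # A trusted home-tenant MFA claim satisfies the MFA control silently;
    # otherwise the resource tenant challenges the guest (assumed to succeed).
    mfa_from_home = trust["isMfaAccepted"] and home_mfa_claim
    return Outcome(granted=bool(device_ok), resource_mfa_prompt=not mfa_from_home)


def scenario(partner):
    """Fabrikam user who completed MFA at home on a device compliant at home."""
    trust = effective_trust(DEFAULT_POLICY, partner)
    return evaluate_capolicy1(trust, home_mfa_claim=True, home_compliant_claim=True)


if __name__ == "__main__":
    for name, partner in [("no trust configured", PARTNER_UNSET),
                          ("MFA trust only", PARTNER_MFA_ONLY),
                          ("MFA and device trust", PARTNER_TRUSTED)]:
        print(f"{name}: {scenario(partner)}")
```
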
Microsoft AZ-500 certification exam practice question and answer (Q&A), including multiple-choice questions (MCQ) and objective-type questions, with detailed explanations and references, available free to help you pass the Microsoft AZ-500 exam and earn the Microsoft AZ-500 certification.