Learn how a Conditional Access policy affects user access to SharePoint Online sites based on group membership and device configuration in this MS-102 certification exam question.
Question
You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint Online site named Site1 and the users shown in the following table.
Name | Member of | Device |
---|---|---|
User1 | Group1 | Device1 |
User2 | Group2 | Device2, Device3 |
The devices are configured as shown in the following table.
Name | Platform | Azure AD join type |
---|---|---|
Device1 | Windows 11 | None |
Device2 | Windows 10 | Joined |
Device3 | Android | Registered |
You have a Conditional Access policy named CAPolicy1 that has the following settings:
Assignments:
- Users or workload identities: Group1
- Cloud apps or actions: Office 365 SharePoint Online
Conditions:
- Filter for devices: Exclude filtered devices from the policy
- Rule syntax: device.displayName -startsWith "Device"
Access controls:
- Grant: Block access
- Session: 0 controls selected
Enable policy: On
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
- User1 can access Site1 from Device1.
- User2 can access Site1 from Device2.
- User2 can access Site1 from Device3.
Answer
- User1 can access Site1 from Device1: No
- User2 can access Site1 from Device2: Yes
- User2 can access Site1 from Device3: Yes
Explanation
User1 cannot access Site1 from Device1 because:
- User1 is a member of Group1, which is included in the Conditional Access policy (CAPolicy1).
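- Device1 is a Windows 11 device that is not Azure AD joined (join type None). Its name starts with “Device”, but because the device has no Azure AD device object, the filter has no device attributes to evaluate.
- CAPolicy1 excludes devices whose display name starts with “Device”. That exclusion does not match Device1, so the policy stays in scope and its Block access grant applies to User1 as a member of Group1.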
User2 can access Site1 from Device2 because:
- User2 is not a member of Group1 (which is targeted by CAPolicy1). Device2 is an Azure AD joined Windows 10 device.
- CAPolicy1 only applies to users in Group1, so User2 is not affected by the policy when accessing Site1 from Device2.
User2 can access Site1 from Device3 because:
- Device3 is an Android device that is registered with Azure AD, but not Azure AD joined.
- CAPolicy1 only applies to users in Group1, and User2 is not a member of that group.
- Therefore, User2 can access Site1 from Device3 without being blocked by the Conditional Access policy.
In summary, the Conditional Access policy (CAPolicy1) blocks only User1 when accessing SharePoint Online (Site1) from Device1, because that sign-in matches the policy’s conditions. User2 can access Site1 from both Device2 and Device3 because User2 is not a member of Group1, the group the policy targets.
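The evaluation walked through above, modelled as a small Python sketch (an added example, not part of the original question and not Microsoft's implementation). It assumes the documented device-filter behaviour that a positive operator such as -startsWith cannot match a device with no Azure AD device object, and it also covers include mode, which the question does not use; all class and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    name: str
    join_type: str  # "None", "Joined" or "Registered", as in the question's table

@dataclass(frozen=True)
class Policy:
    target_group: str
    filter_mode: str   # "include" or "exclude"
    name_prefix: str   # operand of device.displayName -startsWith
    grant: str = "block"

def filter_matches(policy, device):
    """Assumption: a positive operator only matches a device that has an
    Azure AD device object; an unregistered device exposes no attributes."""
    if device.join_type == "None":
        return False
    return device.name.startswith(policy.name_prefix)  # simplified prefix check

def policy_applies(policy, groups, device):
    if policy.target_group not in groups:
        return False  # user is outside the policy assignment
    matched = filter_matches(policy, device)
    # exclude mode: matched devices leave scope; include mode: only they are in scope
    return not matched if policy.filter_mode == "exclude" else matched

def can_access(policy, groups, device):
    return not (policy_applies(policy, groups, device) and policy.grant == "block")

# Data constructed from the question's tables
CAPOLICY1 = Policy(target_group="Group1", filter_mode="exclude", name_prefix="Device")
USERS = {"User1": {"Group1"}, "User2": {"Group2"}}
DEVICES = {d.name: d for d in (Device("Device1", "None"),
                               Device("Device2", "Joined"),
                               Device("Device3", "Registered"))}

def evaluate(user, device_name):
    return can_access(CAPOLICY1, USERS[user], DEVICES[device_name])

if __name__ == "__main__":
    for user, dev in (("User1", "Device1"), ("User2", "Device2"), ("User2", "Device3")):
        print(f"{user} from {dev}: {'Yes' if evaluate(user, dev) else 'No'}")
```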