Refer to the exhibit. A Conditional Access policy is configured to block legacy authentication for Office 365. However, users are still able to access Exchange Online using Outlook (modern authentication). What is the most likely reason?
Modern authentication is not classified as 'other'.
Why this answer
The Conditional Access policy is configured to block legacy authentication, which targets protocols like POP3, IMAP, SMTP, and Exchange ActiveSync that do not support modern authentication. Modern authentication (used by Outlook with OAuth 2.0) is not affected by this policy, so users can still access Exchange Online via Outlook. The policy explicitly allows modern authentication flows, making option A correct.
Exam trap
The trap here is that candidates assume 'block legacy authentication' means blocking all older clients, but it specifically targets authentication protocols, not client applications, so modern authentication clients like Outlook (with OAuth) are still allowed.
How to eliminate wrong answers
Option B is wrong because the policy is scoped to Office 365 cloud apps, which includes Exchange Online by default. Option C is wrong because the question does not indicate any user exclusion; even if it applied to all users, the policy would still not block modern authentication. Option D is wrong because if the policy were not enabled, it would not block any authentication at all, but the question states the policy is configured and users are still accessing via modern authentication, implying the policy is active but not blocking the intended traffic.