A company uses Microsoft Entra ID P2 licenses. The security team wants to require multi-factor authentication (MFA) for all users when accessing any cloud application from networks that are not trusted corporate locations. A group named 'BreakGlass' must be excluded from MFA requirements. Additionally, the company wants to block legacy authentication protocols. Which approach should the administrator use?
Correct. Separate policies allow independent management and clear condition targeting.
Why this answer
Option A is correct because it separates the MFA requirement and legacy authentication block into two distinct Conditional Access policies, which is the recommended approach for granular control. The MFA policy targets all users except the BreakGlass group and uses the location condition to require MFA only from untrusted networks. The second policy blocks legacy authentication by targeting all users with the client apps condition set to 'Exchange ActiveSync clients' and 'Other clients', effectively preventing protocols like POP3, IMAP, and SMTP from bypassing modern authentication.
Exam trap
The trap here is that candidates often assume a single Conditional Access policy can combine a block control with a grant control. Microsoft's policy engine evaluates all conditions and controls together, and a block control overrides any grant control, so it is not possible to require MFA and block legacy clients in the same policy without unintended consequences.
How to eliminate wrong answers
Option B is wrong because combining the MFA grant control and the block legacy client apps control in a single policy would cause the policy to evaluate both conditions simultaneously: if a user accesses from a trusted location but uses a legacy client, the policy would still block access, yet the MFA requirement would not apply as expected, leading to inconsistent behavior. Option C is wrong because Security defaults enforce MFA for all users, including the BreakGlass group, and do not allow exclusion of specific groups or granular location-based conditions; they also block legacy authentication but lack the flexibility to exclude break-glass accounts. Option D is wrong because baseline Conditional Access policies are deprecated and do not support excluding a BreakGlass group or the precise location-based MFA requirement; they are rigid and cannot be customized to meet the stated requirements.
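As an added illustration of the two-policy design in Option A and of the block-wins rule behind the exam trap (a constructed example, not code from the original page or from Microsoft): the two policies are written in the shape of a Microsoft Graph conditionalAccessPolicy body, the BreakGlass group object id is a placeholder, and the evaluator is a simplified model of how Entra combines matching policies, not the real engine.

```python
# Constructed example: Option A's two Conditional Access policies in the shape of a
# Microsoft Graph conditionalAccessPolicy body, plus a small evaluator that mimics
# the rule that a block control wins over any grant control.
BREAKGLASS_GROUP_ID = "PLACEHOLDER-BREAKGLASS-GROUP-OBJECT-ID"  # placeholder, not a real id

MFA_UNTRUSTED = {
    "displayName": "Require MFA from untrusted networks",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": [BREAKGLASS_GROUP_ID]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

BLOCK_LEGACY = {
    "displayName": "Block legacy authentication",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["exchangeActiveSync", "other"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

def applies(policy, signin):
    """True if the policy's user, location and client-app conditions match the sign-in."""
    c = policy["conditions"]
    excluded = c["users"].get("excludeGroups", [])
    if any(g in excluded for g in signin["groups"]):
        return False                      # excluded group never hits the policy
    loc = c.get("locations", {})
    if signin["trusted_location"] and "AllTrusted" in loc.get("excludeLocations", []):
        return False                      # trusted corporate network is carved out
    apps = c["clientAppTypes"]
    return "all" in apps or signin["client_app"] in apps

def evaluate(policies, signin):
    """Union the controls of every matching enabled policy; block beats any grant."""
    controls = set()
    for p in policies:
        if p["state"] == "enabled" and applies(p, signin):
            controls.update(p["grantControls"]["builtInControls"])
    if "block" in controls:
        return "block"
    return "require:" + ",".join(sorted(controls)) if controls else "allow"
```

A sign-in is modelled as a dict of group object ids, a trusted-location flag and a Graph clientAppTypes value; a legacy client is blocked whatever else matched, while a BreakGlass member from an untrusted network is simply allowed.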