An organization has Microsoft Entra ID P2 licenses and wants to configure a Conditional Access policy to restrict access to Microsoft 365 services. Which of the following can be used as conditions in the policy? (Choose two that apply)
Trap 1: Authentication strength
Authentication strength is a grant control that specifies which authentication methods are required (e.g., phishing-resistant MFA), not a condition.
Trap 2: Application ID
Application ID is used to target specific cloud apps in the policy assignment, not as a condition.
- A
Device platform
Device platform is a standard condition in Conditional Access that allows policies to be scoped based on the user's device operating system.
- B
User risk
User risk is a condition available when Identity Protection is enabled; it evaluates the risk level associated with the user account (e.g., leaked credentials).
- C
Authentication strength
Why wrong: Authentication strength is a grant control that specifies which authentication methods are required (e.g., phishing-resistant MFA), not a condition.
- D
Application ID
Why wrong: Application ID is used to target specific cloud apps in the policy assignment, not as a condition.