A company uses Microsoft Entra ID and wants to enforce multifactor authentication (MFA) for all users accessing a sensitive customer relationship management (CRM) application, but only when the access request originates from outside the corporate network. Which component of a Conditional Access policy should the administrator configure to specify this location-based requirement?
Conditions include sign-in risk, device platforms, locations, client apps, and other context. The location condition is used to target access based on network location.
Why this answer
The 'Conditions' section of a Conditional Access policy allows administrators to define the circumstances under which the policy is applied, including the location from which an access request originates. By configuring a location condition with named locations or IP ranges, you can specify that MFA is enforced only when users access the CRM application from outside the corporate network. This is the correct component to enforce the location-based requirement.
Exam trap
The trap here is that candidates often confuse 'Assignments' (who/what) with 'Conditions' (when/where). They mistakenly select Assignments because they think location is part of the user or app assignment, whereas Conditions specifically handle environmental factors like location, device state, and risk.
How to eliminate wrong answers
Option A is wrong because 'Assignments' define which users, groups, or applications the policy applies to, not the conditions under which it is triggered. Option C is wrong because 'Grant controls' specify what actions to take (e.g., require MFA, require compliant device) after the policy conditions are met, not the location condition itself. Option D is wrong because 'Session controls' manage session-level behaviors like app-enforced restrictions or sign-in frequency, not the location-based trigger for MFA enforcement.