Free Actual MS-102 Actual Exam Questions – Microsoft 365 Administrator - Question 6 Discussion
HOTSPOT You have a Microsoft 365 E5 subscription. You need to create a Conditional Access policy that will require the use of FID02 security keys only when users join their Windows devices to Microsoft Entra ID. How should you configure the policy? To answer, select the appropriate options in the answer area. NOTE Each correct selection is worth one point. 
Option B for cloud apps, and require FIDO2 in grant controls.
I noticed that under "Cloud apps or actions," there’s an option called "Device registration" which seems to cover device join scenarios. If we pick that, it should target the join process specifically. Then for "Grant," choosing "Require multi-factor authentication" combined with "Require authentication strength" set to FIDO2 should enforce using FIDO2 keys only. Also, make sure the policy targets Windows devices under "Conditions > Device platforms" so it doesn’t apply to other OSes. This approach narrows down the policy exactly to Windows device join with FIDO2 keys.
Selecting MFA for ‘Grant controls’ restricts it to FIDO2 when combined with the right conditions.
Is there a way to specify FIDO2 keys only for device join in the policy settings?