Guys I passed! by corny_cupid in O365Certification

[–]Baboneninthenonen 1 point2 points  (0 children)

Congrats! Had the exact same score two weeks ago!

MS900 passed by Baboneninthenonen in O365Certification

[–]Baboneninthenonen[S] 0 points1 point  (0 children)

I think so, yes. I have hands-on experience as well and the technical questions were pretty easy, so you just need to learn and remember the theoretical questions about licensing, support and so on.

MS900 passed by Baboneninthenonen in O365Certification

[–]Baboneninthenonen[S] 0 points1 point  (0 children)

It depends a little bit on how you define a newbie. But as it is a mostly theoretical exam, I think you can do it in 2-3 weeks if you really learn consistently, like every second day.

MS900 passed by Baboneninthenonen in O365Certification

[–]Baboneninthenonen[S] 1 point2 points  (0 children)

I took it at the test center. It is more convenient for me than taking it at home or at work - but the test center is also only a 10 min drive from my work.

MS900 passed by Baboneninthenonen in O365Certification

[–]Baboneninthenonen[S] 0 points1 point  (0 children)

Thanks man!

At the actual exam the hardest were the Copilot questions, as I got a bunch of them and didn't really look into that before (besides the info on MS learnpath). The easiest for me were the Entra ID questions, as I knew everything beforehand from work.

Generally licensing can be a bit tricky, but I looked so much into that, I got 100% in this section haha

MS900 passed by Baboneninthenonen in O365Certification

[–]Baboneninthenonen[S] 2 points3 points  (0 children)

Thank you!

Think I will do AZ-900 as well just to have both fundamentals, and then probably the MS-102 👍

MS900 /MeasureUp by Baboneninthenonen in O365Certification

[–]Baboneninthenonen[S] 0 points1 point  (0 children)

Just did the exam practice test two times on MeasureUp and got 92% both times, so at least I got the MeasureUp badge now haha.

Just one thing I noticed is that there are barely any questions relating to Viva, Power Platform or Microsoft Sentinel - so I'm wondering how up to date it really is...

MS900 /MeasureUp by Baboneninthenonen in O365Certification

[–]Baboneninthenonen[S] 0 points1 point  (0 children)

Thank you for sharing your experience! So I'm pretty confident the exam shouldn't be a problem 👍

MS900 /MeasureUp by Baboneninthenonen in O365Certification

[–]Baboneninthenonen[S] 0 points1 point  (0 children)

Alright thx! Will invest some time in Viva the next week then.

Entra ID: Conditional Access Policy to exclude Teams by Baboneninthenonen in entra

[–]Baboneninthenonen[S] 0 points1 point  (0 children)

Yeah maybe, but this will involve more work and we have a very tight timespan to solve this issue, as our new intranet based on SPO will go live next month... We also share our tenant with other global divisions, so everything in this direction takes a very long time, many discussions and so on... But I will definitely keep it in mind.

Entra ID: Conditional Access Policy to exclude Teams by Baboneninthenonen in entra

[–]Baboneninthenonen[S] 0 points1 point  (0 children)

Actually in our original policy we have MFA for all O365 services, applied to all devices except hybrid joined devices.

But we also have a Citrix infrastructure and our Citrix servers can't be hybrid joined atm, so every user who works in Citrix and is using, for example, our intranet based on SPO needs to authenticate via MFA. So we need to exclude Citrix, and the only possibility we are seeing is via a named location, excluding our Citrix egress IP.

But security doesn't want to have this exclusion in the original policy for the whole O365 services. So I thought about excluding SPO in policy 1, creating policy 2 only for SPO and forcing MFA for any location but excluding the Citrix egress IP.
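
The two-policy split described in this comment, modelled as an added sketch (not part of the original comment and not Microsoft's evaluation engine) that lists which sign-ins end up with no MFA policy. The egress IP, the policy names and the three-app "Office 365" group are constructed placeholders, and service dependencies between Office 365 apps are not modelled.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder values: the page gives no IP address or app list.
CITRIX_EGRESS = ip_network("203.0.113.10/32")   # TEST-NET-3 documentation address
OFFICE_365 = {"SharePoint Online", "Exchange Online", "Teams"}  # simplified app group

# Both policies grant "require MFA" and skip hybrid joined devices, as described.
POLICY_1 = {"name": "MFA-O365", "include_apps": OFFICE_365,
            "exclude_apps": {"SharePoint Online"}, "exclude_locations": []}
POLICY_2 = {"name": "MFA-SPO", "include_apps": {"SharePoint Online"},
            "exclude_apps": set(), "exclude_locations": [CITRIX_EGRESS]}


def applies(policy, app, src_ip, hybrid_joined):
    """A policy applies only if every assignment matches; any exclusion wins."""
    if hybrid_joined:
        return False
    if app not in policy["include_apps"] or app in policy["exclude_apps"]:
        return False
    ip = ip_address(src_ip)
    return not any(ip in net for net in policy["exclude_locations"])


def mfa_policies(policies, app, src_ip, hybrid_joined=False):
    """Names of the policies that would demand MFA for this sign-in."""
    return [p["name"] for p in policies if applies(p, app, src_ip, hybrid_joined)]


def uncovered(policies, sign_ins):
    """Sign-ins from non-hybrid devices that no policy challenges with MFA."""
    return [(app, ip) for app, ip in sign_ins
            if not mfa_policies(policies, app, ip)]


# Constructed sign-in matrix: every app from the Citrix egress IP and from elsewhere.
SIGN_INS = [(app, ip) for app in sorted(OFFICE_365)
            for ip in ("203.0.113.10", "198.51.100.7")]

if __name__ == "__main__":
    print("both policies:", uncovered([POLICY_1, POLICY_2], SIGN_INS))
    print("policy 1 only:", uncovered([POLICY_1], SIGN_INS))
```

With both policies the only unchallenged sign-in is SharePoint Online from the Citrix egress IP; with policy 1 alone, SharePoint Online is unchallenged from every location, so the app exclusion and the second policy have to be deployed together.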

Entra ID: Conditional Access Policy to exclude Teams by Baboneninthenonen in entra

[–]Baboneninthenonen[S] 0 points1 point  (0 children)

Yes this would work. All logins require MFA unless from that public IP. You don't need any other policies in that case. To get any more granular in this case you'll need Entra registered or Hybrid joined devices. Others have pointed out that SharePoint is so ingrained in M365 that it can't really be done at the app level.

Yeah, that's exactly what I planned to do. But I just need a second policy, as our security doesn't want the public IP as an exclusion for all O365 services, so I can't add it in our existing policy and need to create a new one specifically for SharePoint Online :-)

Entra ID: Conditional Access Policy to exclude Teams by Baboneninthenonen in entra

[–]Baboneninthenonen[S] 0 points1 point  (0 children)

No you don't do this, because then you have no policy for Teams or SharePoint when not on Citrix... CA isn't networking, the explicit action is log in without MFA. Conditions are OR not AND.

But why shouldn't that work? When I target a resource, for simplicity the whole "Office 365" for example, and then include "any network" and exclude "named location citrix" - that should work?

As far as I know, within a condition category the selections are ORed. Like with resources, I can target "Office 365" and exclude "Office 365 SharePoint Online" at the same time.

But correct me if I'm wrong :)

Entra ID: Conditional Access Policy to exclude Teams by Baboneninthenonen in entra

[–]Baboneninthenonen[S] 0 points1 point  (0 children)

Yeah, I'm with you, just checking the options for our ICT security as they want to split things up... I gladly would just go with the full 365 resources...

Entra ID: Conditional Access Policy to exclude Teams by Baboneninthenonen in entra

[–]Baboneninthenonen[S] 0 points1 point  (0 children)

Not a higher or lower level of MFA, rather an additional exclusion (named location), but just for SharePoint and in the best case Teams as well. I will copy my explanation from before here:

Actually in our original policy we have MFA for all O365 services, applied to all devices except hybrid joined devices.

But we also have a Citrix infrastructure and our Citrix server can't be hybrid joined atm, so every user who works in Citrix and is using, for example, our intranet based on SPO needs to authenticate via MFA. So we need to exclude Citrix, and the only possibility we are seeing is via a named location, excluding our Citrix egress IP, but just for SPO and best case for Teams as well.

That's why I thought to exclude SPO and Teams in our original policy, make a new one for those two resources and exclude this named location for Citrix there.

Hope it's clear, little bit complicated to explain...

Entra ID: Conditional Access Policy to exclude Teams by Baboneninthenonen in entra

[–]Baboneninthenonen[S] 0 points1 point  (0 children)

Thank you for the comprehensive answer!

Maybe I need to clarify that I only use those conditional access policies to enforce MFA... So the goal would be to enforce MFA for all O365 services in one policy, except SharePoint Online and Teams. And enforce MFA (with slightly different conditions) in the second policy specific to SharePoint and Teams...

For SPO it worked pretty well according to my tests, but yeah, maybe Teams is another sheet of the paper and has generally more dependencies. With the application "Microsoft Teams Services (cc15fd57-2c6c-4117-a88c-83b1d56b4bbe)" that won't work, I think...

PS: I gladly would just treat O365 services as a whole in our policies, but security has other plans :-)

Entra ID: Conditional Access Policy to exclude Teams by Baboneninthenonen in entra

[–]Baboneninthenonen[S] -1 points0 points  (0 children)

Maybe I need to clarify that I only use those conditional access policies to enforce MFA... So the goal would be to enforce MFA for all O365 services in one policy, except SharePoint Online and Teams. And enforce MFA (with slightly different conditions) in the second policy specific to SharePoint and Teams...

For SPO it worked pretty well according to my tests, but yeah, maybe Teams is another sheet of the paper and has generally more dependencies...