HOTSPOT You have a Microsoft 365 E5 subscription that contains the users shown in the following table. 
You configure the Microsoft Authenticator authentication method policy to enable passwordless authentication as shown in the following exhibit. Both User1 and User2 report that they are NOT prompted for passwordless sign-in in the Microsoft Authenticator app. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. 
YES, NO, NO
User1 is covered since they're in Group1 and the policy is assigned there. User2 is a common trap-just registering the app isn't enough if their group isn't included in the policy scope. User3 can't use passwordless at all without registering Authenticator. Think YES for User1 only applies once they enable phone sign-in though. Anyone see it differently?
YES, NO, NO. User1 is in the right group and just needs to enable phone sign-in. User2's group isn’t included in the policy so won’t get prompts. User3 hasn't registered the Authenticator app at all. That’s how I’d map it, but open if anyone sees it different.
Pretty sure User2 would be prompted as long as they enable phone sign-in and have the app registered, regardless of group policy. Seen similar setup on a practice set. Correct me if I'm off.
I actually think User2 could get the prompt once they enable phone sign-in, even if their group isn't listed in the policy, because sometimes the app registration is enough. Might be a trap with how the policy gets applied though. Let me know if this looks off.
