Exam AZ-104 topic 1 question 2 discussion

B is correct, 1- the best way to enforce MFA is by Conditional Access 2- the device has to be identified by azure AD as A AD joined Device. 3- the trusted ip must be configured.

No, the solution does not meet the goal. To implement the required conditional access policy, the following steps should be taken: Create a new Conditional Access policy in Azure AD portal. Set the policy to require Multi-Factor Authentication and Azure AD device registration. In the policy's "Users and Groups" section, specify the Global Administrators group as the target. In the policy's "Conditions" section, specify the locations that are considered untrusted. Save the policy. Simply accessing the multi-factor authentication page and altering user settings does not provide a comprehensive solution to meet the stated goal.

La solution proposé ne permet pas d'implementer MFA et AAD (Entra ID) conditional access

Answer: B. No The requirement is to enforce Conditional Access rules that combine: 1. MFA (Multi-Factor Authentication) 2. Device compliance (Azure AD-joined device) 3.Location-based access (trusted vs. untrusted locations). Simply going to the Multi-Factor Authentication page and altering user settings will only enable or enforce MFA on the user account, it does not enforce device requirements, it does not apply location-based rules. To meet the requirement, you must configure a Conditional Access policy in Azure AD. That’s where you can specify conditions like "Require MFA" + "Require Hybrid Azure AD-joined or compliant device" + "Apply only to Global Administrators group" + "Exclude trusted locations." So, altering only the MFA settings does not achieve the goal.

No, because, it is not a good solution when we use multi factoer to alter user, but we must use AD.

B is correct

This is done using conditional access

fails to enforce MFA and Azure AD-joined device requirements for Global Admins in untrusted locations. Thus, it does not meet the goal

No, the solution does not meet the goal.

Below are the possible options for this scenario. Consolidating here for easy read of subscribers. Solution: You access the multi-factor authentication page to alter the user settings. - No Solution: You access the Azure portal to alter the session control of the Azure AD conditional access policy. - No Solution: You access the Azure portal to alter the grant control of the Azure AD conditional access policy. - Yes

Below are the options for this question. Commenting here for easy read. Solution: You access the multi-factor authentication page to alter the user settings. - No Solution: You access the Azure portal to alter the session control of the Azure AD conditional access policy. - No Solution: You access the Azure portal to alter the grant control of the Azure AD conditional access policy. - Yes

Correctly requires configuration in the “Grant (Access Control)” section

B is the answer

Policy should be configured at group level not at user level

Il faut configurer l'accès conditionnel en ajoutant MFA

Condition access policies aren't confugured on the multi-factor authentication MFA page, to achieve the desired results you'd need to create the conditional access policy in Azure AD specifying access, conditions, access controls.

You can understand the answer here: https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-azure-mfa?toc=%2Fentra%2Fidentity%2Fconditional-access%2Ftoc.json&bc=%2Fentra%2Fidentity%2Fconditional-access%2Fbreadcrumb%2Ftoc.json