Exam AZ-300 topic 16 question 3 discussion

Actual exam question from Microsoft's AZ-300
Question #: 3
Topic #: 16

Your company has an Azure subscription.
You enable multi-factor authentication (MFA) for all users.
The company's help desk reports an increase in calls from users who receive MFA requests while they work from the company's main office.
You need to prevent the users from receiving MFA requests when they sign in from the main office.
What should you do?

  • A. From Azure Active Directory (Azure AD), configure organizational relationships.
  • B. From the MFA service settings, create a trusted IP range.
  • C. From Conditional access in Azure Active Directory (Azure AD), create a custom control.
  • D. From Conditional access in Azure Active Directory (Azure AD), create a named location.
Suggested Answer: B
The first thing you may want to do, before enabling Multi-Factor Authentication for any users, is to consider configuring some of the available settings. One of the most important features is a trusted IPs list. This will allow you to whitelist a range of IPs for your network. This way, when users are in the office, they will not get prompted with MFA, and when they take their devices elsewhere, they will. Here's how to do it:
Log in to your Azure Portal.
Navigate to Azure AD > Conditional Access > Named locations.
From the top toolbar select Configure MFA trusted IPs.
References:
https://www.kraftkennedy.com/implementing-azure-multi-factor-authentication/
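
The distinction that the explanation above and the comments below turn on, as an added example (not from the original page or from Microsoft): a simplified Python model, not Azure AD's actual evaluation logic, of when an MFA prompt is suppressed. The function names, the policy dictionary shape and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

def in_ranges(ip, cidrs):
    """True if ip falls inside any CIDR range in cidrs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def mfa_prompted(ip, trusted_ips=(), named_locations=None, policy=None):
    """Simplified model (an assumption, not Azure AD's engine).

    trusted_ips     -- CIDR ranges from the MFA service settings (option B)
    named_locations -- {name: [CIDR, ...]} defined as named locations (option D)
    policy          -- {"exclude_locations": [name, ...]} for a Conditional Access
                       policy requiring MFA everywhere except the excluded
                       locations; None means only per-user MFA applies.
    """
    named_locations = named_locations or {}
    if policy is None:
        # Per-user MFA: only the trusted IP list suppresses the prompt.
        # A named location that no policy refers to changes nothing.
        return not in_ranges(ip, trusted_ips)
    # Conditional Access: the location must be excluded in the policy itself.
    for name in policy.get("exclude_locations", []):
        if in_ranges(ip, named_locations.get(name, [])):
            return False
    return True

# Constructed sample data (RFC 5737 documentation ranges).
OFFICE = ["203.0.113.0/24"]
OFFICE_IP, HOME_IP = "203.0.113.25", "198.51.100.7"
LOCATIONS = {"Main office": OFFICE}
EXCLUDE_OFFICE = {"exclude_locations": ["Main office"]}

def scenarios():
    """Map each scenario from the discussion to 'is the user prompted?'."""
    return {
        "B, office": mfa_prompted(OFFICE_IP, trusted_ips=OFFICE),
        "B, home": mfa_prompted(HOME_IP, trusted_ips=OFFICE),
        "D as worded, office": mfa_prompted(OFFICE_IP, named_locations=LOCATIONS),
        "D + policy exclusion, office": mfa_prompted(
            OFFICE_IP, named_locations=LOCATIONS, policy=EXCLUDE_OFFICE),
        "D + policy exclusion, home": mfa_prompted(
            HOME_IP, named_locations=LOCATIONS, policy=EXCLUDE_OFFICE),
    }

if __name__ == "__main__":
    for name, prompted in scenarios().items():
        print(f"{name}: MFA prompt = {prompted}")
```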

Comments

[Removed]
Highly Voted 4 years, 11 months ago
A. From Azure Active Directory (Azure AD), configure organizational relationships. Nope.
B. From the MFA service settings, create a trusted IP range. Yep, that would solve the problem. See this link: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#trusted-ips
C. From Conditional access in Azure Active Directory (Azure AD), create a custom control. I have no idea what a "custom control" should be in this context. Maybe it's made up?
D. From Conditional access in Azure Active Directory (Azure AD), create a named location. Adding the company's public IP address ranges as a named location wouldn't help to disable MFA. With named locations you can mark IPs and ranges as "trusted locations", which lowers a user's sign-in risk.
So B. is correct!
upvoted 9 times
Tombarc
4 years, 11 months ago
You can select a named location as an exception for your rule, which would completely ignore MFA for your trusted location.
upvoted 1 times
admins
4 years, 9 months ago
But they don't mention doing this in the answer D, so the answer is B as it is a complete solution.
upvoted 1 times
...
ipvaid
4 years, 9 months ago
Yes you can but without selecting it doesn't work and selection is not in any choice. So it is incorrect
upvoted 1 times
...
...
...
gboyega
Highly Voted 4 years, 11 months ago
Given answer is correct
upvoted 6 times
...
cttay71
Most Recent 4 years, 9 months ago
D is not correct, because setting named location is not sufficient. You still need additional set to exclude that named location in the policy -> conditions sections
upvoted 2 times
...
colinquek
4 years, 9 months ago
was very confused initially but then https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition#named-locations Read the section on "Skipping multi-factor authentication". Still is trusted IP range. I would go with (B)
upvoted 2 times
...
_syamantak
4 years, 9 months ago
B is the right answer. We can go to MFA service page and enable trusted IP ranges
upvoted 1 times
...
Duva
4 years, 9 months ago
Answer is D even their answer explanation said so
upvoted 1 times
cttay71
4 years, 9 months ago
Should be B. When you click on "Configure MFA trusted IPs", it brings you to the MFA Service Setting. If you define Named Location, it is used to detect false positive in risk detection. https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/quickstart-configure-named-locations
upvoted 1 times
...
...
BEB
4 years, 10 months ago
IP based is very common. Note that AD is capable of identifying your location (location means where you are connecting from ... it is IP address, not street number:-)). If you are connecting from a "trusted" environment, then no need for multi-factor (given that you are on premises / more controlled environment). Answer is "trusted IP" which is the IP of the location where the request came from.
upvoted 2 times
...
ChanderM
4 years, 10 months ago
B seems to be the correct answer, as D is talking about creating a named location. If you create a named location then you have to add a trusted IP range to get it to work. The explanation mentions the same. In future there is going to be a single blade for all this. https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/NamedNetworksV2
upvoted 1 times
ChanderM
4 years, 10 months ago
Also, when I click the Configure MFA trusted IP tab from Named location, it takes me to a blade where I can just change user settings to change MFA methods but cannot provide any IP. I have the free Active Directory tier, so it seems that that option is only in premium. For now the only way I can add a trusted IP is by creating a named location.
upvoted 1 times
...
...
azureexaminer
4 years, 11 months ago
Read the statement carefully: "From Conditional access in Azure Active Directory (Azure AD), create a named location". You DO NOT create a named location from conditional access; you only select a named location. If you selected TRUSTED IPs, you would still need to go to answer B to configure the trusted IP. So the correct answer is B.
upvoted 2 times
...
Test_Taker
5 years ago
According to the below, it's B.
Location Conditional Access Policy: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
"Requiring multi-factor authentication for users accessing a service when they are off the corporate network. Blocking access for users accessing a service from specific countries or regions."
Trusted IP's: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#trusted-ips
"You can set trusted IP ranges for your on-premises environments to when users are in one of those locations, there's no Azure Multi-Factor Authentication prompt."
upvoted 2 times
...
Prash85
5 years ago
answer is B not to confuse with named location
upvoted 1 times
...
dumbu
5 years ago
B is correct based on the link https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings
upvoted 1 times
tmurfet
5 years ago
I agree. The requirement is specific: "You need to prevent the users from receiving MFA requests when they sign in from the main office." So B is a direct method. "https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#trusted-ips"
upvoted 1 times
...
...
MidCities
5 years ago
Here we go ladies and gents, a couple of links that I think validate choice "D" as the correct choice. In summary, you have to go through Named Location in order to get to trusted IPs. Screen shots included in links. https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/quickstart-configure-named-locations https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
upvoted 1 times
admins
4 years, 9 months ago
No you don't, you can access the MFA settings page from the User's blade in Azure.
upvoted 1 times
...
...
Explen
5 years ago
Correct answer is B, as it talks of addressing the second authentication, which is done on MFA; then navigate to MFA service settings. D is not considering MFA. It addresses access (password and/or MFA) based on trusted locations where users are allowed to log in. If a user is not on the trusted location, then they are blocked from accessing the service. (Doesn't consider MFA status.)
upvoted 2 times
...
P0d
5 years ago
The given answer is the quickest way. So you can just add an IP address or range to the section in MFA --> Configure --> Additional cloud-based MFA settings: from the trusted IPs tab, add IPs.
upvoted 3 times
P0d
5 years ago
But in explanation it shows Named location :)
upvoted 1 times
admins
4 years, 9 months ago
But just adding a named location on its own isn't a complete solution; you'd then need to modify any conditional access policies. Personally I'd use a named location over trusted IPs, because there are times where I'd want to force MFA even if it's coming from a trusted IP (and with trusted IPs this isn't possible), but the answer they're giving in D isn't a complete solution so we can't use it. In this case B is the only appropriate answer.
upvoted 1 times
...
...
...
Pigi_102
5 years, 1 month ago
What about: https://www.kraftkennedy.com/implementing-azure-multi-factor-authentication/ Here it seems that with MFA the Trusted IP is OK.
upvoted 1 times
...
tboggie
5 years, 1 month ago
The answer is D https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
upvoted 2 times
...