Exam AZ-103 topic 5 question 2 discussion

D is the correct answer. This is conditional access

Answer D is what is closest to the truth, as some IP restrictions are included inside the sign in risk policy. MFA settings is wrong, you only can set there IPs from where MFA is skipped (trusted locations). See here for sign in policy: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#sign-in-risk

Well B should be correct. All administrators much enter verification code ...mean they have MFA which provide verification code. As part of MFA access you can configure which locations can access be allowed from. Sign in risk policy determines a risk score based on where/how sign in happened from . https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection

testing

D. an Azure AD Identity Protection sign-in risk policy

It should be D ( an Azure AD Identity Protection sign-in risk policy ) " When configuring location as a condition, organizations can choose to include or exclude locations. These named locations may include the public IPv4 network information, country or region, or even unknown areas that don't map to specific countries or regions. Only IP ranges can be marked as a trusted location. " https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions#sign-in-risk

The given answer is correct - B This is about Configuring MFA trusted IPs You can also configure IP address ranges representing your organization's local intranet in the multi-factor authentication service settings. This feature enables you to configure up to 50 IP address ranges. The IP address ranges are in CIDR format. " https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

Answer not in the dang list. 'Conditional Access' policy!

Sign-in risk policy Identity Protection analyzes signals from each sign-in, both real-time and offline, and calculates a risk score based on the probability that the sign-in wasn't performed by the user. Administrators can make a decision based on this risk score signal to enforce organizational requirements. Administrators can choose to block access, allow access, or allow access but require multi-factor authentication. ans:C

We need to use Conditional Access Policy to achive both multi-factor authentication (first part of the requirement) and the trusted IP location (second part of the requirement). Under Conditional access, setup a trusted location based on IPs form corporate network. Create a new conditional policy with as below: 1. Users: Administrator group 2. Cloud Apps: Microsoft Azure Management (Portal access) 3. Condition: Choose location -> include the trusted IP 4. Access control: Grant Access with MFA Now, conditional Access is part of Azure Advanced Identity Protection. So acswer should be C.

Given answer B is correct.

Sign in Risk policy seems more appropriate because it can trigger the control for Multi Factor authentication if the sign is is detected from outside of the on premise network.

Correct answer is D. Read this; https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies You enforce both MFA & Location based MFA only allows you to set trusted locations, not define locations from which one must login from.

Its D because sign-in risk policy supports MFA.

enabling MFA have nothing to do with restrictions!!!! its D

Answer is B. MFA Service Settings https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#:~:text=In%20the%20Azure%20portal%2C%20search,Select%20Mark%20as%20trusted%20location.

My mistake. B is the right one which is MFA where we can set up Trusted IPs.