ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-304 All Questions

View all questions & answers for the AZ-304 exam
Go to Exam

Exam AZ-304 topic 2 question 26 discussion

Actual exam question from Microsoft's AZ-304
Question #: 26
Topic #: 2
[All AZ-304 Questions]

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains a group named Group1. Group1 contains all the administrative user accounts.
You discover several login attempts to the Azure portal from countries where administrative users do NOT work.
You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA).
Solution: Implement Azure AD Identity Protection for Group1.
Does this solution meet the goal?

  • A. Yes
  • B. No
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by idrisfl at Dec. 1, 2020, 10:03 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Othermike
Highly Voted 4 years, 7 months ago
The answer is no , cause you can 't make any rules in Identity protection to require MFA For Azure portal and you can't add the location either . I think we should use conditional access policy to solve this problem .. I am 100% sure that the answer is no
upvoted 66 times
Biden
4 years, 2 months ago
Answer is NO...MS recommends using Conditional Access policies for MFA: https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa
upvoted 2 times
...
esatu
4 years, 6 months ago
MFA Registration Policy in Identity Protection can be used to require MFA. Risky sign-ns allows entering trusted IPs/Locations. You can check it in the portal. I think the answer is yes.
upvoted 8 times
...
cherry23
4 years, 1 month ago
answer is Yes https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies
upvoted 5 times
sjai
3 years, 10 months ago
YES "Configured trusted network locations are used by Identity Protection in some risk detections to reduce false positives." https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies
upvoted 1 times
...
...
nExoR
4 years, 1 month ago
the answer is YES https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies
upvoted 3 times
...
Load full discussion...
...
idrisfl
Highly Voted 4 years, 8 months ago
I would have said Yes. PIM is for access rights elevation, whereas Identity Protection is closely hooked to Conditional access for forcing MFA https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection#risk-detection-and-remediation
upvoted 35 times
mmmore
4 years, 8 months ago
Agreed
upvoted 1 times
...
heany
4 years, 4 months ago
Agreed. Under identity protection -> report -> risky sign-in -> configure trusted IP, you can configure countries
upvoted 4 times
tteesstt
3 years, 10 months ago
Report is just that, for reporting. It doesn't proactively do anything other than reporting.
upvoted 2 times
...
...
BoxGhost
4 years ago
But the suggestion here is to implement Identity Protection. If they have not configured identity protection yet then something else must be blocking the logins such as a CA policy blocking certain countries.
upvoted 1 times
...
mindtrax
4 years, 5 months ago
Agreed the question is about identity protection and in their answer they refer to PIM, which is something different.
upvoted 3 times
...
...
silwal
Most Recent 3 years ago
Answer is A https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies We can configure custom Conditional Access Policy under Identity Protection Policy
upvoted 2 times
...
Raj99
3 years ago
answer is Y, MFA can be enabled under Identity protection blade.
upvoted 1 times
...
sapien45
3 years, 2 months ago
Implement Azure AD Privileged Identity Management for everyone.= Identity Protrection Implement Azure AD Privileged Identity Management for Group1 = Contidiotnal Access No
upvoted 1 times
...
itenginerd
3 years, 4 months ago
Selected Answer: B
You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA). Identity Protection does not enable MFA, it processes signals and identifies risk.
upvoted 2 times
...
exnaniantwort
3 years, 4 months ago
Answer is NO Identity Protection is a tool that allows organizations to accomplish three key tasks: Automate the detection and remediation of identity-based risks. Investigate risks using data in the portal. Export risk detection data to your SIEM. The signals generated by and fed to Identity Protection, can be further fed into tools like Conditional Access to make access decisions, or fed back to a security information and event management (SIEM) tool for further investigation based on your organization's enforced policies. https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection Conditional access is not included in Identity Protection
upvoted 1 times
...
JBS
3 years, 4 months ago
Selected Answer: B
Alone IP doesn't work. It required conditional access policies to enable MFA
upvoted 1 times
...
Dawn7
3 years, 4 months ago
Selected Answer: B
Correct
upvoted 1 times
...
PG4141
3 years, 5 months ago
Selected Answer: A
Refer : https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection Identity Protection identifies risks of many types, including: Anonymous IP address use Atypical travel Malware linked IP address Unfamiliar sign-in properties Leaked credentials Password spray and more... The risk signals can trigger remediation efforts such as requiring users to: perform Azure AD Multi-Factor Authentication, reset their password using self-service password reset, or blocking until an administrator takes action.
upvoted 1 times
itenginerd
3 years, 4 months ago
AIP generates and processes signals. It does not in and of itself enable MFA.
upvoted 1 times
catfood
2 years, 11 months ago
Identity Protection | Sign-in risk policy - can set to a specific group of users, can require MFA but you can't specific a list of countries that the admins don't work from. It might learn that eventually, or realise that its impossible travel, but a conditional access policy would be a better option here
upvoted 1 times
...
...
...
plmmsg
3 years, 5 months ago
Selected Answer: B
No. use conditional access policy
upvoted 1 times
...
Naqsh27
3 years, 5 months ago
Selected Answer: B
The Answer is no. the reference is https://techcommunity.microsoft.com/t5/itops-talk-blog/what-s-the-difference-between-azure-active-directory-identity/ba-p/1320887 But I have also implemented both AAD Identity protection and Conditional Access Policies. AAD IP is an automated response to predefined signals that allows seamless mitigation and/or remediation of possible issues that cause them Conditional Access Policies allow you to target a Specific Group (Group 1 with all the admins) and set "rules" based on various options (some of which may include AAD IP risk levels). These conditional rules may allow or block access or be more refined by allowing access only of you meet certain criteria (MFA) In AAD IP - the only thing you can set is the MFA registration policy which is a global setting but does not correlate to controlled access to any specific part of Azure Portal or App.
upvoted 2 times
...
depaul
3 years, 5 months ago
Selected Answer: B
Not sure How people are confussed in this, this is a clear "NO".. you need to have conditional access for enforcing MFA
upvoted 1 times
...
arun
3 years, 5 months ago
Selected Answer: A
I think 'Yes' is right answer. pls refer https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies#azure-ad-mfa-registration-policy Identity Protection can help organizations roll out Azure AD Multi-Factor Authentication (MFA) using a Conditional Access policy requiring registration at sign-in. Enabling this policy is a great way to ensure new users in your organization have registered for MFA on their first day
upvoted 2 times
...
S_AB
3 years, 5 months ago
Selected Answer: B
I think is Yes. Becouse you can config a policy to force MFA with Identity protection and you can define mfa and login from diferent country is a risk. https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies
upvoted 1 times
...
Sistemas_ASMWS
3 years, 5 months ago
Selected Answer: B
I think Azure AD Identity Protection isn't the feature that gives you MFA.
upvoted 1 times
...
us3r
3 years, 6 months ago
Selected Answer: A
read the question! Several attempts have already be discovered! So, Azure AD identity Protection is the answer. YES
upvoted 2 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel