Exam AZ-304 topic 2 question 56 discussion

GIven answers are not correct, as they are using Azure AD Free. -Smart Lockout requires Azure AD P1 or higher (Source: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults) -Conditional Access Policies requires Azure AD P1 or higher (Source: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults) Correct answers are Pass-Through Authentication (PTA) and Security Defaults PTA Rationale: Authentication and password policy is handled by OnPrem DCs. We can configure security policies OnPrem to disable and account for X amount of minutes for password spray attacks. Security Defaults: Blocking legacy authentication protocols (Source: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults) This also minimizes cost.

Was in exam today 1-10-2021. I passed with score 896. I chose smart lockout for 1 and Enable Security Defaults for 2

1. To protect against brute force attacks: Smart lockout should be recommended. Azure AD has a smart lockout feature that can recognize sign-ins coming from valid users and treat them differently than ones that are likely from attackers. Smart lockout can lock out attackers while letting valid users continue to access their accounts. 2. To block legacy authentication attempts: Enable Security defaults should be recommended. Security defaults in Azure AD make it easier to help protect your organization with preconfigured security settings for common attacks. This includes blocking legacy authentication protocols that can be used with guessing simple passwords or are not capable of doing multi-factor authentication. Both options are available in the free edition of Azure AD and do not incur additional costs, which satisfies the requirement to minimise costs.

Smart Lockout is always enable for all versions of Azure AD. In this question Azure AD free version is used so smart lockout is enabled by default but can't make any changes to setting of smart lockout. So, if there is a need to make changes in the setting of Smart Lockout then it requires AAD P1 or higher license. So, Smart Lockout is correct answer.

Smart lockout https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout#how-smart-lockout-works Enable security defaults https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

1. Smart Lockout Smart lockout is always on, for all Azure AD customers, with these default settings that offer the right mix of security and usability. Customization of the smart lockout settings, with values specific to your organization, requires Azure AD Premium P1 or higher licenses for your users. 2. Security Default Security defaults: Available versions of Azure AD Multi-Factor Authentication Azure AD Multi-Factor Authentication can be used, and licensed, in a few different ways depending on your organization's needs. All tenants are entitled to basic multifactor authentication features via Security Defaults.

With an AAD Free license, I would say: 1. SMART LOCKOUT with default setting (Customization require AAD Premium P1 as explained here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout#:~:text=Customization%20of%20the%20smart%20lockout,user%20is%20never%20locked%20out. Azure AD > Security > Authentication Methods 2. DEFAULT SECURITY SETTING (also available to AAD free version) Azure AD > Properties > Manage Security Defaults > Toggle to YES > Save https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

Question is very confusing. Smart Lock protects from Brute Force attack but requires AAD P1 or higher license but Question says company has free AAD license.

Conditional access and Security defaults both can do see Conditional access https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication Security defaults: Available versions of Azure AD Multi-Factor Authentication Azure AD Multi-Factor Authentication can be used, and licensed, in a few different ways depending on your organization's needs. All tenants are entitled to basic multifactor authentication features via Security Defaults. But conditonal access is rejected because the question states it's free subscription. Security default is available for free version (stated above)

Can confirm Smart Lockout and Security Defaults based on the course I just finished, which had this question in the practice tests.

1. Smart Lockout 2. Security Default

Smart Lock and Security defaults https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

Smart Lockout & Security Defaults : Smart lockout helps lock out bad actors that try to guess your users' passwords or use brute-force methods to get in. Smart lockout can recognize sign-ins that come from valid users and treat them differently than ones of attackers and other unknown sources. Attackers get locked out, while your users continue to access their accounts and be productive.

1. Smart lockout 2. Security defaults

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout Smart lockout helps lock out bad actors that try to guess your users' passwords or use brute-force methods to get in https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults#blocking-legacy-authentication Protect brute force using mart lockout and block legacy using security defaults

came in exam on 20-sep-21, I passed, i choose pass through and enable default

1. Smart Lockout 2. Security Default