Exam AZ-303 topic 6 question 24 discussion

Actual exam question from Microsoft's AZ-303
Question #: 24
Topic #: 6

You have an Azure Active Directory (Azure AD) tenant.
All administrators must enter a verification code to access the Azure portal.
You need to ensure that the administrators can access the Azure portal only from your on-premises network.
What should you configure?

  • A. the default for all the roles in Azure AD Privileged Identity Management
  • B. an Azure AD Identity Protection user risk policy
  • C. an Azure AD Identity Protection sign-in risk policy
  • D. the multi-factor authentication service settings
Suggested Answer: D
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings

Comments

Tripp_F
Highly Voted 3 years, 11 months ago
The question states that all administrators MUST enter an MFA code to log in, and that they may only log in from on-prem. MFA service settings only contain the option to skip MFA for trusted IPs. I believe the answer they're looking for is: C: An Azure AD Identity Protection sign-in risk policy
upvoted 18 times
gizda2
3 years, 7 months ago
This one!
upvoted 3 times
BoxGhost
Highly Voted 3 years, 10 months ago
The correct solution would be conditional access. All of the answers are wrong. I think there is a typo somewhere, this looks like a duplicate of a previous question where the goal is to prevent users on-premise from being prompted for MFA, in which case D is correct here.
upvoted 10 times
J4U
3 years, 9 months ago
Correct. It should be through CA, require MFA by default and exclude on-prem location. There are no service settings in MFA.
upvoted 1 times
max_n
3 years, 8 months ago
Answer is C. Administrators can also choose to create a custom Conditional Access policy including sign-in risk as an assignment condition. Ref: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies
upvoted 3 times
max_n
Most Recent 3 years, 8 months ago
Answer is C. Administrators can also choose to create a custom Conditional Access policy including sign-in risk as an assignment condition. Ref: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies
upvoted 1 times
syu31svc
3 years, 9 months ago
D is correct.
  • the default for all the roles in Azure AD Privileged Identity Management - Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization.
  • an Azure AD Identity Protection user risk policy - Identity Protection can calculate what it believes is normal for a user's behavior and use that to base decisions for their risk.
  • an Azure AD Identity Protection sign-in risk policy - Identity Protection analyzes signals from each sign-in, both real-time and offline, and calculates a risk score based on the probability that the sign-in wasn't performed by the user. Administrators can make a decision based on this risk score signal to enforce organizational requirements. Administrators can choose to block access, allow access, or allow access but require multi-factor authentication.
upvoted 2 times
certpro
3 years, 10 months ago
Given answer is correct: D. https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#mfa-service-settings Set TrustedIP through MFA Service settings.
upvoted 7 times
Spooky7
3 years, 7 months ago
This setting is to skip MFA for a given IP range; it has nothing to do with not allowing authentication from outside that IP range.
upvoted 3 times
pentium75
3 years, 10 months ago
Something is wrong here. A is nonsense. B, C and D only affect the strength of the logon (like, is second factor required), but they do not prevent logon from untrusted IP completely.
upvoted 1 times
rdemontis
3 years, 10 months ago
From the text of the question it seems to want to prevent administrators from accessing from any location other than the on-premises corporate network. Furthermore, access from the on-premises network must necessarily take place with MFA. Although I don't understand the meaning of this scenario, I don't see how a sign-in risk policy can be applied as the reliability of the origin of access to the Azure portal would be calculated by Azure itself and not by us. How does Azure understand that access is from a different network than the corporate one? To do this, you need to configure the location. But at that point what need do we have to use a sign-in risk policy? Just configure Conditions to set up an allowed location and set GRANT to request MFA. So I think D is the correct answer
upvoted 2 times
vharsh16
3 years, 11 months ago
Answer is correct, use trusted IP.
upvoted 3 times
dummyvm
3 years, 11 months ago
C https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies
upvoted 1 times
Yiannisthe7th
3 years, 11 months ago
"All administrators must enter a verification code to access the Azure portal". MFA service settings can't achieve it because it bypasses the multi-factor authentication as per MS docs. Seems like Option C is a better choice.
upvoted 1 times
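
The two behaviours the comments above contrast, as an added example that is not part of the original thread: a simplified Python model (not Azure's own evaluation engine) of the MFA trusted-IPs setting next to a location-based Conditional Access setup, checked against the question's two requirements. The CIDR range, sample IP addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample values (documentation ranges), not taken from the thread.
ON_PREM = ipaddress.ip_network("203.0.113.0/24")  # assumed on-premises egress range
SAMPLE_IPS = {"on_prem": "203.0.113.10", "external": "198.51.100.7"}


def mfa_trusted_ips(ip, trusted=ON_PREM):
    """MFA service settings, trusted IPs: sign-ins from a trusted range skip
    the MFA prompt; every other sign-in is prompted. Nothing is blocked."""
    inside = ipaddress.ip_address(ip) in trusted
    return {"allowed": True, "mfa_required": not inside}


def conditional_access(ip, named_location=ON_PREM):
    """Location-aware policies as the Conditional Access comments describe:
    1) block administrators from any location except the named location;
    2) require MFA as the grant control for the sign-ins that remain."""
    inside = ipaddress.ip_address(ip) in named_location
    if not inside:
        return {"allowed": False, "mfa_required": False}
    return {"allowed": True, "mfa_required": True}


def meets_requirement(evaluate):
    """The question's requirements: a verification code on every admin
    sign-in, and portal access only from the on-premises network."""
    on_prem = evaluate(SAMPLE_IPS["on_prem"])
    external = evaluate(SAMPLE_IPS["external"])
    return {
        "always_mfa": on_prem["allowed"] and on_prem["mfa_required"],
        "on_prem_only": not external["allowed"],
    }


if __name__ == "__main__":
    for name, fn in [("trusted IPs", mfa_trusted_ips),
                     ("conditional access", conditional_access)]:
        print(name, meets_requirement(fn))
```
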
Community vote distribution
A (35%)
C (25%)
B (20%)
Other