Exam AZ-104 topic 1 question 3 discussion

Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator. Browse to Azure Active Directory > Security > Conditional Access. Select New policy. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. Under Assignments, select Users and groups Under Include, select All users Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts. Select Done. Under Cloud apps or actions > Include, select All cloud apps. Under Exclude, select any applications that don't require multi-factor authentication. Under Access controls > Grant, select Grant access, Require multi-factor authentication, and select Select. Confirm your settings and set Enable policy to Report-only. Select Create to create to enable your policy.

Correct answer is B. The solution mentioned does not fully meet the goal of requiring members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect from untrusted locations. While accessing the Azure portal to alter the session control is a step in the right direction, it's essential to configure the specific conditions and controls in the Azure AD conditional access policy to enforce these requirements. To achieve the goal, you need to create or modify an Azure AD conditional access policy and specify the conditions that require Multi-Factor Authentication and Azure AD-joined devices for members of the Global Administrators group when they access Azure AD from untrusted locations. Simply accessing the Azure portal to alter session control is not sufficient to fully implement this policy.

The solutions doesn't meet the goals because altering session control does not directly address the requirements

B is correct grant control, not session control

Under Assignments select the Global Admin Group Under Conditions set the location to any location and exclude all trusted locations Under Access Controls, grant access and check the options for require MFA and require the device to be marked as compliant.

questions 3 and 4 are identical.

Hello All I see lot of recommendtions to check "Mlantonis" answers.Please let me know how to find it in this huge blog

Correc Answer B (NO). Within a Conditional Access policy: Access Control GRANT: an administrator can use access controls to grant or block access to resources. Access Control SESSION: an administrator can make use of session controls to enable limited experiences within specific cloud applications.

answer is B

B is correct, needs to be grant control

ANS :A

Focus at text "alter the session", it make B is correct choice.

option B is correct

Solution B is not correct because it suggests creating a new resource group for each department. While this approach could be used to organize resources, it does not allow for direct association between the virtual machines and their respective departments. Assigning tags to the virtual machines is a better solution for this requirement.

Answer is B. Require MFA is a checkbox listed within the GRANT control portion of the conditional access policy.

No, the solution does not meet the goal. Altering the session control of the Azure AD conditional access policy alone will not achieve the desired requirements. You need to configure a conditional access policy that requires Multi-Factor Authentication (MFA) and an Azure AD-joined device for members of the Global Administrators group when connecting from untrusted locations.

A - is correct