Exam AZ-304 topic 8 question 3 discussion

I disagree. At least with the second answer. We already have Capolicy1 that "requires that when users manage the Azure subscription for a production environment by using the Azure portal, they must connect from a hybrid Azure AD-joined device." The easiest way to achieve MFA would be modifying the modifying Grant control in Capolicy1 (just adding "Require MFA" there). "Sign-in risk policy" seems not applicable here, as the MFA requirement is not linked to any risk conditions (like 'when logging on from certain countries', 'when account is at risk' etc.). The first answer is more complex. Enabling "Security Default" would meet the requirement (and enforce users to register for MFA). But it would also enforce MFA for administrative access (thus make the other question futile), and it would have other effects (like blocking legacy authentication protocols, and we don't know if that is desired). MFA Registration Policy is part of azure AD Identity Protection. So I'd go for 1: Azure AD Identity Protection 2: Grant control in capolicy1

1: Azure AD Identity Protection 2: Grant control in capolicy1

It says to register the users for Azure MFA Security defaults in Azure AD Article 04/24/2022 8 minutes to read 8 contributors Microsoft is making security defaults available to everyone, because managing security can be difficult. Identity-related attacks like password spray, replay, and phishing are common in today's environment. More than 99.9% of these identity-related attacks are stopped by using multi-factor authentication (MFA) and blocking legacy authentication. The goal is to ensure that all organizations have at least a basic level of security enabled at no extra cost. Security defaults make it easier to help protect your organization from these identity-related attacks with preconfigured security settings: Requiring all users to register for Azure AD Multi-Factor Authentication. Requiring administrators to do multi-factor authentication. Requiring users to do multi-factor authentication when necessary. Blocking legacy authentication protocols. Protecting privileged activities like access to the Azure portal.

On exam 24.12.2021

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy 1st drop down is correct https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant 2nd drop down is grant control in cappolicy1

1. Azure AD identity protection Azure AD Identity Protection helps you manage the roll-out of Azure AD Multi-Factor Authentication (MFA) registration by configuring a Conditional Access policy to require MFA registration no matter what modern authentication app you are signing in to. See instructions here https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy#policy-configuration "Per-user MFA..." could not be used if conditional access policy is being used. See here https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates "security defaul.." also not applicable due to the usage of conditional access policy, see https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults 2. the easiest way to configure the "Grant control in capolicy1" (verified in the portal)

1: Azure AD Identity Protection Litware.com has Conditional Access Policy. Don't enable or enforce per-user Azure AD Multi-Factor Authentication if you use Conditional Access policies. https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates Therefor it should NOT be Per user MFA 2: Grant control in capolicy1 Enabling Azure AD Multi-Factor Authentication using Conditional Access policies is the recommended approach to protect users. Conditional Access is an Azure AD Premium P1 or P2 feature that lets you apply rules to require MFA as needed in certain scenarios. Grant Control is one step in process to enable MFA in Conditional Access Policy.

came in exam on 20-sep-21, I passed, I choose given one

Box 1)Per user MFA as users have P2 license Box 2)Grant control in capolicy1