Exam AZ-304 topic 2 question 62 discussion

Actual exam question from Microsoft's AZ-304
Question #: 62
Topic #: 2

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains a group named Group1. Group1 contains all the administrative user accounts.
You discover several login attempts to the Azure portal from countries where administrative users do NOT work.
You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA).
Solution: Implement Azure AD Privileged Identity Management.
Does this solution meet the goal?

  • A. Yes
  • B. No
Suggested Answer: B

Comments

VincentZhang
Highly Voted 3 years, 9 months ago
Answer is wrong. The right answer is Conditional Access.
upvoted 28 times
zeeek
3 years, 3 months ago
There is no Conditional Access option for this question, so I think all of them are no; there is no correct answer.
upvoted 1 times
...
rdemontis
3 years, 6 months ago
Exactly. MFA authentication for PIM is used when the user (already authenticated to the Azure portal) wants to activate a new elevated role. But this is not the case: "You can require that users complete a multifactor authentication challenge when they sign in. You can also require that users complete a multifactor authentication challenge when they activate a role in Azure Active Directory (Azure AD) Privileged Identity Management (PIM). This way, even if the user didn't complete multifactor authentication when they signed in, they'll be asked to do it by Privileged Identity Management" https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
upvoted 6 times
...
17Master
3 years, 4 months ago
There are three of the same questions here; none of the three has the Conditional Access option. So what is the answer? For me it must be PIM because it fits more.
upvoted 1 times
kilowd
3 years ago
Azure MFA can be leveraged as an additional verification mechanism through:
  • Conditional Access policies
  • Azure AD Identity Protection to mitigate risky sign-ins
  • Step-up authentication mechanisms, like the OneDrive Personal Vault feature
  • The Azure MFA NPS Extension
Azure MFA registration can be combined with the registration for Azure AD Self-service Password Reset, to make the registration for the one complete the registration for the other.
upvoted 1 times
...
AubinBakana
2 years, 10 months ago
There does not have to be a right answer. Read the description above.
upvoted 2 times
...
AubinBakana
2 years, 10 months ago
There does not have to be a right answer. Read the description above.
upvoted 1 times
...
...
17Master
3 years, 3 months ago
Yes is correct. Check this link: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-require-mfa We recommend that you require multifactor authentication (MFA or 2FA) for all your administrators. Multifactor authentication reduces the risk of an attack using a compromised password. You can require that users complete a multifactor authentication challenge when they sign in. You can also require that users complete a multifactor authentication challenge when they activate a role in Azure Active Directory (Azure AD) Privileged Identity Management (PIM). This way, even if the user didn't complete multifactor authentication when they signed in, they'll be asked to do it by Privileged Identity Management.
upvoted 3 times
...
...
syu31svc
Highly Voted 3 years, 9 months ago
Answer is No. Conditional Access is the solution.
upvoted 7 times
gssd4scoder
3 years, 8 months ago
Few doubts you're right man
upvoted 1 times
...
...
rxlicon
Most Recent 1 year, 9 months ago
The correct answer is Identity Protection as a Signal source for Conditional Access
upvoted 1 times
...
PPP164
2 years, 8 months ago
Correct answer is ADPIM, Yes
upvoted 1 times
...
Snownoodles
2 years, 8 months ago
Selected Answer: B
Conditional Access
upvoted 1 times
...
jellybiscuit
2 years, 9 months ago
Selected Answer: B
No. -- the answer is a conditional access policy. PIM can require MFA, but only for elevated (administrative) roles -- meaning it can't apply to all users. It also cannot consider location.
upvoted 2 times
...
One111
2 years, 10 months ago
Selected Answer: A
Conditional Access policy with country based on IP addresses is needed. If admins have Authenticator on mobiles with GPS, this could be hardened by using GPS coordinates from their devices.
upvoted 1 times
...
AubinBakana
2 years, 10 months ago
Selected Answer: B
I am adamant this is false. Conditional Access.
upvoted 1 times
...
kilowd
3 years ago
Azure MFA can be leveraged as an additional verification mechanism through:
  • Conditional Access policies
  • Azure AD Identity Protection to mitigate risky sign-ins
  • Step-up authentication mechanisms, like the OneDrive Personal Vault feature
  • The Azure MFA NPS Extension
Azure MFA registration can be combined with the registration for Azure AD Self-service Password Reset, to make the registration for the one complete the registration for the other.
upvoted 1 times
...
bhuren
3 years, 2 months ago
Right Solution would be AZ Identity Protection - Sign-in Risk Policy
upvoted 1 times
...
Zsolt72
3 years, 2 months ago
Selected Answer: A
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure#what-does-it-do What does it do? - Enforce multi-factor authentication to activate any role
upvoted 2 times
...
azlan69
3 years, 3 months ago
It's a Yes answer: Unlike Conditional Access, Azure PIM only applies to administrative roles within Azure and Azure AD. This is an important consideration, both as it relates to ‘administrative’ functions as well as, more importantly, the idea of Azure and Azure AD ‘roles’. Also, unlike Conditional Access, Azure PIM requires Microsoft’s highest license tiers (E5 or Premium 2) for any users that are subject to the tool.
upvoted 2 times
...
itenginerd
3 years, 3 months ago
On my exam today was another question with the correct answer "Use Privileged Identity Manager to enable MFA", so I'd think Microsoft would say this is a functional answer. Yes, I'd do it with Conditional Access in production, but this answer plays if you have AD Premium P2 in place.
upvoted 1 times
...
kanweng
3 years, 3 months ago
Selected Answer: B
No, the correct answer should be Azure AD Identity Protection https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
upvoted 1 times
...
Plesking
3 years, 3 months ago
I encountered a similar situation at work and Azure AD identity protection is the answer here.
upvoted 1 times
...
hobozero
3 years, 3 months ago
As many others have pointed out, Conditional Access is the correct answer, but PIM is only relevant during role activation. The correct answer is Identity Protection as a Signal source for Conditional Access. "Administrators can specify entire countries/regions IP ranges to block or allow traffic from." "Signals integration with Azure AD Identity Protection allows Conditional Access policies to identify risky sign-in behavior. Policies can then force users to change their password, do multi-factor authentication to reduce their risk level, or block access until an administrator takes manual action." https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
upvoted 1 times
...
petey212
3 years, 3 months ago
Selected Answer: A
A - this is technically correct because you can enable MFA through PIM. Conditional Access is more appropriate (because you can specify the regions it is enabled) but PIM is still an acceptable answer as you can enforce MFA.
upvoted 3 times
azlan69
3 years, 3 months ago
Correct: Unlike Conditional Access, Azure PIM only applies to administrative roles within Azure and Azure AD. This is an important consideration, both as it relates to ‘administrative’ functions as well as, more importantly, the idea of Azure and Azure AD ‘roles’. The question mentioned on the administrator role.
upvoted 1 times
...
...
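Several comments above name a location-scoped Conditional Access policy as the control that matches the scenario. As an added example (not from the exam page or any commenter), this is how such a policy could be created with the Microsoft Graph PowerShell SDK; the display names and the country codes are placeholders, and the module and delegated scopes shown are assumed to be available in the tenant.

```powershell
# Added example. Assumes the Microsoft.Graph module is installed and the
# signed-in admin can consent to the scopes below.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Application.Read.All', 'Group.Read.All'

# Group1 from the scenario: holds all administrative user accounts.
$group = Get-MgGroup -Filter "displayName eq 'Group1'"

# Named location listing the countries where administrators do NOT work.
# 'XX' and 'YY' are placeholders for real ISO 3166-1 alpha-2 codes.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Countries without admin staff (placeholder name)'
    countriesAndRegions               = @('XX', 'YY')
    # Also match sign-ins whose IP address cannot be mapped to a country.
    includeUnknownCountriesAndRegions = $true
}

# Policy: Group1 + Azure management endpoints + the named location => require MFA.
$policy = @{
    displayName   = 'Require MFA for Group1 from listed countries (placeholder name)'
    # Report-only first, so the effect can be reviewed in the sign-in logs
    # before switching state to 'enabled'.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeGroups = @($group.Id) }
        # Well-known app ID of the Azure management app, which covers the Azure portal.
        applications   = @{ includeApplications = @('797f4846-ba00-4fd7-ba43-dac1f8f63013') }
        locations      = @{ includeLocations = @($location.Id) }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The location condition is evaluated at sign-in, whereas the PIM MFA setting quoted in the comments applies when a role is activated.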
Community vote distribution
A (35%)
C (25%)
B (20%)
Other