ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-301 All Questions

View all questions & answers for the AZ-301 exam
Go to Exam

Exam AZ-301 topic 2 question 35 discussion

Actual exam question from Microsoft's AZ-301
Question #: 35
Topic #: 2
[All AZ-301 Questions]

Your network contains an Active Directory domain named contoso.com that is federated to an Azure Active Directory (Azure AD) tenant. The on-premises domain contains a VPN server named Server1 that runs Windows Server 2016.
You have a single on-premises location that uses an address space of 172.16.0.0/16.
You need to implement two-factor authentication for users who establish VPN connections to Server1.
What should you include in the implementation?

  • A. In Azure AD, create a conditional access policy and a trusted named location
  • B. Install and configure Azure MFA Server on-premises
  • C. Configure an Active Directory Federation Services (AD FS) server on-premises
  • D. In Azure AD, configure the authentication methods. From the multi-factor authentication (MFA) service settings, create a trusted IP range
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
You need to download, install and configure the MFA Server.
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-deploy
by Karls at Dec. 6, 2019, 2:22 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Karls
Highly Voted 5 years, 6 months ago
It should be A. A. In Azure AD, create a conditional access policy and a trusted named location Review this link: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-registration
upvoted 36 times
maheshwary
4 years, 11 months ago
Should be D. Asking for trusted IP range, not trusted location.
upvoted 6 times
...
Famous_Guy
5 years, 2 months ago
Important: As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
upvoted 8 times
tartar
4 years, 9 months ago
B is ok
upvoted 1 times
tartar
4 years, 9 months ago
out dated.. let's choose A..
upvoted 4 times
toja1234
4 years, 9 months ago
But Server1 is onpremises, users connect via vpn -> Azure AD not involved. Can't find any hint that Azure AD is involved... With B out dated no valid answer here.
upvoted 1 times
...
...
...
...
heany
4 years, 2 months ago
B even it's outdated. as 172 is private IP. The trusted IPs can include private IP ranges only when you use MFA Server. For cloud-based Azure AD Multi-Factor Authentication, you can only use public IP address ranges. https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#trusted-ips
upvoted 2 times
...
...
Happiman
Highly Voted 5 years, 2 months ago
On-prem server1 will authenticate VPN users, NOT Azure AD. Answer is B.
upvoted 9 times
...
j888
Most Recent 4 years, 3 months ago
Answer is D, conditional access require premium licence
upvoted 1 times
...
glam
4 years, 4 months ago
A. In Azure AD, create a conditional access policy and a trusted named location
upvoted 2 times
...
sanketshah
4 years, 6 months ago
A is correct answer
upvoted 1 times
...
hiraz007
4 years, 6 months ago
Create conditional access (Option A) to choose a trusted name location or MFA trusted IP. Answer is A
upvoted 1 times
...
David_986969
4 years, 9 months ago
B is not the answer because is deprecated, and the give you the ONLY IP of the site, so I think it should be D, to create a trusted ip range
upvoted 3 times
levo017
4 years, 4 months ago
requests from Trusted IP range does NOT need MFA. I think the correct solution is use Named Location to ensure only requests from Server 1 ( On-Prem network ) can access. So requests from Server 1 will be MFAed, request from other than Server1 will be blocked.
upvoted 1 times
...
...
Rooh
4 years, 9 months ago
A should be the correct answer
upvoted 2 times
...
ACSC
4 years, 10 months ago
Maybe the correct answer is C. Look at this: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa. Configure Azure MFA as authentication provider with AD FS: If your organization is federated with Azure AD, you can use Azure Multi-Factor Authentication to secure AD FS resources, both on-premises and in the cloud. Azure MFA enables you to eliminate passwords and provide a more secure way to authenticate. Starting with Windows Server 2016, you can now configure Azure MFA for primary authentication or use it as an additional authentication provider. Unlike with AD FS in Windows Server 2012 R2, the AD FS 2016 Azure MFA adapter integrates directly with Azure AD and does not require an on premises Azure MFA server. The Azure MFA adapter is built in to Windows Server 2016, and there is no need for additional installation.
upvoted 3 times
tmurfet
4 years, 10 months ago
ACSC you make a good case for C as an answer -- however I don't think that was the intent of this old question. It would need to be re-worded.
upvoted 1 times
...
...
Ashish2021
4 years, 11 months ago
Server1 is On-premise not in Azure which needs new MFA server. B is correct.
upvoted 3 times
...
Yannor
4 years, 11 months ago
As i understand, the question talks about a federated relationship between azure and onprem AD. This means that, for example, you can not set conditional access policies on Azure because the authentication is delegated to onprem. This might also be the case here.
upvoted 3 times
...
gboyega
4 years, 11 months ago
A is the correct answer B is wrong, because microsoft stopped it in July 1 2019 C is totally wrong
upvoted 3 times
...
ArulLivingston
4 years, 11 months ago
Answer is A.
upvoted 2 times
...
DeveshSolanki
5 years ago
Answer is A. create a conditional access policy and a trusted named location
upvoted 5 times
...
jonnybugaloo
5 years ago
Guys, the answer is correct. The server1 is in On-premise, and the question requests MFA to connect to this server, which is a VPN server. So, to connect on a server in On-Premises, a MFA server or MFA solution must be implemented On-prem.
upvoted 4 times
[Removed]
4 years, 11 months ago
I agree. However I think the question is just outdated.
upvoted 1 times
...
...
corona2020
5 years ago
I will choose D B -> Deprecated and even if the exam is old remember they keep updating the questions and answers so always go with the latest A -> it same trusted named location, we need trusted IP
upvoted 7 times
...
Rajuuu
5 years, 1 month ago
Answer is correct..B …MFA has to be implemented for on-premise connected VPN .
upvoted 2 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel