AZ-301 Exam Questions

AZ-301 Exam - Question 56


Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains a group named Group1. Group1 contains all the administrative user accounts.

You discover several login attempts to the Azure portal from countries where administrative users do NOT work.

You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA).

Solution: Implement Azure AD Privileged Identity Management.

Does this solution meet the goal?

Correct Answer: B (No)

Azure AD Privileged Identity Management (PIM) provides time-bound and approval-based role activation, just-in-time privileged access to Azure AD and Azure resources, and the option to require MFA when a role is activated. That MFA prompt happens at activation time, after the user has already signed in to the Azure portal, and it applies regardless of where the sign-in came from; PIM has no notion of the geographic origin of a sign-in. The requirement is a location-aware control on the sign-in itself, which is what Azure AD Conditional Access does: define a named location containing the countries where administrators do not work, then create a policy scoped to Group1 and the Microsoft Azure Management app that requires MFA whenever the sign-in comes from that location. A plain named-location policy (Azure AD Premium P1) is sufficient; Identity Protection sign-in risk policies (Premium P2) are a complementary control, not a prerequisite. Implementing PIM on its own therefore does not meet the goal, so the answer is No (B).
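As an added example (not part of the exam page or Microsoft's documentation), the following PowerShell builds the Conditional Access policy that does meet the requirement, using the Microsoft.Graph PowerShell SDK. The group name Group1 comes from the scenario; the country codes, the policy and location names, and the Graph scopes requested are assumptions. The application ID 797f4846-ba00-4fd7-ba43-dac1f8f63013 is the well-known ID of the Microsoft Azure Management (Windows Azure Service Management API) app, which covers the Azure portal and ARM; confirm it against the app picker in your tenant before relying on it.

```powershell
# Added example: Conditional Access policy requiring MFA for Group1 sign-ins to the
# Azure portal from a named location. Requires the Microsoft.Graph PowerShell SDK and
# an account that can write Conditional Access policies (Azure AD Premium P1 tenant).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Group1 holds all administrative accounts (from the scenario).
$group1 = Get-MgGroup -Filter "displayName eq 'Group1'"
if (-not $group1) { throw "Group1 not found; check the display name." }

# 1. Named location: ISO 3166-1 alpha-2 codes of the countries where admins do NOT work.
#    "XX"/"YY" are placeholders (assumption); replace them with the real codes.
#    includeUnknownCountriesAndRegions treats IPs that cannot be geolocated the same way,
#    so an attacker cannot dodge the policy by arriving from an unmapped address.
$locationBody = @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Countries without administrative staff"
    countriesAndRegions               = @("XX", "YY")
    includeUnknownCountriesAndRegions = $true
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationBody

# 2. Policy: Group1 + Microsoft Azure Management + that location => require MFA.
#    Start in report-only mode, review the sign-in log, then set state = "enabled".
$policyBody = @{
    displayName   = "CA - Admins - MFA from unexpected countries"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeGroups = @($group1.Id) }
        applications = @{ includeApplications = @("797f4846-ba00-4fd7-ba43-dac1f8f63013") }
        locations    = @{ includeLocations = @($location.Id) }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody
"Created policy $($policy.DisplayName) ($($policy.Id)) in state $($policy.State)"
```

The country is inferred from the sign-in IP address by geolocation, so treat the named location as a heuristic rather than a boundary: VPN egress, carrier NAT and cloud providers will misplace some sign-ins. Leave the policy in report-only mode until the sign-in log shows it matching only the traffic you expect, and exclude an emergency-access account so a misconfigured policy cannot lock every administrator out of the portal.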

Discussion

31 comments
xmat
Nov 2, 2019

I don't think that's correct, https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure#what-does-it-do In this case you'd need an identity protection combined with conditional access rule, https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection

Rajuuu
Apr 26, 2020

PIM: Enforce multi-factor authentication to activate any role. As per the link provided by you, A could still be correct.

tartar
Sep 18, 2020

A is ok

vrana
May 27, 2020

I agree. Since it says MFA is needed when a user logs in from those countries, I guess it leads to Conditional Access, which is part of Identity Protection. Hence A looks correct to me too. PIM enables just-in-time access and you cannot fine-control it.

NKnab
Jul 4, 2020

No. PIM is for just-in-time access.

Karls
Dec 7, 2019

B is correct. Azure AD Privileged Identity Management provides time-based and approval-based ROLE activation. You choose a role from the subscription and add the users/groups that we want to give more access to during a period of time. You can't require MFA with this tool. To achieve MFA from countries, we need to configure a risk with Identity Protection and a Conditional Access rule.

Parijat
Nov 18, 2019

B is correct https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection

blackalbum
Mar 17, 2020

The ability to enable MFA on PIM does "not" give you the option to block requests coming from a particular country. Attention! If you enable MFA on PIM, the users who were given access must pass an MFA check before activating. The question is all about blocking requests from a particular country, which is done with Conditional Access.

akamal
Jun 2, 2020

It should be B. As per the question, it asks to activate MFA from specific locations during "sign in to Azure portal", which is not done using PIM but only with Conditional Access: https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa

mpknz
Feb 16, 2020

you just need a location based conditional access policy on the portal for the admin user group. It doesn't need PIM as simple location based is fine, doesn't need risk based. Identity Protection is also not required to meet the stated need.

Andy001
Feb 19, 2020

I think the answer is B because the requirement is to ensure that ALL login attempts to the Azure portal from those countries require Azure MFA, while PIM enforces MFA only when users activate a role in Azure AD PIM (i.e. they must already be logged in prior to activating a privileged role, and that does not meet the requirement).

cloudoman
Feb 20, 2020

Conditional Access should be the right answer as per the below link https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

cloudoman
Feb 20, 2020

A - PIM is considered correct because it's the closest option for the purpose.

Gianlucag77
Aug 18, 2020

The answer is NO for me. The solution is Conditional Access + MFA (requires Premium P1): https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa

cyga75
Feb 16, 2020

Seems A is correct - PIM does leverage MFA: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-require-mfa

bolbol
Feb 17, 2020

you are right

TinyTrexArmz
Jul 28, 2020

Another poorly worded question, in my opinion. It says the requirement is to force MFA from those countries. PIM does leverage MFA, but it does not limit it to auth requests coming from X countries. PIM will instead force MFA all the time if configured to do so.

dcprice
Feb 28, 2021

The question doesn't say we need to exclude other locations from MFA. Also, best practice is to enable MFA for admin users from any location, so I think they are looking for answer A.

yogi2020
Feb 17, 2020

The answer is A, as Identity Protection only detects and guides the remediation. PIM provides the ability to implement MFA, which is what the question asks: to enable MFA from those locations.

Baranli
Jun 22, 2020

Answer should be B, as access from a customized location requires a Conditional Access policy, not PIM.

DeveshSolanki
Jun 27, 2020

Should be No...

DeveshSolanki
Jun 27, 2020

No is answer

gboyega
Jul 21, 2020

Answer is definitely B (No).

[Removed]
Aug 25, 2020

With just PIM enabled we can enforce the use of MFA for our admin users. However, the requirement asks for a conditional access policy. We should enforce MFA when login attempts are coming from those unknown countries. From what I understand this is only achievable when combining PIM with a Conditional Access Policy as described in this blog post: https://gotoguy.blog/2018/05/04/how-to-configure-conditional-access-for-azure-ad-pim/. At the time of writing the features seemed to be in preview. So again this is another fuzzy question from Microsoft. Long story short, I would vote for Yes!

Wildsheep
Aug 26, 2020

Wouldn't you need a Sign-In risk policy for this?

glam
Feb 1, 2021

B. No.

glam
Mar 9, 2021

A. Yes Ignore B

marco1
Jun 22, 2020

I would choose B. For MFA we don't need PIM

Anvip2016
Aug 3, 2020

Answer should be No. You can use Identity Protection (sign-in policy) with a Conditional Access policy. Azure AD Identity Protection detects a range of suspicious actions/risk events, and a few are below: sign-ins from anonymous IP addresses or impossible travel to atypical locations.

petermogaka91
Sep 21, 2020

"You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA)." You can only activate your PIM role after logging in to the portal, unless I'm wrong. Hence the answer should be No.

Rajuuu
Apr 29, 2020

Answer is A. PIM enforces multi-factor authentication to activate any role. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

Coolking
May 3, 2020

Answer is A. "The Sign-in policy defines what happens when a certain account appears to have a high number of suspicious sign-in events. This includes sign-in from an anonymous IP address, logins from different countries in a time frame where it would not be possible to travel to the other location, and a lot more." https://hub.packtpub.com/implementing-identity-security-in-microsoft-azure-tutorial/

Neetiniti
Jul 19, 2020

Correct Answer: A. Enforce multi-factor authentication to activate any role. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

Yannor
Jul 28, 2020

The question asks you to configure MFA for the connections from those countries, not for everything.

Abim
Aug 17, 2020

The answer is B. This would be a function of Identity Protection with Conditional Access. Here are some of the key features of Privileged Identity Management:
Provide just-in-time privileged access to Azure AD and Azure resources
Assign time-bound access to resources using start and end dates
Require approval to activate privileged roles
Enforce multi-factor authentication to activate any role
Use justification to understand why users activate
Get notifications when privileged roles are activated
Conduct access reviews to ensure users still need roles
Download audit history for internal or external audit

sanketshah
Jan 1, 2021

A is the correct answer.

namco23
Mar 17, 2021

Ignore A. Tested.

sallymaher
Mar 24, 2021

PIM is OK as long as the question didn't say "ONLY" those countries. PIM will force 2FA from these countries and others, so it meets the requirements.

ffffffffdeeeeeeeeeeee
May 19, 2021

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure "What does it do? Enforce multi-factor authentication to activate any role."

kiwi123
Jul 1, 2021

Not as good as Conditional Access, but it can meet the request.

kiwi123
Jul 1, 2021

Not*. A is okay.

us3r
Option: B
Jan 27, 2022

No, Conditional Access is required.