Exam SC-100
Question 12

A customer follows the Zero Trust model and explicitly verifies each attempt to access its corporate applications.

The customer discovers that several endpoints are infected with malware.

The customer suspends access attempts from the infected endpoints.

The malware is removed from the endpoints.

Which two conditions must be met before endpoint users can access the corporate applications again? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

    Correct Answer: B, D

    AC

    A: When a client acquires an access token for a protected resource, it also receives a refresh token. The refresh token is used to obtain a new access/refresh token pair when the current access token expires, and to acquire access tokens for other resources.

    Refresh token expiration: refresh tokens can be invalidated at any time, either by timeout (inactivity or maximum lifetime) or by explicit revocation, for example when an administrator revokes a user's sign-in sessions. Each redemption of a refresh token is a new token issuance, so Conditional Access is re-evaluated at that point. An access token issued before the endpoint was suspended stays usable until it expires (about an hour by default) unless the application supports Continuous Access Evaluation, which is why revoking refresh tokens alone does not cut access instantly.

    C: Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. It uses a combination of endpoint behavioral sensors, cloud security analytics, and threat intelligence. When the Intune connector is enabled, Defender for Endpoint shares each onboarded device's machine risk level with Intune; an Intune compliance policy can require that risk level to be at or under a threshold, and a Conditional Access policy that requires a compliant device then blocks or allows access on that basis. A new policy is not needed for access to resume: the existing policy simply evaluates to "grant" once the device's compliance state changes.

    The interviewees said that "by implementing Zero Trust architecture, their organizations improved employee experience (EX) and increased productivity." They also noted "increased device performance and stability by managing all of their endpoints with Microsoft Endpoint Manager." This had a bonus effect of reducing the number of agents installed on a user's device, thereby increasing device stability and performance. "For some organizations, this can reduce boot times from 30 minutes to less than a minute," the study states. Moreover, shifting to Zero Trust moved the burden of security away from users. Implementing single sign-on (SSO), multifactor authentication (MFA), leveraging passwordless authentication, and eliminating VPN clients all further reduced friction and improved user productivity.

    Note: Azure AD at the heart of your Zero Trust strategy

    Azure AD provides critical functionality for your Zero Trust strategy. It enables strong authentication, a point of integration for device security, and the core of your user-centric policies to guarantee least-privileged access. Azure AD's Conditional Access capabilities are the policy decision point for access to resource

    Reference:

    https://www.microsoft.com/security/blog/2022/02/17/4-best-practices-to-implement-a-comprehensive-zero-trust-security-approach/
    https://docs.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens
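    The chain the explanation and the discussion describe (Defender for Endpoint risk level feeds Intune compliance, Conditional Access requires a compliant device, and token revocation forces re-evaluation) can be set up and checked with the Microsoft Graph PowerShell SDK. The block below is an added example for this question, not code from the exam page or from Microsoft. The group ID, the user principal names, the policy names and the risk threshold are hypothetical placeholders; it assumes the Defender for Endpoint connector is already enabled in Intune and that the devices are enrolled and onboarded.

```powershell
# Added example (not from the exam page): wire up Defender for Endpoint -> Intune -> Conditional Access,
# then re-check device state and revoke tokens after the malware has been removed.
# Hypothetical values: $AllUsersGroupId and $InfectedUpns. Run against a test tenant first.

Connect-MgGraph -Scopes @(
    "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementManagedDevices.Read.All",
    "Policy.ReadWrite.ConditionalAccess",
    "User.RevokeSessions.All"
)

$AllUsersGroupId = "00000000-0000-0000-0000-000000000000"            # hypothetical group object ID
$InfectedUpns    = @("alice@contoso.example", "bob@contoso.example")  # constructed for the example

# 1. Intune compliance policy (Windows): the device is compliant only while Defender for Endpoint
#    reports its machine risk level at or under "medium". This is where option D feeds option B.
$compliancePolicy = @{
    "@odata.type"                               = "#microsoft.graph.windows10CompliancePolicy"
    displayName                                 = "Require MDE machine risk medium or lower"
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = "medium"
    # Graph requires at least one scheduled action. "block" with a 0-hour grace period marks the
    # device non-compliant immediately, so Conditional Access reacts on the next token request.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0 }
            )
        }
    )
}
$cp = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliancePolicy
Write-Host "Created compliance policy $($cp.Id)"

# 2. Conditional Access: sign-ins to any cloud app must come from a device Intune marks compliant.
#    Start in report-only and switch state to "enabled" after reviewing the sign-in logs.
$caPolicy = @{
    displayName = "ZT: require compliant device for corporate apps"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($AllUsersGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}
$ca = New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
Write-Host "Created Conditional Access policy $($ca.Id) (report-only)"

# 3. After remediation: list devices Intune still reports as non-compliant. Once a cleaned device has
#    synced and Defender has lowered its risk level, it drops out of this list (B and D together).
Get-MgDeviceManagementManagedDevice -All -Filter "complianceState eq 'noncompliant'" |
    Select-Object DeviceName, ComplianceState, LastSyncDateTime |
    Format-Table -AutoSize

# 4. Option A: revoke refresh tokens and session cookies for the affected users so their next request
#    is a fresh token issuance evaluated against the policy above. Existing access tokens remain valid
#    until they expire unless the app supports Continuous Access Evaluation.
foreach ($upn in $InfectedUpns) {
    Revoke-MgUserSignInSession -UserId $upn | Out-Null
    Write-Host "Revoked sign-in sessions for $upn"
}
```

    Step 3 is the check to run before telling users they can reconnect: a device that Defender has cleaned but that has not yet synced with Intune will still show as non-compliant, and Conditional Access will keep blocking it regardless of what the endpoint itself reports.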

Discussion
Gar23 (Options: AB)

AB looks correct to me

BillyB2022 (Options: AB)

I don't think this is correct. Zero Trust is referring to Conditional Access, so it would be Microsoft Intune reports the endpoints as compliant. https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection and I assume The client access tokens are refreshed.

prabhjot

In Identity, to achieve zero trust (we have to use a Conditional Access policy stating a condition that the resource is compliant), so I guess the answer is correct (whereas Intune is for configuring the compliance policy via MDM and MAM).

prabhjot

A second thought (why a NEW Conditional Access policy??), so the answer seems wrong and the correct one looks like Microsoft Intune reports the endpoints as compliant and The client access tokens are refreshed.

jgvh

Maybe the Conditional Access is already in place since they follow zero trust? So I feel like it should be AB?

TJ001

How the current malware is detected should have been mentioned in the question. The only clue given is that Zero Trust is currently implemented and each access attempt is inspected, which means a Conditional Access policy would have been in place already to detect sign-in risk (fed from Azure Identity Protection).

ChaBum

You're assuming endpoints are enrolled in Intune, and assuming is never a good idea in Microsoft exams. The question says "The customer discovers ..." and "The customer suspends ...", there is nothing about Intune.

jasscomp

Conditional Access reaches out to Intune to check if a device is seen as compliant or not. Intune will receive the risk score from Defender for Endpoint. Devices have to be managed by Intune in order for Conditional Access to get the compliance check.

RomanV (Options: BD)

For me it's B&D. Why? See what Microsoft says: "The manual or automated investigation and remediation is completed and the threat is removed. Defender for Endpoint sees that there's no risk on the device and Intune assesses the device to be in a compliant state. Azure AD applies the policy, which allows access to applications." Source: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/conditional-access?view=o365-worldwide

MPB (Options: BD)

IMHO B and D

ayadmawla (Options: BD)

BD. See: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/conditional-access?view=o365-worldwide Defender needs to say that the device is okay; Intune accepts the Defender report; Conditional Access lets them in.

ruscomike (Options: BD)

Not C: verify explicitly is done by Conditional Access, so you already have a policy that requires the endpoint to be compliant. Not A: with CAE you don't need to wait for access token expiration. So I think it could be B and D: Conditional Access verifies the compliance with Intune; it cannot communicate directly with MDE. So MDE reports the endpoint as compliant, this info goes to Intune, which reports the endpoint as compliant, and CA verifies it.

ChrisBues (Options: AB)

A - Revoking all tokens is a standard security practice. B - CA looks at Intune for device compliance, which in turn can be influenced by Defender for Endpoint or other MTD partner connections.

JHJ44 (Options: BD)

To ensure that endpoint users can access the corporate applications again after the malware removal, consider the following two conditions: Microsoft Intune Reports Endpoints as Compliant (Option B): Microsoft Intune is a cloud-based endpoint management solution that helps manage and secure devices. After malware removal, the endpoints should be scanned and verified by Microsoft Intune to ensure compliance. If Intune reports the endpoints as compliant, it indicates that they meet security and policy requirements, allowing users to access corporate applications. Microsoft Defender for Endpoint Reports Endpoints as Compliant (Option D): Microsoft Defender for Endpoint (formerly Windows Defender ATP) provides advanced threat protection for endpoints. After malware removal, Microsoft Defender for Endpoint should verify that the endpoints are free from threats. If Defender reports the endpoints as compliant, it confirms that they are secure and can safely access corporate resources.

PierreTang (Options: BD)

ayadmawla's answer is correct.

MaciekMT (Options: AC)

I would go for AC. Not B - they don't mention Intune. Not D - one of the prerequisites for seeing devices in the health report is that they need to be onboarded to Microsoft Defender for Endpoint, and they don't mention that. Also, according to this KB: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-health-microsoft-defender-antivirus-health?view=o365-worldwide, you can only onboard these OSes: Windows, macOS and Linux. The question is not specific about the kind of endpoints; I think we shouldn't exclude mobile devices in this case.

orrery (Options: BD)

Answer: B. Microsoft Intune reports the endpoint as compliant. D. Microsoft Defender for Endpoint reports the endpoint as compliant. Reason: In a Zero Trust model, it is necessary to verify the security and compliance status of endpoints before they access corporate applications. Microsoft Intune and Microsoft Defender for Endpoint report the compliance status of endpoints and ensure that the endpoints are secure. Reasons why other answers are different: A. Client access tokens are refreshed: While refreshing tokens is important, it is not directly related to verifying the security status of endpoints. C. A new Azure Active Directory (Azure AD) Conditional Access policy is applied: Conditional access policies help with access control but are not directly related to verifying the compliance status of endpoints.

crutester (Options: BD)

Answer is BD. Source: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/conditional-access?view=o365-worldwide

emartiy (Options: AD)

Today I read more about this question and eliminated the given options based on the question scenario. So, the company uses the zero trust model. It already performed what needs to be done. So, if some endpoints are malware infected and suspended from accessing company applications, then for re-access to applications (it says corporate applications, not Microsoft 365 apps etc.) the user's token needs to be refreshed and also Microsoft Defender for Endpoint has to mark the device healthy after a scan etc. So the options are A and D.

emartiy (Options: AC)

When you force option C, Conditional Access automatically combines with options B and D. So the last option left with option C is A.


xping85 (Options: AC)

If the endpoints were infected, then surely there was access to them. Therefore, the customer must secure access to the endpoints. They can do that with CA policies and they have to update the existing tokens. AC is the correct answer for me.

BlackZeros (Options: BC)

Once the Conditional Access is set up, the token will refresh. The token will also refresh after 8-12 hours of activity. Tokens are short-lived, so they cannot be the method of verification for a long-term solution.

Ario (Options: BD)

Well, I see you guys are all wrong: the correct answers are B and D. Option A: in the given scenario, the conditions mentioned were focused on verifying the cleanliness and compliance of the endpoints after malware removal. So, while refreshing client access tokens can be beneficial for security, it is not one of the two specific conditions required in this scenario.