
MS-900 Exam - Question 25


Your company makes use of Microsoft 365 in their environment.

You have been tasked with making sure that members of the Global Administrators group are protected. The feature you use should achieve this by making use of dynamic risk profiles.

Which of the following is a feature you should use?

Correct Answer: D

To protect members of the Global Administrators group using dynamic risk profiles, the best feature to use is Microsoft Azure AD Conditional Access. Conditional Access allows you to create policies that take into account risk levels for specific scenarios, such as sign-in risk or user risk, and enforce actions like multi-factor authentication or access restrictions based on those risk assessments. This provides a flexible and dynamic way to manage access and protect high-value accounts like those of Global Administrators.
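
The check below is an added example, not part of the original page or of any Microsoft tooling: it audits Conditional Access policies, in the shape returned by Microsoft Graph's `/identity/conditionalAccess/policies` endpoint, for enforced risk-based coverage of the Global Administrator role. The sample policies are constructed, and the function names `risk_coverage` and `audit` are hypothetical.

```python
# Added example; sample policies are constructed, not taken from a real tenant.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # built-in role template ID
ENFORCING = {"mfa", "block", "passwordChange"}  # grant controls that act on risk

SAMPLE_POLICIES = [
    {"displayName": "Admins: MFA on risky sign-in", "state": "enabled",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE]},
                    "signInRiskLevels": ["high", "medium"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "All users: reset on user risk (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "userRiskLevels": ["high"]},
     "grantControls": {"operator": "AND",
                       "builtInControls": ["mfa", "passwordChange"]}},
    {"displayName": "All users: block high user risk, admins excluded",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeRoles": [GLOBAL_ADMIN_ROLE]},
                    "userRiskLevels": ["high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

def risk_coverage(policy, role_id=GLOBAL_ADMIN_ROLE):
    """Return the risk signals ('signIn', 'user') this policy enforces for role_id."""
    if policy.get("state") != "enabled":
        return set()  # report-only and disabled policies enforce nothing
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    # Exclusions of individual users or groups are not resolved in this sketch.
    targeted = (role_id in (users.get("includeRoles") or [])
                or "All" in (users.get("includeUsers") or []))
    if not targeted or role_id in (users.get("excludeRoles") or []):
        return set()
    controls = set((policy.get("grantControls") or {}).get("builtInControls") or [])
    if not controls & ENFORCING:
        return set()
    signals = {"signIn": cond.get("signInRiskLevels"),
               "user": cond.get("userRiskLevels")}
    return {name for name, levels in signals.items() if levels}

def audit(policies):
    """Map each risk signal to the names of enforced policies covering the role."""
    report = {"signIn": [], "user": []}
    for p in policies:
        for signal in risk_coverage(p):
            report[signal].append(p["displayName"])
    return report

print(audit(SAMPLE_POLICIES))
```

An empty list for a signal means no enforced policy applies that risk type to Global Administrators; in the sample, user risk is uncovered because one policy is report-only and the other excludes the role.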

Discussion

46 comments
anushree861
Sep 28, 2021

I think the answer is D. Reference: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies

prabhjot
Jul 22, 2021

According to me the answer is D - We will enable a Conditional Access policy and then select the user sign-in risk or login risk settings (I wish we had AD Identity Protection here as an option).

[Removed]
Jul 7, 2021

Please explain what is C!

StannisB
Jul 7, 2021

Isn't the correct answer "Azure AD Identity Protection" for securing members by risk (although it doesn't appear here)?

Lacattack
Jul 15, 2021

C is correct. Reasoning: https://docs.microsoft.com/en-us/microsoft-365/enterprise/protect-your-global-administrator-accounts?view=o365-worldwide "Rather than having your global administrator accounts be permanently assigned the global administrator role, you can use Azure AD Privileged Identity Management (PIM) to enable on-demand, just-in-time assignment of the global administrator role when it is needed."

Steffanle
Nov 13, 2021

I agree because the question asks for a dynamic role.

EMERICK
Jul 18, 2021

Privilege Identity Protection (PIP) isn't referenced as a feature in Microsoft AAD. PIM is not PIP; No place for dynamic risk in the article. Explain and be specific, please.

JayLearn2022
Mar 30, 2023

The correct answer is D. The feature you should use to protect members of the Global Administrators group by making use of dynamic risk profiles is Microsoft Azure AD Conditional Access. Option D, Microsoft Azure AD Conditional Access, allows you to create policies that use dynamic risk profiles to determine the level of access a user should have. With this feature, you can create policies that protect members of the Global Administrators group by requiring additional authentication factors or blocking access if the risk level is too high. Therefore, it is the correct answer. Option C, Microsoft Azure AD Privileged Identity Protection, is a feature used to protect privileged accounts in Azure AD, but it does not make use of dynamic risk profiles, which is a requirement in the question. Therefore, it is not the correct answer.

Ayind3 Option: D
Jan 20, 2024

DYNAMIC Risk profiles == Microsoft Azure AD Conditional Access

kochunnee
Jul 18, 2021

Microsoft Azure AD Identity Protection.

TomGray1989 Option: D
Jan 14, 2023

This is most certainly PIM

Atos
Jun 4, 2023

The fact it states 'dynamic risk profiles', points to Conditional Access Policy, e.g. Risk Policy.

Geerie13
Sep 12, 2024

To protect members of the Global Administrators group by using dynamic risk profiles, you should use: C. Microsoft Azure AD Privileged Identity Management (PIM). Azure AD Privileged Identity Management (PIM) allows you to manage, control, and monitor access within your organization, especially for roles with elevated privileges like Global Administrators. PIM includes features such as just-in-time access, which can help protect admin roles by ensuring they are only active when necessary and can incorporate risk-based policies to enhance security. Note: Azure AD Conditional Access is also relevant for applying policies based on risk profiles, but for dynamic risk profiles specifically related to privileged roles like Global Administrators, PIM is the more focused solution.

syu31svc
Jul 1, 2021

C is correct

Lacattack
Jul 15, 2021

needs an explanation

Ulus
Nov 25, 2021

PIP...never heard of that...PIM yes...this Answer is wrong.

H3mn
Mar 2, 2022

C correct because of the dynamics of the Admin role when you need full access to finish a task or for a short period of time. So as admin you will not have the same privileged account to log in; you need approval every time.

matmaj81 Option: D
Mar 21, 2022

A sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner. Organizations with Azure AD Premium P2 licenses can create Conditional Access policies incorporating Azure AD Identity Protection sign-in risk detections.

uclacyc Option: C
Nov 16, 2022

This is a poorly-worded question. A "dynamic risk profile" can refer to a great number of things, that apply to both time-bound (e.g. just-in-time) and conditional access (e.g. device, location) policies. Because the question is not specifically stating that specific conditions must be met, it probably refers to "dynamic" in terms of what is needed for privileged access to perform a specific administrative action.

rvnaresh Option: D
Dec 8, 2022

Dynamic risk profiles or dynamic identity protection is achieved using Conditional Access.

[Removed] Option: C
May 12, 2023

This is correct answer, question before is conditional access, but here is c the only answer!!!!!!!!!

Tyffty
Sep 27, 2023

Incorrect. The question before states "approval" which is PIM. Conditional access is not approval. In this case it's CA because the question states "risk". You need to pay attention to the details

Du_MS900
Oct 20, 2023

To ensure that members of the Global Administrators group are protected using dynamic risk profiles, you should use the "Microsoft Azure AD Privilege Identity Protection" feature (option C). Azure AD Privilege Identity Protection (PIM) helps protect privileged identities, such as Global Administrators, through additional security measures, including the use of dynamic risk profiles to grant temporary privileges to administrators only when needed. Through PIM, you can configure policies that require approval for critical administrative activities and add an additional layer of security to privileged access, protecting Global Administrators effectively.

lunchmode Option: C
Mar 16, 2025

Answer is C. To protect members of the Global Administrators group and ensure their accounts are secured using dynamic risk profiles, Microsoft Azure AD Privileged Identity Management (PIM) is the appropriate feature. PIM helps manage, control, and monitor access to privileged roles, including Global Administrators, by enforcing Just-In-Time (JIT) access, requiring approvals, and enabling multi-factor authentication (MFA). It also provides risk-based conditional access to ensure that privileged accounts are protected based on dynamic risk profiles. https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

Why not D? D. Microsoft Azure AD Conditional Access: While Conditional Access can enforce policies like MFA or block access based on risk signals, it does not specifically manage privileged roles or provide the same level of dynamic risk-based protection as PIM.

SkyCrownguard Option: C
Mar 25, 2025

C. Microsoft Azure AD Privileged Identity Protection. Explanation: Microsoft Azure AD Privileged Identity Protection (PIM) is designed specifically to protect privileged accounts such as Global Administrators. It does this by: Using dynamic risk profiles to assess and mitigate risks automatically. Detecting and responding to suspicious activities, such as unusual sign-ins or risky user behavior. Requiring additional authentication (such as MFA) when risks are detected. Providing just-in-time access and approval workflows for privileged roles.

Thispersonsaid
Apr 15, 2025

They really really need to update this. It is making me feel insecure that I am ready for this exam.

Pinback71
Feb 1, 2022

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies C is correct, supported by link.

k9_bern_001
Feb 15, 2022

D is the correct answer

pkg007
Oct 11, 2022

Correct Answer : C https://learn.microsoft.com/en-us/microsoft-365/enterprise/protect-your-global-administrator-accounts?view=o365-worldwide#azure-ad-privileged-identity-management

AndiRodi
Oct 27, 2022

Did you find this on your exam? I think it is C too; anyway, by using CA you could also achieve the question's goal.

PXAbstraction Option: C
Nov 17, 2022

Question is badly written. I think the answer is C in the context of what they're asking here, but it could be D as well.

KakTak
Nov 25, 2022

I also think that the answer is Conditional Access.

KakTak Option: D
Dec 1, 2022

I think that the answer is D. If we have AD identity Protection here instead of privileged then the answer would be C.

Jerwin
Feb 28, 2023

Should be D

azharr Option: C
Mar 11, 2023

I think answer should be C https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies#migrate-risk-policies-from-identity-protection-to-conditional-access

azharr Option: D
Mar 11, 2023

I think answer should be D https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies#migrate-risk-policies-from-identity-protection-to-conditional-access

dcengineer2
May 16, 2023

PIM = Privileged Identity Management which is the answer. Not sure what Privileged Identity Protection is. Maybe they meant PIM.

MischiShein
Jun 7, 2023

Correct answer: D https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protectionconfigure-risk-policies

RahulX
Jul 18, 2023

Azure Active Directory Identity Protection to protect your organization’s Global Administrators group. Azure AD Identity Protection is a cloud security service that uses machine learning to detect and prevent attempts to attack your organization's Azure AD accounts. Microsoft recommends the below risk policy configurations to protect your organization: User risk policy: Require a secure password change when user risk level is High.

RahulX
Jul 18, 2023

So, the answer will be Azure Active Directory Identity Protection, but here you create the user risk policy using CA.

UzziTheOne Option: C
Jul 26, 2023

The answer is C.

Storm
Aug 12, 2023

Answer D. Risk policies can be used with conditional access policies, with the required license (P2).

stanisil Option: D
Sep 29, 2023

I think answer is D. While Identity Protection also offers a user interface for creating “user risk policy” and “sign-in risk policy”, we highly recommend that you use Microsoft Entra Conditional Access to create risk-based policies.

dawnbringer69 Option: C
Dec 3, 2023

The solution seems to be C. The latter article makes use of the risk level in sign-ins without taking into consideration any CA policies, but only configuration in the Identity Protection blade. Tutorial: Use risk detections for user sign-ins to trigger Microsoft Entra multifactor authentication or password changes https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-risk-based-sspr-mfa I would and will choose C.

dawnbringer69
Dec 20, 2023

I have to correct myself. It says Privileged Identity Management, not Identity Protection. Hence it should be D. Entra sign-in does take risk into consideration but here C is about PIM. My apologies.

NoursBear
Mar 13, 2024

D. Here is the clue: it tells you which feature of all they want you to use, and in this case it is the user risk for admin users to be evaluated. If a Europe admin user suddenly signs in from China, a fish will be smelt. In a conditional access policy to access certain services there will be a user risk evaluated and the policy will be targeted at those fragile users.

sarkar07 Option: C
May 25, 2024

Conditional Access can enforce policies based on conditions, it doesn't inherently use dynamic risk profiles for protecting Global Administrators in the same way as Identity Protection.

4435044 Option: C
Jun 25, 2024

The answer is C

vickman11 Option: C
Jan 8, 2025

Prevents removal of the last active Global Administrator and Privileged Role Administrator role assignments https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure

binaryagent Option: C
Jan 22, 2025

About Azure AD Identity Protection Azure AD Identity Protection is a security service that helps organizations detect, investigate, and remediate identity-based risks. It uses dynamic risk profiles to assess and respond to potential threats in real time.

ConditionalCondition Option: C
Jan 29, 2025

The other options, although security-related, are not directly focused on protecting privileged identities through dynamic risk profiles: A. Mobile application protection policy: This protects mobile applications but is not designed to protect privileged identities specifically. B. Device configuration policy: This manages device settings, but it does not specifically focus on privileged users. D. Microsoft Azure AD Conditional Access: Conditional Access controls access to applications based on various conditions but is not focused on protecting privileged identities using dynamic risk profiles. Therefore, C. Microsoft Azure AD Privilege Identity Protection is the best solution for protecting members of the Global Administrators group by leveraging dynamic risk profiles.

KuyaBrader Option: D
Mar 12, 2025

The correct answer is D. Microsoft Azure AD Conditional Access. Microsoft Azure AD Conditional Access uses dynamic risk profiles to protect members of the Global Administrators group by evaluating sign-in risks and user risks, and applying policies based on these risk levels