
AZ-104 Exam - Question 3


Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

Your company has an Azure Active Directory (Azure AD) subscription.

You want to implement an Azure AD conditional access policy.

The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations.

Solution: You access the Azure portal to alter the session control of the Azure AD conditional access policy.

Does the solution meet the goal?

Correct Answer: B

The solution does not meet the goal because altering the session control of the Azure AD conditional access policy is not sufficient to enforce the required conditions for Multi-Factor Authentication and Azure AD-joined devices. To meet the goal, the policy should be configured by altering the grant control, not the session control. The grant control allows administrators to enforce access requirements such as Multi-Factor Authentication and device compliance, which are necessary for ensuring that members of the Global Administrators group use an Azure AD-joined device and MFA when connecting from untrusted locations.
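The grant-versus-session distinction can be checked mechanically against a policy definition. The following is an added example, not part of the original question or its answer key: it audits a policy written in the Microsoft Graph `conditionalAccessPolicy` JSON shape. The group id is a placeholder, the sample policies are constructed, and `compliantDevice` stands in for the device requirement as an assumption (Graph's other device control, `domainJoinedDevice`, can be passed instead).

```python
# Added example; sample policies below are constructed (Microsoft Graph JSON shape).
ADMIN_GROUP = "00000000-0000-0000-0000-000000000000"  # placeholder group id

def audit(policy, group_id, device_control="compliantDevice"):
    """Return the gaps between a policy and the MFA + device requirement."""
    gaps = []
    cond = policy.get("conditions") or {}
    if group_id not in (cond.get("users") or {}).get("includeGroups", []):
        gaps.append("target group is not assigned")
    loc = cond.get("locations") or {}
    if ("All" not in loc.get("includeLocations", [])
            or "AllTrusted" not in loc.get("excludeLocations", [])):
        gaps.append("condition does not select untrusted locations")
    # MFA and device requirements live in grantControls, never sessionControls.
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    for needed in ("mfa", device_control):
        if needed not in controls:
            gaps.append(f"grant control missing: {needed}")
    # With OR, satisfying a single control is enough, so both must use AND.
    if grant and grant.get("operator") != "AND":
        gaps.append("grant operator is not AND")
    if policy.get("state") != "enabled":  # report-only logs but does not enforce
        gaps.append(f"policy state is {policy.get('state')!r}, not enforced")
    return gaps

def make_policy(grant=None, session=None, state="enabled"):
    """Build a constructed policy for admins signing in from untrusted locations."""
    return {
        "state": state,
        "conditions": {
            "users": {"includeGroups": [ADMIN_GROUP]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": grant,
        "sessionControls": session,
    }

# The proposed solution: only a session control is changed.
SESSION_ONLY = make_policy(
    session={"signInFrequency": {"isEnabled": True, "type": "hours", "value": 1}})
# The fix: both requirements as grant controls, combined with AND.
GRANT_BASED = make_policy(
    grant={"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]})
if __name__ == "__main__":
    for name, p in (("session-only", SESSION_ONLY), ("grant-based", GRANT_BASED)):
        print(name, audit(p, ADMIN_GROUP) or "meets the goal")
```

The same audit flags a policy whose grant operator is `OR` and one left in report-only state, two ways a grant-based policy can still fail to enforce both requirements.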

Discussion

34 comments
edengoforit
Jan 27, 2022

1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
2. Browse to Azure Active Directory > Security > Conditional Access.
3. Select New policy.
4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
5. Under Assignments, select Users and groups.
   - Under Include, select All users.
   - Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
   - Select Done.
6. Under Cloud apps or actions > Include, select All cloud apps.
   - Under Exclude, select any applications that don't require multi-factor authentication.
7. Under Access controls > Grant, select Grant access, Require multi-factor authentication, and select Select.
8. Confirm your settings and set Enable policy to Report-only.
9. Select Create to enable your policy.

Minaru
Sep 19, 2024

Correct answer is B. The solution mentioned does not fully meet the goal of requiring members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect from untrusted locations. While accessing the Azure portal to alter the session control is a step in the right direction, it's essential to configure the specific conditions and controls in the Azure AD conditional access policy to enforce these requirements. To achieve the goal, you need to create or modify an Azure AD conditional access policy and specify the conditions that require Multi-Factor Authentication and Azure AD-joined devices for members of the Global Administrators group when they access Azure AD from untrusted locations. Simply accessing the Azure portal to alter session control is not sufficient to fully implement this policy.

powerpro
Jul 22, 2021

B

BenStokes
Jul 4, 2021

Answer should be A

BenStokes
Jul 4, 2021

Sorry, it's B - NO. We need to use Grant Control and NOT the Session Control.

emptyH (Option: B)
Apr 10, 2023

Answer is B. Require MFA is a checkbox listed within the GRANT control portion of the conditional access policy.

ShyamNallu_100813 (Option: A)
Jul 13, 2023

ANS: A

SivaPannier
Aug 29, 2023

I think the Answer is A only. I could see session control option in the Conditional Access Policy configuration page. Grant control should not be for session control. See the link below...

SivaPannier
Aug 29, 2023

Sorry I am wrong in the earlier comment. The correct answer is B only, for the given requirement there is no need to configure anything in the session control page of conditional access policy. Hence this action will not fulfill the project requirement.

MCLC2021
Apr 2, 2024

Correct Answer B (NO). Within a Conditional Access policy: Access Control GRANT: an administrator can use access controls to grant or block access to resources. Access Control SESSION: an administrator can make use of session controls to enable limited experiences within specific cloud applications.

tsummey (Option: B)
Jun 17, 2024

Under Assignments, select the Global Admin Group. Under Conditions, set the location to any location and exclude all trusted locations. Under Access Controls, grant access and check the options for require MFA and require the device to be marked as compliant.

Prano
Dec 8, 2021

Ans: B. You can alter the grant control and not the session control.

LG2240 (Option: B)
Feb 6, 2022

Security > Conditional Access --> Access controls --> Grant -->

AzureLearner76 (Option: B)
Feb 20, 2022

Voting for B, needs a grant.

NaoVaz (Option: B)
Sep 12, 2022

In my opinion the correct option is B) "No". To configure MFA the correct way is through Conditional Access Policies. Based on the provided documentation the correct approach is through "Grant" Access Controls.

DaJarHead
Feb 15, 2023

From my understanding, session controls are used when wanting to configure policies within certain cloud apps (such as SharePoint, Exchange).

james2033 (Option: B)
Jul 13, 2023

Focus on the text "alter the session"; it makes B the correct choice.

[Removed] (Option: B)
Sep 1, 2024

B is correct grant control, not session control

nherrerab
Oct 25, 2021

B is correct.

elishlomo (Option: B)
Jan 12, 2022

Correct answer - B. To enforce MFA from an untrusted location, you need to create a conditional access rule that requires MFA with Grant control.

Shabbow
Jan 20, 2022

B is the correct choice.

nqthien041292 (Option: B)
Feb 10, 2022

Vote B

brand9
Mar 14, 2022

B is the correct grant control

EmnCours (Option: B)
Aug 30, 2022

Correct Answer: B

BigBigChannel
Sep 11, 2022

B is correct

km_2022
Jan 10, 2023

B is the correct Answer

Rufusinski (Option: B)
Jan 12, 2023

B is correct.

vishalarora1607 (Option: B)
Mar 1, 2023

No, this is not the way to achieve this.

SindhuM
Mar 10, 2023

A - is correct

TunaSD
Mar 23, 2023

No, the solution does not meet the goal. Altering the session control of the Azure AD conditional access policy alone will not achieve the desired requirements. You need to configure a conditional access policy that requires Multi-Factor Authentication (MFA) and an Azure AD-joined device for members of the Global Administrators group when connecting from untrusted locations.

Madbo
Apr 11, 2023

Solution B is not correct because it suggests creating a new resource group for each department. While this approach could be used to organize resources, it does not allow for direct association between the virtual machines and their respective departments. Assigning tags to the virtual machines is a better solution for this requirement.

dhivyamohanbabu
Jun 24, 2023

option B is correct

DBFront (Option: B)
Nov 6, 2023

B is correct, needs to be grant control

_gio_ (Option: B)
Jan 13, 2024

answer is B

76d5e04
May 28, 2024

Hello all, I see a lot of recommendations to check "Mlantonis" answers. Please let me know how to find it in this huge blog.

3ba6d0b (Option: B)
Jun 6, 2024

Questions 3 and 4 are identical.

RealmTarget
Dec 2, 2024

No. One is asking about grant controls and one is session controls. Grant controls are correct. Because you want to grant access in these situations.
https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-grant
https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-session

Makaziwe (Option: B)
Apr 17, 2025

The solution doesn't meet the goals because altering session control does not directly address the requirements.