
AZ-305 Exam - Question 29


HOTSPOT -

You have an Azure subscription that contains a virtual network named VNET1 and 10 virtual machines. The virtual machines are connected to VNET1.

You need to design a solution to manage the virtual machines from the internet. The solution must meet the following requirements:

✑ Incoming connections to the virtual machines must be authenticated by using Azure Multi-Factor Authentication (MFA) before network connectivity is allowed.

✑ Incoming connections must use TLS and connect to TCP port 443.

✑ The solution must support RDP and SSH.

What should you include in the solution? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: Just-in-time (JIT) VM access

Lock down inbound traffic to your Azure Virtual Machines with Microsoft Defender for Cloud's just-in-time (JIT) virtual machine (VM) access feature. This reduces exposure to attacks while providing easy access when you need to connect to a VM.

Note: Threat actors actively hunt accessible machines with open management ports, like RDP or SSH. Your legitimate users also use these ports, so it's not practical to keep them closed.

When you enable just-in-time VM access, you can select the ports on the VM to which inbound traffic will be blocked.

To solve this dilemma, Microsoft Defender for Cloud offers JIT. With JIT, you can lock down the inbound traffic to your VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.

Box 2: A Conditional Access policy that has the Cloud apps assignment set to Azure Windows VM Sign-In

You can enforce Conditional Access policies such as multi-factor authentication or a user sign-in risk check before authorizing access to Windows VMs in Azure that are enabled for Azure AD sign-in. To apply a Conditional Access policy, select the "Azure Windows VM Sign-In" app from the Cloud apps or actions assignment option, then use Sign-in risk as a condition and/or require multi-factor authentication as a grant access control.
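As an added worked example (not part of the exam page and not Microsoft's own code), the following PowerShell applies both boxes of the answer key to the ten VMs: a Defender for Cloud JIT policy that keeps TCP 3389 and 22 closed until access is requested, and a Conditional Access policy that targets the Azure Windows VM Sign-In cloud app and requires MFA. The resource group name rg-vnet1, region eastus, the VM names vm01 to vm10, and the presence of the Az.Security and Microsoft.Graph PowerShell modules are assumptions; the service principal lookup assumes the Azure Windows VM Sign-In app already exists in the tenant.

```powershell
# Added example, not from the exam page or Microsoft docs. Assumed values are
# marked "assumption"; replace them with your own.
Connect-AzAccount
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$rg       = "rg-vnet1"                                   # assumption
$location = "eastus"                                     # assumption
$vmNames  = 1..10 | ForEach-Object { "vm{0:D2}" -f $_ }  # assumption: vm01..vm10

# --- Box 1: JIT VM access ---------------------------------------------------
# One policy entry per VM. RDP (3389) and SSH (22) stay blocked by an NSG rule;
# a user must request access, and Defender for Cloud opens the port for at most
# the duration given in maxRequestAccessDuration (ISO 8601, here 3 hours).
$jitVms = foreach ($name in $vmNames) {
    $vm = Get-AzVM -ResourceGroupName $rg -Name $name
    @{
        id    = $vm.Id
        ports = @(
            @{ number = 3389; protocol = "TCP"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" },
            @{ number = 22;   protocol = "TCP"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" }
        )
    }
}
Set-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $location `
    -Name "default" -Kind "Basic" -VirtualMachine $jitVms

# --- Box 2: Conditional Access requiring MFA for Azure Windows VM Sign-In -----
# Resolve the cloud app by display name instead of hard-coding its app ID.
$vmSignIn = Get-MgServicePrincipal -Filter "displayName eq 'Azure Windows VM Sign-In'"

$policy = @{
    displayName = "Require MFA for Azure Windows VM Sign-In"
    # Report-only first; change to "enabled" once the sign-in logs look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }   # exclude a break-glass account in production
        applications   = @{ includeApplications = @($vmSignIn.AppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The Conditional Access policy is created in report-only mode so its effect can be checked in the sign-in logs before it is enforced. Note the scope difference between the two controls: the JIT policy applies to every VM regardless of operating system, while the Azure Windows VM Sign-In app, as several of the comments below point out, covers sign-in to Windows VMs.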

Reference:

https://docs.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-overview
https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows

Discussion

17 comments
Gowind
Sep 2, 2022

1. Answer is Azure Bastion. https://docs.microsoft.com/en-us/azure/bastion/bastion-overview It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. While JIT access allows access via RDP or SSH, incoming connections are not TLS TCP 443 (but RDP or SSH when the inbound port is temporarily authorized). https://docs.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-avm%2Cjit-request-asc

2. Second is correct. https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows "Enforce Conditional Access policies: You can enforce Conditional Access policies, such as multifactor authentication or user sign-in risk check, before you authorize access to Windows VMs in Azure that are enabled with Azure AD login. To apply a Conditional Access policy, you must select the Azure Windows VM Sign-In app from the cloud apps or actions assignment option. Then use sign-in risk as a condition and/or require MFA as a control for granting access."

abxc
Feb 22, 2023

Azure Bastion is correct. For the Conditional Access policy it should be "Cloud apps assignment set to Microsoft Azure Management", as the requirement states MFA before network access is allowed. Using this policy, users will be prompted for MFA when they access the Azure portal.

TJ001
Jan 25, 2024

I agree with this ... also it is not just the RDP port - SSH to cover Linux VMs, non-domain-joined systems..

Ody__
Apr 3, 2024

I think you are correct. I can't find any documentation that says VM conditional access supports SSH.

jj22222
Mar 15, 2023

I agree

alxm8
Dec 1, 2022

1. Azure Bastion
2. Conditional Access Policy that has the cloud apps assignment set to Microsoft Azure Management

Azure Bastion client access is authorized and authenticated when trying to log into the Azure portal. You can enable MFA on the Azure portal access by using the Conditional Access policy for Microsoft Azure Management. We use this currently at work, it works very well! Azure Bastion proxies the web portal requests via HTTPS to the servers running in the VNET.

darthfodio
Jan 24, 2023

I wouldn't be so sure about your answer for 2. see this link - https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows#enforce-conditional-access-policies

maxustermann
Sep 25, 2023

This does not mention Bastion... correct answer is Azure management

ACM13
Nov 14, 2023

For the answer is: Azure Bastion & Conditional access policy microsoft azure management

BShelat
Dec 7, 2023

I previously gave two reasons to rule out Azure Bastion as an answer. One more additional reason to rule it out: Reason 3: We need to design a solution to manage the virtual machines from the internet. Azure Bastion enables VM access on the private IP address range, NOT on the public IP range, i.e. not on the internet.

varinder82
Mar 31, 2024

Final Answer: 1. Azure Bastion 2. Conditional Access Policy that has the cloud apps assignment set to Microsoft Azure management

s8y
Sep 20, 2023

Box 1: JIT (The solution must support RDP and SSH); the requirement for TLS refers to triggering/enabling JIT (from the Azure portal). It can't be Bastion since it will keep the RDP/SSH listener constantly running/accessible over the internet (while the connection must only appear on request that involves MFA).

ncseffai
Oct 12, 2023

For those who are doubting the second answer. If you look at this link, Azure Bastion is not mentioned among the services. Hence it will not trigger the MFA authentication. You need to go with Windows VM Sign-In https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#microsoft-azure-management

fodocel235
Nov 7, 2023

1. Answer is Azure Bastion. You can reach Bastion via HTTPS.
2. Answer is Conditional Access Policy that has the Cloud apps assignment set to Microsoft Azure Management, which enforces the MFA for the Bastion service. Also, it's not mentioned that the VMs are only Windows VMs. Maybe there are also Linux VMs.

Maurice95000
Sep 5, 2023

1. Answer is Azure Bastion.

Elecktrus
Sep 12, 2023

Box 2 is a bit tricky. It is not mentioned anywhere that the virtual machines are Windows (Azure Windows VM Sign-In only works on Windows). And you need to permit SSH access (that is typically used in Linux), so we are not sure that the machines are only Windows. This option only works for Windows. But MFA for Management Access is only to protect privileged resources (Azure Portal, CLI, etc.), not for login to machines. I can use an RDP or SSH client from my personal PC to connect to this VM, and then the policy is useless. So, there isn't a fully correct answer. I will choose Windows VM Sign-In, because it will work sometimes (if the VMs are Windows).

serget12
Sep 18, 2023

Not sure about Bastion. The reason I see for using Bastion is for the TLS/443, but that is all about sending data. For connection, which will be done over RDP/SSH, 3389/22, you would use JIT. Going to go with JIT. For the second, don't think the correct option is listed, so have to go with the next best option. Of course, Cloud apps is being removed. Could be an old question.

learning93
Sep 21, 2023

Azure Bastion: Azure Bastion is a managed PaaS service that allows secure and seamless RDP and SSH access to your virtual machines directly from the Azure portal without the need for a public IP address on the VMs. It uses TLS encryption (HTTPS) on port 443 for secure access.

learning93
Sep 21, 2023

JIT Access can be used to control and restrict RDP and SSH access to your VMs but it doesn't inherently provide MFA or TLS encryption.

learning93
Sep 21, 2023

Conditional Access Policy with "Cloud apps assignment set to Windows VM Sign-In": This option is designed to enforce MFA for user sign-ins to Windows VMs hosted in Azure. When you create a Conditional Access policy targeting "Windows VM Sign-In," it allows you to require MFA when users attempt to access the VMs. This policy will ensure that users are prompted for MFA when accessing the VMs, enhancing security for VM access.

maxustermann
Sep 25, 2023

You need to authenticate over Bastion, which is not mentioned in the learn article. So we need to use the Azure management in Conditional Access

husam421
Sep 26, 2023

Answer is Azure Bastion. The JIT VM access page opens listing the ports that Defender for Cloud recommends protecting:
22 - SSH
3389 - RDP
5985 - WinRM
5986 - WinRM

rajeshrj1981
Nov 20, 2023

Answer is Azure Bastion and Conditional Access Policy with "Cloud apps assignment set to Windows VM Sign-In".

BShelat
Dec 7, 2023

I would rule out "Azure Bastion" for the following reasons. 1) The question text does not indicate the existence of an Azure Bastion subnet in VNET1. Without an Azure Bastion subnet in the virtual network, a Bastion host cannot be deployed in the virtual network. 2) The answer area also does not mention anything about "Create Azure Bastion subnet and host". So for the above reasons I will go with JIT VM access.

DeinosK
Dec 18, 2023

#1 is bastion https://www.youtube.com/watch?v=DHiZbIks9i0

23169fd
Jun 21, 2024

To provide access to virtual machines on VNET1, use: Azure Bastion
Azure Bastion provides secure and seamless RDP and SSH connectivity to virtual machines directly in the Azure portal over TLS (TCP port 443), ensuring secure access without exposing the VMs to the public internet.

To enforce Azure MFA, use: A Conditional Access policy that has the Cloud apps assignment set to Azure Windows VM Sign-In
A Conditional Access policy ensures that users must authenticate with MFA before accessing the virtual machines, enhancing security by requiring multi-factor authentication for access.

23169fd
Jun 21, 2024

Why Not Other Options:
Just-in-time (JIT) VM access: While JIT reduces exposure by limiting the time a VM is accessible, it doesn't provide the seamless TLS/port 443 access that Bastion offers.
Azure Web Application Firewall (WAF) in Azure Front Door: WAF is designed to protect web applications from common threats, not to manage RDP/SSH access to VMs.
An Azure Identity Governance access package: Primarily for managing access to resources through access reviews and role assignments, not specifically for enforcing MFA.
A Conditional Access policy that has the Cloud apps assignment set to Microsoft Azure Management: This policy targets Azure management activities rather than VM sign-ins specifically.