AZ-104 Exam QuestionsBrowse all questions from this exam
Go to Exam

AZ-104 Exam - Question 4

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

Your company has an Azure Active Directory (Azure AD) subscription.

You want to implement an Azure AD conditional access policy.

The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations.

Solution: You access the Azure portal to alter the grant control of the Azure AD conditional access policy.

Does the solution meet the goal?

Show Answer
Correct Answer: B

The solution does not meet the goal. While altering the grant control of the Azure AD conditional access policy in the Azure portal can be part of the solution, it is not sufficient on its own. The policy needs to be configured with specific conditions and controls to require Multi-Factor Authentication (MFA) and the use of an Azure AD-joined device when connecting from untrusted locations. Altering the grant control alone does not cover these requirements; conditions must also be set to specify untrusted locations. Therefore, the correct answer is No.

Discussion

44 comments
Sign in to comment
Micah7
Aug 21, 2021

Answer is A. There is another copy of this question that mentions going to the MFA page in Azure Portal as the solution = incorrect. On that page you cant make a Conditional Access Policy. I did this in lab step by step: - The Answer "A" is correct - Instead of the MFA page mentioned above, you have to go the route of Conditional Access Policy-->Grant Control mentioned here for this question. Under Grant Control you are given the option of setting MFA and requiring AD joined devices in the exact same window. Answer is correct.

jackdryan
Feb 23, 2023

A is correct.

MCLC2021
Apr 2, 2024

Correc Answer A (YES). Within a Conditional Access policy: Access Control GRANT: an administrator can use access controls to grant or block access to resources. Access Control SESSION: an administrator can make use of session controls to enable limited experiences within specific cloud applications. https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-session https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-grant

Steve1983
Jul 1, 2021

Thats not all you need to do. Missing the signal and decision part of the CA policy.

NaoVazOption: A
Sep 12, 2022

In my opinion the correct option is A) "Yes". To configure MFA the correct way is through Conditional Access Policies.

Madbo
Apr 11, 2023

B. No Grant control settings in Azure AD conditional access policies determine which users, groups, or applications the policy applies to, but they do not specify the conditions under which the policy applies. To meet the stated goal, the session control settings, which determine the conditions under which the policy applies, should be modified to require MFA and Azure AD-joined devices for Global Administrators connecting from untrusted locations.

james2033Option: A
Jul 22, 2023

Question's keyword "Azure portal to alter the grant control of the Azure AD conditional access policy", choose A. Azure portal can done this task.

Sara_Mo
Jan 14, 2022

answer is no Conditional Access Policy-->Grant Control there is hybrid AD joined devices and not AD joined devices

Shabbow
Jan 20, 2022

B is the correct choice.

EmnCoursOption: A
Aug 30, 2022

Correct Answer: A

vishalarora1607Option: A
Mar 1, 2023

Yes, this is the way to achieve this.

emptyHOption: A
Apr 10, 2023

The Grant contol within the CA Policy is where this option is located

fiahboneOption: A
Sep 8, 2023

Grant control is required for this action!

Minaru
Oct 15, 2023

The correct answer is: A if you are accessing the Azure portal to alter the grant control of the Azure AD conditional access policy, and you are configuring it to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when connecting from untrusted locations, then the solution does indeed meet the goal.

Nico1973
Jul 10, 2024

B. No Explanation: The provided solution does not meet the goal of requiring members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when connecting from untrusted locations. To achieve this, you need to configure the conditions and controls of the Azure AD conditional access policy, not just alter the grant control. By modifying the grant control, you are changing who the policy applies to, not the specific requirements for access.

nherrerab
Oct 25, 2021

A is correct.

Prano
Dec 8, 2021

Ans : A Access policy>Grant control

timmytimtimo
Jan 18, 2022

thank you for the information

RavindraDevkhileOption: A
Jan 26, 2022

A

nqthien041292Option: A
Feb 10, 2022

Vote A

AzureLearner76
Feb 20, 2022

conditional access is a gate and the filter decides which users go in - after we select the groups and the the untrusted locations we have to decide which is grant access

lh00700
Mar 14, 2022

Vote A

RalphLiangOption: A
Apr 8, 2022

Answer is correct

sorgiulioOption: A
Apr 13, 2022

Vote A

epomattiOption: A
Apr 19, 2022

The correct option is A

BigBigChannel
Sep 11, 2022

A is correct

[Removed]Option: A
Sep 23, 2022

Answer is A

Cool_Z
Oct 14, 2022

A is the right answer here.

belaBenOption: A
Oct 26, 2022

is A, control by conditional access

Cham1
Dec 3, 2022

ewa sahbis the answer is in the pudding

JustinYoo
Dec 19, 2022

this question is weired

techsdcOption: A
Jan 8, 2023

answer A

RufusinskiOption: A
Jan 12, 2023

A is correct.

dhivyamohanbabu
Jun 24, 2023

Option A is correct..

ShyamNallu_100813
Jul 13, 2023

B Is correct

liketopass
Jul 13, 2023

I would say 'partly' as there are 2 requirements : 1. use MFA 2. From untrusted location And this one only specifies one of them: To use MFA you indeed use the grant control part, but you would also need to configure the conditions to specify to exclude 'trusted locations' (effectively specifying untrusted locations) So actually it is maybe a NO as the solution does not meet the goal

_gio_Option: A
Jan 13, 2024

answer is A

kkinnaOption: B
Jan 21, 2024

because under grand control we can only set requiring MFA and require AD joined devices but not location. setting location requirements is located under conditions control panel

Saurabh_Bhargav
Feb 7, 2024

A. Yes

Samiron512Option: B
Feb 15, 2024

correct answer is B. No

Amir1909
Feb 15, 2024

No is correct

3c5adce
May 11, 2024

Yes, the solution meets the goal. By configuring the Azure AD conditional access policy to require members of the Global Administrators group to use Multi-Factor Authentication (MFA) and an Azure AD-joined device when they connect from untrusted locations, you are effectively adding an additional layer of security to protect sensitive resources and data. This ensures that even if credentials are compromised, unauthorized access is prevented by requiring an additional verification step (MFA) and ensuring the device is trusted (Azure AD-joined).

[Removed]Option: A
Sep 1, 2024

A is correct

[Removed]Option: B
Feb 15, 2025

this is the same as q 2,3,4 the correct answer is B

MakaziweOption: A
Apr 17, 2025

Altering the grant control of Azure AD condition policy allows you to: require MFA, require the devices to be compliant for Azure AD joint