
AZ-303 Exam - Question 290


You have an Azure Active Directory (Azure AD) tenant.

All administrators must enter a verification code to access the Azure portal.

You need to ensure that the administrators can access the Azure portal only from your on-premises network.

What should you configure?

Correct Answer: C

To ensure that administrators can access the Azure portal only from your on-premises network and require multi-factor authentication, you should configure an Azure AD Identity Protection sign-in risk policy. This type of policy can evaluate the risk level of each sign-in and enforce MFA or block access based on predetermined criteria, such as sign-in location. By setting the conditions to include only allowed locations (i.e., your on-premises network), you can effectively restrict access to the Azure portal and ensure MFA is utilized.
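The configuration the explanation above describes, shown here as an added example that is not part of the exam page, its answer key, or Microsoft's own samples: a named location for the on-premises address range, one Conditional Access policy that blocks members of the chosen directory roles from the Azure portal everywhere outside that location, and one that requires MFA for them. The range 203.0.113.0/24, the break-glass account, the role names and the policy display names are assumptions; the Microsoft Graph PowerShell SDK cmdlets and the policy schema are the real ones.

```powershell
# Added example (not from the exam page or Microsoft). Uses the Microsoft Graph
# PowerShell SDK to express the requirement: admins reach the Azure portal only
# from the on-premises network, and always with MFA.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'RoleManagement.Read.Directory', 'User.Read.All'

# 1. Named location for the on-premises network. The CIDR is a constructed
#    placeholder; replace it with the real egress range(s).
$onPrem = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'On-premises corporate network'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }
    )
}

# 2. Scope: directory-role template IDs are read from the tenant instead of
#    being hard-coded. The role names below are an assumption; extend the list
#    to whatever "administrators" means in your tenant.
$adminRoles = @(
    Get-MgDirectoryRoleTemplate |
        Where-Object { $_.DisplayName -in @('Global Administrator', 'Privileged Role Administrator') } |
        ForEach-Object Id
)
# Assumed emergency-access account, excluded so a mistaken policy cannot lock out the tenant.
$breakGlass = (Get-MgUser -UserId 'breakglass@contoso.example').Id

# App ID of "Microsoft Azure Management", the target Conditional Access uses for the Azure portal.
$azurePortal = '797f4846-ba00-4fd7-ba43-dac90f5b3e59'

# 3a. Block the admins from the portal at every location except the on-premises one.
#     "block" cannot be combined with other grant controls, so MFA is a second policy.
$blockOutsideOnPrem = @{
    displayName   = 'Admins: block Azure portal outside on-premises network'
    state         = 'enabledForReportingButNotEnforced'   # report-only first; switch to 'enabled' after checking sign-in logs
    conditions    = @{
        users          = @{ includeRoles = $adminRoles; excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @($azurePortal) }
        clientAppTypes = @('all')
        locations      = @{ includeLocations = @('All'); excludeLocations = @($onPrem.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockOutsideOnPrem

# 3b. Require MFA for the same admins on the portal. A "trusted IP" in the MFA
#     service settings would do the opposite (skip MFA on-premises), which is
#     why that setting alone does not satisfy the requirement.
$requireMfa = @{
    displayName   = 'Admins: require MFA for Azure portal'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeRoles = $adminRoles; excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @($azurePortal) }
        clientAppTypes = @('all')
        # To also act on Identity Protection's sign-in risk signal, add:
        # signInRiskLevels = @('medium', 'high')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa
```

Both policies are created in report-only mode so their effect can be reviewed in the sign-in logs before enforcement; once enabled, a sign-in from outside the named location is blocked regardless of MFA, and a sign-in from inside it still has to satisfy the MFA grant.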

Discussion

10 comments
Tripp_F
Jul 7, 2021

The question states that all administrators MUST enter an MFA code to log in, and that they may only log in from on-prem. MFA service settings only contain the option to skip MFA for trusted IPs. I believe the answer they're looking for is: C: An Azure AD Identity Protection sign-in risk policy

gizda2
Oct 15, 2021

This one!

BoxGhost
Jul 24, 2021

The correct solution would be conditional access. All of the answers are wrong. I think there is a typo somewhere, this looks like a duplicate of a previous question where the goal is to prevent users on-premise from being prompted for MFA, in which case D is correct here.

J4U
Sep 5, 2021

Correct. It should be through CA, require MFA by default and exclude on-prem location. There are no service settings in MFA.

max_n
Oct 3, 2021

Answer is C. Administrators can also choose to create a custom Conditional Access policy including sign-in risk as an assignment condition. Ref: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies

certpro
Aug 8, 2021

Given answer is correct: D: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#mfa-service-settings Set Trusted IPs through MFA service settings.

Spooky7
Nov 8, 2021

This setting is to skip MFA for a given IP range; it has nothing to do with disallowing authentication outside of that IP range.

vharsh16
Jul 7, 2021

Answer is correct, use trusted IP.

rdemontis
Jul 14, 2021

From the text of the question it seems to want to prevent administrators from accessing from any location other than the on-premises corporate network. Furthermore, access from the on-premises network must necessarily take place with MFA. Although I don't understand the meaning of this scenario, I don't see how a sign-in risk policy can be applied, as the reliability of the origin of access to the Azure portal would be calculated by Azure itself and not by us. How does Azure understand that access is from a different network than the corporate one? To do this, you need to configure the location. But at that point what need do we have to use a sign-in risk policy? Just configure Conditions to set up an allowed location and set GRANT to require MFA. So I think D is the correct answer.

syu31svc
Aug 29, 2021

D is correct.

The default for all the roles in Azure AD Privileged Identity Management - Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization.

An Azure AD Identity Protection user risk policy - Identity Protection can calculate what it believes is normal for a user's behavior and use that to base decisions for their risk.

An Azure AD Identity Protection sign-in risk policy - Identity Protection analyzes signals from each sign-in, both real-time and offline, and calculates a risk score based on the probability that the sign-in wasn't performed by the user. Administrators can make a decision based on this risk score signal to enforce organizational requirements. Administrators can choose to block access, allow access, or allow access but require multi-factor authentication.

Yiannisthe7th
Jul 3, 2021

"All administrators must enter a verification code to access the Azure portal". MFA service settings can't achieve it because it bypasses the multi-factor authentication as per MS docs. Seems like Option C is a better choice.

dummyvm
Jul 6, 2021

C https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies

pentium75
Aug 3, 2021

Something is wrong here. A is nonsense. B, C and D only affect the strength of the logon (like, is second factor required), but they do not prevent logon from untrusted IP completely.