Preventing Immediate Authentication to Azure AD When User Account is Disabled | SC-300 Exam Solution | Microsoft Identity and Access Administrator

Configure Conditional Access Policies

Question

Note: This question is part of a series of questions that present the same scenario.

Each question in the series contains a unique solution that might meet the stated goals.

Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it.

As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant that syncs to an Active Directory forest.

You discover that when a user account is disabled in Active Directory, the disabled user can still authenticate to Azure AD for up to 30 minutes.

You need to ensure that when a user account is disabled in Active Directory, the user account is immediately prevented from authenticating to Azure AD.

Solution: You configure conditional access policies.

Does this meet the goal?

Answers

Explanations

Options: A, B

Correct answer: B.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn

No. Configuring conditional access policies does not meet the goal of immediately preventing disabled user accounts from authenticating to Azure AD.

Conditional access policies impose requirements on access to Azure AD applications and resources based on conditions such as user location, device state, and sign-in risk. They are evaluated after the user's credentials have been validated, so they do not control whether the user can authenticate to Azure AD in the first place.

To immediately prevent disabled user accounts from authenticating to Azure AD, you should enable Azure AD Connect's Password Hash Synchronization feature, which synchronizes password changes from Active Directory to Azure AD. Once Password Hash Synchronization is enabled, when a user account is disabled in Active Directory, its password is immediately invalidated in Azure AD, preventing the user from authenticating to Azure AD.

Note that this feature requires the user's password hash to be synchronized to Azure AD. If you use another form of authentication, such as federation, other measures, such as updating the user's group membership or blocking the user's sign-in, may be necessary.
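The explanation above relies on Azure AD Connect having Password Hash Synchronization enabled and on the disabled state reaching Azure AD promptly. The following PowerShell is an added example (not from the original page or from Microsoft's documentation) that an administrator would run on the Azure AD Connect server to verify both: it reads the sync scheduler, confirms password hash sync is enabled on each on-premises AD connector, pushes a delta sync rather than waiting for the scheduler's default 30-minute cycle, and then confirms on the Azure AD side that the account shows as disabled. It assumes the ADSync module (installed with Azure AD Connect), the Microsoft.Graph PowerShell SDK 2.x for the final check, an account with the User.Read.All permission, and a constructed placeholder user principal name.

```powershell
# Added example, not part of the original page. Assumes it runs on the Azure AD Connect
# server with the ADSync module available and, for step 4, the Microsoft.Graph SDK 2.x.
# The user principal name is a constructed placeholder.

Import-Module ADSync

$disabledUpn = 'disabled.user@contoso.example'   # constructed placeholder

# 1. Inspect the scheduler. CurrentlyEffectiveSyncCycleInterval defaults to 30 minutes,
#    which is the window in which a disabled on-premises account can still sign in.
$scheduler = Get-ADSyncScheduler
'{0,-40} {1}' -f 'SyncCycleEnabled:', $scheduler.SyncCycleEnabled
'{0,-40} {1}' -f 'CurrentlyEffectiveSyncCycleInterval:', $scheduler.CurrentlyEffectiveSyncCycleInterval
'{0,-40} {1}' -f 'StagingModeEnabled:', $scheduler.StagingModeEnabled

# 2. Confirm password hash synchronization is enabled for every on-premises AD connector.
#    The Enabled property on the returned configuration object is assumed from the
#    cmdlet's documented output.
$adConnectors = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }
foreach ($connector in $adConnectors) {
    $phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $connector.Name
    'Connector {0}: password hash sync enabled = {1}' -f $connector.Name, $phs.Enabled
}

# 3. Push a delta sync now so the disabled state does not wait for the next cycle.
if ($scheduler.SyncCycleInProgress) {
    Write-Warning 'A sync cycle is already running; wait for it to finish before starting another.'
} else {
    Start-ADSyncSyncCycle -PolicyType Delta
}

# 4. Verify on the Azure AD side that the account is now blocked (AccountEnabled = False).
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
$cloudUser = Get-MgUser -UserId $disabledUpn -Property 'UserPrincipalName', 'AccountEnabled'
'{0}: AccountEnabled = {1}' -f $cloudUser.UserPrincipalName, $cloudUser.AccountEnabled
```

Step 1 is the diagnostic for the symptom in the question: if the scheduler shows a 30-minute interval and the account is disabled only on-premises, that interval is the longest the disabled user can keep authenticating. Step 3 is the operational shortcut an administrator can use for an urgent offboarding, and step 4 is the check that the change actually landed in the tenant.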