Azure AD Multi-Factor Authentication for Login Attempts from Restricted Countries | Implementation Guide

Azure AD Multi-Factor Authentication

Question

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains a group named Group1. Group1 contains all the administrative user accounts.

You discover several login attempts to the Azure portal from countries where administrative users do NOT work.

You need to ensure that all login attempts to the Azure portal from those countries require Azure Multi-Factor Authentication (MFA).

Solution: You implement an access package.

Does this meet the goal?

Answers

Explanations


B

Instead implement Azure AD Privileged Identity Management.

Note: Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in your organization.

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

The solution proposed in the question does not meet the goal because an access package is not the tool for enforcing MFA based on the geographic location of a sign-in.

An access package is a collection of resources, such as Azure AD apps, Azure resources, and SharePoint Online sites, that can be granted to users or groups. Access packages can also include conditions that must be met before a user can access the resources in the package.

To meet the stated goal of requiring MFA for login attempts from specific countries, Conditional Access policies should be used instead. Conditional Access policies can be used to apply access controls and enforce MFA based on various conditions, including location.

To implement the solution using Conditional Access policies, follow these general steps:

  1. Create a new Conditional Access policy.
  2. Configure the policy to apply to all users or a specific group, such as Group1.
  3. Configure the policy to apply to the Azure portal.
  4. Configure the policy to require MFA when the user is signing in from specific countries or regions.
  5. Enable the policy.
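The five steps above, carried out with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original page: it creates a country-based named location, then a Conditional Access policy that requires MFA when members of Group1 sign in to the Azure portal from those countries. The country codes, the break-glass account name, and the `Restricted countries` and policy display names are assumptions; the application ID is the well-known ID for Microsoft Azure Management (the Azure portal), and the policy is created in report-only mode so its impact can be checked in the sign-in logs before it is enforced.

```powershell
# Added example (not from the page): named location + Conditional Access policy
# requiring MFA for Group1 when signing in to the Azure portal from restricted countries.
# Requires the Microsoft.Graph PowerShell SDK. Assumed/placeholder values are marked.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All", "User.Read.All"

# Placeholder ISO 3166-1 alpha-2 codes; replace with the countries seen in the sign-in logs.
$restrictedCountries = @("XX", "YY")

# Step 4 (location): a named location covering the restricted countries. Sign-ins whose
# country cannot be resolved are included as well, so an unresolvable IP does not bypass the policy.
$locationBody = @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Restricted countries"      # assumed name
    countriesAndRegions               = $restrictedCountries
    includeUnknownCountriesAndRegions = $true
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationBody

# Step 2 (users): Group1 from the question, plus an emergency-access account to exclude
# so a misconfigured policy cannot lock every administrator out. Account name is assumed.
$group1     = Get-MgGroup -Filter "displayName eq 'Group1'"
$breakGlass = Get-MgUser  -Filter "userPrincipalName eq 'breakglass@contoso.com'"

# Step 3 (app): the Azure portal is targeted through the well-known
# "Microsoft Azure Management" application ID.
$azureManagementAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

# Steps 1, 4 and 5 (policy): Group1 + Azure portal + restricted locations => require MFA.
# Created in report-only mode; set state to "enabled" once the sign-in log review shows
# only the expected sign-ins would have been challenged.
$policyBody = @{
    displayName   = "Require MFA - Azure portal from restricted countries"   # assumed name
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeGroups = @($group1.Id)
            excludeUsers  = @($breakGlass.Id)
        }
        applications = @{ includeApplications = @($azureManagementAppId) }
        locations    = @{ includeLocations     = @($location.Id) }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody

# Confirm what was created before switching the policy to enforced.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State
```

Report-only mode is the practical form of step 5: the policy is evaluated and logged against real sign-ins without blocking anyone, and it is switched to enforced only after the sign-in logs show that the intended administrator sign-ins, and no others, would have been challenged. Excluding a break-glass account from the policy is the standard safeguard against locking all administrators out if the named location is misconfigured.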

By using Conditional Access policies, it is possible to ensure that all login attempts to the Azure portal from specific countries require MFA, which will help to protect against unauthorized access to administrative accounts.

Therefore, the correct answer to the question is B. No, the solution provided does not meet the goal.