Azure AD Multi-Tenant Authentication Solution for Azure Web App


Question

You are designing an Azure web app that will use Azure Active Directory (Azure AD) for authentication.

You need to recommend a solution to provide users from multiple Azure AD tenants with access to App1. The solution must ensure that the users use Azure Multi-Factor Authentication (MFA) when they connect to App1.

Which two types of objects should you include in the recommendation? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

Answers

Explanations


A. B. C. D. E. F.

AF

A: The Conditional Access feature in Azure Active Directory (Azure AD) offers one of several ways that you can use to secure your app and protect a service.

Conditional Access enables developers and enterprise customers to protect services in a multitude of ways including:

-> Multi-factor authentication

-> Allowing only Intune enrolled devices to access specific services

-> Restricting user locations and IP ranges

Conditional Access policies are powerful tools, so we recommend excluding the following accounts from your policy:

-> Service accounts and service principals.

If your organization has these accounts in use in scripts or code, consider replacing them with managed identities.

Incorrect Answers:

B: Managed Identity does not support cross-directory scenarios.

E: Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups.

Note: The correct options should include an application registration with Azure AD; this allows users in the directory to authenticate to the application. A default application registration validates that the user has valid login credentials, either in your own Active Directory or, in the case of a multi-tenant application, in the directory where the user originates.

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-conditional-access-dev-guide

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-azure-management

https://www.re-mark-able.net/understanding-azure-active-directory-application-registrations/

To provide users from multiple Azure AD tenants with access to App1, while ensuring that they use Azure Multi-Factor Authentication (MFA), the recommended solution should include Azure AD conditional access policies and Azure AD guest accounts.

Azure AD conditional access policies can be used to control access to applications based on specific conditions such as user location, device type, and user group membership. In this case, a conditional access policy can be created to require MFA for all users accessing App1. This policy can be configured to apply to users from multiple Azure AD tenants, ensuring that MFA is enforced for all users regardless of their tenant affiliation.

Azure AD guest accounts can be used to provide access to users who are not members of the host Azure AD tenant. Guest accounts can be created for users from other Azure AD tenants or for users who do not have an Azure AD account. When a guest user attempts to access App1, they will be prompted to sign in with their Azure AD credentials and complete the MFA challenge required by the conditional access policy.

Therefore, the recommended solution should include Azure AD conditional access policies to enforce MFA, and Azure AD guest accounts to provide access to users from multiple Azure AD tenants.
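The following Microsoft Graph PowerShell SDK script is an added example, not part of the original question or either explanation. It creates the objects both explanations discuss: a multi-tenant app registration (first explanation), a Conditional Access policy that requires MFA for every user signing in to App1 while excluding a service-account group as the first explanation recommends, and a B2B guest invitation (second explanation). The app name, redirect URIs, guest address and group ID are placeholders; the policy is created in report-only mode so its effect can be checked in the sign-in logs before it is enforced.

```powershell
# Added example: Microsoft Graph PowerShell SDK (Microsoft.Graph module).
# All names, URLs and IDs below are placeholders.
Connect-MgGraph -Scopes "Application.ReadWrite.All", `
                        "Policy.ReadWrite.ConditionalAccess", `
                        "User.Invite.All"

# 1. App registration that accepts sign-ins from any Azure AD tenant.
#    signInAudience "AzureADMultipleOrgs" is what makes the registration multi-tenant.
$app = New-MgApplication -DisplayName "App1" `
    -SignInAudience "AzureADMultipleOrgs" `
    -Web @{ redirectUris = @("https://app1.example.com/signin-oidc") }   # placeholder URI
$sp = New-MgServicePrincipal -AppId $app.AppId   # service principal in the home tenant

# 2. Conditional Access policy: all users (members and guests) accessing App1 must
#    satisfy MFA. Service accounts are excluded through a group; replace the ID.
$serviceAccountsGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder group ID
$policy = @{
    displayName = "Require MFA for App1"
    # Report-only first: review the "Report-only" result in sign-in logs, then set "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($serviceAccountsGroupId)
        }
        applications = @{
            includeApplications = @($app.AppId)   # policy targets App1 by its client (app) ID
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$caPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($caPolicy.Id) in state $($caPolicy.State)"

# 3. B2B guest account: invite a user from another tenant into this directory,
#    so the "All users" policy above applies to them when they open App1.
$inviteRedirect = "https://app1.example.com"   # placeholder
New-MgInvitation -InvitedUserEmailAddress "alice@partner.example" `
    -InviteRedirectUrl $inviteRedirect `
    -SendInvitationMessage
```

Run with an account that holds the Application Administrator and Conditional Access Administrator roles (or equivalent). After guests have signed in a few times, check the Conditional Access "Report-only" column in the sign-in logs to confirm the policy would have required MFA for them, then change `state` to `enabled`.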