Enable Multi-Factor Authentication for Azure AD Group1 | Microsoft Azure Exam AZ-300

Enable Multi-Factor Authentication for Group1

Question

Note: This question is part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant that contains a group named Group1.

You need to enable multi-factor authentication (MFA) for the users in Group1 only.

Solution: From the Azure portal, you configure an authentication method policy.

Does this meet the goal?

Answers

Explanations


A. Yes
B. No

B

We should use a Conditional Access policy.

Note: There are two ways to secure user sign-in events by requiring multi-factor authentication in Azure AD. The first, and preferred, option is to set up a Conditional Access policy that requires multi-factor authentication under certain conditions. The second option is to enable each user for Azure Multi-Factor Authentication. When users are enabled individually, they perform multi-factor authentication each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the remembered devices feature is turned on).

Enabling Azure Multi-Factor Authentication using Conditional Access policies is the recommended approach. Changing per-user states is no longer recommended unless your licenses don't include Conditional Access, because per-user enablement requires users to perform MFA every time they sign in.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

The solution provided in the question does not meet the stated goal of enabling MFA for the users in Group1 only. Therefore, the correct answer is B. No.

Configuring an authentication method policy from the Azure portal applies to all users in the tenant and cannot be scoped to a specific group. This means that enabling MFA through an authentication method policy would enforce MFA for all users in the tenant, including those not in Group1.

To enable MFA for only the users in Group1, you can use Azure AD Conditional Access policies. Conditional Access policies enable you to define access rules based on conditions such as user groups, locations, and device states. By creating a Conditional Access policy that targets Group1 and requires MFA, you can ensure that only users in that group are prompted for MFA when signing in.

To create a Conditional Access policy for Group1:

  1. Go to the Azure portal and navigate to Azure Active Directory.
  2. Click on Conditional Access from the left-hand menu.
  3. Click on New policy.
  4. Give the policy a name and click on Users and groups.
  5. Select Group1 from the list of groups and click Done.
  6. Click on Cloud apps or actions and select the applications that the policy will apply to.
  7. Under Access controls, click on Grant and select Require multi-factor authentication.
  8. Click on Enable policy and then click on Create.

Once the policy is created, users in Group1 will be prompted to complete MFA when signing in to the targeted applications.
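The same policy expressed as a Microsoft Graph request body, as an added example that is not part of the original page. It assumes a placeholder object ID for Group1, the v1.0 `identity/conditionalAccess/policies` endpoint with an access token obtained separately, and starts the policy in report-only state so its effect can be reviewed in sign-in logs before enforcement; the `scoped_to_group_only` check guards against the common mistake of a policy that silently targets all users.

```python
import json
import urllib.request

# Placeholder: replace with the object ID of Group1 from the Azure portal.
GROUP1_ID = "00000000-0000-0000-0000-000000000000"
GRAPH_CA_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_mfa_policy(group_id: str, display_name: str = "Require MFA - Group1",
                     apps: tuple = ("All",),
                     state: str = "enabledForReportingButNotEnforced") -> dict:
    """Return the Graph request body mirroring portal steps 4-8 above."""
    return {
        "displayName": display_name,
        # Report-only first; switch to "enabled" once the sign-in log review is clean.
        "state": state,
        "conditions": {
            "users": {"includeGroups": [group_id]},             # step 5: Group1 only
            "applications": {"includeApplications": list(apps)},  # step 6: target apps
            "clientAppTypes": ["all"],
        },
        "grantControls": {                                        # step 7: require MFA
            "operator": "OR",
            "builtInControls": ["mfa"],
        },
    }


def scoped_to_group_only(policy: dict, group_id: str) -> bool:
    """True only if the policy targets exactly group_id and grants access via MFA."""
    users = policy["conditions"]["users"]
    if users.get("includeUsers") or users.get("includeRoles"):
        return False  # "All" users or directory roles would widen the scope
    if users.get("includeGroups") != [group_id]:
        return False
    return "mfa" in policy["grantControls"].get("builtInControls", [])


def create_policy(policy: dict, access_token: str) -> dict:
    """POST the policy to Graph (needs Policy.ReadWrite.ConditionalAccess)."""
    req = urllib.request.Request(
        GRAPH_CA_URL, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_mfa_policy(GROUP1_ID)
    assert scoped_to_group_only(body, GROUP1_ID)
    print(json.dumps(body, indent=2))  # review, then create_policy(body, token)
```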