Securing Azure Tenant with Multi-Factor Authentication | MS-500 Exam Guide

Securing Azure Tenant with Multi-Factor Authentication

Prev Question Next Question

Question

You are the global administrator of an Azure tenant on the free tier.

You have been tasked with securing the tenant with the following requirements: Requiring all users to register for Azure AD Multi-Factor Authentication. Requiring administrators to perform multi-factor authentication. Blocking legacy authentication protocols. Requiring users to perform multi-factor authentication when necessary. Protecting privileged activities like access to the Azure portal. The solution must be as cost effective as possible.

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Correct Answer: C

Security Defaults is a set of security mechanisms that help protect your organization from common identity-related attacks like password spray, replay, and phishing.

It addresses all the requirements in this scenario.

The feature is available free of charge and can therefore be activated on the free tier:

Home > Devices > Endpoint protection Windows 10 and iter @ Basics @ Configuration settings \ Microsoft Defender Application Guard V Microsoft Defender Firewall V Microsoft Defender SmartScreen ‘A Windows Encryption Windows Settings © Encrypt devices © C Require Not configured » Encrypt storage card (mobile only) © ( Require Not configured ») BitLocker base settings © Warning for other disk encryption © ( Block Allow standard users to enable C Allow encryption during Azure AD Join © Configure encryption methods © Cc Enable Not configured » . Encryption for operating system drives © X1S-AES 128-bit Vv Encryption for fixed data-drives © XTS-AES 128-bit v Encryption for removable data-drives © AES-CBC 128-bit v BitLocker OS drive settings © ‘Additional authentication at startup © ( Require configured » BitLocker with non-compatible TPM chip lock Not configured D) {0}

Option A is incorrect.

This would address the requirements but it will require you to purchase a premium Tier license for your tenant.

Security Defaults is free of charge.

Therefore this is not the most cost-effective alternative.

Option B is incorrect.

Creating identity protection policies alone would not address the requirements.

Azure identity protection also requires the Azure P2 tier.

Option D is incorrect.

This would address all the requirements but is also the most expensive solution.

To know more about Security Default, please refer to the link below:

The best answer to this question is A: Upgrade the tenant to Premium 1 and create conditional access policies to address the requirements.

Explanation: Azure AD Premium P1 provides a variety of security features that can help meet the requirements outlined in the question. Specifically, conditional access policies can be used to require multi-factor authentication (MFA) for all users and administrators, block legacy authentication protocols, and require MFA when necessary. Additionally, Azure AD Premium P1 includes Azure AD Identity Protection, which can help protect against identity-based attacks.

Enabling Security Defaults (Option C) is an easy way to quickly secure an Azure tenant, but it does not provide the granular control necessary to meet the requirements outlined in the question. Security Defaults will enforce MFA for all users and administrators, but it does not provide the ability to block legacy authentication protocols or require MFA when necessary.

Upgrading to Premium P2 (Option D) provides additional security features beyond Premium P1, such as Privileged Identity Management and access reviews, but it may be unnecessary and more expensive than needed to meet the requirements outlined in the question.

Therefore, Option A is the best answer, as it provides the necessary security features while still being cost-effective.

Prev Question Next Question