Emergency Access Account for Azure AD: Best Practices to Ensure Uninterrupted Sign-In

Ensure Seamless Sign-In for Emergency1 during Azure AD Failures and On-Premises Infrastructure Issues

Question

You have a Microsoft 365 tenant.

The Azure Active Directory (Azure AD) tenant syncs to an on-premises Active Directory domain.

You plan to create an emergency-access administrative account named Emergency1.

Emergency1 will be assigned the Global administrator role in Azure AD.

Emergency1 will be used in the event of Azure AD functionality failures and on-premises infrastructure failures.

You need to reduce the likelihood that Emergency1 will be prevented from signing in during an emergency.

What should you do?

Answers

Explanations


A.

The scenario described in the question involves the need to create an emergency-access administrative account named Emergency1 to be used in case of Azure AD functionality failures and on-premises infrastructure failures. This account will be assigned the Global administrator role in Azure AD, which grants the highest level of access to the tenant. The question is asking for a recommendation to reduce the likelihood that Emergency1 will be prevented from signing in during an emergency.

Option A: Configure Azure Monitor to generate an alert if Emergency1 is modified or signs in. This option suggests setting up Azure Monitor to generate an alert if Emergency1 is modified or signs in. While this can provide visibility into Emergency1's activities, it does not address the potential issue of Emergency1 being unable to sign in during an emergency.

Option B: Require Azure AD Privileged Identity Management (PIM) activation of the Global administrator role for Emergency1. This option recommends enabling Azure AD Privileged Identity Management (PIM) for the Global administrator role assigned to Emergency1. PIM allows you to manage, control, and monitor access to resources within Azure AD, including the Global administrator role. By using PIM, you can require activation of the Global administrator role before it can be used, which can reduce the risk of unauthorized access. In this case, the Global administrator role for Emergency1 would be activated through PIM during an emergency, which can help reduce the risk of unauthorized access to the tenant.

Option C: Configure a conditional access policy to restrict sign-in locations for Emergency1 to only the corporate network. This option suggests using a conditional access policy to restrict Emergency1's sign-in locations to only the corporate network. While this can provide additional security, it can also potentially prevent Emergency1 from being able to sign in during an emergency if the person using the account is not physically located on the corporate network.

Option D: Configure a conditional access policy to require multi-factor authentication (MFA) for Emergency1. This option suggests using a conditional access policy to require multi-factor authentication (MFA) for Emergency1. MFA requires additional authentication factors, such as a text message or mobile app notification, in addition to a password. This can help reduce the risk of unauthorized access in case of compromised credentials. While this can provide additional security, it can also potentially prevent Emergency1 from being able to sign in during an emergency if the MFA process cannot be completed for some reason.

Overall, the best recommendation would be to require Azure AD Privileged Identity Management (PIM) activation of the Global administrator role for Emergency1. This approach can provide an additional layer of security for the Global administrator role assigned to Emergency1, while also ensuring that Emergency1 can still access the tenant during an emergency. Additionally, if Emergency1 is not used frequently, the activation of the Global administrator role can be scheduled to automatically expire after a set period, further reducing the risk of unauthorized access.
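The monitoring described under Option A (alerting whenever Emergency1 signs in or is modified) can be expressed as a small detection routine run over sign-in and audit records. The following is an added example, not code from the original page or from Microsoft: the account UPN `emergency1@contoso.example`, the records and their timestamps are constructed sample data, and the field names are modelled on the Microsoft Graph `signIn` and `directoryAudit` resource shapes (the same data Azure Monitor exposes through the SigninLogs and AuditLogs tables).

```python
"""Flag sign-ins by, and changes to, an emergency-access account.

Added example, not part of the original page. SAMPLE_SIGNINS and
SAMPLE_AUDITS are constructed records whose field names are modelled on the
Microsoft Graph signIn and directoryAudit resources; an Azure Monitor alert
rule would run an equivalent query over SigninLogs and AuditLogs.
"""
from dataclasses import dataclass

EMERGENCY_UPN = "emergency1@contoso.example"  # assumed UPN for Emergency1

# Constructed sign-in records (abbreviated Graph signIn shape).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-03-01T08:00:00Z",
     "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-03-01T08:05:00Z",
     "userPrincipalName": "Emergency1@contoso.example",   # note the casing
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-03-01T08:06:00Z",
     "userPrincipalName": "emergency1@contoso.example",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},  # invalid credentials
]

# Constructed audit records (abbreviated Graph directoryAudit shape).
SAMPLE_AUDITS = [
    {"activityDateTime": "2024-03-01T09:00:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"userPrincipalName": "emergency1@contoso.example"}]},
    {"activityDateTime": "2024-03-01T09:10:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"userPrincipalName": "bob@contoso.example"}]},
]


@dataclass(frozen=True)
class Alert:
    kind: str    # "signin" or "modified"
    when: str    # ISO-8601 timestamp from the record
    detail: str


def signin_alerts(signins, upn=EMERGENCY_UPN):
    """One alert per sign-in attempt (successful or failed) by the account.

    Failed attempts are reported too: an emergency account should be dormant,
    so even a wrong-password attempt against it is worth a look.
    """
    alerts = []
    for rec in signins:
        if rec.get("userPrincipalName", "").casefold() != upn.casefold():
            continue
        code = rec.get("status", {}).get("errorCode", 0)
        outcome = "success" if code == 0 else f"failure (errorCode {code})"
        alerts.append(Alert("signin", rec["createdDateTime"],
                            f"{outcome} from {rec.get('ipAddress', '?')}"))
    return alerts


def modification_alerts(audits, upn=EMERGENCY_UPN):
    """One alert per directory change whose target is the account."""
    alerts = []
    for rec in audits:
        targets = [t.get("userPrincipalName", "") for t in rec.get("targetResources", [])]
        if not any(t.casefold() == upn.casefold() for t in targets):
            continue
        actor = (rec.get("initiatedBy", {}).get("user", {})
                 .get("userPrincipalName", "unknown"))
        alerts.append(Alert("modified", rec["activityDateTime"],
                            f"{rec['activityDisplayName']} by {actor}"))
    return alerts


def all_alerts(signins=SAMPLE_SIGNINS, audits=SAMPLE_AUDITS, upn=EMERGENCY_UPN):
    """Combined alert list for the account across both record sources."""
    return signin_alerts(signins, upn) + modification_alerts(audits, upn)


if __name__ == "__main__":
    for a in all_alerts():
        print(f"[{a.kind}] {a.when} {a.detail}")
```

The UPN comparison is case-insensitive because Azure AD treats UPNs that way and logs may preserve whatever casing was typed at sign-in; an exact string match would silently miss the second sample record. Run against the constructed data, the script reports two sign-in alerts (one success, one failure) and one modification alert.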