Enable Multi-Factor Authentication for Azure AD Group1 | Azure Exam AZ-300

Enable Multi-Factor Authentication for Group1

Question

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant that contains a group named Group1.

You need to enable multi-factor authentication (MFA) for the users in Group1 only.

Solution: From the Azure portal, you configure an authentication method policy.

Does this meet the goal?

Answers

Explanations


A. B.

B

We should use a Conditional Access policy.

Note: There are two ways to secure user sign-in events by requiring multi-factor authentication in Azure AD. The first, and preferred, option is to set up a Conditional Access policy that requires multi-factor authentication under certain conditions. The second option is to enable each user for Azure Multi-Factor Authentication. When users are enabled individually, they perform multi-factor authentication each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the remembered devices feature is turned on).

Enabling Azure Multi-Factor Authentication using Conditional Access policies is the recommended approach. Changing user states is no longer recommended unless your licenses don't include Conditional Access, as it requires users to perform MFA every time they sign in.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

The solution mentioned in the question is not sufficient to meet the goal of enabling MFA for the users in Group1 only.

Enabling multi-factor authentication (MFA) for users in Azure AD can be done at two levels: the organization level and the user level. The organization level setting affects all users in the tenant, while the user level setting allows MFA to be enabled for specific users or groups of users.

To enable MFA for the users in Group1 only, you need to create a conditional access policy that targets only the users in that group. The policy will then require MFA for those users when they sign in to Azure AD. Here are the steps to create such a policy:

  1. Sign in to the Azure portal using an account that has global administrator or security administrator permissions.
  2. Navigate to Azure Active Directory and select Conditional Access.
  3. Click on New Policy to create a new policy.
  4. Give the policy a name and select the Users and Groups that you want to target. In this case, select Group1.
  5. Select the Cloud Apps or actions that you want to target. For example, you can select all cloud apps to require MFA for all sign-ins, or you can select specific apps that require MFA.
  6. Under Access controls, select Grant and then select Require multi-factor authentication.
  7. Click on Create to create the policy.

This policy will require MFA for the users in Group1 only when they sign in to Azure AD. Other users in the tenant will not be affected by this policy.

Therefore, the correct answer is B. No, configuring an authentication method policy from the Azure portal is not sufficient to meet the goal of enabling MFA for the users in Group1 only. A conditional access policy targeting the Group1 users needs to be created instead.
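The policy from the portal steps above can also be expressed as a Microsoft Graph `conditionalAccessPolicy` object and checked for scope before it is relied on. The following is an added example, not part of the original explanation: the group object ID is a constructed placeholder, and the helper names `build_group_mfa_policy` and `scope_findings` are hypothetical.

```python
import json

# Constructed placeholder: substitute Group1's real object ID from your tenant.
GROUP1_ID = "00000000-0000-0000-0000-000000000001"


def build_group_mfa_policy(group_id, name="Require MFA for Group1", state="enabled"):
    """Body for POST /identity/conditionalAccess/policies (Microsoft Graph v1.0)."""
    return {
        "displayName": name,
        # "enabled", "disabled" or "enabledForReportingButNotEnforced" (report-only)
        "state": state,
        "conditions": {
            "users": {"includeGroups": [group_id]},            # step 4: Group1 only
            "applications": {"includeApplications": ["All"]},  # step 5: all cloud apps
        },
        # step 6: Grant > Require multi-factor authentication
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def scope_findings(policy, group_id):
    """Return reasons why `policy` does not enforce MFA for exactly `group_id`."""
    findings = []
    users = policy.get("conditions", {}).get("users", {})
    grant = policy.get("grantControls") or {}
    if policy.get("state") != "enabled":
        findings.append("policy is not enforced (state=%s)" % policy.get("state"))
    if "mfa" not in grant.get("builtInControls", []):
        findings.append("grant controls do not require MFA")
    elif grant.get("operator") == "OR" and len(grant["builtInControls"]) > 1:
        findings.append("MFA is only one of several OR'ed controls")
    if users.get("includeUsers"):
        findings.append("policy also targets users directly: %s" % users["includeUsers"])
    if users.get("includeGroups", []) != [group_id]:
        findings.append("includeGroups is not exactly Group1")
    if group_id in users.get("excludeGroups", []):
        findings.append("Group1 is excluded")
    return findings


if __name__ == "__main__":
    policy = build_group_mfa_policy(GROUP1_ID)
    print(json.dumps(policy, indent=2))
    print(scope_findings(policy, GROUP1_ID))
```

The same check can be run over policies exported from a tenant to confirm that none of them silently widens the MFA requirement beyond Group1 or leaves it in report-only mode.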