Force Multi-Factor Authentication for Global Administrators in Azure AD

Enforce Multi-Factor Authentication for Global Administrators in Azure AD

Question

You have an Azure Active Directory (Azure AD) tenant.

You have an existing Azure AD conditional access policy named Policy1. Policy1 enforces the use of Azure AD-joined devices when members of the Global Administrators group authenticate to Azure AD from untrusted locations.

You need to ensure that members of the Global Administrators group will also be forced to use multi-factor authentication when authenticating from untrusted locations.

What should you do?

Answers

Explanations

A. B. C. D.

D

The correct answer is A. From the Azure portal, modify session control of Policy1.

Explanation:

The scenario describes an existing Azure AD conditional access policy named Policy1 that enforces the use of Azure AD-joined devices when members of the Global Administrators group authenticate to Azure AD from untrusted locations. The requirement is to enforce multi-factor authentication for members of the Global Administrators group when they authenticate from untrusted locations.

To enforce multi-factor authentication, we need to modify the session control of Policy1. Session control defines the actions to take when a user session meets the specified conditions in a conditional access policy. To enforce multi-factor authentication, we need to add an additional session control that requires multi-factor authentication.

Follow these steps to modify the session control of Policy1:

  1. Sign in to the Azure portal.
  2. Navigate to Azure Active Directory > Conditional access.
  3. Select Policy1 from the list of policies.
  4. In the Session controls section, select the + New session control button.
  5. In the New session control pane, configure the following settings:
     a. Name: Enter a name for the session control (for example, "Require MFA").
     b. Assignments: Select Users and groups, and then select the Global Administrators group.
     c. Cloud apps or actions: Select All cloud apps.
     d. Conditions: Select Locations, and then select Trusted locations as an exclusion.
     e. Access controls: Select Grant, and then select Require multi-factor authentication.
  6. Select the Create button to save the session control.

The new session control will require members of the Global Administrators group to use multi-factor authentication when they authenticate from untrusted locations, in addition to the existing session control that enforces the use of Azure AD-joined devices.
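To check the result after saving, the audit below is an added example (not part of the original page or any Microsoft tooling) that inspects a policy in the shape of Microsoft Graph's conditionalAccessPolicy resource, where the "Grant > Require multi-factor authentication" selection from step 5e is stored as `mfa` in `grantControls.builtInControls`. The group ID is a placeholder, the sample policies are constructed, and `domainJoinedDevice` is assumed to be the device control Policy1 already uses.

```python
GROUP_ID = "<global-admins-group-object-id>"  # placeholder, not a real object ID
REQUIRED = {"mfa", "domainJoinedDevice"}      # device control name is an assumption

def policy1(controls, operator="AND", state="enabled"):
    """Constructed sample of Policy1 in Graph conditionalAccessPolicy shape."""
    return {
        "displayName": "Policy1",
        "state": state,
        "conditions": {
            "users": {"includeGroups": [GROUP_ID]},
            "applications": {"includeApplications": ["All"]},
            # "All" minus "AllTrusted" = untrusted locations only
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": operator, "builtInControls": controls},
    }

def audit(policy, group_id=GROUP_ID, required=REQUIRED):
    """Return a list of findings; an empty list means the requirement is met."""
    findings = []
    cond = policy.get("conditions") or {}
    grant = policy.get("grantControls") or {}
    if policy.get("state") != "enabled":
        findings.append("policy is not enforced (state=%r)" % policy.get("state"))
    if group_id not in (cond.get("users") or {}).get("includeGroups", []):
        findings.append("group is not in scope")
    loc = cond.get("locations") or {}
    if ("All" not in loc.get("includeLocations", [])
            or "AllTrusted" not in loc.get("excludeLocations", [])):
        findings.append("locations do not match 'all except trusted'")
    missing = set(required) - set(grant.get("builtInControls", []))
    if missing:
        findings.append("missing controls: " + ", ".join(sorted(missing)))
    elif len(required) > 1 and grant.get("operator") != "AND":
        # With OR, a joined device alone satisfies the policy and MFA is skipped.
        findings.append("controls are combined with OR; MFA is not forced")
    return findings

if __name__ == "__main__":
    for p in (policy1(["domainJoinedDevice"]),              # before the change
              policy1(["mfa", "domainJoinedDevice"], "OR"),  # MFA added, wrong operator
              policy1(["mfa", "domainJoinedDevice"])):       # both controls required
        print(audit(p) or "OK")
```

The middle case is the one to watch for: adding the MFA control while the policy requires only one of the selected controls leaves administrators on a joined device unprompted.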

Options B and C are incorrect because they refer to modifying the user or service settings for multi-factor authentication, which would apply to all users and services, not just members of the Global Administrators group.

Option D is incorrect because it refers to modifying the grant control of Policy1, which determines whether access is allowed or denied based on the outcome of the policy evaluation. Modifying grant control would not enforce multi-factor authentication.