Exam MS-900 topic 1 question 25 discussion

I think answer is D. Reference : https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies

According to me the Ans is D - We will enable Conditional Access policy and then select the user sign in risk or login risk settings ( i wish we had AD identity Protection here as an Option)

C. Microsoft Azure AD Privileged Identity Protection. Explanation: Microsoft Azure AD Privileged Identity Protection (PIM) is designed specifically to protect privileged accounts such as Global Administrators. It does this by: Using dynamic risk profiles to assess and mitigate risks automatically. Detecting and responding to suspicious activities, such as unusual sign-ins or risky user behavior. Requiring additional authentication (such as MFA) when risks are detected. Providing just-in-time access and approval workflows for privileged roles.

Answer is C To protect members of the Global Administrators group and ensure their accounts are secured using dynamic risk profiles, Microsoft Azure AD Privileged Identity Management (PIM) is the appropriate feature. PIM helps manage, control, and monitor access to privileged roles, including Global Administrators, by enforcing Just-In-Time (JIT) access, requiring approvals, and enabling multi-factor authentication (MFA). It also provides risk-based conditional access to ensure that privileged accounts are protected based on dynamic risk profiles. https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure Why not D? D. Microsoft Azure AD Conditional Access: While Conditional Access can enforce policies like MFA or block access based on risk signals, it does not specifically manage privileged roles or provide the same level of dynamic risk-based protection as PIM.

The correct answer is D. Microsoft Azure AD Conditional Access. Microsoft Azure AD Conditional Access uses dynamic risk profiles to protect members of the Global Administrators group by evaluating sign-in risks and user risks, and applying policies based on these risk levels

The other options, although security-related, are not directly focused on protecting privileged identities through dynamic risk profiles: A. Mobile application protection policy: This protects mobile applications but is not designed to protect privileged identities specifically. B. Device configuration policy: This manages device settings, but it does not specifically focus on privileged users. D. Microsoft Azure AD Conditional Access: Conditional Access controls access to applications based on various conditions but is not focused on protecting privileged identities using dynamic risk profiles. Therefore, C. Microsoft Azure AD Privilege Identity Protection is the best solution for protecting members of the Global Administrators group by leveraging dynamic risk profiles.

About Azure AD Identity Protection Azure AD Identity Protection is a security service that helps organizations detect, investigate, and remediate identity-based risks. It uses dynamic risk profiles to assess and respond to potential threats in real time.

Prevents removal of the last active Global Administrator and Privileged Role Administrator role assignments https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure

To protect members of the Global Administrators group by using dynamic risk profiles, you should use: C. Microsoft Azure AD Privileged Identity Management (PIM). Azure AD Privileged Identity Management (PIM) allows you to manage, control, and monitor access within your organization, especially for roles with elevated privileges like Global Administrators. PIM includes features such as just-in-time access, which can help protect admin roles by ensuring they are only active when necessary and can incorporate risk-based policies to enhance security. Note: Azure AD Conditional Access is also relevant for applying policies based on risk profiles, but for dynamic risk profiles specifically related to privileged roles like Global Administrators, PIM is the more focused solution.

La respuesta es la C

Conditional Access can enforce policies based on conditions, it doesn't inherently use dynamic risk profiles for protecting Global Administrators in the same way as Identity Protection.

D. Here is the clue, it tells you which feature of all they want you to use and in this case it is the user risk for admin users to be evaluated, if a Europe admin user suddenly signs in from China, a fish will be smelt.. In a conditional access policy to access certain services there will be the a user risk evaluated and the policy will be targeted at those fragile users.

DYNAMIC Risk profiles == Microsoft Azure AD Conditional Access

The Solution Seems to be C. The latter article makes use of the Risk Level in sign-ins with out taking into consideration any CA policies, but only configuration into Identity Protection Blade Tutorial: Use risk detections for user sign-ins to trigger Microsoft Entra multifactor authentication or password changes https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-risk-based-sspr-mfa I would and will Choose C.

The Solution Seems to be C. The latter article makes use of the Risk Level in sign-ins with out taking into consideration any CA policies, but only configuration into Identity Protection Blade Tutorial: Use risk detections for user sign-ins to trigger Microsoft Entra multifactor authentication or password changes https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-risk-based-sspr-mfa I would and will Choose C.

Para garantir que os membros do grupo Administradores Globais estejam protegidos usando perfis de risco dinâmicos, você deve usar o recurso "Proteção de Identidade de Privilégio do Microsoft Azure AD" (opção C). A Proteção de Identidade de Privilégio (PIM) do Azure AD ajuda a proteger as identidades privilegiadas, como os Administradores Globais, por meio da utilização de medidas de segurança adicionais, incluindo o uso de perfis de risco dinâmicos para conceder privilégios temporários aos administradores somente quando necessário. Através da PIM, você pode configurar políticas que exigem a aprovação para atividades administrativas críticas e adicionar uma camada adicional de segurança ao acesso privilegiado, protegendo os Administradores Globais de maneira eficaz.

I think answer is D. While Identity Protection also offers a user interface for creating “user risk policy” and “sign-in risk policy”, we highly recommend that you use Microsoft Entra Conditional Access to create risk-based policies.