HOTSPOT - To meet the authentication requirements of Fabrikam, what should you include in the solution? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
Suggested Answer:
Box 1: 1 - One single Azure AD tenant is needed as only the Corp tenant is migrated.
Box 2: 1 -
Box 3: 2 - One conditional access policy for Multi-Factor Authentication (MFA) will be used for administrative access, and a second conditional access policy in order to prevent external access.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-location
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa
Given answer looks correct, 1-1-2.
1=1:Single tenant creation required only due to RD restrictions implemented.
2=1:Need to add custom domain due to default .onmicrosoft.com domain on tenant creation
3=2: Two policies required; can't have multiple actions to block + allow on a single conditional access policy.
One required for admin MFA, second to block external access as per requirements.
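The two-policy layout this comment describes, written out as an added example with the Microsoft Graph PowerShell SDK (not code from the thread or from Microsoft's docs). The office IP ranges and the break-glass account ID are constructed placeholders; the role template ID and the Azure management app ID are the well-known built-in values used by the admin-MFA policy.

```powershell
# Added example: the two Conditional Access policies behind the 1-1-2 answer.
# Office CIDRs are constructed TEST-NET sample values, not Fabrikam's.
# Both policies are created in report-only mode so sign-in logs can be
# reviewed before either one is enforced.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Trusted named location covering the company offices (sample CIDRs).
$officeRanges = @("198.51.100.0/24", "203.0.113.0/24") | ForEach-Object {
    @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $_ }
}
$offices = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Fabrikam offices"
    isTrusted     = $true
    ipRanges      = $officeRanges
}

# 2. Policy A: require MFA for administrators using the Azure portal.
#    A single policy can either grant (with MFA) or block, never both,
#    which is why the external-access block needs its own policy below.
$adminMfa = @{
    displayName   = "CA01 - Require MFA for admins in Azure portal"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        # Global Administrator role template ID (built-in value)
        users        = @{ includeRoles = @("62e90394-69f5-4237-9190-012177145e10") }
        # Windows Azure Service Management API = the Azure portal (built-in value)
        applications = @{ includeApplications = @("797f4846-ba00-4fd7-ba43-dac1f8f63013") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminMfa

# 3. Policy B: block all users and apps from any location that is not an office.
#    Exclude an emergency-access account (placeholder ID) to avoid lockout.
$blockExternal = @{
    displayName   = "CA02 - Block access from outside Fabrikam offices"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @("<break-glass-account-object-id>") }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($offices.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockExternal
```

Switch `state` to `enabled` for each policy only after the report-only sign-in log entries show the expected users being caught and no one else.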
I think it is 1-1-1 as you can include locations in "Conditions" section of a Conditional Access Policy (and "Grant with MFA" in the Access Control section)
All >ADMINISTRATIVE< only access to the Azure portal must be secured by using multi-factor authentication (MFA). So 1 policy for location and 2 for MFA. 1-1-2
for the 3rd part since they are asking about the " Minimum" number of conditional access policies, then it is 1, by making use of a single access policy one can enable both location filters and MFA restrictions.
I would say:
1 - only one AD should be migrated, everyone agrees on that
1 - onmicrosoft is default domain, need to add new domain, everyone agrees
0 - If you go to Azure AD -> Security -> Identity Protection -> MFA, you can choose who should use MFA. You don't need to create a conditional access for that. Location - I believe it should be done automatically
"Company information including policies, templates, and data must be inaccessible to anyone outside the company." Ok, now I see what they are saying. You can only access company data if you are in one of the four offices. That would require another conditional access policy. But it's very poorly worded. Initially I read that as meaning you can't access company data unless you have a company identity. Maybe the question seemed less ambiguous when we all worked in an office.
2-1-1
Minimum Number of Azure AD Tenants:
Fabrikam already has two Active Directory forests: corp.fabrikam.com and rd.fabrikam.com. These forests can be synchronized with Azure AD as separate tenants.
Therefore, the minimum number of Azure AD tenants required would be 2.
Minimum Number of Custom Domains to Add:
Fabrikam wants users to authenticate using their corp.fabrikam.com UPN identity.
For this, you need to add a custom domain to Azure AD that matches the domain used in the on-premises Active Directory forest (corp.fabrikam.com).
Therefore, the minimum number of custom domains to add would be 1.
Minimum Number of Conditional Access Policies to Create:
Fabrikam has a requirement to ensure that users always authenticate using their corp.fabrikam.com UPN identity.
You can create a conditional access policy in Azure AD to enforce this requirement. The policy can be configured to only allow authentication from the corp.fabrikam.com domain and deny access from other domains.
Therefore, the minimum number of conditional access policies to create would be 1.
On Conditional Access policies:
The case says "Company information ... must be inaccessible to anyone outside the company." The question is what is meant "outside the company": not on the company network? In that case the second conditional access policy makes sense.
If they just mean external users (non-employees), then you can solve this in a better way than with conditional access.
0 Custom Domains since contoso.com should be the primary domain name
https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-manage#set-the-primary-domain-name-for-your-azure-ad-organization
Not true. In your link the user has already added a custom domain. "Every new Azure AD tenant comes with an initial domain name, <domainname>.onmicrosoft.com. You can't change or delete the initial domain name, but you can add your organization's names. Adding custom domain names helps you to create user names that are familiar to your users, such as [email protected]."
2 policies should be correct for the last box. Security defaults are used to enable MFA for ALL users, not just admins. And preventing users from accessing the portal outside the company network needs a separate policy as the policy action cannot be more than 1 per policy, unlike scope.
I agree with MFA, but I don't see a conditional access policy condition in the docs that might be directly applicable to deny external access to company resources. Conditional access policies are to enforce MFA, filter by location, device, user-risk, and a few other edge cases. Therefore I'd go for 1-1-1.
Here is a list in the docs:
https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions
Regarding conditional access policies, I could answer 0, or 1. I can't imagine where 2 came from.
0 - If I enable security defaults, I create zero policies and I accomplish the task admin task.
1 - If I configure a new policy for just the admins (without enabling security defaults)
Preventing public access to your dev/test environment would be handled through your app service. https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions
But maybe I'm missing something.