Question #46
You are designing an Azure web app that will use Azure Active Directory (Azure AD) for authentication.
You need to recommend a solution to provide users from multiple Azure AD tenants with access to App1. The solution must ensure that the users use Azure Multi-Factor Authentication (MFA) when they connect to App1.
Which two types of objects should you include in the recommendation? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Azure AD conditional access policies
B. Azure AD managed identities
C. an Identity Experience Framework policy
D. an Azure application security group
E. an Endpoint Manager app protection policy
F. Azure AD guest accounts
Correct Answer: AF
A: The Conditional Access feature in Azure Active Directory (Azure AD) offers one of several ways that you can use to secure your app and protect a service.
Conditional Access enables developers and enterprise customers to protect services in a multitude of ways including:
✑ Multi-factor authentication
✑ Allowing only Intune enrolled devices to access specific services
✑ Restricting user locations and IP ranges
Conditional Access policies are powerful tools, so we recommend excluding the following accounts from your policy:
✑ Service accounts and service principals.
If your organization has these accounts in use in scripts or code, consider replacing them with managed identities.
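As an added illustration (not part of the original question or of Microsoft's documentation), the Python below builds the Microsoft Graph request body for a Conditional Access policy that requires MFA for guest users signing in to App1, excludes the service accounts recommended above, and checks a policy read back from the tenant. The field names follow the Graph conditionalAccessPolicy resource; the application ID, service-account object IDs and policy name are constructed placeholders.

```python
"""Build and sanity-check a Conditional Access policy body that requires MFA
for guest (B2B) users of a single app. Added example, not from the page."""
import json

# Constructed placeholders, not real identifiers: replace with App1's
# application (client) ID and the object IDs of service accounts to exclude.
APP1_CLIENT_ID = "00000000-0000-0000-0000-000000000001"
SERVICE_ACCOUNT_IDS = ["00000000-0000-0000-0000-0000000000aa"]


def build_guest_mfa_policy(app_id, exclude_user_ids, enforce=False):
    """Return the JSON body for POST /identity/conditionalAccess/policies.

    Targets guest/external users on one application and requires the
    built-in 'mfa' grant control. Guest users are the Azure AD guest
    accounts created for users from other tenants.
    """
    return {
        "displayName": "Require MFA for guests on App1",
        # Start in report-only mode so sign-in logs show the effect before enforcing.
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": [app_id]},
            "users": {
                "includeUsers": ["GuestsOrExternalUsers"],
                # Service accounts kept out of the policy, as the guidance above recommends.
                "excludeUsers": list(exclude_user_ids),
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def policy_requires_mfa_for_guests(policy, app_id):
    """Check that a policy dict (e.g. one fetched from Graph) is enforced,
    covers app_id, covers guest users and requires MFA."""
    cond = policy.get("conditions", {})
    apps = cond.get("applications", {}).get("includeApplications", [])
    users = cond.get("users", {}).get("includeUsers", [])
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    return (
        policy.get("state") == "enabled"
        and (app_id in apps or "All" in apps)
        and ("GuestsOrExternalUsers" in users or "All" in users)
        and "mfa" in controls
    )


def excluded_service_accounts(policy):
    """Return the user object IDs a policy excludes, for an audit of exclusions."""
    return list(policy.get("conditions", {}).get("users", {}).get("excludeUsers", []))


if __name__ == "__main__":
    body = build_guest_mfa_policy(APP1_CLIENT_ID, SERVICE_ACCOUNT_IDS, enforce=True)
    print(json.dumps(body, indent=2))
    print("requires MFA for guests:", policy_requires_mfa_for_guests(body, APP1_CLIENT_ID))
```

A policy left in report-only mode passes the build but fails the check, which is the point of the check: reviewing the tenant's policies with `policy_requires_mfa_for_guests` catches a policy that was drafted but never switched to `enabled`.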
Incorrect Answers:
B: Managed Identity does not support cross-directory scenarios.
D: Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups.
Note: The correct options should include an application registration with Azure AD, which allows users in the directory to authenticate to the application. A default application registration validates that the user has valid login credentials, either in your own Azure AD directory or, for a multi-tenant application, in the directory the user originates from.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-conditional-access-dev-guide
https://www.re-mark-able.net/understanding-azure-active-directory-application-registrations/