A company must prevent non-compliant devices from accessing Exchange Online and SharePoint Online. Which design should you recommend?
This uses device compliance as an access-control signal for cloud apps.
Why this answer
Conditional Access policies in Microsoft Entra ID (formerly Azure AD) can enforce device compliance by integrating with Microsoft Intune. When a policy requires a compliant device, it checks the device's compliance status before granting access to Exchange Online and SharePoint Online, blocking non-compliant devices at the authentication layer. This is the correct design because it directly controls access to these cloud services based on device health.
How to eliminate wrong answers
Option B is wrong because Azure Firewall is a network-layer firewall for Azure virtual networks and cannot inspect or control access to SaaS applications like Exchange Online or SharePoint Online, which are accessed over the internet.
Option C is wrong because Storage account network rules control access to Azure Blob, File, Queue, and Table storage, not to Microsoft 365 services like Exchange Online or SharePoint Online.
Option D is wrong because a resource lock prevents accidental deletion or modification of an Azure resource but does not enforce any access control or device compliance requirements for Microsoft 365 tenants.