A company has multiple Azure subscriptions and wants to enforce that all administrators must use multi-factor authentication (MFA) when accessing the Azure portal. They also want to monitor and report on any policy changes that affect this enforcement. Which combination of Azure services should they use?
- A. Azure Policy with built-in policy to enforce MFA and Azure Activity Log to monitor changes.
  Why wrong: Azure Policy can audit whether MFA is enabled on accounts, but it cannot enforce MFA during sign-in. It is not the correct tool for requiring MFA at authentication time. Activity Log can capture policy changes, but the enforcement method is wrong.
- B. Microsoft Entra ID Conditional Access policy to require MFA for Azure management and Azure Monitor with Log Analytics for monitoring.
  Why correct: Conditional Access policies are the appropriate way to enforce MFA for accessing the Azure portal (the Azure Management cloud app). Azure Monitor can collect Activity Logs from Microsoft Entra ID and Azure subscriptions to track changes to Conditional Access policies or other critical resources, and Log Analytics can be used for querying and alerting.
- C. Microsoft Entra ID Identity Protection to enforce MFA and Azure Sentinel for monitoring.
  Why wrong: Identity Protection offers risk-based conditional access (e.g., require MFA for risky sign-ins), but it is not designed to enforce MFA for all administrators regardless of risk. Azure Sentinel is a SIEM that could ingest logs, but it is unnecessary for the stated requirement of basic monitoring of policy changes; Azure Monitor is simpler and sufficient.
- D. Azure Policy to assign the built-in policy 'MFA should be enabled on accounts with write permissions' and Azure Security Center for monitoring.
  Why wrong: This policy audits whether MFA is enabled, but again does not enforce MFA during authentication. Azure Security Center (now Defender for Cloud) focuses on security posture and workload protection, not on monitoring identity policy changes.