Microsoft Azure Architect Design (AZ-304) Practice Test

Prepare for the Microsoft Azure Architect Design (AZ-304) Exam with comprehensive quiz questions designed to enhance your understanding and confidence. Master essential Azure concepts and strategies to excel on your test day!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!


What solution should be recommended to restrict Azure AD tenant management to only the on-premises network computers?

  1. Azure AD roles and administrators

  2. A conditional access policy

  3. Azure AD Application Proxy

  4. Azure AD Privileged Identity Management

The correct answer is: A conditional access policy

The recommended solution to restrict Azure Active Directory (Azure AD) tenant management to only the on-premises network computers is a conditional access policy. Conditional access policies in Azure AD allow you to set specific requirements and controls for access to resources based on certain conditions. In this scenario, you can create a policy that restricts management operations by requiring that any access to Azure AD management features come from devices located within the on-premises network.

With this kind of policy in place, sensitive tenant management operations can only be performed from trusted and secure locations, which minimizes the risk of unauthorized access or potential breaches from untrusted networks.

The other solutions listed have different use cases. Azure AD roles and administrators define permissions and access levels within Azure AD but do not inherently restrict access based on location. Azure AD Application Proxy exposes on-premises applications securely to remote users but does not manage tenant administration based on network location. Azure AD Privileged Identity Management helps manage, control, and monitor access within Azure AD, specifically for privileged roles, but again does not enforce network-based restrictions on management operations.