Microsoft Azure Architect Design (AZ-301) Practice Exam


Prepare for the Microsoft Azure Architect Design (AZ-301) Exam with interactive quizzes featuring flashcards and multiple-choice questions, each packed with hints and explanations to ace your certification test!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



Which action should be recommended to ensure that Azure AD can only be managed from the on-premises network?

  1. Implement Azure AD roles and administrators.

  2. Use Azure AD Application Proxy.

  3. Establish a conditional access policy.

  4. Use Azure AD Privileged Identity Management.

The correct answer is: Establish a conditional access policy.

The recommended action to ensure that Azure AD can only be managed from the on-premises network is to establish a conditional access policy. Conditional access policies in Azure Active Directory allow administrators to define specific conditions under which access to Azure AD resources is granted or denied. By configuring these policies, you can enforce location-based restrictions, meaning management tasks can be performed only if the user is connecting from an approved IP address range associated with your on-premises network. This ensures that sensitive actions are shielded from external access and can be executed only within a trusted environment. This added layer of security is crucial for organizations that seek to maintain strict control over their directory management and access policies, thereby reducing the risk of unauthorized access.

While Azure AD roles and administrators focus on the assignment of roles and access rights, and Azure AD Application Proxy is designed to securely publish on-premises applications for remote access, neither directly provides the mechanism needed to restrict management actions specifically to on-premises environments. Additionally, Azure AD Privileged Identity Management helps manage and control access to roles within Azure AD, but it does not inherently restrict access based on network location. Thus, establishing a conditional access policy aligns best with the goal of limiting management access to the on-premises network.