Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains a user named User1. User1 is a member of a group named Group1 and is in an organizational unit (OL)} named OU1. The domain has minimum password lengths configured as shown in the following table. 
What is the minimum password length that User1 should use when changing to a new password?
Doesn't the PSO with lowest precedence always override the domain policy if it's linked via Group1? Unless User1 has another direct PSO or a higher-precedence one applies somehow, looks like 7 chars is enforced. Someone correct me if I'm missing a nuance with OU-level policies here.
Pretty sure it's A here. JIT VM access specifically reduces the window that admin ports are open, which is what Azure exams usually focus on for security. D trips people up since Bastion hides public RDP, but it's not as granular for port lockdown. Disagree?
I get why people pick D, but for this you want to limit port exposure as much as possible, so A (JIT VM access) is better. Pretty sure Azure pushes JIT in these scenarios. Correct me if I'm missing some corner case.
