Windows Hello for Business (WHfB) is a strong, two-factor authentication method that is tied to a specific device, in this case, the user's laptop. It uses a biometric gesture (face, fingerprint) or a PIN to unlock a private key stored securely on the device's Trusted Platform Module (TPM). The authentication process itself happens on the laptop. Since the laptop has a wired internet connection, it can communicate with Azure AD to complete the authentication. This method does not depend on any form of mobile phone connectivity (cellular or Wi-Fi), making it the only suitable option for the described remote work scenario.

A. a notification through the Microsoft Authenticator app

This method sends a push notification to a mobile phone, which requires the phone to have an active internet connection (Wi-Fi or mobile data), both of which are unavailable.

B. an app password

App passwords are a legacy workaround for older applications that do not support modern authentication. They are not a primary MFA method for interactive user sign-ins.

D. SMS

This method sends a verification code via a text message to a mobile phone, which requires cellular service. The scenario explicitly states there is no mobile phone connectivity.

---

1. Microsoft Learn. (2023). How Windows Hello for Business works - Authentication. "Windows Hello for Business is a strong

two-factor credential that is bound to a device and uses a biometric or PIN." This confirms it is a 2FA method tied to the device itself

not a separate phone.

Section: Authentication with Windows Hello for Business > Two-factor authentication

2. Microsoft Learn. (2024). Authentication methods and features - Azure Active Directory. This document details the requirements for various methods.

Section: Microsoft Authenticator > "The user receives a notification on their smartphone..." (implies connectivity is needed).

Section: SMS > "A text message is sent to a mobile phone number..." (requires cellular service).

Section: Windows Hello for Business > "Windows Hello for Business lets users sign in to their Windows devices with a PIN or a biometric gesture." (device-centric).

3. Microsoft Learn. (2023). Manage app passwords for two-step verification. "Certain non-browser apps

such as Outlook 2010

don't support two-step verification. This lack of support means that if you're using two-step verification in your organization

the app won't work. To get around this problem

you can use an app password..."

Section: Overview. This clarifies that app passwords are a compatibility solution

not a standard MFA method for modern interactive sign-ins.

The primary requirement is to allow the AKS1 managed identity to access the data within the DB1 Cosmos DB account. This requires a data plane role. The "Azure Cosmos DB Data Reader Role" is the only option that explicitly grants permissions to read data. While the scope is the resource group (RG1), which is broader than the specific database (DB1), it is the only choice that fulfills the fundamental requirement of data access. The other roles are control plane roles, which manage the Azure resource itself but do not grant access to the data stored within it, or are excessively permissive.

B: The Owner role at the subscription scope is excessively permissive, granting full control over all resources in the subscription, which is a severe violation of the principle of least privilege.

C: The standard Reader role provides read-only access to the management (control) plane of resources. It allows viewing the Cosmos DB account's properties but not the data it contains.

D: The "Azure Cosmos DB Account Reader Role" is a control plane role. It allows reading account metadata, keys, and connection strings, but it does not grant permission to read the actual data.

1. Microsoft Learn: Configure role-based access control for your Azure Cosmos DB account. This document distinguishes between control plane and data plane operations. It clarifies that roles like "Cosmos DB Account Reader Role" are for control plane management

while data access requires specific data plane roles. The question's "Azure Cosmos DB Data Reader Role" maps conceptually to the built-in Cosmos DB Built-in Data Reader role for the data plane.

Section: "Control plane vs. data plane" and "Built-in role definitions".

2. Microsoft Learn: Azure built-in roles for Azure Cosmos DB. This document details the permissions for control plane roles. It shows that the Cosmos DB Account Reader Role has the Microsoft.DocumentDB/databaseAccounts//read permission

which allows reading account properties but not the data within containers.

Section: "Azure Cosmos DB" table

entry for "Cosmos DB Account Reader Role".

3. Microsoft Learn: Secure access to data in Azure Cosmos DB. This guide explains that to access data using Azure AD identities (like a managed identity)

you must configure Azure Cosmos DB's specific data plane RBAC

which is distinct from the Azure RBAC roles used for management.

Section: "Role-based access control".

To enable Single Sign-On (SSO) for a third-party application from the Azure AD gallery, you must add it to your tenant. This process creates an enterprise application (a service principal object). This enterprise application represents the service in your tenant and is the object you configure for SSO. When users are already signed into their Azure AD-joined computers, Azure AD can then issue access tokens for this application without requiring users to re-enter their credentials.

Conditional Access policies are the primary tool in Azure AD for enforcing organizational access rules. To restrict access to a specific application based on the device's status, you would create a Conditional Access policy. This policy would target the "Service1" enterprise application and include a grant control that requires the connecting device to be Azure AD-joined, thereby blocking access from any device that does not meet this condition.

Microsoft Azure Active Directory Documentation, "What is application management in Azure Active Directory?": This document clarifies that an application added from the gallery to a tenant for SSO is represented as an "enterprise application." It states, "An enterprise application is an object in your Azure AD tenant that represents an application that has been configured for single sign-on." (learn.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-application-management)

Microsoft Azure Active Directory Documentation, "What is Conditional Access?": This source defines Conditional Access as the tool used by Azure AD to bring signals together, to make decisions, and enforce organizational policies. It explicitly lists "device state" as a common signal. (learn.microsoft.com/en-us/azure/active-directory/conditional-access/overview)

Microsoft Azure Active Directory Documentation, "Conditional Access: Conditions": This document details the specific conditions available for policies. The "Device platforms" and "Device state (deprecated)" conditions, along with grant controls like "Require Hybrid Azure AD joined device," demonstrate how Conditional Access is used to enforce device-based restrictions. (learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions)

For assigning users to an existing application like App1, specific administrative roles are required. The Application Administrator (Admin1) and Cloud Application Administrator (Admin3) roles both include permissions to manage user and group assignments to enterprise applications. The Application Developer role does not have this permission for apps it doesn't own, and a standard User has no such administrative rights.

For registering a new application like App2, the default setting in an Azure AD tenant allows all users to register applications. Therefore, everyone listed—including the administrators (Admin1, Admin2, Admin3) and the standard user (User1)—can register App2. The administrative roles have this capability inherently, and the standard user has it via the default tenant-wide policy.

Microsoft Entra built-in roles: Microsoft Learn. (n.d.).

Application Administrator: "Users in this role can create and manage all aspects of enterprise applications, application registrations..." This includes "managing user and group assignments."

Cloud Application Administrator: "Users in this role have the same permissions as the Application Administrator, excluding the ability to manage application proxy." This also includes managing user assignments.

Application Developer: "Users in this role can create application registrations when the 'Users can register applications' setting is set to no." However, they can only manage the applications they create, not assign users to arbitrary applications like App1 registered by a Global Admin.

Reference found in the descriptions of each role under the "Azure AD built-in roles" documentation page.

Configure how users can consent to applications: Microsoft Learn. (n.d.).

Section: "User settings for app registrations"

Content: This document states, "It's possible for all users in a tenant to register application... This switch is set to Yes by default." This confirms that User1, along with all administrators, can register App2 under the default configuration.

To delegate administrative permissions over a specific subset of users, such as executives, while adhering to the principle of least privilege, an administrative unit (AU) is the appropriate object type. An AU acts as a container to scope the application of roles.

The Authentication Administrator role is the most precise choice because it grants permissions to both reset passwords and manage multi-factor authentication (MFA) settings for users within its assigned scope. Other roles like Helpdesk Administrator or Password Administrator are insufficient as they can reset passwords but cannot manage MFA, failing to meet all the requirements of the dedicated support team.

Microsoft Entra ID Documentation, "Administrative units in Microsoft Entra ID." This document explicitly states, "you can use administrative units to delegate administrative permissions over subsets of users... For example, you could use administrative units to delegate the Helpdesk Administrator role to a regional support specialist, so they can manage users only in the region that they support." This directly supports using AUs for scoped administration.

Microsoft Entra ID Documentation, "Microsoft Entra built-in roles," Section: "Authentication Administrator." The description for this role confirms that users with this role can "require users to re-register for existing non-password credentials (for example, MFA or FIDO)... Can also reset passwords for non-administrators and some roles." This validates its suitability for both required tasks.

Microsoft Entra ID Documentation, "Microsoft Entra built-in roles," Section: "Helpdesk Administrator." The documentation clarifies that this role can "Reset passwords for non-administrators," but it does not list any permissions related to managing MFA settings, making it an incorrect choice.

To meet the delegation requirements using the principle of least privilege, you should first restrict the general ability of non-administrative users to create applications. This is done by configuring the Allow users to register application tenant-wide setting to 'No'.

Next, to grant this specific capability only to User1, you assign them the Application developer role. This role is specifically designed to allow a user to create and manage the application registrations they own, even when the general tenant setting prohibits it for other users. The Application administrator and Cloud application administrator roles would grant excessive permissions, including the ability to manage all applications in the tenant, which violates the principle of least privilege for this scenario.

Microsoft Entra ID Documentation, Microsoft Entra built-in roles.

Reference: Under the "Application Developer" role description.

Content: "Users in this role can create application registrations when the 'Users can register applications' setting is set to No. This role also grants permission to consent to permissions on behalf of the current user." This directly supports assigning the Application developer role as the correct method for delegation when the general setting is restricted.

Microsoft Entra ID Documentation, Configure user settings in Microsoft Entra ID.

Reference: Section on "Restrict app registration to administrators."

Content: This documentation explains that setting "Users can register applications" to 'No' prevents non-admin users from creating app registrations. It specifies that for a user to register an app in this case, they must be assigned a role that grants the microsoft.directory/applications/create permission, such as Application developer.

In an Azure AD Conditional Access policy, the Grant control is used to enforce specific requirements for access to be allowed. To mandate multi-factor authentication (MFA), an administrator must configure the policy to "Grant access" but "Require multi-factor authentication" within these settings. This control block determines the actions a user must take to gain access to the specified cloud applications.

The Session control settings in a Conditional Access policy are used to manage the user's session after they have successfully authenticated. To force a user to re-authenticate after a specific period, such as every eight hours, an administrator would configure the "Sign-in frequency" option within the Session settings. This feature dictates the time a user can remain signed in before they are prompted to provide their credentials again.

Microsoft Documentation (Azure AD): "Conditional Access: Grant". Microsoft Learn. Under the section "Require multi-factor authentication," it states, "This control requires users to complete multi-factor authentication." This directly maps the MFA requirement to the Grant control.

Microsoft Documentation (Azure AD): "Conditional Access: Session". Microsoft Learn. The document details the "Sign-in frequency" control, stating, "Sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource." This confirms that re-authentication intervals are managed under Session settings.

The settings shown are for Multi-Factor Authentication (MFA) account lockout, which is triggered by "MFA denials". The lockout threshold is set to three attempts. Among the given options, the Microsoft Authenticator app code is a form of multi-factor authentication. Entering the wrong password relates to primary authentication, not MFA. An email address is a user identifier, not an authentication factor. Therefore, three consecutive failed attempts using the Authenticator app code would trigger the lockout.

The configuration explicitly states the value for "Minutes until account is automatically unblocked" is 30. This setting defines the duration of the lockout period. After 30 minutes have passed since the account was locked due to too many MFA denials, the user will be able to attempt to sign in again. The 60-minute value corresponds to the lockout counter reset, not the lockout duration itself.

Microsoft Learn: "Configure Azure AD Multi-Factor Authentication settings" - This document details the account lockout settings for Azure AD MFA. In the "Account lockout" section, it describes the function of each setting shown in the exhibit, including "Number of MFA denials to trigger account lockout" and "Minutes until account is automatically unblocked," confirming the logic used to determine the answers.

Azure Active Directory (Azure AD) Identity Protection is the specific service designed to detect and remediate identity-based risks. It uses Microsoft's threat intelligence to identify vulnerabilities, including leaked credentials found on the dark web, and classifies them by severity (e.g., high-risk).

A User risk policy is used to trigger remediation. Identity Protection aggregates various risk detections (like leaked credentials) to calculate an overall risk level for a user account. A policy can be configured to take action when this user risk level reaches a certain threshold, such as 'High'. This is distinct from 'Sign-in risk', which assesses the risk of an individual sign-in session.

The control Grant access but require password change is the most appropriate mitigation. It directly addresses the problem of a compromised password by forcing the user to create a new one. This action remediates the risk while fulfilling the requirement to allow the user to regain access to applications.

Microsoft Entra ID Protection Documentation: "Microsoft works with law enforcement, researchers, and partners to find username and password pairs. Identity Protection can detect these leaked credentials and allow administrators to configure policy to automatically force users to change their passwords when their credentials are leaked."

Source: Microsoft. (n.d.). What is Identity Protection?. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection#risk-detections (See section on 'Risk detections' and the 'Leaked credentials' detection type).

Microsoft Documentation on Risk Policies: "A user risk policy detects the probability that a user account is compromised... Identity Protection can be configured to prompt users to register for Microsoft Entra multifactor authentication or change their password if they reach a certain level of risk."

Source: Microsoft. (n.d.). Configure and enable risk policies. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies (See section on 'User risk policy').

Microsoft Documentation on Conditional Access Controls: "Require password change: This control is only available when user risk is detected as a condition. When this control is selected, users will be prompted to change their password to gain access to resources."

Source: Microsoft. (n.d.). Grant controls in Conditional Access policy. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-grant#require-password-change

Statement 1 (Yes): The terms of use policy Terms1 is configured with "Require users to consent on every device" set to On. Since User1 accepted the terms only on Device3 on November 15, they will be prompted again and must accept the terms when they sign in from a different device, such as Device1, on November 20.

Statement 2 (Yes): The policy is set to "Expire consents" starting on December 10, 2020. This means any consent given before this date becomes invalid. On December 11, which is after the expiration date, User1's previous consent from November 15 will have expired. Therefore, they will be required to re-accept the terms on their next sign-in, regardless of the device.

Statement 3 (No): On December 7, User1's consent on Device3 (given on November 15) is still valid. The consent expiration does not begin until December 10. Because the consent is still active for that specific device, User1 will not be prompted to accept the terms again and therefore cannot accept them.

Microsoft Learn (Azure Active Directory Documentation): Describes the settings for terms of use policies.

Require users to consent on every device: "If you enable this option, users are required to accept the terms of use on each device they access the protected resource from. The user's device must be registered in Azure AD." (Note: While registration is mentioned, the prompt is tied to the sign-in session which enforces the Conditional Access policy containing the ToU).

Expire consents: "If you set this option, you can then specify an expiration schedule... When a user's consent expires, they'll be required to reaccept the terms of use."

Source: Microsoft Learn, Quickstart: Require users to accept terms of use before accessing cloud apps, Sections: "Create terms of use", "View report of who has accepted and declined".