Q: 7
You have a Microsoft 36S ES subscription that contains a Windows 11 device named Device 1 and
three users named User 1. User2. and User3.
You plan to deploy Azure Information Protection (AIP) and the Microsoft Purview Information
Protection client to Device 1.
You need to ensure that the users can perform the following actions on Device1 as part of the
planned deployment
• User 1 will test the functionality of the client.
• User2 will install and configure the Microsoft Rights Management connector.
• User3 will be configured as the service account for the information protection scanner.
The solution must maximize the security of the sign-in process for the users What should you do?
Options
Discussion
Option B makes more sense here since passwordless authentication is supported for both interactive and service accounts (like User3), but passkey (D) won't work for non-interactive scenarios. D looks tempting but is a trap for service use. Anyone disagree?
B tbh
Probably B, since passwordless authentication boosts security for both service and interactive accounts. User2 and User3 are handling service-level stuff like the connector and scanner, so they benefit most from it. Traditional MFA wouldn't really fit those roles. If I'm missing something about how they log in for setup, let me know.
B or D? Both sound like they raise security, but I think B covers the service account best. FIDO2 (D) is great for humans but not for a service like User3 running background jobs. Anyone see a downside to B?
D doesn't actually help the service account since FIDO2 needs someone there to tap or verify. Isn't that a trap here?
I was thinking D makes sense here since FIDO2 passkeys are super secure for logins. Since all three would be covered for strong auth, seemed solid. Not sure if the service account setup would be tricky with this though, so maybe I'm missing something.
Option D, People overlook that service accounts sometimes work with FIDO2 if configured right, so D might be valid.
Pretty sure it's B here. Service accounts like User3 can't handle FIDO2, so passwordless is the safer bet for non-interactive stuff. Open to other thoughts if someone disagrees.
B . D is tempting but FIDO2 needs user interaction, which doesn't work for service accounts.
I don’t think it’s B. D makes more sense if you want strong security for all three users, since enabling passkey (FIDO2) means everyone would have phishing-resistant sign-in. Even if User3 is a service account, you could technically assign FIDO2, though setup might be tricky. Pretty sure about this but open to other views.
Be respectful. No spam.
