1. Microsoft Learn. "What is Conditional Access in Azure Active Directory?". Microsoft Entra documentation. This document states, "Conditional Access policies at their simplest are if-then statements, if a user wants to access a resource, then they must complete an action... Common signals... include... User or group membership... Common decisions... include... Require multi-factor authentication." This directly supports using Conditional Access to require MFA for a specific group.
2. Microsoft Learn. "Tutorial: Secure user sign-in events with Azure AD Multi-Factor Authentication". Microsoft Entra documentation. This tutorial provides a step-by-step guide on creating a Conditional Access policy. Step 4, "Create a Conditional Access policy," explicitly shows how to select a specific user group under "Assignments" and then select "Require multi-factor authentication" under "Access controls."
3. Microsoft Learn. "What is Azure Policy?". Azure Governance documentation. This source clarifies that Azure Policy "evaluates resources in Azure by comparing the properties of those resources to business rules." This confirms its focus is on resource governance, not identity access.
4. Microsoft Learn. "Configure and enable risk policies". Microsoft Entra documentation. This document explains, "The user risk policy detects the probability that a user account is compromised and allows administrators to configure an automated response... such as... requiring a secure password change or requiring multi-factor authentication." This shows that user risk policies are triggered by risk, not just group membership.