You plan to allow users to run internal applications from outside the company’s network.
You have a Windows Server 2012 R2 that has the Active Directory Federation Services (AD FS) role installed.
You must secure on-premises resources by using multi-factor authentication (MFA).
You need to design a solution to enforce different access levels for users with personal Windows 8.1 or iOS 8 devices.
Solution: You install a local instance of MFA Server. You connect the instance to the Microsoft Azure MFA provider, and then run the following Windows
PowerShell cmdlet. Enable-AdfsDeviceRegistration
Does this meet the goal?
A.
Yes
B.
No
Correct. Intune is needed to configure different access levels.
Azure AD conditional access is a feature of Azure Active Directory Premium. Each user who accesses an application that has conditional access policies applied must have an Azure AD Premium license
Device-based conditional access
You can restrict access to applications from devices that are registered with Azure AD, and which meet specific conditions. Device-based conditional access protects an organization’s resources from users who attempt to access the resources from:
Unknown or unmanaged devices.
Devices that don’t meet the security policies your organization set up.
You can set policies based on these requirements:
Domain-joined devices. Set a policy to restrict access to devices that are joined to an on-premises Active Directory domain, and that also are registered with Azure AD. This policy applies to Windows desktops, laptops, and enterprise tablets. For more information about how to set up automatic registration of domain-joined devices with Azure AD, see Set up automatic registration of Windows domain-joined devices with Azure Active Directory.
Compliant devices. Set a policy to restrict access to devices that are marked compliant in the management system directory. This policy ensures that only devices that meet security policies such as enforcing file encryption on a device are allowed access. You can use this policy to restrict access from the following devices:
Windows domain-joined devices. Managed by System Center Configuration Manager (in the current branch) deployed in a hybrid configuration.
Windows 10 Mobile work or personal devices. Managed by Intune or by a supported third-party mobile device management system.
iOS and Android devices. Managed by Intune.
Users who access applications that are protected by a device-based, certification authority policy must access the application from a device that meets this policy’s requirements. Access is denied if attempted on a device that doesn’t meet policy requirements.
For information about how to configure a device-based, certification authority policy in Azure AD, see Set device-based conditional access policy for Azure Active Directory-connected applications.
Source: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access
So NO
Windows domain-joined devices. Managed by System Center Configuration Manager (in the current branch) deployed in a hybrid configuration.
Windows 10 Mobile work or personal devices. Managed by Intune or by a supported third-party mobile device management system.
iOS and Android devices. Managed by Intune.