Microsoft Security, Compliance, and Identity Fundamentals (SC-900) Practice Exam

The correct option is a Conditional Access policy. This type of policy allows administrators to create rules that are enforced when accessing resources in Azure Active Directory. By using Conditional Access, you can specify conditions under which multi-factor authentication (MFA) is required, such as ensuring that all users in a specific group must complete an additional authentication step when signing in.

Conditional Access policies are highly customizable and can be tailored to fit various scenarios, including group membership, user location, and device compliance status. This makes them the ideal choice for enforcing MFA requirements across specific user groups.

In contrast, Azure Policy is generally used for managing resources and enforcing organizational standards across Azure. While it ensures compliance at the resource level, it doesn't specifically address user authentication scenarios.

A communication compliance policy is focused on monitoring and protecting organizational communications rather than controlling access to applications based on user authentication.

A user risk policy is designed to automatically respond to user risk assessments—like requiring MFA for users identified as potentially compromised—but it does not provide the same level of control over user groups as a Conditional Access policy. Hence, for ensuring that all users in a certain group must use MFA, a Conditional Access policy is the precise tool to achieve that goal.