Your company uses Azure AD for identity management. You need to enforce multi-factor authentication (MFA) for all users. Where should you configure this policy?

Correct answer: Conditional Access policies

Option C is correct because Conditional Access policies in Azure AD (Entra ID) are the designated mechanism for enforcing MFA based on conditions such as user group, location, application, or risk level, giving granular control over when and for whom MFA is required. Option A is incorrect because RBAC controls what actions users can perform on Azure resources, not authentication requirements such as MFA. Option B is incorrect because Azure Policy governs resource configuration and compliance at the resource management layer, and cannot enforce authentication controls like MFA. Option D is incorrect because Security Defaults apply a fixed, opinionated set of baseline protections including MFA, but they cannot be customized for specific users or conditions, making Conditional Access the superior choice when fine-grained control is needed.