What should you do?

You have an Azure Active Directory (Azure AD) tenant.
You have an existing Azure AD conditional access policy named Policy1. Policy1 enforces the use of Azure AD-joined devices when members of the Global
Administrators group authenticate to Azure AD from untrusted locations.
You need to ensure that members of the Global Administrators group will also be forced to use multi-factor authentication when authenticating from untrusted locations.
What should you do?
A. From the Azure portal, modify session control of Policy1
B. From the multi-factor authentication page, modify the service settings
C. From the multi-factor authentication page, modify the user settings
D. From the Azure portal, modify grant control of Policy1

Correct Answer: D
Explanation/Reference:
Explanation:
There are two types of controls:
Grant controls – To gate access
Session controls – To restrict access to a session
Grant controls oversee whether a user can complete authentication and reach the resource that they’re attempting to sign-in to. If you have multiple controls selected, you can configure whether all of them are required when your policy is processed. The current implementation of Azure Active Directory enables you to set the following grant control requirements:

References:
https://blog.lumen21.com/2017/12/15/conditional-access-in-azure-active-directory/