
Answer-first summary for fast verification
Answer: Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with security keys in the Google Admin console.
Option C is the correct answer because it addresses both password security and multi-factor authentication (MFA) in the context of a federated identity setup.
Since the organization uses synchronization and SAML federation between Cloud Identity and Microsoft Active Directory, password policies should be managed at the Active Directory level (source of truth) rather than in Cloud Identity.
Additionally, security keys provide stronger 2-Step Verification (2SV) than SMS or phone calls, as they are resistant to phishing and SIM-swapping attacks, aligning with NIST recommendations against SMS-based 2SV.
Options A and B are incorrect because they configure password policies in Cloud Identity, which conflicts with the federated setup where Active Directory is the authoritative source.
Option D is less secure due to the use of verification codes via text or phone call, which are vulnerable to interception and social engineering.
Author: LeetQuiz Editorial Team
Your organization has implemented synchronization and SAML federation between Cloud Identity and Microsoft Active Directory. How can you reduce the risk of compromise for Google Cloud user accounts?
A. Create a Cloud Identity password policy with strong password settings, and configure 2-Step Verification with security keys in the Google Admin console.
B. Create a Cloud Identity password policy with strong password settings, and configure 2-Step Verification with verification codes via text or phone call in the Google Admin console.
C. Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with security keys in the Google Admin console.
D. Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with verification codes via text or phone call in the Google Admin console.