The correct option is Conditional Access policies.

Conditional Access policies are the policy engine in Azure Active Directory that evaluate signals such as network location, device compliance state, user and group membership, application, and sign in risk to make access decisions. They can require MFA, block or grant access, or require a compliant device based on those conditions, and they integrate with Intune device compliance to enforce posture based controls.

Microsoft Authenticator mobile app provides a convenient and strong second factor for authentication through push notifications or one time codes. It is an authentication method and not a policy engine, so it cannot on its own enforce detailed access rules based on location or device compliance.

OATH one time password hardware tokens are physical devices that generate time based one time passwords for MFA. They offer a form of verification but they do not evaluate conditions like network location or device health and so they cannot implement conditional access rules.

Azure Active Directory security defaults enable simple, tenant wide protections such as requiring MFA for privileged accounts and blocking legacy authentication. They are intentionally broad and global and do not provide the granular, conditional controls that Conditional Access policies deliver.

Full AWS Practitioner Certification Question