Exam MS-900 topic 1 question 222 discussion

(MAX SCORE for each in brackets) A. Enable policy to block legacy authentication. (20) B. Enable user risk policy or sign-in policy. (Both have 30) C. Require multi-factor authentication for all users. (30) D. Delete/block accounts not used in last 30 days. (1) E. Do not expire passwords. (10) So Correct Answer is : ABC (Ref: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score See Max score column for each)

ABC based on https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score?view=o365-worldwide

As per Endra Identity Secure Score July 2024: Ensure multifactor authentication is enabled for all users 16.07% Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)' 14.29% Enable Conditional Access policies to block legacy authentication 14.29%

As per Endra Identity Secure Score July 2024: Ensure multifactor authentication is enabled for all users 16.07% Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)' 14.29% Enable Conditional Access policies to block legacy authentication 14.29%

I just checked in our secure score at my MSP, its ACE. MFA for all users: 3.14% Block legacy: 2.79% Passwords never expire: 2.79% User Risk: 2.44% Block/delete users isnt even listed anymore. I assume this question is very old.

THIS is the real Anwar , got it from GPT-4. Require multi-factor authentication for all users (worth 20 points). Enable policy to block legacy authentication (worth 10 points). Enable user risk policy (worth 10 points)

Score impact: ACE Enable policy to block legacy authentication - 14.29% Require multi-factor authentication for all users - 17.86% Do not expire passwords - 14.29%

Here's a list of some of the security controls that are included in the Azure AD Identity Secure Score report, along with their maximum point values: Require MFA for administrative roles (50 points) Require MFA for users accessing sensitive data (30 points) Enable password hash synchronization (10 points) Enable Azure AD Multi-Factor Authentication (10 points) Enable self-service password reset (10 points) Enable policy to block legacy authentication (10 points) Enable user risk policy (10 points) Delete/block accounts not used in last 30 days (10 points) Configure Azure AD sign-in risk policy (8 points) Enable risk-based Conditional Access policies (8 points) Note that the point values for each control may vary depending on the specific implementation and configuration of Azure AD in your organization. Additionally, not all security controls are enabled by default, and some may require additional configuration or licensing to use.

The three security items on the report that have the most impact on the Identity Secure Score are: A. Enable policy to block legacy authentication: This is an important security measure to prevent older, less secure authentication methods from being used, reducing the risk of unauthorized access to user accounts. B. Enable user risk policy: This security measure helps to identify high-risk user activities, such as failed login attempts or suspicious IP addresses, and take appropriate action to prevent unauthorized access. C. Require multi-factor authentication for all users: This security measure adds an extra layer of protection by requiring users to provide additional authentication factors, such as a code sent to their mobile device or a fingerprint scan, in addition to their password. Therefore, options A, B, and C are the correct answers. Options D and E are also important security measures but have less impact on the Identity Secure Score compared to the other three options.

ACE, as per screenshot in https://www.rozemuller.com/monitor-identity-secure-score-security-improvement-action-status/

Require MFA: 8,4% Do note expire PW: 6,72% Enable prolicy to block legacy authentication: 6,72% Turn on sigh-in risk policy: 5,88% --> So A C E

See the link https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score

A. Enable policy to block legacy authentication. (8 point) B. Enable user risk policy or sign-in policy. (7 point) C. Require multi-factor authentication for all users. (9 point) D. Delete/block accounts not used in last 30 days. (N/A) E. Do not expire passwords. (8 point)

I see a lot of doubts and different answers (looking at other dumbs that signal A B C as answer) so i logged in my security center and organized actions by %. Multi factor autentication is indeed first ( A ) Enable policy to block legacy authentication is second (b) Do not expire passwords with about 11% ends up third (c) Enable user risk policy or sign-in policy was right below the password expire at 10% so answer is confirmed A C E as of 23/08/2022

ABC is correct

My trial tenant as of 12/2021 shows that 'do not expire passwords' is worth more than 'user risk policy' therefore A C E are the answers : B. Turn on user risk policy +5.6% E. Do not expire passwords +6.4%

ABC is correct