ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-500 All Questions

View all questions & answers for the AZ-500 exam
Go to Exam

Exam AZ-500 topic 2 question 31 discussion

Actual exam question from Microsoft's AZ-500
Question #: 31
Topic #: 2
[All AZ-500 Questions]

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.

You create and enforce an Azure AD Identity Protection sign-in risk policy that has the following settings:
✑ Assignments: Include Group1, exclude Group2
✑ Conditions: Sign-in risk level: Medium and above
✑ Access: Allow access, Require multi-factor authentication
You need to identify what occurs when the users sign in to Azure AD.
What should you identify for each user? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
References:
http://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/ https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
by RameshSesetti at March 11, 2021, 7:40 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Bjarki2330
Highly Voted 3 years, 11 months ago
Answers are correct: 1) MFA is enabled and whenever on next log-in he will have to sign up anyway, regardless of the policy, therefore prompted. 2) Blocked - "Users must register for Azure AD MFA and SSPR before they face a situation requiring remediation. Users not registered are blocked and require administrator intervention." 3) Blocked - See text in 2) https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies
upvoted 87 times
Hot_156
4 months ago
When Azure AD Identity Protection requires MFA for a sign-in and the user has MFA disabled, the behavior depends on the specific policy configuration. If the policy is set to "allow access, request MFA," Identity Protection will prompt the user to register for MFA during the sign-in process. This means that even if MFA is disabled for the user, they will be required to complete the MFA registration and verification to gain access.
upvoted 1 times
Hot_156
4 months ago
Ignore this. It will be blocked
upvoted 1 times
...
...
pentium75
11 months ago
MFA is "enabled" which means that it is NOT enforced and he will NOT "have to sign up anyway". "Enabling MFA for a user means that the user has the option to set up MFA, but it is not required. Enforcing MFA means that the user is required to set up MFA and cannot access their account until they have completed the MFA setup process. "
upvoted 2 times
...
BillBaits
3 years, 6 months ago
According to the official Skillpipe book, "sign-ins from infected devices" are considered as "low".
upvoted 17 times
BP_lobster
3 years, 3 months ago
you are correct imho/number 3 would now be Username & password
upvoted 5 times
BP_lobster
3 years, 3 months ago
Source: https://github.com/toddkitta/azure-content/blob/master/articles/active-directory/active-directory-identityprotection-risk-events-types.md (official github repo, states "sign-ins from infected devices" are considered classified as "low")
upvoted 2 times
...
...
...
azure_2563
1 year, 8 months ago
User3 will be blocked: Reason- sign-ins from infected devices is considered as "Medium" so policy will be applied. Since user3 is MFA enabled it will be blocked.
upvoted 2 times
xRiot007
11 months, 2 weeks ago
Sign in from infected devices is "Low". If things go south and user credentials are leaked that is "High".
upvoted 1 times
...
azure_2563
1 year, 8 months ago
sorry MFA is disabled so admin action is required.
upvoted 2 times
...
...
Load full discussion...
...
canonigo
Highly Voted 4 years, 3 months ago
1- Prompt for MFA -> User is excluded, but MFA is Enabled, user is always prompted for MFA. 2.- Prompt for MFA -> Risk is medium and policy applies 3.- Single Authentication -> Policy doesn't apply, risk low
upvoted 72 times
eroms
4 years, 1 month ago
User 3 --> Prompted for MFA
upvoted 4 times
...
cjace
4 years, 1 month ago
MFA MFA MFA
upvoted 26 times
Denn81
4 years, 1 month ago
Sign-ins from infected devices - Medium thus MFA
upvoted 10 times
...
Payday123
3 years, 4 months ago
That would correct for Conditional Access but question is about Identity Protection. According to Microsoft: "Users must register for Azure AD MFA and SSPR before they face a situation requiring remediation. Users not registered are BLOCKED and require administrator intervention."
upvoted 13 times
...
...
OhBee
4 years, 3 months ago
I respectfully disagree with number 2, although I stand to be corrected. 2.- Be blocked --> Risk is medium and policy applies, HOWEVER MFA is disabled for User 2 and this he/she is blocked.
upvoted 8 times
3abmula
4 years ago
Even if MFA is disabled, since conditional access policy applied, user will be prompted for MFA enrollment, and to login using MFA. And by the way, even after the user activates MFA, status will remain disabled for that user, because it will be only used when a conditional access policy is met.
upvoted 8 times
gigiscula
3 years, 9 months ago
This is not Conditional Access. It is Identity Protection, and as stated by docs if the user isn't enrolled in MFA, it will be blocked.
upvoted 11 times
Stews
3 years, 2 months ago
Not true, this is the legacy method of assigning mfa to users. Security baselines means that all tenants have mfa enforced by default anyways. It should be managed via CA and being disabled here means nothing. I think this question is ancient, but I still wanted to add this.
upvoted 5 times
...
...
...
macco455
4 years, 3 months ago
Yes MFA is disabled for User 2 on his account, BUT since he matches the policy he will need to use MFA to log in now as the policy supercedes his AAD settings. Therefore User 2 will be Prompted for MFA
upvoted 9 times
...
...
...
gumibobo
Most Recent 1 year, 3 months ago
right answers
upvoted 1 times
...
heatfan900
1 year, 10 months ago
USER 1 WILL ALWAYS BE PROMPTED REGARDLESS OF POLICY ASSIGNMENT BECAUSE MFA IS ENFORCED AGAINST THEIR ACCT. USER 2 WILL BE BLOCKED BECAUSE THEY ARE SOLELY IN GROUP 1 AND THE MEET THE CONDITIONS OF THE POLICY ASSIGNED WITH MFA DISABLED WHICH GOES AGAINST THE POLICY REQUIREMENTS. USER 3 WILL BE ALLOWED TO LOGIN WITH USERNAME AND PASSWORD ONLY BECAUSE, ALTHOUGH THEY ARE IN GROUP 1 THEY DO NOT MEET THE CONDITIONS AND DO NOT HAVE MFA ENFORCED DIRECTLY AGAINST THEIR ACCT. SIGNING IN FROM AN INFECTED DEVICE IS CONSIDERED LOW RISK..
upvoted 8 times
pentium75
11 months ago
No, MFA is "enabled", not "enforced".
upvoted 2 times
...
...
majstor86
2 years, 3 months ago
MFA Blocked Username and password
upvoted 5 times
...
ltjones12
2 years, 5 months ago
The first 2 are correct, the third is "sign in with username and pw only". It's low risk, and MFA is disabled for the user
upvoted 3 times
...
TweetleD
2 years, 7 months ago
sign ins from an infected device is classified as a low risk so user3 will be able to sign in by using a username and password only
upvoted 2 times
...
somenick
2 years, 9 months ago
Latest update: Microsoft doesn't provide specific details about how risk is calculated. Each level of risk brings higher confidence that the user or sign-in is compromised. So this question is obsolete
upvoted 10 times
Fal991l
2 years, 7 months ago
It's still good practice though
upvoted 1 times
...
...
fro_prince
2 years, 10 months ago
2 and 3 - blocked https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies
upvoted 2 times
...
Ivanvazovv
2 years, 10 months ago
All "Sign in from unfamiliar location", "Sign in from infected device" and "Sign in from anonymous IP address" are medium risk thus all satisfy the condition to require MFA. User1 will be prompted from MFA regardless. So all three sign ins require MFA.
upvoted 1 times
...
certmonk
3 years, 1 month ago
All 3 should be prompted for MFA. Because all of them are in Group1 and the Access level is set to Allow access Require MFA. For 2 and 3 the user should still be prompted for MFA but since they have MFA disabled so they will not be able to proceed with MFA.
upvoted 2 times
...
DaveBinDC
3 years, 2 months ago
Answers are correct. The key here is that user MUST complete MFA registration for the identity protection sign-in risk policy to take effect. Since USER1 is the only one that is MFA enabled (registered), he is the only one that will be forced to use MFA to sign in. The other two will be blocked. https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies
upvoted 1 times
...
CJ32
3 years, 5 months ago
1.) Username and Password only. User is a part of Group 2. Exclusion takes precedence. 2.) Blocked. User MUST sign up for MFA beforehand or they will be blocked. (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies) 3.) Blocked. Same reasoning as above.
upvoted 3 times
...
stack120566
3 years, 5 months ago
1. Sign in Username and Pw only .. user1 is member of group 2 ( excluded from risk policy ) 2. Blocked .. MFA required but User 2 MFA status is disabled 3. Sign In with UserName and Pw only... Low risk so policy does not apply
upvoted 3 times
Payday123
3 years, 4 months ago
1. User1 is MFA in user's properties
upvoted 3 times
...
...
[Removed]
3 years, 5 months ago
MFA Blocked Single Authentication
upvoted 3 times
...
snake_alejo
3 years, 6 months ago
my answers based on that: user1 will ask MFA for being a medium threat. user2 will ask for MFA for being a medium type threat (unfamiliar location.) User 3 does not apply the policy since the risk, according to Microsoft, is low. in no case user 1 and 2 are blocked.
upvoted 1 times
...
Patchfox
3 years, 6 months ago
As gigiscual said: Users must register for Azure AD MFA and SSPR BEFORE they face a situation requiring remediation. Users not registered are blocked and require administrator intervention. https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies So, User2 will be blocked. But I do not agree with answer three because Microsoft classify sign-ins from infected devices with low risk.
upvoted 4 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel