Exam MS-500 topic 1 question 13 discussion

Actual exam question from Microsoft's MS-500
Question #: 13
Topic #: 1

HOTSPOT -
You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.

You create and enforce an Azure AD Identity Protection user risk policy that has the following settings:
✑ Assignments: Include Group1, Exclude Group2
✑ Conditions: User risk of Low and above
✑ Access: Allow access, Require password change
You need to identify how the policy affects User1 and User2.
What occurs when User1 and User2 sign in from an unfamiliar location? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: User1 only
The user risk policy includes Group1 but excludes Group2, and in Identity Protection and Conditional Access an exclusion always overrides an inclusion. The policy therefore does not apply to User2, and only User1 is required to change their password.

Box 2: User2 only
The user risk policy itself only carries the "Require password change" control; it has no MFA control and so cannot by itself prompt anyone for MFA. The MFA prompt for User2 comes from the per-user multi-factor authentication status listed for User2 in the users table, which is independent of the risk policy and is not affected by the Group2 exclusion.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies
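The referenced article now walks through creating risk policies as Conditional Access policies rather than in the legacy Identity Protection blade. The following PowerShell builds the policy from this question (include Group1, exclude Group2, user risk Low and above, require password change) through Microsoft Graph. It is an added example and is not part of the exam question, the suggested answer or Microsoft's documentation. It assumes the Microsoft.Graph PowerShell modules are installed and that the signed-in account holds the Conditional Access Administrator role; looking the groups up by display name, the policy display name, and starting in report-only mode are the author's choices.

```powershell
# Added example: the exam question's user risk policy expressed as a
# Conditional Access policy via Microsoft Graph PowerShell.
# Assumes: Install-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups
# and an account with the Conditional Access Administrator role.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Group.Read.All'

# Conditional Access references groups by object ID, not display name.
# Group1 and Group2 are the names used in the question; the lookup is ours.
$group1 = Get-MgGroup -Filter "displayName eq 'Group1'"
$group2 = Get-MgGroup -Filter "displayName eq 'Group2'"
if (-not $group1 -or -not $group2) {
    throw 'Group1 and/or Group2 not found in the tenant'
}

$policy = @{
    displayName = 'User risk (Low and above): require password change'
    # Report-only first: the sign-in logs then show which users the policy
    # WOULD have matched (User1 yes, User2 no) before it is switched to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        applications = @{ includeApplications = @('All') }
        users        = @{
            includeGroups = @($group1.Id)
            # Exclusion overrides inclusion: a Group1 member who is also in
            # Group2 is never evaluated against this policy.
            excludeGroups = @($group2.Id)
        }
        # "Low and above" means every level. This is userRiskLevels, not
        # signInRiskLevels: an unfamiliar location raises sign-in risk; user
        # risk is the aggregate probability that the account is compromised.
        userRiskLevels = @('low', 'medium', 'high')
    }
    grantControls = @{
        # Conditional Access does not accept 'passwordChange' on its own. It
        # must be paired with 'mfa' under the AND operator ("require all the
        # selected controls"), so the user must be able to complete MFA before
        # the self-service password change can happen.
        operator        = 'AND'
        builtInControls = @('mfa', 'passwordChange')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

Two checks a practitioner would make before flipping the state to `enabled`: confirm that every member of Group1 is registered for MFA, because the password-change control cannot be satisfied by a user who cannot complete MFA, and review the report-only results in the sign-in logs to verify that Group2 members are reported as "not applied".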

Comments

kiketxu
Highly Voted 4 years, 3 months ago
User1 must change PW. User2 prompted for MFA.
upvoted 49 times
w00t
4 years, 3 months ago
This is the right answer
upvoted 7 times
Yetijo
4 years ago
This is the correct answer. The CA in this scenario is designed for User 1. The user does not have MFA enabled and cannot be challenged, but they can be allowed and prompted action (password change). By nature of MFA a user will be challenged when signing on from an unfamiliar location, without a CA in place.
upvoted 7 times
Sikula
Highly Voted 4 years, 3 months ago
I assume that correct answers are: User1 must change password (because User2 is excluded from condition) Neither User1 nor User2 will be prompted (because there is not such condition)
upvoted 22 times
ellik
4 years, 2 months ago
Can you elaborate more on why neither User1 nor User2 will be prompted (because there is no such condition)? It is really confusing with all these discussions.
upvoted 1 times
dcasabona
4 years, 2 months ago
This is because the conditional access policy asks to change the password, not to enforce MFA. On top of that, MFA is disabled for user 1 and excluded for user 2 since he is in the exclusion policy, which overrides inclusion.
upvoted 2 times
JoelB
4 years ago
The MFA settings are not in the conditional access policy but in the Azure Multi-Factor Authentication blade. This is the per-user AAD MFA (although MS are recommending utilising CA policies for MFA, this is also an option). Since the status of User 2 is set to Enabled, they will have to configure MFA on next login. The user is signing in from an unfamiliar location, so they will not be exempt via the Trusted IP ranges which can be configured in the per-user AAD MFA. Therefore User 2 will be required to set up MFA if they sign in; the second answer is correct. I agree with the exclusion for User 2 and the first answer should be User 1 only.
upvoted 7 times
LillyLiver
3 years, 3 months ago
Ummmm.... See, I think this is trickier than it appears. User2's MFA status is Enabled. When they are enabled, the user can skip the MFA registration for 2 weeks before being required to register. So in this scenario User2 is Enabled so s/he will be prompted for registration, which s/he can skip. If the status was Enforced, then yes MFA will be presented to User2. And, since the org is using per-user MFA enrollment due to User1's MFA being disabled, I think User1 will need to change their password and neither 1 or 2 will be prompted for MFA.
upvoted 2 times
LillyLiver
3 years, 3 months ago
Having gone through the Identity Protection policy again, there is no option for forcing someone to change their password. So the answer to Q1 is Neither User1 nor User2. The answer for Q2 is still Neither User1 nor User2. For my reasons above.
upvoted 1 times
yayoayala
4 years, 2 months ago
User1 must change password (because User2 is excluded from the condition. Exclusion wins over inclusion.) Neither User1 nor User2 will be prompted (because there is no such condition).
upvoted 4 times
WMG
3 years, 11 months ago
Read JoelB's answer, the correct answer is "User 1 must change password" and "User 2 will be prompted for MFA" (User 2 will actually be enrolled into MFA as it is only Enabled).
upvoted 2 times
TomasValtor
Most Recent 2 years ago
First, a sign-in from an unfamiliar location is a sign-in risk, not a user risk. So I think the right answer for both users is: "Neither User1 nor User2".
upvoted 1 times
examdog
2 years, 6 months ago
When organizations both include and exclude a user or group the user or group is excluded from the policy, as an exclude action overrides an include in policy. <https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-users-groups>
upvoted 2 times
SahMat
2 years, 7 months ago
If exclusion overrides inclusion, then neither User1 nor User2 will be prompted with MFA, as MFA is disabled for Group 1 and both users are members of Group 1, which is disabled for MFA .....
upvoted 2 times
pete26
2 years, 9 months ago
This is probably the most commented question for MS-500. I do agree with the answers given for both: User1 will be asked to change password because it is a member of Group1. Group1 is included in the assignments. User2 MFA status is set to “enabled”. This means he will be prompted for MFA. Once registered his MFA status will change to “enforced”. Yes, User2 is excluded from the user risk policy, but the user risk policy has nothing to do with MFA, a sign-in policy does. This is how Microsoft tries to get you!
upvoted 5 times
SKam22
2 years, 10 months ago
Let's break it down:
A: SSPR can only be enabled for users that have MFA.
B: User risk policy can require SSPR.
The users are logged in from an unfamiliar location? This is related to the "Sign-in" risk policy, not the "User risk" policy, therefore the correct answer for both is: Neither User 1 nor User 2.
upvoted 3 times
Bulldozzer
2 years, 12 months ago
The correct answers are: Q1: "Neither User1 nor User2" because there is no password change option in the Identity protection sign-in risky policy. Q2: “User2" because even if the MFA status is set to "Enabled" the user will be prompted for MFA
upvoted 3 times
Whatsamattr81
3 years ago
The policy doesn't apply to user 2 but it doesn't change their MFA status (Enabled) - so they will either be prompted for MFA or, if it is the first time, prompted for setup and then prompted for MFA.
upvoted 2 times
tatendazw
3 years, 1 month ago
Pwd change required for User 1 only, and a user risk policy does not prompt for MFA, so neither User 1 nor 2 shall be prompted for MFA. If it was a sign-in risk policy then User 2 would be prompted to register for MFA. https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#azure-ad-multi-factor-authentication-user-states
upvoted 1 times
rtea
3 years, 2 months ago
There is no sign-in risk condition available under a user risk policy
upvoted 2 times
VickyRajdev
3 years, 3 months ago
User1 - Must change password, it's based on the policy mentioned in the question. User2 - Will be prompted for password, because if you see the words "MULTI-FACTOR AUTH STATUS", this term is only and exactly available under PER-USER MFA SETTINGS, hence USER2 will be prompted for MFA based on the per-user MFA settings.
upvoted 1 times
Jared144
3 years, 5 months ago
Interesting to consider that MFA is required when resetting a password, so perhaps it's both User1 and User2 who are prompted for the second one.
upvoted 2 times
kakakayayaya
3 years, 4 months ago
Definitely!
upvoted 1 times
mgrcic56
3 years, 6 months ago
1st: Both users 2nd: User2 only
upvoted 1 times
mkoprivnj
3 years, 7 months ago
User 1 and User 2 only.
upvoted 1 times
Rstilekar
3 years, 7 months ago
Given answer is wrong for box 2.
Box 1: User1 only - The Azure AD Identity Protection user risk policy is excluded from Group2. Exclusion overrides inclusion. Therefore, the policy will not affect User2. Thus, only User 1 needs to change the password. The CA in this scenario is designed for User 1. The user does not have MFA enabled and cannot be challenged, but they can be allowed and prompted for action (password change).
Box 2: User2 only - MFA will be triggered for User 2. Even though User2 is excluded by Group2 (exclusion overrides inclusion), so CA is not applied to them, by nature of MFA a user will be challenged when signing on from an unfamiliar location, without a CA in place. For User1 MFA is disabled altogether so they will not be challenged for MFA.
upvoted 1 times
Rstilekar
3 years, 7 months ago
I mean given answers are correct for both
upvoted 1 times
Rstilekar
3 years, 7 months ago
The CA in this scenario is designed for User 1. The user does not have MFA enabled and cannot be challenged, but they can be allowed and prompted action (password change).
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other