Exam MS-500 topic 1 question 14 discussion

Actual exam question from Microsoft's MS-500
Question #: 14
Topic #: 1

HOTSPOT -
You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.

You create and enforce an Azure AD Identity Protection sign-in risk policy that has the following settings:
✑ Assignments: Include Group1, Exclude Group2
✑ Conditions: Sign-in risk of Low and above
✑ Access: Allow access, Require multi-factor authentication
You need to identify how the policy affects User1 and User2.
What occurs when each user signs in from an anonymous IP address? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:

Comments

Sugar123
Highly Voted 4 years, 2 months ago
User 2 will be blocked. Watch the video at 1:23: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies. It says access will be blocked if a user is not registered for MFA.
upvoted 39 times
Beitran
4 years, 2 months ago
Thank you!
upvoted 2 times
...
FrugalFungus
4 years, 2 months ago
Thanks Sugar. You are right.
upvoted 1 times
...
bingomutant
4 years, 2 months ago
this looks correct - thanks
upvoted 1 times
...
ellik
4 years, 1 month ago
How about user 1? Is the given answer correct? Can sign in without MFA as exclusion wins?
upvoted 2 times
...
...
Lulu77
Highly Voted 3 years, 11 months ago
Replicated these settings in my demo tenant. User1 - can sign in without MFA. User2 prompted to register.
upvoted 34 times
...
H0TDOGG
Most Recent 2 years, 1 month ago
Late to the party, but I can confirm user2 is blocked. Not prompted for MFA. Meaning, if there is no MFA linked, be it user MFA or conditional access MFA, users are blocked.
upvoted 1 times
...
ChachaChatra
2 years, 4 months ago
Valid on 28/01/2023
upvoted 4 times
...
CEEJAY83
2 years, 4 months ago
The answer is correct. The policy is applied to group 1 only, so user 1 and user 2 are blocked by default because they both are in group 1, but user 1 has an option because he’s also part of another group (group 2) which overrides the policy, and MFA is also blocked by default, which means user 1 can sign in without MFA.
upvoted 1 times
...
Nav90
2 years, 4 months ago
User 1 - can sign in without MFA User 2 - Blocked (Explanation - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies. Under Risk remediation Warning section.)
upvoted 4 times
...
zerrowall
2 years, 5 months ago
User 2 blocked. Checked in a simple lab, this message appeared for user that has been connected from browser Brave in Tor mode: "[email protected] Your sign-in was blocked We've detected something unusual about this sign-in. For example, you might be signing in from a new location, device, or app. Before you can continue, we need to verify your identity. Please contact your admin."
upvoted 1 times
...
bac0n
2 years, 6 months ago
Given answer is correct. Check vunder's comment. If you follow the policy in this example and use Tor browser in Brave for an anonymous IP you will be blocked.
upvoted 1 times
...
Nobal
2 years, 7 months ago
User 2 will be blocked. "Users must register for Azure AD MFA and SSPR before they face a situation requiring remediation. Users not registered are blocked and require administrator intervention." https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies
upvoted 1 times
...
ewu
2 years, 9 months ago
Blocked, since the other option is prompted for MFA, which isn't the case; they will be prompted for MFA registration, not an MFA prompt.
upvoted 1 times
...
Zzzkkk
2 years, 9 months ago
User 2 - Prompted for MFA. Enabling Azure AD Multi-Factor Authentication through a Conditional Access policy doesn't change the state of the user. Don't be alarmed if users appear disabled. Conditional Access doesn't change the state. https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
upvoted 3 times
...
Whatsamattr81
2 years, 11 months ago
MFA CA policies will not apply if legacy (per user) MFA is enabled for the user. Legacy supersedes CA. In this case the CA policy will be applied to User 2 so they will be prompted to register.
upvoted 4 times
...
vunder
2 years, 11 months ago
This is correct. User 1 will be allowed to sign in, due to the exemption made on group2 in the CA policy (exclusions take precedence, this is standard for CA policies). User2 is blocked as the group1 is the one being applied. User2 must have MFA, but since MFA is disabled the sign-in is blocked. Things to look out for when you demo this: check that Security Defaults is disabled. Use tor-browser to simulate an anonymous IP.
upvoted 2 times
...
DarkAndy
2 years, 11 months ago
Valid on exam. Jun 10, 2022
upvoted 5 times
...
tatendazw
3 years ago
User 1 can sign in, User 2 blocked https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies#risk-remediation
upvoted 2 times
...
Ryuukossei
3 years ago
User 2 will NOT be blocked. Conditional Access policies that require MFA as an access control will prompt the user to register if they are not enabled or registered. The per-user MFA status does not affect this process. If they register, they will be allowed to sign in. If they do not register, THEN they will be blocked.
upvoted 5 times
...
Anon617
3 years, 2 months ago
User1 - Can sign in without MFA. User 2 - Blocked. Users must register for Azure AD MFA and SSPR before they face a situation requiring remediation. Users not registered are blocked and require administrator intervention. Reference: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies
upvoted 5 times
...