Exam MS-500 topic 2 question 25 discussion

Actual exam question from Microsoft's MS-500
Question #: 25
Topic #: 2

HOTSPOT -
You have a Microsoft 365 E5 subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com.
Azure AD Identity Protection alerts for contoso.com are configured as shown in the following exhibit.

A user named User1 is configured to receive alerts from Azure AD Identity Protection.
You create users in contoso.com as shown in the following table.

The users perform the sign-ins shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: No -
User1 will receive the two alerts classified as medium or higher.
Sign-ins from infected device is classified as low. This risk detection identifies IP addresses, not user devices. If several devices are behind a single IP address, and only some are controlled by a bot network, sign-ins from other devices may trigger this event unnecessarily, which is why this risk detection is classified as Low.

Box 2: No -
User2 will receive the two alerts classified as medium or higher.
Email alerts are sent to all global admins, security admins and security readers.
Sign-ins from infected device is classified as low. This risk detection identifies IP addresses, not user devices. If several devices are behind a single IP address, and only some are controlled by a bot network, sign-ins from other devices may trigger this event unnecessarily, which is why this risk detection is classified as Low.

Box 3: No -
User3 will not receive alerts.
Email alerts are sent to all global admins, security admins and security readers.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies

Comments

kiketxu
Highly Voted 4 years, 3 months ago
Based on the below risk level severity ("old") table, I would say...
YES. User1 receives 3 alerts as all of them are medium and he was manually added.
YES. User2 receives 3 alerts (for the same) but in this case for his Security Reader role.
NO. User3 doesn't receive any because his "User Administrator" role does not permit that.
Users with leaked credentials - High
Sign-ins from anonymous IP addresses - Medium
Impossible travel to atypical locations - Medium
Sign-ins from infected devices - Medium
Sign-ins from unfamiliar locations - Medium
Sign-ins from IP addresses with suspicious activity - Low
NOTE: This table has grown recently, seems now with more alerts, but couldn't get their current level. Not sure when we will see this in exam. https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#user-risk
upvoted 31 times
Sethoo
4 years, 3 months ago
Check the configuration. The alert is configured to go to just 1 email and that is user 1. So why will user 2 get the email alert? I lean YES NO NO
upvoted 4 times
TheGuy
4 years, 3 months ago
From the Identity Protection Alert Blade: "Users in the Global administrator, Security administrator, or Security reader roles are automatically added to this list if that user has a valid "Email" or "Alternate email" configured". I'd say: Yes, Yes, and No
upvoted 3 times
...
...
Kalzonee3611
4 years, 1 month ago
How do you know which activity falls under which category of threat?
upvoted 3 times
...
Jhill777
3 years, 1 month ago
Sign-ins from infected devices is low
upvoted 3 times
...
Yetijo
4 years ago
Agree, - Yes, Yes, No. Per documentation, by default - GA, Security Admin, and Security Reader receive mail. Source: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-notifications#configure-users-at-risk-detected-alerts All events are flagged in the Sign-In Risk table here. Source: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#sign-in-risk
upvoted 2 times
...
...
MrAce
Highly Voted 3 years, 10 months ago
Maybe I think too simple. But the screenshot is User risk level and not Sign-in risk level. So answer is No No No.
upvoted 22 times
kidney83
3 years, 9 months ago
Very subtle, but I think you are right
upvoted 3 times
...
Grudo
3 years, 5 months ago
Everyone missed this except you and adamsca
upvoted 2 times
...
RVR
2 years, 9 months ago
I think you're right. The given answer appears to be correct.
upvoted 1 times
...
...
GatesBill
Most Recent 2 years, 2 months ago
A user risk represents the probability that a given identity or account is compromised. A sign-in risk represents the probability that a given authentication request isn’t authorized by the identity owner. Microsoft doesn't provide specific details about how risk is calculated. Each level of risk brings higher confidence that the user or sign-in is compromised. > Reference: https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-levels Yet again an invalid question where the given policy does not match the given scenario and even if it did, no concrete info is known as Microsoft did not provide it (yet?).
upvoted 1 times
...
SKam22
2 years, 11 months ago
User risk vs sign-in risk. Answer, N,N,N. Policy doesn't apply to the Sign-ins. See below for User vs Sign-in risk: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
upvoted 2 times
...
Whatsamattr81
2 years, 11 months ago
It's sneaky, but those risks are sign in risks, and the picture is of a user risk policy. Unless the Q is wrong, the answer would be NNN... If the picture is wrong, and it should be a sign in risk policy, the answer would be YYN. Either way, you'll get one mark for this lol
upvoted 1 times
...
mbecile
3 years, 5 months ago
Per Microsoft Docs
- Users with Leaked Credentials = High
- Sign-ins from Anonymous IP Addresses = Medium
- Impossible Travels to atypical locations = Medium
- Sign-in from unfamiliar location = Medium
- Sign-ins from IP Addresses with suspicious activity = Low
- Sign-ins from infected devices = Low
Source: https://docs.microsoft.com/en-us/learn/modules/introduction-to-azure-identity-protection/4-explore-vulnerabilities-risk-events
upvoted 2 times
...
mkoprivnj
3 years, 7 months ago
YES. User1 receives 3 alerts as all of them are medium and he was manually added. YES. User2 receives 3 alerts (for the same) but in this case for his Security Reader role. NO. User3 doesn't receive any because his "User Administrator" role does not permit that.
upvoted 1 times
...
Rstilekar
3 years, 7 months ago
At present scenarios there are name changes to Azure Sentinel role to Microsoft Sentinel Role. Right ans is B & E. E. Logic App Contributor # Create and run playbooks. Microsoft Sentinel uses playbooks for automated threat response. Playbooks are built on Azure Logic Apps, and are a separate Azure resource. You can use the Logic App Contributor role to assign explicit permission for using playbooks. B. *Azure (now Microsoft) Sentinel responder # Manage incidents. Can view data, incidents, workbooks, and other Microsoft Sentinel resources (like Microsoft Sentinel Responder) ++ manage incidents (assign, dismiss, etc.) Ref # https://docs.microsoft.com/en-us/azure/sentinel/roles#roles-and-allowed-actions
upvoted 1 times
...
adamsca
3 years, 8 months ago
So, I am a little confused as I came up with No No No because the exhibit shows user risk policy but the risk event types were sign in risk events. They should not get emails based on user risk policy because we are talking about sign in risk events. Isn't "sign in risk" different from user risk? There are separate policies for these. Terrible question in my opinion. Let me know what u think.
upvoted 6 times
...
gkp_br
3 years, 8 months ago
N - N - N Sign-ins from infected devices - Low https://docs.microsoft.com/pt-br/learn/modules/introduction-to-azure-identity-protection/4-explore-vulnerabilities-risk-events
upvoted 9 times
...
AlexanderSaad
3 years, 9 months ago
Configure users at risk detected alerts As an administrator, you can set: The user risk level that triggers the generation of this email - By default, the risk level is set to “High” risk. The recipients of this email - Users in the Global administrator, Security administrator, or Security reader roles are automatically added to this list. We attempt to send emails to the first 20 members of each role. If a user is enrolled in PIM to elevate to one of these roles on demand, then they will only receive emails if they are elevated at the time the email is sent.
upvoted 1 times
...
Hami3191
3 years, 9 months ago
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-notifications#:~:text=The%20recipients%20of,email%20is%20sent.
upvoted 1 times
...
The_Poet
3 years, 11 months ago
Sign-ins from infected device is classified as low. This risk detection identifies IP addresses, not user devices. isn't right?
upvoted 1 times
...
ThBEST
3 years, 11 months ago
Each of the sign ins are successful so therefore each have a low risk. The infected system has not set off any alerts and the risk remains low. So because of the low risk there will be no alert emails sent to either user at this time. No, No, No.
upvoted 1 times
...
Destny
4 years, 1 month ago
Definitely YYN
upvoted 2 times
...
Pitch09
4 years, 1 month ago
YYN- explained here - https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-notifications#:~:text=In%20response%20to%20a%20detected%20account%20at%20risk%2C,you%20should%20immediately%20investigate%20the%20users%20at%20risk.
upvoted 2 times
...
ismossss
4 years, 1 month ago
This one must be no. Sign-ins from infected devices - Low no. Sign-ins from infected devices - Low no. Sign-ins from infected devices - Low
upvoted 3 times
...