ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-500 All Questions

View all questions & answers for the AZ-500 exam
Go to Exam

Exam AZ-500 topic 2 question 25 discussion

Actual exam question from Microsoft's AZ-500
Question #: 25
Topic #: 2
[All AZ-500 Questions]

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.

The tenant contains the named locations shown in the following table.

You create the conditional access policies for a cloud app named App1 as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
by Sandy44428 at Dec. 10, 2021, 8:21 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Naqsh27
Highly Voted 3 years, 6 months ago
User 1 from Boston: is user 1 member of Group 1 - yes - Block is user 1 member of Group 2 - yes Exclusion takes priority - Allow Policy 1 does not apply Policy 2 Applies Policy 3 and 4 does not apply User 1 - Allowed Is user 2 member of Group 1 - No Is user 2 member of Group 2 - Yes - Exclusion takes Priority - Allow Policy 1 does not apply - Allow Policy 2 does not apply - no Result Policy 3 - User is in group 2 - but in Seattle - Policy does not apply Policy 4 - User 2 can be anywhere - Allowed with MFA User 2 allowed Is user 2 member of Group 1 - No Is user 2 member of Group 2 - Yes - Exclusion takes Priority - Allow Policy 1 does not apply - Allow Policy 2 does not apply - no Result Policy 3 - User is in group 2 - And in Boston - Policy applies - Block Policy 4 - User 2 can be anywhere - But Block Policy take precedence in Policy 3 User 2 not allowed Y - Y - N
upvoted 108 times
waqas
3 years, 6 months ago
To me it would be NYN...mentioned answers are correct..... First option will be No. Because If both grant and block policies match, block will always win. No exceptions! So policy 3 will be applied here.
upvoted 4 times
mansc3wth1s
3 years, 4 months ago
Policy1 and Policy3 have exclued for the user and they are in both groups. Which means.. They are EXCLUDED from the policy. That means do not use/apply to any user in that group. The second policy satisfies all conditions and they are not excluded so they may be granted access. You're right that a DENY will always trump taking into account all policies IF multiple are satisfied. It's just in this case User1 was exempt from two (1,3) from even applying.
upvoted 3 times
...
...
datz
1 year ago
YYN When organizations both include and exclude a user or group, the user or group is excluded from the policy. The exclude action overrides the include action in policy. Exclusions are commonly used for emergency access or break-glass accounts. More information about emergency access accounts and why they're important can be found in the following articles:
upvoted 2 times
...
glitchlessxddd
1 year, 3 months ago
N - Y - N Policy 3 blocks user 1 from access in boston because user 1 is part of group 2
upvoted 4 times
pentium75
11 months ago
No because User1 is also in Group1 which is excluded from Policy3.
upvoted 1 times
...
...
CrocoGreen
3 years, 5 months ago
MFA is disabled. Users cannot access resources when the MFA is required but is disabled for users.
upvoted 13 times
chancer
3 years, 3 months ago
No no no
upvoted 12 times
...
mansc3wth1s
3 years, 4 months ago
In these types of questions when they list MFA almost never does it really matter. If someone requests access to something and it says 'disabled' you can simple just request to add the MFA when you are allowed. Disabled just means that at the time they do not have it setup.
upvoted 12 times
koreshio
2 years, 8 months ago
this is correct, the per-user MFA status does not seem to matter in CAPS and PIM. see ref: https://learn.microsoft.com/en-us/answers/questions/529070/user-mfa-is-disabled-however-pim-activation-is-ask.html https://www.vcloudnine.de/mfa-disabled-but-azure-asks-for-second-factor/#:~:text=Conditional%20Access%2C%20or%20enabled%20Security,MFA%20for%20a%20specific%20user.
upvoted 4 times
...
yooi
3 years, 2 months ago
All users start out Disabled. When you enroll users in per-user Azure AD Multi-Factor Authentication, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced. Administrators may move users between states, including from Enforced to Enabled or Disabled. so: Enabled = The admin has enabled MFA on the account, but the user hasn't set it up. Enforced = The user has completed the setup of their MFA.
upvoted 4 times
...
...
...
Load full discussion...
...
mahi83
Highly Voted 3 years, 6 months ago
Policy 1 & 3 - Boston location - block access so option 1 & 3 is No Option 2 - user 2 - policy 4 - require MFA and user is disabled for MFA so answ is NO for 2nd option. so according to me: N-N-N
upvoted 20 times
pentium75
11 months ago
YYN because group exclusion takes precedence, and MFA "disabled" does not mean that he cannot enroll
upvoted 1 times
...
...
ca7859c
Most Recent 1 month, 1 week ago
YYN Disabled ❌ No ❌ No Normal sign-in Enabled ⚠️ Yes (for registration) ❌ No (yet) Asked to register Enforced ✅ Yes ✅ Yes MFA enforced
upvoted 1 times
...
WilianCArias
1 year, 6 months ago
Yes, Yes, No.
upvoted 3 times
...
Obama_boy
1 year, 6 months ago
in exam 08/12/2023
upvoted 2 times
...
wardy1983
1 year, 7 months ago
Explanation: User1 can access - Remember, exclusions take precedence. Policy1 won't apply since group2 is excluded, policy2 allows, policy3 won't apply since group1 is excluded, policy4 won't apply. User2 can access - there are no policies blocking the Seattle range User2 cannot access - policy1 won't apply since group2 is excluded, policy2 allows, but policy3 blocks access for group2
upvoted 2 times
...
tweleve
1 year, 8 months ago
In exam 13 Oct
upvoted 3 times
...
iVath
1 year, 9 months ago
for case1 : User1 from Boston, Policy1 is NOT applied for User1. see https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-users-groups : Exclude users When organizations both include and exclude a user or group, the user or group is excluded from the policy. The exclude action overrides the include action in policy.
upvoted 1 times
...
heatfan900
1 year, 10 months ago
TRUSTED IP LOCATIONS overrides MFA. N,Y,N The trusted IPs feature of Azure AD Multi-Factor Authentication bypasses multi-factor authentication prompts for users who sign in from a defined IP address range. You can set trusted IP ranges for your on-premises environments. When users are in one of these locations, there's no Azure AD Multi-Factor Authentication prompt. The trusted IPs feature requires Azure AD Premium P1 edition.
upvoted 2 times
...
FedericoBellotti
2 years, 1 month ago
Y-Y-N this is the correct answer. To be sure i create the same configuration on my test tenant. Policy 1 and 3 don't work because exclusion has priority over inclusion
upvoted 2 times
...
zellck
2 years, 1 month ago
YYN is the answer. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#trusted-ips The trusted IPs feature of Azure AD Multi-Factor Authentication bypasses multi-factor authentication prompts for users who sign in from a defined IP address range. You can set trusted IP ranges for your on-premises environments. When users are in one of these locations, there's no Azure AD Multi-Factor Authentication prompt. The trusted IPs feature requires Azure AD Premium P1 edition.
upvoted 3 times
xRiot007
11 months, 2 weeks ago
I think the first one is No. Trusted IPs can bypass MFA, but the user tries to access from a Boston IP, which is NOT a trusted location. Policy 2 allows but requires MFA, which is disabled for User 1. So User 1 has disabled MFA and he can't bypass MFA because he tries to access from a location that is NOT trusted (Boston). I would say that's a No.
upvoted 2 times
...
Gerd95
1 year, 3 months ago
Then it should be NYN, What part of the first question overrides MFA? The user is from Boston, which is not a trusted location. He is allowed by Policy2, which still requires MFA
upvoted 2 times
...
...
Gesbie
2 years, 2 months ago
In Exam April 11, 2023
upvoted 7 times
...
icebw22
2 years, 3 months ago
Should be Y,Y,N exclude group takes precedence over include groups
upvoted 1 times
...
majstor86
2 years, 3 months ago
Yes Yes No
upvoted 2 times
...
sofieejo
2 years, 4 months ago
In exam 29/01/2023 + many questions about Microsoft Sentinel
upvoted 4 times
...
fonte
2 years, 5 months ago
Hi all, Passed my exam (13JAN2023) with 918. 50 questions (45 + 5 of a case study). Around 95% of the questions are here. I've compiled the questions and my answers in a ppt, feel free to check it out and hope it helps. https://www.dropbox.com/s/ay00xp2fnloq1ex/AZ%20500%20-%20Exam%20Topics.pptx?dl=0 Use pass az500prep to open the file. Thanks to all the people that comment on questions, I wouldn't have passed without them :)
upvoted 2 times
nnd
2 years, 5 months ago
Hello, File is not opening
upvoted 1 times
fonte
2 years, 5 months ago
you can't open it directly... download and use the pass provided.
upvoted 1 times
...
...
josh_josh
2 years, 5 months ago
File has been deleted
upvoted 4 times
...
...
ltjones12
2 years, 5 months ago
The correct answers are Y,Y,N User1 can access - Remember, exclusions take precedence. Policy1 won't apply since group2 is excluded, policy2 allows, policy3 won't apply since group1 is excluded, policy4 won't apply. User2 can access - there are no policies blocking the Seattle range User2 cannot access - policy1 won't apply since group2 is excluded, policy2 allows, but policy3 blocks access for group2.
upvoted 3 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel