Exam AZ-500 topic 2 question 6 discussion

Medium High Medium The question is not valid anymore

This question is no longer valid. The referenced article in the explanation also mentions the same thing : "Some time ago I wrote this article about sign-in risk-based conditional access policies. But things have been changed over time and I thought it is time to update it with new content. The updated post can access using https://www.rebeladmin.com/2020/11/step-by-step-guide-how-to-configure-sign-in-risk-based-azure-conditional-access-policies/ "

Answer: 1. Impossible travel to atypical location: Medium 2. Users with leaked credential: High 3. Sign-ins from IP addresses with suspicious activity: Medium Reason: Impossible travel to atypical locations: Medium - This is considered a high-risk event because it indicates potentially impossible geographic movements that could signal account compromise Users with leaked credentials: High - This represents a medium risk as the credentials are known to be compromised but haven't necessarily been used maliciously yet Sign-ins from IP addresses with suspicious activity: Medium - This is also classified as medium risk since suspicious IP addresses might indicate potential attack attempts but aren't definitive proof of compromise Reference: https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks

Impossible travel: Medium Leaked credentials: High IP addresses with suspicious activity: Medium

Users with leaked credentials - Low Impossible travel to atypical location - High Sign-ins from IP addresses with suspicious activity - Medium The rationale behind these choices is as follows: Users with leaked credentials are typically considered to have a lower risk level because it indicates a potential compromise of user credentials but may not necessarily imply immediate unauthorized access to sensitive resources. Impossible travel to atypical location suggests a high risk level because it indicates a significant deviation from the user's typical travel patterns, which can be indicative of account compromise or misuse. Sign-ins from IP addresses with suspicious activity indicate a medium risk level because it suggests potential suspicious behavior but may require further investigation to determine the severity and intent of the activity.

I doubt such question would appear in exams as the Risk level differ based on organization's risk definitions, Microsoft can only recommend but can't bind such levels.

Note: It is very unlikely the Microsoft will require the memorization of specific risk levels given that they have changed the documentation. Previously the risk levels were very well defined, however they now provide this very vague paragraph: "Microsoft doesn't provide specific details about how risk is calculated. Each level of risk brings higher confidence that the user or sign-in is compromised. For example, something like one instance of unfamiliar sign-in properties for a user might not be as threatening as leaked credentials for another user." Modern Documentation: https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection#investigate-risk Legacy Documentation: https://web.archive.org/web/20190419234045/https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events

question no longer valid - you can now assign your own "score" to any item based on your companies needs. Which makes more sense anyway...

Sign-ins from IP addresses with suspicious activity is Medium now. https://github.com/toddkitta/azure-content/blob/master/articles/active-directory/active-directory-identityprotection-risk-events-types.md#sign-ins-from-ip-addresses-with-suspicious-activity