Exam AZ-500 topic 2 question 11 discussion

Actual exam question from Microsoft's AZ-500
Question #: 11
Topic #: 2

HOTSPOT -
Your company has two offices in Seattle and New York. Each office connects to the Internet by using a NAT device. The offices use the IP addresses shown in the following table.

The company has an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains the users shown in the following table.

The MFA service settings are configured as shown in the exhibit. (Click the Exhibit tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: Yes -

Box 2: No -
Use of Microsoft Authenticator is not required. Either a text or phone call is required for MFA.
Note: Microsoft Authenticator is a multifactor app for mobile devices that generates time-based codes used during the Two-Step Verification process.

Box 3: No -
The New York IP address subnet is included in the "skip multi-factor authentication for request.
Reference:
https://www.cayosoft.com/difference-enabling-enforcing-mfa/

Comments

[Removed]
Highly Voted 5 years, 2 months ago
Yes No No right ones
upvoted 90 times
Mea988
2 years, 10 months ago
The first one is a NO: the user is enabled for MFA, which means that on next login it will be authenticated using only the password, and then he can register his phone for MFA. Hence, NO
upvoted 15 times
Holii
2 years, 1 month ago
This. They wouldn't have listed the MFA status of each user if that didn't have an impact on the answer.
upvoted 2 times
...
xRiot007
11 months, 3 weeks ago
The question is not talking about subsequent logins, so you don't know if this is the first sign-in or not, in which case you must presume, based on the principles of zero trust: the device must go through MFA, so the answer is Yes.
upvoted 1 times
...
chzon
2 years, 4 months ago
You are right. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
upvoted 2 times
...
...
durak
3 years, 1 month ago
MFA is not enforced
upvoted 3 times
...
Aston1818
5 years, 1 month ago
I think it's no for the last question, as the IP given in the exception is the public NAT one!
upvoted 9 times
...
...
gboyega
Highly Voted 4 years, 12 months ago
THE CORRECT ANSWER IS YES NO NO, because in the docs it is stated that "The trusted IPs can include private IP ranges only when you use MFA Server. For cloud-based Azure Multi-Factor Authentication, you can only use public IP address ranges". In this case the public IP address is already added to the excluded IPs.
upvoted 43 times
TheProfessor
1 year, 9 months ago
Why is the first one Yes? Its MFA is enabled, not enforced.
upvoted 1 times
xRiot007
11 months, 3 weeks ago
Enabled means that legacy authentication is not affected until you finish up registration. When MFA registration is done, it switches to Enforced. You can also set Enforced directly. The end result will always be Enforced MFA.
upvoted 1 times
...
GaryKing123
1 year, 8 months ago
Because even for a user who is in the Enabled state, when the user next attempts to sign in, it will require the user to complete MFA registration. So they still need to use a mobile device to sign in even when Enabled. Once they complete registration, MFA becomes Enforced: "The user is enrolled per-user in Microsoft Entra multifactor authentication. If the user hasn't yet registered authentication methods, they receive a prompt to register the next time they sign in using modern authentication (such as via a web browser). Users who complete registration while in the Enabled state are automatically moved to the Enforced state."
upvoted 4 times
...
...
OpsecDude
2 years, 9 months ago
Yes, that is true, but notice that the Seattle office subnet was not included in the list of whitelisted IPs, although the MS Authenticator app was unchecked in the menu, so the correct answer is NO. If it had been "User must authenticate using their phone" then it would have been a yes.
upvoted 4 times
wannasruls
1 year, 6 months ago
But the first question is asking "user to authenticate using phone". So you're saying it's a yes?
upvoted 1 times
...
...
...
Knighthell
Most Recent 4 weeks ago
No No YES "Skip MFA for trusted IPs applies only to users with MFA status 'Enabled'. Users with MFA status 'Enforced' will always be prompted for MFA even when connecting from trusted IPs."
upvoted 1 times
...
Yvesk
3 months ago
YNY - Trusted IPs do not override an enforced MFA requirement.
upvoted 1 times
...
qwerjj
11 months, 1 week ago
Could I know why question #2 is No? I guess only the NAT IP is approved now, so it means the NAT access from Seattle has not been approved.
upvoted 1 times
...
in_da_cloud
1 year, 4 months ago
No No No: Mea988 is right! The first one is a NO: the user is enabled for MFA, which means that on next login it will be authenticated using only the password, and then he can register his phone for MFA. Hence, NO
upvoted 1 times
xRiot007
11 months, 3 weeks ago
There is no such thing as a "next" login anywhere in that question. Answer is Yes
upvoted 2 times
...
...
Ivan80
1 year, 5 months ago
In exam 1/28/24
upvoted 5 times
ITSystem
1 year, 3 months ago
What is your answer?
upvoted 2 times
...
...
AZ5002023
1 year, 7 months ago
No: MFA enabled, not enforced. No: MS authent not authorised: only phone MFA. No: the IP is bypassed.
upvoted 2 times
...
JunetGoyal
1 year, 8 months ago
Yes, 134.x.x.x is not a trusted IP. No, MS app is not a checked option in MFA options, only phone is listed. No, as New York location is not a trusted IP.
upvoted 2 times
...
trashbox
1 year, 9 months ago
1. "No": User 1's MFA status is Enabled, so the use of MFA is not enforced 2. "No": MS Authenticator app is not included in the available MFA options 3. "No": MFA is skipped because New York's Public NAT segment is included in Trusted IPs
upvoted 5 times
...
Rachy
1 year, 10 months ago
This is current. 28/08/23
upvoted 4 times
...
ESAJRR
1 year, 11 months ago
Yes No No
upvoted 1 times
...
Qadour
2 years ago
Yes - No - Yes! Why 3 = Yes? Because we have User2 trying to connect from the New York OFFICE! In the table of whitelisted IPs we have the public IP of the NY office.
upvoted 4 times
...
zellck
2 years, 1 month ago
YNN is the answer. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#azure-ad-multi-factor-authentication-user-states - Enabled The user is enrolled in per-user Azure AD Multi-Factor Authentication, but can still use their password for legacy authentication. If the user hasn't yet registered MFA authentication methods, they receive a prompt to register the next time they sign in using modern authentication (such as via a web browser).
upvoted 7 times
zellck
2 years, 1 month ago
Gotten this in May 2023 exam.
upvoted 3 times
...
zellck
2 years, 1 month ago
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#trusted-ips The trusted IPs feature of Azure AD Multi-Factor Authentication bypasses multi-factor authentication prompts for users who sign in from a defined IP address range. You can set trusted IP ranges for your on-premises environments. When users are in one of these locations, there's no Azure AD Multi-Factor Authentication prompt. The trusted IPs feature requires Azure AD Premium P1 edition.
upvoted 1 times
...
...
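The trusted-IP and user-state rules quoted from the Microsoft docs in this thread, modelled as an added example (not part of the original discussion and not Microsoft's code). The IP ranges are constructed sample values, `split_trusted` and `mfa_prompt_expected` are hypothetical names, and treating both Enabled and Enforced as prompting on a modern-auth sign-in is an assumption taken from the docs text quoted above.

```python
import ipaddress

# RFC 1918 private space. Cloud MFA only ever sees the NAT device's public
# address, so a trusted-IP entry inside these ranges can never match.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample list: one public NAT range and one internal LAN range.
TRUSTED_RANGES = ["198.51.100.0/27", "192.168.1.0/24"]


def split_trusted(ranges):
    """Split configured trusted ranges into (usable, ignored) networks."""
    usable, ignored = [], []
    for r in ranges:
        net = ipaddress.ip_network(r)
        if any(net.subnet_of(p) for p in RFC1918):
            ignored.append(net)   # private: only meaningful with MFA Server
        else:
            usable.append(net)    # public: matched against the NAT address
    return usable, ignored


def mfa_prompt_expected(user_state, public_ip, trusted_ranges):
    """Return True if a modern-auth sign-in should see an MFA prompt.

    user_state is the per-user MFA state: Disabled, Enabled or Enforced.
    public_ip is the post-NAT source address that the tenant observes.
    """
    if user_state not in ("Disabled", "Enabled", "Enforced"):
        raise ValueError(f"unknown per-user MFA state: {user_state!r}")
    if user_state == "Disabled":
        return False              # not enrolled in per-user MFA
    usable, _ = split_trusted(trusted_ranges)
    addr = ipaddress.ip_address(public_ip)
    # A sign-in from a usable trusted range skips the prompt.
    return not any(addr in net for net in usable)


if __name__ == "__main__":
    for state, ip in [("Enabled", "203.0.113.10"),
                      ("Enforced", "198.51.100.5"),
                      ("Disabled", "203.0.113.10")]:
        print(state, ip, mfa_prompt_expected(state, ip, TRUSTED_RANGES))
```

Running `split_trusted` over an exported trusted-IP list is a quick audit for private ranges that were added in the belief they would exempt an office LAN.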
Gesbie
2 years, 2 months ago
In Exam April 11, 2023
upvoted 4 times
...
majstor86
2 years, 4 months ago
Yes No No
upvoted 3 times
stepman
2 years, 2 months ago
On exam Apr 27, 2023
upvoted 2 times
...
...
003nickm
2 years, 4 months ago
On 2-March-2023, I passed AZ-500 with flying colors. This question was in the exam. Some question was on Defender EASM as well.
upvoted 3 times
...