Exam MS-500 topic 1 question 53 discussion

One of the protection risk policies is a “Use risk policy”. It will require a password change. For this to work in a hybrid environment: Make sure you have PHS, Password Writeback and SSPR enabled

Honestly, I don't understand the fact that answers to such trivial questions are wrong. This exam is full of wrong answers, any idea how to change it?

I have a lab with an hybrid enviroment and I don't need ADFS to use risk sign in policies. So it is C

Correct answer should be C indeed. Password writeback should be enabled as stated also in the following article: https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies#choosing-acceptable-risk-levels

To support the deployment of a hybrid Azure Active Directory (Azure AD) tenant with Azure AD Identity Protection risk policies enabled, you should use the "Pass-through Authentication" (PTA) method in Azure AD Connect. PTA is a simple and secure authentication method that allows users to use their on-premises passwords to authenticate with Azure AD. When users sign in to Azure AD-connected applications, their passwords are validated against your on-premises Active Directory, so there's no need to store passwords in the cloud. Additionally, PTA supports the use of Azure AD Identity Protection risk policies, which help to detect and prevent risky sign-ins. The other two authentication methods in Azure AD Connect are "Password Hash Synchronization" and "Active Directory Federation Services" (AD FS). While both of these methods are also compatible with Azure AD Identity Protection, PTA is the recommended method for its simplicity and security benefits. So, you should select the "Pass-through Authentication" option when configuring Azure AD Connect for your hybrid deployment.

Optionally, you can set up password hash synchronization as a backup if you decide to use Federation with Active Directory Federation Services (AD FS) as your sign-in method. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs

When using Federation, the authentication is done on-prem. So C is the answer.

Pretty sure thats C

Federation for AD FS allows for more rigorous levels of access controls. This is a requirement in the question regarding risk policies. Password Hash is a part of Federation for AD FS if needed.

C is the correct answer for sure

C for Sure

Makes more sense

c is more likely

So what is valid on the exam??

PHS makes the most sense for this scenario

Agree with Dan91 & Pete26

One of the protection risk policies is a “Use risk policy”. It will require a password change. For this to work in a hybrid environment: Make sure you have PHS, Password Writeback and SSPR enabled. I will go with PHS for an answer.