Exam AZ-500
Question 54

HOTSPOT -

Your company has two offices in Seattle and New York. Each office connects to the Internet by using a NAT device. The offices use the IP addresses shown in the following table.

The company has an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains the users shown in the following table.

The MFA service settings are configured as shown in the exhibit. (Click the Exhibit tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

    Correct Answer:

    Box 1: Yes -

    Box 2: No -

    Use of Microsoft Authenticator is not required. Either a text message or a phone call is required for MFA.

    Note: Microsoft Authenticator is a multi-factor authentication app for mobile devices that generates time-based codes used during the two-step verification process.

    Box 3: No -

    The New York IP address subnet is included in the "skip multi-factor authentication for requests" setting.

    Reference:

    https://www.cayosoft.com/difference-enabling-enforcing-mfa/

Discussion
[Removed]

Yes No No right ones

Aston1818

I think it's no for the last question, as the IP given in the exception is the public NAT one!

durak

MFA is not enforced

Mea988

The first one is a NO: the user is enabled for MFA, which means that on the next login they will be authenticated using only a password, and then they can register their phone for MFA. Hence, NO.

chzon

you are right. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

Holii

This. They wouldn't have listed the MFA status of each user if that didn't have an impact on the answer.

xRiot007

The question is not talking about subsequent logins, so you don't know if this is the first sign-in or not, in which case you must presume based on the principles of zero trust: the device must go through MFA, so the answer is Yes.

gboyega

The correct answer is Yes No No, because the docs state that "The trusted IPs can include private IP ranges only when you use MFA Server. For cloud-based Azure Multi-Factor Authentication, you can only use public IP address ranges." In this case the public IP address is already added to the excluded IPs.

OpsecDude

Yes, that is true, but notice that the Seattle office subnet was not included in the list of whitelisted IPs, although the MS Authenticator app was unchecked in the menu, so the correct answer is NO. If it had been "User must authenticate using their phone" then it would have been a yes.

wannasruls

But the first question is asking "user to authenticate using phone". So you're saying it's a yes?

TheProfessor

Why is the first one Yes? MFA is enabled, not enforced.

GaryKing123

Because even for a user who is in the Enabled state, when the user attempts to sign in next it will require the user to complete MFA registration. So they still need to use a mobile device to sign in even when Enabled. Once they complete registration, MFA becomes Enforced: "The user is enrolled per-user in Microsoft Entra multifactor authentication. If the user hasn't yet registered authentication methods, they receive a prompt to register the next time they sign in using modern authentication (such as via a web browser). Users who complete registration while in the Enabled state are automatically moved to the Enforced state."

xRiot007

Enabled means that legacy authentication is not affected until you finish up registration. When MFA registration is done, it switches to Enforced. You can also set Enforced directly. The end result will always be Enforced MFA.

zellck

YNN is the answer. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#azure-ad-multi-factor-authentication-user-states

Enabled: The user is enrolled in per-user Azure AD Multi-Factor Authentication, but can still use their password for legacy authentication. If the user hasn't yet registered MFA authentication methods, they receive a prompt to register the next time they sign in using modern authentication (such as via a web browser).

zellck

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#trusted-ips

The trusted IPs feature of Azure AD Multi-Factor Authentication bypasses multi-factor authentication prompts for users who sign in from a defined IP address range. You can set trusted IP ranges for your on-premises environments. When users are in one of these locations, there's no Azure AD Multi-Factor Authentication prompt. The trusted IPs feature requires Azure AD Premium P1 edition.
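The two points the thread keeps circling (per-user MFA states from the user-states doc quoted above, and trusted IPs being matched against the public address the cloud service sees after NAT) can be modelled as a small decision function. This is an added example, not code from the exam, the question exhibit or Microsoft; the office subnets, NAT public addresses (documentation ranges), trusted-IP list and user states are all constructed, and the ordering of the trusted-IP skip before any registration prompt is an assumption.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network


class MfaState(Enum):
    DISABLED = "Disabled"
    ENABLED = "Enabled"
    ENFORCED = "Enforced"


@dataclass
class User:
    name: str
    state: MfaState
    registered: bool  # True once an MFA method (e.g. a phone) is registered


# Constructed sample topology (not the exam's exhibit): each office's internal
# subnet and the public address its NAT device presents to the Internet.
OFFICE_NAT = {
    "192.168.10.0/24": "203.0.113.20",  # New York
    "10.1.0.0/16": "198.51.100.10",     # Seattle
}
# Constructed trusted-IP list as it would appear in MFA service settings. The
# private entry is deliberately included to show it can never match a cloud
# sign-in: Azure AD only ever sees the post-NAT public address.
TRUSTED_IPS = ["203.0.113.20/32", "192.168.10.0/24"]


def egress_address(client_ip: str) -> str:
    """Address Azure AD sees: the NAT public IP when the client sits in an office."""
    addr = ip_address(client_ip)
    for subnet, public_ip in OFFICE_NAT.items():
        if addr in ip_network(subnet):
            return public_ip
    return client_ip  # not behind a known NAT, e.g. a home connection


def is_trusted(client_ip: str, trusted=TRUSTED_IPS) -> bool:
    seen = ip_address(egress_address(client_ip))
    return any(seen in ip_network(r, strict=False) for r in trusted)


def mfa_prompt(user: User, client_ip: str, modern_auth: bool = True) -> str:
    """Return 'none', 'register' or 'verify' (assumed order: state, then trusted-IP skip)."""
    if user.state is MfaState.DISABLED:
        return "none"
    if is_trusted(client_ip):
        return "none"                      # trusted-IP skip: no prompt at all
    if user.state is MfaState.ENABLED:
        if not modern_auth:
            return "none"                  # legacy auth still accepts the password alone
        return "verify" if user.registered else "register"
    return "verify"                        # Enforced: always verify
```

Running it with the constructed values shows that a New York client is skipped only because its NAT public address is listed, while a Seattle client in the Enabled state is sent to registration on modern authentication.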

zellck

Gotten this in May 2023 exam.

Ivan80

In exam 1/28/24

ITSystem

what is your answer ?

trashbox

1. "No": User 1's MFA status is Enabled, so the use of MFA is not enforced.
2. "No": The MS Authenticator app is not included in the available MFA options.
3. "No": MFA is skipped because New York's public NAT segment is included in Trusted IPs.

Gesbie

In Exam April 11, 2023

ltjones12

#1 is extremely and unnecessarily confusing. I would say no. MFA is only enabled, not enforced; in that case the user would authenticate with the password first, then be prompted to register using the phone.

Rachy

This is current. 28/08/23

Qadour

Yes - No - Yes! Why 3 = Yes? Because we have User2 trying to connect from the New York office! In the table of whitelisted IPs we have the public IP of the NY office.

majstor86

Yes No No

stepman

On exam Apr 27, 2023

003nickm

On 2-March-2023, I passed AZ-500 with flying colors. This question was in the exam. Some questions were on Defender EASM as well.

fonte

Hi all, passed my exam (13JAN2023) with 918. 50 questions (45 + 5 of a case study). Around 95% of the questions are here. I've compiled the questions and my answers in a ppt, feel free to check it out and hope it helps. https://www.dropbox.com/s/ay00xp2fnloq1ex/AZ%20500%20-%20Exam%20Topics.pptx?dl=0 Use the password az500prep to open the file. Thanks to all the people that comment on questions, I wouldn't have passed without them :)

elwo

appreciated!

Swatiagarwal

Hello, it's saying the password is incorrect, you have given the correct password. Please, if you don't want to share, then don't pass wrong information so other people's time gets wasted.

fonte

Have you tried downloading the file? Dropbox doesn't allow opening protected files.

romaso82

Hello, please share the info again; when I try to download, the information doesn't exist.

AZ5002023

No: MFA enabled, not enforced.
No: MS Authenticator not authorised; only phone MFA.
No: the IP is bypassed.

JunetGoyal

Yes, 134.x.x.x is not a trusted IP.
No, the MS app is not a checked option in the MFA options; only phone is listed.
No, as the New York location is not a trusted IP.

in_da_cloud

No no no: Mea988 is right! The first one is a NO: the user is enabled for MFA, which means that on the next login they will be authenticated using only a password, and then they can register their phone for MFA. Hence, NO.

xRiot007

There is no such thing as a "next" login anywhere in that question. The answer is Yes.

ESAJRR

Yes No No