AZ-500 Exam - Question 54


HOTSPOT -

Your company has two offices in Seattle and New York. Each office connects to the Internet by using a NAT device. The offices use the IP addresses shown in the following table.

The company has an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains the users shown in the following table.

The MFA service settings are configured as shown in the exhibit. (Click the Exhibit tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: Yes -

Box 2: No -

Use of Microsoft Authenticator is not required. Either a text or phone call is required for MFA.

Note: Microsoft Authenticator is a multifactor app for mobile devices that generates time-based codes used during the Two-Step Verification process.

Box 3: No -

The New York IP address subnet is included in the "skip multi-factor authentication for request.

Reference:

https://www.cayosoft.com/difference-enabling-enforcing-mfa/
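
The trusted-IP bypass behind Box 3, as an added example that is not part of the original page: the MFA service compares the public address the NAT device presents, and Microsoft's documentation states that cloud-based MFA accepts only public ranges, so RFC 1918 entries are treated here as ineffective. All addresses and office names are constructed placeholders; the exam's tables are not on this page.

```python
import ipaddress

# RFC 1918 private space: the MFA service never sees these as a source address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def split_trusted(cidrs):
    """Split a trusted-IP list into (effective, ineffective) networks."""
    effective, ineffective = [], []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)  # tolerate host bits
        private = any(net.subnet_of(p) for p in RFC1918)
        (ineffective if private else effective).append(net)
    return effective, ineffective

def mfa_skipped(public_ip, cidrs):
    """True when the NAT (public) source address is inside an effective range."""
    effective, _ = split_trusted(cidrs)
    addr = ipaddress.ip_address(public_ip)
    return any(addr in net for net in effective)

# Constructed sample data (documentation ranges), not the values from the
# exam's tables, which are absent from this page.
TRUSTED = ["198.51.100.0/27", "10.20.0.0/16"]
SIGNINS = [
    # (office, client private IP, public IP after NAT)
    ("office-a", "10.10.0.15", "203.0.113.10"),  # NAT range not trusted
    ("office-b", "10.20.0.15", "198.51.100.7"),  # NAT range trusted
]

def evaluate(signins, cidrs):
    """Map each office to whether its sign-ins skip the MFA prompt."""
    return {office: mfa_skipped(public, cidrs)
            for office, _private, public in signins}

if __name__ == "__main__":
    print("ineffective entries:", [str(n) for n in split_trusted(TRUSTED)[1]])
    print(evaluate(SIGNINS, TRUSTED))
```

The private client address never decides the outcome: listing an office's internal subnet does not exempt it, only the NAT device's public range does.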

Discussion

17 comments
[Removed]
Apr 9, 2020

Yes No No right ones

Aston1818
May 16, 2020

I think it's no for the last question as the IP given in the exception is the public NAT one!

durak
May 23, 2022

MFA is not enforced

Mea988
Aug 13, 2022

The first one is a NO: user is enabled for MFA, which means that on next login it will be authenticated using only password, and then he can register his phone for MFA. Hence, NO

chzon
Feb 9, 2023

you are right. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

Holii
May 20, 2023

This. They wouldn't have listed the MFA status of each user if that didn't have an impact on the answer.

xRiot007
Jul 16, 2024

The question is not talking about subsequent logins, so you don't know if this is the first sign-in or not, in which case you must presume based on the principles of zero trust: device must go through MFA, so the answer is Yes.

gboyega
Jul 6, 2020

The correct answer is YES NO NO, because in the docs it is stated that "The trusted IPs can include private IP ranges only when you use MFA Server. For cloud-based Azure Multi-Factor Authentication, you can only use public IP address ranges". In this case the public IP address is already added to the excluded IPs.

OpsecDude
Sep 26, 2022

Yes that is true, but notice that Seattle Office subnet was not included in the list of Whitelisted IP's, although MS Authenticator App was unchecked in the menu so the correct answer is NO. If it had been "User must authenticate using their phone" then it would have been a yes.

wannasruls
Jan 5, 2024

but the first question is asking "user to authenticate using phone". So you're saying it's a yes?

TheProfessor
Sep 12, 2023

Why is the first one Yes? MFA is enabled, not enforced.

GaryKing123
Oct 12, 2023

Because even for a user who is in the Enabled state, when the user next attempts to sign in it will require the user to complete MFA registration. So they still need to use a mobile device to sign in even when enabled. Once they complete registration, MFA becomes enforced: "The user is enrolled per-user in Microsoft Entra multifactor authentication. If the user hasn't yet registered authentication methods, they receive a prompt to register the next time they sign in using modern authentication (such as via a web browser). Users who complete registration while in the Enabled state are automatically moved to the Enforced state"

xRiot007
Jul 16, 2024

Enabled means that legacy authentication is not affected until you finish up registration. When MFA registration is done, it switches to Enforced. You can also set Enforced directly. The end result will always be Enforced MFA.

zellck
May 7, 2023

YNN is the answer. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#azure-ad-multi-factor-authentication-user-states - Enabled The user is enrolled in per-user Azure AD Multi-Factor Authentication, but can still use their password for legacy authentication. If the user hasn't yet registered MFA authentication methods, they receive a prompt to register the next time they sign in using modern authentication (such as via a web browser).

zellck
May 7, 2023

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#trusted-ips The trusted IPs feature of Azure AD Multi-Factor Authentication bypasses multi-factor authentication prompts for users who sign in from a defined IP address range. You can set trusted IP ranges for your on-premises environments. When users are in one of these locations, there's no Azure AD Multi-Factor Authentication prompt. The trusted IPs feature requires Azure AD Premium P1 edition.

zellck
May 11, 2023

Gotten this in May 2023 exam.

trashbox
Oct 9, 2023

1. "No": User 1's MFA status is Enabled, so the use of MFA is not enforced 2. "No": MS Authenticator app is not included in the available MFA options 3. "No": MFA is skipped because New York's Public NAT segment is included in Trusted IPs

Ivan80
Jan 30, 2024

In exam 1/28/24

ITSystem
Mar 28, 2024

what is your answer ?

ltjones12
Dec 10, 2022

#1 is extremely and unnecessarily confusing. I would say no. MFA is only enabled, not enforced; in that case the user would authenticate with the PW first, then be prompted to register using the phone.

Gesbie
Apr 12, 2023

In Exam April 11, 2023

fonte
Jan 14, 2023

Hi all, Passed my exam (13JAN2023) with 918. 50 questions (45 + 5 of a case study). Around 95% of the questions are here. I've compiled the questions and my answers in a ppt, feel free to check it out and hope it helps. https://www.dropbox.com/s/ay00xp2fnloq1ex/AZ%20500%20-%20Exam%20Topics.pptx?dl=0 Use pass az500prep to open the file. Thanks to all the people that comment on questions, I wouldn't have passed without them :)

elwo
Jan 16, 2023

appreciated!

Swatiagarwal
Jan 16, 2023

Hello, it's saying password is incorrect, you have given correct password. Please, if you don't want to share then don't pass wrong information so other people's time gets wasted.

fonte
Jan 16, 2023

Have you tried downloading the file? Dropbox doesn't allow opening protected files.

romaso82
Feb 6, 2023

Hello, please share the info again; when I try to download, the information doesn't exist

003nickm
Mar 2, 2023

On 2-March-2023, I passed AZ-500 with flying colors. This question was in the exam. Some questions were on Defender EASM as well.

majstor86
Mar 2, 2023

Yes No No

stepman
Apr 27, 2023

On exam Apr 27, 2023

Qadour
Jun 15, 2023

Yes - No - Yes ! Why 3 = Yes ? because we have User2 trying to connect from New York OFFICE ! In the table of Whitelisted IP's we have the public IP of the NY Office

Rachy
Aug 28, 2023

This is current. 28/08/23

JunetGoyal
Oct 23, 2023

Yes: 134.x.x.x is not a trusted IP. No: MS app is not a checked option in the MFA options, only phone is listed. No: as New York location is not a trusted IP

AZ5002023
Dec 4, 2023

No: MFA enabled, not enforced. No: MS authent not authorised, only phone MFA. No: the IP is bypassed

ESAJRR
Jul 24, 2023

Yes No No

in_da_cloud
Feb 16, 2024

no no no: Mea988 is right! The first one is a NO: user is enabled for MFA, which means that on next login it will be authenticated using only password, and then he can register his phone for MFA. Hence, NO

xRiot007
Jul 16, 2024

There is no such thing as a "next" login anywhere in that question. Answer is Yes