
AZ-500 Exam - Question 68


HOTSPOT

You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.

The tenant contains the named locations shown in the following table.

You create the conditional access policies for a cloud app named App1 as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Discussion

17 comments
Naqsh27
Dec 20, 2021

User 1 from Boston:
Is user 1 member of Group 1 - yes - Block
Is user 1 member of Group 2 - yes - Exclusion takes priority - Allow
Policy 1 does not apply
Policy 2 applies
Policy 3 and 4 do not apply
User 1 - Allowed

Is user 2 member of Group 1 - No
Is user 2 member of Group 2 - Yes - Exclusion takes priority - Allow
Policy 1 does not apply - Allow
Policy 2 does not apply - no result
Policy 3 - User is in group 2 - but in Seattle - Policy does not apply
Policy 4 - User 2 can be anywhere - Allowed with MFA
User 2 allowed

Is user 2 member of Group 1 - No
Is user 2 member of Group 2 - Yes - Exclusion takes priority - Allow
Policy 1 does not apply - Allow
Policy 2 does not apply - no result
Policy 3 - User is in group 2 - and in Boston - Policy applies - Block
Policy 4 - User 2 can be anywhere - but the Block policy takes precedence in Policy 3
User 2 not allowed

Y - Y - N

waqas
Dec 22, 2021

To me it would be NYN... the mentioned answers are correct... The first option will be No, because if both grant and block policies match, block will always win. No exceptions! So policy 3 will be applied here.

mansc3wth1s
Feb 19, 2022

Policy1 and Policy3 have excluded the user, and they are in both groups. Which means they are EXCLUDED from the policy. That means do not use/apply to any user in that group. The second policy satisfies all conditions and they are not excluded, so they may be granted access. You're right that a DENY will always trump, taking into account all policies, IF multiple are satisfied. It's just that in this case User1 was exempt from two (1, 3) from even applying.

CrocoGreen
Dec 30, 2021

MFA is disabled. Users cannot access resources when the MFA is required but is disabled for users.

mansc3wth1s
Feb 19, 2022

In these types of questions, when they list MFA it almost never really matters. If someone requests access to something and it says 'disabled', you can simply just request to add the MFA when you are allowed. Disabled just means that at the time they do not have it set up.

yooi
Apr 25, 2022

All users start out Disabled. When you enroll users in per-user Azure AD Multi-Factor Authentication, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced. Administrators may move users between states, including from Enforced to Enabled or Disabled. So: Enabled = The admin has enabled MFA on the account, but the user hasn't set it up. Enforced = The user has completed the setup of their MFA.

koreshio
Oct 15, 2022

This is correct, the per-user MFA status does not seem to matter in CAPs and PIM. See ref: https://learn.microsoft.com/en-us/answers/questions/529070/user-mfa-is-disabled-however-pim-activation-is-ask.html https://www.vcloudnine.de/mfa-disabled-but-azure-asks-for-second-factor/#:~:text=Conditional%20Access%2C%20or%20enabled%20Security,MFA%20for%20a%20specific%20user.

chancer
Mar 13, 2022

No no no

glitchlessxddd
Mar 9, 2024

N - Y - N. Policy 3 blocks user 1 from access in Boston because user 1 is part of group 2.

datz
Jun 4, 2024

YYN When organizations both include and exclude a user or group, the user or group is excluded from the policy. The exclude action overrides the include action in policy. Exclusions are commonly used for emergency access or break-glass accounts. More information about emergency access accounts and why they're important can be found in the following articles:

mahi83
Dec 24, 2021

Policy 1 & 3 - Boston location - block access, so options 1 & 3 are No. Option 2 - user 2 - policy 4 - requires MFA and the user is disabled for MFA, so the answer is NO for the 2nd option. So according to me: N-N-N

Gesbie
Apr 12, 2023

In Exam April 11, 2023

sofieejo
Jan 30, 2023

In exam 29/01/2023 + many questions about Microsoft Sentinel

ltjones12
Jan 5, 2023

The correct answers are Y,Y,N. User1 can access - Remember, exclusions take precedence. Policy1 won't apply since group2 is excluded, policy2 allows, policy3 won't apply since group1 is excluded, policy4 won't apply. User2 can access - there are no policies blocking the Seattle range. User2 cannot access - policy1 won't apply since group2 is excluded, policy2 allows, but policy3 blocks access for group2.
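The two evaluation rules this walkthrough relies on (a group listed under "exclude" removes the user from a policy even if another assignment includes them, and a Block control wins over any Grant when several policies apply) modelled as a small evaluator. This is an added example, not part of the thread or of Azure AD itself; because the question's tables are not reproduced on the page, the groups, locations and four policies below are constructed from the walkthrough above and are hypothetical.

```python
# Added example: a minimal model of how Azure AD Conditional Access combines
# several policies for one sign-in. It encodes the two rules the thread turns on:
#   1. a group under "exclude" removes the user from the policy's scope even if
#      the user is also covered by "include" (exclusion overrides inclusion);
#   2. when more than one policy applies, a Block control wins over any Grant.
# Groups, locations and policies are constructed (hypothetical) values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    include: frozenset    # groups the policy targets
    exclude: frozenset    # groups removed from the policy's scope
    locations: frozenset  # named locations it applies to; empty = any location
    control: str          # "block", "grant" or "mfa"


def policy_applies(policy: Policy, user_groups: frozenset, location: str) -> bool:
    """Rule 1: any excluded group takes the user out of scope, whatever is included."""
    if user_groups & policy.exclude:
        return False
    if not user_groups & policy.include:
        return False
    return not policy.locations or location in policy.locations


def evaluate(policies, user_groups: frozenset, location: str) -> str:
    """Rule 2: every applying policy is enforced, so one Block overrides all Grants."""
    applied = [p for p in policies if policy_applies(p, user_groups, location)]
    if any(p.control == "block" for p in applied):
        return "blocked"
    if any(p.control == "mfa" for p in applied):
        # Per-user MFA state is not consulted; CA prompts the user to register.
        return "allowed with MFA"
    return "allowed"


# Constructed policy set following the thread's walkthrough (hypothetical values).
POLICIES = (
    Policy("Policy1", frozenset({"Group1"}), frozenset({"Group2"}), frozenset({"Boston"}), "block"),
    Policy("Policy2", frozenset({"Group2"}), frozenset(), frozenset(), "grant"),
    Policy("Policy3", frozenset({"Group2"}), frozenset({"Group1"}), frozenset({"Boston"}), "block"),
    Policy("Policy4", frozenset({"Group2"}), frozenset({"Group1"}), frozenset(), "mfa"),
)
USER1 = frozenset({"Group1", "Group2"})  # member of both groups
USER2 = frozenset({"Group2"})            # member of Group2 only

if __name__ == "__main__":
    for label, groups, loc in (("User1/Boston", USER1, "Boston"),
                               ("User2/Seattle", USER2, "Seattle"),
                               ("User2/Boston", USER2, "Boston")):
        print(label, "->", evaluate(POLICIES, groups, loc))
```

Run as-is it prints the three outcomes (allowed, allowed with MFA, blocked), i.e. Y-Y-N; swapping Policy1's exclude set for an empty one shows how the first answer flips to blocked once the exclusion is gone.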

zellck
May 7, 2023

YYN is the answer. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#trusted-ips The trusted IPs feature of Azure AD Multi-Factor Authentication bypasses multi-factor authentication prompts for users who sign in from a defined IP address range. You can set trusted IP ranges for your on-premises environments. When users are in one of these locations, there's no Azure AD Multi-Factor Authentication prompt. The trusted IPs feature requires Azure AD Premium P1 edition.

Gerd95
Mar 20, 2024

Then it should be NYN. What part of the first question overrides MFA? The user is from Boston, which is not a trusted location. He is allowed by Policy2, which still requires MFA.

xRiot007
Jul 16, 2024

I think the first one is No. Trusted IPs can bypass MFA, but the user tries to access from a Boston IP, which is NOT a trusted location. Policy 2 allows but requires MFA, which is disabled for User 1. So User 1 has disabled MFA and he can't bypass MFA because he tries to access from a location that is NOT trusted (Boston). I would say that's a No.

tweleve
Oct 14, 2023

In exam 13 Oct

fonte
Jan 14, 2023

Hi all, Passed my exam (13JAN2023) with 918. 50 questions (45 + 5 of a case study). Around 95% of the questions are here. I've compiled the questions and my answers in a ppt, feel free to check it out and hope it helps. https://www.dropbox.com/s/ay00xp2fnloq1ex/AZ%20500%20-%20Exam%20Topics.pptx?dl=0 Use pass az500prep to open the file. Thanks to all the people that comment on questions, I wouldn't have passed without them :)

nnd
Jan 15, 2023

Hello, File is not opening

fonte
Jan 16, 2023

You can't open it directly... download it and use the pass provided.

josh_josh
Jan 19, 2023

File has been deleted

majstor86
Mar 2, 2023

Yes Yes No

FedericoBellotti
May 13, 2023

Y-Y-N is the correct answer. To be sure, I created the same configuration on my test tenant. Policies 1 and 3 don't work because exclusion has priority over inclusion.

heatfan900
Aug 23, 2023

TRUSTED IP LOCATIONS override MFA. N,Y,N. The trusted IPs feature of Azure AD Multi-Factor Authentication bypasses multi-factor authentication prompts for users who sign in from a defined IP address range. You can set trusted IP ranges for your on-premises environments. When users are in one of these locations, there's no Azure AD Multi-Factor Authentication prompt. The trusted IPs feature requires Azure AD Premium P1 edition.

wardy1983
Nov 14, 2023

Explanation: User1 can access - Remember, exclusions take precedence. Policy1 won't apply since group2 is excluded, policy2 allows, policy3 won't apply since group1 is excluded, policy4 won't apply. User2 can access - there are no policies blocking the Seattle range. User2 cannot access - policy1 won't apply since group2 is excluded, policy2 allows, but policy3 blocks access for group2.

Obama_boy
Dec 8, 2023

in exam 08/12/2023

WilianCArias
Dec 14, 2023

Yes, Yes, No.

ltjones12
Dec 19, 2022

For the first question: is user1 a member of group 1 - yes - Block. No more evaluation takes place after that, so question #1 is a definite NO.

icebw22
Mar 15, 2023

Should be Y,Y,N; exclude groups take precedence over include groups.

iVath
Sep 1, 2023

For case 1: User1 from Boston, Policy1 is NOT applied for User1. See https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-users-groups : Exclude users - When organizations both include and exclude a user or group, the user or group is excluded from the policy. The exclude action overrides the include action in policy.