AZ-500 Exam - Question 113


HOTSPOT -

You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.

You create and enforce an Azure AD Identity Protection sign-in risk policy that has the following settings:

✑ Assignments: Include Group1, exclude Group2

✑ Conditions: Sign-in risk level: Low and above

✑ Access: Allow access, Require multi-factor authentication

You need to identify what occurs when the users sign in to Azure AD.

What should you identify for each user? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:

http://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks

Discussion

17 comments
Pitch09
Dec 15, 2021

User1 is excluded, but User1's MFA is Enabled. Exclusion will take precedence. Ans: MFA will be prompted.

User2 is included and the user meets the above threshold for sign-in risk level (Low and above); therefore the user account will be blocked. Note: If you target this policy to a user that hasn't registered for MFA, their access will be blocked. Ans: Be blocked.

monob25889
Dec 23, 2021

User1: Exclusion will take precedence. The MFA will NOT be prompted.

koreshio
Oct 15, 2022

Correct, they should be asked to set up MFA due to the 'Enabled' (but not 'Enforced') state, but should be able to log in with username and password without MFA.

Iuzzo
Jan 15, 2022

User1 - should be Excluded... MFA is only Enabled and not Enforced

ruscomike
Jul 12, 2024

Enabled means that he/she has to be challenged for MFA but has not yet configured the MFA method. After that the status becomes Enforced.

AIster77
Jul 24, 2023

in exam taken 24 July 2023

basak
Aug 14, 2023

1. User1 will be prompted to sign up for MFA (exclusion is applied).
2. User2 will have the policy applied. However, since User2's MFA is disabled, he will not be able to log in and will be blocked. A user should sign up for MFA beforehand for a Conditional Access policy to act.

Nik9059
Dec 14, 2021

I think in both the cases the user will be prompted for MFA

[Removed]
Jan 14, 2022

Wrong, as User2 must register for Azure AD MFA for remediation, as it's disabled.

mansc3wth1s
Feb 20, 2022

MFA Disabled/Enabled on these questions does matter if they are already meeting remediation conditions. They would have to have enforced MFA already by this point. Because User1 is in Group1 and Group2, the user is Excluded, period. They're free to log in with username and password at this point. MFA is not enabled, and there is no other policy to fall back on that we know of.

PapaLion
Apr 13, 2023

1) Sign in with Username and Password 2) Blocked

Anarchira
Jun 20, 2023

User1: Sign in by using a username and password only. Not affected because it is excluded, and: If a user has MFA configured as enabled but not forced, they are not obligated to configure and use MFA. In this case, the user can choose to sign in using only their username and password without using MFA. Having MFA enabled but not forced means that users are recommended or encouraged to use MFA to add an additional layer of security to their account, but they are not required to do so. Users have the option to configure and use MFA if they wish, but it is not imposed as a mandatory requirement.

User2: Be blocked, because it is affected and doesn't have MFA.

hfk2020
Dec 23, 2023

I have tested this in the lab. When the user has MFA enabled, it will prompt for MFA. When the user has MFA disabled, it will still prompt for MFA if the user is required to do MFA.

brooklyn510
Jan 6, 2024

On exam 1/2/24

kabooze
Dec 2, 2022

User2 will receive the MFA screen. Don't look at MFA state when a policy is involved. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

Enabling Azure AD Multi-Factor Authentication through a Conditional Access policy doesn't change the state of the user. Don't be alarmed if users appear disabled. Conditional Access doesn't change the state. https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa

As for User1: The policy doesn't apply to them, but Enabled means they need to set up MFA for web apps and modern authentication. So my guess is also MFA.

kabooze
Dec 2, 2022

I was incorrect. Sorry for the misinformation. This is _NOT_ about conditional access but it's about IDENTITY PROTECTION feature. So if MFA has not been setup before, you are blocked: https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies#risk-remediation

Troublemaker
Jul 24, 2023

In Exam - 28/7/2023

AZ5002023
Dec 9, 2023

Enabled does not mean Enforced, so I think Box 1: username and password; Box 2: blocked.

Alexbz
Apr 26, 2023

Both will be prompted for MFA. If MFA is disabled for a user and an access policy forces it for login, a user with MFA disabled status won't be blocked; they will be prompted to set up MFA upon login.

zellck
May 6, 2023

1. Be prompted for MFA
2. Be blocked

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies#risk-remediation

Users must register for Azure AD MFA before they face a situation requiring remediation. Users not registered are blocked and require administrator intervention.
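The evaluation order the thread keeps circling, written out as an added example (not code from the question, from Microsoft, or from any commenter): assignment first, where an explicit exclusion beats an inclusion; then the risk condition; then the "Require MFA" grant, which per the risk-remediation doc cited above can only be satisfied by a user who has already registered. The question's table is not on the page, so the users' group memberships are reconstructed from the comments, the per-user MFA state "Enabled" is treated as not yet registered (an assumption that does not change User1's outcome, since User1 is excluded), and User3 is a hypothetical registered user added for contrast.

```python
"""Added example: how a sign-in risk policy with 'Allow access, Require MFA'
resolves for each user. Not Microsoft code; users are constructed from the
discussion because the question's table is not on the page."""
from dataclasses import dataclass

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    mfa_registered: bool  # completed registration; per-user 'Enabled' alone is not that

@dataclass(frozen=True)
class SignInRiskPolicy:
    include_groups: frozenset
    exclude_groups: frozenset
    min_risk: str = "low"        # Conditions: Low and above
    access: str = "require_mfa"  # or "block"

def evaluate(policy: SignInRiskPolicy, user: User, sign_in_risk: str) -> str:
    """Return 'username_and_password', 'mfa_prompt' or 'blocked'."""
    # 1. Assignment: an explicit exclusion always beats an inclusion, so the
    #    policy is never evaluated further for such a user.
    if user.groups & policy.exclude_groups:
        return "username_and_password"
    if not (user.groups & policy.include_groups):
        return "username_and_password"
    # 2. Condition: the detected sign-in risk must reach the configured level.
    if RISK_ORDER[sign_in_risk] < RISK_ORDER[policy.min_risk]:
        return "username_and_password"
    # 3. Access control: self-remediation by MFA needs an already-registered
    #    method; an unregistered user is blocked and needs an administrator.
    if policy.access == "require_mfa":
        return "mfa_prompt" if user.mfa_registered else "blocked"
    return "blocked"

POLICY = SignInRiskPolicy(include_groups=frozenset({"Group1"}),
                          exclude_groups=frozenset({"Group2"}))

# Constructed from the thread: User1 is in both groups, User2 only in Group1
# with per-user MFA Disabled. User3 is hypothetical, a registered user for contrast.
USERS = [
    User("User1", frozenset({"Group1", "Group2"}), mfa_registered=False),
    User("User2", frozenset({"Group1"}), mfa_registered=False),
    User("User3", frozenset({"Group1"}), mfa_registered=True),
]

def resolve_all(sign_in_risk: str = "low") -> dict:
    """Outcome per user for one detected sign-in risk level."""
    return {u.name: evaluate(POLICY, u, sign_in_risk) for u in USERS}

if __name__ == "__main__":
    for name, outcome in resolve_all().items():
        print(f"{name}: {outcome}")
```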

wardy1983
Nov 15, 2023

User1 is excluded, but User1's MFA is Enabled. Exclusion will take precedence. Ans: MFA will be prompted.

User2 is included and the user meets the above threshold for sign-in risk level (Low and above); therefore the user account will be blocked. Note: If you target this policy to a user that hasn't registered for MFA, their access will be blocked. Ans: Be blocked.

Reference:
http://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks

ivann2010
Mar 19, 2024

We are talking about "Identity Protection" and not "Conditional Access". The answer for me is: "Sign in by using.....", because when MFA is activated it does not show you the MFA PROMPT; it gives you the option to configure it or do it later, and if you say do it later you go straight in. Regarding the second, it will force you to configure MFA although it does not change the user's status.

F117A_Stealth
Nov 10, 2022

Answer seems correct

hitit
Jan 2, 2023

I think both answers are 'Use MFA'.

Hillary_Innocent
Jun 25, 2023

User1 is excluded in this policy since exclude takes precedence. Therefore User1 will be blocked.

flafernan
Nov 6, 2023

If you create a mandatory MFA policy and explicitly exclude USER1 from that policy, but USER1 already has MFA enabled on their account, they will not be affected by the policy. This is because the explicit deletion of the MFA policy should override the policy, allowing USER1 to continue using their multi-factor authentication as usual. The opt-out policy is more specific and will take priority over the MFA mandatory policy. Therefore, USER1 will be able to authenticate without any problems using MFA.