Exam AZ-500
Question 113

HOTSPOT -

You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.

You create and enforce an Azure AD Identity Protection sign-in risk policy that has the following settings:

✑ Assignments: Include Group1, exclude Group2

✑ Conditions: Sign-in risk level: Low and above

✑ Access: Allow access, Require multi-factor authentication

You need to identify what occurs when the users sign in to Azure AD.

What should you identify for each user? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

    Correct Answer:

    Reference:

    http://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/
    https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies
    https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
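The evaluation the question hinges on, written out as an added example (this is not code from the question, the exam, or Microsoft): a small Python model of how an Identity Protection sign-in risk policy decides what a user sees at sign-in. It encodes three rules: an exclusion always wins over an inclusion, the risk levels order none < low < medium < high so "Low and above" is a simple comparison, and (per the Microsoft documentation quoted later in the discussion) an in-scope user who has never registered for Azure AD MFA cannot satisfy a "Require MFA" remediation and is blocked instead of prompted. The users, group memberships and the `mfa_registered` attribute are constructed for the example; the question's own user table is not reproduced on this page, and the model deliberately ignores the per-user MFA state (Disabled/Enabled/Enforced) that the thread argues about.

```python
"""Model of an Azure AD Identity Protection sign-in risk policy evaluation.

Added example with constructed data; not the question's actual user table.
"""
from dataclasses import dataclass
from enum import Enum, IntEnum


class RiskLevel(IntEnum):
    """Aggregated sign-in risk, ordered so 'Low and above' is one comparison."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Outcome(Enum):
    PASSWORD_ONLY = "sign in with username and password only"
    MFA_PROMPT = "prompted for MFA"
    BLOCKED = "blocked (administrator intervention required)"


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    # Assumption: remediation checks whether the user has completed Azure AD MFA
    # registration, not the per-user MFA state (Disabled/Enabled/Enforced).
    mfa_registered: bool


@dataclass(frozen=True)
class SignInRiskPolicy:
    include_groups: frozenset
    exclude_groups: frozenset
    min_risk: RiskLevel            # "Low and above" -> RiskLevel.LOW
    require_mfa: bool = True       # True: "Allow access, Require MFA"; False: "Block access"


def in_scope(user: User, policy: SignInRiskPolicy) -> bool:
    """Assignment check: membership in an excluded group always wins."""
    if user.groups & policy.exclude_groups:
        return False
    return bool(user.groups & policy.include_groups)


def evaluate(user: User, policy: SignInRiskPolicy, risk: RiskLevel) -> Outcome:
    """What happens at sign-in for one user at a given detected risk level."""
    if not in_scope(user, policy) or risk < policy.min_risk:
        return Outcome.PASSWORD_ONLY          # policy never fires
    if not policy.require_mfa:
        return Outcome.BLOCKED                # "Block access" control
    # "Require MFA" remediation: only a registered user can satisfy it.
    return Outcome.MFA_PROMPT if user.mfa_registered else Outcome.BLOCKED


def evaluate_all(users, policy: SignInRiskPolicy, risk: RiskLevel) -> dict:
    """Outcome per user name for one risk level, handy for a whole tenant."""
    return {u.name: evaluate(u, policy, risk) for u in users}


# Constructed sample data matching the question's policy settings.
POLICY = SignInRiskPolicy(
    include_groups=frozenset({"Group1"}),
    exclude_groups=frozenset({"Group2"}),
    min_risk=RiskLevel.LOW,
)

USER1 = User("User1", frozenset({"Group1", "Group2"}), mfa_registered=False)  # excluded via Group2
USER2 = User("User2", frozenset({"Group1"}), mfa_registered=False)            # in scope, never registered
USER3 = User("User3", frozenset({"Group1"}), mfa_registered=True)             # in scope, registered

if __name__ == "__main__":
    for level in (RiskLevel.NONE, RiskLevel.LOW, RiskLevel.HIGH):
        print(level.name, evaluate_all((USER1, USER2, USER3), POLICY, level))
```

Running it shows the two things the thread disputes: User1 gets the password-only path at every risk level because the Group2 exclusion short-circuits the assignment check before risk or MFA state is ever considered, and an in-scope user at Low risk is either prompted or blocked purely on whether MFA registration has been completed.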

Discussion
Pitch09

User1 - is excluded, but User1's MFA is Enabled. Exclusion will take precedence. Ans: MFA will be prompted.
User2 - is included and the user meets the above threshold for sign-in risk level: Low and above, therefore the user account will be blocked. Note: If you target this policy to a user that hasn't registered for MFA, their access will be blocked. Ans: Be blocked

monob25889

User1: Exclusion will take precedence. The MFA will NOT be prompted.

koreshio

Correct, they should be asked to set up MFA due to the 'Enabled' (but not 'Enforced') state, but should be able to log in with username and password without MFA.

Iuzzo

User1 - should be Excluded... MFA is only Enabled and not Enforced

ruscomike

Enabled means that he/she has to complete an MFA challenge but has not yet configured the MFA method. After that, the status becomes Enforced.

AIster77

in exam taken 24 July 2023

basak

1. User 1 will be prompted to sign up for MFA (exclusion is applied). 2. User 2 will have the policy applied. However, since User 2's MFA is disabled, he will not be able to log in and will be blocked. A user should sign up for MFA beforehand for the conditional access policy to act.

Nik9059

I think in both the cases the user will be prompted for MFA

[Removed]

Wrong, as User 2 must register for Azure AD MFA for remediation, as it's disabled.

mansc3wth1s

MFA Disabled/Enabled on these questions does matter if they are already meeting remediation conditions. They would have to have enforced MFA already by this point. Because User1 is in Group1 and Group2, the user is then Excluded, period. They're free to log in with user and pass at this point. MFA is not enabled and there is no other policy to fall back on that we know of.

PapaLion

1) Sign in with Username and Password 2) Blocked

brooklyn510

On exam 1/2/24

hfk2020

I have tested this in the lab. When the user has MFA enabled, it will prompt for MFA. When the user has MFA disabled, it will still prompt for MFA if the user is required to do MFA.

Anarchira

User1: Sign in by using a username and password only. Not affected because it is excluded, and: If a user has MFA configured as enabled but not forced, they are not obligated to configure and use MFA. In this case, the user can choose to sign in using only their username and password without using MFA. Having MFA enabled but not forced means that users are recommended or encouraged to use MFA to add an additional layer of security to their account, but they are not required to do so. Users have the option to configure and use MFA if they wish, but it is not imposed as a mandatory requirement. User2: be blocked because it is affected and doesn't have MFA.

AZ5002023

Enabled does not mean enforced, so I think box 1: username and pass; box 2: blocked.

Troublemaker

In Exam - 28/7/2023

kabooze

User 2 will receive the MFA screen. Don't look at the MFA state when a policy is involved. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates Enabling Azure AD Multi-Factor Authentication through a Conditional Access policy doesn't change the state of the user. Don't be alarmed if users appear disabled. Conditional Access doesn't change the state. https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa As for User 1: the policy doesn't apply to them, but Enabled means they need to set up MFA for web apps and modern authentication. So my guess is also MFA.

kabooze

I was incorrect. Sorry for the misinformation. This is _NOT_ about conditional access but it's about IDENTITY PROTECTION feature. So if MFA has not been setup before, you are blocked: https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies#risk-remediation

ivann2010

We are talking about "Identity Protection" and not "Conditional Access". The answer for me is "Sign in by using...", because MFA is activated; it does not show you the MFA PROMPT, it gives you the option to configure it or do it later, and if you say do it later you go straight in. Regarding the second, it will force you to configure MFA although it does not change the user's status.

wardy1983

User1 - is excluded, but User1's MFA is Enabled. Exclusion will take precedence. Ans: MFA will be prompted.
User2 - is included and the user meets the above threshold for sign-in risk level: Low and above, therefore the user account will be blocked. Note: If you target this policy to a user that hasn't registered for MFA, their access will be blocked. Ans: Be blocked
Reference:
http://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks

zellck

1. Be prompted for MFA 2. Be blocked https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies#risk-remediation Users must register for Azure AD MFA before they face a situation requiring remediation. Users not registered are blocked and require administrator intervention.

Alexbz

Both will be prompted for MFA. If MFA is disabled for a user and an access policy forces it for login, a user with MFA disabled status won't be blocked; they will be prompted to set up MFA upon login.

flafernan

If you create a mandatory MFA policy and explicitly exclude USER1 from that policy, but USER1 already has MFA enabled on their account, they will not be affected by the policy. This is because the explicit deletion of the MFA policy should override the policy, allowing USER1 to continue using their multi-factor authentication as usual. The opt-out policy is more specific and will take priority over the MFA mandatory policy. Therefore, USER1 will be able to authenticate without any problems using MFA.

Hillary_Innocent

User 1 is excluded in this policy since exclude takes precedence. Therefore User 1 will be blocked.

hitit

I think both answers are 'Use MFA'.

F117A_Stealth

Answer seems correct